We have a new intf2 interface to the parent company intranet. The route for local LAN users to the intf2 network works, as does VPN users' access to local LAN resources. But VPN users cannot ping the new network.
Trace shows no traffic reaching any interface; tried inside, outside and intf2.
Config below:
PIX Version 7.2(2)
!
names
name 192.1.11.48 gc
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.0.0.5 255.255.255.0
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.1.11.7 255.255.255.0
!
interface Ethernet2
nameif intf2
security-level 4
ip address dhcp setroute
!
object-group network ABCVPNGROUP
description ABCVPNGROUP
network-object 192.1.12.96 255.255.255.224
object-group network COMMAND
description COMMAND
network-object 172.0.0.0 255.0.0.0
access-list inside_access_in remark All dns access
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit ip host ExchangeSrv any
access-list inside_access_in remark All dns access
access-list inside_access_in extended permit ip VPNACCESS 255.255.255.0 any
access-list inside_access_in remark All dns access
access-list inside_access_in extended permit ip object-group ABCVPNGROUP any
access-list inside_access_in extended permit udp object-group ABCPPBXGROUP any
access-list inside_access_in extended permit udp host VOIPSignalling any object-group VOIPSignaling
access-list inside_access_in extended permit tcp host VOIPSignalling any object-group VOIPIPNetwork
access-list inside_access_in extended deny ip any any log disable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny icmp object-group PowerTel any
access-list outside_access_in extended deny ip any any log disable
access-list ABCVPN_splitTunnelAcl extended permit ip object-group ABCVPNGROUP interface intf2
access-list ABCVPN_splitTunnelAcl extended permit ip VPNACCESS 255.255.255.0 any
access-list ABCgc_splitTunnelAcl extended permit ip object-group ABCVPNGROUP interface intf2
access-list ABCgc_splitTunnelAcl extended permit ip object-group COMMAND interface intf2
access-list ABCgc_splitTunnelAcl extended permit ip VPNACCESS 255.255.255.0 any
access-list intf2_access_in extended permit icmp any any
access-list default_out_rip_acl standard deny any
access-list inside_nat0_outbound extended permit ip any VPNACCESS 255.255.255.0
access-list inside_nat0_outbound extended permit ip any object-group ABCVPNGROUP
access-list ABC_splitTunnelAcl standard permit VPNACCESS 255.255.255.0
access-list ABC_splitTunnelAcl standard permit COMMANDIntranet 255.255.0.0
access-list ABC_splitTunnelAcl standard permit Connx 255.255.0.0
ip local pool vpnpool 192.1.11.112-192.1.11.139
ip local pool ABCVPNPOOL 192.1.12.97-192.1.12.126 mask 255.255.255.224
nat-control
global (outside) 1 interface
global (inside) 2 ExchangeSrv
global (intf2) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) ExchgeStaticMap ExchangeSrv netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group intf2_access_in in interface intf2
route outside 0.0.0.0 0.0.0.0 ABCRouter 1
route intf2 172.0.0.0 255.0.0.0 172.24.40.1 1
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value 192.1.11.77 192.1.11.2
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list value ABCVPN_splitTunnelAcl
default-domain value ABCcoms.com.au
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
group-policy ABCgc internal
group-policy ABCgc attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ABCgc_splitTunnelAcl
default-domain value ABCcoms.com.au
group-policy ABCVPN internal
group-policy ABCVPN attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ABCVPN_splitTunnelAcl
default-domain value ABCcoms.com.au
username gc password <removed> privilege 5
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 60
tunnel-group DefaultRAGroup general-attributes
address-pool vpnpool
authentication-server-group (outside) LOCAL
tunnel-group ABCVPN type ipsec-ra
tunnel-group ABCVPN general-attributes
address-pool vpnpool
authentication-server-group (outside) LOCAL
default-group-policy ABCVPN
tunnel-group ABCVPN ipsec-attributes
pre-shared-key *
tunnel-group ABCgc type ipsec-ra
tunnel-group ABCgc general-attributes
address-pool ABCVPNPOOL
authentication-server-group (outside) LOCAL
default-group-policy ABCgc
tunnel-group ABCgc ipsec-attributes
pre-shared-key *
tunnel-group ABC type ipsec-ra
tunnel-group ABC general-attributes
address-pool ABCVPNPOOL
default-group-policy ABC
tunnel-group ABC ipsec-attributes
pre-shared-key *
: end
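An added check, not part of the original post, that walks the NAT, global, static, route and ISAKMP lines copied from the config above: for the interface the VPN terminates on it reports which translation rules exist toward the interface that the 172.0.0.0/8 route exits on, which is the first thing to compare when nat-control is enabled. The destination 172.24.40.10 is a constructed sample address inside that route.

```python
import ipaddress
import re
# Relevant lines copied from the PIX config in the post above (not the whole config).
PIX_CONFIG = """
nat-control
global (outside) 1 interface
global (intf2) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) ExchgeStaticMap ExchangeSrv netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 ABCRouter 1
route intf2 172.0.0.0 255.0.0.0 172.24.40.1 1
crypto isakmp enable outside
"""
def parse(config):
    """Collect the route, nat, static, global, nat-control and ISAKMP facts."""
    facts = {"routes": [], "nat_ifaces": set(), "static_pairs": set(),
             "global_ifaces": set(), "nat_control": False, "vpn_ifaces": set()}
    for line in config.splitlines():
        line = line.strip()
        if line == "nat-control":
            facts["nat_control"] = True
        elif m := re.match(r"route (\S+) (\S+) (\S+) \S+", line):
            iface, net, mask = m.groups()
            facts["routes"].append((iface, ipaddress.ip_network(f"{net}/{mask}")))
        elif m := re.match(r"nat \((\S+)\)", line):
            facts["nat_ifaces"].add(m.group(1))          # interfaces with a dynamic nat rule
        elif m := re.match(r"static \((\S+),(\S+)\)", line):
            facts["static_pairs"].add((m.group(1), m.group(2)))  # (real, mapped) pairs
        elif m := re.match(r"global \((\S+)\)", line):
            facts["global_ifaces"].add(m.group(1))       # interfaces with a global pool
        elif m := re.match(r"crypto isakmp enable (\S+)", line):
            facts["vpn_ifaces"].add(m.group(1))          # where remote-access VPNs terminate
    return facts

def egress_interface(facts, dst):
    """Longest-prefix match of dst against the parsed route table."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in facts["routes"] if addr in r[1]]
    return max(hits, key=lambda r: r[1].prefixlen)[0] if hits else None

def translation_coverage(config, dst):
    """Per VPN-terminating interface: which translation rules exist toward dst's egress."""
    facts = parse(config)
    egress = egress_interface(facts, dst)
    return {ing: {"egress": egress, "nat_control": facts["nat_control"],
                  "dynamic_nat_on_ingress": ing in facts["nat_ifaces"],
                  "global_on_egress": egress in facts["global_ifaces"],
                  "static_for_pair": (ing, egress) in facts["static_pairs"]}
            for ing in sorted(facts["vpn_ifaces"])}
```

Run `translation_coverage(PIX_CONFIG, "172.24.40.10")` to get the report for the outside interface; the same function works on any pasted PIX 7.x config that uses the same line forms.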