Question

Cisco PIX VPN Problem [Imoore?]

Asked by: TonySeaward

I am hoping I could get some input from Imoore since he seems to be the far and beyond expert. I'll throw on bonus points if fixed within the next 2 days if allowed.

Need this figured out ASAP. I have a 501 PIX connected using a site-to-site that works using IPSec, but tried setting up remote access for Remote Desktop with PPTP. I have a static DSL IP and set up a pool for incoming IPs, but once connected I am given the IP which matches the gateway. If "use remote gateway" is unchecked through XP I can access the internet, but if checked no internet, nor can I get around on the internal network. I have a Win2003 server that is just for file serving right now, and the DHCP is coming from the PIX, so I am willing to change DHCP to the 2003 server if that would matter and try to set up routing through the server.

The issues I am looking to resolve are:
I cannot ping anything on the internal network
SSH from outside to manage the VPN
Test the VPN from inside the network (if possible)

Another little side question: for the vpdn DNS IP, should it be my ISP's DNS or my Win2003 server? I will post the config as soon as I get to work.

Thanks.

Asked On: 2004-07-19 at 14:14:41 (ID 21063997)
Tags: pix, cisco, vpn
Topics: Network Software Firewalls, Cisco PIX Firewall, Enterprise Firewalls
Participating Experts: 3
Points: 500
Comments: 33


Answers

 

by: TonySeaward, posted on 2004-07-19 at 16:02:45, ID: 11588247

This is what I have; I ran the PPTP and Easy VPN client wizards to try something new.
Still can't access the VPN from inside, but at least I know that. I am headed out to try it again.

Result of PIX command: "show running config"
 
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.5.30 win2003
name xxx.210.150.146 pix-out
name 192.168.5.1 pix-in
name xxx.17.164.57 HomeIP
name xxx.96.240.50 PeaceHealth
name 192.168.5.21 Station21
name 192.168.5.7 Station11
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 xxx.96.64.0 255.255.224.0
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 xxx.96.64.0 255.255.224.0
access-list inside_outbound_nat0_acl permit ip host Station21 10.10.10.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip host Station11 10.10.10.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.10.10.0 255.255.255.224
pager lines 50
logging on
logging console debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside pix-out 255.255.255.248
ip address inside pix-in 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNGroup 10.10.10.10-10.10.10.20
pdm location 192.168.5.0 255.255.255.0 inside
pdm location xxx.210.150.0 255.255.255.0 outside
pdm location xxx.210.150.144 255.255.255.248 outside
pdm location xxx.96.64.0 255.255.224.0 outside
pdm location 192.168.100.0 255.255.255.0 outside
pdm location 192.168.100.0 255.255.255.240 outside
pdm location HomeIP 255.255.255.255 outside
pdm location Station11 255.255.255.255 inside
pdm location Station21 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.210.150.145 1
route outside xxx.96.64.0 255.255.224.0 xxx.210.150.145 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http xxx.210.150.144 255.255.255.248 outside
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside pix-out c:\temp\tftp
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer PeaceHealth
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address PeaceHealth netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup arnvpn address-pool VPNGroup
vpngroup arnvpn dns-server win2003 xxx.174.194.53
vpngroup arnvpn default-domain arnw.local
vpngroup arnvpn idle-time 1800
vpngroup arnvpn password ********
telnet timeout 5
ssh HomeIP 255.255.255.255 outside
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local VPNGroup
vpdn group PPTP-VPDN-GROUP client configuration dns win2003 xxx.174.194.53
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username arnvpn password *********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.5.5-192.168.5.29 inside
dhcpd dns xxx.174.194.53 xxx.174.194.54
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain callatg.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 100
Cryptochecksum:3354b31ba440344bd09bffd6092f157e
: end

 

by: lrmoore, posted on 2004-07-19 at 16:13:57, ID: 11588299

I'll address the top issues first.
>but once connected I am given the IP which matches the gateway
Can you be more specific? What IP address do you get on the client? (use ipconfig /all to see)

>I cannot ping anything on the internal network
Can you ping if "use remote gateway" is checked?

>SSH from outside to manage the VPN
Use the following command on the PIX if you want to be able to SSH to it from wherever you find yourself:
  ssh 0.0.0.0 0.0.0.0 outside

Or, if you want to lock it down to your home IP:
  ssh 12.34.56.76 255.255.255.255 outside

>I am willing to change DHCP to 2003 server
Won't make a bit of difference.

>Test the VPN from inside the network (if possible)
Can't do it, because you have to attach to the outside interface.

>If "use remote gateway" is unchecked through XP I can access the internet,
You're going to have to make an informed decision on this one. It is truly one or the other, not both in this case. Either a user connects to you with "use remote gateway" checked, and has full access to your network, but not the Internet, or not.
There are a couple of things to try as workarounds, but there are no guarantees:
1. On the client, you can add a static route after you connect. Look at your ipconfig to get your IP address, then add a static route:
 C:\>route add A.B.C.D mask 255.255.255.0 <gateway>
Where A.B.C.D = your internal LAN of the PIX
Where <gateway> = your client IP address

2. On the PIX, set up the client pool as a sub-set of the existing internal LAN, not a separate subnet. (may or may not work for you, mileage may vary)

>for the vpdn DNS IP, should it be my ISP's DNS or my Win2003 server?
Your Win2003 server, for sure, since the purpose of the connection is to access your internal network, not the Internet.
That server "should" forward any requests to the Internet anyway.


 

by: TonySeaward, posted on 2004-07-19 at 19:05:16, ID: 11589126

In response, when I say given the same IP, it is in this case 10.10.10.11, and so is the gateway IP when doing the ipconfig command. If unchecked, there is no IP listed. I can't ping internally regardless of the gateway checkbox.

I have the SSH command:
ssh HomeIP 255.255.255.255 outside
When I try to connect with PuTTY I get an access denied when I put in the password. Is there a place where I can edit the username and password for the SSH account?

I can go without internet access; I need to be able to use Remote Desktop and browse the network as though I was there. In this case Station21 and Station11 are my test boxes for now. Do I need to set up some static routes on the PIX to those machines? I am not sure if there is a client issue, but even when connected with the VPN client 4.0, I can get an IP and connect, but no network. I can't ping my home or office network with or without the gateway checkbox; all that is determining is whether or not I get internet access. I have not once been able to access the internal network through the VPN.

I did the add route with the gateway checked and still nothing. I am not sure if this is something to do with me being on a workgroup through a router at home? When I go to Network Places it tries to find my workgroup and obviously doesn't. All my testing has been via the command prompt using ping.

When connected, here are my ipconfig settings:
IP: 10.10.10.11
Sub: 255.255.255.255
Gateway: 10.10.10.11
DNS: 192.168.5.30 <- Win2003 Server
DNS: xxx.174.194.53 <- ISP DNS

Should I change my VPN pool? I had it at 192.168.100.0, but changed it when I started over to avoid confusion of old settings. So for your #2 suggestion, I would need to use 192.168.5.0? In all the things I have read from you, you have said to change them. Will the 192.168.100.0 work for what you are talking about?
Thanks Imoore

 

by: TonySeaward, posted on 2004-07-20 at 00:00:08, ID: 11590409

I found this, but I don't know if this is correct. Basically, put my VPN pool on the 192.168.5.0 subnet?

"I have managed to resolve this problem to a certain extent. If split tunneling is enabled on the PIX then the users can browse both the internet and the internal network at the same time. This does cause a security weakness in that the entire area protected by the firewall is then relying on the client for the same protection as the firewall. With a number of clients obviously the number of possible vulnerable points of entry onto the internal network increases. The solution was to use a proxy server on the inside (which we already have) to allow web access etc. to outside. We have not decided which solution we will use long term; it may partially depend on how easily our users can manage with setting and unsetting the proxy server depending on connection (and whether the automatic solution works satisfactorily).

The command for enabling the split tunneling was:
vpngroup vpngp3 split-tunnel 101"

 

by: TonySeaward, posted on 2004-07-20 at 00:03:58, ID: 11590430

Do I need to add a router to the mix? Or set my Win2003 server up as a proxy server? Basically, right now I just need to get Remote Desktop working; I can deal with getting the internet connection up and running later. So tomorrow I am going to try and change the VPN pool to the same subnet unless you say otherwise, Imoore; it is the only thing I haven't tried, because I read so much that said to separate them.

Or will the split tunneling make a difference? Or upgrading to the 6.3 and 3.0 versions for the PIX?

I am willing to try anything. I need this working by Thursday, so 2 days.

 

by: tim_holman, posted on 2004-07-20 at 07:03:19, ID: 11592931

> I am hoping I could get some input from Imoore since he seems to be the far and beyond expert.

He just types fast...    ;)

Also, what's vpdn?? Should be vpnd - is this a typo?

vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local VPNGroup
vpdn group PPTP-VPDN-GROUP client configuration dns win2003 xxx.174.194.53
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username arnvpn password *********
vpdn enable outside
vpdn enable inside

You only want vpnd enable OUTSIDE, and NOT inside.  Also, take out win2003 from this line:
vpnd group PPTP-VPDN-GROUP client configuration dns xxx.174.194.53

 

by: tim_holman, posted on 2004-07-20 at 07:10:17, ID: 11593001

This is normal:

IP: 10.10.10.11
Sub: 255.255.255.255
Gateway: 10.10.10.11
DNS: 192.168.5.30 <- Win2003 Server
DNS: xxx.174.194.53 <- ISP DNS

Does your internal network know that to reach 10.10.10.10-20 it MUST route via the internal interface of the PIX?
It's all very well giving your VPN clients a different pool of addresses, but if internal routers don't know about this, traffic will be forwarded to their default gateway, which is perhaps different from the PIX?

 

by: lrmoore, posted on 2004-07-20 at 07:24:47, ID: 11593157

You can use split-tunneling on VPNGROUP (IPSEC) only, not on vpdn group (PPTP)

>So for your #2 suggestion, i would need to 192.168.5.0? All of things i have read from you, you have said change them.
In your case, you may get by with using a local pool from that range, yes. I generally do not recommend it, and it may not work. I don't have access to a test PIX to try it out right now...

Tim has asked the fundamental question: Does your internal network know how to get to the 10.10.10.x subnet by routing to the PIX? Is the PIX the internal users default gateway?
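The check Tim and lrmoore are asking for above, as an added example (not code from the thread or from Cisco): a Python script that parses Windows route print output and a few PIX 6.x config lines, then reports whether a LAN host would send traffic for a VPN pool address to the PIX inside interface and whether the nat 0 ACL exempts that traffic from NAT; the same route lookup also shows what lrmoore's client-side static route does with the home client's table. The route tables and config lines are constructed from values posted in this thread, except OTHER_GW_ROUTE_PRINT, which is a made-up host whose default gateway is not the PIX.

```python
"""Checker for the PIX VPN pool questions in this thread (added example, not the posters' code).
Parses Windows 'route print' output and a few PIX 6.x config lines to tell whether a LAN host
sends return traffic for a pool address to the PIX inside interface, and whether the
'nat (inside) 0' ACL exempts that traffic from NAT. Sample data is constructed from the thread."""
import ipaddress
import re

_IP = r"\d+\.\d+\.\d+\.\d+"
# One "Active Routes" line of route print: destination netmask gateway interface metric
_ROUTE_RE = re.compile(rf"^\s*({_IP})\s+({_IP})\s+({_IP})\s+({_IP})\s+(\d+)\s*$")

def parse_route_print(text):
    """Return (network, gateway, interface, metric) tuples; headers and other lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                           ipaddress.ip_address(gw), ipaddress.ip_address(iface), int(metric)))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, lowest metric on ties; returns (gateway, interface) strings or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if dst in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), str(gw), str(iface))
    return None if best is None else best[1:]

def return_path(host_routes, pool_ip, pix_inside_ip):
    """How a LAN host reaches a pool address: 'via-pix' (routed to the PIX, pool is a separate
    subnet), 'on-link' (host ARPs for it, which only works if the PIX answers ARP for pool
    addresses taken from the LAN range), 'other-gateway' (Tim's failure case) or 'no-route'."""
    hit = lookup(host_routes, pool_ip)
    if hit is None:
        return "no-route"
    gw, iface = hit
    if gw == pix_inside_ip:
        return "via-pix"
    return "on-link" if gw == iface else "other-gateway"

def _endpoint(tokens, names):
    """Consume one ACL endpoint ('any', 'host X' or 'NET MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1])), tokens[2:]
    net = f"{names.get(tokens[0], tokens[0])}/{tokens[1]}"
    return ipaddress.ip_network(net, strict=False), tokens[2:]

def parse_pix_config(text):
    """Collect 'name' aliases, 'permit ip' ACL entries and the nat 0 ACL name."""
    cfg = {"names": {}, "acls": {}, "nat0": None}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["name"] and len(t) == 3:  # 'name' lines precede ACLs in PIX output
            cfg["names"][t[2]] = t[1]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = _endpoint(t[4:], cfg["names"])
            dst, _ = _endpoint(rest, cfg["names"])
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0"] = t[4]
    return cfg

def nat0_exempts(cfg, src_ip, dst_ip):
    """True if the nat 0 ACL matches src -> dst, so the PIX passes it to the VPN client un-NATed."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in cfg["acls"].get(cfg["nat0"], []))

# Station11's table as posted in the thread, trimmed to the routes that matter.
STATION11_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.5.1     192.168.5.7       20
      192.168.5.0    255.255.255.0      192.168.5.7     192.168.5.7       20
"""
# Constructed: a LAN host whose default gateway is another router, not the PIX.
OTHER_GW_ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0    192.168.5.254    192.168.5.99       20
      192.168.5.0    255.255.255.0     192.168.5.99    192.168.5.99       20
"""
# The home client with "use remote gateway" unchecked, as posted, trimmed.
CLIENT_ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0     192.168.10.1  192.168.10.107       20
      192.168.5.0    255.255.255.0    192.168.5.200   192.168.5.200       1
"""
# Pool-related lines of the first config posted (the win2003 server is not in the ACL).
PIX_CONFIG = """\
name 192.168.5.7 Station11
access-list inside_outbound_nat0_acl permit ip host Station11 10.10.10.0 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl
"""

if __name__ == "__main__":
    cfg = parse_pix_config(PIX_CONFIG)
    print("Station11 -> pool:", return_path(parse_route_print(STATION11_ROUTE_PRINT), "10.10.10.11", "192.168.5.1"))
    print("nat0 exempts Station11 -> pool:", nat0_exempts(cfg, "192.168.5.7", "10.10.10.11"))
    print("client -> Station11 via:", lookup(parse_route_print(CLIENT_ROUTE_PRINT), "192.168.5.7"))
```

Run it against a fuller route print and the complete nat 0 ACL to see which LAN hosts can and cannot answer a VPN client.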

 

by: TonySeaward, posted on 2004-07-20 at 10:57:32, ID: 11595461

Well, I will try and do the VPN pool change, because I am not sure how I would set this up:

"Does your internal network know how to get to the 10.10.10.x subnet by routing to the PIX?"

All I did was make up some random subnet to be different, and I saw a lot of examples that just used 10.10.10.0. I am not sure of the significance. But even if I need to have another subnet, I will use 192.168.6.0 as opposed to the 10 for simplicity. But first the same, then if that doesn't work, use the 192.168.6.0, and hopefully either of you could help me set it up so I can answer that question. Because I am assuming at this point the answer is no.

I was hoping to have the vpdn enable inside, so I could maybe connect to the VPN inside my network, but obviously it isn't working since I can't ping the external IP of the PIX. Isn't there a way I can set up a static NAT or anything to one machine for testing purposes at the office, since I do have more than one external IP address I can use? I wasn't completely clear if there is NO WAY of doing it or it is just not easy.

Still, my first priority is to get on the internal network, next SSH'ing in from home to test it and make changes, and then down the road internet access from within the VPN and even.

Either of you know what is wrong with my SSH issue? I put in the password I am asked for when I access the PDM or via console HyperTerminal, but is there a different default username and password for SSH?

 

by: lrmoore, posted on 2004-07-20 at 11:39:31, ID: 11595957

You still need to answer the basic question:
What is the default gateway of the hosts on your network that you are trying to access?
Can you post the results of
C:\>route print
from the Windows 2003 server?

If you can access the PIX from outside via the PDM GUI, then I would expect that you would also be able to SSH. Is your PuTTY client set up to accept SSHv1? I would expect it to be a client issue. I use the "free-for-personal-use" client from http://www.ssh.com/support/downloads/secureshellwks/non-commercial.html

 

by: tim_holman, posted on 2004-07-20 at 11:53:17, ID: 11596143

A diagram like this would help:

VPN Client
|
Internet
|
PIX
|
Internal Router
|
Inside

It's very difficult to understand topology just from plain text!   ;)

 

by: TonySeaward, posted on 2004-07-20 at 14:32:40, ID: 11597710

VPN Client -> D-Link Router -> Cable Modem -> DSL Modem -> PIX -> Linksys Hub -> Client Machines
                                                                                              |
                                                                                       Win2003 Server

And I cannot access the PDM GUI from outside. Never have.

Here is the route print from my machine inside the network, aka Station11 as it is labeled in the PIX config.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

H:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 b0 d0 e4 e1 d1 ...... 3Com 3C920 Integrated Fast Ethernet Controller (
3C905C-TX Compatible) - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.5.1     192.168.5.7       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.5.0    255.255.255.0      192.168.5.7     192.168.5.7       20
      192.168.5.7  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.5.255  255.255.255.255      192.168.5.7     192.168.5.7       20
        224.0.0.0        240.0.0.0      192.168.5.7     192.168.5.7       20
  255.255.255.255  255.255.255.255      192.168.5.7     192.168.5.7       1
Default Gateway:       192.168.5.1
===========================================================================
Persistent Routes:
  None

 

by: TonySeaward, posted on 2004-07-20 at 14:39:00, ID: 11597762

Per your advice, I removed win2003 (aka 192.168.5.30) from both DNS entries and switched the VPN pool to 192.168.5.200-210.

 

by: TonySeaward, posted on 2004-07-20 at 14:46:45, ID: 11597826

This is from the Win2003 server....

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator.SERVER.002>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 07 e9 3b 0a 0c ...... Intel(R) PRO/100 VE Network Connection - Network
 Load Balancing Filter Device
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.5.1     192.168.5.30     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.5.0    255.255.255.0     192.168.5.30     192.168.5.30     20
     192.168.5.30  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.5.255  255.255.255.255     192.168.5.30     192.168.5.30     20
        224.0.0.0        240.0.0.0     192.168.5.30     192.168.5.30     20
  255.255.255.255  255.255.255.255     192.168.5.30     192.168.5.30      1
Default Gateway:       192.168.5.1
===========================================================================
Persistent Routes:
  None

 

by: TonySeaward, posted on 2004-07-20 at 16:01:48, ID: 11598308

Well, tried it, no luck. Here is the route print with the gateway box unchecked, and below it the one with it checked, from my home machine. 192.168.10.0 is my subnet at home. Obviously I could connect to the internet with no problem, but still can't ping anything through the VPN.


C:\Documents and Settings\Red Vs Blue>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 30 1b 3a 4b 02 ...... NVIDIA nForce MCP Networking Controller - Packet
 Scheduler Miniport
0x120004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1  192.168.10.107       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.5.0    255.255.255.0    192.168.5.200   192.168.5.200       1
    192.168.5.200  255.255.255.255        127.0.0.1       127.0.0.1       50
    192.168.5.255  255.255.255.255    192.168.5.200   192.168.5.200       50
     192.168.10.0    255.255.255.0   192.168.10.107  192.168.10.107       20
   192.168.10.107  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.10.255  255.255.255.255   192.168.10.107  192.168.10.107       20
  216.210.150.146  255.255.255.255     192.168.10.1  192.168.10.107       20
        224.0.0.0        240.0.0.0    192.168.5.200   192.168.5.200       50
        224.0.0.0        240.0.0.0   192.168.10.107  192.168.10.107       20
  255.255.255.255  255.255.255.255   192.168.10.107  192.168.10.107       1
Default Gateway:      192.168.10.1
===========================================================================
Persistent Routes:
  None


This is with the gateway checkbox checked.
C:\Documents and Settings\Red Vs Blue>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 30 1b 3a 4b 02 ...... NVIDIA nForce MCP Networking Controller - Packet
 Scheduler Miniport
0x140004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.5.200   192.168.5.200       1
          0.0.0.0          0.0.0.0     192.168.10.1  192.168.10.107       21
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.5.200  255.255.255.255        127.0.0.1       127.0.0.1       50
    192.168.5.255  255.255.255.255    192.168.5.200   192.168.5.200       50
     192.168.10.0    255.255.255.0   192.168.10.107  192.168.10.107       20
   192.168.10.107  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.10.255  255.255.255.255   192.168.10.107  192.168.10.107       20
  216.210.150.146  255.255.255.255     192.168.10.1  192.168.10.107       20
        224.0.0.0        240.0.0.0   192.168.10.107  192.168.10.107       20
        224.0.0.0        240.0.0.0    192.168.5.200   192.168.5.200       1
  255.255.255.255  255.255.255.255   192.168.10.107  192.168.10.107       1
Default Gateway:     192.168.5.200
===========================================================================
Persistent Routes:
  None

 

by: TonySeaward, posted on 2004-07-20 at 16:09:47, ID: 11598342

Tried to SSH, still getting password denied. For username I put admin, but I never put one in when I connect via console or PDM; it is just blank and I put in a password.

 

by: geoffryn, posted on 2004-07-20 at 16:14:09, ID: 11598366

User name should be PIX.

 

by: lrmoore, posted on 2004-07-20 at 16:14:40, ID: 11598370

Can you paste your current running
access-list inside_outbound_nat0_acl

I know we have to be close on this....

> cannot access the PDM Gui from outside
Sorry, I thought you could.
Do you just get a "page cannot be displayed", or do you get a security alert popup?
If you get a username/login prompt, try logging in with a blank username and the enable password
Same with SSH - blank username, enable password

This link may help
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml

 

by: lrmoore, posted on 2004-07-20 at 16:16:17 (ID: 11598376)

>http xxx.210.150.144 255.255.255.248 outside

This entry is the equivalent of an access list for https access.
Make sure you have an entry for yourself like this:

http HomeIP 255.255.255.255 outside

 

by: TonySeaward, posted on 2004-07-20 at 18:23:21 (ID: 11598971)

This is the current config. Not sure if this is important, but the outside interface is xxx.210.150.145, and that is the only IP we use. The 150.144 we have, but don't use, so I switched that and did put the http as my HomeIP.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.5.30 win2003
name xxx.210.150.146 pix-out
name 192.168.5.1 pix-in
name xxx.17.164.57 HomeIP
name xxx.96.240.50 PeaceHealth
name 192.168.5.21 Station21
name 192.168.5.7 Station11
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 xxx.96.64.0 255.255.224.0
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 xxx.96.64.0 255.255.224.0
access-list inside_outbound_nat0_acl permit ip host Station21 192.168.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host Station11 192.168.5.0 255.255.255.0
pager lines 50
logging on
logging console debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside pix-out 255.255.255.248
ip address inside pix-in 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNGroup 192.168.5.200-192.168.5.210
pdm location 192.168.5.0 255.255.255.0 inside
pdm location xxx.210.150.0 255.255.255.0 outside
pdm location xxx.210.150.144 255.255.255.248 outside
pdm location xxx.96.64.0 255.255.224.0 outside
pdm location HomeIP 255.255.255.255 outside
pdm location Station11 255.255.255.255 inside
pdm location Station21 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.210.150.145 1
route outside xxx.96.64.0 255.255.224.0 xxx.210.150.145 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http HomeIP 255.255.255.255 outside
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside pix-out c:\temp\tftp
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer PeaceHealth
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address PeaceHealth netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup arnvpn address-pool VPNGroup
vpngroup arnvpn dns-server xxx.174.194.53
vpngroup arnvpn default-domain arnw.local
vpngroup arnvpn idle-time 1800
vpngroup arnvpn password ********
telnet timeout 5
ssh HomeIP 255.255.255.255 outside
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local VPNGroup
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username arnvpn password *********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.5.5-192.168.5.29 inside
dhcpd dns xxx.174.194.53 xxx.174.194.54
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain callatg.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 100
Cryptochecksum:9fefc77bb2902ce129b2ec6a247dbaee
: end

 

by: TonySeaward, posted on 2004-07-21 at 01:29:55 (ID: 11600442)

Good news... I am typing this right now Remote Desktop'd in. However, there is a problem. When I was pinging IPs once connected to the VPN, I couldn't ping 192.168.5.1 or 192.168.5.30. Shouldn't I be able to ping these for sure? What's that about? We are almost through... WoOHoO! Thanks so much so far.

 

by: TonySeaward, posted on 2004-07-21 at 01:40:35 (ID: 11600497)

What I hope to do is be able to access just the server for some shared drives without having to completely remote desktop, if that is possible. It seems as though it would. So now I just need to refine things and make them cleaner. Or should I make a new question to give ya the points and then move on to the little things? Let me know.

 

by: tim_holman, posted on 2004-07-21 at 02:34:55 (ID: 11600737)

I'm lost... what exactly is the problem now?
Are PPTP clients working OK?
I don't think PING will work with this configuration, as replies from 192.168.5.1 and 192.168.5.30 are going to hit the local subnet, and aren't going to route out via the VPN tunnel, as locally attached subnets take priority during routing.

It would have been useful to put some real IP addresses in the diagram to aid troubleshooting:

VPN Client -> D-Link Router -> Cable Modem -> DSL Modem -> PIX -> Linksys Hub -> Client Machines / W2K Server

Let us know if you need more help...

 

by: lrmoore, posted on 2004-07-21 at 05:08:42 (ID: 11601674)

Yes, you can access the shared drives on the server over the vpn.
If you can't get that working, post a new question for that issue.

 

by: TonySeaward, posted on 2004-07-21 at 16:01:08 (ID: 11607923)

I posted a new thread about refining those details, but as far as fixing, I think it might have been the same IP pool for the VPN, since the routing wasn't working right? I dunno, if you guys could tell me? However, today I tried connecting via dial-up on the VPN and was back at square one: getting an IP, but still couldn't access anything on the network, so I dunno if it was having my Home IP address set up somewhere, but I don't think so. HTTP, SSH and PDM commands wouldn't do that, would they? I need the VPN open to any IP address since there will be a lot of moving and never knowing the exact IP.

 

by: TonySeaward, posted on 2004-07-21 at 16:08:22 (ID: 11607967)

VPN Client (192.168.5.200 [VPN] & 192.168.10.107) -> D-Link Router (192.168.10.1) -> Cable Modem (xxx.17.164.57) -> DSL Modem (xxx.210.150.146) -> PIX (192.168.5.1) -> Client Machines (192.168.5.7) / W2003 Server (192.168.5.30)

This is the config setup I was using that seemed to work.
What does NOT work now is:
VPN Client (192.168.5.200 [VPN] & 66.109.196.233 [Dialup]) -> DSL Modem (xxx.210.150.146) -> PIX (192.168.5.1) -> Client Machines (192.168.5.7) / W2003 Server (192.168.5.30)

Hmpf... I dunno..

 

by: TonySeaward, posted on 2004-07-21 at 17:34:52 (ID: 11608381)

Never mind, it is working; it was a DHCP problem changing the IPs around on me and thus not working. Still need access to shared folders and Network Places when just VPN'd. Any thoughts?

 

by: lrmoore, posted on 2004-07-21 at 18:12:39 (ID: 11608556)

Use LMHOSTS or WINS for shared folders/network places...
Not much of an alternative unless you have DDNS and/or WINS setup on your servers.

 

by: tim_holman, posted on 2004-07-22 at 00:12:52 (ID: 11609844)

You will always run into problems if you have identical IP subnets at the client end and network end BEFORE the VPN comes up, so this configuration would be problematic:

VPN Client (192.168.5.200 [VPN] & 192.168.10.107) -> D-Link Router (192.168.10.1) -> Cable Modem (xxx.17.164.57)-> DSL Modem (xxx.210.150.146) -> PIX (192.168.5.1) -> Client Machines (192.168.5.7) / W2003 Server (192.168.5.30)

To get round this, either change the remote client IP range, or use NAT on the PIX to translate its own network to something else.

 

by: TonySeaward, posted on 2004-07-22 at 16:59:40 (ID: 11617835)

I have WINS running on the Win2003 server, but still nothing. Not sure if I understand exactly how to use LMHOSTS, but I'll try to set it up.

Tim, the reason we are using the same subnet is because it wasn't working beforehand. So I dunno. I am willing to try anything; if you can give some examples of how you would do it, that would be nice.

 

by: TonySeaward, posted on 2004-07-23 at 11:08:11 (ID: 11623961)

I'm putting in:
access-list inside_outbound_nat0_acl permit ip host Win2003 192.168.5.0 255.255.255.0
So maybe once they can get access to the server, they can then resolve. I dunno, makes sense, I'll give it a shot.

 

by: tim_holman, posted on 2004-07-25 at 05:05:22 (ID: 11631482)

You're only letting the Win2003 host access to 192.168.5.0 by doing this?
Anyway, this question's closed now. If you need more help, it's probably best to kick off another, so others get the chance to help out too! :)

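An added example, written for this page and not taken from any post: a small checker for the two conditions the thread circles around in the posted PIX 6.2 config, namely whether the `ip local pool` range sits inside the inside interface's subnet (the overlap tim_holman warns about and TonySeaward suspects), and which inside hosts the `nat (inside) 0` exemption ACL actually covers for traffic to the pool (the gap TonySeaward's Win2003 line is meant to close, and what tim_holman's last question is about). The sample config is constructed from the lines posted above, with the masked public addresses replaced by the RFC 5737 documentation network 198.51.100.0/24; the parser only understands the `name`, `access-list ... permit ip`, `ip address inside`, `ip local pool` and `nat (inside) 0 access-list` forms used in that config.

```python
"""Check a PIX 6.x config for VPN-pool overlap and nat 0 coverage (added example)."""
import ipaddress
import re

# Constructed sample: the relevant lines from the config posted in this thread.
# The site-to-site peer network (masked as xxx.96.64.0 above) is replaced by a
# documentation address so the sample parses.
SAMPLE_CONFIG = """\
name 192.168.5.30 win2003
name 192.168.5.1 pix-in
name 192.168.5.21 Station21
name 192.168.5.7 Station11
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host Station21 192.168.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host Station11 192.168.5.0 255.255.255.0
ip address inside pix-in 255.255.255.0
ip local pool VPNGroup 192.168.5.200-192.168.5.210
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# The entry TonySeaward said he was adding, using the label as defined above.
PROPOSED_FIX = "access-list inside_outbound_nat0_acl permit ip host win2003 192.168.5.0 255.255.255.0\n"


def parse_names(cfg):
    """Map 'name <ip> <label>' entries so labels in later lines resolve to addresses."""
    return {label: ip for ip, label in re.findall(r"^name (\S+) (\S+)$", cfg, re.M)}


def _addr(tokens, names):
    """Consume one PIX address spec ('any', 'host X' or 'X MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{names.get(tokens[0], tokens[0])}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_acls(cfg, names):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries only."""
    acls = {}
    for acl, body in re.findall(r"^access-list (\S+) permit ip (.+)$", cfg, re.M):
        tokens = body.split()
        src, tokens = _addr(tokens, names)
        dst, _ = _addr(tokens, names)
        acls.setdefault(acl, []).append((src, dst))
    return acls


def inside_subnet(cfg, names):
    """Subnet of the inside interface, resolving a 'name' label if one is used."""
    ip, mask = re.search(r"^ip address inside (\S+) (\S+)$", cfg, re.M).groups()
    return ipaddress.ip_network(f"{names.get(ip, ip)}/{mask}", strict=False)


def vpn_pool(cfg):
    """Every address in the first 'ip local pool' range."""
    first, last = re.search(r"^ip local pool \S+ (\S+)-(\S+)$", cfg, re.M).groups()
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [ipaddress.ip_address(i) for i in range(lo, hi + 1)]


def pool_overlaps_inside(cfg):
    """True when any pool address falls inside the inside interface's subnet."""
    inside = inside_subnet(cfg, parse_names(cfg))
    return any(addr in inside for addr in vpn_pool(cfg))


def nat_exempt_to_pool(cfg, hosts):
    """For each inside host (label or IP): is its traffic to every pool address NAT-exempt?"""
    names = parse_names(cfg)
    match = re.search(r"^nat \(inside\) 0 access-list (\S+)$", cfg, re.M)
    entries = parse_acls(cfg, names).get(match.group(1), []) if match else []
    pool = vpn_pool(cfg)
    result = {}
    for host in hosts:
        h = ipaddress.ip_address(names.get(host, host))
        result[host] = all(any(h in src and p in dst for src, dst in entries) for p in pool)
    return result


if __name__ == "__main__":
    print("pool overlaps inside subnet:", pool_overlaps_inside(SAMPLE_CONFIG))
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with proposed fix", SAMPLE_CONFIG + PROPOSED_FIX)):
        print(label, nat_exempt_to_pool(cfg, ["Station21", "Station11", "win2003"]))
```

Run against the posted lines, the first check reports True (192.168.5.200-210 lies in 192.168.5.0/24) and the second reports Station21 and Station11 exempt but win2003 not: the two workstation entries match only those source hosts, so the server's replies to pool addresses fall through to the `nat (inside) 1` rule and get translated to the outside interface address. Appending the proposed Win2003 line flips that host to exempt, which is all it does; it does not widen access for anyone else, which answers the question in the last post. Whether an in-subnet pool is itself a fault on this PIX release is left where the thread leaves it; the checker only surfaces the condition so it can be reviewed.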