daxa78
asked on
VPN Question... unable to ping hosts + Nat traversal
Hello i have setup a VPN connection on a PIX 501 im able to connect to the host using cisco vpn client 4.6.
Im able to connect but i can not ping any hosts on the remote network.
But if i add this line it works great
isakmp nat-traversal 20
Why is that ? I have a singe client to pix vpn setup
This is my config:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list smtp permit tcp any host 198.213.42.114 eq smtp
access-list 101 permit ip 192.100.10.0 255.255.255.0 192.100.11.0 255.255.255.0
pager lines 24
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.100.10.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.100.11.240-192.100.11.
pdm location 192.100.10.0 255.255.255.0 inside
pdm location 192.9.2.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.100.10.100 smtp netmask 255.255.255.255 0 0
access-group smtp in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.9.2.0 255.255.255.0 inside
http 192.100.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set vpn
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn address-pool ippool
vpngroup vpn dns-server 192.100.10.100
vpngroup vpn default-domain bjoroey.local
vpngroup vpn split-tunnel 101
vpngroup vpn idle-time 1800
vpngroup vpn password ********
telnet timeout 5
ssh 213.184.206.164 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname 0000a@online.no
vpdn group pppoe_group ppp authentication pap
vpdn username xxx@online.no password *********
terminal width 80
Cryptochecksum:732a9f6fa88
: end
Im able to connect but i can not ping any hosts on the remote network.
But if i add this line it works great
isakmp nat-traversal 20
Why is that ? I have a singe client to pix vpn setup
This is my config:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list smtp permit tcp any host 198.213.42.114 eq smtp
access-list 101 permit ip 192.100.10.0 255.255.255.0 192.100.11.0 255.255.255.0
pager lines 24
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.100.10.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.100.11.240-192.100.11.
pdm location 192.100.10.0 255.255.255.0 inside
pdm location 192.9.2.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.100.10.100 smtp netmask 255.255.255.255 0 0
access-group smtp in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.9.2.0 255.255.255.0 inside
http 192.100.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set vpn
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn address-pool ippool
vpngroup vpn dns-server 192.100.10.100
vpngroup vpn default-domain bjoroey.local
vpngroup vpn split-tunnel 101
vpngroup vpn idle-time 1800
vpngroup vpn password ********
telnet timeout 5
ssh 213.184.206.164 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname 0000a@online.no
vpdn group pppoe_group ppp authentication pap
vpdn username xxx@online.no password *********
terminal width 80
Cryptochecksum:732a9f6fa88
: end
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
What I'm saying is, if you have a setup like the example below, you don't need to configure NAT-traversal (using "isakmp nat-traversal 20") on the target PIX you're trying to establish a VPN connection to:
PIX VPN "server" <--> Internet <--> DSL/cable *modem* <-> VPN client PC (IP is 1.2.3.4, for example)
But since the vast majority of people are behind a device performing NAT/PAT, you might as well leave NAT-traversal enabled on the "PIX VPN server" in case you do need to connect from a PC behind a NAT device, such as in the example below:
PIX VPN "server" <--> Internet <--> [outside IP is: 1.2.3.4] DSL/cable *router/firewall* [inside IP is: 192.168.2.1] <-> VPN client PC (IP is 192.168.2.5)
If you're not able to ping any IPs behind the target PIX, & since you're allowing "split tunneling" on your PIX, you should create a separate ACL for the VPN client(s), for example:
access-list split_acl permit ip 192.100.10.0 255.255.255.0 192.100.11.0 255.255.255.0
vpngroup vpn split-tunnel split_acl
BTW, if possible, you should upgrade your PIX to at least 6.3(4) or 6.3(5) - your PIX is running the much older 6.3(1), which has quite a few bugs in many areas.
cheers
PIX VPN "server" <--> Internet <--> DSL/cable *modem* <-> VPN client PC (IP is 1.2.3.4, for example)
But since the vast majority of people are behind a device performing NAT/PAT, you might as well leave NAT-traversal enabled on the "PIX VPN server" in case you do need to connect from a PC behind a NAT device, such as in the example below:
PIX VPN "server" <--> Internet <--> [outside IP is: 1.2.3.4] DSL/cable *router/firewall* [inside IP is: 192.168.2.1] <-> VPN client PC (IP is 192.168.2.5)
If you're not able to ping any IPs behind the target PIX, & since you're allowing "split tunneling" on your PIX, you should create a separate ACL for the VPN client(s), for example:
access-list split_acl permit ip 192.100.10.0 255.255.255.0 192.100.11.0 255.255.255.0
vpngroup vpn split-tunnel split_acl
BTW, if possible, you should upgrade your PIX to at least 6.3(4) or 6.3(5) - your PIX is running the much older 6.3(1), which has quite a few bugs in many areas.
cheers
ASKER
Thanks a lot :-)
You're welcome!
ASKER