We recently closed down one of our offices and had to move people to the local PIX for VPN access. The issue I am having is that I can ping and access the VPN clients, but they cannot access the local LAN. I can even connect to them via remote desktop, but if I try to ping back the other way, even to the same machine I initiated the remote desktop connection from, I get nothing. No ping, no web access, no nothing. Below is the configuration straight from the PIX with identities and IP addresses changed.
: Saved
:
PIX Version 8.0(3)
!
hostname Somewhere-pix
domain-name someplace.org
enable password secret encrypted
names
name 10.2.2.0 Somewhere_VPN description Somewhere VPN IP Addresses
name 192.168.2.200 Bigbox_Internal description Bigbox Internal IP Address
name 215.23.37.112 Herenorthere_Internal description Here Nor There Internal IP Addresses
name 192.168.0.0 Fred_Internal description Fred Internal IP Addresses
name 10.2.1.0 Fred_VPN description Fred VPN IP Addresses
name 214.22.36.203 Barracuda_External description Barracuda Spam Filter - External IP
name 192.168.2.3 Barracuda_Internal description Barracuda Spam Filter Internal IP
name 192.168.2.203 Lilbox_Internal description Linux Box Internal
name 214.22.36.206 Bigbox_External description Bigbox External IP Address
name 214.22.36.205 Lilbox_External description Lilbox Server
name 214.22.36.204 PDC_External description Brett's Laptop External IP
name 192.168.2.205 PDC_Internal description PDC
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 214.22.36.202 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
passwd secret encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name someplace.org
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list nonat remark Here Nor There Internal IP Addresses
access-list nonat remark Turn off NAT for theses addresses
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 Herenorthere_Internal 255.255.255.240
access-list nonat remark Fred VPN IP Addresses
access-list nonat remark Turn off NAT for theses addresses
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 Fred_VPN 255.255.255.0
access-list nonat remark Fred Internal IP Addresses
access-list nonat remark Turn off NAT for theses addresses
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 Fred_Internal 255.255.255.0
access-list outside_access_in remark Allow ICMP to any host
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark Port Mapping for WEB to Bigbox
access-list outside_access_in remark Allows WEB Service request to be passed on to server.
access-list outside_access_in extended permit tcp any host PDC_External eq www
access-list outside_access_in remark Port Mapping for SSL to Bigbox
access-list outside_access_in remark Allows SSL Service request to be passed on to server.
access-list outside_access_in extended permit tcp any host PDC_External eq https
access-list outside_access_in remark Port Mapping for IMAP4 to Bigbox
access-list outside_access_in remark Allows IMAP4 Service request to be passed on to server.
access-list outside_access_in extended permit tcp any host PDC_External eq imap4
access-list outside_access_in remark Port Mapping for POP3 to Bigbox
access-list outside_access_in remark Allows POP3 Service request to be passed on to server.
access-list outside_access_in extended permit tcp any host PDC_External eq pop3
access-list outside_access_in remark Port Mapping for SMTP to Barracuda
access-list outside_access_in remark Allows SMTP Service request to be passed on to server.
access-list outside_access_in extended permit tcp any host Barracuda_External eq smtp
access-list outside_access_in remark FTP
access-list outside_access_in extended permit tcp any host Bigbox_External eq ftp
access-list outside_access_in remark Remote Desktop
access-list outside_access_in extended permit tcp any host Lilbox_External eq 3389
access-list outside_access_in remark Remote Desktop
access-list outside_access_in extended permit object-group TCPUDP any host PDC_External eq domain
access-list split-tunnel remark Somewhere LAN
access-list split-tunnel standard permit 192.168.2.0 255.255.255.0
access-list split-tunnel remark Here nor there LAN
access-list split-tunnel standard permit Herenorthere_Internal 255.255.255.240
access-list split-tunnel remark Fred LAN
access-list split-tunnel standard permit Fred_Internal 255.255.255.0
access-list split-tunnel remark Fred VPN
access-list split-tunnel standard permit Fred_VPN 255.255.255.0
access-list Herenorthere remark Somewhere Internal IP Addresses
access-list Herenorthere remark Route matching addresses to Here Nor There Router
access-list Herenorthere extended permit ip 192.168.2.0 255.255.255.0 Herenorthere_Internal 255.255.255.240
access-list Herenorthere remark Somewhere VPN IP Addresses
access-list Herenorthere remark Route matching addresses to Here Nor There Router
access-list Herenorthere extended permit ip Somewhere_VPN 255.255.255.0 Herenorthere_Internal 255.255.255.240
access-list outside_4_cryptomap remark Somewhere Internal IP Addresses
access-list outside_4_cryptomap remark Route matching addresses to Fred PIX
access-list outside_4_cryptomap extended permit ip 192.168.2.0 255.255.255.0 Fred_Internal 255.255.255.0
access-list outside_4_cryptomap remark Somewhere VPN IP Addresses
access-list outside_4_cryptomap remark Route matching addresses to Here Nor There Router
access-list outside_4_cryptomap extended permit ip Somewhere_VPN 255.255.255.0 Fred_VPN 255.255.255.0
access-list outside_4_cryptomap remark Somewhere VPN IP Addresses
access-list outside_4_cryptomap remark Route matching addresses to Fred PIX
access-list outside_4_cryptomap extended permit ip 192.168.2.0 255.255.255.0 Fred_VPN 255.255.255.0
access-list outside_nat0_outbound extended permit ip Somewhere_VPN 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound remark Somewhere VPN IP Addresses
access-list inside_nat0_outbound remark Turn off NAT for these addresses
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 Somewhere_VPN 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm warnings
logging from-address Somewhere-pix@somewhere.com
logging recipient-address Fred@somewhere.com level errors
mtu outside 1500
mtu inside 1500
ip local pool vpn 10.2.2.1-10.2.2.254 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound outside
nat (inside) 0 access-list nonat
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 192.168.2.0 255.255.255.0
static (inside,outside) Bigbox_External Bigbox_Internal netmask 255.255.255.255
static (inside,outside) Lilbox_External Lilbox_Internal netmask 255.255.255.255
static (inside,outside) Barracuda_External Barracuda_Internal netmask 255.255.255.255
static (inside,outside) PDC_External PDC_Internal netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 214.22.36.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server ADUsers protocol radius
aaa-server ADUsers host PDC_Internal
key weeks-vpn
authentication-port 6969
accounting-port 6970
radius-common-pw weeks-vpn
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication telnet console ADUsers LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 36000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto map mymap 2 match address Herenorthere
crypto map mymap 2 set pfs
crypto map mymap 2 set peer 164.251.12.1
crypto map mymap 2 set transform-set ESP-DES-MD5
crypto map mymap 4 match address outside_4_cryptomap
crypto map mymap 4 set pfs
crypto map mymap 4 set peer 164.12.12.12
crypto map mymap 4 set transform-set ESP-3DES-MD5
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 12
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 1
console timeout 0
management-access inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics
ntp server 192.168.2.30 source inside prefer
group-policy DfltGrpPolicy attributes
wins-server value 192.168.2.205 192.168.2.206
dns-server value 192.168.2.205 192.168.2.206
default-domain value somewhere.org
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value vpn
username Fred password secret encrypted privilege 15
tunnel-group 164.251.12.1 type ipsec-l2l
tunnel-group 164.251.12.1 ipsec-attributes
pre-shared-key *
tunnel-group 164.12.12.12 type ipsec-l2l
tunnel-group 164.12.12.12 ipsec-attributes
pre-shared-key *
tunnel-group weeks-vpn type remote-access
tunnel-group weeks-vpn general-attributes
authentication-server-group ADUsers LOCAL
accounting-server-group ADUsers
dhcp-server PDC_Internal
dhcp-server 192.168.2.206
password-management
tunnel-group weeks-vpn ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
smtp-server 192.168.2.200 192.168.4.7
prompt hostname context
Cryptochecksum:ef2cbacc435cd779b04264d68a5b6219
: end
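An added checker (not from the post or the PIX itself) that parses the `name`, `access-list`, `nat 0` and `ip local pool` lines of the configuration above and reports, for each nat 0 list on the inside interface, whether LAN-to-VPN-pool traffic is exempted from NAT; a flow that is not exempted falls through to `nat (inside) 1`, is PAT'd to the outside address, and then no longer matches the VPN client's tunnel selectors, which is the classic cause of one-way reachability. The excerpt embedded in the code is constructed from the posted config, and the `lan` default is the inside subnet from the post.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt of the posted PIX config (names/addresses as given in the post).
CONFIG = """
name 10.2.2.0 Somewhere_VPN description Somewhere VPN IP Addresses
name 192.168.0.0 Fred_Internal description Fred Internal IP Addresses
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 Fred_Internal 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 Somewhere_VPN 255.255.255.0
ip local pool vpn 10.2.2.1-10.2.2.254 mask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 192.168.2.0 255.255.255.0
"""

def parse(cfg):
    """Collect name aliases, extended ip ACL entries, nat 0 lists per interface, and VPN pools."""
    names, acls, nat0, pools = {}, defaultdict(list), defaultdict(list), []
    for line in cfg.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "name":                       # name <ip> <alias> ...
            names[w[2]] = w[1]
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            src = ipaddress.ip_network(f"{names.get(w[5], w[5])}/{w[6]}", strict=False)
            dst = ipaddress.ip_network(f"{names.get(w[7], w[7])}/{w[8]}", strict=False)
            acls[w[1]].append((src, dst))
        elif w[0] == "nat" and w[2] == "0" and w[3] == "access-list":
            nat0[w[1].strip("()")].append(w[4])  # nat (ifc) 0 access-list <acl> [outside]
        elif w[:3] == ["ip", "local", "pool"]:   # ip local pool <name> a-b mask <m>
            pools.append(ipaddress.ip_network(f"{w[4].split('-')[0]}/{w[6]}", strict=False))
    return names, acls, nat0, pools

def check_nat_exemption(cfg, lan="192.168.2.0/24", ifc="inside"):
    """Return (findings, exempt): exempt[(acl, pool)] is True when lan -> pool is in that nat 0 ACL."""
    _, acls, nat0, pools = parse(cfg)
    lan = ipaddress.ip_network(lan)
    findings, exempt = [], {}
    if len(nat0[ifc]) > 1:
        findings.append(f"{ifc} has several nat 0 access-lists {nat0[ifc]}; confirm which one is applied")
    for pool in pools:
        for acl in nat0[ifc]:
            ok = any(lan.subnet_of(s) and pool.subnet_of(d) for s, d in acls[acl])
            exempt[(acl, str(pool))] = ok
            if not ok:
                findings.append(f"{acl} does not exempt {lan} -> {pool}: traffic would hit nat ({ifc}) 1 "
                                "and no longer match the VPN client's tunnel selectors")
    return findings, exempt
```

Run against the posted config the checker shows that `nonat`, the inside exemption list without the `outside` keyword, covers only the Fred networks and not the 10.2.2.0/24 client pool, so the next thing to confirm on the box is which exemption list is actually applied to the inside interface.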