Solved

Another PIX problem

Posted on 2003-02-25
Last Modified: 2010-03-19
I am having a nightmare with this issue.

Clients running Cisco VPN Client Version 3 are having problems with IP connectivity once a tunnel is established. I have checked the routes and they seem OK.

That leaves ACLs, but I have the sysopt connection permit-ipsec command on the PIX. This command is supposed to allow IPsec traffic to bypass the ACL, right?

I tried to replicate the issue on my network. The VPN client connects, but there is no IP connectivity; when I used the new sysopt ipsec pl-compatible command, IP connectivity was OK, suggesting again that, at least on my network, routing is fine.

VPN connection + IP connectivity should work without this sexy command (sysopt ipsec pl-compatible). I don't want to deploy this command on customers' networks because it bypasses the PIX ASA, etc.

Everyone, any suggestions?

Frustrated Chrisi
Question by:chrisi_uk
 

Expert Comment

by:lrmoore
ID: 8016330
What version PIX OS? 6.x?
Yes, sysopt connection permit-ipsec bypasses ACLs, but not NAT. sysopt ipsec pl-compatible bypasses NAT and the ASA.
To get around it, you need to use a nat 0 setup, example:

inside LAN = 192.168.223.0
VPN IP pool = 192.168.234.0

access-list no_nat permit ip 192.168.223.0 255.255.255.0 192.168.234.0 255.255.255.0
nat (inside) 0 access-list no_nat

 

Author Comment

by:chrisi_uk
ID: 8017769
Thanks lrmoore,

I am using ver 6.1(2) and I already have the nat 0 implemented. Below is my config:
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list dmzinbound permit icmp any host 200.1.1.99
access-list dmzinbound permit tcp any host 200.1.1.99
access-list dmzinbound permit udp any host 200.1.1.99
access-list nonat permit ip 10.48.66.0 255.255.254.0 10.48.67.0 255.255.255.0
access-list inbound permit ip host 10.48.67.1 host 192.168.10.3
access-list inbound permit tcp host 10.48.67.1 host 192.168.10.3 eq 3389
pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
interface ethernet2 10full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 200.1.1.1 255.255.255.0
ip address inside 10.48.66.18 255.255.254.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.48.67.1-10.48.67.20
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 200.1.1.100-200.1.1.110
global (outside) 2 200.1.1.111-200.1.1.120
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 2 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 200.1.1.99 10.48.66.99 netmask 255.255.255.255 0 0
static (inside,outside) 200.1.1.121 10.48.66.102 netmask 255.255.255.255 0 0
access-group dmzinbound in interface dmz
route inside 192.168.10.0 255.255.255.0 10.48.66.19 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthInBound protocol tacacs+
aaa-server AuthInBound (inside) host 10.48.66.102 cisco timeout 10
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map mymap 20 set transform-set myset
crypto map chris 20 ipsec-isakmp dynamic mymap
crypto map chris client configuration address initiate
crypto map chris client configuration address respond
crypto map chris interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3 address-pool ippool
vpngroup vpn3 idle-time 1800
vpngroup vpn3 password ********
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:90c8fbcded5ddf0215c29a2acfe09978
: end
[OK]

Regards
Chris

Accepted Solution

by: lrmoore (earned 800 total points)
ID: 8018206
>ip address dmz 127.0.0.1 255.255.255.255

I hope you don't have anything connected to this interface..

>access-list nonat permit ip 10.48.66.0 255.255.254.0 10.48.67.0 255.255.255.0

Part of the problem may be that your IPPOOL for VPN is a subset of the local LAN.
10.48.66.0 255.255.254.0 includes addresses through 10.48.67.254, and this could be why you have routing issues, but not a problem establishing the connection.
I like to set up the VPN ippool as a totally separate subnet, say 192.168.122.0. That way, the no_nat ACL makes sense.
Also, the VPN client's local LAN interface cannot be on the same 10.48.66.0 network.

I also don't see this command in your config. It is mandatory:

sysopt connection permit-ipsec
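An added check, not part of the thread and not Cisco's or either poster's code, that encodes the points made in lrmoore's two replies above: the nat 0 exemption for inside-LAN to pool traffic from the first reply, and the pool/LAN overlap plus the missing sysopt connection permit-ipsec line from the accepted answer. It parses the handful of relevant lines from the config pasted in the thread and from a hypothetical corrected fragment that follows the 192.168.122.0 suggestion; the corrected pool range and nat 0 ACL entry are assumptions, not something the thread shows.

```python
"""Sanity checks for a PIX 6.x remote-access VPN layout.

Added example for this thread; not Cisco's code and not the poster's.
It parses only the handful of config lines the checks need.
"""
import ipaddress
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed from the config pasted in the thread (only the lines that
# matter here are reproduced).
POSTED_CONFIG = """\
access-list nonat permit ip 10.48.66.0 255.255.254.0 10.48.67.0 255.255.255.0
access-list inbound permit ip host 10.48.67.1 host 192.168.10.3
ip address inside 10.48.66.18 255.255.254.0
ip local pool ippool 10.48.67.1-10.48.67.20
nat (inside) 0 access-list nonat
no sysopt route dnat
vpngroup vpn3 address-pool ippool
"""

# Hypothetical corrected fragment following the accepted answer: pool moved
# to a separate subnet (192.168.122.0 was the suggestion), the nat 0 ACL
# rewritten to match it, and sysopt connection permit-ipsec present.
FIXED_CONFIG = """\
access-list nonat permit ip 10.48.66.0 255.255.254.0 192.168.122.0 255.255.255.0
ip address inside 10.48.66.18 255.255.254.0
ip local pool ippool 192.168.122.1-192.168.122.20
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
vpngroup vpn3 address-pool ippool
"""


def parse_config(text):
    """Pull the inside subnet, VPN pool, ACL entries, nat 0 binding and sysopt flag."""
    cfg = {"inside": None, "pool": None, "acl": {}, "nat0_acl": None,
           "permit_ipsec": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(rf"ip address inside {IP} {IP}", line):
            cfg["inside"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.fullmatch(rf"ip local pool \S+ {IP}-{IP}", line):
            cfg["pool"] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.fullmatch(rf"access-list (\S+) permit ip {IP} {IP} {IP} {IP}", line):
            # Only network/mask entries; "host" entries are not nat 0 candidates here.
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
            cfg["acl"].setdefault(m[1], []).append((src, dst))
        elif m := re.fullmatch(r"nat \(inside\) 0 access-list (\S+)", line):
            cfg["nat0_acl"] = m[1]
        elif line == "sysopt connection permit-ipsec":
            cfg["permit_ipsec"] = True
    return cfg


def pool_networks(pool):
    """Smallest set of CIDR blocks covering the pool's first..last range."""
    return list(ipaddress.summarize_address_range(*pool))


def pool_overlaps_inside(cfg):
    """True when any pool address also lies in the inside interface subnet,
    which leaves the PIX with two answers for where those addresses live."""
    return any(n.overlaps(cfg["inside"]) for n in pool_networks(cfg["pool"]))


def nat0_covers_pool(cfg):
    """True when the ACL bound by nat (inside) 0 exempts inside-LAN -> pool
    traffic from NAT for every address in the pool."""
    entries = cfg["acl"].get(cfg["nat0_acl"], [])
    return all(
        any(cfg["inside"].subnet_of(src) and n.subnet_of(dst) for src, dst in entries)
        for n in pool_networks(cfg["pool"])
    )


def audit(text):
    """Run all three checks over a config dump; missing pieces count as failures."""
    cfg = parse_config(text)
    if cfg["inside"] is None or cfg["pool"] is None:
        return {"pool_overlaps_inside": None, "nat0_covers_pool": False,
                "permit_ipsec": cfg["permit_ipsec"]}
    return {
        "pool_overlaps_inside": pool_overlaps_inside(cfg),
        "nat0_covers_pool": nat0_covers_pool(cfg),
        "permit_ipsec": cfg["permit_ipsec"],
    }


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {audit(text)}")
```

Running it prints both audits: the posted config passes the nat 0 coverage check but fails the overlap and sysopt checks, the corrected fragment passes all three. One caveat the check does not cover: once the pool is moved off the inside LAN, hosts on 10.48.66.0/23 whose default gateway is not the PIX need a route to the new pool subnet via the PIX inside address, or return traffic never reaches the tunnel.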

Expert Comment

by:lrmoore
ID: 8035168
How's it going, Chris, any luck?
 

Expert Comment

by:CleanupPing
ID: 9153397
chrisi_uk:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.

Expert Comment

by:lrmoore
ID: 9162802
RECOMMENDATION: Points awarded to: lrmoore