chrisi_uk

asked on

Another PIX problem

I am having a nightmare with this issue.

Clients running Cisco VPN Client Version 3 are having problems with IP connectivity once a tunnel is established. I have checked the routes and they seem OK.

That leaves ACLs, but I have the sysopt connection permit-ipsec command on the PIX. This command is supposed to allow IPsec traffic to bypass ACLs, right?

I tried to replicate the issue on my network. The VPN client connects, but there is no IP connectivity; when I used the new sysopt ipsec pl-compatible command, IP connectivity was OK, suggesting again that at least on my network routing is fine.

VPN connection + IP connectivity should work without this sexy command, sysopt ipsec pl-compatible. I don't want to deploy this command on customers' networks because it bypasses PIX ASA etc.

Everyone, any suggestions?

Frustrated Chrisi
Les Moore

What version PIX OS? 6.x?
Yes, sysopt permit ipsec bypasses acls, but not nat. sysopt pl-compatible bypasses nat and ASA
To get around it, you need to use a nat 0 setup, example:

inside LAN = 192.168.223.0
VPN IPpool = 192.168.234.0

access-list no_nat permit ip 192.168.223.0 255.255.255.0 192.168.234.0 255.255.255.0
nat (inside) 0 access-list no_nat

chrisi_uk (ASKER)
Thanks lrmoore,

I am using ver 6.1(2) and I already have the nat 0 implemented. Below is my config:

: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list dmzinbound permit icmp any host 200.1.1.99
access-list dmzinbound permit tcp any host 200.1.1.99
access-list dmzinbound permit udp any host 200.1.1.99
access-list nonat permit ip 10.48.66.0 255.255.254.0 10.48.67.0 255.255.255.0
access-list inbound permit ip host 10.48.67.1 host 192.168.10.3
access-list inbound permit tcp host 10.48.67.1 host 192.168.10.3 eq 3389
pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
interface ethernet2 10full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 200.1.1.1 255.255.255.0
ip address inside 10.48.66.18 255.255.254.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.48.67.1-10.48.67.20
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 200.1.1.100-200.1.1.110
global (outside) 2 200.1.1.111-200.1.1.120
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 2 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 200.1.1.99 10.48.66.99 netmask 255.255.255.255 0 0
static (inside,outside) 200.1.1.121 10.48.66.102 netmask 255.255.255.255 0 0
access-group dmzinbound in interface dmz
route inside 192.168.10.0 255.255.255.0 10.48.66.19 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthInBound protocol tacacs+
aaa-server AuthInBound (inside) host 10.48.66.102 cisco timeout 10
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map mymap 20 set transform-set myset
crypto map chris 20 ipsec-isakmp dynamic mymap
crypto map chris client configuration address initiate
crypto map chris client configuration address respond
crypto map chris interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3 address-pool ippool
vpngroup vpn3 idle-time 1800
vpngroup vpn3 password ********
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:90c8fbcded5ddf0215c29a2acfe09978
: end
[OK]

Regards
Chris
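Reading the two posts together, the things worth verifying offline are (a) whether the nat 0 access-list actually carries traffic from the inside subnet to every address in the VPN pool, and (b) whether the pool is a subnet distinct from the inside interface's own subnet. The following Python script is an added check written for this thread; it is not part of the original posts and is not a Cisco tool. It parses only the syntax forms that appear in the config above (ip address, ip local pool, access-list permit with host/any/mask operands, nat 0 access-list) and reports both checks for the excerpt of the posted config embedded below.

```python
import ipaddress
from collections import namedtuple

# Excerpt of the PIX 6.1(2) config posted above: only the lines this check reads.
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list nonat permit ip 10.48.66.0 255.255.254.0 10.48.67.0 255.255.255.0
ip address outside 200.1.1.1 255.255.255.0
ip address inside 10.48.66.18 255.255.254.0
ip local pool ippool 10.48.67.1-10.48.67.20
nat (inside) 0 access-list nonat
vpngroup vpn3 address-pool ippool
"""

Ace = namedtuple("Ace", "proto src dst")


def _operand(tokens, i):
    """Read one PIX address operand starting at tokens[i]:
    'any', 'host A.B.C.D', or 'A.B.C.D MASK'. Returns (network, tokens consumed)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), 2


def parse_config(text):
    """Collect interface addresses, local pools, permit ACEs and nat 0 bindings."""
    ifaces, pools, acls, nat0 = {}, {}, {}, {}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:2] == ["ip", "address"] and len(p) == 5:
            # ip address <ifname> <addr> <mask>  (ipaddress accepts dotted masks)
            ifaces[p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[:3] == ["ip", "local", "pool"] and len(p) == 5:
            start, end = p[4].split("-")
            pools[p[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif p[0] == "access-list" and len(p) >= 6 and p[2] == "permit":
            src, n = _operand(p, 4)
            dst, _ = _operand(p, 4 + n)
            acls.setdefault(p[1], []).append(Ace(p[3], src, dst))
        elif p[0] == "nat" and len(p) >= 5 and p[2] == "0" and p[3] == "access-list":
            nat0[p[1].strip("()")] = p[4]      # nat (inside) 0 access-list <name>
    return ifaces, pools, acls, nat0


def pool_addresses(pool):
    start, end = pool
    return [ipaddress.ip_address(n) for n in range(int(start), int(end) + 1)]


def audit(text, inside="inside"):
    """Return, per pool, which interface subnets it overlaps and whether the
    nat 0 ACL bound to the inside interface exempts inside->pool traffic."""
    ifaces, pools, acls, nat0 = parse_config(text)
    inside_net = ifaces[inside].network
    aces = acls.get(nat0.get(inside, ""), [])
    report = {"pool_overlaps": {}, "nat0_covered": {}}
    for name, (start, end) in pools.items():
        # A pool overlaps a subnet when the two address ranges intersect.
        report["pool_overlaps"][name] = [
            ifname for ifname, iface in ifaces.items()
            if int(start) <= int(iface.network.broadcast_address)
            and int(end) >= int(iface.network.network_address)
        ]
        # Every pool address must be matched by an ip ACE whose source covers
        # the inside subnet; otherwise nat (inside) 1 translates the traffic.
        report["nat0_covered"][name] = all(
            any(a.proto == "ip" and a.src.overlaps(inside_net) and addr in a.dst
                for a in aces)
            for addr in pool_addresses((start, end))
        )
    return report


if __name__ == "__main__":
    for key, value in audit(PIX_CONFIG).items():
        print(key, value)
```

For the config above the script reports that the nonat ACL does cover every pool address, so nat 0 is not the gap, but also that ippool (10.48.67.1-10.48.67.20) falls inside the inside interface's 10.48.66.0/23, so VPN clients are being handed addresses from the same subnet as the inside LAN. That overlap is the kind of thing to look at next when routing and nat 0 both check out.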
ASKER CERTIFIED SOLUTION
Les Moore
How's it going, Chris, any luck?
chrisi_uk:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
RECOMMENDATION: Points awarded to: lrmoore