japandan (Japan) asked:
Cisco VPN Client connecting to PIX 515 but no network access?

How can I configure my PIX firewall to correctly accept Cisco VPN Client 3.x connections?
I have no problem authenticating and establishing a tunnel from the VPN client to the PIX, but after that I cannot ping anything from the client PC or access any network web sites.

I have been experimenting with the PIX configs and trying to follow Cisco config examples, but have not been able to ping a single host on the network behind the PIX. Currently the IP given to VPN clients is in the same subnet as the PIX firewall and the hosts behind the firewall...my 202... subnet. I have also tried using 10.x.x.x subnets but these did not work either.

I also have not been able to access any LAN resources from the VPN client. Even though "Allow LAN access" is checked on the client, it shows up as "inactive" in the tunnel.

Shouldn't I at least be able to ping the PIX itself after establishing a tunnel?

Running PIX version 6.22 and using the latest version of the VPN Client from Cisco.

Les Moore (United States)

Do you have a no-NAT (nat zero) ACL?

I always use a separate IP subnet for the VPN users.

Here's a snippet of my working config:

access-list NO_NAT permit ip 10.10.0.0 255.255.0.0 192.168.122.0 255.255.255.0
ip local pool VPNPool 192.168.122.33-192.168.122.63
nat (inside) 0 access-list NO_NAT
vpngroup GROUP address-pool VPNPool

You can't ping the inside interface of the PIX, even with the VPN open. You can only ping a host on the inside.

japandan (asker)

I have tried it with the NO_NAT ACL, one that PDM generated. My latest config was also generated by the PDM VPN Wizard, but since the subnet is the same as the server subnet, there is no NO_NAT.

I will try it again as you suggested, using a 10.xxx subnet for my VPN clients.

When I configure using the VPN wizard, it asks if I want the clients to connect to the outside or inside interface.
I select outside, but the servers are on the inside. Is this correct? It didn't even let me establish a tunnel when I tried "inside".

Here are my relevant configs:

#The inside202 range contains my servers
#The pix internal IP is also in the inside202 subnet
access-list NO_NAT permit ip inside202 255.255.255.224 vpnclients 255.255.255.0
#PDM added the one below..
access-list NO_NAT permit ip any vpnclients 255.255.255.240
access-list outside_cryptomap_dyn_40 permit ip any vpnclients 255.255.255.240

nat (inside) 0 access-list NO_NAT

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
# The PDM likes to put this match address in but I don't
# know why. It's working now, but sometimes I cannot get
# a tunnel when it is there.
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
#There is no initiate/respond in here but I may put it in
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn address-pool VPNPOOL
vpngroup vpn dns-server dns 131.171.11.253
vpngroup vpn wins-server printers
vpngroup vpn default-domain mydomain.edu
vpngroup vpn idle-time 1800
vpngroup vpn password ********

Yes, connect to the outside interface; it's the only one with a public IP.

Keep this line, but you could change it a bit:
access-list outside_cryptomap_dyn_40 permit ip any vpnclients 255.255.255.240
or
access-list outside_cryptomap_dyn_40 permit ip inside202 vpnclients 255.255.255.0
## You have different masks on vpnclients here. Make sure it is correct and is the same as in the no_nat ACL.


and this one:
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40

Still no luck. When the VPN clients are authenticated from the outside interface, are they outside the PIX or inside? That is, do I have to define route statements or access lists so they can have access to servers inside?

I cannot ping any server outside or inside the PIX. When a VPN client comes in with one of these 10.xxx addresses, how can the PIX route them since the subnet is different?

Thanks,
dan
ASKER CERTIFIED SOLUTION
Les Moore (United States)

I was able to get it working finally on both of my pixs.
I am not sure what finally clicked.  I did need the NO_NAT as you suggested.  

In one case the gateway IP was the pix so that was easiest.  

I am still curious as to why my IP does not change when I try checking it on web servers behind the firewall.  Though I can ping from the servers to my virtual IP.
Also, I thought traceroutes would appear to work from inside the pix outward.  Guess I will play some more.

Wondering too how to send a notification message to the VPN client from the pix.

Thank You for your help!

Sincerely!
dan

The dynamic list should have a value of 40.
Ensure the NO_NAT statement is there.
The clients are actually outside the firewall even though they have virtual 10.x.x.x IPs.
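As an added example that is not part of this thread and not Cisco's tooling, the following Python script parses the handful of PIX lines the advice above turns on (the no-NAT ACL, the client pool, `nat (inside) 0`, `sysopt connection permit-ipsec` and the dynamic-map match ACL) and reports the mismatches raised here: a pool the crypto ACL's mask does not cover, a pool that overlaps the inside subnet, and a missing nat 0 exemption. The sample configs, addresses and function names (`parse_config`, `check_config`) are constructed for illustration; the mask values mirror the `/28` versus `/24` discrepancy pointed out above.

```python
"""PIX 6.x remote-access VPN config checks (added example, not from the thread):
parses the lines a VPN-client setup depends on and reports the mismatches above."""
import ipaddress
import re

# Constructed sample modelled on the thread: the dynamic-map ACL carries a /28
# mask while the pool (.33-.63) and the no-NAT ACL use a /24.
MISMATCHED_MASKS = """
access-list NO_NAT permit ip 10.10.0.0 255.255.0.0 192.168.122.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.122.0 255.255.255.240
ip local pool VPNPool 192.168.122.33-192.168.122.63
nat (inside) 0 access-list NO_NAT
sysopt connection permit-ipsec
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
vpngroup GROUP address-pool VPNPool
"""
# Same config with the crypto ACL mask corrected to match the no-NAT ACL.
CORRECTED = MISMATCHED_MASKS.replace("255.255.255.240", "255.255.255.0")
# Constructed sample of the first attempt in the question: clients drawn from
# the inside subnet, no nat 0 exemption and no sysopt line.
SAME_SUBNET = """
access-list outside_cryptomap_dyn_40 permit ip any 192.168.1.0 255.255.255.0
ip local pool VPNPool 192.168.1.200-192.168.1.220
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
vpngroup GROUP address-pool VPNPool
"""

def _endpoint(tokens, i):
    """Parse one ACL endpoint (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_config(text):
    """Collect ACL entries, pools, the nat 0 ACL, crypto match ACLs and group pools."""
    cfg = {"acls": {}, "pools": {}, "nat0": None, "crypto_acls": set(),
           "group_pools": {}, "permit_ipsec": False}
    for line in (raw.strip() for raw in text.splitlines()):
        t = line.split()
        if not t or line.startswith(("#", "!")):
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _endpoint(t, 4)
            dst, _ = _endpoint(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            cfg["pools"][m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            cfg["nat0"] = m[1]
        elif line == "sysopt connection permit-ipsec":
            cfg["permit_ipsec"] = True
        elif t[:2] == ["crypto", "dynamic-map"] and "address" in t:
            cfg["crypto_acls"].add(t[t.index("address") + 1])
        elif t[0] == "vpngroup" and "address-pool" in t:
            cfg["group_pools"][t[1]] = t[t.index("address-pool") + 1]
    return cfg

def _addresses(pool):
    """All addresses of pool=(first, last), inclusive."""
    return [ipaddress.IPv4Address(a) for a in range(int(pool[0]), int(pool[1]) + 1)]

def _covered(pool, nets):
    """True when every pool address lies inside at least one of nets."""
    return all(any(a in n for n in nets) for a in _addresses(pool))

def check_config(text):
    """Return a list of findings; an empty list means the checks passed."""
    cfg, out = parse_config(text), []
    acls, nat0 = cfg["acls"], cfg["nat0"]
    if nat0 is None:
        out.append("no 'nat (inside) 0 access-list' line: client traffic will be NATed")
    elif nat0 not in acls:
        out.append(f"nat 0 references ACL {nat0}, which has no entries")
    if not cfg["permit_ipsec"]:
        out.append("missing 'sysopt connection permit-ipsec': decrypted traffic is filtered by the outside ACL")
    for group, pname in cfg["group_pools"].items():
        pool = cfg["pools"].get(pname)
        if pool is None:
            out.append(f"vpngroup {group} uses undefined pool {pname}")
            continue
        if nat0 in acls:
            if not _covered(pool, [d for _, d in acls[nat0]]):
                out.append(f"pool {pname} is not fully covered by the destinations of {nat0}")
            # 'any' sources (prefix 0) are ignored; real inside networks must not contain the pool
            inside = [s for s, _ in acls[nat0] if s.prefixlen > 0]
            if any(a in s for s in inside for a in _addresses(pool)):
                out.append(f"pool {pname} overlaps an inside network in {nat0}; use a separate subnet for clients")
        for cacl in sorted(cfg["crypto_acls"]):
            if not _covered(pool, [d for _, d in acls.get(cacl, [])]):
                out.append(f"crypto ACL {cacl} does not cover pool {pname}; give it the same mask as {nat0}")
    return out

if __name__ == "__main__":
    for label, text in (("mismatched masks", MISMATCHED_MASKS), ("corrected", CORRECTED),
                        ("same subnet", SAME_SUBNET)):
        print(f"== {label} ==")
        for finding in check_config(text) or ["no findings"]:
            print("  -", finding)
```

Run against the first sample it reports only the crypto ACL mask problem; the corrected sample passes cleanly, and the same-subnet sample reports the missing nat 0 exemption and the missing sysopt line. The parser understands plain IP addresses and masks only; ACL entries written with `name` aliases (as in the asker's config) would need to be expanded first.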