Unable to connect to the LAN after a successful VPN connection

Posted on 2004-08-04
Last Modified: 2013-11-16
Hello,

I am running a PIX 515 firewall and set up a VPN on it. The problem is that users are able to establish a VPN session but are unable to access the resources.

: Saved
: Written by enable_15 at 16:46:11.428 UTC Tue Aug 3 2004
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 104 permit tcp any host x.x.x.67 eq 2000
access-list 104 permit tcp any host x.x.x.67 eq 2002
access-list 104 permit tcp any host x.x.x.68 eq 1998
access-list 104 permit tcp any host x.x.x.68 eq 1999
access-list 104 permit tcp any host x.x.x.68 eq 2001
access-list 104 permit tcp any host x.x.x.69 eq 2002
access-list 104 permit tcp any host x.x.x.69 eq 2000
access-list 104 permit tcp any host x.x.x.69 eq 1999
access-list 104 permit tcp any host x.x.x.69 eq 2004
access-list 104 permit tcp any host x.x.x.70 eq 7622
access-list 104 permit tcp any host x.x.x.70 eq 7630
access-list 104 permit tcp any host x.x.x.70 eq 7650
access-list 104 permit tcp any host x.x.x.71 eq 7622
access-list 104 permit tcp any host x.x.x.71 eq 7630
access-list 104 permit tcp any host x.x.x.71 eq 7650
access-list 104 permit tcp any host x.x.x.71 eq 2004
access-list 104 permit tcp any host x.x.x.72 eq www
access-list 104 permit tcp any host x.x.x.72 eq ftp
access-list 104 permit tcp any host x.x.x.67 eq 1999
access-list 104 permit tcp any host x.x.x.73 eq 1999
access-list 104 permit tcp any host x.x.x.73 eq 2000
access-list 104 permit tcp any host x.x.x.73 eq 2004
access-list 104 permit tcp any host x.x.x.73 eq 2001
access-list 104 permit tcp any host x.x.x.73 eq 2003
access-list 104 permit tcp any host x.x.x.73 eq 7650
access-list 104 permit tcp any host x.x.x.68 eq 7650
access-list 104 permit udp host x.x.x.65 host x.x.x.66 eq syslog
access-list 104 permit icmp any any echo-reply
access-list 104 permit tcp any host x.x.x.74 eq 7622
access-list 104 permit tcp any host x.x.x.74 eq 7630
access-list 104 permit tcp any host x.x.x.74 eq 7650
access-list 104 permit tcp any host x.x.x.74 eq 7703
access-list 104 permit tcp any host x.x.x.74 eq 2004
access-list 104 deny tcp any any eq 3127
access-list 104 permit tcp any host x.x.x.75 eq 2004 log
access-list 104 permit tcp any host x.x.x.75 eq 7650 log
access-list 104 permit tcp any host x.x.x.75 eq 8700 log
access-list 104 permit tcp any host x.x.x.75 eq 8702 log
access-list 104 permit tcp any host x.x.x.75 eq 8740 log
access-list 104 deny tcp any any eq 9996
access-list 104 deny tcp any any eq 5554
access-list 104 deny tcp any any eq 6129
access-list 104 deny tcp any any eq 1025
access-list 104 deny tcp any any eq 2745
access-list 104 deny tcp any any eq 445
access-list 104 permit tcp any host x.x.x.74 eq ftp
access-list 104 permit tcp any host x.x.x.77 eq ftp
access-list 104 permit tcp any host x.x.x.77 eq 8740
access-list 104 permit tcp any host x.x.x.77 eq 8700
access-list 104 permit tcp any host x.x.x.77 eq 2004
access-list 104 permit tcp any host x.x.x.77 eq 9100
access-list 104 permit tcp any host x.x.x.78 eq 2000
access-list 104 permit tcp any host x.x.x.78 eq 2004
access-list 104 permit tcp any host x.x.x.78 eq 2070
access-list 104 permit tcp any host x.x.x.78 eq 2090
access-list 104 permit tcp any host x.x.x.79 eq 5001
access-list 104 permit tcp any host x.x.x.80 eq 2004
access-list 104 permit tcp any host x.x.x.80 eq 8700
access-list 104 permit tcp any host x.x.x.80 eq 8740
access-list 104 permit tcp any host x.x.x.80 eq 8702
access-list 104 permit tcp any host x.x.x.80 eq 7650
access-list 104 permit tcp any host x.x.x.81 eq 2004
access-list 104 permit tcp any host x.x.x.81 eq 8700
access-list 104 permit tcp any host x.x.x.81 eq 8740
access-list 104 permit tcp any host x.x.x.81 eq 8702
access-list 104 permit tcp any host x.x.x.81 eq 7650
access-list 104 permit tcp any host x.x.x.82 eq 1999
access-list 104 permit tcp any host x.x.x.82 eq 2000
access-list 104 permit tcp any host x.x.x.82 eq 8702
access-list 104 permit tcp any host x.x.x.83 eq 8720
access-list 104 permit tcp any host x.x.x.83 eq 8750
access-list 104 permit tcp any host x.x.x.83 eq 8700
access-list 101 permit ip 10.16.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 114 permit ip 10.16.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 114 permit ip 10.16.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 114 permit ip 10.16.1.0 255.255.255.0 10.16.10.0 255.255.255.0
access-list 114 permit ip 192.168.200.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list 105 deny ip 192.168.0.0 255.255.0.0 any
access-list 105 deny ip 127.0.0.0 255.255.255.0 any
access-list 105 deny ip 192.168.0.0 255.255.255.0 any
access-list 105 deny ip 224.0.0.0 255.255.255.0 any
access-list 105 deny ip host 127.0.0.1 any
access-list 105 deny tcp any any eq 3127
access-list 105 deny tcp any any eq 4444
access-list 105 deny tcp any any eq 593
access-list 105 deny udp any any eq netbios-dgm
access-list 105 deny udp any any eq tftp
access-list 105 deny udp any any eq netbios-ns
access-list 105 deny tcp any any eq 137
access-list 105 deny udp any any eq 135
access-list 105 deny tcp any any eq 445
access-list 105 deny udp any any eq 445
access-list 105 permit ip any any
pager lines 24
logging on
logging timestamp
logging trap warnings
logging facility 1
logging host inside 10.16.1.248
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.66 255.255.255.224
ip address inside 10.16.1.109 255.255.255.0
ip address dmz 10.16.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool tshitshitech 10.1.2.1-10.1.2.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.89-x.x.x.92
global (outside) 1 x.x.x.93
global (outside) 3 x.x.x.94
nat (inside) 0 access-list 114
nat (inside) 3 10.16.1.0 255.255.255.0 0 0
nat (inside) 1 10.16.1.0 255.255.255.0 0 0
static (inside,outside) udp interface syslog 10.16.1.3 syslog netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.70 10.16.1.178 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.71 10.16.1.65 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.73 10.16.1.31 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.74 10.16.1.220 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.75 10.16.1.223 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.77 10.16.1.57 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.78 10.16.1.50 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.79 10.16.1.156 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.80 10.16.1.232 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.81 10.16.1.226 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.82 10.16.1.61 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.83 10.16.1.42 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.x.72 10.16.10.3 netmask 255.255.255.255 0 0
access-group 104 in interface outside
access-group 105 in interface inside
conduit permit icmp any any
conduit permit icmp any any echo-reply
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
route inside 10.16.1.0 255.255.255.0 10.16.1.96 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
snmp-server host inside 10.16.1.248
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set tshitshi39 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set tshitshi39
crypto map tshitshimap 10 ipsec-isakmp dynamic dynmap
crypto map tshitshimap client configuration address initiate
crypto map tshitshimap client configuration address respond
crypto map tshitshimap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local tshitshitech outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup tshitshi idle-time 1800
vpngroup tshitshi password ********
vpngroup tshitshitech address-pool tshitshitech
vpngroup tshitshitech dns-server 10.16.1.100
vpngroup tshitshitech default-domain mercury
vpngroup tshitshitech idle-time 1800
vpngroup tshitshitech password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local tshitshitech
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username tshitshi password ********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:c482c9b580c14d38a6fc32956b35da3e

The Cisco Systems IPsec log viewer on the client reports:
"Received malformed message or negotiation no longer active (message id:0xA8FA8AA8)"
and
"Could not find an IKE SA for x.x.x.66"

The client PIX log file has the following entry once a session is established:
"%PIX-4-106023: Deny protocol 50 src outside:x.x.x.66 dst inside:y.y.y.196 by access-list 104"

y.y.y.196 is the public IP address of the workstation initiating the VPN session.

My log file, meanwhile, reports the following:

2004-08-04 12:16:07      User.Error      194.10.1.109      Aug 04 2004 12:36:05: %PIX-3-305005: No translation group found for udp src outside:10.1.2.1/1208 dst inside:10.16.1.1/53
2004-08-04 12:16:09      User.Error      194.10.1.109      Aug 04 2004 12:36:07: %PIX-3-305005: No translation group found for udp src outside:10.1.2.1/1208 dst inside:10.16.1.1/53
2004-08-04 12:16:13      User.Error      194.10.1.109      Aug 04 2004 12:36:11: %PIX-3-305005: No translation group found for udp src outside:10.1.2.1/1208 dst inside:10.16.1.1/53

Please help!!!
Question by:tshi5791
7 Comments
Expert Comment

by:grblades
ID: 11718849
Hi tshi5791,
So you are connecting via IPSEC with the group name of tshitshitech?
Expert Comment

by:grblades
ID: 11718911
> isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
Have you set up a LAN-to-LAN VPN in addition to a client-to-LAN VPN?
This line appears to setup a default shared key for any vpn connection which could be the cause of your problems.

> conduit permit icmp any any
> conduit permit icmp any any echo-reply
You are using static commands and access-lists, so you should not be using the old conduit commands as well.
 

Author Comment

by:tshi5791
ID: 11719413
grblades,

I removed the isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
and also the conduit permit icmp any any and the other one.
Still no luck. The VPN dialer makes a successful connection, but that is it.
Expert Comment

by:grblades
ID: 11719738
I would also try removing these lines, as they are not normally present:

crypto map tshitshimap client configuration address initiate
crypto map tshitshimap client configuration address respond
isakmp client configuration address-pool local tshitshitech outside
vpngroup tshitshi idle-time 1800
vpngroup tshitshi password ********

Author Comment

by:tshi5791
ID: 11719743
I found what the problem was. The remote PIX firewall had an inbound access-list but did not have "access-list inbound permit ip any any", so that is why it was showing the message "%PIX-4-106023: Deny protocol 50 src outside:x.x.x.66 dst inside:y.y.y.196 by access-list 104". After adding "access-list inbound permit ip any any" at the end of the access-list, it works fine.
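As an added example, not code from the thread or from Cisco, here is the first-match evaluation behind the "%PIX-4-106023: Deny protocol 50 ... by access-list 104" line quoted in the question and explained in the comment above: it parses a subset of PIX 6.x access-list syntax, evaluates a packet against it including the implicit deny at the end, and shows that one entry permitting ESP (IP protocol 50) between the VPN peer and the client host is enough to clear the deny, without a trailing permit ip any any. The ACL text and the addresses (documentation ranges standing in for x.x.x.66 and y.y.y.196) are constructed for this example.

```python
import ipaddress

# Constructed sample: a shortened inbound ACL in PIX 6.x syntax, modelled on the
# thread's "access-list 104"; addresses are documentation-range placeholders.
SAMPLE_ACL = """
access-list 104 permit tcp any host 203.0.113.72 eq www
access-list 104 permit icmp any any echo-reply
access-list 104 deny tcp any any eq 445
"""
PROTO = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "esp": 50, "ah": 51}
PORTS = {"www": 80, "ftp": 21, "syslog": 514, "domain": 53, "isakmp": 500}

def _addr(t, i):
    """Consume one address spec (any | host A | A MASK); return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def parse_acl(text, name):
    """Return the ordered entries of access-list `name`; order matters (first match wins)."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != name:
            continue
        proto = int(t[3]) if t[3].isdigit() else PROTO[t[3]]   # "ip" matches every protocol
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        port = None
        if i + 1 < len(t) and t[i] == "eq":                    # optional "eq PORT" on the destination
            port = int(t[i + 1]) if t[i + 1].isdigit() else PORTS[t[i + 1]]
        entries.append({"action": t[2], "proto": proto, "src": src,
                        "dst": dst, "port": port, "line": line.strip()})
    return entries

def evaluate(entries, proto, src, dst, dport=None):
    """First-match evaluation of one packet, ending with the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if (e["proto"] in (None, proto) and s in e["src"] and d in e["dst"]
                and e["port"] in (None, dport)):
            return e["action"], e["line"]
    return "deny", "implicit deny at end of access-list"

def esp_permitted(acl_text, name, peer, client):
    """True when ESP (IP protocol 50) from the VPN peer may reach the client behind the PIX."""
    return evaluate(parse_acl(acl_text, name), 50, peer, client)[0] == "permit"
```

Appending `access-list 104 permit esp host <peer> host <client>` to the sample makes `esp_permitted` return True for that pair only, whereas `permit ip any any` opens the interface to everything.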

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 15934939
PAQed with points refunded (250)

CetusMOD
Community Support Moderator