Solved

Unable to connect to the LAN after a successful VPN connection

Posted on 2004-08-04
Last Modified: 2013-11-16
Hello,

I am running a PIX 515 firewall and have set up a VPN on it. The problem is that users are able to establish a VPN session but are unable to access the resources.

: Saved
: Written by enable_15 at 16:46:11.428 UTC Tue Aug 3 2004
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 104 permit tcp any host x.x.x.67 eq 2000
access-list 104 permit tcp any host x.x.x.67 eq 2002
access-list 104 permit tcp any host x.x.x.68 eq 1998
access-list 104 permit tcp any host x.x.x.68 eq 1999
access-list 104 permit tcp any host x.x.x.68 eq 2001
access-list 104 permit tcp any host x.x.x.69 eq 2002
access-list 104 permit tcp any host x.x.x.69 eq 2000
access-list 104 permit tcp any host x.x.x.69 eq 1999
access-list 104 permit tcp any host x.x.x.69 eq 2004
access-list 104 permit tcp any host x.x.x.70 eq 7622
access-list 104 permit tcp any host x.x.x.70 eq 7630
access-list 104 permit tcp any host x.x.x.70 eq 7650
access-list 104 permit tcp any host x.x.x.71 eq 7622
access-list 104 permit tcp any host x.x.x.71 eq 7630
access-list 104 permit tcp any host x.x.x.71 eq 7650
access-list 104 permit tcp any host x.x.x.71 eq 2004
access-list 104 permit tcp any host x.x.x.72 eq www
access-list 104 permit tcp any host x.x.x.72 eq ftp
access-list 104 permit tcp any host x.x.x.67 eq 1999
access-list 104 permit tcp any host x.x.x.73 eq 1999
access-list 104 permit tcp any host x.x.x.73 eq 2000
access-list 104 permit tcp any host x.x.x.73 eq 2004
access-list 104 permit tcp any host x.x.x.73 eq 2001
access-list 104 permit tcp any host x.x.x.73 eq 2003
access-list 104 permit tcp any host x.x.x.73 eq 7650
access-list 104 permit tcp any host x.x.x.68 eq 7650
access-list 104 permit udp host x.x.x.65 host x.x.x.66 eq syslog
access-list 104 permit icmp any any echo-reply
access-list 104 permit tcp any host x.x.x.74 eq 7622
access-list 104 permit tcp any host x.x.x.74 eq 7630
access-list 104 permit tcp any host x.x.x.74 eq 7650
access-list 104 permit tcp any host x.x.x.74 eq 7703
access-list 104 permit tcp any host x.x.x.74 eq 2004
access-list 104 deny tcp any any eq 3127
access-list 104 permit tcp any host x.x.x.75 eq 2004 log
access-list 104 permit tcp any host x.x.x.75 eq 7650 log
access-list 104 permit tcp any host x.x.x.75 eq 8700 log
access-list 104 permit tcp any host x.x.x.75 eq 8702 log
access-list 104 permit tcp any host x.x.x.75 eq 8740 log
access-list 104 deny tcp any any eq 9996
access-list 104 deny tcp any any eq 5554
access-list 104 deny tcp any any eq 6129
access-list 104 deny tcp any any eq 1025
access-list 104 deny tcp any any eq 2745
access-list 104 deny tcp any any eq 445
access-list 104 permit tcp any host x.x.x.74 eq ftp
access-list 104 permit tcp any host x.x.x.77 eq ftp
access-list 104 permit tcp any host x.x.x.77 eq 8740
access-list 104 permit tcp any host x.x.x.77 eq 8700
access-list 104 permit tcp any host x.x.x.77 eq 2004
access-list 104 permit tcp any host x.x.x.77 eq 9100
access-list 104 permit tcp any host x.x.x.78 eq 2000
access-list 104 permit tcp any host x.x.x.78 eq 2004
access-list 104 permit tcp any host x.x.x.78 eq 2070
access-list 104 permit tcp any host x.x.x.78 eq 2090
access-list 104 permit tcp any host x.x.x.79 eq 5001
access-list 104 permit tcp any host x.x.x.80 eq 2004
access-list 104 permit tcp any host x.x.x.80 eq 8700
access-list 104 permit tcp any host x.x.x.80 eq 8740
access-list 104 permit tcp any host x.x.x.80 eq 8702
access-list 104 permit tcp any host x.x.x.80 eq 7650
access-list 104 permit tcp any host x.x.x.81 eq 2004
access-list 104 permit tcp any host x.x.x.81 eq 8700
access-list 104 permit tcp any host x.x.x.81 eq 8740
access-list 104 permit tcp any host x.x.x.81 eq 8702
access-list 104 permit tcp any host x.x.x.81 eq 7650
access-list 104 permit tcp any host x.x.x.82 eq 1999
access-list 104 permit tcp any host x.x.x.82 eq 2000
access-list 104 permit tcp any host x.x.x.82 eq 8702
access-list 104 permit tcp any host x.x.x.83 eq 8720
access-list 104 permit tcp any host x.x.x.83 eq 8750
access-list 104 permit tcp any host x.x.x.83 eq 8700
access-list 101 permit ip 10.16.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 114 permit ip 10.16.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 114 permit ip 10.16.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 114 permit ip 10.16.1.0 255.255.255.0 10.16.10.0 255.255.255.0
access-list 114 permit ip 192.168.200.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list 105 deny ip 192.168.0.0 255.255.0.0 any
access-list 105 deny ip 127.0.0.0 255.255.255.0 any
access-list 105 deny ip 192.168.0.0 255.255.255.0 any
access-list 105 deny ip 224.0.0.0 255.255.255.0 any
access-list 105 deny ip host 127.0.0.1 any
access-list 105 deny tcp any any eq 3127
access-list 105 deny tcp any any eq 4444
access-list 105 deny tcp any any eq 593
access-list 105 deny udp any any eq netbios-dgm
access-list 105 deny udp any any eq tftp
access-list 105 deny udp any any eq netbios-ns
access-list 105 deny tcp any any eq 137
access-list 105 deny udp any any eq 135
access-list 105 deny tcp any any eq 445
access-list 105 deny udp any any eq 445
access-list 105 permit ip any any
pager lines 24
logging on
logging timestamp
logging trap warnings
logging facility 1
logging host inside 10.16.1.248
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.66 255.255.255.224
ip address inside 10.16.1.109 255.255.255.0
ip address dmz 10.16.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool tshitshitech 10.1.2.1-10.1.2.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.89-x.x.x.92
global (outside) 1 x.x.x.93
global (outside) 3 x.x.x.94
nat (inside) 0 access-list 114
nat (inside) 3 10.16.1.0 255.255.255.0 0 0
nat (inside) 1 10.16.1.0 255.255.255.0 0 0
static (inside,outside) udp interface syslog 10.16.1.3 syslog netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.70 10.16.1.178 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.71 10.16.1.65 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.73 10.16.1.31 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.74 10.16.1.220 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.75 10.16.1.223 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.77 10.16.1.57 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.78 10.16.1.50 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.79 10.16.1.156 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.80 10.16.1.232 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.81 10.16.1.226 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.82 10.16.1.61 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.83 10.16.1.42 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.x.72 10.16.10.3 netmask 255.255.255.255 0 0
access-group 104 in interface outside
access-group 105 in interface inside
conduit permit icmp any any
conduit permit icmp any any echo-reply
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
route inside 10.16.1.0 255.255.255.0 10.16.1.96 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
snmp-server host inside 10.16.1.248
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set tshitshi39 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set tshitshi39
crypto map tshitshimap 10 ipsec-isakmp dynamic dynmap
crypto map tshitshimap client configuration address initiate
crypto map tshitshimap client configuration address respond
crypto map tshitshimap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local tshitshitech outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup tshitshi idle-time 1800
vpngroup tshitshi password ********
vpngroup tshitshitech address-pool tshitshitech
vpngroup tshitshitech dns-server 10.16.1.100
vpngroup tshitshitech default-domain mercury
vpngroup tshitshitech idle-time 1800
vpngroup tshitshitech password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local tshitshitech
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username tshitshi password ********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:c482c9b580c14d38a6fc32956b35da3e

The Cisco Systems IPSec Log Viewer on the client reports:
"Received malformed message or negotiation no longer active (message id: 0xA8FA8AA8)"
and
"Could not find an IKE SA for x.x.x.66"

The client's PIX log file has the following entry once a session is established:
"%PIX-4-106023: Deny protocol 50 src outside:x.x.x.66 dst inside:y.y.y.196 by access-list 104"

y.y.y.196 is the public IP address of the workstation initiating the VPN session.

My log file, meanwhile, reports the following:

2004-08-04 12:16:07      User.Error      194.10.1.109      Aug 04 2004 12:36:05: %PIX-3-305005: No translation group found for udp src outside:10.1.2.1/1208 dst inside:10.16.1.1/53
2004-08-04 12:16:09      User.Error      194.10.1.109      Aug 04 2004 12:36:07: %PIX-3-305005: No translation group found for udp src outside:10.1.2.1/1208 dst inside:10.16.1.1/53
2004-08-04 12:16:13      User.Error      194.10.1.109      Aug 04 2004 12:36:11: %PIX-3-305005: No translation group found for udp src outside:10.1.2.1/1208 dst inside:10.16.1.1/53

Please help!!!
Question by:tshi5791
7 Comments

Expert Comment

by:grblades
ID: 11718849
Hi tshi5791,
So you are connecting via IPSEC with the group name of tshitshitech?

Expert Comment

by:grblades
ID: 11718911
> isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
Have you set up a LAN-to-LAN VPN in addition to a client-to-LAN VPN?
This line appears to set up a default shared key for any VPN connection, which could be the cause of your problems.

> conduit permit icmp any any
> conduit permit icmp any any echo-reply
You are using static commands and access-lists, so you should not be using the old conduit commands as well.

Author Comment

by:tshi5791
ID: 11719413
grblades,

I removed the isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
and also the conduit permit icmp any any and the other one.
Still no luck. The VPN dialer makes a successful connection but that is it.

Expert Comment

by:grblades
ID: 11719738
I would also try removing these lines as they are not normally present:-

crypto map tshitshimap client configuration address initiate
crypto map tshitshimap client configuration address respond
isakmp client configuration address-pool local tshitshitech outside
vpngroup tshitshi idle-time 1800
vpngroup tshitshi password ********

Author Comment

by:tshi5791
ID: 11719743
I found what the problem was. The remote PIX firewall had an access-list inbound but did not have access-list inbound permit ip any any, so that is why it was showing the message "%PIX-4-106023: Deny protocol 50 src outside:x.x.x.66 dst inside:y.y.y.196 by access-list 104". After adding access-list inbound permit ip any any at the end of the access-list, it works fine.
 
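Editor's note with an added example, not code from the thread or from Cisco. Two log messages drive this thread: the %PIX-4-106023 deny of IP protocol 50 quoted from the client-side PIX in the question, and the %PIX-3-305005 "No translation group found" lines from the head-end's syslog; the accepted fix above was to end the remote PIX's inbound list with permit ip any any. The script below parses both message formats (the regexes are modelled on the lines quoted in the thread), explains what each means for an IPsec remote-access session, and for a denied ESP/AH or IKE/NAT-T packet emits the single access-list entry that admits only that flow, which is the narrow alternative to a trailing permit ip any any. The sample log is constructed: the first and last lines reproduce the thread's messages with its x.x.x / y.y.y placeholders, while the UDP/4500 and TCP/445 denies are made up to exercise the other branches.

```python
"""Triage PIX 6.x syslog for the ACL-deny and no-translation messages seen in this thread.

Added example (not the thread's or Cisco's code). ESP is IP protocol 50 and AH is 51;
IKE runs over UDP/500 (UDP/4500 with NAT-T). A PIX in front of a VPN client lets the
client-initiated UDP/500 exchange complete, so the dialer reports "connected", but
inbound ESP from the head-end has no ports and no conn entry to ride on and is dropped
by the inbound ACL unless it is permitted explicitly.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ESP, AH = "50", "51"                  # IP protocol numbers IPsec uses for data
PROTO_NAMES = {ESP: "esp", AH: "ah"}  # protocol keywords PIX access-lists accept
IKE_PORTS = {"500", "4500"}           # IKE and NAT-T (UDP)

# Constructed sample: lines 1 and 4 mirror the thread's messages; lines 2 and 3 are invented.
SAMPLE_LOG = """\
%PIX-4-106023: Deny protocol 50 src outside:x.x.x.66 dst inside:y.y.y.196 by access-list 104
%PIX-4-106023: Deny udp src outside:x.x.x.66/4500 dst inside:y.y.y.196/4500 by access-list 104
%PIX-4-106023: Deny tcp src outside:203.0.113.9/40211 dst inside:y.y.y.196/445 by access-list 104
%PIX-3-305005: No translation group found for udp src outside:10.1.2.1/1208 dst inside:10.16.1.1/53
"""

_ENDPOINTS = (r"src (?P<src_if>\w+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))? "
              r"dst (?P<dst_if>\w+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?")
DENY_RE = re.compile(r"%PIX-\d-106023: Deny (?:protocol )?(?P<proto>\S+) " + _ENDPOINTS
                     + r" by access-list (?P<acl>\S+)")
NOXLATE_RE = re.compile(r"%PIX-\d-305005: No translation group found for (?P<proto>\w+) "
                        + _ENDPOINTS)


@dataclass
class Finding:
    msg_id: str
    flow: str
    meaning: str
    fix: Optional[str]  # a PIX config line, or None when an ACL change is not the answer


def narrow_acl_line(m: "re.Match") -> Optional[str]:
    """The one ACL entry that admits only the denied IPsec flow; None if it is not IPsec."""
    proto = m["proto"]
    if proto in PROTO_NAMES:                        # ESP/AH carry no ports
        return (f"access-list {m['acl']} permit {PROTO_NAMES[proto]} "
                f"host {m['src']} host {m['dst']}")
    if proto == "udp" and m["dport"] in IKE_PORTS:  # IKE or NAT-T
        return (f"access-list {m['acl']} permit udp "
                f"host {m['src']} host {m['dst']} eq {m['dport']}")
    return None


def triage_line(line: str) -> Optional[Finding]:
    """Classify one syslog line; returns None for lines that are not IPsec-relevant."""
    m = DENY_RE.search(line)
    if m:
        fix = narrow_acl_line(m)
        if fix is None:
            return None                             # ordinary deny, not an IPsec flow
        flow = f"{m['proto']} {m['src']} -> {m['dst']} in on {m['src_if']} (acl {m['acl']})"
        if m["proto"] in PROTO_NAMES:
            meaning = ("IPsec data (IP protocol %s) from the peer is dropped by the inbound "
                       "ACL; IKE over UDP/500 still completes, so the client reports "
                       "'connected' but nothing passes" % m["proto"])
        else:
            meaning = "IKE/NAT-T packet dropped; the tunnel cannot (re)negotiate"
        return Finding("106023", flow, meaning, fix)
    m = NOXLATE_RE.search(line)
    if m:
        flow = (f"{m['proto']} {m['src']}/{m['sport']} -> {m['dst']}/{m['dport']} "
                f"({m['src_if']} -> {m['dst_if']})")
        meaning = ("packet from %s arrived on %s for an inside host with no static or nat 0 "
                   "exemption matching it; check that the nat (inside) 0 access-list covers "
                   "%s <-> %s" % (m["src"], m["src_if"], m["dst"], m["src"]))
        return Finding("305005", flow, meaning, None)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep the IPsec-relevant findings."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.msg_id}: {f.flow}\n    {f.meaning}")
        if f.fix:
            print(f"    fix: {f.fix}")
```

For the thread's own deny line the script emits access-list 104 permit esp host x.x.x.66 host y.y.y.196, which admits the head-end's ESP to the one workstation and nothing else. Two caveats for anyone applying this: the sysopt connection permit-ipsec already in the posted config only bypasses the ACL for tunnels that terminate on that PIX, so it does nothing for a PIX that merely forwards ESP to a client behind it; and the 305005 messages on the head-end are a NAT problem, not an ACL one, so adding ACL entries there will not make them go away.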

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 15934939
PAQed with points refunded (250)

CetusMOD
Community Support Moderator
