negative_ion
asked on
Cisco Pix 501 help
I am wanting to ping a inside address after i vpn into my firewall. Once i connect i get an ip address of 192.168.2.1 subnet mask 255.255.255.255 Default gateway : 192.168.2.1
I am trying to ping any ip address on 192.168.0.x and it times out.
No firewall software is being used on remote computer. OS is win2000 and xp , xp firewall is turned off.
here is my config from the 501
PIX Version 6.3(1)
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 407
fixup protocol http 1417-1418
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.xxx.xxx 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.2.1-192.168.2.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any echo-reply
conduit permit gre any any
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local vpnpool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username *** password ********
vpdn username *** password ********
vpdn username *** password ********
vpdn username *** password ********
vpdn enable outside
dhcpd address 192.168.0.156-192.168.0.20
dhcpd dns xxx.xxx.xxx.xxx dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
I am trying to ping any ip address on 192.168.0.x and it times out.
No firewall software is being used on remote computer. OS is win2000 and xp , xp firewall is turned off.
here is my config from the 501
PIX Version 6.3(1)
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 407
fixup protocol http 1417-1418
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.xxx.xxx 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.2.1-192.168.2.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any echo-reply
conduit permit gre any any
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local vpnpool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username *** password ********
vpdn username *** password ********
vpdn username *** password ********
vpdn username *** password ********
vpdn enable outside
dhcpd address 192.168.0.156-192.168.0.20
dhcpd dns xxx.xxx.xxx.xxx dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
My bad, I completely misread averyb's post. His/her "nat 0" config section is right, and the access-list equivalents of the conduit statements are right, too. However, the tunnel still won't pass traffic without the sysopt statement, or without explicitly allowing traffic from 192.168.2.x to enter the outside interface using an access-list (keep in mind that this alternative leaves you mildly open to source address spoofing attacks unless you filter them out at your edge router(s), but allows you to apply access list restrictions to the traffic in the VPN tunnels, if you need to do that).
given
>vpdn enable outside
Then jasperomalley's suggestion to use sysopt
> sysopt connection permit-ipsec
should be:
sysopt connection permit-pptp
You are using Microsoft PPTP vpn client, not IPSEC vpn client.
The advice to change your nat 0 access-list to include the vpnpool of addresses (192.168.2.x) is spot on and is a must if you want this to work.
>vpdn enable outside
Then jasperomalley's suggestion to use sysopt
> sysopt connection permit-ipsec
should be:
sysopt connection permit-pptp
You are using Microsoft PPTP vpn client, not IPSEC vpn client.
The advice to change your nat 0 access-list to include the vpnpool of addresses (192.168.2.x) is spot on and is a must if you want this to work.
ASKER
Sorry for the confusion, networks behind my firewall include 192.168.0.0, 192.168.1.0, 192.168.2.0 and 192.168.3.0
VPN Pool is the 192.168.2.1 - 192.168.2.254
here is my complete config, with the changes you suggested above. After making the changes i was still unable to ping 192.168.0.0 network or any other network, still times out. I am only concerned about pinging the 192.168.0.0 network from the VPN.
User Access Verification
Password:
Type help or '?' for a list of available commands.
pixfirewall> en
Password: ********
pixfirewall# sh conf
: Saved
: Written by enable_15 at 06:38:18.564 UTC Fri Sep 10 2004
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********* encrypted
passwd ******** encrypted
hostname pixfirewall
domain-name cisco.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 407
fixup protocol http 1417-1418
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside xx.240.107.238 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.2.1-192.168.2.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xxx.107.231 192.168.0.246 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.107.233 192.168.0.248 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.107.232 192.168.0.232 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.107.226 192.168.0.239 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.107.236 192.168.3.10 netmask 255.255.255.255 0 0
conduit permit icmp any any echo-reply
conduit permit gre any any
route outside 0.0.0.0 0.0.0.0 xx.xxx.107.225 1
route inside 192.168.3.0 255.255.255.0 192.168.0.253 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community cisco
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
crypto ipsec transform-set ***** esp-3des esp-md5-hmac
crypto map corvette 1 ipsec-isakmp
crypto map corvette 1 match address 101
crypto map corvette 1 set peer xx.xxx.183.178
crypto map corvette 1 set transform-set impala
crypto map corvette interface outside
isakmp enable outside
isakmp key ******** address xx.xxx.183.178 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local vpnpool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username cary password ********
vpdn username aps password ********
vpdn username aaron password ********
vpdn username dan password ********
vpdn enable outside
dhcpd address 192.168.0.156-192.168.0.20
dhcpd dns xxx.xx.100.125 xxx.xx.1.125
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:c250adfd506
Hope this helps, am not sure if the crypto maps have anything to do with this problem.
VPN Pool is the 192.168.2.1 - 192.168.2.254
here is my complete config, with the changes you suggested above. After making the changes i was still unable to ping 192.168.0.0 network or any other network, still times out. I am only concerned about pinging the 192.168.0.0 network from the VPN.
User Access Verification
Password:
Type help or '?' for a list of available commands.
pixfirewall> en
Password: ********
pixfirewall# sh conf
: Saved
: Written by enable_15 at 06:38:18.564 UTC Fri Sep 10 2004
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********* encrypted
passwd ******** encrypted
hostname pixfirewall
domain-name cisco.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 407
fixup protocol http 1417-1418
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside xx.240.107.238 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.2.1-192.168.2.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xxx.107.231 192.168.0.246 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.107.233 192.168.0.248 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.107.232 192.168.0.232 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.107.226 192.168.0.239 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.107.236 192.168.3.10 netmask 255.255.255.255 0 0
conduit permit icmp any any echo-reply
conduit permit gre any any
route outside 0.0.0.0 0.0.0.0 xx.xxx.107.225 1
route inside 192.168.3.0 255.255.255.0 192.168.0.253 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community cisco
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
crypto ipsec transform-set ***** esp-3des esp-md5-hmac
crypto map corvette 1 ipsec-isakmp
crypto map corvette 1 match address 101
crypto map corvette 1 set peer xx.xxx.183.178
crypto map corvette 1 set transform-set impala
crypto map corvette interface outside
isakmp enable outside
isakmp key ******** address xx.xxx.183.178 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local vpnpool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username cary password ********
vpdn username aps password ********
vpdn username aaron password ********
vpdn username dan password ********
vpdn enable outside
dhcpd address 192.168.0.156-192.168.0.20
dhcpd dns xxx.xx.100.125 xxx.xx.1.125
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:c250adfd506
Hope this helps, am not sure if the crypto maps have anything to do with this problem.
Clearing out some config--
no access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 <There is no 192.168.1.0 network configured>
no access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 <There is no 192.168.1.0 ot 192.168.3.0 network configured>
no conduit permit icmp any any echo-reply <See * below>
no conduit permit gre any any <See * below>
Adding in the correct config--
access-list 101 permit gre any any <See * below>
access-list 101 permit icmp any any echo-reply <See * below>
access-group 101 in interface outside <See * below>
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list 102
* These commands won't actually do anything since none of your internal IP's have a public mapping--unless you didn't post that part of the config. I am not sure what the conduits did for you. All of the new access-list 101 commands take the functional place of your existing conduit commands, but considering the rest of your posted config--won't allow traffic across your firewall.
The access-list 102 allows all ip traffic from the VPN IP segment to go onto your internal network.
Please remember, if you didn't post your entire config, then what I am saying might not be accurate. .