VPN Access to Routed network behind PIX

Posted on 2004-09-20
Last Modified: 2013-11-16
I have a network 10.10.20.0/24. I have VPN tunnels set up from clients to this network; they are assigned 10.254.254.0/24 addresses. This works with no problems. I have a dual-homed Novell server at 10.10.20.3 and 192.168.95.150, with a UNIX server at 192.168.95.24. Here is the problem: I can make my VPN connection, but I can't ping the UNIX server. If I SSH into the PIX I am able to ping the UNIX server. Clients on the 10.10.20.0 network can connect with no problems, so I know that routing on the Novell server is working. How do I configure the PIX to handle this?
Question by:snowsurfer
9 Comments
Accepted Solution

by:
lrmoore earned 375 total points
ID: 12107784
Make sure that 192.168.95.0 255.255.255.0 is included in your nat_0 acl:

access-list nat_0 permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0
Author Comment

by:snowsurfer
ID: 12114358
I tried that yesterday. No luck. I am wondering if the Novell server that is routing may be altering the packet in a way that the PIX doesn't like.
Expert Comment

by:lrmoore
ID: 12114547
Does the Novell server (I hate calling a server a router, though Novell is better at it than Microsoft) have a route to the 10.254.254.0 subnet? I would assume so if you can access the Novell server itself from a VPN client...
If you can ping it from the PIX, it makes sense that you could ping it from the VPN client if the nat-0 acl is correct, split-tunnel acl (if used) is correct, and routing is OK...

Author Comment

by:snowsurfer
ID: 12115150
I am going to have to check on the routing on the Novell server, another team works on that.

"If you can ping it from the PIX, it makes sense that you could ping it from the VPN client if the nat-0 acl is correct, split-tunnel acl (if used) is correct, and routing is OK..."

That's my problem; I don't understand where it is breaking down. When connected to the PIX with SSH I can ping all the way through. When connected with the VPN client I can ping as far as the Novell server.
Expert Comment

by:lrmoore
ID: 12115442
Do you have a split-tunnel acl applied to the vpngroup in the PIX?
Can you post your complete PIX config?
Author Comment

by:snowsurfer
ID: 12117621
Here is the config with some privacy items stripped and IP addresses modified.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 10.10.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 permit ip 10.10.20.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list 100 permit ip 192.168.95.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 permit ip host 192.168.0.3 host 10.10.20.8
access-list 100 permit tcp host 192.168.0.3 host 10.10.20.8 eq ftp
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 100 permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list outside_in permit tcp any host 200.200.200.200 eq smtp
access-list outside_in permit tcp any host 200.200.200.200 eq www
access-list outside_in permit tcp any host 200.200.200.200 eq ftp
access-list outside_in permit tcp any host 200.200.200.200 eq telnet
access-list outside_in permit udp any host 200.200.200.200 eq bootps
access-list outside_in permit udp any host 200.200.200.200 eq bootpc
access-list outside_in permit udp any host 200.200.200.200 eq tftp
access-list outside_in permit udp any host 200.200.200.200 eq 5004
access-list outside_in permit udp any host 200.200.200.200 eq 5005
access-list outside_in permit tcp any host 200.200.200.200 eq 5566
access-list outside_in permit udp any host 200.200.200.200 eq 5567
access-list outside_in permit udp any host 200.200.200.200 eq 5568
access-list outside_in permit tcp any host 200.200.200.200 eq 8080
access-list outside_in permit tcp any host 200.200.200.200 eq https
access-list split_tunnel permit ip 10.10.20.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list split_tunnel permit ip 192.168.0.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list split_tunnel permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list dmz_in permit ip host 192.168.0.3 host 10.10.20.8
access-list dmz_in permit ip 192.168.0.0 255.255.255.0 any
access-list dmz_in permit ip host 200.200.200.200 any
pager lines 256
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 200.200.200.200 255.255.255.252
ip address inside 10.10.20.2 255.255.255.0
ip address DMZ 192.168.0.1 255.255.255.0

ip local pool testPool 10.254.254.10-10.254.254.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.10.20.0 255.255.255.0 0 0
nat (inside) 1 10.254.254.0 255.255.255.0 0 0
nat (DMZ) 0 access-list 100
nat (DMZ) 1 192.168.0.0 255.255.255.0 0 0
static (DMZ,outside) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255 0 0
static (DMZ,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255 0 0
static (DMZ,outside) tcp interface ftp 192.168.0.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet 10.10.20.10 telnet netmask 255.255.255.255 0 0
static (inside,outside) udp interface bootps 10.10.20.10 bootps netmask 255.255.255.255 0 0
static (inside,outside) udp interface bootpc 10.10.20.10 bootpc netmask 255.255.255.255 0 0
static (inside,outside) udp interface tftp 10.10.20.10 tftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.10.20.10 www netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5004 10.10.20.10 5004 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5005 10.10.20.10 5005 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5566 10.10.20.10 5566 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5567 10.10.20.10 5567 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5568 10.10.20.10 5568 netmask 255.255.255.255 0 0
static (DMZ,outside) tcp interface 8080 192.168.0.2 8080 netmask 255.255.255.255 0 0
static (DMZ,outside) tcp interface https 192.168.0.2 https netmask 255.255.255.255 0 0
static (inside,DMZ) 10.10.20.8 10.10.20.8 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group dmz_in in interface DMZ
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 200.200.200.201 1
route inside 192.168.95.0 255.255.255.0 10.10.20.3 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set testset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set testset
crypto map testmap 10 ipsec-isakmp dynamic dynmap
crypto map testmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup test address-pool testPool
vpngroup test dns-server 192.168.0.2
vpngroup test wins-server 10.10.20.4
vpngroup test split-tunnel split_tunnel
vpngroup test idle-time 1800
vpngroup test password ********
telnet 10.10.20.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 60
console timeout 0
terminal width 80
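The three conditions lrmoore lists above (a nat 0 exemption ACE, a split-tunnel ACE, and a route for the destination) can be checked mechanically against a posted config. The script below is an added example, not from the thread or from Cisco; it parses only the `permit ip` ACE forms and the `nat 0`, `route`, `ip address` and `vpngroup split-tunnel` lines that appear in the config above, and the embedded excerpt is constructed from those lines.

```python
import ipaddress
# Constructed excerpt of the PIX 6.3(3) config posted in this thread; only the
# lines that decide whether a VPN client can reach an internal subnet are kept.
PIX_CONFIG = """\
access-list 100 permit ip 10.10.20.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list 100 permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list split_tunnel permit ip 10.10.20.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list split_tunnel permit ip 192.168.0.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list split_tunnel permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0
ip address inside 10.10.20.2 255.255.255.0
ip address DMZ 192.168.0.1 255.255.255.0
nat (inside) 0 access-list 100
nat (DMZ) 0 access-list 100
route inside 192.168.95.0 255.255.255.0 10.10.20.3 1
vpngroup test split-tunnel split_tunnel
"""

def _net(tokens):
    # One PIX address spec, either 'host A' or 'A MASK'; returns (network, rest).
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_pix(config):
    # Collect 'permit ip' ACEs per ACL, nat 0 and split-tunnel bindings, and routes.
    cfg = {"acl": {}, "nat0": {}, "split": {}, "routes": []}
    for raw in config.splitlines():
        t = raw.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = _net(t[4:])
            cfg["acl"].setdefault(t[1], []).append((src, _net(rest)[0]))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]          # interface -> ACL name
        elif t[:1] == ["route"] or t[:2] == ["ip", "address"]:
            iface, net = (t[1], t[2:4]) if t[0] == "route" else (t[2], t[3:5])
            cfg["routes"].append((iface, _net(net)[0]))  # static or connected
        elif t[:1] == ["vpngroup"] and t[2:3] == ["split-tunnel"]:
            cfg["split"][t[1]] = t[3]                     # group -> ACL name
    return cfg

def vpn_reachability(config, group, iface, pool, target):
    """Three static checks for VPN pool -> target behind iface; all should be True."""
    cfg, pool, target = parse_pix(config), ipaddress.ip_network(pool), ipaddress.ip_network(target)
    # nat 0 and split-tunnel ACEs are written internal-subnet -> VPN-pool.
    hit = lambda aces: any(target.subnet_of(s) and pool.subnet_of(d) for s, d in aces)
    return {
        "nat0_exempt": hit(cfg["acl"].get(cfg["nat0"].get(iface, ""), [])),
        "split_tunnel": hit(cfg["acl"].get(cfg["split"].get(group, ""), [])),
        "route": any(i == iface and target.subnet_of(n) for i, n in cfg["routes"]),
    }
```

For 192.168.95.0/24 behind the inside interface all three checks pass on this excerpt, which matches the author's later report that the entries were already present and it was removing and re-applying the split-tunnel ACL that restored connectivity.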
Expert Comment

by:lrmoore
ID: 12117738
The only thing I can see is your icmp conduit
>conduit permit icmp any any

It doesn't like it when you try to use both a conduit and access-lists...

Shot in the dark, but you can try turning off proxy arp on the inside interface:

sysopt noproxyarp inside

and add
 sysopt ipsec pl-compatible

Author Comment

by:snowsurfer
ID: 12117841
I'll take a look, but I don't think the sysopt commands will work. I'll try posting a case to TAC.
Author Comment

by:snowsurfer
ID: 12138407
I re-added the access-list nat_0 permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0
today and it still didn't work. While troubleshooting we were playing with split tunnel: I removed split tunnel from my vpngroup with no change, and when I added it back in, all of a sudden everything started working.

For lrmoore being the only help, LRWINS