  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 312

PIX R515 6.3(3) VPN PPTP cannot ping internal hosts after authentication and connection

I have a PIX 515 firewall that seems to be configured for PPTP vpn access correctly.  I can connect as a user to the firewall but once connected I cannot ping any internal hosts nor connect through http to internal websites.

Here's my config:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password
passwd
hostname Pix
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 10.10.10.37 Server1
name 10.10.10.35 Server2
name 10.10.10.36 Server3
name 10.10.10.40 Server4
name 10.10.10.4 Server5
name 10.10.10.8 Server6
name 10.10.10.69 Server7
name 10.10.10.34 Server8
name 10.10.10.5 Server9
name 10.10.10.9 Server10
name 10.10.10.254 Server11
name 10.10.10.38 Server12
name 10.10.10.121 Server13
name 10.10.10.7 Server14
name 10.10.10.43 Server15
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list 115 deny ip 10.10.10.0 255.255.254.0 any
access-list outside_acl permit tcp any host w.x.y.z eq ftp
access-list outside_acl permit tcp any host w.x.y.z eq ftp-data
access-list outside_acl permit tcp any host w.x.y.z eq nntp
access-list outside_acl permit tcp any host w.x.y.z eq https
access-list outside_acl permit tcp any host w.x.y.z eq https
access-list outside_acl permit tcp any host w.x.y.z eq https
access-list outside_acl permit tcp any host w.x.y.z eq www
access-list outside_acl permit tcp any host w.x.y.z eq www
access-list outside_acl permit tcp any host w.x.y.z eq www
access-list outside_acl permit tcp any host w.x.y.z eq https
access-list outside_acl permit tcp any host w.x.y.z eq pptp
access-list outside_acl permit gre any host w.x.y.z
access-list outside_acl permit tcp any host w.x.y.z eq https
access-list outside_acl permit tcp any host w.x.y.z eq smtp
access-list outside_acl permit tcp any host w.x.y.z eq pcanywhere-data
access-list outside_acl permit udp any host w.x.y.z eq pcanywhere-status
access-list outside_acl permit tcp any host w.x.y.z eq www
access-list outside_acl permit tcp any host w.x.y.z eq www
access-list outside_acl permit gre any host w.x.y.z
access-list outside_acl permit tcp any host w.x.y.z eq pptp
access-list inside_acl permit icmp 10.0.0.0 255.255.255.0 any
access-list inside_acl permit tcp 10.0.0.0 255.255.255.0 any
access-list inside_acl permit udp 10.0.0.0 255.255.255.0 any
access-list inside_acl permit icmp 10.10.10.0 255.255.254.0 any
access-list inside_acl permit tcp 10.10.10.0 255.255.254.0 any
access-list inside_acl permit udp 10.10.10.0 255.255.254.0 any
access-list inside_acl permit ip 192.168.2.0 255.255.255.0 any
access-list inside_acl deny icmp any any
access-list inside_acl deny tcp any any
access-list inside_acl deny udp any any
access-list inside_acl permit ip any any
pager lines 60
logging on
logging trap informational
logging history debugging
logging host inside 10.10.10.10
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside w.x.y.z 255.255.255.192
ip address inside 10.10.10.97 255.255.254.0
ip address dmz 172.16.20.1 255.255.255.240
ip verify reverse-path interface outside
ip audit name AttackResponse attack action alarm drop
ip audit name InfoResponse info action alarm drop
ip audit interface outside InfoResponse
ip audit interface outside AttackResponse
ip audit interface inside InfoResponse
ip audit interface inside AttackResponse
ip audit info action alarm drop
ip audit attack action alarm drop
ip local pool vpnpool 192.168.2.1-192.168.2.5
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.10.10.2 255.255.255.255 inside
pdm location 10.10.10.4 255.255.255.255 inside
pdm location 10.10.10.5 255.255.255.255 inside
pdm location 10.10.10.9 255.255.255.255 inside
pdm location 10.10.10.10 255.255.255.255 inside
pdm location 10.10.10.26 255.255.255.255 inside
pdm location 10.10.10.34 255.255.255.255 inside
pdm location 10.10.10.35 255.255.255.255 inside
pdm location 10.10.10.36 255.255.255.255 inside
pdm location 10.10.10.38 255.255.255.255 inside
pdm location 10.10.10.40 255.255.255.255 inside
pdm location 10.10.10.41 255.255.255.255 inside
pdm location 10.10.10.43 255.255.255.255 inside
pdm location 10.10.10.69 255.255.255.255 inside
pdm location 10.10.10.250 255.255.255.255 inside
pdm location 10.10.10.254 255.255.255.255 inside
pdm location 10.10.10.8 255.255.255.255 inside
pdm location 10.10.10.80 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 w.x.y.z-w.x.y.z netmask 255.255.255.192
global (outside) 1 w.x.y.z netmask 255.255.255.192
global (dmz) 1 172.16.20.65-172.16.20.94 netmask 255.255.255.224
nat (inside) 0 access-list 115
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) w.x.y.z 10.10.10.2 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.5 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.9 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.254 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.34 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.35 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.36 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.40 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.43 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.250 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.38 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.4 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.41 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.26 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.47 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 63.80.71.193 1
route inside 10.0.0.0 255.255.255.0 10.10.10.30 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 10.10.10.10 xxxxxxx timeout 15
url-cache dst 1KB
http server enable
http 10.10.10.69 255.255.255.255 inside
http 10.10.10.80 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map rtpmap 10 ipsec-isakmp
crypto map rtpmap 10 match address 115
crypto map rtpmap 10 set peer w.x.y.z
crypto map rtpmap 10 set transform-set myset
crypto map rtpmap 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map rtpmap interface outside
isakmp enable outside
isakmp key xxxxxxxx address w.x.y.z netmask 255.255.255.240
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup vpntest address-pool vpnpool
vpngroup vpntest dns-server 10.10.10.5 10.10.10.10
vpngroup vpntest wins-server 10.10.10.5 10.10.10.10
vpngroup vpntest idle-time 1800
vpngroup vpntest authentication-server partnerauth
vpngroup vpntest user-authentication
vpngroup vpntest password xxxxxx
telnet timeout 15
ssh 10.10.10.0 255.255.254.0 inside
ssh timeout 15
console timeout 0
vpdn group vpntest accept dialin pptp
vpdn group vpntest ppp authentication pap
vpdn group vpntest ppp authentication chap
vpdn group vpntest ppp authentication mschap
vpdn group vpntest ppp encryption mppe 128 required
vpdn group vpntest client configuration address local vpnpool
vpdn group vpntest client configuration dns 10.10.10.5 10.10.10.10
vpdn group vpntest client authentication aaa partnerauth
vpdn group vpntest pptp echo 60
vpdn enable outside
terminal width 80
: end
Asked by: Topherdian
1 Solution
 
lrmoore Commented:
On the VPN client, Networking, TCP/IP, check the block "use default gateway on remote network"

0
 
Topherdian (Author) Commented:
It's already checked.  The gentleman from Cisco that I am talking with had me add the following access-list
access-list 116 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list 116 deny ip 10.10.10.0 255.255.254.0 any

and change the nat statement from nat (inside) 0 access-list 115 to
nat (inside) 0 access-list 116

He seemed to think that having that access-list on both the nat (inside) 0 statement and the crypto map statement might cause a problem.

I still can connect instantly but cannot ping anything on the internal 10.10.10.0 network.
0
 
lrmoore Commented:
Which client are you using? The Cisco VPN client, or the MS PPTP client?
Can I assume that this PIX inside interface is the internal network's default gateway? If not, the gateway needs a route back to the 192.168.2.x subnet
0
 
Topherdian (Author) Commented:
PPTP client.  I changed the nat statement like I noted ahead and realized that I CAN get to internal sites just not ping.  Most likely because we are dropping pings at the inside interface.  The new problem I have is that now that the PPTP vpn works, the site to site vpn we had up doesn't work.

So is there some way I can have both working at once or is that too much to ask for?
0
 
lrmoore Commented:
Yes, you can have both.
You have the same acl used by two processes. The PIX just does not like that:
   >nat (inside) 0 access-list 115
   >crypto map rtpmap 10 match address 115

Suggest creating a duplicate copy of 115, call it 116. Apply 115 to the nat, 116 to the crypto map

0
 
Topherdian (Author) Commented:
I've created a duplicate of 116 but if I do the following:

nat (inside) 0 access-list 116

Then I can now VPN in but I can no longer get to my lan to lan vpn.  Do I need to have another nat statement for the vpn to have it applied as well?  Like so:

nat (inside) 2 access-list 115
0
 
lrmoore Commented:
You need them on nat 0, not nat #
Can I assume that 192.168.1.x is the IP subnet across the lan-lan VPN?

It should look like this (lose the "deny"):
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0

access-list 116 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list 115
crypto map rtpmap 10 match address 116

Suggest you remove this ACL until this is sorted out:
>access-group inside_acl in interface inside

0
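The two things lrmoore flags above (one ACL feeding both the NAT exemption and the crypto map, and a deny entry sitting inside the nat 0 ACL) can be checked mechanically before anyone touches the firewall. The following is an added example, not code from this thread, from Cisco, or from the poster: a small Python linter over PIX 6.x style lines. The ACL numbers, pool and interface names come from the posted config; the two sample configs are constructed from the lines quoted in the thread, and the pool coverage check goes one step beyond the thread by confirming that the VPN pool actually falls inside a nat 0 permit entry.

```python
"""Lint PIX 6.x NAT-exemption (nat 0) and crypto-map ACL wiring.

Added example for this thread; not Cisco code and not the poster's own tooling.
Three checks, all drawn from the discussion above:
  * shared-acl     one ACL referenced by both "nat (x) 0 access-list" and
                   "crypto map ... match address"
  * deny-in-nat0   a "deny" entry inside the NAT exemption ACL
  * pool-not-exempt a VPN address pool that no nat 0 permit entry covers,
                   so returning traffic to the pool would be NATed
"""
import ipaddress
import re

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")


def parse_nets(tokens):
    """Turn the address part of an ACE into two ip_network objects (src, dst).

    Handles 'any', 'host A.B.C.D' and 'A.B.C.D MASK'; stops after two networks,
    so trailing port qualifiers such as 'eq www' are ignored.
    """
    nets, i = [], 0
    while i < len(tokens) and len(nets) < 2:
        tok = tokens[i]
        if tok == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        elif tok == "host":
            nets.append(ipaddress.ip_network(tokens[i + 1] + "/32"))
            i += 2
        else:
            # PIX writes dotted netmasks; ipaddress accepts "addr/mask" notation.
            nets.append(ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False))
            i += 2
    return nets


def parse_config(text):
    """Collect ACEs, nat 0 bindings, crypto-map match ACLs and local pools."""
    acls, nat0, crypto, pools = {}, {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        tokens = line.split()
        if len(tokens) >= 6 and tokens[0] == "access-list":
            # access-list NAME permit|deny PROTO SRC... DST...
            name, action = tokens[1], tokens[2]
            try:
                src, dst = parse_nets(tokens[4:])
            except (ValueError, IndexError):
                continue  # not an address form we understand (e.g. redacted hosts)
            acls.setdefault(name, []).append((action, src, dst))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := CRYPTO_RE.match(line):
            crypto[(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return acls, nat0, crypto, pools


def lint(text):
    """Return a list of finding strings; an empty list means the wiring looks sane."""
    acls, nat0, crypto, pools = parse_config(text)
    findings = []
    crypto_acls = set(crypto.values())
    for iface, acl in nat0.items():
        if acl in crypto_acls:
            findings.append(f"shared-acl: {acl} is referenced by nat ({iface}) 0 "
                            f"and by a crypto map match address")
        entries = acls.get(acl, [])
        for action, src, dst in entries:
            if action == "deny":
                findings.append(f"deny-in-nat0: {acl} has a deny entry {src} -> {dst}")
        permitted = [dst for action, _, dst in entries if action == "permit"]
        for pool, (first, last) in pools.items():
            if not any(first in dst and last in dst for dst in permitted):
                findings.append(f"pool-not-exempt: pool {pool} ({first}-{last}) is not "
                                f"covered by nat ({iface}) 0 acl {acl}")
    return findings


# Constructed from the lines posted at the top of the thread (addresses as posted).
ORIGINAL_CONFIG = """
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list 115 deny ip 10.10.10.0 255.255.254.0 any
ip local pool vpnpool 192.168.2.1-192.168.2.5
nat (inside) 0 access-list 115
crypto map rtpmap 10 match address 115
"""

# The layout suggested in the answer: deny removed, ACL duplicated, one per consumer.
FIXED_CONFIG = """
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0
ip local pool vpnpool 192.168.2.1-192.168.2.5
nat (inside) 0 access-list 115
crypto map rtpmap 10 match address 116
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {lint(cfg) or ['no findings']}")
```

Run it as-is and the original layout produces the shared-acl and deny-in-nat0 findings, while the corrected layout produces none. The pool check is the piece most worth keeping around: if someone later moves the pool to a subnet the nat 0 ACL does not list, client traffic will be translated instead of exempted and the symptom looks exactly like the one in the question.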
 
Topherdian (Author) Commented:
Yes 192.168.1.x is the IP subnet for the lan-lan VPN.

I've removed the deny and changed the access-lists to look like that.

Instead of the nat and crypto statements I have these.

nat (inside) 0 access-list 116
crypto map rtpmap 10 match address 115

I'll try removing the inside_acl in tonight and see if that does anything.
0
 
Topherdian (Author) Commented:
Nope, the lan to lan vpn is still down.  Should it matter which access list I put on the crypto map and nat (inside) commands if they are both the same?

I mean with both of these in the pix:

access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0

I could have either
nat (inside) 0 access-list 116
crypto map rtpmap 10 match address 115
or
nat (inside) 0 access-list 115
crypto map rtpmap 10 match address 116
and it wouldn't matter right?
0
 
lrmoore Commented:
It should not matter which goes where.
Any time you change any parameters of the crypto map, you need to re-apply the crypto map to the interface
 re-issue this command:
>crypto map rtpmap interface outside
0
 
lrmoore Commented:
Are you still working on this? Can we be of any more assistance?
Can you close out this question?
0
 
Topherdian (Author) Commented:
Yup.  It works now.  So I'll give you the points lrmoore because your answer above worked.
0
