Solved

PIX R515 6.3(3) VPN PPTP cannot ping internal hosts after authentication and connection

Posted on 2004-09-22
288 Views
Last Modified: 2012-05-11
I have a PIX 515 firewall that seems to be configured for PPTP VPN access correctly. I can connect as a user to the firewall, but once connected I cannot ping any internal hosts nor connect through HTTP to internal websites.

Here's my config:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password
passwd
hostname Pix
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 10.10.10.37 Server1
name 10.10.10.35 Server2
name 10.10.10.36 Server3
name 10.10.10.40 Server4
name 10.10.10.4 Server5
name 10.10.10.8 Server6
name 10.10.10.69 Server7
name 10.10.10.34 Server8
name 10.10.10.5 Server9
name 10.10.10.9 Server10
name 10.10.10.254 Server11
name 10.10.10.38 Server12
name 10.10.10.121 Server13
name 10.10.10.7 Server14
name 10.10.10.43 Server15
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list 115 deny ip 10.10.10.0 255.255.254.0 any
access-list outside_acl permit tcp any host w.x.y.z eq ftp
access-list outside_acl permit tcp any host w.x.y.z eq ftp-data
access-list outside_acl permit tcp any host w.x.y.z eq nntp
access-list outside_acl permit tcp any host w.x.y.z eq https
access-list outside_acl permit tcp any host w.x.y.z eq https
access-list outside_acl permit tcp any host w.x.y.z eq https
access-list outside_acl permit tcp any host w.x.y.z eq www
access-list outside_acl permit tcp any host w.x.y.z eq www
access-list outside_acl permit tcp any host w.x.y.z eq www
access-list outside_acl permit tcp any host w.x.y.z eq https
access-list outside_acl permit tcp any host w.x.y.z eq pptp
access-list outside_acl permit gre any host w.x.y.z
access-list outside_acl permit tcp any host w.x.y.z eq https
access-list outside_acl permit tcp any host w.x.y.z eq smtp
access-list outside_acl permit tcp any host w.x.y.z eq pcanywhere-data
access-list outside_acl permit udp any host w.x.y.z eq pcanywhere-status
access-list outside_acl permit tcp any host w.x.y.z eq www
access-list outside_acl permit tcp any host w.x.y.z eq www
access-list outside_acl permit gre any host w.x.y.z
access-list outside_acl permit tcp any host w.x.y.z eq pptp
access-list inside_acl permit icmp 10.0.0.0 255.255.255.0 any
access-list inside_acl permit tcp 10.0.0.0 255.255.255.0 any
access-list inside_acl permit udp 10.0.0.0 255.255.255.0 any
access-list inside_acl permit icmp 10.10.10.0 255.255.254.0 any
access-list inside_acl permit tcp 10.10.10.0 255.255.254.0 any
access-list inside_acl permit udp 10.10.10.0 255.255.254.0 any
access-list inside_acl permit ip 192.168.2.0 255.255.255.0 any
access-list inside_acl deny icmp any any
access-list inside_acl deny tcp any any
access-list inside_acl deny udp any any
access-list inside_acl permit ip any any
pager lines 60
logging on
logging trap informational
logging history debugging
logging host inside 10.10.10.10
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside w.x.y.z 255.255.255.192
ip address inside 10.10.10.97 255.255.254.0
ip address dmz 172.16.20.1 255.255.255.240
ip verify reverse-path interface outside
ip audit name AttackResponse attack action alarm drop
ip audit name InfoResponse info action alarm drop
ip audit interface outside InfoResponse
ip audit interface outside AttackResponse
ip audit interface inside InfoResponse
ip audit interface inside AttackResponse
ip audit info action alarm drop
ip audit attack action alarm drop
ip local pool vpnpool 192.168.2.1-192.168.2.5
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.10.10.2 255.255.255.255 inside
pdm location 10.10.10.4 255.255.255.255 inside
pdm location 10.10.10.5 255.255.255.255 inside
pdm location 10.10.10.9 255.255.255.255 inside
pdm location 10.10.10.10 255.255.255.255 inside
pdm location 10.10.10.26 255.255.255.255 inside
pdm location 10.10.10.34 255.255.255.255 inside
pdm location 10.10.10.35 255.255.255.255 inside
pdm location 10.10.10.36 255.255.255.255 inside
pdm location 10.10.10.38 255.255.255.255 inside
pdm location 10.10.10.40 255.255.255.255 inside
pdm location 10.10.10.41 255.255.255.255 inside
pdm location 10.10.10.43 255.255.255.255 inside
pdm location 10.10.10.69 255.255.255.255 inside
pdm location 10.10.10.250 255.255.255.255 inside
pdm location 10.10.10.254 255.255.255.255 inside
pdm location 10.10.10.8 255.255.255.255 inside
pdm location 10.10.10.80 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 w.x.y.z-w.x.y.z netmask 255.255.255.192
global (outside) 1 w.x.y.z netmask 255.255.255.192
global (dmz) 1 172.16.20.65-172.16.20.94 netmask 255.255.255.224
nat (inside) 0 access-list 115
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) w.x.y.z 10.10.10.2 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.5 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.9 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.254 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.34 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.35 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.36 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.40 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.43 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.250 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.38 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.4 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.41 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.26 netmask 255.255.255.255 0 0
static (inside,outside) w.x.y.z 10.10.10.47 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 63.80.71.193 1
route inside 10.0.0.0 255.255.255.0 10.10.10.30 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 10.10.10.10 xxxxxxx timeout 15
url-cache dst 1KB
http server enable
http 10.10.10.69 255.255.255.255 inside
http 10.10.10.80 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map rtpmap 10 ipsec-isakmp
crypto map rtpmap 10 match address 115
crypto map rtpmap 10 set peer w.x.y.z
crypto map rtpmap 10 set transform-set myset
crypto map rtpmap 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map rtpmap interface outside
isakmp enable outside
isakmp key xxxxxxxx address w.x.y.z netmask 255.255.255.240
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup vpntest address-pool vpnpool
vpngroup vpntest dns-server 10.10.10.5 10.10.10.10
vpngroup vpntest wins-server 10.10.10.5 10.10.10.10
vpngroup vpntest idle-time 1800
vpngroup vpntest authentication-server partnerauth
vpngroup vpntest user-authentication
vpngroup vpntest password xxxxxx
telnet timeout 15
ssh 10.10.10.0 255.255.254.0 inside
ssh timeout 15
console timeout 0
vpdn group vpntest accept dialin pptp
vpdn group vpntest ppp authentication pap
vpdn group vpntest ppp authentication chap
vpdn group vpntest ppp authentication mschap
vpdn group vpntest ppp encryption mppe 128 required
vpdn group vpntest client configuration address local vpnpool
vpdn group vpntest client configuration dns 10.10.10.5 10.10.10.10
vpdn group vpntest client authentication aaa partnerauth
vpdn group vpntest pptp echo 60
vpdn enable outside
terminal width 80
: end
Question by:Topherdian
12 Comments
 
LVL 79

Expert Comment

by:lrmoore
On the VPN client, Networking, TCP/IP, check the block "use default gateway on remote network"


Author Comment

by:Topherdian
It's already checked. The gentleman from Cisco that I am talking with had me add the following access-list:
access-list 116 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list 116 deny ip 10.10.10.0 255.255.254.0 any

and change the nat statement from nat (inside) 0 access-list 115 to
nat (inside) 0 access-list 116

He seemed to think that having that access-list on both the nat (inside) 0 statement and the crypto map statement might cause a problem.

I still can connect instantly but cannot ping anything on the internal 10.10.10.0 network.
LVL 79

Expert Comment

by:lrmoore
Which client are you using? The Cisco VPN client, or the MS PPTP client?
Can I assume that this PIX inside interface is the internal network's default gateway? If not, the gateway needs a route back to the 192.168.2.x subnet

Author Comment

by:Topherdian
PPTP client. I changed the nat statement like I noted ahead and realized that I CAN get to internal sites, just not ping. Most likely because we are dropping pings at the inside interface. The new problem I have is that now that the PPTP VPN works, the site-to-site VPN we had up doesn't work.

So is there some way I can have both working at once or is that too much to ask for?
LVL 79

Accepted Solution

by:lrmoore (earned 500 total points)
Yes, you can have both.
You have the same ACL used by two processes. The PIX just does not like that:
   >nat (inside) 0 access-list 115
   >crypto map rtpmap 10 match address 115

Suggest creating a duplicate copy of 115, call it 116. Apply 115 to the nat, 116 to the crypto map


Author Comment

by:Topherdian
I've created a duplicate of 116 but if I do the following:

nat (inside) 0 access-list 116

Then I can now VPN in, but I can no longer get to my LAN-to-LAN VPN. Do I need to have another nat statement for the VPN to have it applied as well? Like so:

nat (inside) 2 access-list 115
LVL 79

Expert Comment

by:lrmoore
You need them on nat 0, not nat #.
Can I assume that 192.168.1.x is the IP subnet across the lan-lan VPN?

It should look like this (lose the "deny"):
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0

access-list 116 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list 115
crypto map rtpmap 10 match address 116

Suggest you remove this ACL until this is sorted out:
>access-group inside_acl in interface inside

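As an added example (not from the thread, and not Cisco's own tooling), here is a small Python linter that reads a PIX 6.3-style configuration and checks the points lrmoore raises in the accepted answer and the follow-up above: an ACL shared between "nat (inside) 0" and a crypto map "match address", a "deny" entry inside the nat 0 exemption list, and whether every address in the PPTP pool is actually exempted from NAT by that list. The two configuration samples inside the script are constructed from the thread's lines; the function names and finding texts are mine.

```python
"""Added example: lint a PIX 6.3-style config for the VPN mistakes discussed
in the thread. Both sample configs below are constructed from the thread."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = Optional[ipaddress.IPv4Network]   # None stands for the keyword 'any'
Entry = Tuple[str, Net, Net]            # (action, source, destination)

# Constructed: the original (broken) layout, trimmed to the relevant lines.
SAMPLE_BROKEN = """\
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list 115 deny ip 10.10.10.0 255.255.254.0 any
ip local pool vpnpool 192.168.2.1-192.168.2.5
nat (inside) 0 access-list 115
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map rtpmap 10 match address 115
vpdn group vpntest client configuration address local vpnpool
"""

# Constructed: the layout the accepted answer recommends (two copies, no deny).
SAMPLE_FIXED = """\
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0
ip local pool vpnpool 192.168.2.1-192.168.2.5
nat (inside) 0 access-list 115
crypto map rtpmap 10 match address 116
vpdn group vpntest client configuration address local vpnpool
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
VPDN_POOL_RE = re.compile(r"^vpdn group \S+ client configuration address local (\S+)$")


def _addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Read one ACL address operand ('any', 'host X' or 'X MASK') at tokens[i]."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Collect 'access-list NAME permit|deny ip SRC DST' entries, in config order."""
    acls: Dict[str, List[Entry]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = _addr(t, 4)
        dst, _ = _addr(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls


def _grep(config: str, pattern: "re.Pattern[str]") -> List[Tuple[str, ...]]:
    """Return the capture groups of every config line matching pattern."""
    out = []
    for line in config.splitlines():
        m = pattern.match(line)
        if m:
            out.append(m.groups())
    return out


def first_match(entries: List[Entry], host: ipaddress.IPv4Address) -> Optional[str]:
    """PIX ACLs are first-match: action of the first entry whose destination
    covers host, or None when nothing matches (traffic then falls to nat 1)."""
    for action, _src, dst in entries:
        if dst is None or host in dst:
            return action
    return None


def lint(config: str) -> List[str]:
    """Return a list of human-readable findings (empty list means clean)."""
    acls = parse_acls(config)
    crypto_acls = {g[0] for g in _grep(config, CRYPTO_RE)}
    pools = {name: (ipaddress.IPv4Address(a), ipaddress.IPv4Address(b))
             for name, a, b in _grep(config, POOL_RE)}
    vpdn_pools = [g[0] for g in _grep(config, VPDN_POOL_RE)]
    findings: List[str] = []
    for iface, acl in _grep(config, NAT0_RE):
        entries = acls.get(acl, [])
        if acl in crypto_acls:
            findings.append(f"ACL {acl} is shared by nat ({iface}) 0 and a crypto map "
                            f"match address; use two identical copies instead")
        if any(action == "deny" for action, _, _ in entries):
            findings.append(f"ACL {acl} used by nat ({iface}) 0 contains deny entries; "
                            f"list only the traffic to exempt")
        for pool in vpdn_pools:          # every PPTP client address must be NAT-exempt
            if pool not in pools:
                findings.append(f"vpdn pool {pool} is not defined by 'ip local pool'")
                continue
            start, end = pools[pool]     # pools are small, so walk them address by address
            uncovered = [str(ipaddress.IPv4Address(n))
                         for n in range(int(start), int(end) + 1)
                         if first_match(entries, ipaddress.IPv4Address(n)) != "permit"]
            if uncovered:
                findings.append(f"pool {pool} addresses not exempted from NAT by ACL "
                                f"{acl}: {', '.join(uncovered)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label, lint(cfg) or "clean")
```

Run against the broken sample it reports the shared ACL and the deny entry; the fixed sample comes back clean. The pool check is the one a practitioner most often wants: if the pool is ever moved to a subnet the nat 0 list does not permit, the PPTP clients silently fall through to "nat (inside) 1" and the inside hosts can no longer reach them.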

Author Comment

by:Topherdian
Yes 192.168.1.x is the IP subnet for the lan-lan VPN.

I've removed the deny and changed the access-lists to look like that.

Instead of the nat and crypto statements I have these.

nat (inside) 0 access-list 116
crypto map rtpmap 10 match address 115

I'll try removing the inside_acl in tonight and see if that does anything.

Author Comment

by:Topherdian
Nope, the LAN-to-LAN VPN is still down. Should it matter which access list I put on the crypto map and nat (inside) commands if they are both the same?

I mean with both of these in the pix:

access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 115 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.254.0 192.168.2.0 255.255.255.0

I could have either
nat (inside) 0 access-list 116
crypto map rtpmap 10 match address 115
or
nat (inside) 0 access-list 115
crypto map rtpmap 10 match address 116
and it wouldn't matter right?
LVL 79

Expert Comment

by:lrmoore
It should not matter which goes where.
Any time you change any parameters of the crypto map, you need to re-apply the crypto map to the interface; re-issue this command:
>crypto map rtpmap interface outside
LVL 79

Expert Comment

by:lrmoore
Are you still working on this? Can we be of any more assistance?
Can you close out this question?

Author Comment

by:Topherdian
Yup.  It works now.  So I'll give you the points lrmoore because your answer above worked.