VPN from outside of ISP with PIX 506E

I have a PIX 506E.  I can establish a VPN from inside and outside my ISP, but when I am outside the ISP, I cannot access the network I am VPNed into.  For example, I can ping and vnc to a server when I am using the same ISP, but when I am establishing the VPN through another ISP I cannot ping or vnc to the server.  I also gave the VPN client total access to all network nodes, but for some reason I am only able to access the server.  Any ideas would be much appreciated.  I need this established soon for an outside software vendor to do some remote troubleshooting.  I'll post the config as soon as I can.
1 Solution
fletchman (Author) commented:
Here is my config:

PIX Version 6.3(3)                  
interface ethernet0 auto                        
interface ethernet1 auto                        
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
enable password /v2a6EDy6zMfLXc6 encrypted                                          
passwd /v2a6EDy6zMfLXc6 encrypted                                
hostname justice                
fixup protocol dns maximum-length 512                                    
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol tftp 69                      
access-list Support_splitTunnelAcl permit ip any any                                                    
access-list inside_outbound_nat0_acl permit ip any                                                                          
access-list outside_cryptomap_dyn_20 permit ip any                                                                          
pager lines 24              
mtu outside 1500                
mtu inside 1500              
ip address outside                                          
ip address inside                                          
ip audit info action alarm                          
ip audit attack action alarm                            
ip local pool Support                                        
pdm location inside                                            
pdm logging informational 100                            
pdm history enable                  
arp timeout 14400                
global (outside) 1 interface                            
nat (inside) 0 access-list inside_outbound_nat0_acl                                                  
nat (inside) 1 0 0                                  
static (inside,outside) tcp interface pcanywhere-data pcanywhere-data netmask 0 0
static (inside,outside) udp interface 5631 5631 netmask 0 0
static (inside,outside) tcp interface 5632 5632 netmask 0 0
static (inside,outside) udp interface pcanywhere-status pcanywhere-status netmask 0 0
route outside 1                                          
timeout xlate 0:05:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00                                                                            
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                                                              
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS protocol radius                                
aaa-server LOCAL protocol local                              
http server enable                  
http inside                                  
no snmp-server location                      
no snmp-server contact                      
snmp-server community public                            
no snmp-server enable traps                          
floodguard enable                
sysopt connection permit-ipsec                              
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac                                                          
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20                                                                            
crypto dynamic-map outside_dyn_map 20 set                                      
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
vpngroup Support address-pool Support
vpngroup Support dns-server
vpngroup Support wins-server
vpngroup Support default-domain jail
vpngroup Support split-tunnel Support_splitTunnelAcl
vpngroup Support idle-time 1800
vpngroup Support password ********
telnet inside
telnet timeout 15
ssh timeout 5
console timeout 0
username sds8828 password EyeLWAkMkzGJkPKP encrypted privilege 15
terminal width 80
: end
>ip address outside  
Is this the real IP? You get a private IP address from your ISP? If so, this is your biggest problem. Nowhere outside the same ISP can you get routed to this IP address...

fletchman (Author) commented:
The public IP is  I just emailed the ISP to see what the subnet and gateway will be for me to set it up that way.  I know the shouldn't work.  The ISP is routing all of the traffic that is pointed to to  I use it on 3COM VPNs, and it works fine.  I'm wondering if I need to put in some kind of ACL to allow the authenticated traffic outside of the ISP or what.  
I think I'm reading your last sentence correctly.  Even if I authenticate, when I try to ping or vnc the traffic doesn't know where to go, huh?
Picture is clearer now. The ISP NATs your private IP to a public IP. No access restrictions of any kind on the ISP end?

A couple of suggestions:
   >isakmp policy 20 group 5  <== DES normally only uses Group 1 or 2

I would make this ACL more specific:
>access-list inside_outbound_nat0_acl permit ip any    
access-list inside_outbound_nat0_acl permit ip    

Same here:
>access-list outside_cryptomap_dyn_20 permit ip any  
 access-list outside_cryptomap_dyn_20 permit ip  

>access-list Support_splitTunnelAcl permit ip any any      
access-list Support_splitTunnelAcl permit ip any          

 >ip address inside
Make sure that all of your internal hosts point to this IP as their default gateway...
You can also try adding this:
  sysopt ipsec pl-compatible
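The three narrowed ACLs from the suggestions above, written out as a PIX 6.3 remote-access fragment. This is an added example, not configuration from the original thread: the real addresses are redacted in the post, so 192.168.10.0/24 (inside LAN) and 192.168.200.0/24 (client pool) are constructed placeholders, and the nat0 and crypto ACL destinations are assumed to be the client pool, which is what PDM generates for a vpngroup setup.

```cisco
: Added example, not part of the original post. All addresses are placeholders:
:   192.168.10.0/24  = inside LAN behind the PIX (assumed)
:   192.168.200.0/24 = address pool handed to VPN clients (assumed)
: The posted config uses "any" as the source in all three ACLs below.

: NAT exemption: LAN -> pool traffic must bypass the interface PAT, or the
: replies to the VPN client leave via the outside address instead of the tunnel.
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0

: Crypto ACL for the dynamic map: only LAN <-> pool traffic is "interesting"
: traffic for IPsec; nothing else is offered to the client's SA.
access-list outside_cryptomap_dyn_20 permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0

: Split tunnel: the client routes only the LAN through the tunnel and keeps its
: own Internet connection for everything else. Source = protected network,
: destination = any, as PIX 6.x expects for a split-tunnel ACL.
access-list Support_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any

: Supporting lines tying the ACLs together (names as in the posted config).
ip address inside 192.168.10.1 255.255.255.0
ip local pool Support 192.168.200.1-192.168.200.50
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
vpngroup Support address-pool Support
vpngroup Support split-tunnel Support_splitTunnelAcl
```

The point of narrowing is that each ACL answers a different question: the nat0 ACL decides what is exempt from translation, the crypto ACL decides what the tunnel protects, and the split-tunnel ACL decides what the client sends into the tunnel at all. With `any` in all three, a client outside the ISP can authenticate yet still have its LAN-bound packets NATed or routed past the tunnel, which matches the symptom of a working VPN with unreachable hosts. The inside hosts still need the PIX inside address as their default gateway, as noted above, or their replies to the pool never reach the tunnel.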