again about PIX and VPN

I performed the command to allow VPN on my PIX-501. Installed the Cisco VPN client on the remote computer and it is not connecting. I'm a touch confused. Does this set up a connection to the Cisco which will allow me to have a remote system log in to the Domain.. or is it setting up a pipe to a specific workstation? In which case I would need to install a VPN client on the inside station as well?? I also want to make sure that I have everything correct. Thanks, see below..

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ****** encrypted
hostname *****
domain-name *****.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq pcanywhere-status
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq domain
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq domain
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq 2604
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq 2604
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq aol
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq 5190
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq 5131
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq 5131
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq 5631
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq 5632
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq 5900
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq 5900
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq 2512
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq 2512
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq 2513
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq 2513
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq pcanywhere-data
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq ssh
access-list outside permit icmp any any
access-list outside permit tcp any host 64.60.8.162 eq smtp
access-list outside permit tcp any host 64.60.8.162 eq pop3
access-list outside permit tcp any host 64.60.8.162 eq ftp
access-list outside permit tcp any host 64.60.8.162 eq www
access-list outside permit tcp any host 64.60.8.162 eq 8080
access-list outside permit tcp any host 64.60.8.162 eq https
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq 5500
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq 5500
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq 3389
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
pager lines 24
logging on
logging monitor debugging
logging buffered critical
logging trap informational
logging host inside 10.10.10.200 17/1514
mtu outside 1500
mtu inside 1500
ip address outside 64.60.8.190 255.255.255.224
ip address inside 10.10.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.10.10.1-10.10.10.253
pdm location 70.93.69.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.60.8.162 10.10.10.250 netmask 255.255.255.255 0 0
static (inside,outside) 64.60.8.163 10.10.10.200 netmask 255.255.255.255 0 0
static (inside,outside) 64.60.8.164 10.10.10.12 netmask 255.255.255.255 0 0
static (inside,outside) 64.60.8.165 10.10.10.14 netmask 255.255.255.255 0 0
static (inside,outside) 64.60.8.166 10.10.10.251 netmask 255.255.255.255 0 0
static (inside,outside) 64.60.8.167 10.10.10.16 netmask 255.255.255.255 0 0
static (inside,outside) 64.60.8.168 10.10.10.34 netmask 255.255.255.255 0 0
static (inside,outside) 64.60.8.169 10.10.10.25 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 64.60.8.161 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 70.93.69.0 255.255.255.0 outside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside 70.93.69.69 \
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 10.10.10.250
vpngroup vpn3000 wins-server 10.10.10.250
vpngroup vpn3000 default-domain ******.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 70.93.69.0 255.255.255.0 outside
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh 70.93.69.0 255.255.255.0 outside
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.10.10.220-10.10.10.249 inside
dhcpd dns 64.60.0.17 64.60.0.18
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ******.com
dhcpd auto_config outside
dhcpd enable inside
username ****** password ******* encrypted privilege 15
terminal width 80
banner exec ****
banner login ***
Cryptochecksum:***
: end
[OK]
Bill Warren (IT Manager) asked:
lrmoore commented:
The VPN connection is a "pipe" between the remote client and the PIX itself. This lets the remote client appear as if it is on the local LAN as far as other clients are concerned.

It appears as though you may have a simple typo error

>ip local pool ippool 10.10.10.1-10.10.10.253
It appears from the access-list 101 that you intended to have the pool in .11..
To fix it:

  no ip local pool ippool 10.10.10.1-10.10.10.253
  ip local pool ippool 10.10.11.1-10.10.11.253


harbor235 commented:
Are you using the vpn3000 username and the correct password as input in the config? Are you receiving any error messages? Configure the VPN client to log all information; we want to see the log messages generated when trying to connect. I would use a different subnet for my ippool, something other than the inside interface subnet.

harbor235
Bill Warren (IT Manager, author) commented:
How do I access those logs? Sorry, everything is pretty new to me, but once I know... I know... haha.... y'know.
lrmoore commented:
We need to fix the obvious error in the pix configuration before we start troubleshooting log files..

Let's take it one step at a time.. make the changes I suggested. You must make that change if you want it to work at all.

I'll recap...

//-- access-list 101 gets applied to nat zero, and defines traffic from inside subnet to ippool subnet
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
                                                                                   ^^ This should be your pool
//-- BUT, your IP pool does not match your access-list 101
ip local pool ippool 10.10.10.1-10.10.10.253

//-- you MUST change your pool to match:
no ip local pool ippool 10.10.10.1-10.10.10.253
ip local pool ippool 10.10.11.1-10.10.11.253
                                     ^^
//-- since the pool was gone momentarily, this config might also drop out and needs to be re-entered
vpngroup vpn3000 address-pool ippool



Bill Warren (IT Manager, author) commented:
Alright... I've got that now.... I made those changes but still no good with the client yet. It says.. contacting the security Gateway at (the Outside IP). But still no connection. Does that give us any indications?
Bill Warren (IT Manager, author) commented:
lrmoore, did I lose you on this?
lrmoore commented:
Sorry for the delay, no you didn't lose me..

Can you post your "new" config with the changes?

It appears that this line may not be there:
  vpngroup vpn3000 address-pool ippool

If a client can't get an IP address, it just hangs for a while, then craps out.
If a client gets an IP address, it will connect just fine, but if the address is in the wrong subnet that does not match the no-nat access-list, then it can't ping or connect to anything.
If a client gets a proper IP address, and the address matches the no-nat acl, but still can't ping, then it could be an internal routing problem (perhaps the PIX is not the actual default gateway for remote hosts)
If a client gets a proper IP address, and can ping remote resources, but can't connect to them, that's usually a Netbios name resolution issue (DNS/WINS)
If none of the above, then look at the remote and local LAN. Is your client local LAN 10.10.10.x and your LAN behind the PIX is also 10.10.10.x ? I doubt that because most home LANs are 192.168.0.0 | 192.168.1.0
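As an added consistency check (my own example, not code from this thread or from Cisco), the following parses the handful of PIX lines that lrmoore's recap and harbor235's note turn on and flags both problems: a client pool that sits inside the inside interface subnet, and a pool that the nat 0 access-list does not cover. The function name `check_vpn_pool` is hypothetical, the config excerpt is constructed from the posted config, and only the command forms shown in the excerpt are parsed.

```python
import ipaddress
import re

# Constructed excerpt of the posted PIX config; the pool still has the 10.10.10.x typo.
ORIGINAL_CONFIG = """
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
ip address inside 10.10.10.254 255.255.255.0
ip local pool ippool 10.10.10.1-10.10.10.253
nat (inside) 0 access-list 101
vpngroup vpn3000 address-pool ippool
"""
FIXED_CONFIG = ORIGINAL_CONFIG.replace("10.10.10.1-10.10.10.253", "10.10.11.1-10.10.11.253")  # lrmoore's fix


def check_vpn_pool(config):
    """Return a list of findings; an empty list means the client pool, the
    nat 0 (no-nat) access-list and the inside subnet are consistent."""
    pools, acl_dst, inside = {}, {}, None
    nonat_acl = group = group_pool = None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) permit ip \S+ \S+ (\S+) (\S+)$", line):
            # PIX ACLs use dotted subnet masks, which ip_network accepts directly
            acl_dst.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := re.match(r"ip address inside (\S+) (\S+)$", line):
            inside = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            nonat_acl = m[1]
        elif m := re.match(r"vpngroup (\S+) address-pool (\S+)$", line):
            group, group_pool = m[1], m[2]
    # No pool bound to the group: the client hangs waiting for an address.
    if group_pool is None:
        return ["no 'vpngroup ... address-pool' line: clients cannot get an address"]
    if group_pool not in pools:
        return [f"vpngroup {group} references undefined pool {group_pool}"]
    first, last = pools[group_pool]
    findings = []
    # harbor235's point: the pool should not live inside the inside interface subnet.
    if inside is not None and (first in inside or last in inside):
        findings.append(f"pool {group_pool} overlaps inside subnet {inside}")
    # lrmoore's point: a pool outside the no-nat ACL gets an address but reaches nothing.
    dsts = acl_dst.get(nonat_acl, [])
    if not any(first in n and last in n for n in dsts):
        findings.append(f"pool {group_pool} {first}-{last} not covered by no-nat "
                        f"access-list {nonat_acl} destinations {[str(n) for n in dsts]}")
    return findings
```

Running it on `ORIGINAL_CONFIG` reports both findings; on `FIXED_CONFIG` it reports none.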