jetli87
Cisco VPN Question
I've successfully configured a Cisco PIX 501 VPN configuration for VPN client access and PIX-to-PIX access; however, what statement/command do I need to add to allow the LAN to ping/access the remote user PC connecting via VPN client?
i.e.
Remote User ==connects via Cisco VPN Client and gets the IP address 10.0.2.10==>
PIX 501 (LAN subnet: 10.0.1.0) ==also this PIX 501 is connected via VPN to another PIX 501==>
PIX 501 (LAN subnet: 192.168.168.0)
I can ping/connect from the local LAN of both PIXs to one another, but neither can ping/connect to the remote user at 10.0.2.10.
PLEASE help!
Can you post the config of the 501 you are using for remote access?
ASKER
Pix Config
access-list inbound permit icmp any any
access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list vpn_nat_pool permit ip any 10.0.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 100
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remotegroup idle-time 1800
vpngroup dns-server idle-time 1800
vpngroup remote address-pool vpnpool1
vpngroup remote dns-server 10.0.1.5
vpngroup remote split-tunnel vpn_nat_pool
vpngroup remote idle-time 1800
vpngroup remote password ********
Can you post the entire config? According to this config you shouldn't be able to establish a VPN connection. Do you have a "sysopt connection permit-ipsec" line?
You can sanitize your config for the public IPs like this
Example,
Public IP = 1.1.1.1
Sanitized IP = X.X.X.1
domain = pix.example.com
to
sanitized domain = pix.XXXX.com
Also, have you run captures on your PIX to check that the traffic seems to be going through as expected?
For example
pix(config)#capture cap_in interface inside
pix(config)#capture cap_out interface outside
Now run the ping from the VPN client to a 10.0.1.X host.
When you run
show capture cap_out
you should see some protocol 47 packets going to your outside interface from the remote VPN client,
and when you run
show capture cap_in
you should see the ICMP echo-request packets going to the 10.0.1.X host as well as the echo-reply.
Do you see both, none, etc.?
ASKER
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lrOrZOf.fJ6ZvsKc encrypted
passwd lrOrZOf.fJ6ZvsKc encrypted
hostname MyPix
domain-name tdl-enterprise.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit icmp any any
access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list vpn_nat_pool permit ip any 10.0.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.x.x.x 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.0.2.1-10.0.2.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 66.x.x.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remotegroup idle-time 1800
vpngroup dns-server idle-time 1800
vpngroup remote address-pool vpnpool1
vpngroup remote dns-server 10.0.1.5
vpngroup remote split-tunnel vpn_nat_pool
vpngroup remote idle-time 1800
vpngroup remote password ********
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80
ASKER
While connected via VPN Client on the remote side, I have no issues with email, file sharing, etc.,
but on the other side of the PIX, the LAN, I can't ping/connect to the remote client.
Is there a firewall on the OS? If you're running XP SP2, by default that blocks ICMP requests.
Your config looks good to me. What OS are you running on the client you are trying to ping?
ASKER
No, there's no firewall on the OS. I've tested it on a system unprotected on a broadband connection with no firewall/anti-virus software and on a system with a firewall; still no luck.
ASKER
Actually, the connection from the LAN to the remote VPN client is okay, but from the other side of the 2nd PIX (address 192.168.168.1, connected to the PIX at 10.0.1.1), I can't connect to the VPN client.
So, clients on 192.168.168.0 can connect to 10.0.1.0, but cannot connect to 10.0.2.0.
Sorry, I wasn't clear.
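The asker's last post narrows the failure to one path: hosts on 192.168.168.0/24 (behind the second PIX, reached through the site-to-site tunnel) cannot reach the VPN client at 10.0.2.10, while hosts on 10.0.1.0/24 can. The following is an added example, not part of the thread and not the hidden accepted answer: a small Python script that parses the statements in the posted PIX 6.3(5) config that decide this (access-list, nat 0, ip address inside, ip local pool) and traces the three flows through two PIX 6.x rules. First, an inside-originated flow only becomes tunnel traffic if a `nat (inside) 0 access-list` entry exempts it from PAT; otherwise `nat (inside) 1` / `global (outside) 1 interface` rewrites its source to the outside address and it can never match a crypto ACL written for private addresses. Second, a packet that arrives on the outside interface (as the remote LAN's traffic does, through the site-to-site SA) cannot be sent back out that same interface: PIX 6.x has no intra-interface forwarding, which only appeared in 7.0 as `same-security-traffic permit intra-interface`, a release the 501 cannot run. The posted config omits the site-to-site crypto map entries and their ACLs, so the script models only what is on the page; the interface assignment (10.0.1.0/24 is inside, everything else is behind outside), the `PixConfig`/`trace` names and the sample flow addresses are my assumptions.

```python
"""Trace how the posted PIX 6.3 config treats traffic between the three subnets.

Added example for the thread above; not the PIX's own code. It parses only the
statements that matter for the question and applies two PIX 6.x rules:
 1. an inside-originated flow is a tunnel candidate only if a 'nat (inside) 0
    access-list' ACE exempts it from PAT (nat 1 / global 1 rewrite it otherwise);
 2. a packet entering the outside interface cannot leave via the outside interface
    (no intra-interface forwarding before PIX/ASA 7.0).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed input: the relevant lines from the PIX 6.3(5) config posted in the thread.
PIX_CONFIG = """\
access-list inbound permit icmp any any
access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list vpn_nat_pool permit ip any 10.0.2.0 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip local pool vpnpool1 10.0.2.1-10.0.2.10
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
sysopt connection permit-ipsec
"""

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")
Ace = Tuple[str, Net, Net]  # (protocol, source, destination)


def _net(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse 'any' or 'addr mask' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    return Net(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


class PixConfig:
    """The subset of a PIX 6.x config needed to reason about NAT exemption and interfaces."""

    def __init__(self, text: str) -> None:
        self.acls: Dict[str, List[Ace]] = {}
        self.nat_exempt_acls: List[str] = []        # ACLs named by 'nat (ifc) 0 access-list'
        self.pools: Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = {}
        self.inside: Optional[Net] = None            # directly connected LAN (assumption: one)
        for line in text.splitlines():
            t = line.split()
            if len(t) >= 6 and t[0] == "access-list" and t[2] == "permit":
                src, i = _net(t, 4)
                dst, _ = _net(t, i)
                self.acls.setdefault(t[1], []).append((t[3], src, dst))
            elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
                self.nat_exempt_acls.append(t[4])
            elif t[:3] == ["ip", "address", "inside"]:
                self.inside = Net(f"{t[3]}/{t[4]}", strict=False)
            elif t[:3] == ["ip", "local", "pool"]:
                first, last = t[4].split("-")
                self.pools[t[3]] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))

    def aces_matching(self, name: str, proto: str, src: str, dst: str) -> List[Ace]:
        """ACEs of ACL `name` covering proto src->dst; an 'ip' ACE covers every protocol."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        return [a for a in self.acls.get(name, [])
                if a[0] in ("ip", proto) and s in a[1] and d in a[2]]

    def nat_exempt(self, src: str, dst: str) -> bool:
        return any(self.aces_matching(n, "ip", src, dst) for n in self.nat_exempt_acls)

    def pool_for(self, ip: str) -> Optional[str]:
        a = ipaddress.IPv4Address(ip)
        return next((n for n, (lo, hi) in self.pools.items() if lo <= a <= hi), None)

    def interface_for(self, ip: str) -> str:
        # Assumption: only the connected LAN is 'inside'; the VPN pool and the
        # remote PIX's LAN are both reached through tunnels terminating on 'outside'.
        return "inside" if self.inside and ipaddress.IPv4Address(ip) in self.inside else "outside"


def trace(cfg: PixConfig, src: str, dst: str) -> Dict[str, object]:
    """Apply the two PIX 6.x rules to one flow and return the verdict plus the evidence."""
    ingress, egress = cfg.interface_for(src), cfg.interface_for(dst)
    verdict = "ok"
    if ingress == "outside" and egress == "outside":
        verdict = "hairpin: PIX 6.x will not forward outside->outside"
    elif ingress == "inside" and not cfg.nat_exempt(src, dst):
        verdict = "PAT to outside address: no nat 0 exemption, so not tunnel traffic"
    return {"ingress": ingress, "egress": egress, "nat_exempt": cfg.nat_exempt(src, dst),
            "dst_pool": cfg.pool_for(dst), "verdict": verdict}


if __name__ == "__main__":
    cfg = PixConfig(PIX_CONFIG)
    for src, dst in [("10.0.1.5", "10.0.2.10"),        # LAN behind this PIX -> VPN client
                     ("10.0.2.10", "10.0.1.5"),        # VPN client -> LAN behind this PIX
                     ("192.168.168.5", "10.0.2.10")]:  # remote PIX's LAN -> VPN client
        print(src, "->", dst, trace(cfg, src, dst))
```

Run as-is it prints one verdict per flow: 10.0.1.x to 10.0.2.10 is NAT-exempt through access-list 100 and passes, as the asker reports, while 192.168.168.x to 10.0.2.10 is flagged as a hairpin no matter what is added to access-list 100 or to the remote PIX's crypto ACL, which is the thread's conclusion that the 501 cannot do this. One caveat for the capture procedure suggested earlier in the thread: IPsec ESP is IP protocol 50 (47 is GRE), and a client behind NAT will show up on the outside interface as UDP/4500 instead.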
ASKER CERTIFIED SOLUTION
ASKER
Thanks for your help, cyclops!
No problem; sorry I couldn't give you the answer you were looking for. I believe this is one of the reasons why Cisco had the VPN Concentrator as the recommended way to connect remote users. Since Cisco introduced PIX 7.x, they seem to be retiring the PIX, Concentrator and IPS lines and moving to the ASA, which provides a more modular type of device.
If you're looking for a cheap firewall (along the lines of the 501) that will support what you want, you have to look at NetScreen, Checkpoint, etc.
Right now only the PIX 501 and 506E aren't upgradeable to version 7 (due to memory requirements). So if this is necessary, I'd recommend going with a NetScreen 5GT if I were you.
Agree with cyclops. You cannot get where you want to go with Cisco PIX 501s.