Solved

Cisco VPN Question

Posted on 2006-03-29
Last Modified: 2013-11-16
I've successfully configured a Cisco PIX 501 VPN configuration for VPN client access and PIX-to-PIX access; however, what statement/command do I need to add to allow the LAN to ping/access the remote user PC connecting via the VPN client?

i.e.
Remote User == connects via the Cisco VPN Client and gets the IP address 10.0.2.10 ==>
PIX 501 (LAN subnet: 10.0.1.0) == this PIX 501 is also connected via VPN to another PIX 501 ==>
PIX 501 (LAN subnet: 192.168.168.0)

I can ping/connect from the local LAN of both PIXs to one another, but neither can ping/connect to the remote user at 10.0.2.10.

PLEASE Help!
Question by:jetli87
14 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16325190
Can you post the config of the 501 you are using for remote access?
 
LVL 1

Author Comment

by:jetli87
ID: 16325242
Pix Config

access-list inbound permit icmp any any
access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list vpn_nat_pool permit ip any 10.0.2.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list 100

crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remotegroup idle-time 1800
vpngroup dns-server idle-time 1800
vpngroup remote address-pool vpnpool1
vpngroup remote dns-server 10.0.1.5
vpngroup remote split-tunnel vpn_nat_pool
vpngroup remote idle-time 1800
vpngroup remote password ********
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16325382
Can you post the entire config? According to this config you shouldn't be able to establish a VPN connection. Do you have a "sysopt connection permit-ipsec" line?
You can sanitize your config for the public IPs like this.
Example:
Public IP = 1.1.1.1
Sanitized IP = X.X.X.1
domain = pix.example.com
to
sanitized domain = pix.XXXX.com
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16325426
Also, have you run captures on your PIX to check that the traffic seems to be going through as expected?

For example:
pix(config)#capture cap_in interface inside
pix(config)#capture cap_out interface outside
Now run the ping from the VPN client to a 10.0.1.X host.
When you run
show capture cap_out
you should see some protocol 47 packets going to your outside interface from the remote VPN client,
and when you run
show capture cap_in
you should see the ICMP echo-request packets going to the 10.0.1.X host as well as the echo-reply.
Do you see both, none, etc.?
 
LVL 1

Author Comment

by:jetli87
ID: 16325477
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lrOrZOf.fJ6ZvsKc encrypted
passwd lrOrZOf.fJ6ZvsKc encrypted
hostname MyPix
domain-name tdl-enterprise.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit icmp any any
access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list vpn_nat_pool permit ip any 10.0.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.x.x.x 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.0.2.1-10.0.2.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 66.x.x.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remotegroup idle-time 1800
vpngroup dns-server idle-time 1800
vpngroup remote address-pool vpnpool1
vpngroup remote dns-server 10.0.1.5
vpngroup remote split-tunnel vpn_nat_pool
vpngroup remote idle-time 1800
vpngroup remote password ********
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80
 
LVL 1

Author Comment

by:jetli87
ID: 16325512
While connected via the VPN Client on the remote side, I have no issues with email, file sharing, etc.

But on the other side of the PIX, the LAN, I can't ping/connect to the remote client.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16325671
Is there a firewall on the OS? If you're running XP SP2, by default that blocks ICMP requests.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16325697
Your config looks good to me. What OS are you running on the client you are trying to ping?
 
LVL 1

Author Comment

by:jetli87
ID: 16325730
No, there's no firewall on the OS. I've tested it on a system unprotected on a broadband connection with no firewall/anti-virus software and on a system with a firewall; still no luck.
 
LVL 1

Author Comment

by:jetli87
ID: 16325984
Actually, the connection from the LAN to the remote VPN client is okay, but from the other side of the 2nd PIX (address 192.168.168.1, connected to the PIX at 10.0.1.1), I can't connect to the VPN client.

So, clients on 192.168.168.0 can connect to 10.0.1.0, but cannot connect to 10.0.2.0.

Sorry, I wasn't clear.
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 2000 total points
ID: 16326112
Oh okay, that's not possible. That involves packets going in and out the same interface on the PIX hosting the remote access client, which is not possible in the pre-7.X PIX OS.

Sorry. You can ask around if you want to, but I've tried it and never got it working. There might be a workaround for this, but I've never tried.
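The accepted answer above rests on one point: for a host behind the second PIX to reach a VPN client, the packet must arrive on the outside interface of the PIX that terminates the clients (inside the site-to-site tunnel) and leave through that same outside interface (inside the client's tunnel). As an added example, not from the thread and not something the 501 on 6.3 can run, this is the shape of the configuration that permits it on PIX 7.x / ASA, where the intra-interface command exists. The subnets, transform-set trmset1 and crypto map names map1/map2 are taken from the posted config; the remote PIX's public address 203.0.113.1 (a documentation range) and the ACL names nonat and l2l_traffic are assumptions.

```cisco
! Added example (PIX 7.x / ASA syntax), not the poster's config and not runnable on a 501.
! Assumed: remote site peer 203.0.113.1, ACL names nonat and l2l_traffic.

! 1. Let traffic enter and leave the same interface (outside -> outside hairpin).
same-security-traffic permit intra-interface

! 2. NAT exemption must cover the client pool 10.0.2.0/24 as well as the LAN,
!    otherwise hairpinned traffic to the remote site gets PATed to the outside address.
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list nonat extended permit ip 10.0.2.0 255.255.255.0 192.168.168.0 255.255.255.0
nat (inside) 0 access-list nonat

! 3. The site-to-site crypto ACL must list the client pool as a local network,
!    so 10.0.2.0/24 <-> 192.168.168.0/24 is "interesting" traffic for that tunnel.
access-list l2l_traffic extended permit ip 10.0.1.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list l2l_traffic extended permit ip 10.0.2.0 255.255.255.0 192.168.168.0 255.255.255.0

! Static site-to-site entry first; the dynamic entry for VPN clients keeps the
! highest sequence number so the static match is evaluated before it.
crypto map map1 20 match address l2l_traffic
crypto map map1 20 set peer 203.0.113.1
crypto map map1 20 set transform-set trmset1
crypto map map1 65535 ipsec-isakmp dynamic map2
crypto map map1 interface outside

! 4. Mirror image on the 192.168.168.0/24 PIX: its crypto ACL and nat 0 ACL must
!    include 10.0.2.0/24 as a remote destination, e.g.
!    access-list l2l_traffic extended permit ip 192.168.168.0 255.255.255.0 10.0.2.0 255.255.255.0
```

Two checks a practitioner would make before blaming the firewall: the VPN clients' split-tunnel policy must include 192.168.168.0/24 (or tunnel everything, as the posted `any` split-tunnel ACL does), or the client will send its replies out its local interface instead of back into the tunnel; and `show crypto ipsec sa` on the client-terminating PIX should show a separate SA pair for the 10.0.2.0/24 <-> 192.168.168.0/24 selector once the remote side sends traffic. The pre-shared key for the site-to-site peer is configured under `tunnel-group` in 7.x rather than with `isakmp key`.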
 
LVL 1

Author Comment

by:jetli87
ID: 16326124
Thanks for your help, Cyclops!
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16326185
No problem, sorry I couldn't give you the answer you were looking for.  I believe this is one of the reasons why Cisco had the VPN Concentrator as the recommended way to connect remote users.  Since Cisco introduced PIX 7.X, they seem to be removing the PIX, Concentrator, and IPS lines and moving to the ASA, which provides a more modular type of device.

If you're looking for a cheap firewall (along the lines of the 501) that will support what you want, you have to look at NetScreen, Checkpoint, etc.

Right now only the PIX 501 and 506E aren't upgradeable to version 7 (due to memory requirements).  So if this is necessary, I'd recommend going with a NetScreen 5GT if I were you.
 
LVL 79

Expert Comment

by:lrmoore
ID: 16328013
Agree with Cyclops. You cannot get where you want to go with Cisco PIX 501's
