Cisco VPN Question

I've successfully configured a Cisco PIX 501 VPN configuration for VPN client access and PIX-to-PIX access; however, what statement/command do I need to add to allow the LAN to ping/access the remote user PC connecting via VPN client?

i.e.
Remote User==connects via cisco VPN Client and gets the ip address 10.0.2.10==>
PIX 501 (LAN subnet: 10.0.1.0) ==also this PIX 501 is connected via VPN to another PIX 501==>
PIX 501 (LAN subnet: 192.168.168.0)

I can ping/connect from the local LAN of both PIXs to one another, but neither can ping/connect to the remote user at 10.0.2.10.

PLEASE Help!
jetli87Asked:

Cyclops3590Commented:
Can you post the config of the 501 you are using for remote access?
0
jetli87Author Commented:
Pix Config

access-list inbound permit icmp any any
access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list vpn_nat_pool permit ip any 10.0.2.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list 100

crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remotegroup idle-time 1800
vpngroup dns-server idle-time 1800
vpngroup remote address-pool vpnpool1
vpngroup remote dns-server 10.0.1.5
vpngroup remote split-tunnel vpn_nat_pool
vpngroup remote idle-time 1800
vpngroup remote password ********
0
Cyclops3590Commented:
Can you post the entire config? According to this config you shouldn't be able to establish a VPN connection. Do you have a "sysopt connection permit-ipsec" line?
You can sanitize your config for the public IPs like this
Example,
Public IP = 1.1.1.1
Sanitized IP = X.X.X.1
domain = pix.example.com
to
sanitized domain = pix.XXXX.com
0

Cyclops3590Commented:
Also, have you run captures on your PIX to check that the traffic seems to be going through as expected?

For example
pix(config)#capture cap_in interface inside
pix(config)#capture cap_out interface outside
now run the ping from the VPN client to a 10.0.1.X host
When you run
show capture cap_out
you should see some protocol 47 packets going to your outside interface from the remote VPN client
and when you run
show capture cap_in
you should see the icmp echo-request packets going to the 10.0.1.X host as well as the echo-reply
do you see both, none, etc.?
0
jetli87Author Commented:
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lrOrZOf.fJ6ZvsKc encrypted
passwd lrOrZOf.fJ6ZvsKc encrypted
hostname MyPix
domain-name tdl-enterprise.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit icmp any any
access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list vpn_nat_pool permit ip any 10.0.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.x.x.x 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.0.2.1-10.0.2.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 66.x.x.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remotegroup idle-time 1800
vpngroup dns-server idle-time 1800
vpngroup remote address-pool vpnpool1
vpngroup remote dns-server 10.0.1.5
vpngroup remote split-tunnel vpn_nat_pool
vpngroup remote idle-time 1800
vpngroup remote password ********
telnet timeout 15
ssh timeout 5
console timeout 0

terminal width 80
0
jetli87Author Commented:
While connected via VPN Client on the remote side, I have no issues with email, file sharing, etc.

But on the other side of the PIX, the LAN, I can't ping/connect to the remote client.
0
Cyclops3590Commented:
Is there a firewall on the OS? If you're running XP SP2, by default that blocks ICMP requests.
0
Cyclops3590Commented:
Your config looks good to me. What OS are you running on the client you are trying to ping?
0
jetli87Author Commented:
No, there's no firewall on the OS. I've tested it on a system unprotected on a broadband connection with no firewall/anti-virus software and on a system with a firewall; still no luck.
0
jetli87Author Commented:
Actually, the connection from the LAN to the remote VPN client is okay, but from the other side of the 2nd PIX (address 192.168.168.1, connected to PIX 10.0.1.1), I can't connect to the VPN client.

So, clients on 192.168.168.0 can connect to 10.0.1.0, but cannot connect to 10.0.2.0.

Sorry, I wasn't clear.
0
Cyclops3590Commented:
Oh okay, that's not possible.  That involves packets going in and out the same interface on the pix hosting the remote access client which is not possible in the pre-7.X PIX OS.

Sorry.  You can ask around if you want to, but I've tried it and never got it working.  There might be a work around for this, but I've never tried.
0
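To make the same-interface problem concrete, here is an added Python check (not from the thread or from Cisco) that parses the interface and route lines of the posted PIX 6.3 config and classifies each of the three flows discussed by the interface a packet arrives on and the interface it would leave on. The redacted 66.x.x.x outside address is replaced by a constructed placeholder so the lines parse.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 config posted in this thread; the redacted
# 66.x.x.x outside address is replaced by a placeholder so the lines parse.
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 66.0.0.2 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip local pool vpnpool1 10.0.2.1-10.0.2.10
route outside 0.0.0.0 0.0.0.0 66.0.0.1 1
"""

def parse_routes(config):
    """Return (network, interface) pairs: connected networks from 'ip address'
    lines plus static routes from 'route' lines."""
    routes = []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip address (\S+) (\S+) (\S+)$", line)
        if m:
            iface, addr, mask = m.groups()
            routes.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), iface))
            continue
        m = re.match(r"route (\S+) (\S+) (\S+) \S+ \d+$", line)
        if m:
            iface, net, mask = m.groups()
            routes.append((ipaddress.ip_network(f"{net}/{mask}", strict=False), iface))
    return routes

def interface_for(routes, address):
    """Longest-prefix lookup of the interface used to reach `address`. The VPN
    client pool (10.0.2.x) and the peer PIX's LAN are only reachable through
    their tunnels, so they fall through to the default route: outside."""
    ip = ipaddress.ip_address(address)
    matches = [(net.prefixlen, iface) for net, iface in routes if ip in net]
    if not matches:
        raise ValueError(f"no route for {address}")
    return max(matches)[1]

def classify_flow(routes, src, dst):
    """Return (ingress, egress, hairpin). Entering and leaving on the same
    interface is a hairpin, which PIX 6.3 cannot forward."""
    ingress, egress = interface_for(routes, src), interface_for(routes, dst)
    return ingress, egress, ingress == egress

def evaluate_thread_flows():
    """The three flows discussed in the thread, keyed by a short label."""
    routes = parse_routes(PIX_CONFIG)
    return {
        "lan->vpnclient": classify_flow(routes, "10.0.1.5", "10.0.2.10"),
        "remotelan->lan": classify_flow(routes, "192.168.168.5", "10.0.1.5"),
        "remotelan->vpnclient": classify_flow(routes, "192.168.168.5", "10.0.2.10"),
    }
```

Only the last flow comes in and goes out on outside, which is why the 192.168.168.0 hosts can reach 10.0.1.0 but not the VPN client pool.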
jetli87Author Commented:
thanks for your help cyclops!
0
Cyclops3590Commented:
No problem, sorry I couldn't give you the answer you were looking for.  I believe this is one of the reasons why Cisco had the VPN Concentrator as the recommended way to connect remote users.  Since Cisco introduced PIX 7.X, they seem to be removing the PIX, Concentrator, and IPS lines and moving to the ASA, which provides a more modular type of device.

If you're looking for a cheap firewall (along the lines of the 501) that will support what you want, you have to look at NetScreen, Checkpoint, etc.

Right now only the PIX 501 and 506E aren't upgradeable to version 7 (due to memory requirements).  So if this is necessary, I'd recommend going with a NetScreen 5GT if I were you.
0
lrmooreCommented:
Agree with Cyclops. You cannot get where you want to go with Cisco PIX 501s.
0