Cisco VPN Question

jetli87 asked
Medium Priority
604 Views
Last Modified: 2013-11-16
I've successfully configured a Cisco PIX 501 VPN configuration for VPN client access and PIX-to-PIX access; however, what statement/command do I need to add to allow the LAN to ping/access the remote user PC connecting via the VPN client?

i.e.
Remote User==connects via cisco VPN Client and gets the ip address 10.0.2.10==>
PIX 501 (LAN subnet: 10.0.1.0) ==also this PIX 501 is connected via VPN to another PIX 501==>
PIX 501 (LAN subnet: 192.168.168.0)

I can ping/connect from the local LAN of both PIXs to one another, but neither can ping/connect to the remote user at 10.0.2.10.

PLEASE Help!

Cyclops3590, Sr Software Engineer
CERTIFIED EXPERT

Commented:
Can you post the config of the 501 you are using for remote access?

Author

Commented:
Pix Config

access-list inbound permit icmp any any
access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list vpn_nat_pool permit ip any 10.0.2.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list 100

crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remotegroup idle-time 1800
vpngroup dns-server idle-time 1800
vpngroup remote address-pool vpnpool1
vpngroup remote dns-server 10.0.1.5
vpngroup remote split-tunnel vpn_nat_pool
vpngroup remote idle-time 1800
vpngroup remote password ********
Cyclops3590, Sr Software Engineer
CERTIFIED EXPERT

Commented:
Can you post the entire config? According to this config you shouldn't be able to establish a VPN connection. Do you have a "sysopt connection permit-ipsec" line?
You can sanitize your config for the public IPs like this
Example,
Public IP = 1.1.1.1
Sanitized IP = X.X.X.1
domain = pix.example.com
to
sanitized domain = pix.XXXX.com
Cyclops3590, Sr Software Engineer
CERTIFIED EXPERT

Commented:
Also, have you run captures on your PIX to check that the traffic seems to be going through as expected?

For example
pix(config)#capture cap_in interface inside
pix(config)#capture cap_out interface outside
now run the ping from the VPN client to a 10.0.1.X host
When you run
show capture cap_out
you should see some protocol 47 packets going to your outside interface from the remote VPN client
and when you run
show capture cap_in
you should see the icmp echo-request packets going to the 10.0.1.X host as well as the echo-reply
do you see both, none, etc.?

Author

Commented:
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lrOrZOf.fJ6ZvsKc encrypted
passwd lrOrZOf.fJ6ZvsKc encrypted
hostname MyPix
domain-name tdl-enterprise.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit icmp any any
access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list vpn_nat_pool permit ip any 10.0.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.x.x.x 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.0.2.1-10.0.2.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 66.x.x.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remotegroup idle-time 1800
vpngroup dns-server idle-time 1800
vpngroup remote address-pool vpnpool1
vpngroup remote dns-server 10.0.1.5
vpngroup remote split-tunnel vpn_nat_pool
vpngroup remote idle-time 1800
vpngroup remote password ********
telnet timeout 15
ssh timeout 5
console timeout 0

terminal width 80

Author

Commented:
While connected via the VPN Client on the remote side, I have no issues with email, file sharing, etc.

But on the other side of the PIX, the LAN, I can't ping/connect to the remote client.
Cyclops3590, Sr Software Engineer
CERTIFIED EXPERT

Commented:
Is there a firewall on the OS? If you're running XP SP2, by default that blocks ICMP requests.
Cyclops3590, Sr Software Engineer
CERTIFIED EXPERT

Commented:
Your config looks good to me. What OS are you running on the client you are trying to ping?

Author

Commented:
No, there's no firewall on the OS. I've tested it on a system unprotected on a broadband connection with no firewall/anti-virus software and on a system with a firewall; still no luck.

Author

Commented:
Actually, the connection from the LAN to the remote VPN client is okay, but from the other side of the 2nd PIX (address 192.168.168.1, connected to PIX 10.0.1.1), I can't connect to the VPN client.

So, clients on 192.168.168.0 can connect to 10.0.1.0, but cannot connect to 10.0.2.0.

Sorry, I wasn't clear.
Cyclops3590, Sr Software Engineer
CERTIFIED EXPERT
Commented:
Oh okay, that's not possible.  That involves packets going in and out the same interface on the pix hosting the remote access client which is not possible in the pre-7.X PIX OS.

Sorry.  You can ask around if you want to, but I've tried it and never got it working.  There might be a work around for this, but I've never tried.
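To make the point in the answer above concrete, here is an added Python model of the thread's topology; it is not code from the thread or from Cisco. It takes the subnets from the posted config (inside 10.0.1.0/24, VPN pool 10.0.2.0/24, the peer LAN 192.168.168.0/24 behind the second PIX), assumes the PIX reaches both the VPN pool and the peer LAN through its single default route on the outside interface, and replays the posted nat 0 exemption ACL (access-list 100). For each flow it reports which interface the packet arrives on, which it must leave on, whether that is a hairpin (in and out of outside), and whether the nat 0 ACL covers it. The host addresses used in the demo are constructed.

```python
"""Flow check for the PIX 501 topology in this thread (added example).

It models which PIX interface each network sits behind and replays the nat 0
exemption ACL from the posted config, so a flow can be classified as ordinary
(in one interface, out another) or as a hairpin (in and out the same
interface), which PIX 6.3 cannot forward. Subnets come from the thread; the
host addresses in the demo are constructed.
"""
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("10.0.1.0/24")     # ip address inside 10.0.1.1 255.255.255.0
VPN_POOL = ipaddress.ip_network("10.0.2.0/24")       # ip local pool vpnpool1 10.0.2.1-10.0.2.10
PEER_LAN = ipaddress.ip_network("192.168.168.0/24")  # LAN behind the second PIX 501

# Assumption: only the inside subnet is directly connected; the VPN pool and the
# peer LAN are both reached through the default route on the outside interface
# ("route outside 0.0.0.0 0.0.0.0 66.x.x.1 1"), i.e. through IPsec tunnels.
ROUTES = {
    INSIDE_NET: "inside",
    VPN_POOL: "outside",
    PEER_LAN: "outside",
}

# nat 0 exemption ACL exactly as posted ("nat (inside) 0 access-list 100").
NAT0_ACL = [
    "access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0",
]


def interface_for(addr: str) -> str:
    """Interface a packet to or from this address crosses on the PIX."""
    ip = ipaddress.ip_address(addr)
    for net, ifname in ROUTES.items():
        if ip in net:
            return ifname
    return "outside"  # anything else follows the default route


def parse_nat0_acl(lines):
    """Parse 'access-list NAME permit ip SRC SMASK DST DMASK' lines into (src, dst) networks."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 8 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
            continue  # icmp/host/any forms are not needed for this check
        src = ipaddress.ip_network(f"{parts[4]}/{parts[5]}")
        dst = ipaddress.ip_network(f"{parts[6]}/{parts[7]}")
        entries.append((src, dst))
    return entries


@dataclass
class FlowVerdict:
    ingress: str
    egress: str
    hairpin: bool     # enters and leaves on "outside": not forwarded by PIX 6.3
    nat_exempt: bool  # matched by the nat 0 ACL, so the inside address is kept


def classify_flow(src: str, dst: str, acl_lines=NAT0_ACL) -> FlowVerdict:
    """Classify a src->dst flow as the PIX in this thread would see it."""
    ingress, egress = interface_for(src), interface_for(dst)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # nat 0 is evaluated for the inside host, so either direction of the pair counts.
    exempt = any((s in sn and d in dn) or (d in sn and s in dn)
                 for sn, dn in parse_nat0_acl(acl_lines))
    return FlowVerdict(ingress, egress, ingress == egress == "outside", exempt)


def explain(src: str, dst: str) -> str:
    """One-line human-readable verdict for a flow."""
    v = classify_flow(src, dst)
    if v.hairpin:
        return (f"{src} -> {dst}: arrives and must leave on {v.ingress}; "
                "hairpin forwarding is not supported on PIX 6.3, so this fails")
    return (f"{src} -> {dst}: {v.ingress} -> {v.egress}, "
            f"nat 0 exempt={'yes' if v.nat_exempt else 'no'}")


if __name__ == "__main__":
    # Constructed hosts: an inside PC, a VPN client from the pool, a PC on the peer LAN.
    for flow in [("10.0.1.20", "10.0.2.10"),
                 ("10.0.2.10", "10.0.1.5"),
                 ("192.168.168.20", "10.0.2.10")]:
        print(explain(*flow))
```

The first two flows (inside LAN to VPN client and back) cross from one interface to the other and are covered by access-list 100, which matches what the asker observed. The third flow, from the peer LAN to the VPN client, arrives on outside and would have to leave on outside again, which is the same-interface case the answer describes; it is also outside the posted nat 0 ACL, so even a PIX that could hairpin would need the exemption extended.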


Author

Commented:
Thanks for your help, Cyclops!
Cyclops3590, Sr Software Engineer
CERTIFIED EXPERT

Commented:
No problem, sorry I couldn't give you the answer you were looking for.  I believe this is one of the reasons why Cisco had the VPN Concentrator as the recommended way to connect remote users.  Since Cisco introduced PIX 7.X, they seem to be removing the PIX, Concentrator, and IPS lines and moving to the ASA, which provides a more modular type of device.

If you're looking for a cheap firewall (along the lines of the 501) that will support what you want, you have to look at NetScreen, Checkpoint, etc.

Right now only the PIX 501 and 506E aren't upgradeable to version 7 (due to memory requirements).  So if this is necessary, I'd recommend going with a NetScreen 5GT if I were you.
Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Agree with Cyclops. You cannot get where you want to go with Cisco PIX 501s.