cisco pix vpn setup

Posted on 2006-03-29
Last Modified: 2012-08-13
I just created the following config on our PIX 515 for VPN connections. I get connected using the Cisco VPN client v4.0.4,
but I cannot ping any hosts via IP address. Can someone point me in the right direction? I'm sure someone out there has run into this. If you need the rest of the config, let me know. Thanks.

ip local pool vpn_client
access-list no_nat_vpn permit ip any
nat (inside) 0 access-list no_nat_vpn

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp identity address

sysopt connection permit-ipsec
access-list cryptomap_acl permit ip any

crypto ipsec transform-set vpnClient esp-des esp-md5-hmac
crypto dynamic-map dyn_map 10 set transform-set vpnClient
crypto map vpn_map 10 ipsec-isakmp dynamic dyn_map
crypto dynamic-map dyn_map 10 match address cryptomap_acl
crypto map vpn_map interface outside

vpngroup remote_group address-pool vpn_client
vpngroup remote_group dns-server
vpngroup remote_group default-domain
vpngroup remote_group idle-time 3600
vpngroup remote_group password #######

vpngroup remote_group split-tunnel no_nat_vpn
Question by:rxn6057
    LVL 20

    Accepted Solution

    >vpngroup remote_group dns-server
      This seems to indicate that your LAN behind the PIX is 192.168.1.x, is this correct?  If so, you're hitting a routing loop.  Cisco, unlike other VPN implementations, requires the VPN client pool to be *different* than the inside LAN(s) behind your PIX, & it *must* be different than the LAN in which the remote client resides.

      Run in this order:
    clear crypto ipsec sa
    clear crypto isakmp sa
    no crypto map vpn_map interface outside
    no vpngroup remote_group address-pool vpn_client
    no ip local pool vpn_client
    ip local pool vpn_client
    access-list no_nat_vpn permit ip
    access-list split_acl permit ip
    no access-list no_nat_vpn permit ip any
    no crypto dynamic-map dyn_map 10 match address cryptomap_acl
    no access-list cryptomap_acl
    vpngroup remote_group address-pool vpn_client
    vpngroup remote_group split-tunnel split_acl
    crypto map vpn_map interface outside
    isakmp nat-traversal  <-- if PIX is 6.3 series, run this
    clear xlate

    Notes: Yes, you need 2 identical ACLs, 1 for 'nat 0' & 1 for split-tunneling. ACLs used for VPN must be specific - don't use "permit ip any".  Beware that 192.168.1.x is one of the world's most common subnets for SOHO networks, so you'll end up either forcing VPN users to change their home LAN's IP scheme, or changing the IP scheme behind the PIX.
      If at all possible, upgrade the VPN client(s) to 4.8 series; v4.0.4 shouldn't be used if the clients are XP SP2.
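
As an added illustration of the three points in the accepted solution (pool separate from the inside LAN, no "permit ip any" in VPN ACLs, identical nat 0 and split-tunnel ACLs), here is a small config checker written for this thread; it is not code from the poster or from Cisco, the addresses in the sample fragments are made up, and the inside LAN is passed in explicitly because the full PIX config is not on the page.

```python
import ipaddress
import re

def _parse(config):
    # Pull pools, ACL entries, the nat 0 ACL and the vpngroup references out of a PIX 6.x fragment.
    pools, acls, nat0, split, pool_name = {}, {}, None, None, None
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:1] == ["access-list"] and len(t) > 3 and t[2] == "permit":
            acls.setdefault(t[1], []).append(" ".join(t[3:]))
        elif re.match(r"nat\s*\(inside\)\s*0\s+access-list\s+\S+", line.strip()):
            nat0 = t[-1]                      # tolerates the "nat(inside)0" spacing from the question
        elif t[:1] == ["vpngroup"] and len(t) == 4 and t[2] == "split-tunnel":
            split = t[3]
        elif t[:1] == ["vpngroup"] and len(t) == 4 and t[2] == "address-pool":
            pool_name = t[3]
    return pools, acls, nat0, split, pool_name

def lint_pix_vpn(config, inside_lans):
    # Return a list of findings; an empty list means the fragment passes all three checks.
    pools, acls, nat0, split, pool_name = _parse(config)
    findings = []
    for n in (ipaddress.ip_network(x) for x in inside_lans):
        lo, hi = pools.get(pool_name, (None, None))
        if lo is not None and not (hi < n[0] or lo > n[-1]):   # pool range touches the LAN
            findings.append(f"pool {pool_name} overlaps inside LAN {n} (routing loop)")
    for name in dict.fromkeys((nat0, split)):                  # dedupe when one ACL serves both
        if any("any" in e.split() for e in acls.get(name, [])):
            findings.append(f"ACL {name} uses 'any'; VPN ACLs must be specific")
    if nat0 and split and sorted(acls.get(nat0, [])) != sorted(acls.get(split, [])):
        findings.append(f"nat 0 ACL {nat0} and split-tunnel ACL {split} are not identical")
    return findings

# Constructed sample mirroring the question's mistakes (addresses are made up).
BAD_CONFIG = """\
ip local pool vpn_client 192.168.1.200-192.168.1.250
access-list no_nat_vpn permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no_nat_vpn
vpngroup remote_group address-pool vpn_client
vpngroup remote_group split-tunnel no_nat_vpn
"""
# Constructed sample following the accepted solution: separate pool, two specific identical ACLs.
GOOD_CONFIG = """\
ip local pool vpn_client 192.168.50.1-192.168.50.50
access-list no_nat_vpn permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list split_acl permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list no_nat_vpn
vpngroup remote_group address-pool vpn_client
vpngroup remote_group split-tunnel split_acl
"""
```

Calling `lint_pix_vpn(BAD_CONFIG, ["192.168.1.0/24"])` reports the overlapping pool and the "any" ACL, while the corrected fragment returns no findings.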

    LVL 26

    Expert Comment

    by:Gary Cutri
    I wouldn't recommend configuring split-tunneling as it's a potential security risk.  For example, the VPN client machine might be a Windows XP machine on a home LAN or hotel LAN and has a single Ethernet adapter installed in it. The Windows XP machine has a valid address on that network and connects to the corporate network through the VPN connectoid in the Network Connections window. At this point, any host that sets its default gateway to the IP address of the Windows XP computer can now access the corporate network resources.
    LVL 20

    Expert Comment

    Agree with you garycutri on the security risks of split-tunneling.  But the reality is, most users get irate when they can't surf the web or check personal email while connected to VPN.
      rxn6057: all you can do is warn management of the risks, & let them decide. Which they'll no doubt decide "Do it anyway".

    cheers all
    LVL 10

    Expert Comment

    You need to add a rule to the firewall that lets the VPN IP address pool send and receive echo and echo-reply packets to whatever IP address you want to ping.
    LVL 20

    Expert Comment

    ngravatt: Actually no.  The "permit ip..." statements in the ACLs are also allowing ICMP traffic.  I've deployed many PIX VPNs like this - it works.

