Solved

cisco pix vpn setup

Posted on 2006-03-29
Last Modified: 2012-08-13
I just created the following config on our PIX 515 for VPN connections. I get connected using the Cisco VPN client v4.0.4, but I cannot ping any hosts via IP address. Can someone point me in the right direction? I'm sure someone out there has run into this. If you need the rest of the config, let me know. Thanks.

ip local pool vpn_client 192.168.1.110-192.168.1.150
access-list no_nat_vpn permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no_nat_vpn

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp identity address

sysopt connection permit-ipsec
access-list cryptomap_acl permit ip any 192.168.1.0 255.255.255.0

crypto ipsec transform-set vpnClient esp-des esp-md5-hmac
crypto dynamic-map dyn_map 10 set transform-set vpnClient
crypto map vpn_map 10 ipsec-isakmp dynamic dyn_map
crypto dynamic-map dyn_map 10 match address cryptomap_acl
crypto map vpn_map interface outside

vpngroup remote_group address-pool vpn_client
vpngroup remote_group dns-server 192.168.1.71
vpngroup remote_group default-domain company.com
vpngroup remote_group idle-time 3600
vpngroup remote_group password #######

vpngroup remote_group split-tunnel no_nat_vpn

Question by: rxn6057

5 Comments

Accepted Solution by: calvinetter (ID: 16329098)
>vpngroup remote_group dns-server 192.168.1.71
  This seems to indicate that your LAN behind the PIX is 192.168.1.x, is this correct?  If so, you're hitting a routing loop.  Cisco, unlike other VPN implementations, requires the VPN client pool to be *different* than the inside LAN(s) behind your PIX, & it *must* be different than the LAN in which the remote client resides.

  Run in this order:
clear crypto ipsec sa
clear crypto isakmp sa
no crypto map vpn_map interface outside
no vpngroup remote_group address-pool vpn_client
no ip local pool vpn_client 192.168.1.110-192.168.1.150
ip local pool vpn_client 10.209.22.110-10.209.22.150
access-list no_nat_vpn permit ip 192.168.1.0 255.255.255.0 10.209.22.0 255.255.255.0
access-list split_acl permit ip 192.168.1.0 255.255.255.0 10.209.22.0 255.255.255.0
no access-list no_nat_vpn permit ip any 192.168.1.0 255.255.255.0
no crypto dynamic-map dyn_map 10 match address cryptomap_acl
no access-list cryptomap_acl
vpngroup remote_group address-pool vpn_client
vpngroup remote_group split-tunnel split_acl
crypto map vpn_map interface outside
isakmp nat-traversal  <-- if PIX is 6.3 series, run this
clear xlate

Notes: Yes, you need 2 identical ACLs, 1 for 'nat 0' & 1 for split-tunneling. ACLs used for VPN must be specific - don't use "permit ip any".  Beware that 192.168.1.x is one of the world's most common subnets for SOHO networks, so you'll end up either forcing VPN users to change their home LAN's IP scheme, or changing the IP scheme behind the PIX.
  If at all possible, upgrade the VPN client(s) to 4.8 series; v4.0.4 shouldn't be used if the clients are XP SP2.

cheers
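
As an added example (not part of the original answer and not Cisco tooling): a Python check for the two points made above, a VPN pool that overlaps the inside or client LAN and VPN ACLs that use "permit ip any". The helper name audit_pix_vpn, the inside-LAN argument and both sample configs are assumptions constructed from the lines quoted in this thread.

```python
import ipaddress
import re

# Constructed sample: the VPN-relevant lines of the config as originally posted.
POSTED = """\
ip local pool vpn_client 192.168.1.110-192.168.1.150
access-list no_nat_vpn permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no_nat_vpn
access-list cryptomap_acl permit ip any 192.168.1.0 255.255.255.0
crypto dynamic-map dyn_map 10 match address cryptomap_acl
vpngroup remote_group split-tunnel no_nat_vpn
"""
# Constructed sample: the same lines after the commands in the accepted answer.
CORRECTED = """\
ip local pool vpn_client 10.209.22.110-10.209.22.150
access-list no_nat_vpn permit ip 192.168.1.0 255.255.255.0 10.209.22.0 255.255.255.0
access-list split_acl permit ip 192.168.1.0 255.255.255.0 10.209.22.0 255.255.255.0
nat (inside) 0 access-list no_nat_vpn
vpngroup remote_group split-tunnel split_acl
"""
POOL = re.compile(r"ip local pool (\S+) ([\d.]+)-([\d.]+)$")
ACL = re.compile(r"access-list (\S+) (permit .+)$")
ACL_USE = re.compile(r"(?:nat\s*\(\w+\)\s*0 access-list|vpngroup \S+ split-tunnel"
                     r"|crypto dynamic-map \S+ \d+ match address) (\S+)$")

def audit_pix_vpn(config, inside_lan, client_lans=()):
    """Hypothetical helper: list pool-overlap and broad-ACL findings."""
    nets = [("inside LAN", ipaddress.ip_network(inside_lan))]
    nets += [("client LAN", ipaddress.ip_network(c)) for c in client_lans]
    pools, acls, used, findings = {}, {}, set(), []
    for line in map(str.strip, config.splitlines()):
        if m := POOL.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := ACL.match(line):
            acls.setdefault(m[1], []).append(m[2])
        elif m := ACL_USE.match(line):
            used.add(m[1])  # ACL referenced by nat 0, split-tunnel or crypto map
    for name, (first, last) in pools.items():
        for label, net in nets:
            # Overlap: range starts before subnet ends and ends after it begins.
            if first <= net.broadcast_address and last >= net.network_address:
                findings.append(f"pool {name} overlaps {label} {net}")
    for label, net in nets[1:]:
        if net.overlaps(nets[0][1]):
            findings.append(f"{label} {net} overlaps inside LAN")
    for name in sorted(used):
        findings += [f"ACL {name} is not specific: {e}"
                     for e in acls.get(name, []) if e.startswith("permit ip any ")]
    return findings
```

Passing a remote user's home subnet in client_lans also surfaces the 192.168.1.x collision the notes warn about, even on the corrected config.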

Expert Comment by: Gary Cutri (ID: 16330659)
I wouldn't recommend configuring split-tunneling as it's a potential security risk.  For example, the VPN client machine might be a Windows XP machine on a home LAN or hotel LAN and has a single Ethernet adapter installed in it. The Windows XP machine has a valid address on that network and connects to the corporate network through the VPN connectoid in the Network Connections window. At this point, any host that sets its default gateway to the IP address of the Windows XP computer can now access the corporate network resources.

Expert Comment by: calvinetter (ID: 16333238)
Agree with you garycutri on the security risks of split-tunneling.  But the reality is, most users get irate when they can't surf the web or check personal email while connected to VPN.
  rxn6057: all you can do is warn management of the risks, & let them decide. Which they'll no doubt decide "Do it anyway".

cheers all

Expert Comment by: ngravatt (ID: 16333315)
You need to add a rule to the firewall that lets the VPN IP address pool send and receive echo and echo-reply packets to whatever IP address you want to ping.

Expert Comment by: calvinetter (ID: 16335138)
ngravatt: Actually no.  The "permit ip..." statements in the ACLs are also allowing ICMP traffic.  I've deployed many PIX VPNs like this - it works.

cheers