Remote Access VPN user cannot access LAN (Cisco VPN client connecting to Pix 501)

I'm trying to allow remote access VPN access to our LAN, using a Pix501 and Cisco VPN Client 4.8.

The LAN has 172.16.27.0/24 and the router is on 172.16.27.254.

I'm struggling with specifying an appropriate pool for local addresses to be used by remote VPN clients. I tried 172.16.27.129-134 but somehow remote clients are then unable to connect to anything on the LAN. The log tells me that the connection is being accepted, but the traffic back to the remote client does not seem to get there, even though 172.16.27.0/24 -> 172.16.27.128/29 is exempt from NAT.

I was wondering whether, because this exemption is for addresses within the subnet, it may not work, and I also read somewhere that you should not allocate IP addresses to remote clients that are also on your LAN, i.e. that you have to use a different subnet.

That's why I created a second remote access VPN, this time allocating 172.17.1.0/28 to remote clients, but that doesn't work either. A remote client cannot see anything on the 172.16.27.x network.

I've tried enabling and disabling split tunnelling, I've tried enabling and disabling Allow Local LAN Access in the VPN client, but I'm stuck.

How does the Pix know to route 172.17.1.x traffic to 172.16.27.x? Do I need to add a route somewhere?

int21dotorg (Author) commented:
Here's the running config:

Result of firewall command: "show run"

: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxxxxxxxx
hostname xxxxxxxxxxxxx
domain-name xxxxxxxx
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.16.27.33 EMEAtest01
name 192.168.1.0 ParisLAN
name xxxxxxxxxxx ParisPublicIP
name 192.168.1.16 ParisBeheer16
name 192.168.1.128 ParisUserLAN
name 192.168.1.15 ParisBeheer15
name 192.168.1.14 ParisBeheer14
name 192.168.1.13 ParisBeheer13
name 192.168.39.0 ItalyLan
name xxxxxxxx EMEAWeb1
name xxxxxxxx 209.18.97.226 EMEAHub1
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 213.201.163.163 eq www
access-list outside_access_in permit tcp any host 213.201.163.163 eq https
access-list inside_outbound_nat0_acl permit ip 172.16.27.0 255.255.255.0 172.17.1.0 255.255.255.240
access-list inside_outbound_nat0_acl permit ip host EMEAtest01 172.17.1.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 172.16.27.0 255.255.255.0 host ParisBeheer14
access-list inside_outbound_nat0_acl permit ip 172.16.27.0 255.255.255.0 host ParisBeheer15
access-list inside_outbound_nat0_acl permit ip 172.16.27.0 255.255.255.0 host ParisBeheer16
access-list inside_outbound_nat0_acl permit ip 172.16.27.0 255.255.255.0 host ParisBeheer13
access-list inside_outbound_nat0_acl permit ip 172.16.27.0 255.255.255.0 ParisUserLAN 255.255.255.128
access-list inside_outbound_nat0_acl permit ip 172.16.27.0 255.255.255.0 ItalyLan 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.27.0 255.255.255.0 host EMEAWeb1
access-list inside_outbound_nat0_acl permit ip 172.16.27.0 255.255.255.0 host EMEAHub1
access-list outside_cryptomap_dyn_80 permit ip any 172.17.1.0 255.255.255.240
access-list emea-it-pub_splitTunnelAcl permit ip host EMEAtest01 any
access-list emea-it-remote_splitTunnelAcl permit ip 172.16.27.0 255.255.255.0 any
access-list outside_cryptomap_dyn_100 permit ip any 172.17.1.0 255.255.255.224
access-list outside_cryptomap_20 permit ip 172.16.27.0 255.255.255.0 host ParisBeheer14
access-list outside_cryptomap_20 permit ip 172.16.27.0 255.255.255.0 host ParisBeheer15
access-list outside_cryptomap_20 permit ip 172.16.27.0 255.255.255.0 host ParisBeheer16
access-list outside_cryptomap_20 permit ip 172.16.27.0 255.255.255.0 host ParisBeheer13
access-list outside_cryptomap_20 permit ip 172.16.27.0 255.255.255.0 ParisUserLAN 255.255.255.128
access-list outside_cryptomap_40 permit ip 172.16.27.0 255.255.255.0 ItalyLan 255.255.255.0
access-list outside_cryptomap_60 permit ip 172.16.27.0 255.255.255.0 host EMEAWeb1
access-list outside_cryptomap_60 permit ip 172.16.27.0 255.255.255.0 host EMEAHub1
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 213.201.163.162 255.255.255.240
ip address inside 172.16.27.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool emea-it-remote 172.17.1.1-172.17.1.10
ip local pool emea-it-pub 172.17.1.11-172.17.1.20
pdm location xxxxxxxx 255.255.255.255 inside
pdm location xxxxxxxxxxx 255.255.255.255 outside
pdm location xxxxxxxxx 255.255.255.255 inside
pdm location xxxxxxxx 255.255.255.255 outside
pdm location xxxxxxxx 255.255.255.224 outside
pdm location xxxxxxxxxx 255.255.255.0 outside
pdm location xxxxxxxx 255.255.255.255 outside
pdm location xxxxxxx 255.255.255.255 outside
pdm location xxxxxxxxxxx 255.255.255.255 outside
pdm location xxxxxxxxxx 255.255.255.255 outside
pdm location xxxxxxxxxx 255.255.255.255 outside
pdm location xxxxxxxxxxxx 255.255.255.128 outside
pdm location xxxxxxxxxx 255.255.255.0 outside
pdm location xxxxxxxxx 255.255.255.255 outside
pdm location xxxxxxxxxxxx 255.255.255.255 outside
pdm location xxxxxxxxx 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 172.16.27.0 255.255.255.0 0 0
static (inside,outside) 213.201.163.163 EMEAtest01 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.201.163.161 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 82.204.39.44 255.255.255.255 outside
http 83.98.246.210 255.255.255.255 outside
http 195.144.94.170 255.255.255.255 outside
http 172.16.27.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer ParisPublicIP
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 82.88.68.108
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 216.109.137.254
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address ParisPublicIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 82.88.68.108 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 216.109.137.254 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
vpngroup emea-it-remote address-pool emea-it-remote
vpngroup emea-it-remote split-tunnel emea-it-remote_splitTunnelAcl
vpngroup emea-it-remote idle-time 1800
vpngroup emea-it-remote password ********
vpngroup emea-it-pub address-pool emea-it-pub
vpngroup emea-it-pub split-tunnel emea-it-pub_splitTunnelAcl
vpngroup emea-it-pub idle-time 1800
vpngroup emea-it-pub password ********
telnet xxxxxxxx 255.255.255.255 outside
telnet xxxxxxxx 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 172.16.27.1-172.16.27.32 inside
dhcpd dns 213.201.128.21 213.201.191.18
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxx

: end

calvinetter commented:
> I also read somewhere ... that you have to use a different subnet.

Correct.

> How does the Pix know to route 172.17.1.x traffic to 172.16.27.x? Do I need to add a route somewhere?

It knows how to do so after you've properly set up your VPN parameters (non-overlapping IP pool, the pool assigned to the vpngroup, etc.). *No*, you don't have to set up a route manually.

Run these commands *in this order*:
------------------------------------------
no access-group inside_access_in in interface inside  <- redundant, unnecessary ACL
no crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
no crypto dynamic-map outside_dyn_map 20
no crypto dynamic-map outside_dyn_map 40
no crypto dynamic-map outside_dyn_map 60
no crypto dynamic-map outside_dyn_map 80
no access-list inside_outbound_nat0_acl permit ip 172.16.27.0 255.255.255.0 172.17.1.0 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 172.16.27.0 255.255.255.0 172.17.1.0 255.255.255.0
access-list splitter permit ip 172.16.27.0 255.255.255.0 172.17.1.0 255.255.255.0
no vpngroup emea-it-remote address-pool emea-it-remote
no vpngroup emea-it-remote split-tunnel emea-it-remote_splitTunnelAcl
no vpngroup emea-it-pub address-pool emea-it-pub
no vpngroup emea-it-pub split-tunnel emea-it-pub_splitTunnelAcl
no ip local pool emea-it-remote
no ip local pool emea-it-pub
ip local pool vpnpool 172.17.1.1-172.17.1.30
vpngroup emea-it-remote address-pool vpnpool
vpngroup emea-it-remote split-tunnel splitter
vpngroup emea-it-pub address-pool vpnpool
vpngroup emea-it-pub split-tunnel splitter
no access-list emea-it-pub_splitTunnelAcl
no access-list emea-it-remote_splitTunnelAcl
no access-list outside_cryptomap_dyn_100
clear xlate
crypto map outside_map interface outside
write mem   <- save config before trying to add "isakmp nat-traversal"

NOTE: you want "isakmp nat-traversal" especially for VPN clients, but your PIX version has a bug that may cause the PIX to reload when issuing this command!
clear xlate
isakmp nat-traversal
write mem

Now the VPN clients should be able to ping the 172.16.27.x subnet behind the PIX, assuming the remote LAN they reside on does *not* overlap either: 172.16.27.x or 172.17.1.x.  If you were trying to get the VPN clients to ping across the site-to-site VPN tunnels to the remote LANs such as 'ItalyLan', sorry but this just isn't possible with PIX version 6.x.
BTW, your PIX version, 6.3(1), is quite a buggy version; I highly suggest you upgrade to 6.3(5) if possible (assuming you have a current SmartNet support contract on your PIX).
And if the PIX keeps reloading when issuing "isakmp nat-traversal" (and thus doesn't save it in the config), then you'll pretty much be stuck with VPN client functionality not working properly for the most part; this command helps VPN clients connect and pass data when they're behind a NAT device (router/firewall), which 99% of VPN clients are.

cheers

int21dotorg (Author) commented:
It works!! Thanks so much!
And fortunately the PIX didn't reload after isakmp nat-traversal.

This may be pushing it, but can you explain in broad terms what was wrong? I used PDM's VPN wizard with pretty much standard settings, and as far as I can tell there were no overlapping IP pools, and the pools were correctly assigned to the VPN group. Was it that emea-it-remote and emea-it-pub were using the same subnet but defined as different pools? (Strange that you can't define subnet masks for these IP pools.)

calvinetter commented:
Great! Glad to hear it didn't suddenly reboot on you!

> ...can you explain in broad terms what was wrong?

One of the biggest things was using "permit ip any" in your crypto ACL(s), i.e.:
       access-list outside_cryptomap_dyn_100 permit ip any 172.17.1.0 255.255.255.224
Other things to keep in mind: when using split-tunneling, use a separate ACL for specifying "split-tunnel <ACL>" in vpngroups, and this ACL must be a "duplicate" of your 'nat 0' ACL if it is only one line (or of an entry thereof if the 'nat 0' ACL is multiple lines long). And "isakmp nat-traversal" is a must, as mentioned previously.

> (Strange that you can't define subnet masks for these IP pools.)

Actually the PIX will let you specify a mask, e.g.:
ip local pool mypool_A 10.2.2.1-10.2.2.10 mask 255.255.255.240
BUT make absolutely sure your crypto ACLs ('nat 0' and split-tunnel ACLs) use the same subnet mask so the traffic is matched correctly.

Notice that one of the previous pools' IP ranges didn't match up with the subnet masks you were using:
  ip local pool emea-it-pub 172.17.1.11-172.17.1.20  --> in your 'nat 0' ACL you used the mask 255.255.255.240, which does *not* include these IPs, but your "outside_cryptomap_dyn_100" ACL used the more correct mask 255.255.255.240.
With subnet mask 255.255.255.240, the valid range of usable IPs for the subnet which includes 172.17.1.11 is 172.17.1.1 - 172.17.1.14. The next subnet's IP range is 172.17.1.17-.30 (.16 is the subnet address, .31 is broadcast).
Notice I used 172.17.1.1-30 with a 255.255.255.0 mask: that's fine, since all these IPs fall within the correct range (.1-.254).

cheers
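The two answers above come down to the same two checks on the remote-access pool: it must not overlap the LAN behind the PIX, and every address in it must fall inside the subnet that the 'nat 0' and split-tunnel ACL masks describe, otherwise part of the pool is never NAT-exempted or never matched. The script below is an added example, not code from this thread or from Cisco; it uses Python's standard ipaddress module, assumes pools are written in the PIX 'first-last' form, and uses the thread's own LAN, pool and mask values (172.17.1.11-.20 against 255.255.255.240 is the failing case the last answer walks through). The ACL names in the audit call are the ones from the posted config; the function names are this example's own.

```python
import ipaddress


def parse_pool(pool_spec):
    """Parse a PIX-style 'ip local pool' range 'first-last' into two IPv4Address objects."""
    first_s, last_s = pool_spec.split("-")
    first, last = ipaddress.IPv4Address(first_s), ipaddress.IPv4Address(last_s)
    if last < first:
        raise ValueError(f"pool end {last} precedes pool start {first}")
    return first, last


def containing_subnet(addr, mask):
    """Return the subnet, under the given dotted mask, that contains addr
    (e.g. 172.17.1.11 with 255.255.255.240 -> 172.17.1.0/28)."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def usable_range(net):
    """First and last host address of a subnet (network and broadcast addresses excluded)."""
    hosts = list(net.hosts())
    return hosts[0], hosts[-1]


def pool_fits_mask(pool_spec, mask):
    """True when every pool address is a usable host of the single subnet that the ACL
    mask implies for the pool's first address. This is the check that fails for
    172.17.1.11-172.17.1.20 against 255.255.255.240: the /28 holding .11 ends at .14."""
    first, last = parse_pool(pool_spec)
    lo, hi = usable_range(containing_subnet(first, mask))
    return lo <= first and last <= hi


def pool_overlaps(pool_spec, lan_cidr):
    """True when the pool shares any address with the LAN. The PIX needs a pool that does
    not overlap the inside network, so 172.16.27.129-134 inside 172.16.27.0/24 is rejected."""
    first, last = parse_pool(pool_spec)
    lan = ipaddress.IPv4Network(lan_cidr)
    return not (last < lan.network_address or first > lan.broadcast_address)


def audit_pool(pool_spec, lan_cidr, acl_masks):
    """Return a list of findings for one address pool, checked against the LAN and against
    the mask used in each ACL that is supposed to match the pool (the 'nat 0' ACL, the
    split-tunnel ACL and any crypto ACL). acl_masks maps an ACL name to its dotted mask."""
    findings = []
    if pool_overlaps(pool_spec, lan_cidr):
        findings.append(f"pool {pool_spec} overlaps LAN {lan_cidr}")
    first, _ = parse_pool(pool_spec)
    for acl_name, mask in acl_masks.items():
        if not pool_fits_mask(pool_spec, mask):
            lo, hi = usable_range(containing_subnet(first, mask))
            findings.append(f"{acl_name}: mask {mask} covers only {lo}-{hi}, "
                            f"so part of pool {pool_spec} is never matched")
    return findings


if __name__ == "__main__":
    lan = "172.16.27.0/24"
    # The first attempt from the question: a pool carved out of the LAN itself.
    print(audit_pool("172.16.27.129-172.16.27.134", lan, {}))
    # The posted config: emea-it-pub pool against the masks its ACLs actually used.
    print(audit_pool("172.17.1.11-172.17.1.20", lan,
                     {"inside_outbound_nat0_acl": "255.255.255.240",
                      "outside_cryptomap_dyn_100": "255.255.255.224"}))
    # The replacement from the accepted answer: one pool, one /24 mask everywhere.
    print(audit_pool("172.17.1.1-172.17.1.30", lan,
                     {"inside_outbound_nat0_acl": "255.255.255.0",
                      "splitter": "255.255.255.0"}))
```

Run it as-is to see the three audits; the middle one reports the 'nat 0' mask problem while the 224 mask of the crypto ACL passes, and the last one (the accepted fix) comes back clean. When changing the pool or a mask on a live box, run the same check first: an empty findings list means the pool, the NAT exemption and the split-tunnel ACL all agree on one subnet.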