Ping problem through VPN session with PIX 515

Hi everyone,

We just switched our Linksys router for a PIX 515. Now, I'm still able to connect with my clients through VPN, but I can't ping or Telnet any address on their LAN. I want to know what line of config I need to add to these configurations to be able to ping or telnet through the VPN session. Next is the configuration of our PIX 515 and, further down, the configuration of the PIX 501 I'm connecting to:

PIX515 Configuration

: Saved
: Written by enable_15 at 09:54:20.382 EDT Thu Apr 27 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
enable password VIF8.p2gn2p.h8ZQ encrypted
passwd VIF8.p2gn2p.h8ZQ encrypted
hostname pix515-qc
domain-name fiable.local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.254.1 Dave_Cauchon
name 10.10.10.3 srvweb
name 192.168.121.1 scosyn
name 10.10.10.4 demo_ogasys
name 10.10.10.2 srvmail
name 192.168.121.143 serveur2003
access-list dmz permit ip 192.168.121.0 255.255.255.0 10.10.254.0 255.255.255.0
access-list dmz remark WAN ACCESS TO THE DMZ
access-list dmz remark WAN ACCESS TO THE MAIL SERVER
access-list dmz permit tcp any host 195.188.210.76 eq pop3
access-list dmz permit tcp any host 195.188.210.76 eq smtp
access-list dmz permit tcp any host 195.188.210.76 eq ftp
access-list dmz permit tcp any host 195.188.210.76 eq ftp-data
access-list dmz remark WAN ACCESS TO THE NETSERV SERVER
access-list dmz permit tcp any host 195.188.210.74 eq www
access-list dmz permit tcp any host 195.188.210.74 eq https
access-list dmz permit tcp any host 195.188.210.74 eq ftp
access-list dmz permit tcp any host 195.188.210.74 eq ftp-data
access-list dmz remark WAN ACCESS TO THE DEMO OGASYS SERVER
access-list dmz permit tcp any host 195.188.210.77 eq www
access-list dmz permit tcp any host 195.188.210.77 eq 3389
access-list splitter remark ACCESS-LIST FOR VPN CLIENTS
access-list splitter permit ip 192.168.121.0 255.255.255.0 10.10.254.0 255.255.255.0
access-list acces_dmz remark ACCESS FROM THE INSIDE TO THE DMZ
access-list acces_dmz remark TO REACH THE MAIL SERVER FROM THE INSIDE
access-list acces_dmz permit tcp any host srvmail eq pop3
access-list acces_dmz permit tcp any host srvmail eq smtp
access-list acces_dmz permit tcp any host srvmail eq ftp
access-list acces_dmz permit tcp any host srvmail eq ftp-data
access-list acces_dmz remark TO GIVE SERVER 2003 ACCESS TO THE DMZ
access-list acces_dmz permit tcp host serveur2003 host srvmail
access-list acces_dmz permit tcp host serveur2003 host demo_ogasys
access-list acces_dmz permit tcp host serveur2003 host srvweb
access-list acces_dmz remark TO REACH THE DEMO_OGASYS SERVER
access-list acces_dmz permit tcp any host demo_ogasys eq 3389
access-list acces_dmz permit tcp any host demo_ogasys eq 5900
access-list acces_dmz permit tcp any host demo_ogasys eq www
access-list acces_dmz remark TO REACH THE DMZ WITH VNC
access-list acces_dmz permit tcp host 192.168.121.170 any eq 5900
access-list acces_dmz permit tcp host 192.168.121.171 any eq 5900
access-list acces_dmz permit tcp host 192.168.121.169 any eq 5900
access-list acces_dmz remark TO REACH THE WEB SERVER FROM THE INSIDE
access-list acces_dmz permit tcp any host srvweb eq www
access-list acces_dmz permit tcp any host srvweb eq https
access-list acces_dmz permit tcp any host srvweb eq 3389
access-list acces_dmz permit tcp any host srvweb eq ftp
access-list acces_dmz permit tcp any host srvweb eq ftp-data
access-list acces_dmz permit tcp any host srvweb eq 2356
access-list acces_dmz remark TO REMOVE ACCESS FROM THE 121 NETWORK TO THE DMZ
access-list acces_dmz deny ip 192.168.121.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list acces_dmz remark TO ALLOW WEB BROWSING
access-list acces_dmz permit ip 192.168.121.0 255.255.255.0 any
access-list dmz_interne remark DMZ ACCESS TO THE INSIDE
access-list dmz_interne permit tcp host srvweb host scosyn eq 2356
access-list dmz_interne remark TO REMOVE ACCESS FROM THE DMZ TO THE 121 NETWORK
access-list dmz_interne deny ip 10.10.10.0 255.255.255.0 192.168.121.0 255.255.255.0
access-list dmz_interne remark TO ALLOW WEB BROWSING
access-list dmz_interne permit ip 10.10.10.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 195.188.210.75 255.255.255.248
ip address inside 192.168.121.250 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool tigroupool Dave_Cauchon
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 10.10.10.50-10.10.10.150
nat (inside) 0 access-list dmz
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 10.10.10.0 255.255.255.0 0 0
static (dmz,outside) 195.188.210.76 srvmail netmask 255.255.255.255 0 0
static (dmz,outside) 195.188.210.74 srvweb netmask 255.255.255.255 0 0
static (dmz,outside) 195.188.210.77 demo_ogasys netmask 255.255.255.255 0 0
static (inside,dmz) scosyn scosyn netmask 255.255.255.255 0 0
access-group dmz in interface outside
access-group acces_dmz in interface inside
access-group dmz_interne in interface dmz
conduit permit icmp any any
conduit permit tcp any any
route outside 0.0.0.0 0.0.0.0 195.188.210.73 1
route inside 10.10.121.0 255.255.255.0 192.168.121.254 1
route inside 192.168.77.0 255.255.255.0 192.168.121.254 1
route inside 192.168.120.0 255.255.255.0 192.168.121.254 1
route inside 192.168.122.0 255.255.255.0 192.168.121.254 1
timeout xlate 0:05:00
timeout conn 24:00:00 half-closed 4:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp authenticate
ntp server 132.163.4.101 source outside
ntp server 132.163.4.102 source outside prefer
http server enable
http 192.168.121.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup tigrouvpn address-pool tigroupool
vpngroup tigrouvpn dns-server serveur2003
vpngroup tigrouvpn wins-server serveur2003
vpngroup tigrouvpn default-domain fiable.local
vpngroup tigrouvpn split-tunnel splitter
vpngroup tigrouvpn idle-time 1800
vpngroup tigrouvpn password ********
telnet 192.168.121.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:8202e09e488e8649190a74926f21f0ca
: end

PIX501 Configuration

: Saved
: Written by enable_15 at 15:27:05.122 UTC Wed May 3 2006
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password i6UxfZXAJDRy0dDX encrypted
passwd i6UxfZXAJDRy0dDX encrypted
hostname pix-maddison
domain-name maddison.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.115.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 192.168.115.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.115.0 255.255.255.0 192.168.122.0 255.255.255.0
access-list 101 permit ip 192.168.115.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 101 permit tcp host 199.243.181.75 any eq telnet
access-list splitter permit ip 192.168.115.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.39.251.209 255.255.255.248
ip address inside 192.168.115.17 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool iccpool 192.168.1.1-192.168.1.10
ip local pool ippool 192.168.5.1
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface telnet 192.168.115.10 telnet netmask 255.255.255.255 0 0
access-group 101 in interface outside
conduit permit tcp any any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 65.93.252.209 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 3:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp authenticate
ntp server 132.163.4.102 source outside prefer
http server enable
http 192.168.115.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key iccctrl address 0.0.0.0 netmask 0.0.0.0
isakmp keepalive 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup iccvpn address-pool iccpool
vpngroup iccvpn default-domain maddison.com
vpngroup iccvpn split-tunnel splitter
vpngroup iccvpn idle-time 86400
vpngroup iccvpn password ********
telnet 192.168.1.1 255.255.255.255 outside
telnet 192.168.115.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local ippool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username iccvpn password ********
vpdn enable outside
terminal width 80
Cryptochecksum:596cc24e884bc881572f816032d617f6
: end
Asked by: icctechnologies
mikebernhardt commented:
I can't give you an answer because I'm not familiar enough with PIX VPN. But I can tell you that you'll get a better response if you post this under Hardware-routers/switches.
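The thread never got a technical answer, so here is the check a practitioner would run against the two configs as posted. This is an added example from the editor, not code from the thread or from Cisco; the config excerpts inside it are copied from the question, while the check list and its interpretation are the editor's assumptions. Two things the linter looks at follow directly from the posted lines: on the PIX 515, the VPN client session to the PIX 501 leaves through PAT (`global (outside) 1 interface`), and IKE on UDP/500 survives PAT while ESP has no ports to translate, so the data path needs either NAT-T on both peers (the posted PIX 501 has no `isakmp nat-traversal` line) or `fixup protocol esp-ike` on the transit PIX 515 (not present either); IKE completing while pings fail is consistent with that reading, but it is an inference, not something the thread confirms. The linter also confirms that each box's address pool is covered by its split-tunnel ACL and its `nat 0` ACL, which is the other common cause of this symptom, and flags the weak settings visible in the configs (`conduit permit ... any any`, SNMP community `public`, a wildcard pre-shared key, telnet allowed from outside). Before adding `esp-ike` to a PIX that also terminates IPsec itself, as the PIX 515 does, check the 6.3 command reference for its restrictions; enabling NAT-T on the PIX 501 is the smaller change.

```python
"""Check the two PIX 6.3 configs from the question for the usual
'IKE comes up but no traffic passes' causes. Added example; the
config excerpts are copied from the question, the checks are the editor's."""
import ipaddress

# Excerpts of the posted configs: only the lines the linter reads.
PIX515 = """
name 10.10.254.1 Dave_Cauchon
access-list dmz permit ip 192.168.121.0 255.255.255.0 10.10.254.0 255.255.255.0
access-list splitter permit ip 192.168.121.0 255.255.255.0 10.10.254.0 255.255.255.0
ip local pool tigroupool Dave_Cauchon
global (outside) 1 interface
nat (inside) 0 access-list dmz
conduit permit tcp any any
snmp-server community public
isakmp nat-traversal 20
vpngroup tigrouvpn address-pool tigroupool
vpngroup tigrouvpn split-tunnel splitter
"""
PIX501 = """
access-list 101 permit ip 192.168.115.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list splitter permit ip 192.168.115.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool iccpool 192.168.1.1-192.168.1.10
global (outside) 1 interface
nat (inside) 0 access-list 101
conduit permit tcp any any
snmp-server community public
isakmp key iccctrl address 0.0.0.0 netmask 0.0.0.0
vpngroup iccvpn address-pool iccpool
vpngroup iccvpn split-tunnel splitter
telnet 192.168.1.1 255.255.255.255 outside
"""

def _spec(tokens, names):
    """Consume one PIX address spec (any | host X | NET MASK), resolving `name` aliases."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(names.get(tokens[1], tokens[1])), tokens[2:]
    net = ipaddress.IPv4Network(f"{names.get(tokens[0], tokens[0])}/{tokens[1]}", strict=False)
    return net, tokens[2:]

def parse_pix(text):
    cfg = {"names": {}, "acl": {}, "pool": {}, "nat0": {}, "vpngroup": {}, "flags": set()}
    for t in (line.split() for line in text.splitlines()):
        if not t or t[0].startswith(":"):
            continue
        if t[0] == "name":                      # name <ip> <alias>
            cfg["names"][t[2]] = t[1]
        elif t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] == "ip":
            src, rest = _spec(t[4:], cfg["names"])
            dst, _ = _spec(rest, cfg["names"])
            cfg["acl"].setdefault(t[1], []).append((t[2], src, dst))
        elif t[:3] == ["ip", "local", "pool"]:  # single address, alias, or lo-hi range
            lo, _, hi = t[4].partition("-")
            lo = cfg["names"].get(lo, lo)
            cfg["pool"][t[3]] = (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi or lo))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[0] == "vpngroup":
            cfg["vpngroup"].setdefault(t[1], {})[t[2]] = t[3]
        elif t[:2] == ["isakmp", "nat-traversal"]:
            cfg["flags"].add("nat-t")
        elif t[:3] == ["fixup", "protocol", "esp-ike"]:
            cfg["flags"].add("esp-ike")
        elif t[0] == "conduit" and t[-2:] == ["any", "any"]:
            cfg["flags"].add("conduit-any-any")
        elif t[:3] == ["snmp-server", "community", "public"]:
            cfg["flags"].add("snmp-public")
        elif t[:2] == ["isakmp", "key"] and "address" in t and t[t.index("address") + 1] == "0.0.0.0":
            cfg["flags"].add("wildcard-psk")
        elif t[0] == "telnet" and t[-1] == "outside":
            cfg["flags"].add("telnet-outside")
    return cfg

def pool_covered(cfg, acl_name, lo, hi):
    """True if every pool address is the destination of a `permit ip` entry in the ACL."""
    dsts = [d for act, _, d in cfg["acl"].get(acl_name, []) if act == "permit"]
    return all(any(ipaddress.IPv4Address(a) in d for d in dsts) for a in range(int(lo), int(hi) + 1))

def audit(cfg, inside_if="inside"):
    """Return {check_name: passed}. A False is a finding to look at."""
    r = {}
    for group, attrs in cfg["vpngroup"].items():
        lo, hi = cfg["pool"][attrs["address-pool"]]
        r[f"{group}/split_tunnel_covers_pool"] = pool_covered(cfg, attrs.get("split-tunnel"), lo, hi)
        r[f"{group}/nat0_exempts_pool"] = pool_covered(cfg, cfg["nat0"].get(inside_if), lo, hi)
    f = cfg["flags"]
    r["nat_traversal"] = "nat-t" in f      # needed when a peer or client sits behind PAT
    r["esp_ike_fixup"] = "esp-ike" in f    # lets a PAT-only transit PIX pass ESP
    r["no_conduit_any_any"] = "conduit-any-any" not in f
    r["snmp_not_public"] = "snmp-public" not in f
    r["no_wildcard_psk"] = "wildcard-psk" not in f
    r["no_telnet_outside"] = "telnet-outside" not in f
    return r

if __name__ == "__main__":
    for host, text in (("pix515-qc", PIX515), ("pix-maddison", PIX501)):
        print(host)
        for check, ok in audit(parse_pix(text)).items():
            print(f"  [{'ok' if ok else '!!'}] {check}")
```

Run as-is it reports both boxes; every `!!` line is something to look at. On the posted configs the pool/ACL checks pass on both sides, the PIX 501 fails `nat_traversal` and neither box has `esp_ike_fixup`, which is where the editor would start; the remaining findings are hygiene items unrelated to the ping problem but worth fixing while the configs are open.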
