Solved

Client vpn help (along with existing pix-pix vpn)

Posted on 2006-05-08
259 Views
Last Modified: 2013-11-16
I am currently trying to configure a VPN client so that it can connect from the outside into my local LAN.

Again, the configuration is set up as such:
VPN client -> PIX -> rtr -> local LAN

At the moment, I have a PIX -> PIX PTP VPN configured and running.

I can connect my VPN client from the outside with no problems.

I can ping the "outside" interface of the router (10.74.31.2), but if I try to ping something on my local LAN (192.168.0.x) from my VPN'd client nothing seems to pass through. My first thought was that it is a NAT issue on the router, but I can't seem to get it to work.

From my local LAN I can ping the VPN'd client.

Below are my configs:

PIX:
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names

!Used for Pix-pix vpn - this is functioning fine.
access-list 199 permit ip 10.1.56.0 255.255.255.0 10.74.31.0 255.255.255.0
access-list 199 permit ip 10.1.16.0 255.255.255.0 10.74.31.0 255.255.255.0
access-list 199 permit ip 10.1.63.0 255.255.255.0 10.74.31.0 255.255.255.0
access-list 199 permit udp any any eq isakmp
access-list 199 permit esp any any
access-list 199 permit ah any any
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any unreachable
access-list 199 permit tcp any any eq www
access-list 199 permit gre host 10.74.254.1 host 10.74.0.31

!This is the ip pool for my vpn clients
access-list 199 permit ip 192.168.1.0 255.255.255.0 any
access-list 199 permit udp 192.168.1.0 255.255.255.0 any
access-list 199 permit tcp 192.168.1.0 255.255.255.0 any
access-list 102 permit gre host 10.74.0.31 host 10.74.254.1
access-list 102 permit ip 10.74.31.0 255.255.255.0 10.1.56.0 255.255.255.0
access-list 102 permit ip 10.74.31.0 255.255.255.0 10.1.63.0 255.255.255.0
access-list 102 permit ip 10.74.31.0 255.255.255.0 10.1.16.0 255.255.255.0

!No Nat for VPN
access-list 101 permit gre host 10.74.0.31 host 10.74.254.1
access-list 101 permit ip 10.74.31.0 255.255.255.0 10.1.56.0 255.255.255.0
access-list 101 permit ip 10.74.31.0 255.255.255.0 10.1.63.0 255.255.255.0
access-list 101 permit ip 10.74.31.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list 101 permit ip 10.74.31.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 10full shutdown
interface ethernet5 10full shutdown
mtu outside 1500
mtu inside 1500
mtu local 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 66.9.177.xxx 255.255.255.224

!This is the range of my local private subnet
ip address inside 192.168.0.11 255.255.255.0

!this is the range for my router subnet
ip address local 10.74.31.1 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.1.1-192.168.1.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address local 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (local) 0 access-list 101
nat (local) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.74.254.1 10.74.254.1 netmask 255.255.255.255 0 0
access-group 199 in interface outside
route outside 0.0.0.0 0.0.0.0 66.9.177.xxx 1
route inside 10.74.0.31 255.255.255.255 10.74.31.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
snmp-server host inside 192.168.0.151
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set cmeset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set cmeset
crypto map cmevpn 10 ipsec-isakmp dynamic dynmap
crypto map cmevpn 20 ipsec-isakmp
crypto map cmevpn 20 match address 102
crypto map cmevpn 20 set peer 64.125.177.134
crypto map cmevpn 20 set transform-set cmeset
crypto map cmevpn interface outside
isakmp enable outside
isakmp key ******** address 64.125.177.134 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 192.168.0.42
vpngroup vpn3000 wins-server 192.168.0.42
vpngroup vpn3000 default-domain xxx.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 60



ROUTER CONFIG


Building configuration...

Current configuration : 3133 bytes
!
! Last configuration change at 09:53:38 CDT Mon May 8 2006
! NVRAM config last updated at 09:41:44 CDT Mon May 8 2006
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
!
hostname rhoroutervpn
!
boot system flash
logging buffered 8192 debugging
no logging console


clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
!
!
!
ip multicast-routing
ip cef
!
isdn switch-type basic-ni
call rsvp-sync
!
!
!
!
!
!
!
!USED FOR PIX-PIX tunnel
interface Loopback0
ip address 10.74.0.31 255.255.255.255
!USED FOR PIX-PIX tunnel
interface Tunnel0
ip address 10.74.1.86 255.255.255.252
ip pim sparse-mode
tunnel source 10.74.0.31
tunnel destination 10.74.254.1
!
interface FastEthernet0/0
description connection to local LAN
ip address 192.168.0.251 255.255.255.0
no ip redirects
ip nat inside
ip route-cache flow
speed 100
full-duplex
!
interface FastEthernet0/1
description connection to Intellispace router
ip address 10.74.31.2 255.255.255.0
no ip redirects
ip accounting output-packets
ip nat outside
ip pim sparse-mode
ip route-cache flow
load-interval 30
speed 100
full-duplex
!

ip nat inside source route-map route101 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.74.31.1
ip route 10.71.0.0 255.255.255.0 Tunnel0
ip flow-export version 5
ip flow-export destination 192.168.0.151 9996
no ip http server
ip pim rp-address 10.71.0.5
ip mroute 10.71.0.0 255.255.255.0 Tunnel0
!
access-list 111 permit ip any any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
route-map route101 permit 20
match ip address 111
!
!
!
!
!
!

!
line con 0
line aux 0
line vty 0 4
exec-timeout 19 59
!
ntp clock-period 17179996
ntp server 192.5.5.250
ntp server 17.254.0.31
end
Question by:jkeazirian
2 Comments
 

Accepted Solution

by:
stressedout2004 earned 1000 total points
ID: 16636243
You are missing the NAT 0 for the inside interface. Just add the commands below and you should be able to reach the 192.168.0.x network from the VPN Client.

access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 103
clear xlate

Also, although not related to your issue, the following route is incorrect.

route inside 10.74.0.31 255.255.255.255 10.74.31.2 1

If you want to reach the router's loopback address from the inside network, that route should be:

route inside 10.74.0.31 255.255.255.255 192.168.0.251

Or if you want to get to it from the DMZ ("local" interface), then it should be:

route local 10.74.0.31 255.255.255.255 10.74.31.2

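The fix from the accepted answer written out in full, with the "before" lines from the posted config next to the corrected ones and the commands used to confirm it worked. This is an added example by the editor, not text from the original post or from Cisco documentation; it assumes a PIX running 6.x (which the vpngroup syntax above indicates) and reuses the ACL number 103 that the answer chose. The reason the exemption matters: on PIX 6.x a host on a higher-security interface must have a translation (static, or a NAT 0 exemption) before the firewall will accept a connection to it that is initiated from a lower-security interface, and the decrypted VPN-client packets arrive on outside.

```cisco
! --- Before (from the posted config): the VPN pool 192.168.1.0/24 is exempted
! --- from NAT on "local" (ACL 101) but not on "inside", so there is no
! --- translation for 192.168.0.x hosts when a client on outside talks to them.
nat (local) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! --- After: exempt inside <-> VPN-pool traffic from NAT, then flush the
! --- translation table so the old PAT entries are not reused.
! --- clear xlate drops every existing translation through the PIX, so run it
! --- in a maintenance window, not during the business day.
access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 103
clear xlate

! --- Route correction from the answer: 10.74.31.2 sits on the "local"
! --- subnet (10.74.31.0/24), so the route must point out that interface.
no route inside 10.74.0.31 255.255.255.255 10.74.31.2
route local 10.74.0.31 255.255.255.255 10.74.31.2 1

! --- Verify with a VPN client connected and pinging a 192.168.0.x host.
! --- Both #pkts encaps and #pkts decaps on the client's SA should climb:
show crypto ipsec sa
! --- No PAT entry for 192.168.0.x <-> 192.168.1.x should appear:
show xlate
! --- Echo requests from 192.168.1.x should be forwarded to inside, not dropped:
debug icmp trace
```

One thing the answer does not touch: the three `access-list 199 permit ... 192.168.1.0 255.255.255.0 any` entries are not needed for the client traffic, because `sysopt connection permit-ipsec` already lets IPsec-decapsulated packets bypass the interface ACL. Since ACL 199 is applied inbound on outside, those entries also admit unencrypted packets from the Internet that merely carry a 192.168.1.x source address, so they are better removed once the NAT exemption is in place.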
 

Author Comment

by:jkeazirian
ID: 16638891
Good catch stressedout.  I spent a good 45 minutes trying to solve that before you helped me out.  I am disappointed I didn't notice it.

Thanks
