PIX VPN - unable to access remote network after connect

Posted on 2006-05-10
Last Modified: 2013-11-16
I am able to connect via vpn client, but go no further.
I have not had problems in 10 other sites, the only difference here is this Comcast SMC cable modem/router (small business connection),
though I will never rule out config mistakes.


Internet --->  SMC Cable router ---> PIX ---> LAN

subnet between Cable router & PIX is 172.16.1.x
LAN subnet is 192.168.1.x

I believe I am passing all traffic from the cheesy cable router through to the pix - (as you might think, the config options are limited).
I am mapping ports to an internal Mail server.
There are no LAN or internet access issues.

 : Saved
 PIX Version 6.3(5)
 interface ethernet0 auto
 interface ethernet1 auto
 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 enable password X0h2.pTd5q5kBMWT encrypted
 passwd oc9JQ.Zyj.5tHB/R encrypted
 hostname pixfirewall
 fixup protocol dns maximum-length 512
 fixup protocol ftp 21
 fixup protocol h323 h225 1720
 fixup protocol h323 ras 1718-1719
 fixup protocol http 80
 fixup protocol rsh 514
 fixup protocol rtsp 554
 fixup protocol sip 5060
 fixup protocol sip udp 5060
 fixup protocol skinny 2000
 fixup protocol smtp 25
 fixup protocol sqlnet 1521
 fixup protocol tftp 69
 names
 access-list split permit
 access-list inside_outbound_nat0_acl permit ip any
 access-list InboundACL permit tcp any host
 pager lines 24
 icmp deny any outside
 mtu outside 1500
 mtu inside 1500
 ip address outside
 ip address inside
 ip audit info action alarm
 ip audit attack action alarm
 ip local pool vpnpool
 pdm location inside
 pdm logging informational 100
 pdm history enable
 arp timeout 14400
 global (outside) 1 interface
 nat (inside) 0 access-list inside_outbound_nat0_acl
 nat (inside) 1 0 0
 static (inside,outside) netmask 0 0
 access-group InboundACL in interface outside
 route outside 1
 timeout xlate 0:05:00
 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
 timeout sip-disconnect 0:02:00 sip-invite 0:03:00
 timeout uauth 0:05:00 absolute
 aaa-server TACACS+ protocol tacacs+
 aaa-server TACACS+ max-failed-attempts 3
 aaa-server TACACS+ deadtime 10
 aaa-server RADIUS protocol radius
 aaa-server RADIUS max-failed-attempts 3
 aaa-server RADIUS deadtime 10
 aaa-server LOCAL protocol local
 http server enable
 http inside
 no snmp-server location
 no snmp-server contact
 snmp-server community public
 no snmp-server enable traps
 floodguard enable
 crypto ipsec transform-set myset esp-des esp-md5-hmac
 crypto dynamic-map dymap 100 set transform-set myset
 crypto map mymap 100 ipsec-isakmp dynamic dymap
 crypto map mymap interface outside
 isakmp enable outside
 isakmp key ******** address netmask
 isakmp identity address
 isakmp client configuration address-pool local vpnpool outside
 isakmp nat-traversal 20
 isakmp policy 10 authentication pre-share
 isakmp policy 10 encryption des
 isakmp policy 10 hash md5
 isakmp policy 10 group 2
 isakmp policy 10 lifetime 86400
 vpngroup vpn01 address-pool vpnpool
 vpngroup vpn01 dns-server
 vpngroup vpn01 default-domain MW.local
 vpngroup vpn01 split-tunnel split
 vpngroup vpn01 idle-time 1800
 vpngroup vpn01 password ********
 telnet inside
 telnet timeout 5
 ssh timeout 5
 console timeout 0
 dhcpd lease 3600
 dhcpd ping_timeout 750
 dhcpd auto_config outside
 terminal width 80
 : end
Question by:artthegeek
    LVL 3

    Author Comment

    I should add -
    The company has only one public IP here.
    The public MX (mail) record points to the cable router's public ip & is then mapped from there to the outside pix interface, which in turn maps to the server (as you can see from the config).
    LVL 2

    Expert Comment

    I have had similar issues trying to use an IPSec Tunnel using the Cisco client to a PIX over SBC Yahoo DSL. Yahoo claims their home "modem" does not support AH or ESP protocols. You might want to verify this with Comcast before spending any more cycles on this.


    LVL 79

    Expert Comment

    The problem is that you are using same IP subnet for both internal and vpn clients. They really need to be two distinct networks:

    >ip address inside
    >ip local pool vpnpool

    Because then, this acl makes no sense:
    >access-list inside_outbound_nat0_acl permit ip any

    Try this:

     ip local pool vpnpool2
     no access-list inside_outbound_nat0_acl
     access-list inside_outbound_nat0_acl permit ip
     nat (inside) 0 access-list inside_outbound_nat0_acl
     vpngroup vpn01 address-pool vpnpool2

    LVL 3

    Author Comment

    L -
    Unfortunately, no go - but thanks for the reminder.

    One thing: I can get into the mail server via RDP using the address (the subnet between the PIX and the router) after connecting via VPN, but not to the (local lan inside the PIX).

    LVL 9

    Accepted Solution

    Try adding the following line:

    sysopt connection permit-ipsec

    I don't see it in the configuration. Try it and let us know.
    LVL 3

    Author Comment

    That's it! Thank you.
    Now the big question: Why?
    LVL 3

    Author Comment

    I answer my own question:

    Because all inbound sessions must be explicitly permitted by an access list or a conduit, the sysopt connection permit-ipsec command is used to permit all inbound IPSec authenticated cipher sessions.
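The two checks this thread turns on (the VPN pool sharing the inside subnet, raised in the earlier comment, and the missing sysopt connection permit-ipsec line from the accepted solution) can be audited mechanically against a PIX 6.x config dump. The script below is an added example written for this page, not code posted by anyone in the thread; the sample config lines and every address in them are constructed placeholders, since the real values were stripped from the post.

```python
"""Audit a PIX 6.x running-config for two remote-access VPN pitfalls.

Added example: checks (1) whether the assigned VPN address pool overlaps the
inside interface subnet and (2) whether 'sysopt connection permit-ipsec' is
present so decrypted IPsec traffic is not dropped by the outside interface ACL.
"""
import ipaddress
import re

# Constructed sample in the shape of the posted config; the addresses are
# illustrative placeholders, not the values from the thread.
SAMPLE_CONFIG = """\
ip address outside 172.16.1.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnpool 192.168.1.200-192.168.1.220
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup vpn01 address-pool vpnpool
isakmp enable outside
"""

# The same constructed config after the thread's two fixes: the pool moved to
# a distinct subnet and the sysopt line added.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "ip local pool vpnpool 192.168.1.200-192.168.1.220",
    "ip local pool vpnpool2 192.168.2.1-192.168.2.50",
).replace("address-pool vpnpool", "address-pool vpnpool2") + \
    "sysopt connection permit-ipsec\n"


def parse_interfaces(config):
    """Map interface name -> IPv4Network from 'ip address <if> <ip> <mask>' lines."""
    nets = {}
    for m in re.finditer(r"^\s*ip address (\S+) (\S+) (\S+)\s*$", config, re.M):
        nets[m.group(1)] = ipaddress.IPv4Network(
            f"{m.group(2)}/{m.group(3)}", strict=False)
    return nets


def parse_pools(config):
    """Map pool name -> (first, last) IPv4Address from 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(r"^\s*ip local pool (\S+) (\S+)-(\S+)\s*$", config, re.M):
        pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                            ipaddress.IPv4Address(m.group(3)))
    return pools


def assigned_pool(config):
    """Return the pool name referenced by 'vpngroup <name> address-pool', or None."""
    m = re.search(r"^\s*vpngroup \S+ address-pool (\S+)\s*$", config, re.M)
    return m.group(1) if m else None


def pool_overlaps_inside(config):
    """True if the assigned pool shares any address with the inside subnet."""
    inside = parse_interfaces(config).get("inside")
    pool = parse_pools(config).get(assigned_pool(config))
    if inside is None or pool is None:
        return False
    first, last = pool
    # Ranges are disjoint only if the pool ends before the subnet starts
    # or begins after the subnet's broadcast address.
    return not (last < inside.network_address or first > inside.broadcast_address)


def has_permit_ipsec(config):
    """True if decrypted IPsec sessions are exempted from the outside ACL."""
    return re.search(r"^\s*sysopt connection permit-ipsec\s*$", config, re.M) is not None


def audit(config):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    if pool_overlaps_inside(config):
        findings.append("VPN pool overlaps the inside subnet; use a distinct subnet "
                        "and reference it in the nat 0 access-list")
    if not has_permit_ipsec(config):
        findings.append("missing 'sysopt connection permit-ipsec'; decrypted VPN "
                        "traffic is subject to the outside interface ACL")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Run against the constructed original, the script reports both findings; against the fixed version it reports none. The second check is the one that explains the "Why?" above: without the sysopt line, traffic that has already been decrypted still has to pass the access-group applied to the outside interface, and InboundACL only permits the mail-server port, so VPN clients reach nothing else.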
    LVL 9

    Expert Comment

    Yup, right on the money.
    LVL 79

    Expert Comment

    Good catch, stressedout2004!
