Cisco VPN client 4.8 can't access internet and client's LAN when connected to Cisco PIX 515

Posted on 2006-05-16
Last Modified: 2010-04-12
I have configured a Cisco PIX 515 with VPN. The VPN is working without problem; however, the client can't access his LAN or the internet when connected to the VPN. The Cisco has three interfaces: outside, inside and DMZ. Originally I created two VPN tunnels, one for inside and a second for DMZ, with different users.

If somebody can help me resolve this issue, it would be great.

here is my config:
asdm image flash:/asdm-511.bin
asdm location 192.168.1.15 255.255.255.255 inside
asdm location 192.168.10.13 255.255.255.255 DMZ
asdm location 192.168.10.96 255.255.255.224 DMZ
asdm location 192.168.1.96 255.255.255.224 inside
asdm history enable
: Saved
:
PIX Version 7.1(1)
!
hostname beast
domain-name domain.com

names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 83.96.142.114 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.10.254 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST +5
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
 domain-name domain.com
dns server-group VPNDMZ
 name-server 192.168.10.13
 domain-name domain.net
dns server-group VPNLoacal
 name-server 192.168.1.10
 name-server 192.168.1.15
 domain-name domain.com
same-security-traffic permit intra-interface
!ports for primary mail server
object-group service ACTMAIL tcp
 port-object eq aol
 port-object eq pop3
 port-object eq https
 port-object eq www
 port-object eq smtp
 port-object eq imap4
!ports for secondary mail server
object-group service MAIL tcp
 port-object eq pop3
 port-object eq https
 port-object eq www
 port-object eq smtp
 port-object eq imap4
!other servers
object-group service Bird tcp
 port-object eq https
 port-object eq www
 port-object range 8000 8100
object-group service DNS tcp-udp
 port-object eq domain
access-list inside_nat0_outbound extended permit ip any 192.168.10.96 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 192.168.1.96 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.31.255.0 255.255.255.128
access-list VPNDMZ_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.10.96 255.255.255.224
access-list VPNLocal_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.1.96 255.255.255.224
access-list outside_access_in extended permit tcp any host 83.96.142.115 object-group ACT-MAIL
access-list outside_access_in extended permit tcp any host 83.96.142.121 object-group MAIL
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list outside_nat0_inbound extended permit ip any 192.168.10.96 255.255.255.224
access-list 3 extended permit ip any any
access-list DMZ_nat0_outbound extended permit ip any 192.168.20.96 255.255.255.224
access-list DMZ_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.31.255.0 255.255.255.128
access-list MyDMZ_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_60 extended permit ip any 192.168.20.96 255.255.255.224
access-list VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_80 extended permit ip 192.168.10.0 255.255.255.0 172.31.255.0 255.255.255.128
access-list outside_cryptomap_dyn_80 extended permit ip any 172.31.255.0 255.255.255.128
access-list outside_cryptomap_dyn_80 extended permit ip 192.168.1.0 255.255.255.0 172.31.255.0 255.255.255.128
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
logging mail errors
logging from-address ciscopix@domain.com
logging recipient-address ss@domain.com level emergencies
logging debug-trace
logging class ip mail errors
logging class sys mail errors
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool VPNDMZ 192.168.10.96-192.168.10.127 mask 255.255.255.0
ip local pool VPNLocal 192.168.1.96-192.168.1.127 mask 255.255.255.0
ip local pool MyDMZ 192.168.20.96-192.168.20.127 mask 255.255.255.0
ip local pool VPN 172.31.255.0-172.31.255.64 mask 255.255.255.0
ip verify reverse-path interface outside
icmp permit 66.28.3.0 255.255.255.0 outside
icmp permit 66.250.250.0 255.255.254.0 outside
icmp permit host 67.103.15.94 outside
icmp deny any outside
icmp permit any inside
asdm image flash:/asdm-511.bin
asdm history enable
arp timeout 14400
global (outside) 1 83.96.142.126 netmask 255.255.255.255
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
static (inside,outside) 83.96.142.115 192.168.1.15 netmask 255.255.255.255
static (DMZ,outside) 83.96.142.121 192.168.10.13 netmask 255.255.255.255
static (inside,outside) 83.96.142.120 192.168.1.223 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 83.96.142.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy MyDMZ internal
group-policy MyDMZ attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MyDMZ_splitTunnelAcl
group-policy VPNLocal internal
group-policy VPNLocal attributes
 wins-server value 192.168.1.10 192.168.1.15
 dns-server value 192.168.1.10 192.168.1.15
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNLocal_splitTunnelAcl
 default-domain value domain.com
group-policy VPNDMZ internal
group-policy VPNDMZ attributes
 dns-server value 192.168.10.13
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNDMZ_splitTunnelAcl
 default-domain value domain.net
 split-dns value act-forex.ru
 nem enable
group-policy VPN internal
group-policy VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
username fox password 0TM.xCRk.P4nWrgF encrypted privilege 0
username fox attributes
 vpn-group-policy VPNLocal
username bird password CuJh9yaNbuDBkVKY encrypted privilege 0
username bird attributes
 vpn-group-policy VPNDMZ
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-192-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption des
isakmp policy 70 hash md5
isakmp policy 70 group 2
isakmp policy 70 lifetime 86400
isakmp nat-traversal  20
isakmp ipsec-over-tcp port 10000
tunnel-group VPNDMZ type ipsec-ra
tunnel-group VPNDMZ general-attributes
 address-pool (DMZ) VPNDMZ
 address-pool VPNDMZ
 authorization-server-group LOCAL
 default-group-policy VPNDMZ
 strip-realm
 authorization-required
tunnel-group VPNDMZ ipsec-attributes
 pre-shared-key *
 chain
tunnel-group VPNLocal type ipsec-ra
tunnel-group VPNLocal general-attributes
 address-pool (outside) VPNLocal
 address-pool VPNLocal
 default-group-policy VPNLocal
tunnel-group VPNLocal ipsec-attributes
 pre-shared-key *
tunnel-group MyDMZ type ipsec-ra
tunnel-group MyDMZ general-attributes
 address-pool MyDMZ
 default-group-policy MyDMZ
tunnel-group MyDMZ ipsec-attributes
 pre-shared-key *
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
 address-pool VPN
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.1.15
Cryptochecksum:
: end
Question by:sstikhin
10 Comments
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16694882
Your split tunneling rule is incorrect. What group-policy is in use? Let me know and I will give you the command you need.

Author Comment

by:sstikhin
ID: 16701711
My primary VPN group is VPNDMZ.

Here is all I have for this group:
ip local pool VPNDMZ 192.168.10.96-192.168.10.127 mask 255.255.255.0
access-list VPNDMZ_splitTunnelAcl standard permit any
group-policy VPNDMZ internal
group-policy VPNDMZ attributes
 dns-server value 192.168.10.13
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNDMZ_splitTunnelAcl
LVL 9

Expert Comment

by:stressedout2004
ID: 16702884
Ok, and what networks should the users using this group be able to access? Should they be able to access networks on the inside (192.168.1.0/24) as well as the DMZ network (192.168.10.0/24)?

Author Comment

by:sstikhin
ID: 16703855
192.168.10.0/24 plus the client's LAN and internet. No access to 192.168.1.0/24.
LVL 9

Accepted Solution

by:
stressedout2004 earned 1000 total points
ID: 16705089
access-list VPNDMZ_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
no access-list VPNDMZ_splitTunnelAcl standard permit any
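Why the narrowed entry fixes the symptom, as an added Python model (not part of the thread and not Cisco's code): under `split-tunnel-policy tunnelspecified` the Cisco VPN client sends only destinations matched by a permit entry of the split-tunnel network list into the tunnel, so `permit any` pulls the client's own LAN and internet traffic into the tunnel as well, where this PIX has no path for it. The model parses the two standard ACL lines above and classifies sample destinations; 192.168.10.13 and 192.168.1.15 come from the posted config, while 10.0.0.1 and 198.51.100.10 are constructed stand-ins for the client's LAN gateway and an internet host.

```python
import ipaddress

# Constructed sample: the split-tunnel ACL as originally posted and as corrected above.
SPLIT_BEFORE = ["access-list VPNDMZ_splitTunnelAcl standard permit any"]
SPLIT_AFTER = ["access-list VPNDMZ_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0"]

# Sample destinations: two addresses from the posted config plus two constructed
# stand-ins (the client's own LAN gateway and an internet host, documentation range).
DESTINATIONS = {
    "192.168.10.13": "DMZ server (posted config)",
    "192.168.1.15": "inside host (posted config; must stay unreachable)",
    "10.0.0.1": "constructed: gateway on the client's own LAN",
    "198.51.100.10": "constructed: an internet host",
}


def parse_standard_acl(lines):
    """Turn PIX standard ACL lines into (action, network) tuples.

    Grammar handled: access-list NAME standard permit|deny (any | NET MASK)
    """
    rules = []
    for line in lines:
        t = line.split()
        action = t[3]
        if t[4] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False)
        rules.append((action, net))
    return rules


def route_for(dst, rules):
    """Client-side decision under split-tunnel-policy tunnelspecified:
    a destination matched by a permit entry is sent into the tunnel,
    anything else leaves via the client's local interface."""
    addr = ipaddress.ip_address(dst)
    for action, net in rules:
        if addr in net:
            return "tunnel" if action == "permit" else "local"
    return "local"


def classify(acl_lines, destinations=DESTINATIONS):
    """Map each sample destination to 'tunnel' or 'local' for the given ACL."""
    rules = parse_standard_acl(acl_lines)
    return {dst: route_for(dst, rules) for dst in destinations}


if __name__ == "__main__":
    for label, acl in (("before", SPLIT_BEFORE), ("after", SPLIT_AFTER)):
        print(f"--- split tunnel list {label}: {acl[0].split('standard ')[1]}")
        for dst, path in classify(acl).items():
            print(f"{dst:>15}  {path:<6}  {DESTINATIONS[dst]}")
```

Running it shows every destination marked `tunnel` with the original list and only the DMZ server marked `tunnel` with the corrected one; the inside host stays `local`, which matches the asker's requirement that this group has no access to 192.168.1.0/24.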

Author Comment

by:sstikhin
ID: 16774707
Thank you for your help. Both VPN tunnels are working as they are supposed to.
Can I ask you one more question?

As you can see from my configuration I have two inside interfaces - inside and DMZ. I need to give full access from inside to DMZ and restricted access from DMZ to inside.

I have two hosts in DMZ, which should access the following ports on the "inside" interface side: 53 (TCP/UDP), 25 (TCP), 80 (TCP), 443 (TCP). When I create "rules" for these ports, it does not work until I create "Translate Exemption Rules". The option "Enable traffic through the firewall without address translation" is unchecked.
Author Comment

by:sstikhin
ID: 16774854
Here is my latest config (part of it):
access-list outside_int remark NATing for mail.actforex.com
access-list outside_int extended permit tcp any host 68.96.142.115 object-group MAIL
access-list outside_int remark Terminal access to Admin-PC
access-list outside_int extended permit tcp any host 68.96.142.120 eq 3389
access-list outside_int extended permit tcp any host 68.96.142.117 eq www
access-list outside_int extended permit tcp any host 68.96.142.121 object-group MAIL
access-list outside_int extended permit tcp any host 68.96.142.118 object-group act-svr
access-list outside_int extended permit udp any host 68.96.142.119 object-group act-srvr-udp
access-list outside_int extended permit udp any host 68.96.142.118 object-group act-srvr-udp
access-list outside_int extended permit tcp any host 68.96.142.119 object-group act-svr
access-list outside_int extended permit tcp any host 68.96.142.122 object-group DMZ-MAIL
access-list inside_int extended permit tcp host Mail any
access-list inside_nat0_outbound extended permit ip any 192.168.1.96 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.10.10 eq 3389
access-list DMZ_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip any 192.168.10.96 255.255.255.224
access-list outside_cryptomap_dyn_20_1 extended permit ip any 192.168.1.96 255.255.255.224
access-list VPNLocal_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list VPNDMZ_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.10.96 255.255.255.224
access-list dmz_splitTunnelAcl standard permit any
access-list DMZ_access_in extended permit tcp 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq smtp
access-list DMZ_access_in extended permit udp host 192.168.10.13 192.168.1.0 255.255.255.0 object-group DNS
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp host 192.168.10.13 192.168.1.0 255.255.255.0 object-group DNS
!
nat-control
global (outside) 1 68.96.142.126 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0 dns
nat (DMZ) 0 access-list DMZ_nat0_outbound
static (inside,outside) 68.96.142.115 Mail netmask 255.255.255.255
static (inside,outside) 68.96.142.120 192.168.1.223 netmask 255.255.255.255
static (DMZ,outside) 68.96.142.118 192.168.10.23 netmask 255.255.255.255
static (DMZ,outside) 68.96.142.119 192.168.10.24 netmask 255.255.255.255
static (DMZ,outside) 68.96.142.121 192.168.10.13 netmask 255.255.255.255
static (DMZ,outside) 68.96.142.116 192.168.10.17 netmask 255.255.255.255
static (DMZ,outside) 68.96.142.117 192.168.10.11 netmask 255.255.255.255
static (DMZ,outside) 68.96.142.122 192.168.10.10 netmask 255.255.255.255
access-group outside_int in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ


Here is how it should look:

                     WAN
                 /\   ||   /\
   everything    |    ||    |   everything
                 |    ||    |
                 ____||____
LAN----------[    PIX    ]-----------DMZ
everything ---------------->
           <---------------- 53,25,ICMP(all)
LVL 9

Expert Comment

by:stressedout2004
ID: 16776185
First, you can remove the access-group applied on the inside interface.  There's no use applying an access-group on the inside interface if everything is allowed to flow from the inside network going to the interface. By default, all traffic coming from the inside network is allowed. It's up to you though, I'm just suggesting that you clean up your configuration a little bit.

Should you decide to remove it, the commands would be:

no access-group inside_access_in in interface inside  --> disable access-group on the interface
clear configure access-list inside_access_in  ---> deletes all access-entries pertaining to inside_access_in

Secondly, to achieve your requirements, run the following commands:

no access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
static (inside, DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
clear configure access-list DMZ_access_in
access-list DMZ_access_in extended permit tcp 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq smtp
access-list DMZ_access_in extended permit udp host 192.168.10.13 192.168.1.0 255.255.255.0 object-group DNS
access-list DMZ_access_in extended permit tcp host 192.168.10.13 192.168.1.0 255.255.255.0 object-group DNS
access-list DMZ_access_in extended deny ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ_access_in extended permit ip any any

I don't know what port you have on object-group DNS, but I will leave it up to you to configure the necessary ACLs for dmz to inside communication. Take note, for inside to dmz, you don't need to create any rule. Only for dmz to inside. Just a reminder the order of the access-rules is important, it is checked from top to bottom.
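The ordering point at the end of the comment, as an added Python model of PIX first-match ACL evaluation (not from the thread and not Cisco's code): it parses the DMZ_access_in entries in the order the asker posted them (`permit ip any any` third) and in the order given above (explicit deny before the final `permit ip any any`), then evaluates sample DMZ-to-inside and DMZ-to-internet flows. The evaluator handles only the syntax those lines use (`any`, `host`, network/mask, `eq`, `object-group`) and the DNS object-group from the posted config; the `static (inside,DMZ)` identity NAT the comment also requires is outside what it models. The 192.168.10.23 and 192.168.10.13 hosts are from the asker's config; 198.51.100.10 is a constructed internet address.

```python
import ipaddress

# Object groups and service names as used in the posted config (DNS = port-object eq domain).
OBJECT_GROUPS = {"DNS": {53}}
NAMED_PORTS = {"smtp": 25, "domain": 53, "www": 80, "https": 443}

# DMZ_access_in as the asker posted it: "permit ip any any" sits above the tcp DNS entry,
# so every DMZ-to-inside flow is permitted before any narrower rule can apply.
POSTED_ORDER = [
    "access-list DMZ_access_in extended permit tcp 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq smtp",
    "access-list DMZ_access_in extended permit udp host 192.168.10.13 192.168.1.0 255.255.255.0 object-group DNS",
    "access-list DMZ_access_in extended permit ip any any",
    "access-list DMZ_access_in extended permit tcp host 192.168.10.13 192.168.1.0 255.255.255.0 object-group DNS",
]

# The order recommended in the comment: specific permits, explicit deny to inside, then permit any any.
EXPERT_ORDER = [
    "access-list DMZ_access_in extended permit tcp 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq smtp",
    "access-list DMZ_access_in extended permit udp host 192.168.10.13 192.168.1.0 255.255.255.0 object-group DNS",
    "access-list DMZ_access_in extended permit tcp host 192.168.10.13 192.168.1.0 255.255.255.0 object-group DNS",
    "access-list DMZ_access_in extended deny ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list DMZ_access_in extended permit ip any any",
]


def _network(t, i):
    """Parse 'any' | 'host A' | 'A MASK' at t[i]; return (network, index after it)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _ports(t, i):
    """Parse an optional trailing 'eq PORT' or 'object-group NAME'; None means any port."""
    if i >= len(t):
        return None
    if t[i] == "eq":
        p = t[i + 1]
        return {NAMED_PORTS[p] if p in NAMED_PORTS else int(p)}
    if t[i] == "object-group":
        return OBJECT_GROUPS[t[i + 1]]
    raise ValueError(f"unsupported ACL suffix: {' '.join(t[i:])}")


def parse_extended_acl(lines):
    """access-list NAME extended ACTION PROTO SRC DST [eq PORT | object-group NAME]"""
    rules = []
    for line in lines:
        t = line.split()
        action, proto = t[3], t[4]
        src, i = _network(t, 5)
        dst, i = _network(t, i)
        rules.append((action, proto, src, dst, _ports(t, i)))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry decides, top to bottom; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rports in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rports is not None and dport not in rports:
            continue
        return action
    return "deny"


# Sample flows: DMZ hosts from the posted config; 198.51.100.10 is a constructed internet host.
FLOWS = [
    ("tcp", "192.168.10.23", "192.168.1.15", 25),    # DMZ host -> inside SMTP
    ("udp", "192.168.10.13", "192.168.1.10", 53),    # DMZ DNS -> inside DNS
    ("tcp", "192.168.10.23", "192.168.1.15", 3389),  # DMZ -> inside RDP: should be blocked
    ("tcp", "192.168.10.23", "198.51.100.10", 80),   # DMZ -> internet: still allowed
]


if __name__ == "__main__":
    for label, acl in (("posted order", POSTED_ORDER), ("recommended order", EXPERT_ORDER)):
        rules = parse_extended_acl(acl)
        print(f"--- {label}")
        for proto, src, dst, port in FLOWS:
            print(f"{proto} {src} -> {dst}:{port:<5} {evaluate(rules, proto, src, dst, port)}")
```

With the posted order the RDP flow from the DMZ to the inside network is permitted by the early `permit ip any any`; with the recommended order it hits the explicit deny, while SMTP, DNS and DMZ-to-internet traffic are still permitted. The same evaluator can be pointed at any extended ACL that uses only this syntax to check what a reordering changes before it is applied.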
LVL 9

Expert Comment

by:stressedout2004
ID: 16776187
BTW, do a clear xlate after you do the changes.
Author Comment

by:sstikhin
ID: 16786752
This is a totally NEW configuration I just finished several days ago.

I'm stuck with the access. I had some time to play with it. I will try to do what you are suggesting and check what happens.

I have two mail servers in the DMZ which should send email to my corp mail system; also these two mail servers should access my DNS for resolving unknown addresses.
(Here are the ports which should be open from DMZ to LAN: TCP 25,53,80,443; UDP 53,123,161:162; all ICMP.)

Thank you for your time and priceless help resolving my issue.