VPN client and PIX firewall

I have my VPN client and it connects just fine remotely, but when I try to access anything in the network nothing seems to work, even when I try to access the internet. I'm kind of new to this so any kind of help would suffice.  I should also note that I'm connecting to a 506e Cisco PIX firewall.
mekkattiljjAsked:
terminalbCommented:
You also do not have a nat 0 command. VPN traffic should not be NATed. I agree with Keith above. Your config could use some cleaning up.
0
 
terminalbCommented:
Sounds like you do not have split tunneling enabled, as well as correct access lists. Can you post a sanitized copy of your configuration and I'll see what I can do for you here.

-Alex
0
 
calvinetterCommented:
Yes, not being able to access the Internet means that you don't have split tunneling enabled or it's misconfigured.  As for not being able to access internal resources, here's a checklist, assuming you're using IPSec:

- The "ip local pool" configured for the VPN clients must not overlap the LAN behind the PIX.
- Never use "permit ip any" in your VPN ACLs, be specific with the IP subnets.
- In order to reach hosts behind the PIX, the PIX must be their default gateway.
- The IP scheme of the VPN client PC must not overlap the LAN behind the PIX, nor the "ip local pool" range or you'll hit a routing loop.
- If the client PC has a software firewall enabled on it (Windows built-in or 3rd-party program), make sure you're allowing all traffic to/from the VPN client program ("cvpnd.exe").  And any present firewall must not be blocking ESP traffic inbound/outbound.
- If the client PC is connecting from behind some other router/firewall, make sure the following traffic isn't blocked to/from the client PC:
  UDP port 500
  UDP port 4500   <- if "isakmp nat-traversal" is configured on a 6.3 series PIX
  ESP protocol (protocol 50, *not* port 50)
  *For allowing ESP traffic on a SOHO router/firewall, the unit may have an option to enable "VPN passthrough" or "IPSec passthrough", or just specify "protocol 50" to/from the VPN server device.

Please post the complete but "sanitized" config (passwords removed, public IPs masked like so: x.x.x.82, but not mask out private IPs like 10.x.x.x, 192.168.x.x).

cheers
0
 
mekkattiljjAuthor Commented:
Here are my configs. I thought that my split tunneling was enabled.

PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname firebox
domain-name
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.22.224.200 A8n
object-group service nexus tcp-udp
  port-object range 5000 5000
object-group network Proximities_VPN
  description Proximities_VPN
  network-object 172.16.1.233 255.255.255.255
object-group network Proximities_VPNinside
  description Proximities_VPNinside
  network-object 172.16.1.233 255.255.255.255
object-group service ProximitiesPortsin tcp
  description ProximitiesPortsin
  port-object range 5935 5935
  port-object range 3389 3389
object-group network AdvantageInside
  description AdvantageInside
  network-object 172.16.1.211 255.255.255.255
object-group network AdvantageOutside
  network-object 172.16.1.211 255.255.255.255
access-list 101 permit 172.16.1.0 172.16.1.0
access-list acl_out permit icmp any any
access-list thedudes_splitTunnelAcl permit ip 172.22.224.0 255.255.255.0 any
access-list thedudes_splitTunnelAcl permit ip 172.22.254.0 255.255.255.0 any
access-list thedudes_splitTunnelAcl permit ip 172.16.1.0 255.255.255.0 any
access-list Proximities_splitTunnelAcl permit tcp 172.22.254.0 255.255.255.0 any eq 3389
access-list Proximities_splitTunnelAcl permit tcp 172.22.254.0 255.255.255.0 any eq 5935
access-list Proximities_splitTunnelAcl permit icmp 172.22.254.0 255.255.255.0 host 172.22.254.254
access-list Proximities_splitTunnelAcl permit icmp 172.22.254.0 255.255.255.0 host 172.22.254.2
access-list Advantage_splitTunnelAcl_1 permit tcp host 172.22.224.15 any eq ssh
pager lines 24
logging on
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 71.41.112.210 255.255.255.248
ip address inside 172.16.1.10 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNDHCP2 192.168.1.100-192.168.1.102 mask 255.255.255.0
ip local pool VPNDHCP3 172.16.1.165-172.16.1.166 mask 255.255.255.0
ip local pool VPNDHCP 172.16.1.233-172.16.1.235 mask 255.255.255.0
ip local pool VPNDHCP1 172.16.1.210-172.16.1.211 mask 255.255.255.0
pdm location 172.22.224.84 255.255.255.255 inside
pdm location A8n 255.255.255.255 inside
pdm location 216.53.208.165 255.255.255.255 outside
pdm location 172.22.224.144 255.255.255.255 inside
pdm location 172.22.224.250 255.255.255.255 inside
pdm location 172.22.224.0 255.255.255.0 outside
pdm location 172.22.224.250 255.255.255.255 outside
pdm location A8n 255.255.255.255 outside
pdm location 172.22.225.0 255.255.255.0 outside
pdm location 172.22.225.250 255.255.255.255 inside
pdm location 172.22.224.195 255.255.255.255 inside
pdm location 172.22.226.0 255.255.255.0 inside
pdm location 172.16.1.0 255.255.255.0 inside
pdm location 172.16.1.1 255.255.255.255 inside
pdm location 172.22.224.1 255.255.255.255 inside
pdm location 172.16.1.10 255.255.255.255 inside
pdm location 172.22.224.0 255.255.255.0 inside
pdm location 172.22.224.45 255.255.255.255 inside
pdm location 172.22.254.2 255.255.255.255 inside
pdm location 172.16.1.233 255.255.255.255 inside
pdm location 172.16.1.233 255.255.255.255 outside
pdm location 172.16.1.166 255.255.255.255 inside
pdm location 172.16.2.0 255.255.255.0 inside
pdm location 172.16.0.0 255.255.0.0 inside
pdm location 172.16.1.166 255.255.255.255 outside
pdm location 172.16.1.165 255.255.255.255 inside
pdm location 172.16.1.211 255.255.255.255 inside
pdm location 172.16.1.211 255.255.255.255 outside
pdm group Proximities_VPN outside
pdm group Proximities_VPNinside inside
pdm group AdvantageInside inside
pdm group AdvantageOutside outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
router ospf 100
  log-adj-changes
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 71.41.112.209 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.22.224.84 255.255.255.255 inside
http A8n 255.255.255.255 inside
http 172.22.224.45 255.255.255.255 inside
http 172.16.1.166 255.255.255.255 inside
http 172.16.1.165 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside A8n /fireboxcon
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map inside_dyn_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address respond
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map client configuration address initiate
crypto map inside_map client configuration address respond
crypto map inside_map client authentication LOCAL
crypto map inside_map interface inside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp keepalive 20 5
isakmp nat-traversal 20
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup thedudes address-pool VPNDHCP3
vpngroup thedudes dns-server 172.22.224.16 172.22.224.17
vpngroup thedudes default-domain wnw.ucdp.net
vpngroup thedudes split-tunnel thedudes_splitTunnelAcl
vpngroup thedudes split-dns wnw.ucdp.net cfl.rr.com ns1.mpinet.com
vpngroup thedudes pfs
vpngroup thedudes idle-time 1800
vpngroup thedudes password ********
vpngroup Proximities address-pool VPNDHCP
vpngroup Proximities split-tunnel Proximities_splitTunnelAcl
vpngroup Proximities pfs
vpngroup Proximities idle-time 1800
vpngroup Proximities password ********
vpngroup Advantage address-pool VPNDHCP1
vpngroup Advantage split-tunnel Advantage_splitTunnelAcl_1
vpngroup Advantage pfs
vpngroup Advantage idle-time 1800
vpngroup Advantage password ********
telnet timeout 5
ssh A8n 255.255.255.255 inside
ssh 172.22.224.84 255.255.255.255 inside
ssh 172.16.1.166 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn username
vpdn enable outside
vpdn enable inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username Proximity3
username Proximity2
username Proximity1
username Advantage1
username dashyw0n
username kluckock
username Emperor1800
terminal width 80
Cryptochecksum:ea498cf9a3c48e80725c4c3b27208f47
0
 
mekkattiljjAuthor Commented:
I can also ping the outside interface, but it's not constant.
0
 
Keith AlabasterEnterprise ArchitectCommented:
ip address inside 172.16.1.10 255.255.255.0
inside address

ip local pool VPNDHCP3 172.16.1.165-172.16.1.166 mask 255.255.255.0
ip local pool VPNDHCP 172.16.1.233-172.16.1.235 mask 255.255.255.0
ip local pool VPNDHCP1 172.16.1.210-172.16.1.211 mask 255.255.255.0
VPN's

Not sure if this will work....
0
 
calvinetterCommented:
Your VPN config needs quite a bit of work...  Just curious - is there a specific reason you wanted to have separate IP pools for the different VPN groups, such as for monitoring access by their IPs? You can just have a single pool for multiple VPN groups.  Exactly Keith, the current VPN pools won't work because they overlap the internal LAN behind the PIX (see my previous post).
  Do you have an internal router behind the PIX that's connecting other subnets, such as 172.22.224.0?  What's the internal layout of subnets, particularly in relation to 172.22.224.0?  A network diagram would help, & any other clarification you can provide.

cheers
0
 
Keith AlabasterEnterprise ArchitectCommented:
Which segment are you coming into, the 172 or 192 segment?
0
 
Keith AlabasterEnterprise ArchitectCommented:
Sorry Cal, I'd been looking at this for a while and hadn't refreshed. Apologies.
0
 
calvinetterCommented:
Exactly right terminalb, no 'nat 0' statement!  First we need to find out just which subnets we need to specify for 'nat 0'.

?? keith? no worries!  ;)

cheers all
0
 
terminalbCommented:
In fact, regardless of the access-lists, without the nat (inside) 0 applied to crypto traffic your VPN will not work.

-Alex
0
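Two of the points raised in this thread can be checked mechanically against a saved config: calvinetter's first checklist item (the "ip local pool" ranges must not overlap the LAN behind the PIX) and terminalb's point that there is no nat 0 statement exempting VPN traffic from NAT. The script below is an added example written for this page, not code from the thread or from Cisco. It reads only lines from the config mekkattiljj posted (trimmed to what the checks need), and its "fixed" excerpt is a constructed assumption: the 192.168.100.0/24 pool, the pool name VPNPOOL and the ACL name nonat are placeholders, not values the thread agreed on; the `nat (inside) 0 access-list <acl>` form is the PIX 6.3 syntax for the exemption.

```python
import ipaddress
import re

# Excerpt of the PIX 6.3(4) config posted in the thread, trimmed to the lines
# these checks read. In practice, feed the full "show run" text.
POSTED_CONFIG = """\
ip address outside 71.41.112.210 255.255.255.248
ip address inside 172.16.1.10 255.255.255.0
ip local pool VPNDHCP2 192.168.1.100-192.168.1.102 mask 255.255.255.0
ip local pool VPNDHCP3 172.16.1.165-172.16.1.166 mask 255.255.255.0
ip local pool VPNDHCP 172.16.1.233-172.16.1.235 mask 255.255.255.0
ip local pool VPNDHCP1 172.16.1.210-172.16.1.211 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpngroup thedudes address-pool VPNDHCP3
vpngroup Proximities address-pool VPNDHCP
vpngroup Advantage address-pool VPNDHCP1
"""

# Constructed "after" excerpt (an assumption, not a fix the thread settled on):
# one pool that lies outside the inside LAN, plus a nat 0 exemption so that
# inside-to-pool traffic is never translated by the "nat (inside) 1" rule.
FIXED_CONFIG = """\
ip address inside 172.16.1.10 255.255.255.0
ip local pool VPNPOOL 192.168.100.10-192.168.100.50 mask 255.255.255.0
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpngroup thedudes address-pool VPNPOOL
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
ASSIGN_RE = re.compile(r"^vpngroup (\S+) address-pool (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 ")


def parse_config(text):
    """Pull interface subnets, local pools, group->pool assignments and nat 0 lines."""
    ifaces, pools, assigns, nat0 = {}, {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            # "addr/mask" with strict=False yields the interface's network
            ifaces[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := ASSIGN_RE.match(line):
            assigns[m.group(1)] = m.group(2)
        elif NAT0_RE.match(line):
            nat0.append(line)
    return ifaces, pools, assigns, nat0


def range_overlaps(first, last, network):
    """True if any address in first..last falls inside network."""
    return first <= network.broadcast_address and last >= network.network_address


def lint(text):
    """Return human-readable findings; an empty list means both checks pass."""
    ifaces, pools, assigns, nat0 = parse_config(text)
    findings = []
    inside = ifaces.get("inside")
    for name, (first, last) in pools.items():
        if inside is not None and range_overlaps(first, last, inside):
            groups = [g for g, p in assigns.items() if p == name] or ["no vpngroup"]
            findings.append(
                f"pool {name} {first}-{last} overlaps inside LAN {inside} "
                f"(used by {', '.join(groups)})"
            )
    if not nat0:
        findings.append(
            "no 'nat (inside) 0 access-list <acl>' line: VPN client traffic "
            "falls into 'nat (inside) 1' and gets NATed"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} config ==")
        for finding in lint(cfg) or ["no findings"]:
            print(" -", finding)
```

Run against the posted excerpt it reports the three 172.16.1.x pools (VPNDHCP3, VPNDHCP and VPNDHCP1, the ones Keith quoted) plus the missing nat 0 line, and nothing for the constructed fixed excerpt. VPNDHCP2 passes the LAN check, but 192.168.1.x is the usual home-router range, which is the client-side overlap calvinetter's fourth checklist item warns about; the script cannot see the client PC's LAN, so that item still has to be checked by hand.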
 
mekkattiljjAuthor Commented:
Calvin, the reason for separate pools is exactly what you said: different groups have access to different things on the network. It was working fine before; I must've hit save when I shouldn't have ; )...and yes, we do have an internal router...I also just removed vpndhcp1 so that is not there in the config anymore....Keith, I'm coming into the 172 segment.
0
 
mekkattiljjAuthor Commented:
Like I said, I'm kinda new to this. I've messed with Cisco before but not the PIX; I took the job over from someone who took another job and I'm kinda learning everything on the fly (school can teach you only so much)...anyways, how would I put in the nat 0 statement?
0
 
calvinetterCommented:
>What's the internal layout of subnets, particularly in relation to 172.22.224.0?  A network diagram would help, & any other clarification you can provide.
  To quote myself above, please clarify the network layout.  I assume you need to get to the 172.22.224.0 subnet from the VPN clients? Is the PIX the default gateway for the router that handles the 172.22.224.0 subnet?  Before we put together the 'nat 0' & other config lines to fix this, we need better clarification.
   For a proper 'nat 0' config, we need to know what subnets you want your VPN clients to connect to.  Only the 172.22.224.0 subnet? Or also the inside subnet of 172.16.1.0?  Any other restrictions other than the Advantage group limited to only ssh?

cheers
0
 
mekkattiljjAuthor Commented:
x.x.1.10 is the outside interface, x.x.1.1 is the inside interface, x.x.x.1 is the gateway.
0