rickyclourenco asked:
Cisco PIX Client Connectivity

We have client VPN connectivity using Cisco PIX 506 PPTP....

We also have a site to site connection with our branch office....

Our Subnet is 192.168.100.0/24
Branch Subnet: 192.168.133.0/24

VPN Client IP range is 192.168.100.224-255

PIX Internal is: 192.168.100.1
PIX External is: 63.x.x.129
Default Route on PIX is Interface Outside  0.0.0.0 0.0.0.0 Gateway 63.x.x.130


The VPN Clients are allowed to see the whole network, and can easily connect to anything on the 192.168.100.0/24 subnet; however, they cannot connect to any device at the 192.168.133.0 BRANCH OFFICE. This is the error message in SYSLOG:

2006-06-05 13:04:14      Local0.Info      192.168.100.1      Jun 05 2006 13:02:50: %PIX-6-110001: No route to 192.168.133.7 from 192.168.100.224
dasmcse:

Shouldn't the VPN client pool be on another subnet? (i.e. VPN Client IP range is 192.168.200.224-255)
prashsax:

Yes, your VPN client pool should be different from your internal IP subnet.

What is happening is that the PIX is confused, as the VPN client is connected to the outside interface while its IP subnet also exists on the inside interface.

Change your VPN Pool to 192.168.101.0/255.255.255.240.
rickyclourenco (ASKER):

Changed the subnet to 192.168.200.0/24 and still the same problem.....

2006-06-05 14:35:50      Local0.Info      192.168.100.1      Jun 05 2006 14:34:26: %PIX-6-110001: No route to 192.168.133.7 from 192.168.200.1
You must have set up a VPN for 192.168.133.0/24.

For which you must have configured an IPSec rule static Source IP and destination IP, so that PIX can encrypt that data.
Now the route to 192.168.133.0/24 exists only from your internal network.

You need to create another VPN from 192.168.200.0/24 to 192.168.133.0/24.

Then you will be able to access that network.
the 192.168.133.0/24 subnet is connected VIA Site-to-site VPN...

Here is the only static route that is in the PIX....please tell me what other information you need, or give me a command to show all routes, or if you want I can paste the Running Config...

route outside 0.0.0.0 0.0.0.0 63.X.X.130 1  (default route)

the 192.168.200.0/24 is a CLIENT VPN Connection PPTP....from MS to PIX...
You need to locate the access-list defining the traffic and the crypto map which is using this access-list.

access-list NAME/NUMBER permit ip 192.168.100.0 255.255.255.0 192.168.133.0 255.255.255.0

crypto map MAPNAME NUMBER match address NAME/NUMBER.


You must have these lines in your configuration.

The access-list defines which traffic is to be routed. Now, since you have defined 192.168.100.0/24 as the source, the firewall is giving the error "no route to 192.168.133.0/24 from 192.168.200.0/24".

Earlier, when your VPN client had the same IP as your internal subnet, the problem was that the VPN client was connected on the outside interface and not on the inside interface.

That is why you need to configure another VPN from 192.168.200.0/24 to 192.168.133.0/24.

I don't understand what you mean by Configure another VPN...


This is what is in my run config...

access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 LAN_IN 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.100.0  255.255.255.0 India_LAN 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.200.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.100.0  255.255.255.0 192.168.133.0 255.255.255.0

crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 220.x.x.49
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside


I have added,

access-list outside_cryptomap_20 permit ip 192.168.200.0  255.255.255.0 192.168.133.0 255.255.255.0  <-- is this right? still does not work

Now same would be required to be added on the other side firewall. i.e On the firewall at 192.168.133.0/24 end.

access-list ACL_name permit ip 192.168.133.0  255.255.255.0 192.168.200.0 255.255.255.0

Then it will work.

OK, but FYI, it still says NO ROUTE in syslog....
OK, I got it.

You need to enable the traffic to come and go on same interface.

same-security-traffic permit intra-interface

Here is the link to the Cisco document. It's exactly what you want.

It's an example of how to enable VPN clients to access a second network using the first.

Please go through it.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml.

Thanks, I'll get back to you on it
Sorry, I'm not sure what to do... is the document for 7.0? Because I have 6.3.... Here is my running config; if you can help, that would be great.... I'm going to increase the point total...

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password qdyS6uz8sBHuqX1a encrypted
passwd y5x5HMqF1phMPAse encrypted
hostname pixfirewallUSA
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.133.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.200.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 192.168.133.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.200.0 255.255.255.0 192.168.133.0 255.255.255.0
access-list inside_access_out permit tcp object-group PPTP object-group OPPTP object-group OutPPTP
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq ftp
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq pop3
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq aol
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq 1863
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq 3389
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq citrix-ica
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq ssh
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq nntp
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq pptp
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq 47
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq www
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq 8070
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq https
access-list outside_access_in permit icmp any host 63.xxx.xxx.129 echo-reply
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 16
mtu outside 1500
mtu inside 1500
ip address outside 63.xxx.xxx.129 255.255.255.128
ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.200.1-192.168.200.255
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
route outside 0.0.0.0 0.0.0.0 63.xxx.xxx.130 1
route outside 192.168.200.0 255.255.255.0 63.xxx.xxx.130 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 220.xxx.xxx.49
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 220.xxx.xxx.49 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
telnet timeout 10
ssh timeout 5
console timeout 0
vpdn enable outside
username admin password 6VEv0NP2AGo7T9u. encrypted privilege 15
terminal width 80
Cryptochecksum:0a60296362a1c3574c48849e6811d47f
: end
[OK]
Yes, the document is for 7.0

The Hub feature is available in version 7.0.
You need this feature so that your firewall can act as Hub and enable the Clients to connect to the spoke.

Sorry, it cannot be done on 6.3.
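The three answers above describe one forwarding decision in words: the crypto-map ACL decides what gets encrypted, the route lookup decides the egress interface, and a flow that would have to leave the interface it arrived on is dropped as "no route" unless the box permits intra-interface traffic (a 7.0 feature). The script below is an added example, not code from the thread, Cisco or Experts Exchange; it parses a constructed PIX-style config modelled on the fragments the asker posted (the masked 63.x.x.x addresses are replaced with TEST-NET-3 placeholders), traces a flow through those three checks, and flags the overlapping-pool mistake the first two answers raised. The `intra_interface` flag is an assumption that models the 7.0 `same-security-traffic permit intra-interface` knob; the ingress interface is inferred from a route lookup on the source address, which is only valid when the VPN pool does not overlap a connected subnet.

```python
import ipaddress

# Constructed sample, modelled on the fragments posted in this thread. The
# 63.x.x.x addresses are masked on the page, so TEST-NET-3 placeholders stand in.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.129 255.255.255.128
ip address inside 192.168.100.1 255.255.255.0
ip local pool VPNPool 192.168.200.1-192.168.200.255
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.133.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.200.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 192.168.133.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.0 0.0.0.0 203.0.113.130 1
route outside 192.168.200.0 255.255.255.0 203.0.113.130 1
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map interface outside
"""


def _take_net(tokens, i):
    """Consume one ACL address spec at tokens[i]: 'any' or 'addr mask'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull interfaces, pool, 'permit ip' ACL entries, static routes and the
    ACLs referenced by crypto maps out of PIX 6.x-style config text."""
    cfg = {"ifaces": {}, "acls": {}, "routes": [], "crypto_acls": [], "pool": None}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:
            cfg["ifaces"][t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pool"] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _take_net(t, 4)
            dst, _ = _take_net(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "route":
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)))
        elif t[:2] == ["crypto", "map"] and "match" in t:
            cfg["crypto_acls"].append(t[t.index("address") + 1])
    return cfg


def lookup_interface(cfg, addr):
    """Longest-prefix match over connected networks and static routes."""
    best = None
    for iface, net in list(cfg["ifaces"].items()) + cfg["routes"]:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else None


def acl_matches(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)


def analyse_flow(cfg, src, dst, intra_interface=False):
    """Trace one src->dst flow. `intra_interface` is an assumed knob modelling
    the 7.0-only 'same-security-traffic permit intra-interface' command; the
    6.3 box in the thread cannot turn it on."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = lookup_interface(cfg, src)   # where packets from src are expected to arrive
    egress = lookup_interface(cfg, dst)
    encrypt = [n for n in cfg["crypto_acls"] if acl_matches(cfg["acls"].get(n, []), src, dst)]
    hairpin = ingress == egress
    if hairpin and not intra_interface:
        verdict = "no-route"   # the %PIX-6-110001 condition shown in the thread's syslog
    elif encrypt:
        verdict = "encrypted"
    else:
        verdict = "clear"
    return {"ingress": ingress, "egress": egress, "hairpin": hairpin,
            "crypto": encrypt, "verdict": verdict}


def pool_overlaps_connected(cfg):
    """Interfaces whose connected subnet contains the VPN pool; when this is
    non-empty the route-based ingress guess in analyse_flow is not valid."""
    lo, hi = cfg["pool"]
    return [i for i, net in cfg["ifaces"].items() if lo in net or hi in net]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("pool overlap:", pool_overlaps_connected(cfg))
    print("LAN host  -> branch:", analyse_flow(cfg, "192.168.100.50", "192.168.133.7"))
    print("VPN client -> branch:", analyse_flow(cfg, "192.168.200.1", "192.168.133.7"))
```

Running it on the sample reproduces the thread: a LAN host reaches the branch through `outside_cryptomap_20`, while a VPN client arrives and would leave on `outside`, so the flow is reported as "no-route" whether or not the extra crypto ACL line from the asker's later post is appended; only the intra-interface flag changes the verdict, which is the 7.0 dependency prashsax describes.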




so there is NO WAY for this to be done on 6.3, it's impossible for VPN Clients to connect to the other side of the Tunnel....??
ASKER CERTIFIED SOLUTION (by prashsax)