Solved

Cisco PIX Client Connectivity

Posted on 2006-06-05
Last Modified: 2007-12-19
We have client VPN connectivity using Cisco PIX 506  PPTP....

We also have a site to site connection with our branch office....

Our Subnet is 192.168.100.0/24
Branch Subnet: 192.168.133.0/24

VPN Client IP range is 192.168.100.224-255

PIX Internal is: 192.168.100.1
PIX External is: 63.x.x.129
Default Route on PIX is Interface Outside  0.0.0.0 0.0.0.0 Gateway 63.x.x.130


The VPN clients are allowed to see the whole network and can easily connect to anything on the 192.168.100.0/24 subnet; however, they cannot connect to any device at the 192.168.133.0 BRANCH OFFICE. This is the error message in syslog:

2006-06-05 13:04:14      Local0.Info      192.168.100.1      Jun 05 2006 13:02:50: %PIX-6-110001: No route to 192.168.133.7 from 192.168.100.224
Question by:rickyclourenco

16 Comments

Expert Comment

by:dasmcse
ID: 16835167
Shouldn't the VPN client pool be on another subnet? (i.e. VPN Client IP range is 192.168.200.224-255)

Expert Comment

by:prashsax
ID: 16835366
Yes, your VPN client pool should be different from your internal IP subnet.

What is happening is that the PIX is confused, as the VPN client is connected to the outside interface while its IP subnet also exists on the inside interface.

Change your VPN pool to 192.168.101.0/255.255.255.240.

Author Comment

by:rickyclourenco
ID: 16835600
Changed the subnet,  to 192.168.200.0/24 and still the same problem.....

2006-06-05 14:35:50      Local0.Info      192.168.100.1      Jun 05 2006 14:34:26: %PIX-6-110001: No route to 192.168.133.7 from 192.168.200.1

Expert Comment

by:prashsax
ID: 16835662
You must have set up a VPN for 192.168.133.0/24.

For which you must have configured an IPSec rule static Source IP and destination IP, so that PIX can encrypt that data.
Now the route to 192.168.133.0/24 exists only from your internal network.

You need to create another VPN from 192.168.200.0/24 to 192.168.133.0/24.

Then you will be able to access that network.

Author Comment

by:rickyclourenco
ID: 16835990
the 192.168.133.0/24 subnet is connected VIA Site-to-site VPN...

Here is the only static route that is in the PIX....please tell me what other information you need, or give me a command to show all routes, or if you want I can paste the Running Config...

route outside 0.0.0.0 0.0.0.0 63.X.X.130 1  (default route)


Author Comment

by:rickyclourenco
ID: 16835999
the 192.168.200.0/24 is a CLIENT VPN Connection PPTP....from MS to PIX...

Expert Comment

by:prashsax
ID: 16836113
You need to locate the access-list defining the traffic and the crypto map which is using this access-list.

access-list NAME/NUMBER permit ip 192.168.100.0 255.255.255.0 192.168.133.0 255.255.255.0

crypto map MAPNAME NUMBER match address NAME/NUMBER.


You must have these lines in your configuration.

The access-list defines which traffic is to be routed. Now since you have defined 192.168.100.0/24 as source, the firewall is giving error no route to 192.168.133.0/24 from 192.168.200.0/24.

Earlier, when your VPN clients had the same IP subnet as your internal network, the problem was that the VPN client was connected on the outside interface and not on the inside interface.

That is why you need to configure another VPN from 192.168.200.0/24 to 192.168.133.0/24.


Author Comment

by:rickyclourenco
ID: 16836301
I don't understand what you mean by Configure another VPN...


This is what is in my run config...

access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 LAN_IN 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.100.0  255.255.255.0 India_LAN 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.200.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.100.0  255.255.255.0 192.168.133.0 255.255.255.0

crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 220.x.x.49
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside


I have added,

access-list outside_cryptomap_20 permit ip 192.168.200.0  255.255.255.0 192.168.133.0 255.255.255.0  <-- is this right? still does not work


Expert Comment

by:prashsax
ID: 16836365
Now the same would need to be added on the other side's firewall, i.e. on the firewall at the 192.168.133.0/24 end.

access-list ACL_name permit ip 192.168.133.0  255.255.255.0 192.168.200.0 255.255.255.0

Then it will work.


Author Comment

by:rickyclourenco
ID: 16836478
OK, but FYI, it still says NO ROUTE in syslog....

Expert Comment

by:prashsax
ID: 16836629
Ok , I got it.

You need to enable the traffic to come and go on same interface.

same-security-traffic permit intra-interface

Here is the link to the cisco document. Its exactly what you want.

It's an example of how to enable VPN clients to access a second network using the first.

Please go through it.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml.


Author Comment

by:rickyclourenco
ID: 16836752
Thanks, I'll get back to you on it

Author Comment

by:rickyclourenco
ID: 16844664
Sorry, I'm not sure what to do...is the document for 7.0?  because I have 6.3....here is my running config, if you can help, that would be great....I'm going to increase the point total...

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password qdyS6uz8sBHuqX1a encrypted
passwd y5x5HMqF1phMPAse encrypted
hostname pixfirewallUSA
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.133.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.200.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 192.168.133.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.200.0 255.255.255.0 192.168.133.0 255.255.255.0
access-list inside_access_out permit tcp object-group PPTP object-group OPPTP object-group OutPPTP
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq ftp
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq pop3
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq aol
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq 1863
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq 3389
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq citrix-ica
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq ssh
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq nntp
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq pptp
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq 47
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq www
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq 8070
access-list inside_access_out permit tcp 192.168.100.0 255.255.255.0 any eq https
access-list outside_access_in permit icmp any host 63.xxx.xxx.129 echo-reply
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 16
mtu outside 1500
mtu inside 1500
ip address outside 63.xxx.xxx.129 255.255.255.128
ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.200.1-192.168.200.255
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
route outside 0.0.0.0 0.0.0.0 63.xxx.xxx.130 1
route outside 192.168.200.0 255.255.255.0 63.xxx.xxx.130 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 220.xxx.xxx.49
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 220.xxx.xxx.49 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
telnet timeout 10
ssh timeout 5
console timeout 0
vpdn enable outside
username admin password 6VEv0NP2AGo7T9u. encrypted privilege 15
terminal width 80
Cryptochecksum:0a60296362a1c3574c48849e6811d47f
: end
[OK]
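As an added example (not code from the thread, nor from Cisco), here is a small Python script that parses a constructed excerpt of the running config above and walks a source/destination pair through the same decisions the firewall makes: which interface the packet enters on (pool addresses land on the interface where `vpdn enable` terminates PPTP), which interface the route lookup picks, whether a crypto-map ACL selects the flow for the site-to-site tunnel, and whether a `nat 0` exemption keeps NAT from rewriting the source before the crypto ACL is consulted. It also reports the pool/subnet overlap that the first two replies corrected. The names `parse_config`, `evaluate_flow` and `pool_overlaps`, the RFC 5737 addresses standing in for the masked 63.xxx.xxx.129/.130, and the `HAIRPIN_FIX` lines (the 7.x `same-security-traffic permit intra-interface` plus an outside-interface `nat 0` exemption, as in the Cisco hairpinning example linked earlier in the thread) are this example's own assumptions.

```python
import ipaddress
import re

# Added example, not code from the thread or from Cisco: parses the few PIX 6.3/7.x
# statements that matter here and checks a flow along the firewall's forwarding path.

# Constructed excerpt of the config posted above; the masked public addresses
# (63.xxx.xxx.129/.130) are replaced with RFC 5737 documentation addresses.
PIX63_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.133.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 192.168.133.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.200.0 255.255.255.0 192.168.133.0 255.255.255.0
ip address outside 203.0.113.129 255.255.255.128
ip address inside 192.168.100.1 255.255.255.0
ip local pool VPNPool 192.168.200.1-192.168.200.255
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.130 1
vpdn enable outside
"""
# Hypothetical 7.x additions (not in the thread) for hairpinning VPN clients back out
# 'outside' into the tunnel; 'same-security-traffic' does not exist in 6.3, and the
# branch end still needs the mirror-image crypto ACL entry.
HAIRPIN_FIX = """\
same-security-traffic permit intra-interface
access-list outside_nat0_acl extended permit ip 192.168.200.0 255.255.255.0 192.168.133.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_acl
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _endpoint(tokens):  # consumes 'any' or 'ADDR MASK'; returns (network, remaining tokens)
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return _net(tokens[0], tokens[1]), tokens[2:]

def parse_config(text):
    cfg = {"ifaces": {}, "routes": [], "acls": {}, "crypto_acls": [],
           "nat0": {}, "pools": [], "vpn_iface": None, "intra": False}
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            cfg["ifaces"][m[1]] = _net(m[2], m[3])
        elif m := re.match(r"route (\S+) (\S+) (\S+) \S+", line):
            cfg["routes"].append((_net(m[2], m[3]), m[1]))
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (.+)$", line):
            src, rest = _endpoint(m[2].split())
            cfg["acls"].setdefault(m[1], []).append((src, _endpoint(rest)[0]))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)$", line):
            cfg["crypto_acls"].append(m[1])
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            cfg["nat0"][m[1]] = m[2]
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+)$", line):
            cfg["pools"].append(tuple(int(ipaddress.ip_address(a)) for a in m.groups()))
        elif m := re.match(r"vpdn enable (\S+)$", line):
            cfg["vpn_iface"] = m[1]
        elif line == "same-security-traffic permit intra-interface":
            cfg["intra"] = True
    return cfg

def egress_interface(cfg, dst):  # longest-prefix match over connected subnets and static routes
    ip = ipaddress.ip_address(dst)
    cands = [(n.prefixlen, i) for i, n in cfg["ifaces"].items() if ip in n]
    cands += [(n.prefixlen, i) for n, i in cfg["routes"] if ip in n]
    return max(cands)[1] if cands else None

def ingress_interface(cfg, src):  # pool clients are terminated on the VPN interface
    ip = int(ipaddress.ip_address(src))
    if any(lo <= ip <= hi for lo, hi in cfg["pools"]):
        return cfg["vpn_iface"]
    return egress_interface(cfg, src)

def acl_match(cfg, name, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in cfg["acls"].get(name, []))

def pool_overlaps(cfg):  # interfaces whose connected subnet overlaps a client pool
    return [i for lo, hi in cfg["pools"] for i, n in cfg["ifaces"].items()
            if int(n.network_address) <= hi and lo <= int(n.broadcast_address)]

def evaluate_flow(cfg, src, dst):
    ingress, egress = ingress_interface(cfg, src), egress_interface(cfg, dst)
    crypto = next((a for a in cfg["crypto_acls"] if acl_match(cfg, a, src, dst)), None)
    nat0 = cfg["nat0"].get(ingress)
    exempt = nat0 is not None and acl_match(cfg, nat0, src, dst)
    if egress is None:
        status = "drop-no-route"
    elif egress == ingress and not cfg["intra"]:
        # The thread's case: the PPTP client is terminated on 'outside' and the route
        # lookup for the branch picks 'outside' too; 6.3 will not send a packet back out
        # its ingress interface and logs it as %PIX-6-110001 "No route to ... from ...".
        status = "drop-hairpin"
    elif crypto is None:
        status = "clear"         # routed, but never selected for the tunnel
    elif not exempt:
        status = "nat-mismatch"  # NAT runs first; the rewritten source misses the crypto ACL
    else:
        status = "encrypt"
    return {"ingress": ingress, "egress": egress, "crypto": crypto,
            "nat0_exempt": bool(exempt), "status": status}

if __name__ == "__main__":
    for label, cfg in (("6.3", parse_config(PIX63_CONFIG)),
                       ("7.x+fix", parse_config(PIX63_CONFIG + HAIRPIN_FIX))):
        for src in ("192.168.100.50", "192.168.200.1"):
            print(label, src, "-> 192.168.133.7:", evaluate_flow(cfg, src, "192.168.133.7")["status"])
```

With the posted 6.3 excerpt, an inside host to 192.168.133.7 evaluates to `encrypt` (inside in, outside out, crypto ACL hit, `nat (inside) 0` exemption), while a pool address to the same host evaluates to `drop-hairpin` because both the ingress and the egress interface are outside, which is what the "No route" syslog line reflects. With the 7.x lines appended, the same pool flow evaluates to `encrypt`.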

Expert Comment

by:prashsax
ID: 16845094
Yes, the document is for 7.0

The Hub feature is available in version 7.0.
You need this feature so that your firewall can act as Hub and enable the Clients to connect to the spoke.

Sorry, It cannot be done on 6.3.




Author Comment

by:rickyclourenco
ID: 16845289

so there is NO WAY for this to be done on 6.3, its impossible for VPN Clients to connect to the other side of the Tunnel....??

Accepted Solution

by: prashsax (earned 1400 total points)
ID: 16845330
AFAIK, they cannot access that network like this.

All you can do now is to set up a Terminal Server, so that they can log in to it and then access the other network from that server.
