PIX Firewall VPN Server configuration details clarification regarding IP address assignment to remote access Cisco VPN clients

Posted on 2006-06-08
Last Modified: 2010-04-12
Shouldn't the range of IP addresses specified for assignment to Cisco remote access VPN clients (connecting to a PIX515 FW configured as a VPN server) be a group of addresses from the internal LAN network they are attempting to connect to?

Specifically, since our LAN behind the PIX Inside interface is a 192.168.0.0/24 network, shouldn't the "IP Local Pool" command in my PIX config also contain 192.168.0.0 network addresses for assignment to our remote access Cisco VPN clients?

My remote access clients using Cisco VPN Client v4.8.00 can connect to our PIX FW set up as a VPN server, but they cannot access any LAN resources, PING any LAN hosts, or browse the Web (and yes, the PIX inside interface is the LAN gateway - 192.168.0.1).

I fear I made a mistake using the PIX PDM GUI VPN wizard to try to enable VPN remote access. I entered the IP addresses 192.168.0.180 - 192.168.0.190 for the "pool of Local IP addresses for VPN clients", and now the show run config has these lines containing IP addresses, shown below, that I do not understand:

access-list inside_outbound_NAT0_acl permit ip any 192.168.0.176 255.255.255.240
access-list inside_outbound_NAT0_acl permit ip 192.168.0.0 255.255.255.0 192.168.0.176 255.255.255.240

Thanx in advance for any help or pointers - my job does not permit me hours & hours to search out detailed configuration information for the "easily configurable via GUI appliance based firewall solution for SMBs" I made the mistake of purchasing!
Question by:dealvis
6 Comments
 

Expert Comment

by:nodisco
ID: 16870174
hi there

<<Shouldn't the range of IP addresses specified for assignment to Cisco remote access VPN clients (connecting to a PIX515 FW configured as a VPN server), be a group of addresses from the internal LAN network they are attempting to connect to?
No - you should use a different range. Packets from your inside network going to the VPN pool will not go to the PIX, as the destination address will be in their own network range - so they will not be sent to the default gateway.

If you change your IP pool to 192.168.10.1-192.168.10.254, for example, and your access list to:
access-list inside_outbound_NAT0_acl permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
You should be able to access correctly.

If you have any issues - post your config and we can assist

hth


Author Comment

by:dealvis
ID: 16872436
TY hth for that very helpful clarification. I changed all references in the PIX config where 192.168.0.176/28 appeared to 10.1.0.0 255.255.0.0, including IP Pool, NAT0 acl, and both cryptomap acls.

Remote access Cisco VPN clients can still connect successfully, but there is still no more functionality than before the config change (meaning they still can't browse the network or the web, or ping LAN (192.168.0.0/24) hosts, etc.).

I noticed the test laptop (remote VPN client) was indeed assigned a 10.1.0.1 IP, but with the default subnet mask rather than the 255.255.0.0 I (thought) I specified in the PIX config statements. Anyway, here are most of the key PIX config parameters involved:

access-list Remote_Users_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any

access-list inside_outbound_nat0_acl permit ip any 10.1.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list outside_cryptomap_dyn_20 permit ip any 10.1.0.0 255.255.0.0
access-list outside_cryptomap_dyn_40 permit ip any 10.1.0.0 255.255.0.0

ip local pool RAUpool 10.1.0.1-10.1.0.254

nat (inside) 0 access-list inside_outbound_nat0_acl

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Remote_Users address-pool RAUpool
vpngroup Remote_Users dns-server 192.168.0.200 206.246.140.95
vpngroup Remote_Users wins-server 192.168.0.200
vpngroup Remote_Users default-domain bccweb.org
vpngroup Remote_Users split-tunnel Remote_Users_splitTunnelAcl
vpngroup Remote_Users idle-time 1800
vpngroup Remote_Users password ********

Feedback on obvious errors in the PIX config would be greatly appreciated - Thx!




Expert Comment

by:prueconsulting
ID: 16872743
Are your ACLs taking hits properly?

show access-list and you will see the hits.

The nat 0 ACL tells the PIX what to consider interesting traffic and send down the VPN connection.

You will have to allow icmp to be able to ping if I am not mistaken.


Author Comment

by:dealvis
ID: 16874711
Many thanks to both Experts who responded with assistance. If you are configuring "Split Tunnel" VPN access you may want to read on...

I gave up and contacted Cisco today and let the Tech in to our PIX. The problem preventing my Cisco Remote Access VPN Client from connecting to our internal LAN segment (192.168.0.0 255.255.255.0) behind the PIX inside interface [after successfully negotiating an IPsec tunnel to the PIX's outside interface] was this (incorrect) PIX access-list statement in the configuration:


access-list Remote_Users_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any

The Cisco Support Tech changed the destination from "any" to "192.168.1.0 255.255.255.0" (after 20 minutes of searching the PIX config).

So corrected it now looks like this:

access-list Remote_Users_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

192.168.1.0 255.255.255.0 is the network ID of the VPN local address pool configured on the PIX:

ip local pool RAUpool 192.168.1.1-192.168.1.254 mask 255.255.255.0

Lessons Learned:

Don't use the PIX PDM (browser-based GUI) to configure VPN server settings on the PIX (it was the PDM VPN Wizard that added the problem split tunneling entry).

I am happy that the remote access client can now browse the internal network and web without any issues.

Thanks again ExEx
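As an added example (not from this thread or from Cisco), here is a small Python checker that applies the three rules the thread converges on to the posted PIX fragments: the client pool must not overlap the inside LAN (nodisco's point), the nat 0 ACL must exempt LAN-to-pool traffic from translation, and the split-tunnel ACL destination must be the pool network rather than "any" (the fix Cisco support made). The sample config is constructed from the fragments above; it assumes the pool line carries a "mask" clause and that ACL entries use either "any" or a network/mask pair.

```python
import ipaddress
import re

# Constructed sample assembled from the fragments posted in this thread; the
# "any" destination on the split-tunnel ACL is the entry Cisco support corrected.
PIX_CONFIG = """
access-list Remote_Users_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool RAUpool 192.168.1.1-192.168.1.254 mask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup Remote_Users address-pool RAUpool
vpngroup Remote_Users split-tunnel Remote_Users_splitTunnelAcl
"""

def _addr(tokens):
    """Consume one ACL address spec ('any' or 'net mask'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def acl_entries(config, name):
    """Yield (src, dst) networks for every 'permit ip' line of the named ACL."""
    for line in config.splitlines():
        t = line.split()
        if t[:4] == ["access-list", name, "permit", "ip"]:
            src, rest = _addr(t[4:])
            dst, _ = _addr(rest)
            yield src, dst

def check_pix_vpn(config, inside_lan):
    """Return findings (strings) for the remote-access VPN pieces of a PIX config."""
    lan = ipaddress.ip_network(inside_lan)
    m = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", config, re.M)
    pool = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    findings = []
    # A pool carved from the LAN: hosts treat client addresses as on-link and never
    # send replies to the PIX (the default gateway), so nothing returns down the tunnel.
    if pool.overlaps(lan):
        findings.append(f"pool {pool} overlaps inside LAN {lan}")
    # The nat 0 ACL must exempt LAN -> pool traffic from translation.
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M).group(1)
    if not any(s.supernet_of(lan) and d.supernet_of(pool) for s, d in acl_entries(config, nat0)):
        findings.append(f"nat 0 ACL {nat0} does not exempt {lan} -> {pool}")
    # The fix from the thread: the split-tunnel destination is the pool, not 'any'.
    split = re.search(r"^vpngroup \S+ split-tunnel (\S+)", config, re.M).group(1)
    for _, dst in acl_entries(config, split):
        if dst.prefixlen == 0:
            findings.append(f"split-tunnel ACL {split}: destination 'any' should be {pool}")
    return findings

if __name__ == "__main__":
    for f in check_pix_vpn(PIX_CONFIG, "192.168.0.0/24"):
        print("FINDING:", f)
```

Run against the sample as posted it reports only the split-tunnel "any" destination; swapping in the original wizard pool (192.168.0.176/28) also triggers the overlap and nat 0 findings.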

Accepted Solution

by:CetusMOD
ID: 17064261
PAQed with points refunded (125)

CetusMOD
Community Support Moderator