Solved

PIX Firewall VPN Server configuration details clarification regarding IP address assignment to remote access Cisco VPN clients

Posted on 2006-06-08
Medium Priority, 293 Views
Last Modified: 2010-04-12
Shouldn't the range of IP addresses specified for assignment to Cisco remote access VPN clients (connecting to a PIX515 FW configured as a VPN server), be a group of addresses from the internal LAN network they are attempting to connect to?

Specifically, since our LAN behind the PIX Inside interface is a 192.168.0.0/24 network shouldn't the "IP Local Pool" command in my PIX config also contain 192.168.0.0 network addresses for assignment to our remote access Cisco VPN clients?

My remote access clients using Cisco VPN Client v4.8.00 can connect to our PIX FW set up as a VPN server, but they cannot access any LAN resources, PING any LAN hosts, or browse the Web (and yes, the PIX inside interface is the LAN gateway, 192.168.0.1).

I fear I made a mistake using the PIX PDM GUI VPN wizard to try to enable VPN remote access. I entered the IP addresses 192.168.0.180 - 192.168.0.190 for the "pool of Local IP addresses for VPN clients" and now the show run config has these lines containing IP addresses, shown below, that I do not understand:

access-list inside_outbound_NAT0_acl permit ip any 192.168.0.176 255.255.255.240
access-list inside_outbound_NAT0_acl permit ip 192.168.0.0 255.255.255.0 192.168.0.176 255.255.255.240

Thanx in advance for any help or pointers - my job does not permit me hours & hours to search out detailed configuration information for the "easily configurable via GUI appliance based firewall solution for SMBs" I made the mistake of purchasing!
0
Question by:dealvis
6 Comments
 
LVL 19

Expert Comment

by:nodisco
ID: 16870174
hi there

<<Shouldn't the range of IP addresses specified for assignment to Cisco remote access VPN clients (connecting to a PIX515 FW configured as a VPN server), be a group of addresses from the internal LAN network they are attempting to connect to?
No - you should use a different range. Packets from your inside network going to the VPN pool will not go to the PIX, as the destination address will be in their own network range - so they will not be sent to the default gateway.

If you change your IP pool to 192.168.10.1-192.168.10.254, for example, and your access list to:
access-list inside_outbound_NAT0_acl permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
You should be able to access correctly.

If you have any issues - post your config and we can assist

hth

0
 

Author Comment

by:dealvis
ID: 16872436
TY hth for that very helpful clarification. I changed all references in the PIX config where 192.168.0.176/28 appeared to 10.1.0.0 255.255.0.0, including IP Pool, NAT0 acl, and both cryptomap acls.

Remote access Cisco VPN clients can still connect successfully, but there is still no more functionality than before the config change (meaning they still can't browse the network or the web or ping LAN (192.168.0.0/24) hosts, etc.)

I noticed the test laptop (remote VPN client) was indeed assigned a 10.1.0.1 IP, but with the default Subnet Mask rather than the 255.255.0.0 I (thought) I specified in the PIX config statements? Anyway, here are most of the key PIX config parameters involved:

access-list Remote_Users_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any

access-list inside_outbound_nat0_acl permit ip any 10.1.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list outside_cryptomap_dyn_20 permit ip any 10.1.0.0 255.255.0.0
access-list outside_cryptomap_dyn_40 permit ip any 10.1.0.0 255.255.0.0

ip local pool RAUpool 10.1.0.1-10.1.0.254

nat (inside) 0 access-list inside_outbound_nat0_acl

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Remote_Users address-pool RAUpool
vpngroup Remote_Users dns-server 192.168.0.200 206.246.140.95
vpngroup Remote_Users wins-server 192.168.0.200
vpngroup Remote_Users default-domain bccweb.org
vpngroup Remote_Users split-tunnel Remote_Users_splitTunnelAcl
vpngroup Remote_Users idle-time 1800
vpngroup Remote_Users password ********

Feedback on obvious errors in the PIX config would be greatly appreciated - Thx!

0
 
LVL 11

Expert Comment

by:prueconsulting
ID: 16872743
Are your ACLs taking hits properly?

Run show access-list and you will see the hits.

The nat 0 ACL tells the PIX what to consider interesting traffic and send down the VPN connection.

You will have to allow icmp to be able to ping if I am not mistaken.

0
 

Author Comment

by:dealvis
ID: 16874711
Many thanks to both Experts who responded with assistance. If you are configuring "Split Tunnel" VPN access, you may want to read on...

I gave up and contacted Cisco today and let the Tech in to our PIX. The problem preventing my Cisco Remote Access VPN Client from connecting to our internal LAN segment (192.168.0.0 255.255.255.0) behind the PIX inside interface [after successfully negotiating an IPsec tunnel to the PIX's outside interface] was this (incorrect) PIX access-list statement in the configuration:

access-list Remote_Users_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any

The Cisco Support Tech changed the destination from "any" to "192.168.1.0 255.255.255.0" (after 20 minutes of searching the PIX config).

So corrected it now looks like this:

access-list Remote_Users_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

192.168.1.0 255.255.255.0 is the network ID of the VPN local address pool configured on the PIX:

ip local pool RAUpool 192.168.1.1-192.168.1.254 mask 255.255.255.0

Lessons Learned:

Don't use the PIX PDM (browser-based GUI) to configure VPN server settings on the PIX (it was the PDM VPN Wizard that added the problem Split Tunneling entry).

I am happy that the remote access client can now browse the internal network and the web without any issues.

Thanks again ExEx
0
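The thread settles on two configuration points: nodisco's advice that the client pool must be a separate network from the inside LAN (otherwise inside hosts treat the client addresses as on-link and never send replies to the PIX), and the final post's change of the split-tunnel ACL destination from "any" to the pool network. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses the PIX 6.x lines quoted in the posts (ip local pool, extended access-list, nat 0 and vpngroup) and reports a pool that overlaps the LAN, a nat 0 ACL that does not exempt LAN-to-pool traffic, and a split-tunnel ACL whose destination is "any" or does not cover the pool. Both config snippets are constructed from the posts; the nat 0 ACL entry in the fixed version is an assumption, since the final post does not show it.

```python
# Added example: checker for the PIX 6.x remote-access VPN settings in this thread.
# The two config snippets are constructed from the lines quoted in the posts; the
# nat 0 entry in FIXED_CONFIG is assumed (the final post does not show it).
import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(.+)$")
POOL_RE = re.compile(r"^ip local pool\s+(\S+)\s+(\S+)-(\S+)(?:\s+mask\s+\S+)?$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list\s+(\S+)$")
VPNGROUP_RE = re.compile(r"^vpngroup\s+\S+\s+(address-pool|split-tunnel)\s+(\S+)$")

# State described in the original question: pool carved out of the inside LAN,
# split-tunnel ACL with destination "any" (what the PDM wizard produced).
BROKEN_CONFIG = """
ip local pool RAUpool 192.168.0.180-192.168.0.190
access-list inside_outbound_NAT0_acl permit ip any 192.168.0.176 255.255.255.240
access-list inside_outbound_NAT0_acl permit ip 192.168.0.0 255.255.255.0 192.168.0.176 255.255.255.240
access-list Remote_Users_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
nat (inside) 0 access-list inside_outbound_NAT0_acl
vpngroup Remote_Users address-pool RAUpool
vpngroup Remote_Users split-tunnel Remote_Users_splitTunnelAcl
"""

# State after the fix in the final post: pool on its own /24, split-tunnel ACL
# destination set to the pool network. The nat 0 ACL entry here is an assumption.
FIXED_CONFIG = """
ip local pool RAUpool 192.168.1.1-192.168.1.254 mask 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Remote_Users_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup Remote_Users address-pool RAUpool
vpngroup Remote_Users split-tunnel Remote_Users_splitTunnelAcl
"""


def parse_endpoint(tokens):
    """Consume one ACL address operand: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
    Returns (network, remaining tokens); None stands for 'any'."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pix(config):
    """Extract pools, extended ACL entries, the nat 0 binding and vpngroup settings."""
    cfg = {"pools": {}, "acls": {}, "nat0_acl": None, "vpngroup": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, action, rest = m.groups()
            src, rest_tokens = parse_endpoint(rest.split())
            dst, _ = parse_endpoint(rest_tokens)
            cfg["acls"].setdefault(name, []).append((action, src, dst))
        elif m := POOL_RE.match(line):
            name, start, end = m.groups()
            # A pool range rarely aligns to one prefix; keep the list of CIDR blocks.
            cfg["pools"][name] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(start), ipaddress.ip_address(end)))
        elif m := NAT0_RE.match(line):
            cfg["nat0_acl"] = m.group(1)
        elif m := VPNGROUP_RE.match(line):
            cfg["vpngroup"][m.group(1)] = m.group(2)
    return cfg


def covers(operand, target):
    """True if an ACL operand (None == any) contains all of network `target`."""
    return operand is None or target.subnet_of(operand)


def check_vpn_config(config, lan="192.168.0.0/24"):
    """Return a list of findings; an empty list means all three checks pass."""
    lan = ipaddress.ip_network(lan)
    cfg = parse_pix(config)
    findings = []

    pool_name = cfg["vpngroup"].get("address-pool")
    pool = cfg["pools"].get(pool_name)
    if not pool:
        return [f"vpngroup address-pool '{pool_name}' is not a defined ip local pool"]

    # 1. nodisco's point: a pool inside the LAN prefix means inside hosts treat
    #    client addresses as on-link and never send replies to the PIX gateway.
    if any(n.overlaps(lan) for n in pool):
        findings.append(f"pool {pool_name} overlaps inside network {lan}; use a separate range")

    # 2. nat 0 must exempt LAN -> pool from translation. ACL names are compared exactly.
    nat0 = cfg["acls"].get(cfg["nat0_acl"], [])
    if not nat0:
        findings.append(f"nat (inside) 0 references ACL '{cfg['nat0_acl']}', which has no entries")
    elif not all(any(a == "permit" and covers(s, lan) and covers(d, n)
                     for a, s, d in nat0) for n in pool):
        findings.append(f"nat 0 ACL '{cfg['nat0_acl']}' does not exempt {lan} -> pool traffic")

    # 3. The fix from the final post: split-tunnel ACL destination must be the
    #    pool network, not "any".
    st_name = cfg["vpngroup"].get("split-tunnel")
    for a, s, d in cfg["acls"].get(st_name, []):
        if d is None:
            findings.append(f"split-tunnel ACL '{st_name}': destination 'any' should be the pool network")
        elif not all(covers(d, n) for n in pool):
            findings.append(f"split-tunnel ACL '{st_name}': destination {d} does not cover the pool")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_vpn_config(cfg_text) or ["OK"])
```

Run as-is, the broken snippet yields the overlap and split-tunnel findings and the fixed snippet yields none. Because the checker looks up the nat 0 ACL by its exact name, a reference to an ACL that is spelled differently from its definition is reported as an ACL with no entries, which is worth checking whenever a config has been edited by hand across several posts, as this one was.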
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 17064261
PAQed with points refunded (125)

CetusMOD
Community Support Moderator
0
