Solved

Cisco PIX VPN Clients no Traffic

Posted on 2006-06-14
905 Views
Last Modified: 2012-05-05
I have a problem getting this PIX to work properly. I have always been
configuring PIXes with the VPN client setup, but this time I just can't
resolve the issue.

When I set up the VPN connection, all goes well, although traffic is not
passing to the LAN...


Below is the output for the VPN clients:


sh cry ipsec sa
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3


sh cry isa sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    195.x.x.1     83.x.x.10    QM_IDLE         0           1


When I remove the isakmp nat-traversal 20 statement, I get:
sh cry ipsec sa
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0


no traffic at all...


Here's a copy of my VPN config:


access-list split permit ip 192.168.6.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.123.0 255.255.255.0


ip address outside dhcp setroute retry 4


global (outside) 1 interface
global (inside) 1 interface
global (intf2) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0


sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 90 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup digicore address-pool ippool
vpngroup xxx split-tunnel split
vpngroup xxx idle-time 1800
vpngroup xxx password ********


I also tried installing an updated version of the Cisco client, but this
didn't help much. I can connect to other sites without a problem with
the same client.


Question by:phylaxict
12 Comments
 
LVL 10

Expert Comment

by:Sorenson
ID: 16902112
Can you send the ip addresses of the two internal interfaces?
Packets are going into the PIX, but they are not returning. Could there be an internal route issue? I.e.: do the internal clients that you are trying to connect to know that they need to use this PIX to get to 192.168.123.0 (the IP pool on the PIX used by VPN clients)?
 
LVL 1

Author Comment

by:phylaxict
ID: 16902907
Hi Sorenson,

Thanks a lot for your time. I have seen the issue before with packets only being decrypted and none being encrypted in the output of the PIX. Most of the time this was resolvable by using other authentication and encryption protocols. Unfortunately, this time I am getting the same problem with all kinds of phase settings.

The inside IP is 192.168.6.254, the intf2 IP is 192.168.11.253.

Thanks a lot in advance
 
LVL 10

Expert Comment

by:Sorenson
ID: 16903038
Any access-lists on the inside interface? What type of traffic did you try to send and receive? Is syslog turned on for this? Any additional clues in the logging?
 
LVL 32

Accepted Solution

by:
rsivanandan earned 250 total points
ID: 16903874
Try this;

no crypto map mymap interface outside
crypto map mymap interface outside

Cheers,
Rajesh
 
LVL 1

Author Comment

by:phylaxict
ID: 16910004
I think it's better to post the whole configuration here after all, to keep things clearer. Be aware the PIX uses 3 interfaces: 1 is connected to a DMZ, and 1 is connected to a LAN which has several subnets.

pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.11.253 255.255.255.0
ip address intf2 192.168.6.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.247.1-192.168.247.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 1 interface
global (intf2) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
static (intf2,outside) tcp interface 7002 testserver 7002 netmask 255.255.255.255 0 0
static (intf2,outside) tcp interface www webserver www netmask 255.255.255.255 0 0
static (intf2,outside) tcp interface 3000 gprshost 3000 netmask 255.255.255.255 0 0
static (intf2,outside) tcp interface 7667 gprshost 7667 netmask 255.255.255.255 0 0
static (intf2,outside) tcp interface 15666 192.168.6.5 15666 netmask 255.255.255.255 0 0
static (intf2,inside) webserver webserver netmask 255.255.255.255 0 0
static (inside,intf2) webserver webserver netmask 255.255.255.255 0 0
static (intf2,inside) gprshost gprshost netmask 255.255.255.255 0 0
static (intf2,inside) testserver testserver netmask 255.255.255.255 0 0
static (intf2,inside) webmapserver webmapserver netmask 255.255.255.255 0 0
static (inside,intf2) gprshost gprshost netmask 255.255.255.255 0 0
static (inside,intf2) testserver testserver netmask 255.255.255.255 0 0
static (inside,intf2) webmapserver webmapserver netmask 255.255.255.255 0 0
static (intf2,inside) server****server****netmask 255.255.255.255 0 0
static (inside,intf2) server****server****netmask 255.255.255.255 0 0
static (inside,intf2) securebase securebase netmask 255.255.255.255 0 0
static (intf2,inside) securebase securebase netmask 255.255.255.255 0 0
access-group outside_to_inside in interface outside
access-group inside_to_intf2 in interface inside
access-group dmz_to_outside in interface intf2
conduit permit icmp any any
route inside 192.168.5.0 255.255.255.0 192.168.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside *.*.*.* /
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 90 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ********* address-pool ippool
vpngroup ********* split-tunnel split
vpngroup ********* idle-time 1800
vpngroup ********* password ********


@Sorenson: I tried both ICMP and RDP traffic for testing purposes. Syslog is not turned on. Logging within the VPN client does not show extra information; it seems to be all right.

@rsivanandan, I tried that, but it didn't help, I'm afraid.

 
LVL 1

Author Comment

by:phylaxict
ID: 16910007
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
 
LVL 10

Assisted Solution

by:Sorenson
Sorenson earned 250 total points
ID: 16910560
currently:
ippool 192.168.247.1-192.168.247.254  (addresses going to vpn clients)
access-list split permit ip 192.168.6.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.123.0 255.255.255.0
nat (inside) 0 access-list nonat
ip address inside 192.168.11.253 255.255.255.0
ip address intf2 192.168.6.254 255.255.255.0


Your split and nonat access-lists indicate that you want to VPN into your intf2 interface.
If this is true, you need to add the following:

remove access-list split and nonat   (no access-list split, and no access-list nonat)
access-list split permit ip 192.168.6.0 255.255.255.0 192.168.247.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.247.0 255.255.255.0
nat (intf2) 0 access-list nonat
vpngroup ********* split-tunnel split


If you want to vpn to inside addresses (192.168.11.x) then do this:
no access-list split
no access-list nonat
access-list split permit ip 192.168.11.0 255.255.255.0 192.168.247.0 255.255.255.0
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.247.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup ********* split-tunnel split

If you want to vpn to both inside and intf2 addresses (192.168.11.x and 192.168.6.x) then do this:
no access-list split
no access-list nonat

access-list split permit ip 192.168.6.0 255.255.255.0 192.168.247.0 255.255.255.0
access-list split permit ip 192.168.11.0 255.255.255.0 192.168.247.0 255.255.255.0
access-list nonatinside permit ip 192.168.11.0 255.255.255.0 192.168.247.0 255.255.255.0
access-list nonatintf2 permit ip 192.168.6.0 255.255.255.0 192.168.247.0 255.255.255.0

nat (inside) 0 access-list nonatinside
nat (intf2) 0 access-list nonatintf2

vpngroup ********* split-tunnel split

 
LVL 10

Expert Comment

by:Sorenson
ID: 16910571
In your current configuration, return packets are trying to go back to the VPN client, but they are being NAT'd beforehand (because the nonat and split are wrong). That is why you have the one-way traffic.
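Added example, not from this thread and not Cisco code: a small Python lint that reproduces the reasoning in Sorenson's two comments above (the split-tunnel ACL and the nat 0 exemption must both name the client pool, and the exemption must sit on the interface that owns the protected subnet) so the mismatch can be caught from a config dump instead of from the "decaps > 0, encaps = 0" symptom. The two configs embedded below are constructed samples modelled on the thread, with a placeholder vpngroup name "mygroup"; the "fixed" sample pairs nonatinside with 192.168.11.0/24 (the subnet on inside) and nonatintf2 with 192.168.6.0/24 (the subnet on intf2). The parser only understands the handful of PIX 6.3 statements involved here, and the interface-ownership check is an extra step not discussed in the thread.

```python
import re
import ipaddress

# Constructed sample resembling the original post: the client pool is
# 192.168.247.0/24, but both ACLs name 192.168.123.0/24, and the nat 0
# exemption is on "inside" although 192.168.6.0/24 lives on intf2.
BROKEN_CONFIG = """\
ip address inside 192.168.11.253 255.255.255.0
ip address intf2 192.168.6.254 255.255.255.0
ip local pool ippool 192.168.247.1-192.168.247.254
access-list split permit ip 192.168.6.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.123.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup mygroup address-pool ippool
vpngroup mygroup split-tunnel split
"""

# Constructed sample of the "both interfaces" fix: every protected subnet is in
# the split ACL and has a nat 0 exemption on the interface that owns it.
FIXED_CONFIG = """\
ip address inside 192.168.11.253 255.255.255.0
ip address intf2 192.168.6.254 255.255.255.0
ip local pool ippool 192.168.247.1-192.168.247.254
access-list split permit ip 192.168.6.0 255.255.255.0 192.168.247.0 255.255.255.0
access-list split permit ip 192.168.11.0 255.255.255.0 192.168.247.0 255.255.255.0
access-list nonatinside permit ip 192.168.11.0 255.255.255.0 192.168.247.0 255.255.255.0
access-list nonatintf2 permit ip 192.168.6.0 255.255.255.0 192.168.247.0 255.255.255.0
nat (inside) 0 access-list nonatinside
nat (intf2) 0 access-list nonatintf2
vpngroup mygroup address-pool ippool
vpngroup mygroup split-tunnel split
"""


def parse_pix(config):
    """Pull out only the PIX 6.3 statements the VPN-client path depends on."""
    info = {"interfaces": {}, "pools": {}, "acls": {}, "nat0": {},
            "group_pool": {}, "group_split": {}}
    for raw in config.splitlines():
        line = raw.strip()
        try:
            if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
                name, ip, mask = m.groups()
                info["interfaces"][name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
                name, lo, hi = m.groups()
                info["pools"][name] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
                name, s, sm, d, dm = m.groups()
                info["acls"].setdefault(name, []).append(
                    (ipaddress.ip_network(f"{s}/{sm}", strict=False),
                     ipaddress.ip_network(f"{d}/{dm}", strict=False)))
            elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
                info["nat0"][m.group(1)] = m.group(2)
            elif m := re.match(r"vpngroup (\S+) address-pool (\S+)$", line):
                info["group_pool"][m.group(1)] = m.group(2)
            elif m := re.match(r"vpngroup (\S+) split-tunnel (\S+)$", line):
                info["group_split"][m.group(1)] = m.group(2)
        except ValueError:
            pass  # not a static address/mask (e.g. "ip address outside dhcp ..."): skip
    return info


def lint_vpngroup(info, group):
    """Return the reasons VPN-client traffic for `group` would be one-way."""
    findings = []
    pool = info["pools"].get(info["group_pool"].get(group))
    if pool is None:
        return [f"{group}: no address pool bound"]
    lo, hi = pool
    split_name = info["group_split"].get(group)
    split = info["acls"].get(split_name, [])
    if not split:
        return [f"{group}: split-tunnel ACL '{split_name}' missing or empty"]
    for src, dst in split:
        # The split ACL tells the client which destinations to tunnel; its
        # destination side must be the pool the PIX hands out.
        if not (lo in dst and hi in dst):
            findings.append(f"split ACL '{split_name}': {src} -> {dst} does not cover pool {lo}-{hi}")
        # The nat 0 exemption has to be on the interface that owns the subnet,
        # otherwise replies to the pool are translated on the way out.
        owner = next((n for n, net in info["interfaces"].items() if src.overlaps(net)), None)
        if owner is None:
            findings.append(f"split ACL '{split_name}': {src} is not on any directly connected interface")
            continue
        nat0_acl = info["nat0"].get(owner)
        exempt = info["acls"].get(nat0_acl, [])
        if not any(src.subnet_of(s) and lo in d and hi in d for s, d in exempt):
            findings.append(f"nat ({owner}) 0: no exemption for {src} -> pool {lo}-{hi} "
                            f"(ACL '{nat0_acl}'); replies to clients get NATed")
    return findings


def lint(config, group):
    return lint_vpngroup(parse_pix(config), group)


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        problems = lint(cfg, "mygroup")
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run against the broken sample it reports two problems (split ACL does not cover the pool; no nat 0 exemption on intf2 for 192.168.6.0/24), and nothing against the fixed one. Feed it a real "write terminal" dump with the group name you use; it ignores every line it does not recognise.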
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16910693
Agree with Sorenson, the split access-list is not correct.

Cheers,
Rajesh
 
LVL 1

Author Comment

by:phylaxict
ID: 17137162
Thanks for the help, sorry for the late response.