phylaxict
asked on
Cisco PIX VPN Clients no Traffic
I have a problem getting this PIX to work properly. I have always been configuring the PIX with a VPN client setup, but this time I just can't resolve the issue.
When I set up the VPN connection, all goes well. Although traffic is not passing to the LAN...
Below is the output of the VPN clients:
sh cry ipsec sa
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
sh cry isa sa
Total : 1
Embryonic : 0
dst src state pending created
195.x.x.1 83.x.x.10 QM_IDLE 0 1
When I remove the isakmp nat-traversal 20 statement, I get:
sh cry ipsec sa
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0 #pkts verify 0
no traffic at all...
Here's a copy of my VPN config:
access-list split permit ip 192.168.6.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.123.0 255.255.255.0
ip address outside dhcp setroute retry 4
global (outside) 1 interface
global (inside) 1 interface
global (intf2) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 90 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup digicore address-pool ippool
vpngroup xxx split-tunnel split
vpngroup xxx idle-time 1800
vpngroup xxx password ********
I also tried installing an updated version of the Cisco client, but this didn't help much. I can connect to other sites without a problem with the same client.
ASKER
Hi Sorenson,
Thanks a lot for your time. I have seen the issue before with the packets only being decrypted and none being encrypted in the output of the PIX. This was most of the time resolvable by using other authentication and encryption protocols. Unfortunately this time I am getting the same problem with all kinds of phase settings.
The inside ip is: 192.168.6.254, the intf2 ip is 192.168.11.253
Thanks a lot in advance
Any access-lists on the inside interface? What type of traffic did you try to send and receive? Is syslog turned on for this? Any additional clues in the logging?
ASKER
I think it's better to post the whole configuration here after all to keep things clearer. Be aware the PIX uses 3 interfaces: 1 is connected to a DMZ, and 1 is connected to a LAN which has several subnets.
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.11.253 255.255.255.0
ip address intf2 192.168.6.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.247.1-192.168.247.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 1 interface
global (intf2) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
static (intf2,outside) tcp interface 7002 testserver 7002 netmask 255.255.255.255 0 0
static (intf2,outside) tcp interface www webserver www netmask 255.255.255.255 0 0
static (intf2,outside) tcp interface 3000 gprshost 3000 netmask 255.255.255.255 0 0
static (intf2,outside) tcp interface 7667 gprshost 7667 netmask 255.255.255.255 0 0
static (intf2,outside) tcp interface 15666 192.168.6.5 15666 netmask 255.255.255.255 0 0
static (intf2,inside) webserver webserver netmask 255.255.255.255 0 0
static (inside,intf2) webserver webserver netmask 255.255.255.255 0 0
static (intf2,inside) gprshost gprshost netmask 255.255.255.255 0 0
static (intf2,inside) testserver testserver netmask 255.255.255.255 0 0
static (intf2,inside) webmapserver webmapserver netmask 255.255.255.255 0 0
static (inside,intf2) gprshost gprshost netmask 255.255.255.255 0 0
static (inside,intf2) testserver testserver netmask 255.255.255.255 0 0
static (inside,intf2) webmapserver webmapserver netmask 255.255.255.255 0 0
static (intf2,inside) server**** server**** netmask 255.255.255.255 0 0
static (inside,intf2) server**** server**** netmask 255.255.255.255 0 0
static (inside,intf2) securebase securebase netmask 255.255.255.255 0 0
static (intf2,inside) securebase securebase netmask 255.255.255.255 0 0
access-group outside_to_inside in interface outside
access-group inside_to_intf2 in interface inside
access-group dmz_to_outside in interface intf2
conduit permit icmp any any
route inside 192.168.5.0 255.255.255.0 192.168.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside *.*.*.* /
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 90 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ********* address-pool ippool
vpngroup ********* split-tunnel split
vpngroup ********* idle-time 1800
vpngroup ********* password ********
@Sorenson: I tried both ICMP and RDP traffic for testing purposes. Syslog is not turned on. Logging within the VPN client does not show extra information; it seems to be all right.
@rsivanandan, I tried that, but it didn't help, I'm afraid.
ASKER
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
In your current configuration, return packets are trying to go back to the VPN client, but they are being NAT'd before that (because the nonat and split are wrong). That is why you have one-way traffic.
Agree with Sorenson, the split access-list is not correct.
Cheers,
Rajesh
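The diagnosis above (the split and nonat ACLs point at the wrong network, so return traffic to the VPN pool gets NATed) can be checked mechanically against the configuration posted earlier in the thread. The script below is an added example, not code from the thread or from Cisco; the config excerpt is reconstructed from the post with the vpngroup name masked, and the CORRECTED_CONFIG is an assumption about one consistent fix, not the thread's certified answer.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed excerpt of the PIX 6.3 config posted in the thread (vpngroup name masked).
POSTED_CONFIG = """\
ip address inside 192.168.11.253 255.255.255.0
ip address intf2 192.168.6.254 255.255.255.0
ip local pool ippool 192.168.247.1-192.168.247.254
access-list split permit ip 192.168.6.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.123.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
vpngroup xxx address-pool ippool
vpngroup xxx split-tunnel split
"""
# Assumed fix: both ACLs name the real pool, and the exemption sits on intf2 (192.168.6.0/24).
CORRECTED_CONFIG = POSTED_CONFIG.replace("192.168.123.0", "192.168.247.0").replace(
    "nat (inside) 0 access-list nonat", "nat (intf2) 0 access-list nonat")

def parse(cfg):
    # Interface subnets, address pools, ACL (src, dst) pairs and nat 0 bindings.
    ifaces, pools, acls, nat0 = {}, {}, {}, {}
    for line in cfg.splitlines():
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            ifaces[m[1]] = ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            pools[m[1]] = (ip_address(m[2]), ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acls.setdefault(m[1], []).append((ip_network(f"{m[2]}/{m[3]}"), ip_network(f"{m[4]}/{m[5]}")))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            nat0[m[1]] = m[2]
    return ifaces, pools, acls, nat0

def audit(cfg):
    # Findings that explain one-way VPN traffic: return packets get NATed instead of exempted.
    ifaces, pools, acls, nat0 = parse(cfg)
    lo, hi = pools[re.search(r"vpngroup \S+ address-pool (\S+)", cfg)[1]]
    split = re.search(r"vpngroup \S+ split-tunnel (\S+)", cfg)[1]
    findings = []
    # 1. The split-tunnel ACL and every nat 0 ACL must name the VPN pool as destination.
    for name in sorted({split, *nat0.values()}):
        for _, dst in acls.get(name, []):
            if not (lo in dst and hi in dst):
                findings.append(f"{name}: destination {dst} does not cover VPN pool {lo}-{hi}")
    # 2. nat (iface) 0 only exempts hosts behind that interface, so the ACL source must live there.
    for iface, name in nat0.items():
        for src, _ in acls.get(name, []):
            if not src.subnet_of(ifaces[iface]):
                findings.append(f"nat ({iface}) 0: {name} source {src} is not behind {iface} ({ifaces[iface]})")
    return findings
```

Running audit(POSTED_CONFIG) reports three findings (both ACLs miss the 192.168.247.x pool, and the nat (inside) 0 exemption is bound to a source subnet that sits on intf2), while audit(CORRECTED_CONFIG) returns none.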
ASKER
Thanks for the help, sorry for the late response.
Packets are going into the PIX, but they are not returning. Could there be an internal route issue? I.e., do the internal clients that you are trying to connect to know that they need to use this PIX to get to 192.168.123.0 (IP pool on the PIX used by VPN clients)?