  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 321
  • Last Modified:

Cisco VPN Traffic stats show data coming in, but no data being sent

Wanted to ask you a quick question, I have been doing some work for a client on a Pix506 FW, and I have been working on installing and getting the VPN portion up and running. I have been able to connect the VPN client (4.6) to the FW, however in the stats, you can see that data is being received, however nothing is being sent. I have included the config below, any help would be appreciated.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security 100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ExhibitPix
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol s
fixup protocol tftp 69
access-list outside_access_in remark Rule For SMTP
access-list outside_access_in permit tcp any host eq smtp
access-list outside_access_in remark Rule For POP3
access-list outside_access_in permit tcp any host eq pop3
access-list outside_access_in remark Rules For Handling ICMP Traffic
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in remark Traffic For FTP
access-list outside_access_in permit tcp any host 72.242.
access-list outside_access_in remark Rules For WWW
access-list outside_access_in permit tcp any host eq www
access-list 101 permit ip
access-list 101 remark Rule For IP Address For VPN Client
access-list 102 permit ip
access-list 102 remark Additional Rule For VPN Pool
no pager
logging on
logging timestamp
logging trap informational
logging history warnings
logging host inside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool
pdm location inside
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.
static (inside,outside) tcp smtp smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp pop3 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp www www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
conduit permit icmp any any
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
http inside
snmp-server location Tampa, Florida
snmp-server contact Mecca Media
snmp-server community
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map IRE 10 set transform-set CLIENT
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup exhibitnet address-pool ippool
vpngroup exhibitnet dns-server
vpngroup exhibitnet wins-server
vpngroup exhibitnet default-domain
vpngroup exhibitnet idle-time 1800
vpngroup exhibitnet password ********
vpngroup default-domain idle-time 1800
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
2 Solutions
Add these:

access-list split permit ip

vpngroup exhibitnet split-tunnel split

blakmoon91 (Author) commented:
Thanks so much for the quick reply, I just had a follow up question. I am testing the VPN and now under route details I see a route being translated instead of, so I think that is good. I also noticed though on my computer that when I establish a connection and do an ipconfig /all on my computer that I do have an IP address of 2.1 and it does see the DNS and WINS servers correctly, however there is no default gateway listed. Also, I am not receiving any packets. Is this because we have specified the default-domain as exhibitservices, and my computer is on a different domain? Is there a way to disable this so that I can test this out? Your thoughts? Thanks again!!!
Hmm, I'm not quite sure about that. How about removing it and trying to see if it works?

>>>>Is this because we have specified the default-domain as exhibitservices, and my computer is on a different domain? Is there a way to disable this so that I can test this out? Your thoughts? Thanks again!!!

No, the default domain has nothing to do with it. Just add the following on the PIX:

isakmp nat-t

Then try the connection again.

If it still doesn't work, turn on the following debug on the PIX:

debug icmp trace
term mon

Then try to ping any host behind the PIX from the PC connected to the VPN. Check if the PIX is getting any packets.

blakmoon91 (Author) commented:
Guys, thanks so much for the help, both of you. I thought splitting the points would be fair. Stressed, if you could explain, just for my own knowledge, what the nat-t switch does in conjunction with the isakmp, I would appreciate it.
It has something to do with allowing encrypted traffic to pass through UDP 4500 instead of protocol ESP to get around the PAT restriction. When a VPN Client user's public IP is a PAT IP (port address translation), meaning a shared public IP, and the traffic is passing over the tunnel using ESP, the traffic gets dropped because the PAT device has no way of mapping ESP because it is portless. So the common symptom is that you can connect with the VPN Client but cannot pass any traffic. To get around that, UDP NAT transparency was introduced to allow traffic from VPN clients that are PATted to use UDP 4500 instead of ESP when passing traffic over the tunnel. Since UDP has ports, the PAT device will have no problem mapping the traffic.
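The explanation above can be made concrete with a small model. The following Python block is an added example, not code from the thread or from Cisco: it simulates a PAT device that keys its translation table on ports, sends two clients' ESP traffic through it both raw and UDP-encapsulated on port 4500 (NAT-T, RFC 3948), and demultiplexes what arrives on UDP 4500 (the four-zero-byte Non-ESP marker means IKE, a single 0xff byte is a keepalive, anything else is ESP starting with its SPI). The model follows the answer's strict reading that a PAT device has no way to map portless ESP; real devices vary (some offer an "IPsec passthrough" mode for a single ESP session), which is why connecting works but traffic silently stops on some networks and not others. All IP addresses and SPIs are constructed.

```python
"""Toy PAT device: raw ESP has no ports to map, UDP 4500 (NAT-T) does."""
from dataclasses import dataclass, replace
import struct
from typing import Optional

NAT_T_PORT = 4500


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "udp" or "esp"
    src_port: Optional[int] = None  # None for ESP: the protocol has no port field
    dst_port: Optional[int] = None
    payload: bytes = b""


class PatDevice:
    """Many inside hosts share one public IP; flows are told apart by port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: dict = {}  # (inside_ip, inside_port, dst_ip, dst_port) -> public port
        self.in_map: dict = {}   # public port -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate inside->outside; None when the packet cannot be PATted."""
        if pkt.proto == "esp":
            # Nothing to rewrite and no way to tell two inside ESP senders
            # apart when replies come back, so the flow is dropped.
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_map[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate outside->inside; None when no mapping exists."""
        if pkt.proto == "esp" or pkt.dst_port not in self.in_map:
            return None
        inside_ip, inside_port = self.in_map[pkt.dst_port]
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def esp_header(spi: int, seq: int, body: bytes) -> bytes:
    """ESP begins with a 4-byte SPI and a 4-byte sequence number (RFC 4303)."""
    return struct.pack("!II", spi, seq) + body


def classify_nat_t_payload(payload: bytes) -> tuple:
    """Demultiplex a UDP 4500 payload as RFC 3948 section 2 describes."""
    if payload == b"\xff":
        return ("keepalive", None)
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return ("ike", None)          # Non-ESP marker, IKE follows
    if len(payload) >= 8:
        return ("esp", struct.unpack("!I", payload[:4])[0])
    return ("unknown", None)


def demo(use_nat_t: bool) -> dict:
    """Two clients behind one PAT device talk to a VPN concentrator.

    Returns {client: (public port seen by the PIX, inside IP the reply
    reached)} or {client: None} where the PAT device dropped the flow."""
    pat = PatDevice("203.0.113.10")   # constructed public IP of the PAT device
    pix = "198.51.100.1"              # constructed PIX outside address
    clients = {"client_a": ("192.168.1.10", 0x1001),
               "client_b": ("192.168.1.11", 0x1002)}
    result = {}
    for name, (ip, spi) in clients.items():
        esp = esp_header(spi, 1, b"ciphertext")
        if use_nat_t:
            pkt = Packet(ip, pix, "udp", NAT_T_PORT, NAT_T_PORT, esp)
        else:
            pkt = Packet(ip, pix, "esp", payload=esp)
        translated = pat.outbound(pkt)
        if translated is None:
            result[name] = None
            continue
        # The PIX answers the source it saw, so swap the translated tuple.
        reply = Packet(pix, translated.src_ip, translated.proto,
                       translated.dst_port, translated.src_port,
                       esp_header(spi + 0x100, 1, b"reply"))
        back = pat.inbound(reply)
        result[name] = (translated.src_port, back.dst_ip if back else None)
    return result


if __name__ == "__main__":
    print("raw ESP:", demo(False))
    print("NAT-T:  ", demo(True))
```

Running it shows both clients dropped with raw ESP and both reaching the PIX on distinct public ports (40000 and 40001) with NAT-T, with replies landing back on the right inside host; `classify_nat_t_payload` is what a capture filter or IDS does to separate IKE, keepalives and ESP once everything shares UDP 4500.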