Solved

PIX 515E only connects through firewall to public address

Posted on 2006-06-27
2
537 Views
Last Modified: 2013-11-16
The following is the config. I have several issues.

1) I can connect to the VPN no problem. I can remote desktop to the separate servers, but can only connect using the public IP address. Shouldn't I be able to connect using the internal address?

2) The client where I have connected through the VPN can't browse the internet.



99.999.x.x represents the public IP range.


Building configuration...
: Saved
:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
enable password ESXy/N53AGN.9NRk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name website.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit tcp any host 99.999.253.133 range 700 701
access-list outside_access_in permit tcp any host 99.999.253.133 eq 1024
access-list outside_access_in permit tcp any host 99.999.253.136 eq www
access-list outside_access_in permit tcp any eq ftp host 99.999.253.136 eq ftp
access-list outside_access_in permit tcp any host 99.999.253.134 eq www
access-list outside_access_in deny ip any any
access-list outside_cryptomap_dyn_20 permit ip any 10.50.10.0 255.255.255.224
access-list inside_access_in permit tcp any any
pager lines 24
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 99.999.253.131 255.255.255.240
ip address inside 10.50.10.131 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 10.50.10.137-10.50.10.140
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 99.999.253.133 10.50.10.133 netmask 255.255.255.255 0 0
static (inside,outside) 99.999.253.134 10.50.10.134 netmask 255.255.255.255 0 0
static (inside,outside) 99.999.253.135 10.50.10.135 netmask 255.255.255.255 0 0
static (inside,outside) 99.999.253.136 10.50.10.136 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 99.999.253.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 217.162.232.173 source outside
ntp server 24.73.74.251 source outside
ntp server 68.216.79.113 source outside prefer
http server enable
http 10.50.10.135 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn address-pool VPNPool
vpngroup vpn dns-server 68.70.15.246 68.70.15.247
vpngroup vpn idle-time 1800
vpngroup vpn password ********
telnet timeout 5
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool
vpdn group PPTP-VPDN-GROUP client configuration dns 68.70.15.246 68.70.15.247
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username vpn password *********
vpdn enable outside
vpdn enable inside
dhcpd address 10.50.10.10-10.50.10.20 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:1fb985c7063843c4bfdb03fb51411c3f
: end
[OK]

0
Comment
Question by:Atlanta_Mike
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 32

Accepted Solution

by:
rsivanandan earned 250 total points
ID: 16998877
Couple of suggestions;

1. It is very very important and advisible that you have a VPNPool that is different from your internal network. DO THIS;

So the problem seems to be your PIX is natting all the connections. What you need to do is to disable nat if the traffic is flowing through VPN tunnel. For that lets say you changed your VPN pool to 10.50.20.0/24

Then add these;

access-list nonat permit ip 10.50.10.0 255.255.255.0 10.50.20.0 255.255.255.0

nat (inside) 0 access-list nonat

Then try accessing the servers.

Cheers,
Rajesh
0
 
LVL 19

Assisted Solution

by:nodisco
nodisco earned 250 total points
ID: 17000045
Rajesh is correct - change the ip local pool to a different range and you should not have this issue:
ip local pool VPNPool 10.50.20.1-10.50.20.254


I would also recommend you remove these lines from your config:
access-list inside_access_in permit tcp any any
access-group inside_access_in in interface inside
Permitting all tcp traffic in to the inside interface is by default denying all udp and icmp traffic also - It does not look like this was put here by design.  By default, all traffic is allowed from the inside out so there is no need for this access list.

I would upgrade your OS to the latest 6.x release - 6.3(5)........your version 6.2(1) is quite out of date.

hope this helps
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question