Atlanta_Mike
asked on
PIX 515E only connects through firewall to public address
The following is the config. I have several issues.
1) I can connect to the VPN no problem. I can remote desktop to the separate servers, but can only connect using the public IP address. Shouldn't I be able to connect using the internal address?
2) The client where I have connected through the VPN can't browse the internet.
99.999.x.x represents the public IP range.
Building configuration...
: Saved
:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
enable password ESXy/N53AGN.9NRk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name website.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit tcp any host 99.999.253.133 range 700 701
access-list outside_access_in permit tcp any host 99.999.253.133 eq 1024
access-list outside_access_in permit tcp any host 99.999.253.136 eq www
access-list outside_access_in permit tcp any eq ftp host 99.999.253.136 eq ftp
access-list outside_access_in permit tcp any host 99.999.253.134 eq www
access-list outside_access_in deny ip any any
access-list outside_cryptomap_dyn_20 permit ip any 10.50.10.0 255.255.255.224
access-list inside_access_in permit tcp any any
pager lines 24
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 99.999.253.131 255.255.255.240
ip address inside 10.50.10.131 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 10.50.10.137-10.50.10.140
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 99.999.253.133 10.50.10.133 netmask 255.255.255.255 0 0
static (inside,outside) 99.999.253.134 10.50.10.134 netmask 255.255.255.255 0 0
static (inside,outside) 99.999.253.135 10.50.10.135 netmask 255.255.255.255 0 0
static (inside,outside) 99.999.253.136 10.50.10.136 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 99.999.253.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 217.162.232.173 source outside
ntp server 24.73.74.251 source outside
ntp server 68.216.79.113 source outside prefer
http server enable
http 10.50.10.135 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn address-pool VPNPool
vpngroup vpn dns-server 68.70.15.246 68.70.15.247
vpngroup vpn idle-time 1800
vpngroup vpn password ********
telnet timeout 5
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool
vpdn group PPTP-VPDN-GROUP client configuration dns 68.70.15.246 68.70.15.247
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username vpn password *********
vpdn enable outside
vpdn enable inside
dhcpd address 10.50.10.10-10.50.10.20 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:1fb985c7063
: end
[OK]
1) I can connect to the VPN no problem. I can remote desktop to the separate servers, but can only connect using the public IP address. Shouldn't I be able to connect using the internal address?
2) The client where I have connected through the VPN can't browse the internet.
99.999.x.x represents the public IP range.
Building configuration...
: Saved
:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
enable password ESXy/N53AGN.9NRk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name website.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit tcp any host 99.999.253.133 range 700 701
access-list outside_access_in permit tcp any host 99.999.253.133 eq 1024
access-list outside_access_in permit tcp any host 99.999.253.136 eq www
access-list outside_access_in permit tcp any eq ftp host 99.999.253.136 eq ftp
access-list outside_access_in permit tcp any host 99.999.253.134 eq www
access-list outside_access_in deny ip any any
access-list outside_cryptomap_dyn_20 permit ip any 10.50.10.0 255.255.255.224
access-list inside_access_in permit tcp any any
pager lines 24
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 99.999.253.131 255.255.255.240
ip address inside 10.50.10.131 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 10.50.10.137-10.50.10.140
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 99.999.253.133 10.50.10.133 netmask 255.255.255.255 0 0
static (inside,outside) 99.999.253.134 10.50.10.134 netmask 255.255.255.255 0 0
static (inside,outside) 99.999.253.135 10.50.10.135 netmask 255.255.255.255 0 0
static (inside,outside) 99.999.253.136 10.50.10.136 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 99.999.253.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 217.162.232.173 source outside
ntp server 24.73.74.251 source outside
ntp server 68.216.79.113 source outside prefer
http server enable
http 10.50.10.135 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn address-pool VPNPool
vpngroup vpn dns-server 68.70.15.246 68.70.15.247
vpngroup vpn idle-time 1800
vpngroup vpn password ********
telnet timeout 5
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool
vpdn group PPTP-VPDN-GROUP client configuration dns 68.70.15.246 68.70.15.247
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username vpn password *********
vpdn enable outside
vpdn enable inside
dhcpd address 10.50.10.10-10.50.10.20 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:1fb985c7063
: end
[OK]
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.