Solved

Cisco PIX 515E VPN Trouble Accessing Network.

Posted on 2006-07-12
Last Modified: 2010-04-17
Currently I have a Cisco PIX 515E.  I have a VPN running on this firewall and as of three days ago when I would connect to the network, I would not be able to access anything.  When I check the status of the Cisco VPN Software (on the statistics tab) it shows there is a key next to the network ip address and sometimes it shows no key.  How can I go about troubleshooting this situation?  Even when there was a key next to the ip address I still could not access the network.  I believe the VPN is starting to flake out.  On the status tab it shows packets bypassed and discarded. Nothing is going in or out.

Any suggestions will be greatly appreciated.

Thank you in advance.
Question by: cbones

8 Comments

Expert Comment by: rsivanandan
Is the IP pool configured on the PIX for the VPN the same as the internal network? This is not good.

You need to have the PIX configured not to NAT the connections coming back to you; typically it would be like this:

access-list nonat permit ip <corporate ip> <netmask> <vpnassignedip> netmask

nat (inside) 0 access-list nonat

If possible, the configuration will tell us more.

Cheers,
Rajesh
 
 
 

Author Comment by: cbones
Here is the configuration... I have XXX'd over some of the information...



PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password FKoAdbRMH5AH5Jup encrypted
passwd 4Az39VjLXL/1H.91 encrypted
hostname XXXXXXXX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list FROM_OUTSIDE permit tcp any host xxx.xxx.xxx.xxx eq www
access-list FROM_OUTSIDE permit tcp any host xxx.xxx.xxx.xxx eq https
access-list FROM_OUTSIDE permit tcp any host xxx.xxx.xxx.xxx eq 433
access-list FROM_OUTSIDE permit tcp any host xxx.xxx.xxx.xxx eq ssh
access-list FROM_OUTSIDE permit tcp any host xxx.xxx.xxx.xxx eq https
access-list FROM_OUTSIDE permit tcp any host xxx.xxx.xxx.xxx eq www
access-list 101 permit ip 192.0.0.0 255.0.0.0 172.16.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip address inside 192.168.1.120 255.255.255.0
ip address dmz 192.168.113.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool XXXXXXX 172.16.10.1-172.16.10.50
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx
global (dmz) 1 192.168.113.50-192.168.113.150
nat (inside) 0 access-list 101
nat (inside) 1 192.0.0.0 255.0.0.0 0 0
nat (dmz) 0 access-list 101
nat (dmz) 1 192.168.113.0 255.255.255.0 0 0
static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.244 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.16 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.xxx 192.168.113.3 netmask 255.255.255.255 0 0
access-group FROM_OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.1.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.7.0 255.255.255.0 192.168.1.1 1
route inside 192.168.9.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set XXXXXXXSET esp-3des esp-md5-hmac
crypto dynamic-map CISCO 4 set transform-set XXXXXXXSET
crypto map XXXXXXX VPN 10 ipsec-isakmp dynamic CISCO
crypto map XXXXXXX VPN client configuration address initiate
crypto map XXXXXXX VPN client authentication LOCAL
crypto map XXXXXXX VPN interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local XXXXXXX outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup XXXXXXXX address-pool XXXXXXX
vpngroup XXXXXXXX split-tunnel 101
vpngroup XXXXXXXX idle-time 1800
vpngroup XXXXXXX password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 10
management-access inside
console timeout 0



Thank you!!!

Expert Comment by: rsivanandan
>>access-list 101 permit ip 192.0.0.0 255.0.0.0 172.16.10.0 255.255.255.0

Make the above:

access-list 101 permit ip 192.0.0.0 255.255.255.0 172.16.10.0 255.255.255.0

and

access-list 102 permit ip 192.0.0.0 255.255.255.0 172.16.10.0 255.255.255.0

>>vpngroup XXXXXXXX split-tunnel 101

vpngroup XXXXXXXX split-tunnel 102

Cheers,
Rajesh
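The two replies above turn on how the nat 0 / split-tunnel ACL lines up with the internal networks and the VPN pool. As an added example (not code from this thread or from Cisco), the Python check below parses a PIX 6.x "permit ip" line and reports pool overlap with the inside networks, inside networks the ACL does not exempt from NAT, whether the pool is covered, and whether the ACL source is broader than the inside networks. It assumes the inside networks are the inside interface subnet plus the "route inside" destinations in the posted configuration.

```python
import ipaddress
import re

# Values constructed from the configuration posted in this thread (pool name omitted).
INSIDE_NETS = ["192.168.1.0/24", "192.1.2.0/24", "192.168.3.0/24",
               "192.168.5.0/24", "192.168.7.0/24", "192.168.9.0/24"]
POOL = ("172.16.10.1", "172.16.10.50")   # ip local pool ... 172.16.10.1-172.16.10.50
NAT0_ACL = "access-list 101 permit ip 192.0.0.0 255.0.0.0 172.16.10.0 255.255.255.0"

# PIX 6.x syntax: access-list <name> permit ip <src> <src mask> <dst> <dst mask>
ACL_RE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_permit_ip(line):
    """Return (acl name, source network, destination network) for a permit ip line."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError("not a 'permit ip <src> <mask> <dst> <mask>' line: " + line)
    name, src, smask, dst, dmask = m.groups()
    # ipaddress accepts the dotted netmask form used by PIX ("192.0.0.0/255.0.0.0").
    return (name,
            ipaddress.ip_network(f"{src}/{smask}", strict=True),
            ipaddress.ip_network(f"{dst}/{dmask}", strict=True))


def check_vpn_exemption(inside_nets, pool, acl_line):
    """Report how the nat 0 / split-tunnel ACL lines up with the inside nets and the pool."""
    name, src, dst = parse_permit_ip(acl_line)
    inside = [ipaddress.ip_network(n) for n in inside_nets]
    first, last = (ipaddress.ip_address(a) for a in pool)
    return {
        "acl": name,
        # The pool must not overlap any internal network (the first reply's question).
        "pool_overlaps_inside": [str(n) for n in inside
                                 if first <= n.broadcast_address and last >= n.network_address],
        # Inside networks the ACL source misses: their replies to VPN clients get NATed.
        "inside_not_exempt": [str(n) for n in inside if not n.subnet_of(src)],
        # The destination must cover every address a client can be assigned.
        "pool_covered": first in dst and last in dst,
        # A source far wider than the known inside networks exempts more than intended.
        "source_broader_than_inside": src.num_addresses > sum(n.num_addresses for n in inside),
    }


if __name__ == "__main__":
    for key, value in check_vpn_exemption(INSIDE_NETS, POOL, NAT0_ACL).items():
        print(f"{key}: {value}")
```

For the posted configuration the check finds no pool overlap and no inside network missing from the exemption, but flags the /8 source as far broader than the six inside networks.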

Author Comment by: cbones
I tried this but it did not work. After I made the changes, on the VPN client's status tab it shows a key next to the public IP but not next to the internal network IP. The strange thing is this does not happen to everyone, just a handful of people (including myself)...




Thanks.

Expert Comment by: rsivanandan
Good, we will try one by one. Now it is the turn to look at the client side. What OS are you using, and which client? Windows XP is seen to have problems with any client older than 4.8; if it is not 4.8, upgrade that software piece.

Cheers,
Rajesh

Author Comment by: cbones
The majority of the clients are running on XP...I am running on XP Pro...Some of the other people are running on XP Home...We are using Cisco VPN Client Version 3.6.3...



Thank you.

Accepted Solution by: rsivanandan (earned 500 total points)
Oh man, that is a lot lot lot lot older software and I don't even know if it will uninstall properly. For testing, can you uninstall it and install 4.8 on a PC and see if it helps?

Cheers,
Rajesh

Author Comment by: cbones
Thank you for all your help but I am still not sure what is causing this problem.  I have tried newer versions of Cisco VPN Client and still have problems connecting.  


Thank you for all your help and your fast responses.