Solved

Cisco PIX 515E VPN Trouble Accessing Network.

Posted on 2006-07-12
Last Modified: 2010-04-17
Currently I have a Cisco PIX 515E.  I have a VPN running on this firewall and as of three days ago when I would connect to the network, I would not be able to access anything.  When I check the status of the Cisco VPN Software (on the statistics tab) it shows there is a key next to the network ip address and sometimes it shows no key.  How can I go about troubleshooting this situation?  Even when there was a key next to the ip address I still could not access the network.  I believe the VPN is starting to flake out.  On the status tab it shows packets bypassed and discarded. Nothing is going in or out.

Any suggestions will be greatly appreciated.

Thank you in advance.
Question by:cbones
8 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17096729
Is the IP pool configured on the PIX for the VPN the same as the internal network? If so, this is not good.

You need to configure the PIX not to NAT the connections coming back to you; typically it would be like this:

access-list nonat permit ip <corporate ip> <netmask> <vpn assigned net> <netmask>

nat (inside) 0 access-list nonat

If possible, the configuration will tell us more.

Cheers,
Rajesh


Author Comment

by:cbones
ID: 17098451
Here is the configuration...I have XXX'd out some of the information...

PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password FKoAdbRMH5AH5Jup encrypted
passwd 4Az39VjLXL/1H.91 encrypted
hostname XXXXXXXX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list FROM_OUTSIDE permit tcp any host xxx.xxx.xxx.xxx eq www
access-list FROM_OUTSIDE permit tcp any host xxx.xxx.xxx.xxx eq https
access-list FROM_OUTSIDE permit tcp any host xxx.xxx.xxx.xxx eq 433
access-list FROM_OUTSIDE permit tcp any host xxx.xxx.xxx.xxx eq ssh
access-list FROM_OUTSIDE permit tcp any host xxx.xxx.xxx.xxx eq https
access-list FROM_OUTSIDE permit tcp any host xxx.xxx.xxx.xxx eq www
access-list 101 permit ip 192.0.0.0 255.0.0.0 172.16.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip address inside 192.168.1.120 255.255.255.0
ip address dmz 192.168.113.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool XXXXXXX 172.16.10.1-172.16.10.50
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx
global (dmz) 1 192.168.113.50-192.168.113.150
nat (inside) 0 access-list 101
nat (inside) 1 192.0.0.0 255.0.0.0 0 0
nat (dmz) 0 access-list 101
nat (dmz) 1 192.168.113.0 255.255.255.0 0 0
static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.244 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.16 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.xxx 192.168.113.3 netmask 255.255.255.255 0 0
access-group FROM_OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.1.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.7.0 255.255.255.0 192.168.1.1 1
route inside 192.168.9.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set XXXXXXXSET esp-3des esp-md5-hmac
crypto dynamic-map CISCO 4 set transform-set XXXXXXXSET
crypto map XXXXXXX VPN 10 ipsec-isakmp dynamic CISCO
crypto map XXXXXXX VPN client configuration address initiate
crypto map XXXXXXX VPN client authentication LOCAL
crypto map XXXXXXX VPN interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local XXXXXXX outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup XXXXXXXX address-pool XXXXXXX
vpngroup XXXXXXXX split-tunnel 101
vpngroup XXXXXXXX idle-time 1800
vpngroup XXXXXXX password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 10
management-access inside
console timeout 0



Thank you!!!
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17098477
>>access-list 101 permit ip 192.0.0.0 255.0.0.0 172.16.10.0 255.255.255.0

Make the above as;

access-list 101 permit ip 192.0.0.0 255.255.255.0 172.16.10.0 255.255.255.0

and

access-list 102 permit ip 192.0.0.0 255.255.255.0 172.16.10.0 255.255.255.0

>>vpngroup XXXXXXXX split-tunnel 101

vpngroup XXXXXXXX split-tunnel 102

Cheers,
Rajesh
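Before changing the masks, it is worth computing what each candidate access-list actually matches. The script below is an added example (not code from the thread or from Cisco): it parses the address lines of a PIX 6.x config and checks the two conditions raised in the comments above, whether the VPN pool overlaps an inside subnet and whether an access-list matches every inside network towards the whole pool, which is what a nat 0 or split-tunnel list has to do; it also reports any ACL that is used for both nat 0 and split-tunnel. It runs against a constructed subset of the posted config plus the access-list 102 line suggested above. The pool name VPNPOOL and the group name REMOTE stand in for the XXXXXXX placeholders on the page and are assumptions.

```python
"""
Sanity-check a PIX 6.x remote-access VPN config for the two things that
commonly leave a client "connected" but unable to reach anything:

  * the VPN address pool overlapping an inside subnet, and
  * the nat 0 (nonat) and split-tunnel access-lists not matching
    inside-network -> VPN-pool traffic.

Added example; it is not code from the thread or from Cisco.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Pool = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Constructed subset of the config posted in the thread.  VPNPOOL and REMOTE
# are assumed stand-ins for the XXXXXXX placeholders on the page; access-list
# 102 is the candidate line suggested in the thread.
PIX_CONFIG = """\
access-list 101 permit ip 192.0.0.0 255.0.0.0 172.16.10.0 255.255.255.0
access-list 102 permit ip 192.0.0.0 255.255.255.0 172.16.10.0 255.255.255.0
ip address inside 192.168.1.120 255.255.255.0
ip local pool VPNPOOL 172.16.10.1-172.16.10.50
nat (inside) 0 access-list 101
route inside 192.1.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
vpngroup REMOTE split-tunnel 101
"""


def _operand(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse one PIX address operand (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists use real subnet masks, not IOS wildcard masks.
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text: str) -> dict:
    """Pull out the address-related lines that matter for a remote-access VPN."""
    acls: Dict[str, List[Tuple[Net, Net]]] = {}
    inside: List[Net] = []
    pools: Dict[str, Pool] = {}
    nonat: Dict[str, str] = {}   # interface -> ACL named by "nat (if) 0 access-list"
    split: Dict[str, str] = {}   # vpngroup  -> split-tunnel ACL
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _operand(t, 4)
            dst, _ = _operand(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "address", "inside"]:
            inside.append(ipaddress.IPv4Network(f"{t[3]}/{t[4]}", strict=False))
        elif t[:2] == ["route", "inside"]:
            inside.append(ipaddress.IPv4Network(f"{t[2]}/{t[3]}", strict=False))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
        elif len(t) >= 5 and t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nonat[t[1].strip("()")] = t[4]
        elif len(t) >= 4 and t[0] == "vpngroup" and t[2] == "split-tunnel":
            split[t[1]] = t[3]
    return {"acls": acls, "inside": inside, "pools": pools, "nonat": nonat, "split": split}


def _pool_nets(pool: Pool) -> List[Net]:
    """The VPN pool range expressed as a list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(*pool))


def uncovered_by_acl(text: str) -> Dict[str, List[str]]:
    """For each ACL, list the inside networks it does NOT match towards the whole pool.

    A usable nat 0 / split-tunnel list needs an entry whose source contains the
    inside network and whose destination contains every pool address; an empty
    list for an ACL means it is usable for that purpose.  Assumes one pool.
    """
    cfg = parse_config(text)
    result: Dict[str, List[str]] = {}
    for pool in cfg["pools"].values():
        pool_nets = _pool_nets(pool)
        for name, entries in cfg["acls"].items():
            result[name] = [
                str(net) for net in cfg["inside"]
                if not any(net.subnet_of(src) and all(p.subnet_of(dst) for p in pool_nets)
                           for src, dst in entries)
            ]
    return result


def pool_overlap(text: str) -> List[str]:
    """Inside networks that overlap the VPN pool (clients would get unroutable addresses)."""
    cfg = parse_config(text)
    return [str(net) for pool in cfg["pools"].values() for net in cfg["inside"]
            if any(p.overlaps(net) for p in _pool_nets(pool))]


def shared_acls(text: str) -> List[str]:
    """ACL names used both as a nat 0 list and as a split-tunnel list."""
    cfg = parse_config(text)
    return sorted(set(cfg["nonat"].values()) & set(cfg["split"].values()))


if __name__ == "__main__":
    for name, missing in uncovered_by_acl(PIX_CONFIG).items():
        print(f"access-list {name}: " + ("ok" if not missing else "does not match " + ", ".join(missing)))
    print("pool overlaps inside:", pool_overlap(PIX_CONFIG) or "none")
    print("ACLs shared by nat 0 and split-tunnel:", shared_acls(PIX_CONFIG) or "none")
```

Run it as-is to see the report for the constructed config, or paste the `access-list`, `ip address`, `route`, `ip local pool`, `nat` and `vpngroup` lines from a real `show run` into PIX_CONFIG to check your own lists. It only understands the `permit ip A MASK B MASK` form (plus `any` and `host`) and a single address pool.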
 

Author Comment

by:cbones
ID: 17104713
I tried this but it did not work.  After I made the changes, on the VPN client's status tab it shows a key next to the public IP but not next to the internal network IP.  The strange thing is this does not happen to everyone, just a handful of people...(including myself)...

Thanks.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17105469
Good, we will try one by one. Now it is the turn for looking at the client side. What OS are you using and which client? Windows XP is seen to have issues with any client less than 4.8; if it is not 4.8, upgrade that piece of software.

Cheers,
Rajesh
 

Author Comment

by:cbones
ID: 17106816
The majority of the clients are running on XP...I am running on XP Pro...Some of the other people are running on XP Home...We are using Cisco VPN Client Version 3.6.3...

Thank you.
 
LVL 32

Accepted Solution

by:rsivanandan (earned 2000 total points)
ID: 17109221
Oh man, that is a lot lot lot lot older software and I don't even know if it will uninstall properly. For testing, can you uninstall it and install 4.8 on a pc and see if it helps ?

Cheers,
Rajesh
 

Author Comment

by:cbones
ID: 17161400
Thank you for all your help but I am still not sure what is causing this problem.  I have tried newer versions of the Cisco VPN Client and still have problems connecting.

Thank you for all your help and your fast responses.
