Solved

Pix 501

Posted on 2006-11-01
230 Views
Last Modified: 2010-04-10
The VPN works fine but I cannot connect to the internet, unless I connect the cable from the modem to port one. Then the VPN stops working. If I connect the cable back to the WAN port, the VPN works but the internet stops working. This is new to me; can someone explain this to me? And is there a script that I can write for the PIX???
Question by:macc1212
21 Comments
 
LVL 10

Expert Comment

by:0xSaPx0
ID: 17851317
If you post the configuration, we can dissect it and help you out. Just log into the PIX via the console cable and cut and paste the output of "show run"; make sure you remove any passwd or enable lines.

0xSaPx0
LVL 32

Expert Comment

by:rsivanandan
ID: 17851525
Make sure you hide the 2nd and 3rd octet of your public IP information when you paste it here.

Do you have split-tunneling enabled on your PIX VPN?

Cheers,
Rajesh

Author Comment

by:macc1212
ID: 17851674
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ecCwMh0COe94IjJK encrypted
passwd ecCwMh0COe94IjJK encrypted
hostname rcsnet
domain-name sms.siemens.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_c-map_20 permit ip host ##### ##### 255.255.255.248
pager lines 24
logging on
logging timestamp
logging buffered notifications
logging history notifications
logging queue 0
icmp permit #.#.#.# 255.255.248.0 outside
mtu outside 1500
mtu inside 1500
ip address outside #.#.#.# 255.255.255.0
ip address inside #.#.#.# 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list outside_c-map_20
route outside 0.0.0.0 0.0.0.0 #.#.#.#
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
http server enable
http #.#.#.# 255.255.255.248 outside
http #.#.#.# 255.255.248.0 outside
http #.#.#.# 255.255.255.0 inside
http #.#.#.# 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community !S13m3n3S!
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_c-map_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer #.#.#.#
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address #.#.#.# netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh #.#.#.# 255.255.248.0 outside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:59d620c4dbee6a283257f3a9755ac581
LVL 32

Expert Comment

by:rsivanandan
ID: 17851713
This looks to me like a site-to-site VPN? Aren't we talking about client VPN?

Cheers,
Rajesh

Author Comment

by:macc1212
ID: 17855733
Yes, this is a LAN-to-LAN VPN.
LVL 32

Expert Comment

by:rsivanandan
ID: 17855909
Change this >>access-list outside_c-map_20 permit ip host ##### ##### 255.255.2

To reflect the SiteA network and Site B network respectively on both ends.

access-list outside_c-map_20 permit ip <NetworkA> <Mask> <NetworkB> <Mask>

The above goes on the NetworkA side PIX.

access-list outside_c-map_20 permit ip <NetworkB> <Mask> <NetworkA> <Mask>

The above goes on the NetworkB side PIX

Then save the configuration, do a 'clear xlate'.

Then try.

Cheers,
Rajesh

Author Comment

by:macc1212
ID: 17856135
Will this allow me to access the internet with the other computers on the network?
LVL 32

Expert Comment

by:rsivanandan
ID: 17856257
Yes, it would.

Only the traffic destined for the other network will be passed through the VPN tunnel and all other traffic destined for internet will go to internet.

Cheers,
Rajesh

Author Comment

by:macc1212
ID: 17856306
How would I write the script?
access-list outside_c-map_20 permit ip host 10.10.12.11 255.255.255.248
Where do I plug the Network A and Network B?
What is the Net A and Net B?
Is it the outside IP A and the inside IP B?
Please explain.
LVL 79

Expert Comment

by:lrmoore
ID: 17857256
For internal users to use the internet, add these:

 global (outside) 10 interface
 nat (inside) 10 0 0
LVL 32

Expert Comment

by:rsivanandan
ID: 17857744
NetworkA------PIX-----------------------VPN----------------PIX---------NetworkB

Now you know what NetworkA and NetworkB are, right?

Cheers,
Rajesh

Author Comment

by:macc1212
ID: 17895183
When I try to put the script in the PIX I get (??????)

Author Comment

by:macc1212
ID: 17895184
Please explain where I would plug in my IP addresses for network A and network B.
LVL 32

Expert Comment

by:rsivanandan
ID: 17895452
access-list outside_c-map_20 permit ip <networkA> <subnet mask> <networkB> <subnet mask>

This has to be done on networkA.

access-list outside_c-map_20 permit ip <networkB> <subnet mask> <networkA> <subnet mask>

The above has to be done at the networkB.

Cheers,
Rajesh
LVL 32

Expert Comment

by:rsivanandan
ID: 17895458
Here NetworkA means your internal network at Site A (You have masked all the ip addresses in the output you posted here, so I don't know what is your internal network). Similarly NetworkB means your internal network at Site B.

Cheers,
Rajesh

Author Comment

by:macc1212
ID: 17895523
Can I just write a line to give access to the B side?
LVL 32

Expert Comment

by:rsivanandan
ID: 17895846
That is what the above access-list does w.r.t. your configuration.

Cheers,
Rajesh

Author Comment

by:macc1212
ID: 17896225
logging on
logging timestamp
logging buffered 5
logging history 5
logging queue 0
no clock timezone
timeout xlate 1:00:00
http server enable
http 129.73.116.77 255.255.255.248 outside
http 64.46.232.0 255.255.248.0 outside
snmp-server community !S13m3n44!
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
no dhcpd enable inside
no dhcpd auto_config outside
no dhcpd address 192.168.1.2-192.168.1.33 inside
no global (outside) 1 interface
no nat (inside) 1 0.0.0.0 0.0.0.0
no nat (inside) 0 0.0.0.0 0.0.0.0
icmp permit 64.46.777.0 255.255.248.0 outside
ip address outside 70.89.654.41 255.255.255.0
ip address inside 10.24.54.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 70.89.438.42
access-list outside_c-map_20 permit ip host 10.24.160.# 129.73.116.44 255.255.255.0
nat (inside) 0 access-list outside_c-map_20
isakmp enable outside
isakmp key ####### address 12.46.0.193 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_c-map_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 12.46.135.193
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map interface outside
hostname rcsnet
domain-name sms.siemens.com
ca gen rsa key 1024
ssh 64.46.65.0 255.255.248.0 outside
ssh timeout 60
passwd 3333
enable password 3333
ca save all
Write Mem
Exit
This is the script that is kicking my butt; can someone solve this? I can use the VPN but I cannot get on the internet.
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 17896458
>I can use the vpn but I can not get on the internet.

That's because you have this:
>no global (outside) 1 interface
>no nat (inside) 1 0.0.0.0 0.0.0.0

I'll repeat my first post. Remove the "no" from those two lines of your script:
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0

Done. Now you can get on the Internet.


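The two points made in this thread, rsivanandan's note that only traffic matching the access-list goes into the tunnel while everything else goes to the Internet, and lrmoore's diagnosis that the negated global/nat pair leaves Internet traffic with no translation, both come down to the order in which PIX 6.3 looks up a translation for an outbound packet: NAT exemption (nat 0 access-list) first, then the numbered nat statements with their matching global pools, and with no match at all the packet is dropped. The script below is an added example written for this page, not Cisco code and not part of the thread; it parses just those statement types, replays the lookup, and audits a config for the two mistakes discussed. The inside network 10.24.54.0/24 is taken from the author's script; the remote network 192.168.100.0/24 and the Internet host 198.51.100.10 are constructed placeholders.

```python
"""Model of the PIX 6.3 outbound translation lookup (added example, not Cisco code)."""
import ipaddress


def _net(addr, mask):
    """Build a network from PIX 'address mask' notation; '0 0' is shorthand for any."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _addr(tok):
    """Consume one access-list address ('any', 'host A' or 'A MASK'); return (net, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return _net(tok[0], tok[1]), tok[2:]


def parse_pix(config):
    """Collect translation-related statements; a leading 'no ' removes one, as on the PIX."""
    cfg = {"acls": {}, "nats": {}, "globals": {}, "crypto_acl": None}
    for raw in config.splitlines():
        line = raw.strip()
        negate = line.startswith("no ")
        tok = line[3:].split() if negate else line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, rest = _addr(tok[4:])
            dst, _ = _addr(rest)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat":
            nid = int(tok[2])
            if negate:
                cfg["nats"].pop(nid, None)
            elif tok[3] == "access-list":      # nat (inside) 0 access-list NAME: NAT exemption
                cfg["nats"][nid] = ("exempt", tok[4])
            else:                               # nat (inside) N local mask: regular NAT to global N
                cfg["nats"][nid] = ("nat", _net(tok[3], tok[4]))
        elif tok[0] == "global":
            gid = int(tok[2])
            if negate:
                cfg["globals"].pop(gid, None)
            else:
                cfg["globals"][gid] = " ".join(tok[3:])   # "interface" (PAT) or an address pool
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            cfg["crypto_acl"] = tok[6]          # the ACL that selects traffic for the tunnel
    return cfg


def translate(cfg, src, dst):
    """Replay the PIX 6.3 lookup for one inside-to-outside packet.

    Exemption is checked first, then numbered nat rules; a nat rule whose global
    is missing, or no matching rule at all, means no translation and a dropped packet.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in cfg["nats"].values():
        if rule[0] == "exempt" and any(
            s in sn and d in dn for sn, dn in cfg["acls"].get(rule[1], [])
        ):
            return "exempt"                     # untranslated; the crypto map sends it into the tunnel
    for nid, rule in sorted(cfg["nats"].items()):
        if rule[0] == "nat" and s in rule[1]:
            pool = cfg["globals"].get(nid)
            return f"translate global {nid} {pool}" if pool else f"drop: nat {nid} has no global {nid}"
    return "drop: no translation group found"


def audit(cfg):
    """Flag the two configuration mistakes discussed in the thread."""
    findings = []
    exempt_acls = [r[1] for r in cfg["nats"].values() if r[0] == "exempt"]
    if cfg["crypto_acl"] and cfg["crypto_acl"] not in exempt_acls:
        findings.append(f"VPN traffic is not NAT-exempt: nat 0 should reference {cfg['crypto_acl']}")
    if not [n for n, r in cfg["nats"].items() if r[0] == "nat" and n in cfg["globals"]]:
        findings.append("no nat/global pair: inside hosts have no translation for Internet traffic")
    for n, r in cfg["nats"].items():
        if r[0] == "nat" and n not in cfg["globals"]:
            findings.append(f"nat (inside) {n} has no matching global (outside) {n}")
    return findings


# Constructed stand-in for the author's second script (remote network and
# Internet host are placeholders, not addresses from the thread).
AUTHOR_SCRIPT = """
no global (outside) 1 interface
no nat (inside) 1 0.0.0.0 0.0.0.0
access-list outside_c-map_20 permit ip 10.24.54.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list outside_c-map_20
crypto map outside_map 20 match address outside_c-map_20
"""
# The accepted fix: the same script with the "no" removed from the two lines.
FIXED_SCRIPT = AUTHOR_SCRIPT.replace("no global", "global").replace("no nat", "nat")

if __name__ == "__main__":
    for name, script in (("author", AUTHOR_SCRIPT), ("fixed", FIXED_SCRIPT)):
        cfg = parse_pix(script)
        print(name, "-> VPN peer:", translate(cfg, "10.24.54.20", "192.168.100.5"))
        print(name, "-> Internet:", translate(cfg, "10.24.54.20", "198.51.100.10"))
        print(name, "-> audit:", audit(cfg) or ["ok"])
```

Run as a script it shows the author's config exempting VPN traffic but dropping the Internet-bound packet, and the fixed config PATing that packet through `global (outside) 1 interface` while the VPN traffic stays exempt. The parser only understands the statement forms used in this thread; policy NAT with access-lists on numbered nat statements and static translations are outside what it models.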