Solved

Cisco VPN Client to remote PIX can connect and authenticate - but cannot ping or access any remote server.

Posted on 2006-11-08
415 Views
Last Modified: 2013-11-16
I am trying to connect to a PIX with the Cisco VPN client over the internet. The PIX is behind a Cisco router. I can successfully connect to the PIX and authenticate and get an assigned IP address. But I cannot ping or access any server on the remote LAN once I am connected. Any ideas? The config is below...

pixfirewall> ENABLE
Password: *******
pixfirewall# show conf
: Saved
: Written by enable_15 at 07:50:53.259 UTC Tue Aug 29 2006
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password at7Tv2vza0k6CuRE encrypted
passwd at7Tv2vza0k6CuRE encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.2 server
pager lines 24
mtu outside 1500
mtu inside 1500
ip audit info action alarm
ip audit attack action alarm
ip local pool pool1 192.168.1.5-192.168.1.7
pdm location 172.18.0.0 255.255.0.0 inside
pdm location server 255.255.255.255 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
http 192.168.1.3 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
snmp-server community public
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
isakmp policy 20 hash md5
vpngroup mycompinorth address-pool pool1
vpngroup mycompinorth dns-server server
vpngroup mycompinorth wins-server server
vpngroup mycompinorth idle-time 1800
vpngroup mycompinorth password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group mycompipptp accept dialin pptp
vpdn group mycompipptp ppp authentication pap
vpdn group mycompipptp ppp authentication chap
vpdn group mycompipptp ppp authentication mschap
vpdn group mycompipptp ppp encryption mppe auto required
vpdn group mycompipptp client configuration address local pool1
vpdn group mycompipptp pptp echo 60
vpdn group mycompipptp client authentication local
vpdn username benchmark password ********
username notmyuserid notmypassword m0Kdddg8742klhdoKTK5E encrypted privilege 15
terminal width 80
Cryptochecksum:d7e2bf6d9ea41a3137b56e91f200737f
pixfirewall#
Question by: bdcwork

4 Comments
Accepted Solution by: rsivanandan (LVL 32, earned 500 total points)
ID: 17900199
First of all, make sure that you choose the dhcp range for vpn clients to be different from your internal network.

Then add these to the config;

nat (inside) 0 access-list nonat

access-list nonat permit ip <InternalNetwork> <SubnetMask> <DHCPNetworkRange> <SubnetMask>

That should take care of it.

Cheers,
Rajesh
Expert Comment by: lrmoore (LVL 79)
ID: 17901360
Your config is a little bit garbled...
Agree fully with Rajesh that your VPN client pool really needs to be a different IP subnet than the internal LAN.
And you are missing the nat 0 and acl..

I also suggest adding this line:
  isakmp nat-traversal 20

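The check the two answers describe, as an added Python example that is not part of the thread: it reads the relevant lines of the posted config, flags that the pool1 range sits inside the LAN subnet, and emits the replacement pool, the nonat access-list, the nat 0 statement and the NAT-T line. The "ip address inside 192.168.1.1 255.255.255.0" line (absent from the garbled dump, inferred from the pdm location entry) and the replacement pool 192.168.100.0/29 are assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the question's config. The "ip address inside"
# line is an assumption; the dump above does not show it.
SAMPLE_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool pool1 192.168.1.5-192.168.1.7
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpngroup mycompinorth address-pool pool1
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)", re.M)
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)", re.M)


def parse_pool(config):
    """Return (name, first_ip, last_ip) of the first 'ip local pool' line."""
    m = POOL_RE.search(config)
    if not m:
        raise ValueError("no 'ip local pool' line in config")
    return m.group(1), ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))


def parse_inside_lan(config):
    """Return the inside LAN as an IPv4Network from 'ip address inside A MASK'."""
    m = INSIDE_RE.search(config)
    if not m:
        raise ValueError("no 'ip address inside' line in config")
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network


def pool_overlaps_lan(config):
    """True when the VPN client pool falls inside the LAN subnet (the problem here)."""
    _, first, last = parse_pool(config)
    lan = parse_inside_lan(config)
    return first in lan or last in lan


def nonat_fix(config, new_pool):
    """PIX 6.3 lines implementing the answers: non-overlapping pool, NAT exemption, NAT-T."""
    name, _, _ = parse_pool(config)
    lan = parse_inside_lan(config)
    pool_net = ipaddress.ip_network(new_pool)
    hosts = list(pool_net.hosts())
    return [
        f"ip local pool {name} {hosts[0]}-{hosts[-1]}",
        f"access-list nonat permit ip {lan.network_address} {lan.netmask} "
        f"{pool_net.network_address} {pool_net.netmask}",
        "nat (inside) 0 access-list nonat",
        "isakmp nat-traversal 20",
    ]
```

The existing pool1 definition has to be removed before the new range is entered, since the vpngroup still references the pool by name.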
Author Comment by: bdcwork
ID: 17905951
I will try it today and let everyone know...
Expert Comment by: rsivanandan (LVL 32)
ID: 17949218
May I know why grade B?

Cheers,
Rajesh