Solved

Cisco VPN Client to remote PIX can connect and authenticate - but cannot ping or access any remote server.

Posted on 2006-11-08
4
431 Views
Last Modified: 2013-11-16
I am trying to connect to a PIX with the Cisco VPN client over the internet.  The PIX is behind a Cisco router. I can successfully connect to the PIX and authenticate and get an assigned IP address.  But I cannot ping or access any server on the remote LAN once I am connected.  Any ideas?  The config is below...

pixfirewall> ENABLE
Password: *******
pixfirewall# show conf
: Saved
: Written by enable_15 at 07:50:53.259 UTC Tue Aug 29 2006
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password at7Tv2vza0k6CuRE encrypted
passwd at7Tv2vza0k6CuRE encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.2 server
pager lines 24
mtu outside 1500
mtu inside 1500
ip audit info action alarm
ip audit attack action alarm
ip local pool pool1 192.168.1.5-192.168.1.7
pdm location 172.18.0.0 255.255.0.0 inside
pdm location server 255.255.255.255 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
http 192.168.1.3 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
isakmp policy 20 hash md5
vpngroup mycompinorth address-pool pool1
vpngroup mycompinorth dns-server server
vpngroup mycompinorth wins-server server
vpngroup mycompinorth idle-time 1800
vpngroup mycompinorth password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group mycompipptp accept dialin pptp
vpdn group mycompipptp ppp authentication pap
vpdn group mycompipptp ppp authentication chap
vpdn group mycompipptp ppp authentication mschap
vpdn group mycompipptp ppp encryption mppe auto required
vpdn group mycompipptp client configuration address local pool1
vpdn group mycompipptp pptp echo 60
vpdn group mycompipptp client authentication local
vpdn username benchmark password ********
username notmyuserid notmypassword m0Kdddg8742klhdoKTK5E encrypted privilege 15
terminal width 80
Cryptochecksum:d7e2bf6d9ea41a3137b56e91f200737f
pixfirewall#
Question by:bdcwork
4 Comments
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 17900199
First of all, make sure that you choose the dhcp range for vpn clients to be different from your internal network.

Then add these to the config:

nat (inside) 0 access-list nonat

access-list nonat permit ip <InternalNetwork> <SubnetMask> <DHCPNetworkRange> <SubnetMask>

That should take care of it.

Cheers,
Rajesh
 
LVL 79

Expert Comment

by:lrmoore
ID: 17901360
Your config is a little bit garbled...
Agree fully with Rajesh that your VPN client pool really needs to be a different IP subnet than the internal LAN.
And you are missing the nat 0 and acl..

I also suggest adding this line:
  isakmp nat-traversal 20



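As an added example that is not part of the thread: a short Python lint that applies the three checks raised in the two answers above (the client pool must sit off the inside subnet, a nat 0 exemption with a matching access-list must exist, and isakmp nat-traversal should be on since the PIX sits behind a router) to a PIX 6.3-style config. Both sample configs are constructed in the shape of the poster's; the "ip address inside 192.168.1.1 255.255.255.0" line and the 192.168.100.0/24 client pool in the fixed variant are assumptions, not taken from the thread.

```python
"""Lint a PIX 6.3-style config for the three issues raised in the answers:
(1) the VPN client pool overlapping the inside subnet,
(2) no 'nat (inside) 0 access-list <acl>' exemption with a matching ACL,
(3) no 'isakmp nat-traversal' although the PIX sits behind a NAT router.
Added example, not from the thread; both configs below are constructed."""
import ipaddress
import re

# Constructed sample in the shape of the poster's config. The 'ip address inside'
# line is an assumption (it did not survive in the original paste).
BROKEN_CONFIG = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool pool1 192.168.1.5-192.168.1.7
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpngroup mycompinorth address-pool pool1
"""

# Same config with the fixes the two answers propose: pool moved to an
# assumed 192.168.100.0/24 range, nat 0 exemption plus ACL, NAT-T enabled.
FIXED_CONFIG = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool pool1 192.168.100.5-192.168.100.7
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
isakmp nat-traversal 20
vpngroup mycompinorth address-pool pool1
"""


def parse(config):
    """Extract only the statements the three checks need."""
    facts = {"inside": None, "pools": {}, "nat0_acl": None, "acls": {}, "nat_t": False}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            facts["inside"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            facts["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            facts["nat0_acl"] = m[1]
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            facts["acls"].setdefault(m[1], []).append(
                (ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False),
                 ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)))
        elif re.match(r"isakmp nat-traversal( \d+)?$", line):
            facts["nat_t"] = True
    return facts


def lint(config):
    """Return a list of findings; an empty list means all three checks pass."""
    f = parse(config)
    inside = f["inside"]
    findings = []
    # (1) pool endpoints inside the LAN subnet mean replies never reach the tunnel
    for name, (lo, hi) in f["pools"].items():
        if inside and (lo in inside or hi in inside):
            findings.append(f"pool {name} ({lo}-{hi}) overlaps inside subnet {inside}")
    # (2) without nat 0 the LAN -> client traffic is PATed to the outside interface
    if f["nat0_acl"] is None:
        findings.append("no 'nat (inside) 0 access-list' exemption; LAN replies to clients get NATed")
    else:
        rules = f["acls"].get(f["nat0_acl"], [])
        covered = any(
            inside and src.overlaps(inside) and lo in dst and hi in dst
            for src, dst in rules for lo, hi in f["pools"].values())
        if not covered:
            findings.append(f"access-list {f['nat0_acl']} does not exempt LAN -> VPN pool traffic")
    # (3) ESP through the upstream router's NAT needs UDP encapsulation
    if not f["nat_t"]:
        findings.append("isakmp nat-traversal not enabled; PIX sits behind a NAT router")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or "OK")
```

Run against the broken sample the lint reports all three problems; against the fixed sample it reports none. Extending the access-list parser to handle object groups or 'permit ip host ...' forms is straightforward if you want to run it on a larger config.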
 

Author Comment

by:bdcwork
ID: 17905951
I will try it today and let everyone know...
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17949218
May I know why grade B?

Cheers,
Rajesh