We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!
Solved
PIX VPN conected but no access
Posted on 2006-11-20
I setup the VPN on my PIX firewall. It is setup for radius server on the inside. I have one PAT port and one static Nat port. I VPN into either and it lets me connect perfectly, but no access to anything. It is like I am not connected at all. The PIX is setup site-to-site with 2 other locations, and I am just trying to make this a remote access server. Any help!! I don't see any problems with my access list, but maybe I am blind.
Config
: Saved
: Written by enable_15 at 11:55:12.971 EST Mon Nov 20 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ****** encrypted
passwd *********encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 160 permit ip 192.168.70.0 255.255.255.0 192.168.1.0
255.255.255.0
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any time-exceeded
access-list allow_ping permit icmp any any unreachable
access-list 170 permit ip 192.168.70.0 255.255.255.0 192.168.60.0
255.255.255.0
access-list 150 permit ip 192.168.70.0 255.255.255.0 192.168.60.0
255.255.255.0
access-list 150 permit ip 192.168.70.0 255.255.255.0 192.168.1.0
255.255.255.0
access-list 150 permit ip any 192.168.70.96 255.255.255.240
access-list 100 permit tcp any host 67.59.38.11 eq www
access-list 100 permit tcp any host 67.59.38.11 eq https
access-list outside_cryptomap_dyn_20 permit ip any 192.168.70.96
255.255.255.240
no pager
logging on
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 67.59.38.10 255.255.255.0
ip address inside 192.168.70.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool cl-pool 192.168.70.101-192.168.70.
pdm location 192.168.70.0 255.255.255.0 inside
pdm location 192.168.70.190 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.60.0 255.255.255.0 outside
pdm location 192.168.80.0 255.255.255.0 outside
pdm location 192.168.80.0 255.255.255.240 outside
pdm location 192.168.70.185 255.255.255.255 inside
pdm location 192.168.70.96 255.255.255.240 outside
pdm location 192.168.70.102 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 150
nat (inside) 1 192.168.70.0 255.255.255.0 0 0
static (inside,outside) 67.59.38.11 192.168.70.190 netmask
255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 67.59.38.9 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 5
aaa-server RADIUS deadtime 30
aaa-server RADIUS (inside) host 192.168.70.185 **** timeout 30
aaa-server LOCAL protocol local
http server enable
http 192.168.70.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set gb-set esp-aes-256 esp-md5-hmac
crypto ipsec transform-set is-set esp-3des esp-sha-hmac
crypto ipsec transform-set cl-set esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 20 match address
outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set is-set
crypto map gb-map 1 ipsec-isakmp
crypto map gb-map 1 match address 160
crypto map gb-map 1 set peer 63.88.189.251
crypto map gb-map 1 set transform-set gb-set
crypto map gb-map 2 ipsec-isakmp
crypto map gb-map 2 match address 170
crypto map gb-map 2 set peer 134.215.204.218
crypto map gb-map 2 set transform-set is-set
crypto map gb-map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map gb-map interface outside
isakmp enable outside
isakmp key ********** address 63.88.189.251
netmask 255.255.255.255
isakmp key ********* address 134.215.204.218
netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask
0.0.0.0
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 5400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 5400
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash sha
isakmp policy 3 group 2
isakmp policy 3 lifetime 86400
telnet 192.168.70.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 60
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local cl-pool
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.70.185
vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.70.185
vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
vpdn group PPTP-VPDN-GROUP client accounting RADIUS
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.70.2-192.168.70.10
dhcpd dns 192.168.70.185 64.186.63.132
dhcpd wins 192.168.70.185 192.168.60.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain domain.local
dhcpd auto_config outside
dhcpd enable inside
username ****** password ******* encrypted privilege 15
terminal width 80
Cryptochecksum:***********
: end
Config
: Saved
: Written by enable_15 at 11:55:12.971 EST Mon Nov 20 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ****** encrypted
passwd *********encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 160 permit ip 192.168.70.0 255.255.255.0 192.168.1.0
255.255.255.0
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any time-exceeded
access-list allow_ping permit icmp any any unreachable
access-list 170 permit ip 192.168.70.0 255.255.255.0 192.168.60.0
255.255.255.0
access-list 150 permit ip 192.168.70.0 255.255.255.0 192.168.60.0
255.255.255.0
access-list 150 permit ip 192.168.70.0 255.255.255.0 192.168.1.0
255.255.255.0
access-list 150 permit ip any 192.168.70.96 255.255.255.240
access-list 100 permit tcp any host 67.59.38.11 eq www
access-list 100 permit tcp any host 67.59.38.11 eq https
access-list outside_cryptomap_dyn_20 permit ip any 192.168.70.96
255.255.255.240
no pager
logging on
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 67.59.38.10 255.255.255.0
ip address inside 192.168.70.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool cl-pool 192.168.70.101-192.168.70.
pdm location 192.168.70.0 255.255.255.0 inside
pdm location 192.168.70.190 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.60.0 255.255.255.0 outside
pdm location 192.168.80.0 255.255.255.0 outside
pdm location 192.168.80.0 255.255.255.240 outside
pdm location 192.168.70.185 255.255.255.255 inside
pdm location 192.168.70.96 255.255.255.240 outside
pdm location 192.168.70.102 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 150
nat (inside) 1 192.168.70.0 255.255.255.0 0 0
static (inside,outside) 67.59.38.11 192.168.70.190 netmask
255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 67.59.38.9 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 5
aaa-server RADIUS deadtime 30
aaa-server RADIUS (inside) host 192.168.70.185 **** timeout 30
aaa-server LOCAL protocol local
http server enable
http 192.168.70.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set gb-set esp-aes-256 esp-md5-hmac
crypto ipsec transform-set is-set esp-3des esp-sha-hmac
crypto ipsec transform-set cl-set esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 20 match address
outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set is-set
crypto map gb-map 1 ipsec-isakmp
crypto map gb-map 1 match address 160
crypto map gb-map 1 set peer 63.88.189.251
crypto map gb-map 1 set transform-set gb-set
crypto map gb-map 2 ipsec-isakmp
crypto map gb-map 2 match address 170
crypto map gb-map 2 set peer 134.215.204.218
crypto map gb-map 2 set transform-set is-set
crypto map gb-map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map gb-map interface outside
isakmp enable outside
isakmp key ********** address 63.88.189.251
netmask 255.255.255.255
isakmp key ********* address 134.215.204.218
netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask
0.0.0.0
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 5400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 5400
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash sha
isakmp policy 3 group 2
isakmp policy 3 lifetime 86400
telnet 192.168.70.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 60
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local cl-pool
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.70.185
vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.70.185
vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
vpdn group PPTP-VPDN-GROUP client accounting RADIUS
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.70.2-192.168.70.10
dhcpd dns 192.168.70.185 64.186.63.132
dhcpd wins 192.168.70.185 192.168.60.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain domain.local
dhcpd auto_config outside
dhcpd enable inside
username ****** password ******* encrypted privilege 15
terminal width 80
Cryptochecksum:***********
: end
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4-
2
- +1
8 Comments
Cisco does not recommend that the IP pool for the VPN overlaps or is on the same subnet as that of the internal network. I would recommend that you change your IP pool to something other than 192.168.70.0/24. Once you create a new IP pool, add an access-list entry to acl 150 for the new pool.
e.g
ip local pool pptp_pool 10.10.10.1-10.10.10.20 mask 255.255.255.0
access-list 150 permit ip 192.168.70.0 255.255.255.0 10.10.10.0 255.255.255
e.g
ip local pool pptp_pool 10.10.10.1-10.10.10.20 mask 255.255.255.0
access-list 150 permit ip 192.168.70.0 255.255.255.0 10.10.10.0 255.255.255
Agree w/ stressedout2004 - if your 'ip local pool' overlaps any of the subnets that the PIX knows about, then you'll hit a routing loop, as you've already seen. The client VPN pool also mustn't overlap any of the remote LANs on the other side of the site-site VPN links, nor the IP range of the LAN where the remote VPN client PC resides on, or again you'll hit a routing loop.
You should also add this to your config:
isakmp nat-traversal
I also hope you're not trying to access any of the remote site-site LANs (eg 192.168.1.x) directly from the remote VPN client - even if your client VPN pool doesn't overlap anything, you won't be able to get from the remote VPN client & across the site-site VPN link to the other sites. PIX 6.x series won't let you do this "U-turn" (aka hairpinning), since traffic would have to enter & exit the same interface in order to get out to the other VPN site. Only PIX 7.x series supports hairpinning, & 7.x is only supported on PIX 515 or above.
A workaround would be to connect to a local PC/server on the 192.168.70.x subnet, then from there you'd be able to get over the site-site VPN links.
Once you've made your changes to the client VPN pool, run this:
clear xlate
crypto map gb-map interface outside <- important to re-apply VPN settings anytime you change the VPN config
cheers
You should also add this to your config:
isakmp nat-traversal
I also hope you're not trying to access any of the remote site-site LANs (eg 192.168.1.x) directly from the remote VPN client - even if your client VPN pool doesn't overlap anything, you won't be able to get from the remote VPN client & across the site-site VPN link to the other sites. PIX 6.x series won't let you do this "U-turn" (aka hairpinning), since traffic would have to enter & exit the same interface in order to get out to the other VPN site. Only PIX 7.x series supports hairpinning, & 7.x is only supported on PIX 515 or above.
A workaround would be to connect to a local PC/server on the 192.168.70.x subnet, then from there you'd be able to get over the site-site VPN links.
Once you've made your changes to the client VPN pool, run this:
clear xlate
crypto map gb-map interface outside <- important to re-apply VPN settings anytime you change the VPN config
cheers
Are you still with us, Tabitha?
Do you need more information? We're here to help but only if you come back and dialog with us...
Do you need more information? We're here to help but only if you come back and dialog with us...
Yes, I am still here. I tryied the different IP subnet, but not the other ones. I will work on that by this weekend.
Featured Post
WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market. Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses
Course of the Month9 days, 12 hours left to enroll
722 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.