Solved

Cisco PIX 506e VPN routing problems

Posted on 2007-04-04
Last Modified: 2008-01-09
OK
I have a Cisco PIX 506e that I use as a VPN server.
When I establish a VPN session, I am able to reach the local subnet with no probs.
I however have some remote offices that I need to reach. I have a Cisco 3600 router that I use to terminate my frame-relay connections on. Now, when I am in the office on the local subnet, using the 3640 router as the gateway, I am able to reach ALL my remote offices, and do whatever I need to do there. But when I VPN in, I cannot ping, I cannot telnet or do anything to those remote offices. When I traceroute I just get stars all the way. I have entered the routing entries in the PIX (VPN server), but it does not seem to be using those routes. I have checked, and split tunnel does work. I have removed split tunnel, and still cannot reach the remote subnets. Strangely, from the PIX itself, I am able to ping or telnet to the remote routers. So the issue seems to be specific to the VPN aspect (configuration) of the device.

Question by:Protorian

25 Comments
LVL 20

Expert Comment

by:RPPreacher
ID: 18850072
Can you provide a basic network diagram?
LVL 10

Expert Comment

by:Sorenson
ID: 18850088
Verify that the 3600 router has a route back to your ip local pool addresses, and that the route is propagated to the remote routers as well.  Verify that the split-tunnel command includes all of the remote subnets.  Also verify that there is no inbound acl on the inside interface that would stop the traffic.  If that doesn't help, please post a sanitized config of the pix, as well as a "show ip int brief and show ip route" of the 3600 and a "show ip int brief and show ip route" of one of the remote sites.

Author Comment

by:Protorian
ID: 18850783
Here is the PIX config.


PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password AAAAAAAAAAAAAAAAAA encrypted
passwd AAAAAAAAAAAAA encrypted
hostname HELLO
domain-name HELLO
clock timezone CST -6
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 Router_Serial
access-list outside_access_in permit ip any any
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip 172.16.17.0 255.255.255.192 172.16.17.48 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 172.16.17.48 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 172.16.17.48 255.255.255.240
access-list VPN_splitTunnelAcl permit ip 172.16.17.0 255.255.255.192 any
pager lines 24
icmp permit host X.X.X.X outside
icmp deny any outside
icmp permit any inside
icmp permit 172.16.0.0 255.255.0.0 inside
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.224
ip address inside 172.16.17.14 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.17.53-172.16.17.58
pdm location 172.16.17.24 255.255.255.255 inside
pdm location 172.16.43.0 255.255.255.0 outside
pdm location 172.16.17.48 255.255.255.240 outside
pdm location 172.16.17.12 255.255.255.255 inside
pdm location 172.16.0.0 255.255.0.0 inside
pdm location Router_Serial 255.255.255.0 inside
pdm location 172.16.17.38 255.255.255.255 inside
pdm location 172.16.33.0 255.255.255.0 inside
pdm location 172.16.99.0 255.255.255.0 inside
pdm location 172.16.17.64 255.255.255.248 inside
pdm location 172.16.51.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 200.32.198.1 1
route inside 172.16.0.0 255.255.0.0 172.16.17.6 2
route inside 172.16.17.64 255.255.255.248 172.16.17.59 1
route inside 172.16.33.0 255.255.255.0 172.16.17.1 1
route inside 172.16.51.0 255.255.255.0 172.16.17.1 1
route inside 172.16.99.0 255.255.255.0 172.16.17.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server DATA protocol tacacs+
aaa-server DATA max-failed-attempts 3
aaa-server DATA deadtime 10
aaa-server DATA (inside) host 172.16.17.12 datadep timeout 10
ntp server 131.107.1.10 source outside prefer
http server enable
http 172.16.17.0 255.255.255.192 inside
snmp-server host inside 172.16.17.38
snmp-server community datadep
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication DATA LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN address-pool vpnpool
vpngroup VPN dns-server 200.32.248.1 200.32.218.132
vpngroup VPN split-tunnel VPN_splitTunnelAcl
vpngroup VPN idle-time 1800
vpngroup VPN password ********
telnet 172.16.17.0 255.255.255.192 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
username lguild password AAAAAAAAAAAAAAAAAA encrypted privilege 15
terminal width 80
banner login
banner login
banner login
banner login
banner login                        This is a private network.  Your IP Address
banner login                        has been logged.  It is unlawful to attempt
banner login                        to access this network if you are not properly
Cryptochecksum:cafef814db8d0dc307ac72fd0ad3a112
: end

DATA-PIX#

Author Comment

by:Protorian
ID: 18850912
http://protorian.50megs.com/vpn.jpg

There is a simple network diagram

Author Comment

by:Protorian
ID: 18850920
Please note that the very same pix is used as our internet gateway.
LVL 20

Expert Comment

by:RPPreacher
ID: 18850935
On the remote routers (1751) do you have routes to the VPN pool showing the 3640 as the next hop?

Can you post a show ip route from the 1751?

Author Comment

by:Protorian
ID: 18850944
Here is the Show IP Int Brief for the 3640



BTL_DATA_WAN#sho ip int bri
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        172.16.17.6     YES NVRAM  up                    up
Serial0/0              unassigned      YES NVRAM  up                    up
Serial0/0.1            192.168.1.5     YES NVRAM  up                    up
Serial0/0.2            192.168.1.9     YES NVRAM  up                    up
Serial0/0.3            192.168.30.1    YES NVRAM  up                    up
Serial0/0.4            192.168.1.13    YES NVRAM  up                    up
Serial0/0.5            192.168.1.17    YES NVRAM  up                    up
Serial0/0.6            192.168.1.21    YES NVRAM  up                    up
Serial0/0.7            192.168.1.25    YES NVRAM  up                    up
Serial0/0.8            192.168.1.29    YES NVRAM  up                    up
Serial0/0.9            192.168.1.33    YES NVRAM  up                    up
Serial0/0.10           192.168.1.37    YES NVRAM  up                    up
Serial0/0.11           192.168.1.41    YES NVRAM  up                    up
Serial0/0.12           192.168.1.45    YES NVRAM  up                    up
Serial0/0.13           192.168.22.1    YES NVRAM  up                    up
Serial0/0.14           192.168.1.1     YES NVRAM  down                  down
Serial0/0.15           172.16.112.2    YES NVRAM  up                    up
Serial0/0.16           192.168.1.49    YES NVRAM  up                    up
Serial0/0.17           192.168.1.53    YES NVRAM  up                    up
Serial0/0.18           192.25.10.1     YES NVRAM  up                    up
Serial0/0.19           192.168.1.57    YES NVRAM  down                  down
Serial0/0.99           10.1.1.1        YES NVRAM  down                  down
Serial0/1              unassigned      YES NVRAM  administratively down down
Serial0/2              unassigned      YES NVRAM  administratively down down
Serial0/3              unassigned      YES NVRAM  administratively down down
Group-Async0           unassigned      YES NVRAM  down                  down


Author Comment

by:Protorian
ID: 18850952
Sho ip route


BTL_DATA_WAN#sho ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR, P - periodic downloaded static route
       T - traffic engineered route

Gateway of last resort is 172.16.17.14 to network 0.0.0.0

     192.168.30.0/30 is subnetted, 1 subnets
C       192.168.30.0 is directly connected, Serial0/0.3
     192.25.10.0/30 is subnetted, 1 subnets
C       192.25.10.0 is directly connected, Serial0/0.18
     172.16.0.0/16 is variably subnetted, 32 subnets, 5 masks
D       172.16.251.0/24 [90/40514560] via 192.168.1.50, Serial0/0.16
D       172.16.200.0/24 [90/40537600] via 192.168.1.6, Serial0/0.1
D       172.16.60.0/24 [90/2172416] via 192.168.1.54, Serial0/0.17
D       172.16.52.0/24 [90/40514560] via 192.168.1.30, Serial0/0.8
D       172.16.53.0/24 [90/40537600] via 192.168.1.42, Serial0/0.11
D       172.16.54.0/24 [90/40514560] via 192.168.1.46, Serial0/0.12
S       172.16.50.0/24 [1/0] via 172.16.17.1
S       172.16.51.0/24 [1/0] via 172.16.17.1
D       172.16.42.0/24 [90/20514560] via 192.168.1.18, Serial0/0.5
D       172.16.43.0/24 [90/20514560] via 192.168.1.22, Serial0/0.6
D       172.16.32.0/24 [90/20514560] via 192.168.1.14, Serial0/0.4
S       172.16.33.0/24 [1/0] via 172.16.17.1
S       172.16.25.0/24 [1/0] via 172.16.17.1
D       172.16.26.0/24 [90/40514560] via 192.168.1.10, Serial0/0.2
D       172.16.27.0/24 [90/20514560] via 192.168.1.26, Serial0/0.7
D       172.16.23.0/24 [90/40537600] via 192.168.1.6, Serial0/0.1
C       172.16.17.0/26 is directly connected, FastEthernet0/0
D       172.16.0.0/16 [90/20514560] via 192.168.30.2, Serial0/0.3
D       172.16.33.32/29 [90/20514560] via 192.168.1.14, Serial0/0.4
S       172.16.126.0/24 [1/0] via 172.16.17.1
S       172.16.121.0/24 [1/0] via 192.25.10.2
C       172.16.112.0/30 is directly connected, Serial0/0.15
D       172.16.33.80/29 [90/40537600] via 192.168.1.42, Serial0/0.11
D       172.16.33.72/29 [90/40514560] via 192.168.1.30, Serial0/0.8
S       172.16.100.0/24 [1/0] via 172.16.17.1
S       172.16.99.0/24 [1/0] via 172.16.17.1
D       172.16.84.0/24 [90/40514560] via 192.168.1.38, Serial0/0.10
S       172.16.17.64/29 [1/0] via 172.16.17.59
S       172.16.82.0/24 [1/0] via 192.168.30.2
D       172.16.83.0/24 [90/20514560] via 192.168.1.34, Serial0/0.9
D       172.16.72.0/24 [90/40514560] via 192.168.22.2, Serial0/0.13
S       172.16.75.0/24 [1/0] via 172.16.17.1
     192.168.22.0/30 is subnetted, 1 subnets
C       192.168.22.0 is directly connected, Serial0/0.13
     192.168.254.0/29 is subnetted, 1 subnets
C       192.168.254.0 is directly connected, FastEthernet0/0
     192.168.1.0/30 is subnetted, 13 subnets
C       192.168.1.40 is directly connected, Serial0/0.11
C       192.168.1.44 is directly connected, Serial0/0.12
C       192.168.1.32 is directly connected, Serial0/0.9
C       192.168.1.36 is directly connected, Serial0/0.10
C       192.168.1.48 is directly connected, Serial0/0.16
C       192.168.1.52 is directly connected, Serial0/0.17
C       192.168.1.8 is directly connected, Serial0/0.2
C       192.168.1.12 is directly connected, Serial0/0.4
C       192.168.1.4 is directly connected, Serial0/0.1
C       192.168.1.24 is directly connected, Serial0/0.7
C       192.168.1.28 is directly connected, Serial0/0.8
C       192.168.1.16 is directly connected, Serial0/0.5
C       192.168.1.20 is directly connected, Serial0/0.6
S*   0.0.0.0/0 [1/0] via 172.16.17.14

Author Comment

by:Protorian
ID: 18850958
Show ip route of remote router...


FRZ-MGMT#sho ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.1.21 to network 0.0.0.0

     192.168.30.0/30 is subnetted, 1 subnets
D       192.168.30.0 [90/21024000] via 192.168.1.21, 6d18h, Serial0.1
     172.16.0.0/16 is variably subnetted, 32 subnets, 5 masks
D       172.16.251.0/24 [90/41026560] via 192.168.1.21, 14:28:29, Serial0.1
D       172.16.200.0/24 [90/41049600] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.60.0/24 [90/21026560] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.52.0/24 [90/41026560] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.53.0/24 [90/41049600] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.54.0/24 [90/41026560] via 192.168.1.21, 6d18h, Serial0.1
D EX    172.16.50.0/24 [170/20514560] via 192.168.1.21, 6d18h, Serial0.1
D EX    172.16.51.0/24 [170/20514560] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.42.0/24 [90/21026560] via 192.168.1.21, 6d18h, Serial0.1
C       172.16.43.0/24 is directly connected, FastEthernet0
D       172.16.32.0/24 [90/21026560] via 192.168.1.21, 6d18h, Serial0.1
D EX    172.16.33.0/24 [170/20514560] via 192.168.1.21, 6d18h, Serial0.1
D EX    172.16.25.0/24 [170/20514560] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.26.0/24 [90/41026560] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.27.0/24 [90/21026560] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.23.0/24 [90/41049600] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.17.0/26 [90/20514560] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.0.0/16 [90/21026560] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.33.32/29 [90/21026560] via 192.168.1.21, 6d18h, Serial0.1
D EX    172.16.126.0/24 [170/20514560] via 192.168.1.21, 6d18h, Serial0.1
D EX    172.16.121.0/24 [170/21024000] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.112.0/30 [90/21024000] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.33.80/29 [90/41049600] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.33.72/29 [90/41026560] via 192.168.1.21, 6d18h, Serial0.1
D EX    172.16.100.0/24 [170/20514560] via 192.168.1.21, 6d18h, Serial0.1
D EX    172.16.99.0/24 [170/20514560] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.84.0/24 [90/41026560] via 192.168.1.21, 6d06h, Serial0.1
D EX    172.16.17.64/29 [170/20514560] via 192.168.1.21, 21:43:46, Serial0.1
D EX    172.16.82.0/24 [170/21024000] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.83.0/24 [90/21026560] via 192.168.1.21, 6d18h, Serial0.1
D       172.16.72.0/24 [90/41026560] via 192.168.1.21, 2d21h, Serial0.1
D EX    172.16.75.0/24 [170/20514560] via 192.168.1.21, 6d18h, Serial0.1
     192.168.22.0/30 is subnetted, 1 subnets
D       192.168.22.0 [90/41024000] via 192.168.1.21, 6d18h, Serial0.1
     192.168.1.0/30 is subnetted, 13 subnets
D       192.168.1.40 [90/41024000] via 192.168.1.21, 6d18h, Serial0.1
D       192.168.1.44 [90/41024000] via 192.168.1.21, 6d18h, Serial0.1
D       192.168.1.32 [90/21024000] via 192.168.1.21, 6d18h, Serial0.1
D       192.168.1.36 [90/41024000] via 192.168.1.21, 6d06h, Serial0.1
D       192.168.1.48 [90/41024000] via 192.168.1.21, 15:06:53, Serial0.1
D       192.168.1.52 [90/21024000] via 192.168.1.21, 6d18h, Serial0.1
D       192.168.1.8 [90/41024000] via 192.168.1.21, 6d18h, Serial0.1
D       192.168.1.12 [90/21024000] via 192.168.1.21, 6d18h, Serial0.1
D       192.168.1.4 [90/41024000] via 192.168.1.21, 6d18h, Serial0.1
D       192.168.1.24 [90/21024000] via 192.168.1.21, 6d18h, Serial0.1
D       192.168.1.28 [90/41024000] via 192.168.1.21, 6d18h, Serial0.1
D       192.168.1.16 [90/21024000] via 192.168.1.21, 6d18h, Serial0.1
C       192.168.1.20 is directly connected, Serial0.1
D*EX 0.0.0.0/0 [170/20514560] via 192.168.1.21, 6d18h, Serial0.1
FRZ-MGMT#
LVL 10

Expert Comment

by:Sorenson
ID: 18851025
Change the ip pool to a subnet that is not in use within the organization already...

!
no ip local pool vpnpool 172.16.17.53-172.16.17.58
ip local pool vpnpool 10.1.1.1 - 10.1.1.254    (or some other subnet)
!

As the pix is the internet connection for all sites, you should not need to update routing for the remote ends, as they will push the unknown network back to the pix via the default routes.

Author Comment

by:Protorian
ID: 18851043
http://protorian.50megs.com/vpn-1.jpg

Updated diagram, with some IP addresses

Author Comment

by:Protorian
ID: 18851051
If I change the pool to an unused block of IPs, will I still be able to communicate with the internal 172.16.17.0 subnet?
LVL 10

Expert Comment

by:Sorenson
ID: 18851158
Yes.  The ip pool should be a separate subnet from the inside networks.  The nat 0 and the split tunnel and crypto access lists will need to be updated as well.

The split tunnel access list should look like

access-list splittunnel permit ip x.x.x.x y.y.y.y 10.1.1.0 255.255.255.0

where each x.x.x.x y.y.y.y is an inside network.  Then only traffic to those networks will be encrypted, and the traffic to the internet will not come up the pipe.


Author Comment

by:Protorian
ID: 18853050
I don't get it..
I tried adding in the changes you suggested.
But it still does not work..

Could you copy from the above config and show me the changes you suggest? Please.

Author Comment

by:Protorian
ID: 18853288
I could use a second subnet on the block.
My initial servers reside on 172.16.17.0 255.255.255.192.
I want to limit the number of users who VPN in, so I can put them on 172.16.17.64 255.255.255.248.
LVL 10

Expert Comment

by:Sorenson
ID: 18853379
I can run the config for you.  Is this the only vpn you have setup?  It would be easiest to remove it and rebuild it.


Author Comment

by:Protorian
ID: 18853461
This is the only VPN I have to build.

I have removed the config from the PIX and reconfigured the PIX from the beginning, but using the wizards.
I get the VPN established, but the remote user cannot reach anything on the network.

The internal network is 172.16.17.0 255.255.255.192.
The VPN block of addresses is 172.16.17.64 255.255.255.248.
When you VPN in, you get an address from 172.16.17.65 - 70. That's fine..
But you cannot reach 172.16.17.0 255.255.255.192...
That's the problem..

LVL 10

Accepted Solution

by:
Sorenson earned 300 total points
ID: 18853488
I believe this will work, we may need to tune it.  I saw that you were trying to TACACS+ auth to a server.  What type of server is it?  Once the vpn is up and established, it is fairly easy to add extended authentication for it.

! out with the old
!
no isakmp enable outside
no crypto map outside_map interface outside
no crypto dynamic-map outside_dyn_map
no crypto map outside_map
!
no access-list inside_outbound_nat0_acl permit ip 172.16.17.0 255.255.255.192 172.16.17.48 255.255.255.240
no access-list inside_outbound_nat0_acl permit ip any 172.16.17.48 255.255.255.240
no access-list outside_cryptomap_dyn_20 permit ip any 172.16.17.48 255.255.255.240
no nat (inside) 0 access-list inside_outbound_nat0_acl
!
no vpngroup VPN
!
no ip local pool vpnpool 172.16.17.53-172.16.17.58
!


! in with the new
!
access-list VPN_SplitTunnelACL permit ip 172.16.0.0 255.255.0.0 10.254.254.0 255.255.255.0
!
access-list VPN_TrafficACL permit ip 172.16.0.0 255.255.0.0 10.254.254.0 255.255.255.0
!
nat (inside) 0 access-list VPN_TrafficACL
!

! the transform-set named here must already exist; ESP-3DES-SHA is the one defined in the config above
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map ClientVPN 10 ipsec-isakmp dynamic dynmap
crypto map ClientVPN interface outside
!
ip local pool vpnpool 10.254.254.1-10.254.254.254
!
isakmp identity address
isakmp nat-traversal
isakmp enable outside
!
vpngroup VPN address-pool vpnpool
vpngroup VPN dns-server x.x.x.x   (internal DNS server)
vpngroup VPN wins-server x.x.x.x  (internal wins server)
vpngroup VPN idle-time 1800
vpngroup VPN password xxxxxxxx
vpngroup VPN default-domain ADFQDNDOMAIN.INT    (internal AD domain name ie: contoso.int )
vpngroup VPN split-tunnel VPN_SplitTunnelACL
!
LVL 10

Expert Comment

by:Sorenson
ID: 18853504
The ip pool should never be on the same subnet as one used inside the pix.

Change the ip pool to something else, in the example I have 10.254.254.x as the vpn subnet.

Also the wizards add a bunch of unnecessary noise into the configs.
LVL 10

Expert Comment

by:Sorenson
ID: 18853533
After I reread the posting by you I noticed that the 172.16.17 addresses were on different subnets, in which case they conflict with the routing statement in the pix.
The line "route inside 172.16.0.0 255.255.0.0 172.16.17.6" will need to be removed, and each subnet added manually (so that the 172.16.17. addresses of the vpn pool are not caught up in the generic route statement).
LVL 10

Expert Comment

by:Sorenson
ID: 18853539
I would think it would be easier to leave the 172.16.x.x routing alone and change the ip pool to something different.
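Sorenson's advice in the comments above boils down to three checks that can be made mechanically against a PIX 6.3 config: the VPN pool must not sit inside an inside subnet, no "route inside" statement may swallow the pool, and the nat 0 and split-tunnel ACLs must cover it. The script below is an added example, not something posted in this thread; it runs those checks over two excerpts, one copied from the asker's first config and one built from the accepted answer's proposal (inside address and the 172.16.0.0/16 route carried over from the original, since the proposal did not repeat them).

```python
import ipaddress

# Added example (not from the thread): a small lint for PIX 6.3 VPN pool placement,
# encoding the rules Sorenson gives in the comments above.

# Excerpt of the asker's first config, copied from the thread and reduced to the
# statements the checks need.
ORIGINAL = """\
ip address inside 172.16.17.14 255.255.255.192
ip local pool vpnpool 172.16.17.53-172.16.17.58
access-list inside_outbound_nat0_acl permit ip 172.16.17.0 255.255.255.192 172.16.17.48 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 172.16.17.48 255.255.255.240
access-list VPN_splitTunnelAcl permit ip 172.16.17.0 255.255.255.192 any
nat (inside) 0 access-list inside_outbound_nat0_acl
route inside 172.16.0.0 255.255.0.0 172.16.17.6 2
route inside 172.16.17.64 255.255.255.248 172.16.17.59 1
vpngroup VPN address-pool vpnpool
vpngroup VPN split-tunnel VPN_splitTunnelAcl
"""

# The accepted answer's proposal (pool moved to 10.254.254.0/24); the inside address
# and the 172.16.0.0/16 route are assumed unchanged from the original config.
PROPOSED = """\
ip address inside 172.16.17.14 255.255.255.192
ip local pool vpnpool 10.254.254.1-10.254.254.254
access-list VPN_SplitTunnelACL permit ip 172.16.0.0 255.255.0.0 10.254.254.0 255.255.255.0
access-list VPN_TrafficACL permit ip 172.16.0.0 255.255.0.0 10.254.254.0 255.255.255.0
nat (inside) 0 access-list VPN_TrafficACL
route inside 172.16.0.0 255.255.0.0 172.16.17.6 2
vpngroup VPN address-pool vpnpool
vpngroup VPN split-tunnel VPN_SplitTunnelACL
"""


def parse_addr_spec(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_pix(text):
    """Pull out only the statements that matter for VPN pool placement."""
    cfg = {"inside": None, "pools": {}, "acls": {}, "nat0": None,
           "routes": [], "pool_of_group": {}, "split_of_group": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = "".join(t[4:]).split("-")      # tolerate "a - b" spacing
            cfg["pools"][t[3]] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = parse_addr_spec(t, 4)
            dst, _ = parse_addr_spec(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["nat", "(inside)", "0"] and len(t) > 4 and t[3] == "access-list":
            cfg["nat0"] = t[4]
        elif t[:2] == ["route", "inside"]:
            cfg["routes"].append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
        elif t[0] == "vpngroup" and len(t) > 3 and t[2] == "address-pool":
            cfg["pool_of_group"][t[1]] = t[3]
        elif t[0] == "vpngroup" and len(t) > 3 and t[2] == "split-tunnel":
            cfg["split_of_group"][t[1]] = t[3]
    return cfg


def covered(net, dests):
    """True if some ACE destination fully contains the pool block."""
    return any(net.subnet_of(d) for d in dests)


def check_vpn_pool(cfg, group):
    """Return a list of findings for the pool assigned to vpngroup <group>."""
    findings = []
    pool = cfg["pools"][cfg["pool_of_group"][group]]
    # 1. pool must not live on an inside subnet (the PIX never proxy-ARPs for it there)
    if cfg["inside"] and any(p.overlaps(cfg["inside"]) for p in pool):
        findings.append(f"pool {cfg['pool_of_group'][group]} overlaps the inside subnet {cfg['inside']}")
    # 2. a static "route inside" that contains the pool sends return traffic the wrong way
    for net, gw in cfg["routes"]:
        if any(p.subnet_of(net) for p in pool):
            findings.append(f"route inside {net} via {gw} covers the pool")
    # 3. nat 0 must exempt pool traffic from PAT, split-tunnel must name the pool
    nat0 = cfg["acls"].get(cfg["nat0"], [])
    if not all(covered(p, [d for _, d in nat0]) for p in pool):
        findings.append("nat 0 ACL does not exempt all pool addresses from NAT")
    split = cfg["acls"].get(cfg["split_of_group"].get(group), [])
    if not all(covered(p, [d for _, d in split]) for p in pool):
        findings.append("split-tunnel ACL does not include all pool addresses")
    return findings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(label, check_vpn_pool(parse_pix(text), "VPN") or ["clean"])
```

Against the original excerpt the script reports both of the problems Sorenson pointed out (pool inside 172.16.17.0/26, and the 172.16.0.0/16 route covering it); against the proposal it reports nothing.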

Author Comment

by:Protorian
ID: 18854208
THIS IS MY LATEST CONFIG...
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password AAAAAAAAAAA encrypted
passwd AAAAAAAAAAA
hostname DATA-VPN
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list BTLDATAVPN_SplitTunnelACL permit ip 172.16.0.0 255.255.0.0 172.16.18.0 255.255.255.248
access-list BTLDATAVPN_TrafficACL permit ip 172.16.0.0 255.255.0.0 172.17.1.0 255.255.255.248
access-list BTLDATAVPN_TrafficACL permit ip 172.16.0.0 255.255.0.0 172.16.18.0 255.255.255.248
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside B.B.B.B 255.255.255.240
ip address inside 172.16.17.14 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_POOL 172.16.18.1-172.16.18.6
pdm location 0.0.0.0 255.255.255.240 outside
pdm location 172.16.17.12 255.255.255.255 inside
pdm location 172.16.33.0 255.255.255.0 inside
pdm location 172.16.99.0 255.255.255.0 inside
pdm location 172.16.0.0 255.255.0.0 inside
pdm location 172.17.1.0 255.255.255.248 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list BTLDATAVPN_TrafficACL
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 200.32.198.1 1
route inside 172.16.33.0 255.255.255.0 172.16.17.1 1
route inside 172.16.99.0 255.255.255.0 172.16.17.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server DATA-ACS protocol tacacs+
aaa-server DATA-ACS max-failed-attempts 3
aaa-server DATA-ACS deadtime 10
aaa-server DATA-ACS (inside) host 172.16.17.12 datadep timeout 10
http server enable
http 172.16.17.0 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map ClientVPN 10 ipsec-isakmp dynamic dynmap
crypto map BTLDATAVPN 10 ipsec-isakmp dynamic dynmap
crypto map BTLDATAVPN interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup BTLDATAVPN address-pool VPN_POOL
vpngroup BTLDATAVPN dns-server 200.32.248.1
vpngroup BTLDATAVPN default-domain btl.net
vpngroup BTLDATAVPN split-tunnel BTLDATAVPN_SplitTunnelACL
vpngroup BTLDATAVPN idle-time 1800
vpngroup BTLDATAVPN password ********
telnet 172.16.17.0 255.255.255.192 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.17.15-172.16.17.62 inside
dhcpd lease 3600
dhcpd ping_timeout 750
username lguild password k11Gsr1Ph0XCVGRK encrypted privilege 15
terminal width 80
Cryptochecksum:dfc144ae7162240c039ec40457162102
: end


Author Comment

by:Protorian
ID: 18854211
The vpn connects, and everything, but cannot reach the 172.16.17.0 subnet



Author Comment

by:Protorian
ID: 18854424
When I VPN in and try to do a tracert to a router (172.16.17.6), I get all stars..

I have a route on the 172.16.17.6:  ip route 172.16.18.0 255.255.255.248 172.16.17.14 (PIX inside interface).

When I do an ipconfig, I get

172.16.18.1
255.255.0.0
and no gateway; I assume this is due to the split tunnel..



Author Comment

by:Protorian
ID: 18854431
OK..
It's working now...

In the 172.16.17.6, I had a duplicate route...

Thanks..
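The last three posts show the other half of the problem: the PIX terminated the tunnel fine, but the 3640 had to send replies for the pool back to the PIX's inside address, and whichever route it picked by longest-prefix match decided that. The script below is an added example, not part of the thread. It parses IOS "show ip route" output (handling both the "is subnetted" header form and the per-entry mask form seen in the 3640's table) and reports the route a given VPN client address would take. The table lines are excerpted from the 3640 output posted above; the static route for 172.16.18.0/29 and the duplicate line are constructed to mirror what the asker describes adding and then finding, since he did not post them.

```python
import ipaddress
import re

# Added example (not from the thread): longest-prefix lookup over "show ip route".
# Lines excerpted from the 3640 table posted in the thread.
ROUTE_TABLE = """\
Gateway of last resort is 172.16.17.14 to network 0.0.0.0

     172.16.0.0/16 is variably subnetted, 32 subnets, 5 masks
D       172.16.43.0/24 [90/20514560] via 192.168.1.22, Serial0/0.6
C       172.16.17.0/26 is directly connected, FastEthernet0/0
D       172.16.0.0/16 [90/20514560] via 192.168.30.2, Serial0/0.3
S       172.16.17.64/29 [1/0] via 172.16.17.59
     192.168.1.0/30 is subnetted, 13 subnets
C       192.168.1.20 is directly connected, Serial0/0.6
S*   0.0.0.0/0 [1/0] via 172.16.17.14
"""
# CONSTRUCTED: the static the asker says he added on 172.16.17.6 for the new pool.
STATIC_FIX = "S       172.16.18.0/29 [1/0] via 172.16.17.14\n"
# CONSTRUCTED: a second entry for the same prefix with a different next hop, standing
# in for the "duplicate route" the asker found; the real one was not posted.
DUP_LINE = "S       172.16.18.0/29 [1/0] via 172.16.17.59\n"

HEADER_RE = re.compile(r"^\s+(\d+(?:\.\d+){3})/(\d+) is (variably )?subnetted")
ENTRY_RE = re.compile(
    r"^(?P<code>[A-Z*]+(?: [A-Z]{2})?)\s+(?P<net>\d+(?:\.\d+){3})(?:/(?P<plen>\d+))?\s+(?P<rest>.*)$")
VIA_RE = re.compile(r"via (\d+(?:\.\d+){3})")


def parse_routes(text):
    """Return a list of (code, IPv4Network, next_hop) from show ip route output."""
    routes = []
    plen_default = None          # mask from the most recent "is subnetted" header
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            plen_default = None if h.group(3) else int(h.group(2))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        plen = int(m.group("plen")) if m.group("plen") else plen_default
        if plen is None:
            continue
        net = ipaddress.ip_network(f"{m.group('net')}/{plen}", strict=False)
        v = VIA_RE.search(m.group("rest"))
        routes.append((m.group("code").strip(), net, v.group(1) if v else "connected"))
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the entry the router would actually use for addr."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in routes if ip in r[1]]
    return max(candidates, key=lambda r: r[1].prefixlen) if candidates else None


def pool_return_path(routes, pool_cidr, pix_inside_ip):
    """Check that replies to a VPN pool address are forwarded to the PIX inside address."""
    probe = next(ipaddress.ip_network(pool_cidr, strict=False).hosts())
    best = lookup(routes, str(probe))
    return best, best is not None and best[2] == pix_inside_ip


def duplicate_prefixes(routes):
    """Prefixes that appear with more than one next hop."""
    seen = {}
    for _, net, nh in routes:
        seen.setdefault(net, set()).add(nh)
    return {net: nhs for net, nhs in seen.items() if len(nhs) > 1}


if __name__ == "__main__":
    base = parse_routes(ROUTE_TABLE)
    # original pool address: matched by the connected /26, so the router ARPs on the
    # LAN for a host that is really behind the PIX and the reply never leaves
    print(lookup(base, "172.16.17.53"))
    # new pool without a static: caught by the EIGRP 172.16.0.0/16 summary
    print(lookup(base, "172.16.18.1"))
    fixed = parse_routes(ROUTE_TABLE + STATIC_FIX)
    print(pool_return_path(fixed, "172.16.18.0/29", "172.16.17.14"))
    print(duplicate_prefixes(parse_routes(ROUTE_TABLE + STATIC_FIX + DUP_LINE)))
```

Run as is, it shows why both pool choices failed on the router side: 172.16.17.53 matches the directly connected /26 (no forwarding to the PIX at all), and 172.16.18.1 matches the 172.16.0.0/16 EIGRP route toward 192.168.30.2 until the more specific static toward 172.16.17.14 exists.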