• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 310
  • Last Modified:

CISCO PIX 515e vpn issue (cant ping all the hosts in the LAN)


I have another problem with the cisco pix.
the topology is like this in the network:

internet - linux router/gateway (doing NAT) - switch - local area connection
i have the pix in the local area connection but with a public ip i routed in the linux machine.
outside of the pix has a public ip
inside is in the same network as the other computers from the local area network

i managed to configure the pix, i can connect to it to the outside interface, i followed pete's tutorial and i get an ip from another subnet and everything is fine.
what it isnt fine is that i can only ping the lan hosts that have the pix as gateway, cant ping them w/o making the pix their gateway. i think i shouldve been able to ping any host from the LAN being that eth1 (inside) is directly connected to the lan.

ill copy paste the pix config now here

PIX Version 7.2(1)
hostname pix
domain-name ...
enable password ... encrypted
interface Ethernet0
 nameif outside
 security-level 0
 ip address ... ...
interface Ethernet1
 nameif inside
 security-level 100
 ip address
interface Ethernet2
 no nameif
 no security-level
 no ip address
passwd ... encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name ...
access-list vpn3000_splitTunnelAcl standard permit
access-list outside_cryptomap extended permit ip any
access-list inside_nat0_outbound extended permit ip
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool pool mask
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
global (outside) 101 ...-...
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101
route outside ... 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn3000 internal
group-policy vpn3000 attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn3000_splitTunnelAcl
 default-domain value technet.ro
username ... encrypted privilege 0
username ...attributes
 vpn-group-policy vpn3000
username ... encrypted privilege 0
 vpn-group-policy vpn3000
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool pool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key ...
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context

is there something wrong in there?
thanks a lot
  • 9
  • 5
  • 2
5 Solutions
Pete LongTechnical ConsultantCommented:
This is normal behaviour :( you could try Port forwarding

UDP 4500 Nat-Traversal*
TCP 10000 (Cisco VPN clients can use this port if its been set on the client)
Protocol 50 (ESP)

back to the PIX - from the router but Im not sure that would work either

lyncksAuthor Commented:
you mean port forwarding on the linux router?
and what did you mean with the last thing?
i didnt understand

Given that your vpn clients get an ip address in a different ip subnet from the rest of the LAN, then of course only those that have the pix as their gateway can be accessed.
Add a static route on the Linux box for the subnet you give the clients from the local pool - and make sure the PIX inside IP is the gateway.
The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

lyncksAuthor Commented:
that seems like a good idea.
quick question, if i change it so that the vpn clients get an ip from the same subnet, will the packets be routed through the pix w/o setting the inside_pix ip to the other computers in the LAN?
lyncksAuthor Commented:
just tried what i said earlier
ive excluded a block of 20 ips from the lan dhcp server and put those 20 ips in the pool of the cisco pix.
ive setup the pix to not do any nat/pat and now i can ping any host in the lan (pix is in routed mode).

now i have an issue that keeps bugging me and had it from the beggining. the connection breaks after 3-4 minutes and i have no idea why
this is what i get in the cisco client log

105    17:08:52.609  08/02/07  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=7293FD6EE4310FEE R_Cookie=8CDFACC0CCCB8A8E) reason = DEL_REASON_PEER_NOT_RESPONDING

106    17:08:52.609  08/02/07  Sev=Info/4      IKE/0x63000013

107    17:08:53.109  08/02/07  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=7293FD6EE4310FEE R_Cookie=8CDFACC0CCCB8A8E) reason = DEL_REASON_PEER_NOT_RESPONDING

108    17:08:53.109  08/02/07  Sev=Info/4      CM/0x63100013
Phase 1 SA deleted cause by DEL_REASON_PEER_NOT_RESPONDING.  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

could it be the 3g connection, but i doubt that cause it has random moments when it disconnects.
thanks a lot
Don't do it. Best practice is to use a different IP subnet for the VPN clients to draw from. That's the only way the required acls can make any sense.
Simply add the route to the Linux box (I'm assuming it is the default gateway for the other systems) and you should be good to go.
lyncksAuthor Commented:
weird thing happens now.
i can ping any host in the lan, but i cant connect to any of them, it just hangs there. am i missing something?
lyncksAuthor Commented:
how can i add that route exactly?
the vpn client pool is
the lan block is
from where to wehre should i add it?
I don't know that much about linux, but you should have a network setup interface where you can add static routes.
metric  1
lyncksAuthor Commented:
finally your first reply made sense, i think im too stressed out right now as in a few hours some clients come to see this stuff working
so you want me to add on the linux router a route to through (inside ip of the pix)

thanks a lot for the replies if this was the answer
Yes, that is exactly what you need to do.
lyncksAuthor Commented:
thanks a lot guys, that makes sense a lot now, i must wait a few hours before i can do that, only big boss has access to the linux router...
Pete LongTechnical ConsultantCommented:
Thanks  - Sorry for dissapearing (work), but you were in much better hands

Glad you are fixed :)

lyncksAuthor Commented:
quick question here:
on the linux gateway there is another LAN network in a different subnet.
what must i do to be able to ping that network too?
add that network to the split tunnel acl
add that network to the nat0 acl
add a route statement on the PIX
  route inside some.other.net.0 10.10.18.linux
lyncksAuthor Commented:
hi lrmoore.
it worked, just seen you replied here
i already had opened another question and please put this answer there so i can give you those 500 points
thanks a lot

Featured Post

The Growing Need for Data Analysts

As the amount of data rapidly increases in our world, so does the need for qualified data analysts. WGU's MS in Data Analytics and maximize your leadership opportunities as a data engineer, business analyst, information research scientist, and more.

  • 9
  • 5
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now