We help IT Professionals succeed at work.

VPN to pix 506e NAT issue

DCProfessional
on
1,505 Views
Last Modified: 2013-11-05
I know there are a million questions and answers on this topic -- however this is for a network of 200+ users in a doctors office with remote locations...and if I make one wrong mode and I'm toast :)

I've setup a VPN connection, and it connects...but i can't ping or do any traffic.

Now, I know it's an ACL issue...but I'm not confident on playing with this and not breaking it.


Currently, this is the entries I entered through ssh for VPN connection (And by enter, I mean PDM doesn't work too well on that pix so I have to do it off of my previous configs)




vpngroup XXXXeyedoctors password *****
ip local pool XXXXeyevpn 10.10.4.10-10.10.4.14
vpngroup XXXXeyedoctors address-pool XXXXeyevpn
vpngroup XXXXeyedoctors dns-server 10.10.3.2
vpngroup XXXXeyedoctors wins-server 10.10.3.2
vpngroup XXXXeyedoctors default-domain XXXXeye.local
isakmp policy 21 authen pre-share
isakmp policy 21 encrypt 3des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp enable outside
access-list XXXXeyedoctors_splitTunnelAcl permit ip 10.10.3.0 255.255.255.0  any
access-list no-nat line 5 permit ip 10.10.3.0 255.255.255.0  10.10.4.8 255.255.255.248
nat (inside) 0 access-list no-nat
access-list outside_cryptomap_dyn_20 permit ip any  10.10.4.8 255.255.255.248
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 86400 kilobytes 50000
crypto map leevpnmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map leevpnmap interface outside
vpngroup XXXXeyedoctors split-tunnel XXXXeyedoctors_splitTunnelAcl
sysopt connection permit-ipsec
      
Comment
Watch Question

Systems Architect
CERTIFIED EXPERT
Top Expert 2008
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
Didn't work -- still can't ping internal IP.

This site has two site to site pix VPN tunnels to it.


: Saved
: Written by enable_15 at 11:49:38.137 UTC Fri Aug 17 2007
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **************** encrypted
passwd ********** encrypted
hostname PixVilXXX
domain-name XXXXEye.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service RDP tcp
  port-object range 3389 3389
access-list leevpn permit ip 10.10.1.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list leevpn permit ip 10.10.3.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list no-nat permit ip 10.10.3.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list no-nat permit ip 10.10.1.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list no-nat permit ip 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list no-nat permit ip 10.10.3.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list no-nat permit ip 10.10.3.0 255.255.255.0 10.10.4.8 255.255.255.248
access-list eusvpn permit ip 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list eusvpn permit ip 10.10.3.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list out2in permit tcp any interface outside eq 3389
access-list out2in permit tcp any interface outside eq 3390
access-list XXXXeyedoctors_splitTunnelAcl permit ip 10.10.3.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 10.10.4.8 255.255.255.248
pager lines 24
logging on
logging console debugging
logging monitor notifications
mtu outside 1500
mtu inside 1500
ip address outside 12.15x.xx.xx 255.255.255.240
ip address inside 10.10.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool XXXXeyevpn 10.10.4.10-10.10.4.14
pdm location 10.10.1.0 255.255.255.0 inside
pdm location 10.10.2.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.10.1.0 255.255.255.0 outside
pdm location 10.10.2.0 255.255.255.0 outside
pdm location 10.10.3.0 255.255.255.0 outside
pdm location 10.10.3.3 255.255.255.255 inside
pdm location 10.10.3.6 255.255.255.255 inside
pdm location 10.10.3.200 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) udp interface 3390 10.10.3.6 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.10.3.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3390 10.10.3.200 3390 netmask 255.255.255.255 0 0
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 12.15x.xx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside 204.15.13x.xxx /villXXXXeye.cfg
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set leevpnset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map leevpnmap 2 ipsec-isakmp
crypto map leevpnmap 2 match address leevpn
crypto map leevpnmap 2 set peer 12.15x.xx.xxx
crypto map leevpnmap 2 set transform-set leevpnset
crypto map leevpnmap 3 ipsec-isakmp
crypto map leevpnmap 3 match address eusvpn
crypto map leevpnmap 3 set peer 12.154.16.162
crypto map leevpnmap 3 set transform-set leevpnset
crypto map leevpnmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map leevpnmap interface outside
isakmp enable outside
isakmp key ******** address 12.15x.xx.xxx netmask 255.255.255.255
isakmp key ******** address 12.15x.xx.xxx netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
vpngroup XXXXeyedoctors address-pool XXXXeyevpn
vpngroup XXXXeyedoctors dns-server 10.10.3.2
vpngroup XXXXeyedoctors wins-server 10.10.3.2
vpngroup XXXXeyedoctors default-domain XXXXeye.local
vpngroup XXXXeyedoctors split-tunnel XXXXeyedoctors_splitTunnelAcl
vpngroup XXXXeyedoctors idle-time 1800
vpngroup XXXXeyedoctors password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd address 10.10.3.21-10.10.3.254 inside
dhcpd dns 10.10.3.2 12.18x.xx.xxx
dhcpd wins 10.10.1.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain XXXXEye.local
dhcpd auto_config outside
dhcpd enable inside
username cflhd password ************* encrypted privilege 2
terminal width 80
Cryptochecksum:125fb6c8127fb78fe73b463f8d6f3b89

Author

Commented:
let me correct, it does work! :) I just cant ping
Les MooreSystems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
You still have "any" in your crypto acl. It is imperative that you change this.
>access-list outside_cryptomap_dyn_20 permit ip any 10.10.4.8 255.255.255.248

You did not make the change I suggested.

And I don't see these entries that need to be there:
 
 isakmp nat-traversal 20
 isakmp identity address

Author

Commented:
I did make the changes, I just posted a previous config as I didn't feel like changing tftp :)
You trying to ping my name or ip and what address are you trying to ping? A new config will help

Author

Commented:
Brian,

Pinging by both IP and hostname.

The config above is correct, just adding what lrmoore told me to add :)
If you made the corrections that lrmoore stated above, I see no reason why it wouldn't work. What is your subnet at the remote client end?

Author

Commented:
Well, I'm not too concerned with pinging as I am with the functionality of the VPN, which lrmoore did help resolve.

Thanks to all.
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.