wcstrategy

Problem getting remote VPN working on PIX 506E

I am having trouble configuring a remote VPN client for a Cisco PIX 506.  We had a contractor set up tunnels between our site and several others that work, but he did not set up anything for remote VPN clients.  I am not very knowledgeable on configuring network devices, but I would like to get this working.  Thus far I am just using the PDM and used the wizard to create the VPN.  I can get connected and authenticated fine using a version 4.7 client, but once connected I cannot get to anything on the internal network (I had tried pinging the DNS servers at 192.168.12.5 and 192.168.12.6).  I am sort of suspicious of the one line in the below config that seems (to my limited knowledge) to associate part of our internal network with the outside interface.  That line is "pdm location 192.168.12.0 255.255.255.192 outside".

Can someone look at this config and tell me what might be wrong?  I would rather not wait until the consultant gets back from vacation next week to get this working.

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ##hidden## encrypted
passwd ##hidden## encrypted
hostname WCS-PIX506
domain-name mydomain.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.12.5 RADIUS
object-group network ONE-NETS
  network-object 192.168.50.0 255.255.255.0
  network-object 192.168.1.0 255.255.255.0
  network-object 172.31.0.0 255.255.255.0
  network-object 172.29.9.0 255.255.255.0
object-group network TWO-NETS
  network-object 192.168.8.0 255.255.252.0
object-group network WCS-NETS
  network-object 192.168.12.0 255.255.255.0
object-group network REMOTE-NETS
  group-object ONE-NETS
  group-object TWO-NETS
object-group service VPN-Site2Site-TCP tcp
  port-object eq www
  port-object eq https
  port-object eq imap4
  port-object eq smtp
  port-object eq domain
  port-object eq telnet
  port-object eq 135
  port-object eq ldap
  port-object eq 379
  port-object eq 3268
object-group service VPN-Site2Site-UDP udp
  port-object eq domain
  port-object eq 135
access-list ACL-OUTSIDE permit icmp any any
access-list ACL-OUTSIDE permit tcp object-group REMOTE-NETS object-group WCS-NETS object-group VPN-Site2Site-TCP
access-list ACL-OUTSIDE permit udp object-group REMOTE-NETS object-group WCS-NETS object-group VPN-Site2Site-UDP
access-list ACL-OUTSIDE permit icmp object-group REMOTE-NETS object-group WCS-NETS
access-list ACL-OUTSIDE permit icmp any any echo-reply
access-list ACL-OUTSIDE permit icmp any any unreachable
access-list ACL-OUTSIDE permit icmp any any time-exceeded
access-list ACL-VPN-WCS2ONE permit ip object-group WCS-NETS object-group ONE-NETS
access-list NO-NAT permit ip object-group WCS-NETS object-group ONE-NETS
access-list NO-NAT permit ip object-group WCS-NETS object-group TWO-NETS
access-list NO-NAT permit ip any 192.168.12.0 255.255.255.192
access-list NO-NAT permit ip 192.168.12.0 255.255.254.0 192.168.14.0 255.255.255.128
access-list ACL-VPN-WCS2TWO permit ip object-group WCS-NETS object-group TWO-NETS
access-list WCS_users_splitTunnelAcl permit ip 192.168.12.0 255.255.254.0 any
access-list outside_cryptomap_dyn_580 permit ip any 192.168.14.0 255.255.255.128
pager lines 24
logging on
logging timestamp
logging buffered errors
logging trap debugging
logging history notifications
mtu outside 1500
mtu inside 1500
ip address outside 68.178.79.236 255.255.255.248
ip address inside 192.168.12.2 255.255.254.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.14.1-192.168.14.254 mask 255.255.255.0
pdm location 69.10.64.0 255.255.255.0 inside
pdm location 69.10.64.0 255.255.255.0 outside
pdm location 172.29.9.0 255.255.255.0 outside
pdm location 172.31.0.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.8.0 255.255.252.0 outside
pdm location 192.168.50.0 255.255.255.0 outside
pdm location RADIUS 255.255.255.255 inside
pdm location 192.168.12.0 255.255.255.0 inside
pdm location 192.168.14.0 255.255.255.128 outside
pdm location 192.168.12.0 255.255.255.192 outside
pdm group WCS-NETS inside
pdm group ONE-NETS outside
pdm group TWO-NETS outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group ACL-OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 68.178.79.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server WCSDC01 protocol radius
aaa-server WCSDC01 max-failed-attempts 3
aaa-server WCSDC01 deadtime 10
aaa-server WCSDC01 (inside) host RADIUS ##hidden## timeout 10
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
ntp server 192.5.41.40 source outside
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 500 set transform-set 3DES-MD5
crypto dynamic-map DYNMAP 520 set transform-set 3DES-MD5
crypto dynamic-map DYNMAP 540 set transform-set 3DES-MD5
crypto dynamic-map DYNMAP 560 set transform-set 3DES-MD5
crypto dynamic-map DYNMAP 580 match address outside_cryptomap_dyn_580
crypto dynamic-map DYNMAP 580 set transform-set 3DES-MD5
crypto map VPN-MAP-OUT 101 ipsec-isakmp
crypto map VPN-MAP-OUT 101 match address ACL-VPN-WCS2ONE
crypto map VPN-MAP-OUT 101 set peer 147.31.204.97
crypto map VPN-MAP-OUT 101 set transform-set ESP-3DES-MD5
crypto map VPN-MAP-OUT 102 ipsec-isakmp
crypto map VPN-MAP-OUT 102 match address ACL-VPN-WCS2TWO
crypto map VPN-MAP-OUT 102 set peer 216.143.158.99
crypto map VPN-MAP-OUT 102 set transform-set ESP-3DES-MD5
crypto map VPN-MAP-OUT 500 ipsec-isakmp dynamic DYNMAP
crypto map VPN-MAP-OUT client authentication RADIUS
crypto map VPN-MAP-OUT interface outside
isakmp enable outside
isakmp key ******** address 147.31.204.97 netmask 255.255.255.255
isakmp key ******** address 216.143.158.99 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 3
isakmp nat-traversal 30
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash md5
isakmp policy 3 group 2
isakmp policy 3 lifetime 86400
vpngroup WCS_users address-pool VPNPool
vpngroup WCS_users dns-server WCSDC01 192.168.12.6
vpngroup WCS_users wins-server WCSDC01 192.168.12.6
vpngroup WCS_users default-domain myADdomain.com
vpngroup WCS_users split-tunnel WCS_users_splitTunnelAcl
vpngroup WCS_users idle-time 1800
vpngroup WCS_users password ********
telnet 192.168.12.0 255.255.255.0 inside
telnet timeout 5
ssh 69.10.64.0 255.255.255.0 outside
ssh 69.10.64.0 255.255.255.0 inside
ssh 192.168.12.0 255.255.255.0 inside
ssh timeout 10
management-access inside
console timeout 0
username ##user1## password ##hidden## encrypted privilege 15
username ##user2## password ##hidden## encrypted privilege 15
username ##user3## password ##hidden## encrypted privilege 15
terminal width 80
Cryptochecksum:##hidden##
: end
[OK]


Les Moore

It looks like you have all the required entries...
Let's check them off -

Vpn pool addresses different from local LAN subnet? Check
    ip local pool VPNPool 192.168.14.1-192.168.14.254 mask 255.255.255.0

VPN pool added to the NO_NAT acl? Check, but you might want to review the netmask
  access-list NO-NAT permit ip 192.168.12.0 255.255.254.0 192.168.14.0 255.255.255.128
 Suggest perhaps:
  access-list NO-NAT permit ip 192.168.12.0 255.255.254.0 192.168.14.0 255.255.255.0
                                                                                   ^
Acl applied to nat 0 ? - Check
 nat (inside) 0 access-list NO-NAT

Split-tunnel applied correctly?
 vpngroup WCS_users split-tunnel WCS_users_splitTunnelAcl
 access-list WCS_users_splitTunnelAcl permit ip 192.168.12.0 255.255.254.0 any
Suggest (copy/paste this into PDM Tools/Command line/multiline):
 no access-list WCS_users_splitTunnelAcl permit ip 192.168.12.0 255.255.254.0 any
 access-list WCS_users_splitTunnelAcl permit ip 192.168.12.0 255.255.254.0 192.168.14.0 255.255.255.0
 vpngroup WCS_users split-tunnel WCS_users_splitTunnelAcl

Nat traversal allowed? Check
 isakmp nat-traversal 30

>pdm location 192.168.12.0 255.255.255.192 outside
This is irrelevant to the function of the PIX. You can delete it if you want.
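
The netmask point in the checklist above, as an added example (not code from the thread): it reads the pool and ACL lines from the posted configuration and lists which pool addresses each ACL fails to match. The function names are made up for this example, and only ACL entries with literal networks are parsed.

```python
import ipaddress
import re

# Literal-network lines copied from the posted config (NO-NAT object-group entries omitted).
CONFIG = """\
access-list NO-NAT permit ip any 192.168.12.0 255.255.255.192
access-list NO-NAT permit ip 192.168.12.0 255.255.254.0 192.168.14.0 255.255.255.128
access-list outside_cryptomap_dyn_580 permit ip any 192.168.14.0 255.255.255.128
ip address inside 192.168.12.2 255.255.254.0
ip local pool VPNPool 192.168.14.1-192.168.14.254 mask 255.255.255.0
"""

def _take_network(tokens):
    """Pop 'any' or '<address> <netmask>' off the front of tokens."""
    if tokens[0] == "any":
        del tokens[0]
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = tokens[0], tokens[1]
    del tokens[:2]
    return ipaddress.ip_network(f"{addr}/{mask}")

def acl_destinations(config, acl):
    """Destination network of every 'permit ip' entry in the named ACL."""
    dests = []
    for line in config.splitlines():
        m = re.match(rf"access-list {re.escape(acl)} permit ip (.+)", line)
        if m:
            tokens = m.group(1).split()
            _take_network(tokens)               # source, not needed here
            dests.append(_take_network(tokens))
    return dests

def vpn_pool(config):
    """First and last address of the 'ip local pool' range."""
    m = re.search(r"ip local pool \S+ (\S+)-(\S+)", config)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def uncovered(config, acl):
    """Pool addresses that no entry of the ACL matches as a destination."""
    first, last = vpn_pool(config)
    dests = acl_destinations(config, acl)
    pool = (ipaddress.ip_address(i) for i in range(int(first), int(last) + 1))
    return [a for a in pool if not any(a in d for d in dests)]

def pool_overlaps_lan(config):
    m = re.search(r"ip address inside (\S+) (\S+)", config)
    lan = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return any(n.overlaps(lan) for n in ipaddress.summarize_address_range(*vpn_pool(config)))
```

Run against the posted lines, both `NO-NAT` and `outside_cryptomap_dyn_580` leave the upper half of the pool unmatched, so the same mask review applies to the dynamic-map ACL.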


wcstrategy

ASKER

I made your suggested changes, but unfortunately nothing changed.  Once connected remotely I was unable to ping any internal addresses.  If it helps, I did a route print from my laptop while I was connected to the VPN:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.17       25
    68.178.79.236  255.255.255.255      192.168.0.1    192.168.0.17       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0     192.168.0.17    192.168.0.17       25
      192.168.0.1  255.255.255.255     192.168.0.17    192.168.0.17       1
     192.168.0.17  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.0.255  255.255.255.255     192.168.0.17    192.168.0.17       25
     192.168.12.0    255.255.254.0     192.168.14.1    192.168.14.1       1
     192.168.14.0    255.255.255.0     192.168.14.1    192.168.14.1       25
     192.168.14.1  255.255.255.255        127.0.0.1       127.0.0.1       25
   192.168.14.255  255.255.255.255     192.168.14.1    192.168.14.1       25
        224.0.0.0        240.0.0.0     192.168.0.17    192.168.0.17       25
        224.0.0.0        240.0.0.0     192.168.14.1    192.168.14.1       25
  255.255.255.255  255.255.255.255     192.168.0.17    192.168.0.17       1
  255.255.255.255  255.255.255.255     192.168.14.1    192.168.14.1       1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None

How about what is in the VPN client status pages? Protected networks and local networks?
It looks like everything should be working. What kind of router/modem do you have on the client side? Does it support IPSEC passthrough?
Client is Vista or XP?
>version 4.7 client
Suggest upgrading to 4.8 or 5.0 client and trying again

I'm not positive what you mean by the client status pages.

I have tried this remotely via a local unsecured WAP that is apparently some sort of Actiontech, and at home through a Dlink that I know passes IPSEC (I used the Cisco VPN at a previous job through the same router).

Clients have both been XP, not Vista.

I am trying to get my hands on an updated client, but it will probably be next week.

While connected to the VPN, I can ping the internal IP address (192.168.12.2) of the Pix as well as the 192.168.14.1 address it assigned me when I connected, but nothing else internally.  External connections work so split tunneling must be working.  Does this help suggest the cause of my problem?

Status pages: when you launch the client and connect, on the VPN client interface there is a Status menu link at the top. Select Status | Statistics
Tunnel Details | Route Details
 Do you see number of bytes received and sent increasing?
               | Route Details
 What networks do you see in the two columns?

If you can only access the inside IP of the PIX and nothing else, and every indication is that you should be able to access anything on the 192.168.12.x LAN, then the next question is: What is the default gateway of the LAN devices that you are trying to access?
Can you provide output of "C:\>route print" from one of the servers/pcs on the inside lan?


Here is a route print for a LAN PC.  Internal clients have a gateway of 192.168.12.1 (our older Sonicwall), while the Pix is at 192.168.12.2.

===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.12.1  192.168.12.151       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.12.0    255.255.254.0   192.168.12.151  192.168.12.151       20
   192.168.12.151  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.12.255  255.255.255.255   192.168.12.151  192.168.12.151       20
        224.0.0.0        240.0.0.0   192.168.12.151  192.168.12.151       20
  255.255.255.255  255.255.255.255   192.168.12.151  192.168.12.151       1
  255.255.255.255  255.255.255.255   192.168.12.151               3       1
Default Gateway:      192.168.12.1
===========================================================================
Persistent Routes:
  None

ASKER CERTIFIED SOLUTION
Les Moore

This solution is only available to members.
That was the problem!  I should have known this as I had to create routes on the Sonicwall for the VPN tunnels to the other offices.  Thanks a lot for your help!
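
The return-path question raised in the thread (which gateway a LAN host uses to answer a VPN pool address), as an added example that is not part of the original posts: a longest-prefix lookup over the LAN PC's posted route table. The extra route passed in the second lookup is a constructed entry, and the example does not model which device it would be configured on.

```python
import ipaddress

# Active routes from the LAN PC's "route print" posted in the thread
# (destination, netmask, gateway); metrics are ignored in this sketch.
LAN_PC_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.12.1"),
    ("127.0.0.0", "255.0.0.0", "127.0.0.1"),
    ("192.168.12.0", "255.255.254.0", "192.168.12.151"),
    ("192.168.12.151", "255.255.255.255", "127.0.0.1"),
    ("192.168.12.255", "255.255.255.255", "192.168.12.151"),
    ("224.0.0.0", "240.0.0.0", "192.168.12.151"),
    ("255.255.255.255", "255.255.255.255", "192.168.12.151"),
]
PIX_INSIDE = "192.168.12.2"    # "ip address inside" in the posted config
LAN_GATEWAY = "192.168.12.1"   # the Sonicwall, per the asker

# Constructed route for the VPN pool via the PIX inside address (assumption).
POOL_ROUTE = ("192.168.14.0", "255.255.255.0", PIX_INSIDE)

def next_hop(routes, destination):
    """Longest-prefix match: return (gateway, matched network) or None."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, mask, gateway in routes:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if dst in network and (best is None or network.prefixlen > best[1].prefixlen):
            best = (gateway, network)
    return best

def reply_path(routes, vpn_client):
    """Classify where a reply to a VPN client address is sent first."""
    hop = next_hop(routes, vpn_client)
    if hop is None:
        return "no-route"
    if hop[0] == PIX_INSIDE:
        return "pix"
    return "lan-default-gateway" if hop[0] == LAN_GATEWAY else "other"

if __name__ == "__main__":
    print(reply_path(LAN_PC_ROUTES, "192.168.14.1"))                 # posted table
    print(reply_path(LAN_PC_ROUTES + [POOL_ROUTE], "192.168.14.1"))  # with pool route
```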