toddlemay
asked on
VPN not allowing access to correct remote subnet
I am having a problem with the remote access VPN that we have set up on our PIX515E running IOS 7.2(2). The problem is that the VPN clients need to be able to access 10.100.0.0 255.255.0.0, but right now they can only access 10.100.1.0 255.255.255.0, which is the subnet of our inside interface. When we originally set up the VPN on the PIX, it was working the way that it needs to; something over the past few months has caused this to stop working. The only thing that I can think of is the failover that we have implemented. When the secondary PIX boots up, I get the warning "WARNING: tunnel-group <PhoenixVPN> does not exist", but when I do a show run, it appears to be configured. I am probably just missing something simple; any help would be appreciated.
Here is a show run; some items have been removed. Let me know if I removed something that is needed...
PIX Version 7.2(2)
!
hostname AZ-PIX01
names
!
interface Ethernet0
nameif Outside
security-level 0
ip address x.x.x.98 255.255.255.0 standby x.x.x.99
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.100.1.20 255.255.255.0 standby 10.100.1.19
!
interface Ethernet2
nameif Net_ASPx
security-level 60
ip address 172.16.24.2 255.255.255.0 standby 172.16.24.3
!
interface Ethernet3
nameif SVS_GiftCard
security-level 60
ip address 172.16.25.1 255.255.255.0 standby 172.16.25.6
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
description STATE Failover Interface
!
ftp mode passive
clock timezone Arizona -7
clock summer-time MST recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server AZ-DC01
domain-name XXXXX.Local
access-list Net_ASPx extended permit tcp 137.66.248.0 255.255.248.0 172.16.24.0 255.255.255.0 eq lpd
access-list Net_ASPx extended permit tcp 137.66.248.0 255.255.248.0 172.16.24.0 255.255.255.0 eq 9100
access-list Net_ASPx extended permit icmp 137.66.248.0 255.255.248.0 172.16.24.0 255.255.255.0
access-list Net_ASPx extended permit icmp any any echo-reply
access-list Outside_In extended permit tcp any host x.x.x.101 eq 1433
access-list Outside_In extended permit icmp any any echo-reply
access-list Outside_In extended permit tcp any host x.x.x.101 eq ftp
access-list Outside_In extended permit tcp any host x.x.x.101 eq ftp-data
access-list Outside_In extended permit tcp any host x.x.x.109 eq 1433
access-list Outside_In extended permit tcp any host x.x.x.109 eq ftp
access-list Outside_In extended permit tcp any host x.x.x.109 eq ftp-data
access-list Outside_In extended permit icmp any any
access-list Outside_In extended permit tcp any host x.x.x.100 eq www
access-list Outside_In extended permit tcp any host x.x.x.100 eq https
access-list Outside_In extended permit tcp any host x.x.x.100 eq smtp
access-list Outside_In extended permit tcp any host x.x.x.102 eq ssh
access-list Outside_In extended permit tcp any host x.x.x.102 eq smtp
access-list svs_giftcard extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.100.0.0 255.255.0.0 10.100.2.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 10.100.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list PhoenixVPN_splitTunnelAcl standard permit 10.100.0.0 255.255.0.0
access-list VPN_Outside_In extended permit ip 10.100.2.0 255.255.255.0 10.100.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
logging class ip asdm debugging
mtu Outside 1500
mtu inside 1500
mtu Net_ASPx 1500
mtu SVS_GiftCard 1500
ip local pool VPN 10.100.2.1-10.100.2.254 mask 255.255.255.0
failover
failover link Failover Ethernet5
failover interface ip Failover 172.16.26.1 255.255.255.0 standby 172.16.26.2
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (Outside) 1 interface
global (Net_ASPx) 1 172.16.24.4-172.16.24.199
global (SVS_GiftCard) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.100.0.0 255.255.0.0
static (inside,Net_ASPx) 172.16.24.201 10.100.1.201 netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.203 PRN_IKON2 netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.206 PRN_HRCANN netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.250 PRN_PRCHECK netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.251 10.100.1.251 netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.221 PRN_HP4SI netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.204 PRN_HP5SI netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.200 PRN_TOSHIBA1 netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.230 PRN_IKON1 netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.21 10.100.1.21 netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.22 10.100.1.22 netmask 255.255.255.255
static (inside,Outside) x.x.x.101 MSSQL netmask 255.255.255.255
static (inside,Outside) x.x.x.109 TESTSQL netmask 255.255.255.255
static (inside,Outside) x.x.x.100 az-mail01 netmask 255.255.255.255
static (inside,Outside) x.x.x.102 Barracuda_PHX netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.240 10.100.1.240 netmask 255.255.255.255
access-group Outside_In in interface Outside
access-group Net_ASPx in interface Net_ASPx
access-group svs_giftcard in interface SVS_GiftCard
route Outside 0.0.0.0 0.0.0.0 x.x.x.97 1
route inside 10.100.0.0 255.255.0.0 10.100.1.225 1
route inside 172.28.16.33 255.255.255.255 Cisco_Frame 1
route inside 192.168.1.0 255.255.255.0 10.100.1.17 1
route inside 192.168.254.0 255.255.255.0 10.100.1.17 1
route Net_ASPx 137.66.253.0 255.255.255.0 Net_ASPx_CiscoVPN 1
route Net_ASPx 137.66.128.0 255.255.128.0 Net_ASPx_CiscoVPN 1
route SVS_GiftCard 66.20.45.228 255.255.255.255 172.16.25.2 1
route SVS_GiftCard 66.20.45.237 255.255.255.255 172.16.25.2 1
route SVS_GiftCard 66.20.45.238 255.255.255.255 172.16.25.2 1
route SVS_GiftCard 216.72.27.0 255.255.255.0 172.16.25.2 1
route SVS_GiftCard 216.76.27.210 255.255.255.255 172.16.25.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server VPN protocol radius
aaa-server VPN host AZ-DC01
timeout 5
key
group-policy PhoenixVPN internal
group-policy PhoenixVPN attributes
wins-server value 10.100.1.3
dns-server value 10.100.1.3 192.168.1.14
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter value VPN_Outside_In
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp enable
group-lock value PhoenixVPN
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PhoenixVPN_splitTunnelAcl
default-domain value x.local
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem enable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools value VPN
client-firewall none
http server enable
http 10.100.1.4 255.255.255.255 inside
http 10.100.1.254 255.255.255.255 inside
http 10.100.2.0 255.255.255.0 inside
http 10.100.3.0 255.255.255.0 inside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set peer y.y.y.180
crypto map Outside_map 20 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5
crypto map Outside_map 20 set security-association lifetime seconds 86400
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group y.y.y.180 type ipsec-l2l
tunnel-group y.y.y.180 ipsec-attributes
pre-shared-key *
tunnel-group PhoenixVPN type ipsec-ra
tunnel-group PhoenixVPN general-attributes
address-pool VPN
authentication-server-group VPN
accounting-server-group VPN
default-group-policy PhoenixVPN
tunnel-group PhoenixVPN ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication (inside) none
tunnel-group PhoenixVPN ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
telnet timeout 5
ssh 10.100.1.0 255.255.255.0 inside
ssh 10.100.2.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
!
service-policy global_policy global
ntp authenticate
ntp server 192.43.244.18 prefer
prompt hostname context priority state
: end
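The pieces of this config that decide which inside subnets a remote-access client can reach are the address pool, the nat 0 exemption, the split-tunnel list, the vpn-filter and the inside route, and they can be cross-checked mechanically. The Python below is an added example, not part of the original post or any Cisco tooling: it parses those lines as quoted from the show run above, reports which piece would block a given destination, and also notes that the pool 10.100.2.0/24 is carved out of 10.100.0.0/16, so the inside router at 10.100.1.225 must carry a return route for the pool toward the PIX. The function names and finding codes are my own.

```python
import ipaddress

# Constructed input: the lines of the posted "show run" that decide what a VPN client can reach.
CONFIG = """\
ip local pool VPN 10.100.2.1-10.100.2.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.0.0 255.255.0.0 10.100.2.0 255.255.255.0
access-list PhoenixVPN_splitTunnelAcl standard permit 10.100.0.0 255.255.0.0
access-list VPN_Outside_In extended permit ip 10.100.2.0 255.255.255.0 10.100.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
route inside 10.100.0.0 255.255.0.0 10.100.1.225 1
 vpn-filter value VPN_Outside_In
 split-tunnel-network-list value PhoenixVPN_splitTunnelAcl
"""
def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
def parse(cfg):
    """Collect ACL entries as (src, dst) networks plus the VPN-relevant settings."""
    acls, info = {}, {"routes": []}
    for t in (line.split() for line in cfg.splitlines()):
        if t[:3] == ["ip", "local", "pool"]:
            info["pool"] = net(t[4].split("-")[0], t[6])  # pool subnet from its mask
        elif t[:1] == ["access-list"] and t[2] == "standard":
            acls.setdefault(t[1], []).append((None, net(t[4], t[5])))
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
        elif t[:3] == ["nat", "(inside)", "0"]:
            info["nat0"] = t[4]
        elif t[:2] == ["route", "inside"]:
            info["routes"].append(net(t[2], t[3]))
        elif t[:1] in (["vpn-filter"], ["split-tunnel-network-list"]):
            info[t[0]] = t[2]
    return acls, info

def check_reachability(cfg, target):
    """Return a code for each piece of the config that would stop VPN clients reaching target."""
    acls, info = parse(cfg)
    pool, target = info["pool"], ipaddress.ip_network(target)
    entries = lambda key: acls.get(info.get(key), [])
    findings, vf = [], entries("vpn-filter")
    # Clients only send the target into the tunnel if the split-tunnel list covers it.
    if not any(target.subnet_of(d) for _, d in entries("split-tunnel-network-list")):
        findings.append("split-tunnel")
    # Without a nat 0 entry for target -> pool the PIX would NAT the inside-to-client traffic.
    if not any(target.subnet_of(s) and pool.subnet_of(d) for s, d in entries("nat0")):
        findings.append("nat0")
    # vpn-filter entries are written client -> protected network and apply in both directions.
    if vf and not any(pool.subnet_of(s) and target.subnet_of(d) for s, d in vf):
        findings.append("vpn-filter")
    if not any(target.subnet_of(r) for r in info["routes"]):
        findings.append("route")
    # Pool carved out of the protected range: the inside router needs a return route for it.
    if pool.subnet_of(target):
        findings.append("pool-inside-target")
    return findings
```

On the posted config a destination inside 10.100.0.0/16 passes every check, and only the pool-overlap observation is reported; a destination such as 192.168.1.0/24 trips all four checks because none of the VPN lists mention it.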
Sorry, ignore my last post....
ASKER
Perfect! I can't believe I didn't think of that.
You should add the following also to Outside_20_cryptomap
access-list Outside_20_cryptomap line 2 permit ip 10.100.0.0 255.255.255.0 192.168.1.0 255.255.255.0
Regards