
VPN not allowing access to correct remote subnet

I am having a problem with the remote access VPN that we have set up on our PIX515E running IOS 7.2(2). The problem is that the VPN clients need to be able to access 10.100.0.0 255.255.0.0, but right now they can only access 10.100.1.0 255.255.255.0, which is the subnet of our inside interface. When we originally set up the VPN on the PIX, it was working the way that it needs to; something over the past few months has caused this to stop working. The only thing that I can think of is the failover that we have implemented. When the secondary PIX boots up, I get the warning "WARNING: tunnel-group <PhoenixVPN> does not exist", but when I do a show run, it appears to be configured. I am probably just missing something simple; any help would be appreciated.

Here is a show run; some items have been removed. Let me know if I removed something that is needed...

PIX Version 7.2(2)
!
hostname AZ-PIX01
names
!
interface Ethernet0
 nameif Outside
 security-level 0
 ip address x.x.x.98 255.255.255.0 standby x.x.x.99
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.100.1.20 255.255.255.0 standby 10.100.1.19
!
interface Ethernet2
 nameif Net_ASPx
 security-level 60
 ip address 172.16.24.2 255.255.255.0 standby 172.16.24.3
!
interface Ethernet3
 nameif SVS_GiftCard
 security-level 60
 ip address 172.16.25.1 255.255.255.0 standby 172.16.25.6
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 description STATE Failover Interface
!
ftp mode passive
clock timezone Arizona -7
clock summer-time MST recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server AZ-DC01
 domain-name XXXXX.Local
access-list Net_ASPx extended permit tcp 137.66.248.0 255.255.248.0 172.16.24.0 255.255.255.0 eq lpd
access-list Net_ASPx extended permit tcp 137.66.248.0 255.255.248.0 172.16.24.0 255.255.255.0 eq 9100
access-list Net_ASPx extended permit icmp 137.66.248.0 255.255.248.0 172.16.24.0 255.255.255.0
access-list Net_ASPx extended permit icmp any any echo-reply
access-list Outside_In extended permit tcp any host x.x.x.101 eq 1433
access-list Outside_In extended permit icmp any any echo-reply
access-list Outside_In extended permit tcp any host x.x.x.101 eq ftp
access-list Outside_In extended permit tcp any host x.x.x.101 eq ftp-data
access-list Outside_In extended permit tcp any host x.x.x.109 eq 1433
access-list Outside_In extended permit tcp any host x.x.x.109 eq ftp
access-list Outside_In extended permit tcp any host x.x.x.109 eq ftp-data
access-list Outside_In extended permit icmp any any
access-list Outside_In extended permit tcp any host x.x.x.100 eq www
access-list Outside_In extended permit tcp any host x.x.x.100 eq https
access-list Outside_In extended permit tcp any host x.x.x.100 eq smtp
access-list Outside_In extended permit tcp any host x.x.x.102 eq ssh
access-list Outside_In extended permit tcp any host x.x.x.102 eq smtp
access-list svs_giftcard extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.100.0.0 255.255.0.0 10.100.2.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 10.100.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list PhoenixVPN_splitTunnelAcl standard permit 10.100.0.0 255.255.0.0
access-list VPN_Outside_In extended permit ip 10.100.2.0 255.255.255.0 10.100.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
logging class ip asdm debugging
mtu Outside 1500
mtu inside 1500
mtu Net_ASPx 1500
mtu SVS_GiftCard 1500
ip local pool VPN 10.100.2.1-10.100.2.254 mask 255.255.255.0
failover
failover link Failover Ethernet5
failover interface ip Failover 172.16.26.1 255.255.255.0 standby 172.16.26.2
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (Outside) 1 interface
global (Net_ASPx) 1 172.16.24.4-172.16.24.199
global (SVS_GiftCard) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.100.0.0 255.255.0.0
static (inside,Net_ASPx) 172.16.24.201 10.100.1.201 netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.203 PRN_IKON2 netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.206 PRN_HRCANN netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.250 PRN_PRCHECK netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.251 10.100.1.251 netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.221 PRN_HP4SI netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.204 PRN_HP5SI netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.200 PRN_TOSHIBA1 netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.230 PRN_IKON1 netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.21 10.100.1.21 netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.22 10.100.1.22 netmask 255.255.255.255
static (inside,Outside) x.x.x.101 MSSQL netmask 255.255.255.255
static (inside,Outside) x.x.x.109 TESTSQL netmask 255.255.255.255
static (inside,Outside) x.x.x.100 az-mail01 netmask 255.255.255.255
static (inside,Outside) x.x.x.102 Barracuda_PHX netmask 255.255.255.255
static (inside,Net_ASPx) 172.16.24.240 10.100.1.240 netmask 255.255.255.255
access-group Outside_In in interface Outside
access-group Net_ASPx in interface Net_ASPx
access-group svs_giftcard in interface SVS_GiftCard
route Outside 0.0.0.0 0.0.0.0 x.x.x.97 1
route inside 10.100.0.0 255.255.0.0 10.100.1.225 1
route inside 172.28.16.33 255.255.255.255 Cisco_Frame 1
route inside 192.168.1.0 255.255.255.0 10.100.1.17 1
route inside 192.168.254.0 255.255.255.0 10.100.1.17 1
route Net_ASPx 137.66.253.0 255.255.255.0 Net_ASPx_CiscoVPN 1
route Net_ASPx 137.66.128.0 255.255.128.0 Net_ASPx_CiscoVPN 1
route SVS_GiftCard 66.20.45.228 255.255.255.255 172.16.25.2 1
route SVS_GiftCard 66.20.45.237 255.255.255.255 172.16.25.2 1
route SVS_GiftCard 66.20.45.238 255.255.255.255 172.16.25.2 1
route SVS_GiftCard 216.72.27.0 255.255.255.0 172.16.25.2 1
route SVS_GiftCard 216.76.27.210 255.255.255.255 172.16.25.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server VPN protocol radius
aaa-server VPN host AZ-DC01
 timeout 5
 key
group-policy PhoenixVPN internal
group-policy PhoenixVPN attributes
 wins-server value 10.100.1.3
 dns-server value 10.100.1.3 192.168.1.14
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter value VPN_Outside_In
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 ip-comp enable
 group-lock value PhoenixVPN
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value PhoenixVPN_splitTunnelAcl
 default-domain value x.local
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem enable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value VPN
 client-firewall none
http server enable
http 10.100.1.4 255.255.255.255 inside
http 10.100.1.254 255.255.255.255 inside
http 10.100.2.0 255.255.255.0 inside
http 10.100.3.0 255.255.255.0 inside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set peer y.y.y.180
crypto map Outside_map 20 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5
crypto map Outside_map 20 set security-association lifetime seconds 86400
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group y.y.y.180 type ipsec-l2l
tunnel-group y.y.y.180 ipsec-attributes
 pre-shared-key *
tunnel-group PhoenixVPN type ipsec-ra
tunnel-group PhoenixVPN general-attributes
 address-pool VPN
 authentication-server-group VPN
 accounting-server-group VPN
 default-group-policy PhoenixVPN
tunnel-group PhoenixVPN ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication (inside) none
tunnel-group PhoenixVPN ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
telnet timeout 5
ssh 10.100.1.0 255.255.255.0 inside
ssh 10.100.2.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
service-policy global_policy global
ntp authenticate
ntp server 192.43.244.18 prefer
prompt hostname context priority state
: end
1 Solution
 
lrmooreCommented:
>route inside 10.100.0.0 255.255.0.0 10.100.1.225 1
Since your VPN pool is within this same range, the router at 10.100.1.255 should have a route back to the firewall for the 10.100.2.0/24 VPN pool.
I would suggest having a VPN IP pool that is totally different and does not overlap with any other routes or subnets that you have, something like 10.101.2.0/24 perhaps.
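The routing point in this answer, as an added example that is not part of the thread: a small Python linter that reads the relevant lines of a PIX/ASA-style show run, finds each `ip local pool` range, and reports every directly connected subnet and static route the pool falls inside. A pool that lands inside a prefix routed to an internal router (here 10.100.0.0/16 via 10.100.1.225) is exactly the case where return traffic for VPN clients can end up at that router instead of the firewall, so the check is worth running after any re-addressing or failover rebuild. The sample config is constructed from the lines posted above; the `candidate_is_clean` helper and its 10.101.2.0/24 argument are this example's own, following the replacement pool suggested in the answer.

```python
"""Flag a VPN address pool that overlaps routed or directly connected networks.

Added example for the thread above; not code from the original post.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the pool, interface and route lines from the posted
# show run, with the redacted outside addresses left as the author posted them.
SAMPLE_CONFIG = """\
interface Ethernet1
 nameif inside
 ip address 10.100.1.20 255.255.255.0 standby 10.100.1.19
interface Ethernet2
 nameif Net_ASPx
 ip address 172.16.24.2 255.255.255.0 standby 172.16.24.3
ip local pool VPN 10.100.2.1-10.100.2.254 mask 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 x.x.x.97 1
route inside 10.100.0.0 255.255.0.0 10.100.1.225 1
route inside 192.168.1.0 255.255.255.0 10.100.1.17 1
"""


@dataclass(frozen=True)
class Pool:
    name: str
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def overlaps(self, net: ipaddress.IPv4Network) -> bool:
        # Range intersection test; pools need not align to a prefix boundary.
        return self.first <= net.broadcast_address and self.last >= net.network_address


@dataclass(frozen=True)
class Finding:
    pool: str
    kind: str        # "connected" (interface subnet) or "route" (static route)
    iface: str
    network: str
    next_hop: str    # "-" for connected subnets


IFACE_RE = re.compile(r"^interface\s+(\S+)")
NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")
ADDR_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)")
POOL_RE = re.compile(r"^ip local pool\s+(\S+)\s+(\S+)-(\S+)")
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_config(text):
    """Return (pools, connected, routes) from the lines this linter understands."""
    pools, connected, routes = [], [], []
    iface = None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            iface = m.group(1)                 # physical name until nameif overrides it
        elif m := NAMEIF_RE.match(line):
            iface = m.group(1)
        elif m := ADDR_RE.match(line):
            # ipaddress accepts a dotted netmask; strict=False masks the host bits.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            connected.append((iface, net))
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            pools.append(Pool(name, ipaddress.ip_address(first), ipaddress.ip_address(last)))
        elif m := ROUTE_RE.match(line):
            r_iface, dest, mask, next_hop = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((r_iface, net, next_hop))
    return pools, connected, routes


def pool_conflicts(pool, connected, routes, ignore_default=True):
    """Every connected subnet or static route that the pool range lies inside."""
    findings = []
    for iface, net in connected:
        if pool.overlaps(net):
            findings.append(Finding(pool.name, "connected", iface, str(net), "-"))
    for iface, net, next_hop in routes:
        if ignore_default and net.prefixlen == 0:
            continue                           # the default route overlaps everything
        if pool.overlaps(net):
            findings.append(Finding(pool.name, "route", iface, str(net), next_hop))
    return findings


def audit(text):
    """Map each pool name to its list of conflicting networks."""
    pools, connected, routes = parse_config(text)
    return {p.name: pool_conflicts(p, connected, routes) for p in pools}


def candidate_is_clean(first, last, text):
    """True if a replacement pool range collides with nothing routed or connected."""
    _, connected, routes = parse_config(text)
    cand = Pool("candidate", ipaddress.ip_address(first), ipaddress.ip_address(last))
    return not pool_conflicts(cand, connected, routes)


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        for f in findings:
            print(f"pool {name}: inside {f.kind} {f.network} on {f.iface} via {f.next_hop}")
    print("10.101.2.0/24 clean:", candidate_is_clean("10.101.2.1", "10.101.2.254", SAMPLE_CONFIG))
```

The default route is skipped because it overlaps every pool and says nothing about the return path. A pool that overlaps a connected interface subnet is reported as well, since the firewall then has to answer ARP for the client addresses on that segment rather than simply route them, which is a second reason to keep the pool in its own block.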
 
Alan Huseyin KayahanCommented:
access-list Outside_20_cryptomap extended permit ip 10.100.1.0 255.255.255.0 192.168.1.0 255.255.255.0

You should add the following also to Outside_20_cryptomap
access-list Outside_20_cryptomap line 2 permit ip 10.100.0.0 255.255.255.0 192.168.1.0 255.255.255.0

Regards

 
Alan Huseyin KayahanCommented:
Sorry, ignore my last post...
 
toddlemayAuthor Commented:
Perfect! I can't believe I didn't think of that.