Link to home
Start Free TrialLog in
Avatar of OAC Technology
OAC TechnologyFlag for United States of America

asked on

Problems connecting with the Cisco VPN Client while behind PIX

We're trying to connect to a remote ASA 5505 with the Cisco VPN Client software on a computer that is behind a PIX 501 firewall.  The Cisco VPN Client connects and authenticates correctly, but even though the VPN Client is connected, we cannot access or ping any network resources at the remote site.  When connected, if I right click on the VPN Client icon and click "statistics" it shows that 0 bytes have been received, but bytes are constantly being sent.  

If we replace the 501 with another router, we do not have this problem; the VPN Client will successfully connect and we are able to access the remote resources.

The VPN Client is set up for "IPSec over UDP (NAT / PAT)."

The configuration for the PIX 501 is posted below.  I have intentionally left the outgoing access-list off for troubleshooting purposes.  Let me know if you need clarification or more details.  Thank you in advance

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname OAC-PTown
domain-name domain.local
clock timezone CST -6
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.0 nhopevpn
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any
access-list outbound permit udp 192.168.1.0 255.255.255.0 any
access-list outbound permit icmp any any
access-list outbound permit gre any any
access-list inbound permit tcp any any eq 3389
access-list inbound permit tcp any interface outside eq 3389
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq 3390
access-list inbound permit tcp any interface outside eq 5500
access-list inbound permit tcp any interface outside eq 5501
access-list inbound permit icmp any interface outside echo-reply
access-list inbound permit esp any any
access-list inbound permit ah any any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 nhopevpn 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 nhopevpn 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.1.0 255.255.255.0 nhopevpn 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name attack attack action alarm drop reset
ip audit interface outside attack
ip audit info action alarm
ip audit attack action alarm drop reset
ip local pool test 10.0.0.1-10.0.0.25
pdm location x.x.x.224 255.255.255.255 outside
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.100 255.255.255.255 inside
pdm location nhopevpn 255.255.255.0 outside
pdm location 192.168.1.90 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3390 192.168.1.100 3390 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5901 192.168.1.2 5901 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.100 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5501 192.168.1.90 5501 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5500 192.168.1.90 5500 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside nhopevpn 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.43.244.18 source inside
http server enable
http nhopevpn 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs group2
crypto map outside_map 40 set peer y.y.y.28
crypto map outside_map 40 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address y.y.y.28 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 60 30
isakmp nat-traversal 20
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption aes
isakmp policy 40 hash sha
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400
vpngroup vpn3000 address-pool test
vpngroup vpn3000 dns-server 192.168.1.100
vpngroup vpn3000 wins-server 192.168.1.100
vpngroup vpn3000 default-domain domain.local
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.1.0 255.255.255.255 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 25
console timeout 0
terminal width 80
ASKER CERTIFIED SOLUTION
Avatar of batry_boy
batry_boy
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of OAC Technology

ASKER

ooops, mod: please delete. thank you