CISCO Pix 501 VPN question
I have a CISCO PIX Vpn box which is installed at a client's premises. However, I am testing it at the moment and can get a connection to the VPN using the Cisco VPN client software.
I am given the following IP info after connecting :
IP Address: 192.168.17.15
Default Gateway: 192.168.17.1
DNS: 217.144.147.66 (public IP of the PIX)
I can't access the internet once I'm connected. I'm sure that the gateway and DNS servers are wrong (i'm given 217.144.144.11 as one to use by my ISP) but not sure what I should change them to or where to change them. Any help gratefully received...
Here is the config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1iwWUtCZbeXI9x7r encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname londonpix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.16.2 mail
name 192.168.1.0 Munich-Lan
name 192.168.15.0 munich
name 212.202.225.34 munichpix
object-group service Webmail tcp
description Secure webmail access
port-object eq www
port-object eq https
port-object eq smtp
access-list inside_outbound_nat0_acl permit ip any 192.168.17.10 255.255.255.254
access-list inside_outbound_nat0_acl permit ip 192.168.16.0 255.255.255.0 munich 255.255.255.0
access-list outside_access_in remark Remoteweb workplace
access-list outside_access_in permit tcp any eq 4125 any eq 4125
access-list outside_access_in permit tcp any interface outside object-group Webmail
access-list outside_cryptomap_20 permit ip 192.168.16.0 255.255.255.0 munich 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 217.144.147.66 255.255.255.252
ip address inside 192.168.16.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote 192.168.17.10-192.168.17.2
pdm location 192.168.16.0 255.255.255.255 inside
pdm location 192.168.16.0 255.255.255.0 inside
pdm location Munich-Lan 255.255.255.0 inside
pdm location mail 255.255.255.255 inside
pdm location 192.168.17.10 255.255.255.254 outside
pdm location Munich-Lan 255.255.255.255 outside
pdm location munich 255.255.255.0 outside
pdm location munichpix 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www mail www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https mail https netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 217.144.147.65 1
route outside munich 255.255.255.0 217.144.147.65 1
route outside munichpix 255.255.255.255 217.144.147.66 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Munich-Lan 255.255.255.0 inside
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer munichpix
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 212.202.225.48 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address munichpix netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 255.255.255.255 no-xauth no-config-mode
isakmp log 1
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup users address-pool remote
vpngroup users dns-server 217.144.147.66
vpngroup users idle-time 1800
vpngroup users password ********
telnet 0.0.0.0 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group users accept dialin l2tp
vpdn group users ppp authentication pap
vpdn group users client configuration address local remote
vpdn group users client authentication local
vpdn group users l2tp tunnel hello 300
vpdn username magnus password *********
dhcpd address 192.168.16.1-192.168.16.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username lmiles password C2KmXgyDJjL27vvz encrypted privilege 5
username dvago password WXHm1TBh5B6VgDIo encrypted privilege 5
username nlarsen password QtvepTrpg8fR1r86 encrypted privilege 5
username sfallgren password j75viSdKsDioff67 encrypted privilege 5
username treiss password 84cqV/yi9n6c6nuT encrypted privilege 5
username jcgas password uTOiBOn/rmqRSV.v encrypted privilege 5
username akoch password 8KaL7ZAowyWxZxhN encrypted privilege 5
username magnus password qu7pouLeRTTVAQBg encrypted privilege 15
username eyblood password whhCrfoivSj9zJwC encrypted privilege 5
vpnclient server 217.144.147.66
vpnclient mode client-mode
vpnclient vpngroup users password ********
terminal width 80
Cryptochecksum:84c96b4ddd7
: end
londonpix(config)#
I am given the following IP info after connecting :
IP Address: 192.168.17.15
Default Gateway: 192.168.17.1
DNS: 217.144.147.66 (public IP of the PIX)
I can't access the internet once I'm connected. I'm sure that the gateway and DNS servers are wrong (i'm given 217.144.144.11 as one to use by my ISP) but not sure what I should change them to or where to change them. Any help gratefully received...
Here is the config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1iwWUtCZbeXI9x7r encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname londonpix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.16.2 mail
name 192.168.1.0 Munich-Lan
name 192.168.15.0 munich
name 212.202.225.34 munichpix
object-group service Webmail tcp
description Secure webmail access
port-object eq www
port-object eq https
port-object eq smtp
access-list inside_outbound_nat0_acl permit ip any 192.168.17.10 255.255.255.254
access-list inside_outbound_nat0_acl permit ip 192.168.16.0 255.255.255.0 munich 255.255.255.0
access-list outside_access_in remark Remoteweb workplace
access-list outside_access_in permit tcp any eq 4125 any eq 4125
access-list outside_access_in permit tcp any interface outside object-group Webmail
access-list outside_cryptomap_20 permit ip 192.168.16.0 255.255.255.0 munich 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 217.144.147.66 255.255.255.252
ip address inside 192.168.16.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote 192.168.17.10-192.168.17.2
pdm location 192.168.16.0 255.255.255.255 inside
pdm location 192.168.16.0 255.255.255.0 inside
pdm location Munich-Lan 255.255.255.0 inside
pdm location mail 255.255.255.255 inside
pdm location 192.168.17.10 255.255.255.254 outside
pdm location Munich-Lan 255.255.255.255 outside
pdm location munich 255.255.255.0 outside
pdm location munichpix 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www mail www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https mail https netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 217.144.147.65 1
route outside munich 255.255.255.0 217.144.147.65 1
route outside munichpix 255.255.255.255 217.144.147.66 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Munich-Lan 255.255.255.0 inside
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer munichpix
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 212.202.225.48 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address munichpix netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 255.255.255.255 no-xauth no-config-mode
isakmp log 1
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup users address-pool remote
vpngroup users dns-server 217.144.147.66
vpngroup users idle-time 1800
vpngroup users password ********
telnet 0.0.0.0 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group users accept dialin l2tp
vpdn group users ppp authentication pap
vpdn group users client configuration address local remote
vpdn group users client authentication local
vpdn group users l2tp tunnel hello 300
vpdn username magnus password *********
dhcpd address 192.168.16.1-192.168.16.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username lmiles password C2KmXgyDJjL27vvz encrypted privilege 5
username dvago password WXHm1TBh5B6VgDIo encrypted privilege 5
username nlarsen password QtvepTrpg8fR1r86 encrypted privilege 5
username sfallgren password j75viSdKsDioff67 encrypted privilege 5
username treiss password 84cqV/yi9n6c6nuT encrypted privilege 5
username jcgas password uTOiBOn/rmqRSV.v encrypted privilege 5
username akoch password 8KaL7ZAowyWxZxhN encrypted privilege 5
username magnus password qu7pouLeRTTVAQBg encrypted privilege 15
username eyblood password whhCrfoivSj9zJwC encrypted privilege 5
vpnclient server 217.144.147.66
vpnclient mode client-mode
vpnclient vpngroup users password ********
terminal width 80
Cryptochecksum:84c96b4ddd7
: end
londonpix(config)#
Maybe I'm not understanding the issue here, but shouldn't the above access-list read:
access-list split_T permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.224
^^ ^ ^^^
That mask would cover 1-30 from the 192.168.17.0 subnet, although the pool is only giving out 10-21 on that subnet. You could also use a /24 mask if you wish...
access-list split_T permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.224
^^ ^ ^^^
That mask would cover 1-30 from the 192.168.17.0 subnet, although the pool is only giving out 10-21 on that subnet. You could also use a /24 mask if you wish...
Hi Bat
You are correct, it should be 224 but following is the pool line that user defined
ip local pool remote 192.168.17.10-192.168.17.2
You are correct, it should be 224 but following is the pool line that user defined
ip local pool remote 192.168.17.10-192.168.17.2
i am missing 6 in my first post. Correct is the following
access-list split_T permit ip 192.168.16.0 255.255.255.0 192.168.17.10 255.255.255.0
vpngroup users split-tunnel split_T
access-list split_T permit ip 192.168.16.0 255.255.255.0 192.168.17.10 255.255.255.0
vpngroup users split-tunnel split_T
ASKER
OK I'm doing it now!
ASKER
londonpix(config)# access-list split_T permit ip 192.168.16.0 255.255.255.0 19$
ERROR: Source address,mask <192.168.17.10,255.255.255
Usage: [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> object-group-search
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
<protocol>|object-group <protocol_obj_grp_id>
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
londonpix(config)#
ERROR: Source address,mask <192.168.17.10,255.255.255
Usage: [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> object-group-search
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
<protocol>|object-group <protocol_obj_grp_id>
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
londonpix(config)#
ASKER
?
Understood...
No, the acccess-list list should read:
access-list split_T permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list split_T permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
my mistake, I assumed you did
ip local pool remote 192.168.17.10-192.168.17.2
on purpose. If you have no idea what it is, then do the following
ip local pool remotepool 192.168.17.10-192.168.17.2
no vpngroup users address-pool remote
vpngroup users address-pool remotepool
access-list split_T permit ip 192.168.16.0 255.255.255.0 192.168.17.10 255.255.255.224
vpngroup users split-tunnel split_T
or just go on as following
access-list split_T permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
vpngroup users split-tunnel split_T
ip local pool remote 192.168.17.10-192.168.17.2
on purpose. If you have no idea what it is, then do the following
ip local pool remotepool 192.168.17.10-192.168.17.2
no vpngroup users address-pool remote
vpngroup users address-pool remotepool
access-list split_T permit ip 192.168.16.0 255.255.255.0 192.168.17.10 255.255.255.224
vpngroup users split-tunnel split_T
or just go on as following
access-list split_T permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
vpngroup users split-tunnel split_T
ASKER
You genii! It works! thanks a lot!
You're right, I have no idea what "ip local pool remote 192.168.17.10-192.168.17.2
vpngroup users split-tunnel split_T"
and now everything works! Appreciate it...
You're right, I have no idea what "ip local pool remote 192.168.17.10-192.168.17.2
vpngroup users split-tunnel split_T"
and now everything works! Appreciate it...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You are welcome :) Btw "yes..." was answer for batry, not answer for "you geni!!" . I dont want to look like an a..hole :)
ASKER
you didn't! and thanks again...
I'm sure there are plenty more questions to follow before I get this sodding box working fully!
I need to go on a course...
I'm sure there are plenty more questions to follow before I get this sodding box working fully!
I need to go on a course...
access-list split_T permit ip 192.168.1.0 255.255.255.0 192.168.17.10 255.255.255.0
vpngroup users split-tunnel split_T
Regards