User VPN doesn't pass traffic - Cisco Pix 506e
I can connect to the VPN from the Cisco client, but can't pass traffic. I have racked my brain on this. It has to be something simple. There are 3 subnets, but only need the 192.168.1.0 Config is below.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name poormansapocalypse.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inboundacl permit tcp any any eq smtp
access-list PMAVPN_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool PMAPool 10.0.0.10-10.0.0.50
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.1.50 255.255.255.255 inside
pdm location 192.168.1.110 255.255.255.255 inside
pdm location 192.168.1.133 255.255.255.255 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 10.0.0.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 192.168.1.0 255.255.255.0 0 0
nat (inside) 10 192.168.2.0 255.255.255.0 0 0
nat (inside) 10 192.168.3.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 192.168.1.1 smtp netmask 255.255.255.255 0 0
access-group inboundacl in interface outside
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 4.4.4.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup PMAVPN address-pool PMAPool
vpngroup PMAVPN dns-server 192.168.1.1
vpngroup PMAVPN wins-server 192.168.1.1
vpngroup PMAVPN split-tunnel PMAVPN_splitTunnelAcl
vpngroup PMAVPN idle-time 1800
vpngroup PMAVPN password ********
telnet 192.168.0.0 255.255.255.255 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:1663ce120b2
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name poormansapocalypse.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inboundacl permit tcp any any eq smtp
access-list PMAVPN_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool PMAPool 10.0.0.10-10.0.0.50
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.1.50 255.255.255.255 inside
pdm location 192.168.1.110 255.255.255.255 inside
pdm location 192.168.1.133 255.255.255.255 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 10.0.0.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 192.168.1.0 255.255.255.0 0 0
nat (inside) 10 192.168.2.0 255.255.255.0 0 0
nat (inside) 10 192.168.3.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 192.168.1.1 smtp netmask 255.255.255.255 0 0
access-group inboundacl in interface outside
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 4.4.4.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup PMAVPN address-pool PMAPool
vpngroup PMAVPN dns-server 192.168.1.1
vpngroup PMAVPN wins-server 192.168.1.1
vpngroup PMAVPN split-tunnel PMAVPN_splitTunnelAcl
vpngroup PMAVPN idle-time 1800
vpngroup PMAVPN password ********
telnet 192.168.0.0 255.255.255.255 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:1663ce120b2
ASKER
DG on LAN is 192.168.0.2.
ASKER
192.168.1.2
ASKER
Router has 0.0.0.0 0.0.0.0 192.168.1.254 in it for its default route. Below is from router.
interface FastEthernet0
description connected to J
ip address 192.168.1.2 255.255.255.0
speed auto
!
interface Serial0
description connected to K
ip address 10.10.10.1 255.255.255.252
service-module t1 remote-alarm-enable
!
interface Serial1
description connected to B
ip address 10.10.11.1 255.255.255.252
service-module t1 remote-alarm-enable
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
no ip http server
interface FastEthernet0
description connected to J
ip address 192.168.1.2 255.255.255.0
speed auto
!
interface Serial0
description connected to K
ip address 10.10.10.1 255.255.255.252
service-module t1 remote-alarm-enable
!
interface Serial1
description connected to B
ip address 10.10.11.1 255.255.255.252
service-module t1 remote-alarm-enable
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
no ip http server
Just checked your config again, pretty sure its the access list on the outside interface that is blocking the traffic. On a pix, trafic is effectively decrypted before it hits the outside interface, therefore it needs to be allowed through this access list. Or you can add the command:-
!--- Permit packet that came from an IPsec tunnel to pass through without
!--- checking them against the configured conduits/access lists.
sysopt connection permit-ipsec
See http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml for reference.
!--- Permit packet that came from an IPsec tunnel to pass through without
!--- checking them against the configured conduits/access lists.
sysopt connection permit-ipsec
See http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml for reference.
ASKER
put in the command. saved, rebooted pix. Still won't pass the traffic.
Ok, try adding this one: sysopt ipsec pl-compatible
This command should allow all ipsec traffic to bypass any firewall features and terminate the traffic on the inside interface. with this command, you shouldn't need the nat 0 command.
see: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008009484e.shtml
If that doesn't work, specifically allow the traffic in the outside access-list, i.e. permit ip 10.0.0.0 255.255.255.0 any
This command should allow all ipsec traffic to bypass any firewall features and terminate the traffic on the inside interface. with this command, you shouldn't need the nat 0 command.
see: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008009484e.shtml
If that doesn't work, specifically allow the traffic in the outside access-list, i.e. permit ip 10.0.0.0 255.255.255.0 any
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Got it working. You are most excellent.
the config above looks correct.