• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 673

PIX 515 and Client VPN not getting route assigned - can't see inside network

I have a similar issue to a previous question with a PIX 515, but the special "nat inside 0" commands didn't help.  I am connected but not able to see any devices on the inside network.  I have attached print screens of the VPN client stats / route as well as the running config and log of the current session.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password KKHLIjzcnsh7NPLj encrypted
passwd KKHLIjzcnsh7NPLj encrypted
hostname pixfirewall
domain-name chiron2k3.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
access-list outside_access_in permit icmp any any 
access-list outside_access_in permit tcp any interface outside eq www 
access-list outside_access_in permit tcp any interface outside eq 3389 
access-list outside_access_in permit tcp any interface outside eq https 
access-list outside_access_in permit tcp any interface outside eq smtp 
access-list outside_access_in permit tcp any interface outside object-group RWW 
access-list outside_access_in permit tcp any interface outside eq ftp 
access-list outside_access_in permit tcp any interface outside eq 81 
access-list outside_access_in remark Wireless Sync
access-list inside_outbound_nat0_acl permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0 
access-list split permit ip any 10.10.1.0 255.255.255.0 
access-list outside_cryptomap_dyn_100 permit ip any 10.10.2.0 255.255.255.0 
access-list nonat permit ip any 10.10.1.192 255.255.255.192 
pager lines 24
logging on
logging console errors
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside XX.XX.XX.XX  255.255.255.240
ip address inside 10.10.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNDHCPPool 10.10.2.51-10.10.2.75 mask 255.255.255.0
ip local pool VPNPool 10.10.2.25-10.10.2.50 mask 255.255.255.0
pdm location 10.10.1.5 255.255.255.255 inside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location CFGSRVR1 255.255.255.255 inside
pdm location CFGSRVR1_2 255.255.255.255 inside
pdm location 10.10.1.109 255.255.255.255 inside
pdm location 10.10.2.0 255.255.255.0 outside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www CFG2k3SBS www netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface ftp CFG2k3SBS ftp netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface 81 CFGSRVR 81 netmask 255.255.255.255 0 0 
static (inside,outside) 66.249.107.101 CFGSRVR1_2 netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 255.255.255.255 75.48.93.126 1
route outside 0.0.0.0 0.0.0.0 75.48.93.126 1
route inside CFG2k3SBS 255.255.255.255 10.10.1.1 1
route outside 10.10.2.0 255.255.255.0 10.10.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.1.109 255.255.255.255 inside
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection timewait
sysopt connection permit-ipsec
sysopt connection permit-l2tp
service resetoutside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 50
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup chiron address-pool VPNDHCPPool
vpngroup chiron dns-server CFG2k3SBS
vpngroup chiron wins-server CFG2k3SBS
vpngroup chiron default-domain chiron2k3.local
vpngroup chiron split-tunnel outside_cryptomap_dyn_100
vpngroup chiron idle-time 1800
vpngroup chiron password ********
telnet 10.10.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
management-access outside
console timeout 0
username admin password s8Vngsgpp8NmOJP7 encrypted privilege 2
username sncadmin password ugeJvaOYYV/GhANI encrypted privilege 15
terminal width 80
Cryptochecksum:9a80fe45c334caa4e9d39781aba940ed
: end


vpn-stats-route.jpg
vpn-log.txt
0
1 Solution
 
snchelpdeskAuthor Commented:
I uploaded wrong "stats" file.
vpn-stats.jpg
0
 
bignewfCommented:
This does not look like a complete configuration. How is your dhcp pool configured?
Are you using a dhcp server inside your lan with correct default gateway, dns servers? Are you using an internal address pool?
In your stats, I don't see any received packets, which means they cannot find the default route to reach your internal LAN hosts.
First, you need to configure a dhcp pool that is on a different subnet than your lan.
The easiest way for vpn clients to connect to inside lan hosts would be the tunnel default gateway next hop address which usually is the IP address of the inside router (or any Layer 3 device)

the command would be route inside 0.0.0.0 0.0.0.0 192.168.1.1 tunneled

where 192.168.1.1 is an example of the router located on the inside of the PIX

As far as the nat0 commands, you can use the command
sysopt connection permit-ipsec, which permits the PIX to allow all decrypted IPSec packets to pass through it without inspection against existing ACLs.  Also, I don't see your NAT and global commands. Please provide your complete configuration.
0
 
snchelpdeskAuthor Commented:
I am using a separate DHCP server.

This is the VPN DHCP Config:
ip local pool VPNDHCPPool 10.10.2.51-10.10.2.75 mask 255.255.255.0
ip local pool VPNPool 10.10.2.25-10.10.2.50 mask 255.255.255.0

Tried to add default route as suggested:

Result of firewall command: "route inside 0.0.0.0 0.0.0.0 10.10.1.1 tunneled"
 
cannot add route entry. possible conflict with existing routes
Usage:      [no] route <if_name> <foreign_ip> <mask> <gateway> [<metric>]
Command failed

This is the existing "route inside":

name 10.10.1.13 CFG2k3SBS
route inside CFG2k3SBS 255.255.255.255 10.10.1.1 1

I replaced the "1" with "tunneled".

Added the sysopt command.

Still no route established.

Uploaded current running config.

Thank you for your assist!
Dave
pix-config-110808d.txt
0
 
lrmooreCommented:
Add the following:

access-list nonat permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list SPLIT permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0

no crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
no crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
no crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
no crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-MD5
no crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
no crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5

no vpngroup chiron split-tunnel outside_cryptomap_dyn_100
vpngroup chiron split-tunnel SPLIT


0
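The fix above comes down to two things lining up with the client address pool: the ACL that `nat (inside) 0` actually references must exempt LAN-to-pool traffic (the poster had a correct entry in `inside_outbound_nat0_acl`, but `nat (inside) 0` pointed at `nonat`), and the split-tunnel ACL must name the inside LAN explicitly with the pool as destination. The script below is an added example, not code from this thread or from Cisco, that encodes those two rules as a lint over a PIX 6.x running config. It parses only `ip address inside`, `permit ip` ACL entries (`any`, `host`, or address/mask operands), `ip local pool`, `nat (inside) 0 access-list`, and the `vpngroup` pool and split-tunnel bindings; the two config excerpts are constructed from the poster's config and from lrmoore's additions, and the rule that the split-tunnel source should not be `any` is taken from the accepted answer rather than from any PIX documentation.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the poster's PIX 6.3 running config, reduced to the
# lines the check needs (the state before the accepted answer was applied).
BEFORE_CONFIG = """\
ip address inside 10.10.1.1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list outside_cryptomap_dyn_100 permit ip any 10.10.2.0 255.255.255.0
access-list nonat permit ip any 10.10.1.192 255.255.255.192
ip local pool VPNDHCPPool 10.10.2.51-10.10.2.75 mask 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup chiron address-pool VPNDHCPPool
vpngroup chiron split-tunnel outside_cryptomap_dyn_100
"""

# The same excerpt after lrmoore's additions (constructed): the split-tunnel
# binding now points at SPLIT and the two new ACL entries are present.
AFTER_CONFIG = BEFORE_CONFIG.replace(
    "split-tunnel outside_cryptomap_dyn_100", "split-tunnel SPLIT"
) + ("access-list nonat permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0\n"
     "access-list SPLIT permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0\n")

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class PixVpnView:
    inside_net: Optional[ipaddress.IPv4Network] = None
    acls: dict = field(default_factory=dict)          # ACL name -> [(src, dst)]
    pools: dict = field(default_factory=dict)         # pool name -> (first, last)
    nat0_acl: Optional[str] = None
    address_pool: dict = field(default_factory=dict)  # vpngroup -> pool name
    split_acl: dict = field(default_factory=dict)     # vpngroup -> ACL name

def _operand(t, i):
    """Parse one PIX ACL address operand (any | host A | A MASK) starting at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_pix(config: str) -> PixVpnView:
    """Pull the VPN-relevant pieces out of a PIX 6.x running config."""
    v = PixVpnView()
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 5 and t[:3] == ["ip", "address", "inside"]:
            v.inside_net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif len(t) >= 6 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _operand(t, 4)
            dst, _ = _operand(t, i)
            v.acls.setdefault(t[1], []).append((src, dst))
        elif len(t) >= 5 and t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            v.pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif len(t) >= 5 and t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            v.nat0_acl = t[4]
        elif len(t) >= 4 and t[0] == "vpngroup" and t[2] == "address-pool":
            v.address_pool[t[1]] = t[3]
        elif len(t) >= 4 and t[0] == "vpngroup" and t[2] == "split-tunnel":
            v.split_acl[t[1]] = t[3]
    return v

def _covers_pool(net, pool) -> bool:
    # A network is contiguous, so containing both ends means containing the whole range.
    return pool[0] in net and pool[1] in net

def check_vpn_group(config: str, group: str) -> List[str]:
    """Return findings for `group`; an empty list means both ACLs line up with the pool."""
    v = parse_pix(config)
    pool = v.pools.get(v.address_pool.get(group, ""))
    if v.inside_net is None or pool is None:
        return [f"cannot evaluate '{group}': inside address or address pool not found"]
    lan, findings = v.inside_net, []
    pool_txt = f"{pool[0]}-{pool[1]}"

    # Check 1: the ACL actually bound by 'nat (inside) 0' must exempt LAN -> pool.
    def exempts(entry):
        return entry[0].supernet_of(lan) and _covers_pool(entry[1], pool)

    if not any(exempts(e) for e in v.acls.get(v.nat0_acl or "", [])):
        msg = f"nat 0 ACL '{v.nat0_acl}' has no entry exempting {lan} -> {pool_txt}"
        # Point out an ACL that already has the right entry but is not bound (the poster's case).
        unbound = [n for n, es in v.acls.items() if n != v.nat0_acl and any(map(exempts, es))]
        if unbound:
            msg += f" (ACL '{unbound[0]}' has one but is not referenced by nat 0)"
        findings.append(msg)

    # Check 2: the split-tunnel ACL names the LAN explicitly (not 'any') with the pool as destination.
    split = v.split_acl.get(group)
    if not any(s != ANY and s.supernet_of(lan) and _covers_pool(d, pool)
               for s, d in v.acls.get(split or "", [])):
        findings.append(f"split-tunnel ACL '{split}' does not push {lan} for pool {pool_txt}")
    return findings
```

Running `check_vpn_group(BEFORE_CONFIG, "chiron")` reports both problems (and names `inside_outbound_nat0_acl` as the unbound ACL that already had the right entry), while the same call on `AFTER_CONFIG` returns an empty list. Pasting a full `show running-config` in place of the excerpt works the same way, since lines the parser does not recognise are ignored.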
 
snchelpdeskAuthor Commented:
Beautiful, everything looks great!

I sincerely appreciate your expertise and proficiency,
Dave

The only other problem I've had is getting ASDM to run from remote...  tried adding:
pdm location 0.0.0.0 0.0.0.0 outside  

Dave
0
 
bignewfCommented:
Your inside interface of the PIX is 10.10.1.1 255.255.255.0, and that is why you are getting the error:
cannot add route entry. possible conflict with existing routes
Usage:      [no] route <if_name> <foreign_ip> <mask> <gateway> [<metric>]
Command failed

The ip address needs to be the ip address of your internal router, not the inside interface of the pix.  Otherwise, you can have a route inside statement:

route inside 0.0.0.0 0.0.0.0 10.10.1.1 1

The commands posted by the previous expert will allow VPN traffic from hosts in 10.10.2.0/24 to reach the internal hosts of your LAN:

access-list nonat permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list SPLIT permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
0
 
snchelpdeskAuthor Commented:
Thank you again for sharing your expertise!
Dave
0
