snchelpdesk
asked on
PIX 515 and Client VPN not getting route assigned - can't see inside network
I have similar issue as previous question with a PIX 515 but the special "nat inside 0" commands didn't help. I am connected but not able to see any devices on the inside network. I have attached print screens of vpn client stats / route as well as the running config and log of current session.
vpn-stats-route.jpg
vpn-log.txt
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password KKHLIjzcnsh7NPLj encrypted
passwd KKHLIjzcnsh7NPLj encrypted
hostname pixfirewall
domain-name chiron2k3.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside object-group RWW
access-list outside_access_in permit tcp any interface outside eq ftp
access-list outside_access_in permit tcp any interface outside eq 81
access-list outside_access_in remark Wireless Sync
access-list inside_outbound_nat0_acl permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list split permit ip any 10.10.1.0 255.255.255.0
access-list outside_cryptomap_dyn_100 permit ip any 10.10.2.0 255.255.255.0
access-list nonat permit ip any 10.10.1.192 255.255.255.192
pager lines 24
logging on
logging console errors
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside XX.XX.XX.XX 255.255.255.240
ip address inside 10.10.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNDHCPPool 10.10.2.51-10.10.2.75 mask 255.255.255.0
ip local pool VPNPool 10.10.2.25-10.10.2.50 mask 255.255.255.0
pdm location 10.10.1.5 255.255.255.255 inside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location CFGSRVR1 255.255.255.255 inside
pdm location CFGSRVR1_2 255.255.255.255 inside
pdm location 10.10.1.109 255.255.255.255 inside
pdm location 10.10.2.0 255.255.255.0 outside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www CFG2k3SBS www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp CFG2k3SBS ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 81 CFGSRVR 81 netmask 255.255.255.255 0 0
static (inside,outside) 66.249.107.101 CFGSRVR1_2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 255.255.255.255 75.48.93.126 1
route outside 0.0.0.0 0.0.0.0 75.48.93.126 1
route inside CFG2k3SBS 255.255.255.255 10.10.1.1 1
route outside 10.10.2.0 255.255.255.0 10.10.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.1.109 255.255.255.255 inside
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection timewait
sysopt connection permit-ipsec
sysopt connection permit-l2tp
service resetoutside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 50
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup chiron address-pool VPNDHCPPool
vpngroup chiron dns-server CFG2k3SBS
vpngroup chiron wins-server CFG2k3SBS
vpngroup chiron default-domain chiron2k3.local
vpngroup chiron split-tunnel outside_cryptomap_dyn_100
vpngroup chiron idle-time 1800
vpngroup chiron password ********
telnet 10.10.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
management-access outside
console timeout 0
username admin password s8Vngsgpp8NmOJP7 encrypted privilege 2
username sncadmin password ugeJvaOYYV/GhANI encrypted privilege 15
terminal width 80
Cryptochecksum:9a80fe45c334caa4e9d39781aba940ed
: end
vpn-stats-route.jpg
vpn-log.txt
This does not look like a complete configuration. How is your dhcp pool configured?
Are you using a dhcp server inside your lan with correct default gateway, dns servers? Are you using an internal address pool?
In your stats, I don't see any received packets, which means they cannot find the default route to reach your internal lan hosts
First, you need to configure a dhcp pool that is on a different subnet than your lan.
The easiest way for vpn clients to connect to inside lan hosts would be the tunnel default gateway next hop address which usually is the IP address of the inside router (or any Layer 3 device)
the command would be route inside 0.0.0.0 0.0.0.0 192.168.1.1 tunneled
where 192.168.1.1 is an example of the router located on the inside of the PIX
As far as the nat0 commands, you can use the command
sysopt connection permit-ipsec, which permits the PIX to allow all decrypted IPSec packets to pass through it without inspection against existing ACL's Also, I don't see your NAT and global commands. Please provide your complete configuration.
Are you using a dhcp server inside your lan with correct default gateway, dns servers? Are you using an internal address pool?
In your stats, I don't see any received packets, which means they cannot find the default route to reach your internal lan hosts
First, you need to configure a dhcp pool that is on a different subnet than your lan.
The easiest way for vpn clients to connect to inside lan hosts would be the tunnel default gateway next hop address which usually is the IP address of the inside router (or any Layer 3 device)
the command would be route inside 0.0.0.0 0.0.0.0 192.168.1.1 tunneled
where 192.168.1.1 is an example of the router located on the inside of the PIX
As far as the nat0 commands, you can use the command
sysopt connection permit-ipsec, which permits the PIX to allow all decrypted IPSec packets to pass through it without inspection against existing ACL's Also, I don't see your NAT and global commands. Please provide your complete configuration.
ASKER
I am using separate DHCP server.
This is the VPN DHCP Config:
ip local pool VPNDHCPPool 10.10.2.51-10.10.2.75 mask 255.255.255.0
ip local pool VPNPool 10.10.2.25-10.10.2.50 mask 255.255.255.0
Tried to add default route as suggested:
Result of firewall command: "route inside 0.0.0.0 0.0.0.0 10.10.1.1 tunneled"
cannot add route entry. possible conflict with existing routes
Usage: [no] route <if_name> <foreign_ip> <mask> <gateway> [<metric>]
Command failed
This is the existing "route inside":
name 10.10.1.13 CFG2k3SBS
route inside CFG2k3SBS 255.255.255.255 10.10.1.1 1
I replaced the "1" with "tunneled".
Added the sysop command.
Still no route establshed.
Uploaded current running config.
Thank you for your assist!
Dave
pix-config-110808d.txt
This is the VPN DHCP Config:
ip local pool VPNDHCPPool 10.10.2.51-10.10.2.75 mask 255.255.255.0
ip local pool VPNPool 10.10.2.25-10.10.2.50 mask 255.255.255.0
Tried to add default route as suggested:
Result of firewall command: "route inside 0.0.0.0 0.0.0.0 10.10.1.1 tunneled"
cannot add route entry. possible conflict with existing routes
Usage: [no] route <if_name> <foreign_ip> <mask> <gateway> [<metric>]
Command failed
This is the existing "route inside":
name 10.10.1.13 CFG2k3SBS
route inside CFG2k3SBS 255.255.255.255 10.10.1.1 1
I replaced the "1" with "tunneled".
Added the sysop command.
Still no route establshed.
Uploaded current running config.
Thank you for your assist!
Dave
pix-config-110808d.txt
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Beautiful, Everything looks great!
I sincerely appreciate your expertise and proficiency,
Dave
The only other problem I've had is getting ASDM to run from remote... tried adding:
pdm location 0.0.0.0 0.0.0.0 outside
Dave
I sincerely appreciate your expertise and proficiency,
Dave
The only other problem I've had is getting ASDM to run from remote... tried adding:
pdm location 0.0.0.0 0.0.0.0 outside
Dave
Your inside interface of the PIX is 10.10.1.1 255.255.255.0, and that is why you are getting the error:
cannot add route entry. possible conflict with existing routes
Usage: [no] route <if_name> <foreign_ip> <mask> <gateway> [<metric>]
Command failed
The ip address needs to be the ip address of your internal router, not the inside interface of the pix. Otherwise, you can have a route inside statement:
route inside 0.0.0.0 0.0.0.0 10.10.1.1 1
The comment posted by the previous expert using the following commands will allow vpn traffic from hosts 10.10.2.0/24 to the internal hosts of your lan
access-list nonat permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list SPLIT permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
cannot add route entry. possible conflict with existing routes
Usage: [no] route <if_name> <foreign_ip> <mask> <gateway> [<metric>]
Command failed
The ip address needs to be the ip address of your internal router, not the inside interface of the pix. Otherwise, you can have a route inside statement:
route inside 0.0.0.0 0.0.0.0 10.10.1.1 1
The comment posted by the previous expert using the following commands will allow vpn traffic from hosts 10.10.2.0/24 to the internal hosts of your lan
access-list nonat permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list SPLIT permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
ASKER
Thank you again for sharing your experitse!
Dave
Dave
ASKER
vpn-stats.jpg