oelolemy (Egypt)

asked on

remote access vpn with PIX 525 ver 7.2 issue

I've been searching for days for the solution to this problem. A lot of people seem to have the problem, but no one has posted a solution, i.e., exact commands to solve the problem.

I have a Cisco PIX 525 and am trying to create a VPN that would allow employees to remote in from home. Employees can remote in using Windows but cannot access any LAN resources. It just authenticates, but I am not able to get to the inside network; I cannot even ping the inside interface of the PIX. I am using version 7.2 and below is the configuration applied. I've searched for solutions and some are suggesting that the pool address used should be in a different subnet range than the LAN. The LAN subnet ranges of the routes behind the PIX are 10.232.0.0/22, 10.232.100.0/22 and 10.232.200.0/22. I used the address pool 10.232.8.0 (10.232.8.100-10.232.8.150), but this time I am not able to authenticate, so I reverted back to using the address pool 10.232.3.100-10.232.3.150 mask 255.255.252.0, bearing in mind that the address pool assigned does not conflict with the IP addresses assigned to the LAN resources.

config


UCCFW# sh run
: Saved
:
PIX Version 7.2(3)
!
hostname UCCFW
domain-name iq.lafarge.com
enable password Gq00./HFgspM1n9G encrypted
names
name 10.232.0.15 ISA-Server
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address ----------------------
interface Ethernet1
 speed 100
 nameif inside
 security-level 100
 ip address 10.232.0.5 255.255.252.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif visitors
 security-level 100
 ip address 10.232.4.5 255.255.252.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd Gq00./HFgspM1n9G encrypted
ftp mode passive
clock timezone AST 3
dns server-group DefaultDNS
 domain-name iq.lafarge.com
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 172.16.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 172.16.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 172.16.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.232.8.0 255.255.255.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.232.8.0 255.255.255.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.232.8.0 255.255.255.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 192.16.0.0 255.240.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 192.16.0.0 255.240.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 192.16.0.0 255.240.0.0
access-list outside_access_in remark allow SNMP polls from outside
access-list outside_access_in extended permit udp host 10.100.43.31 any eq snmp
access-list uccbcc_tn_splitTunnelAcl extended permit ip 10.232.0.0 255.255.252.0 any
access-list uccbcc_tn_splitTunnelAcl extended permit ip 10.232.100.0 255.255.252.0 any
access-list uccbcc_tn_splitTunnelAcl extended permit ip 10.232.200.0 255.255.252.0 any
access-list outside_dyn_map extended permit ip any 10.232.8.0 255.255.252.0
pager lines 24
logging enable
logging monitor errors
logging buffered informational
logging trap informational
logging history critical
logging asdm informational
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu visitors 1500
ip local pool vpnpool1 10.232.8.100-10.232.8.150 mask 255.255.252.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 10 209.8.244.103
global (outside) 20 209.8.244.104
nat (inside) 0 access-list 101
nat (inside) 10 ISA-Server 255.255.255.255
nat (inside) 10 10.232.0.210 255.255.255.255
nat (visitors) 20 10.232.4.0 255.255.252.0
nat (visitors) 20 10.232.104.0 255.255.252.0
nat (visitors) 20 10.232.204.0 255.255.252.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.8.244.97 1
route outside 10.0.0.0 255.0.0.0 195.33.65.158 1
route outside 172.16.0.0 255.240.0.0 195.33.65.158 1
route outside 192.168.0.0 255.255.0.0 195.33.65.158 1
route inside 10.232.100.0 255.255.252.0 10.232.0.1 1
route inside 10.232.200.0 255.255.252.0 10.232.0.1 1
route visitors 10.232.104.0 255.255.252.0 10.232.4.1 1
route visitors 10.232.204.0 255.255.252.0 10.232.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.232.0.0 255.255.252.0 inside
snmp-server host outside 10.100.43.31 community lafarge version 2c udp-port 161
snmp-server location Tasluja UCC Building, Lafarge IRAQ
snmp-server contact Osama Elolemy, +9647708686881
snmp-server community lafarge
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set laf-ts esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 20 match address outside_dyn_map
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set laf-ts
crypto map uccbcc-cm 1 match address laf-acl
crypto map uccbcc-cm 1 set peer 195.33.65.158
crypto map uccbcc-cm 1 set transform-set laf-ts
crypto map uccbcc-cm 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map uccbcc-cm interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 1440
crypto isakmp nat-traversal  20
telnet 10.232.0.0 255.255.252.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
management-access inside
!
!
group-policy uccbcc_tn internal
group-policy uccbcc_tn attributes
 wins-server value 10.232.0.35
 dns-server value 10.232.0.35 10.232.0.40
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value uccbcc_tn_splitTunnelAcl
 default-domain value tasluja.ucc.iq
username oelolemy password bGFTsyNhqFXNYFox encrypted privilege 15
username oelolemy attributes
 vpn-group-policy uccbcc_tn
tunnel-group 195.33.65.158 type ipsec-l2l
tunnel-group 195.33.65.158 ipsec-attributes
 pre-shared-key *
tunnel-group uccbcc_tn type ipsec-ra
tunnel-group uccbcc_tn general-attributes
 address-pool vpnpool1
 default-group-policy uccbcc_tn
tunnel-group uccbcc_tn ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:a7346c8d0e20e2f302457561418769fb
: end


=======================
Kindly check my configuration and advise why this is not working, even though it was configured by the ASDM wizard.
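As an added example (not part of the original question or of the answer), a small Python check over a constructed, abridged excerpt of the posted config: it parses the interface subnets, the NAT-exemption ACL and the local pool, then reports whether a given client pool overlaps a directly connected interface subnet and whether every LAN subnet has a nat 0 exemption covering the whole pool range, the two things the "different subnet" suggestion and the nat (inside) 0 access-list 101 line hinge on. LAN_SUBNETS, audit() and the 100.64.0.0 range are assumptions for the example.

```python
import ipaddress
import re

# Constructed, abridged excerpt of the PIX config posted in the question (addresses as posted).
PIX_CONFIG = """\
interface Ethernet1
 nameif inside
 ip address 10.232.0.5 255.255.252.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.232.8.0 255.255.255.0
ip local pool vpnpool1 10.232.8.100-10.232.8.150 mask 255.255.252.0
nat (inside) 0 access-list 101
"""
# LAN subnets behind the PIX, as stated in the question (assumed list for this check).
LAN_SUBNETS = [ipaddress.ip_network(n) for n in ("10.232.0.0/22", "10.232.100.0/22", "10.232.200.0/22")]

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(cfg):
    """Pull interface subnets, 'permit ip' ACEs, local pools and the nat 0 ACL name."""
    ifaces, acls, pools, nat0, cur = {}, {}, {}, None, None
    for line in cfg.splitlines():
        if m := re.match(r"\s+nameif (\S+)", line):
            cur = m[1]
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            ifaces[cur] = net(m[1], m[2])
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0 = m[1]
    return ifaces, acls, pools, nat0

def pool_overlaps(ifaces, lo, hi):
    """Names of directly connected interface subnets that contain an end of the pool range."""
    return sorted(n for n, sub in ifaces.items() if lo in sub or hi in sub)

def nat0_covers(acl, lo, hi):
    """True if every LAN subnet has an exempt ACE whose source holds it and whose destination holds the pool."""
    return all(any(s.supernet_of(lan) and lo in d and hi in d for s, d in acl) for lan in LAN_SUBNETS)

def audit(cfg, pool_lo, pool_hi):
    ifaces, acls, _, nat0 = parse(cfg)
    lo, hi = ipaddress.ip_address(pool_lo), ipaddress.ip_address(pool_hi)
    return {"overlaps": pool_overlaps(ifaces, lo, hi), "nat0_exempt": nat0_covers(acls.get(nat0, []), lo, hi)}
```

Running audit() with the posted vpnpool1 range reports no overlap and full exemption, while the 10.232.3.100-150 range the asker reverted to is flagged as sitting inside the inside interface's 10.232.0.0/22.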
ASKER CERTIFIED SOLUTION
Pete Long