Solved

Cisco PIX remote VPN can ping the internal LAN resources but cannot access resources

Posted on 2009-04-12
20
558 Views
Last Modified: 2012-05-06
Dear Experts

Apparently I was able to set up a remote access VPN using the Cisco client through the PIX firewall. At first I had some issues connecting to the remote site-to-site tunnel, and I was able to fix this issue by disabling the split tunnel. Now my problem is that I am not able to telnet or RDP to the internal servers of my network; I can ping the internal LAN and the routers behind the PIX, but I cannot telnet to any of them.

Below is my PIX configuration:

UCCFW# sh run
: Saved
:
PIX Version 7.2(3)
!
hostname UCCFW
domain-name iq.lafarge.com
enable password Gq00./HFgspM1n9G encrypted
names
name 10.232.0.15 ISA-Server
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 209.8.244.102 255.255.255.224
!
interface Ethernet1
 speed 100
 nameif inside
 security-level 100
 ip address 10.232.0.5 255.255.252.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif visitors
 security-level 100
 ip address 10.232.4.5 255.255.252.0
!
interface Ethernet3
 nameif ras
 security-level 0
 no ip address
!
passwd Gq00./HFgspM1n9G encrypted
ftp mode passive
clock timezone AST 3
dns server-group DefaultDNS
 domain-name iq.lafarge.com
same-security-traffic permit intra-interface
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 172.16.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 172.16.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 172.16.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.0.0.0 255.128.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.128.0.0 255.192.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.192.0.0 255.224.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.224.0.0 255.248.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.233.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.234.0.0 255.254.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.236.0.0 255.252.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.240.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.0.0.0 255.128.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.128.0.0 255.192.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.192.0.0 255.224.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.224.0.0 255.248.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.233.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.234.0.0 255.254.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.236.0.0 255.252.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.240.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.0.0.0 255.128.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.128.0.0 255.192.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.192.0.0 255.224.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.224.0.0 255.248.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.233.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.234.0.0 255.254.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.236.0.0 255.252.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.240.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.232.3.0 255.255.255.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.232.3.0 255.255.255.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.232.3.0 255.255.255.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 192.16.0.0 255.240.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 192.16.0.0 255.240.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 192.16.0.0 255.240.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.0.0.0 255.128.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.128.0.0 255.192.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.192.0.0 255.224.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.224.0.0 255.248.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.233.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.234.0.0 255.254.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.236.0.0 255.252.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.240.0.0 255.240.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.0.0.0 255.128.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.128.0.0 255.192.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.192.0.0 255.224.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.224.0.0 255.248.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.233.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.234.0.0 255.254.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.236.0.0 255.252.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.240.0.0 255.240.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.0.0.0 255.128.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.128.0.0 255.192.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.192.0.0 255.224.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.224.0.0 255.248.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.233.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.234.0.0 255.254.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.236.0.0 255.252.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.240.0.0 255.240.0.0
pager lines 24
logging enable
logging console alerts
logging monitor informational
logging buffered debugging
logging trap debugging
logging history alerts
logging asdm critical
logging mail emergencies
logging from-address osama.elolemy@iq.lafarge.com
logging recipient-address mohamed.zedan@iq.lafarge.com level alerts
logging recipient-address osama.elolemy@iq.lafarge.com level critical
logging host inside 10.232.1.45
mtu outside 1500
mtu inside 1500
mtu visitors 1500
mtu ras 1500
ip local pool vpnpool1 10.232.3.100-10.232.3.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 10 209.8.244.103
global (outside) 20 209.8.244.104
nat (inside) 0 access-list 101
nat (inside) 10 ISA-Server 255.255.255.255
nat (inside) 10 10.232.0.210 255.255.255.255
nat (visitors) 20 10.232.4.0 255.255.252.0
nat (visitors) 20 10.232.104.0 255.255.252.0
nat (visitors) 20 10.232.204.0 255.255.252.0
route outside 0.0.0.0 0.0.0.0 209.8.244.97 1
route outside 10.0.0.0 255.0.0.0 195.33.65.158 1
route outside 172.16.0.0 255.240.0.0 195.33.65.158 1
route outside 192.168.0.0 255.255.0.0 195.33.65.158 1
route inside 10.232.100.0 255.255.252.0 10.232.0.1 1
route inside 10.232.200.0 255.255.252.0 10.232.0.1 1
route visitors 10.232.104.0 255.255.252.0 10.232.4.1 1
route visitors 10.232.204.0 255.255.252.0 10.232.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.232.0.0 255.255.252.0 inside
snmp-server host inside 10.232.1.45 community lafarge
snmp-server location Tasluja UCC Building, Lafarge IRAQ
snmp-server contact Osama Elolemy, +9647708686881
snmp-server community lafarge
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set laf-ts esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set laf-ts
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map uccbcc-cm 1 match address laf-acl
crypto map uccbcc-cm 1 set peer 195.33.65.158
crypto map uccbcc-cm 1 set transform-set laf-ts
crypto map uccbcc-cm 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map uccbcc-cm interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 1440
crypto isakmp nat-traversal  20
telnet 10.232.0.0 255.255.252.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
!
!
group-policy taslujavpn internal
group-policy taslujavpn attributes
 wins-server value 10.232.0.35
 dns-server value 10.232.0.35 10.232.0.40
 vpn-tunnel-protocol IPSec
 default-domain value tasluja.ucc.iq
username oelolemy password bGFTsyNhqFXNYFox encrypted privilege 0
username oelolemy attributes
 vpn-group-policy taslujavpn
tunnel-group 195.33.65.158 type ipsec-l2l
tunnel-group 195.33.65.158 ipsec-attributes
 pre-shared-key *
tunnel-group taslujavpn type ipsec-ra
tunnel-group taslujavpn general-attributes
 address-pool vpnpool1
 default-group-policy taslujavpn
tunnel-group taslujavpn ipsec-attributes
 pre-shared-key *
smtp-server 10.232.0.85
prompt hostname context
Cryptochecksum:266aafb0c934f70aa414b1b1c52e5a7d
: end


Your help is greatly appreciated,
0
Comment
Question by:oelolemy
20 Comments
 
LVL 15

Expert Comment

by:bignewf
ID: 24126994
add this:  (I don't see it in your config)

access-group laf-acl in interface outside  (assuming that the access-list laf-acl is for traffic from your outside interface to your inside interface)

This applies the access-list to the outside interface.
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24127045
have you also tried this:

sysopt connection permit-ipsec
0
 

Author Comment

by:oelolemy
ID: 24127138
I have tried both commands now, but still no joy. Unfortunately my PIX version is 7.2, so only sysopt connection permit-vpn is supported.
Any advice?
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24127165
I will return in about an hour; I will review your config in detail.

Have you tried Wireshark or a similar program to see what happens to the packets, i.e. RDP, telnet?
I will inspect your access-lists in detail.
Also, have you tried the packet tracer in the GUI?

thanks
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24127260
First, try this access-list for your VPN client pool to access your internal LAN:

access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0  10.232.3.0 255.255.255.0

I don't see this access-list in your config, only in your NAT 0 access-lists.
0
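A quick way to see whether a NAT-exemption list and a crypto-map list have drifted apart, as an added example that is not code from this thread or from Cisco: it parses the "permit ip" entries of a saved config and reports the source/destination pairs that are present in one list but not in the other. The config excerpt inside it is constructed from a few lines of the posted configuration; the function names and the ACL names passed in are assumptions of this example.

```python
"""Compare a NAT-exemption ACL against a crypto-map ACL on a PIX/ASA-style config.

Added example, not code from the thread. CONSTRUCTED_CONFIG is a hand-built
excerpt that reuses a few access-list lines from the posted configuration; the
functions work on any 'show run' text.
"""
import ipaddress
import re

# Constructed excerpt: three entries of the NAT 0 list and two of the crypto list.
CONSTRUCTED_CONFIG = """\
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 172.16.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.232.3.0 255.255.255.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 192.16.0.0 255.240.0.0
"""

# Only 'permit ip <net> <mask> <net> <mask>' entries are compared; host/any and
# port-based entries are out of scope for this check.
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit ip "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<smask>\S+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dmask>\S+)\s*$",
    re.MULTILINE,
)


def parse_ip_aces(cfg):
    """Return {acl_name: {(src_network, dst_network), ...}}."""
    acls = {}
    for m in ACE_RE.finditer(cfg):
        # ipaddress accepts a dotted netmask after the slash; strict=False
        # tolerates host bits set in the network field.
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        acls.setdefault(m["name"], set()).add((src, dst))
    return acls


def compare_acls(cfg, nat_exempt_acl, crypto_acl):
    """List src -> dst pairs present in one list but missing from the other."""
    acls = parse_ip_aces(cfg)
    nat0 = acls.get(nat_exempt_acl, set())
    crypto = acls.get(crypto_acl, set())

    def fmt(pairs):
        return sorted(f"{s} -> {d}" for s, d in pairs)

    return {
        # exempt from translation but not selected by the static crypto entry
        "only_in_nat_exempt": fmt(nat0 - crypto),
        # selected for encryption, but the NAT rules translate it first
        "only_in_crypto": fmt(crypto - nat0),
    }


if __name__ == "__main__":
    for key, entries in compare_acls(CONSTRUCTED_CONFIG, "101", "laf-acl").items():
        print(key)
        for entry in entries:
            print("   ", entry)
```

Pairs that appear only on the NAT-exempt side leave the firewall untranslated but are not matched by the static crypto-map entry; pairs that appear only on the crypto side are translated by the NAT rules before the crypto map looks at them, so the tunnel never sees the original addresses. A pair in only one list is not automatically a mistake: a remote-access pool matched by a dynamic crypto map needs the NAT exemption but no static crypto ACL entry, which is the case for 10.232.3.0/24 in the posted config.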
 

Author Comment

by:oelolemy
ID: 24128425
I tried this one:
"access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.232.3.0 255.255.255.0"
but unfortunately I was not even able to ping the inside network. From the VPN client I can see packets sent but nothing received. The thing is that I am able to ping all the internal LAN networks (PCs, routers, switches, application servers, ISA), but I am not able to telnet, RDP or access any of them.
Any advice please?
0
 

Author Comment

by:oelolemy
ID: 24128585
I also get this on the PIX when I try to telnet to the router behind the PIX:

%PIX-6-106015: Deny TCP (no connection) from 10.232.0.1/23 to 10.232.3.100/2190
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24134557
Try this:

route inside 10.232.3.0 255.255.255.0 10.232.0.5

and try this for testing telnet:
access-list laf-acl extended permit tcp 10.232.3.0 255.255.255.0 host  [ip address of any server]  subnet mask  eq 23

This will test an ACL for a specific host, allowing telnet from a VPN client to that server.

The error you are reporting indicates that traffic is not passing from host 10.232.0.1 to the VPN client at 10.232.3.100.

I still don't see this access-list below, which allows all IP packets sourced from your internal LAN to the VPN clients at 10.232.3.0:

access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.232.3.0 255.255.255.0  (if most of the LAN hosts are in the 10.232.0.0/23 network)

But first try a specific access-list as I indicated; if that works, then include the list above.
0
 

Author Comment

by:oelolemy
ID: 24145640
I'll try this today and I'll get you a reply. I hope this won't impact our business, since I am going to test this on a production site.
0
 

Author Comment

by:oelolemy
ID: 24155021
I tried the above commands on the PIX, but it doesn't seem to have any effect; even the static route doesn't have any effect on the PIX.
Any advice please?
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24163891
We need some packet traces here to see if it is the access lists, as your connections are being blocked.
You wrote in a previous post:
>>i also get this on the pix when i try to telnet the router behind the PIX
%PIX-6-106015: Deny TCP (no connection) from 10.232.0.1/23 to 10.232.3.100/2190


0
 

Author Comment

by:oelolemy
ID: 24178633
Here are some outputs from the PIX logs; there is no way I can trace a specific network or IP from outside.

%PIX-6-110003: Routing failed to locate next hop for UDP from outside:10.232.3.100/2656 to visitors:10.232.0.40/53
%PIX-6-302021: Teardown ICMP connection for faddr 10.232.3.100/1792 gaddr 10.232.0.1/0 laddr 10.232.0.1/0 (oelolemy)
%PIX-6-302021: Teardown ICMP connection for faddr 10.232.3.100/1792 gaddr 10.232.0.1/0 laddr 10.232.0.1/0
%PIX-6-302020: Built outbound ICMP connection for faddr 10.232.3.100/1792 gaddr 10.232.0.1/0 laddr 10.232.0.1/0
0
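Reading the PIX messages quoted in this thread programmatically, as an added example that is not from the thread and is not Cisco tooling: classify() parses 106015 and 110003 messages and labels the ones where an inside server's reply to a VPN-pool address arrives with no matching connection entry, or where a pool client's packet to an inside address is resolved to an interface other than inside. The sample lines are constructed from the messages posted above (the lines the terminal wrapped are joined back together) plus one unrelated line; the pool and inside subnet come from the posted config, and the function and verdict names are this example's own.

```python
"""Classify PIX syslog lines that indicate broken return routing for VPN clients.

Added example, not from the thread. CONSTRUCTED_LOGS reuses the messages quoted
in the question (joined back together where the terminal wrapped them) plus one
unrelated line; VPN_POOL and INSIDE_NET come from the posted configuration.
"""
import ipaddress
import re
from collections import Counter

VPN_POOL = ipaddress.ip_network("10.232.3.0/24")    # ip local pool vpnpool1
INSIDE_NET = ipaddress.ip_network("10.232.0.0/22")  # inside interface subnet

CONSTRUCTED_LOGS = """\
%PIX-6-106015: Deny TCP (no connection) from 10.232.0.1/23 to 10.232.3.100/2190
%PIX-6-110003: Routing failed to locate next hop for UDP from outside:10.232.3.100/2656 to visitors:10.232.0.40/53
%PIX-6-302020: Built outbound ICMP connection for faddr 10.232.3.100/1792 gaddr 10.232.0.1/0 laddr 10.232.0.1/0
%PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/443 to 209.8.244.103/50000
"""

DENY_RE = re.compile(
    r"%PIX-\d-106015: Deny TCP \(no connection\) from (\S+?)/(\d+) to (\S+?)/(\d+)"
)
ROUTE_RE = re.compile(
    r"%PIX-\d-110003: Routing failed to locate next hop for (\w+) "
    r"from (\w+):(\S+?)/(\d+) to (\w+):(\S+?)/(\d+)"
)


def classify(line, pool=VPN_POOL, inside=INSIDE_NET):
    """Return a dict describing the line, or None if it is not a message we track."""
    m = DENY_RE.search(line)
    if m:
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if ipaddress.ip_address(src) in inside and ipaddress.ip_address(dst) in pool:
            # A non-SYN packet from the server side (source port is the service
            # port) with no connection entry: the client's SYN never created
            # state on this firewall, so the reply is dropped. Forward and
            # return paths are not both passing through the firewall.
            return {"id": "106015", "verdict": "reply-without-state",
                    "server": src, "service_port": sport, "client": dst}
        return {"id": "106015", "verdict": "stray-tcp", "src": src, "dst": dst}
    m = ROUTE_RE.search(line)
    if m:
        proto, _sif, src, _sport, dif, dst, _dport = m.groups()
        if (ipaddress.ip_address(src) in pool
                and ipaddress.ip_address(dst) in inside and dif != "inside"):
            # Client traffic to an inside address is being resolved to an
            # interface other than the one that owns that subnet.
            return {"id": "110003", "verdict": "egress-mismatch", "proto": proto,
                    "client": src, "server": dst, "chosen_interface": dif}
        return {"id": "110003", "verdict": "no-route", "src": src, "dst": dst}
    return None


def summarize(log_text, pool=VPN_POOL, inside=INSIDE_NET):
    """Count verdicts across a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line, pool, inside)
        if hit:
            counts[hit["verdict"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in CONSTRUCTED_LOGS.splitlines():
        print(classify(line))
    print(summarize(CONSTRUCTED_LOGS))
```

A "reply-without-state" hit is the one to chase first: the firewall is only seeing the return half of the conversation, which is consistent with the pool addresses being treated as local by the inside hosts. The "egress-mismatch" hit shows the firewall choosing the visitors interface for a destination that belongs to the inside subnet, which is worth checking against the interface addresses and routes before touching any access-list.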
 

Author Comment

by:oelolemy
ID: 24178641
When I changed the subnet 10.232.3.0 to a different subnet outside our LAN network (10.232.8.0/22), I was able to ping and telnet to my LAN networks 10.232.0.0/22, but at the same time I was not able to ping the remote site tunnel (e.g. 10.100.6.60, 192.168.0.0/16 and 172.16.0.0/16 networks). Strange!!!!
I have also seen some other forums suggesting to add static routes on the PIX, others suggesting to add routes on the Windows client, and people also suggesting to apply policy-based NAT. Any idea please?????
0
 
LVL 15

Accepted Solution

by:
bignewf earned 500 total points
ID: 24179853
since you changed the subnet (vpn clients should always be on a different network than the inside lan network).
In answer to adding static routes on the PIX: yes, add the new network, since the subnet is different. You can try adding an ip classless statement, which will allow any subnet to advertise, but this may not work depending on the IOS version. So add a static route so you can reach and ping the remote site tunnel. Sometimes it is necessary to use the route add statement with static routes on a Windows client if all else fails.

I see your internal LAN subnet is /22; I originally thought your configs had it as a /24 network. Again, the rule of thumb is to always have the remote client on a different network than the internal LAN hosts so routing can occur from the remote client to the internal LAN.
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24179861
Correction to the above post - I didn't finish the first line. Since you changed the subnet (VPN clients should always be on a different network than the inside LAN network), the PIX should know about this route. Unless you are using a dynamic routing protocol, without a route to this new subnet (VPN client pool) it might not find the route to the inside LAN.
0
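The rule of thumb in the accepted answer, turned into a check that can be run against a saved config, as an added example that is not from the thread: it parses the interface addresses, ip local pool and static route lines and reports a pool whose addresses fall inside a directly connected subnet, or a pool that no route covers. The config excerpt is constructed: vpnpool1 and the two interfaces are from the posted config, while vpnpool2, vpnpool3 and the 10.232.12.0/22 route are made up to show the other two outcomes; the function names are this example's own.

```python
"""Check whether a remote-access VPN address pool overlaps a connected subnet.

Added example, not from the thread. CONSTRUCTED_CONFIG is a hand-built excerpt:
the interfaces and vpnpool1 are from the posted config; vpnpool2, vpnpool3 and
the 10.232.12.0/22 route are hypothetical, added to show the other outcomes.
"""
import ipaddress
import re

CONSTRUCTED_CONFIG = """\
interface Ethernet1
 nameif inside
 ip address 10.232.0.5 255.255.252.0
interface Ethernet2
 nameif visitors
 ip address 10.232.4.5 255.255.252.0
ip local pool vpnpool1 10.232.3.100-10.232.3.150 mask 255.255.255.0
ip local pool vpnpool2 10.232.8.100-10.232.8.150 mask 255.255.252.0
ip local pool vpnpool3 10.232.12.100-10.232.12.150 mask 255.255.252.0
route inside 10.232.100.0 255.255.252.0 10.232.0.1 1
route inside 10.232.12.0 255.255.252.0 10.232.0.1 1
"""


def parse_interfaces(cfg):
    """Return {nameif: connected network} for interfaces that carry an address."""
    ifaces, current = {}, None
    for line in cfg.splitlines():
        if re.match(r"^interface \S+", line):
            current = {}          # start collecting the next interface block
            continue
        if current is None:
            continue
        m = re.match(r"^\s+nameif (\S+)", line)
        if m:
            current["nameif"] = m.group(1)
        m = re.match(r"^\s+ip address (\S+) (\S+)", line)
        if m and "nameif" in current:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            ifaces[current["nameif"]] = net
    return ifaces


def parse_pools(cfg):
    """Return {name: (first_ip, last_ip, pool_network)} from 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", cfg, re.M):
        name, first, last, mask = m.groups()
        net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
        pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last), net)
    return pools


def parse_routes(cfg):
    """Return [(interface, destination_network)] from static 'route' lines."""
    routes = []
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        ifname, dst, mask, _gw = m.groups()
        routes.append((ifname, ipaddress.ip_network(f"{dst}/{mask}", strict=False)))
    return routes


def check_pool(cfg, pool_name):
    """Return a list of findings for the named pool; an empty list means no issue found."""
    first, last, pool_net = parse_pools(cfg)[pool_name]
    findings = []
    for ifname, subnet in parse_interfaces(cfg).items():
        if first in subnet or last in subnet:
            # Hosts on that subnet treat pool addresses as local neighbours and
            # ARP for them instead of sending replies to their gateway, so
            # return traffic never reaches the tunnel unless the firewall
            # answers every one of those ARP requests.
            findings.append(f"{pool_name} {first}-{last} lies inside the connected "
                            f"{ifname} subnet {subnet}")
    if not findings and not any(pool_net.subnet_of(r) for _, r in parse_routes(cfg)):
        # Not connected and not routed: the inside default gateway still needs a
        # path back to the pool via the firewall's inside address.
        findings.append(f"no static route covers {pool_net}")
    return findings


if __name__ == "__main__":
    for name in parse_pools(CONSTRUCTED_CONFIG):
        print(name, check_pool(CONSTRUCTED_CONFIG, name) or ["ok"])
```

Against the posted config the check reports vpnpool1 as lying inside the inside subnet 10.232.0.0/22, which is the situation the author hit; a pool moved to 10.232.8.0/22 clears that finding and leaves only the missing route, which is what the next posts deal with.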
 

Author Comment

by:oelolemy
ID: 24180137
Can you please tell me which static routes should be added? And what routes should I add on the Windows client, and how should we add them?
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24180410
route inside 10.232.8.0 255.255.252.0 10.232.0.5
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24180477
As for static routes on Windows XP, there is never a guarantee these will work.
The VPN server, in this case, usually determines the default gateway for the client.

You can try this:

route add -p 10.232.0.0 255.255.252.0 {default gateway of remote client network}


 route ADD 157.0.0.0 MASK 255.0.0.0  157.55.80.1 METRIC 3 IF 2
       destination^      ^mask      ^gateway     metric^    ^
                                                   Interface^
0
 

Author Closing Comment

by:oelolemy
ID: 31569338
somehow convincing
0
