Solved

Cisco PIX reomte VPN can ping the internal LAN resources but cannot access resources

Posted on 2009-04-13
5
524 Views
Last Modified: 2013-11-16

Dear Experts

Apparently i was able to set up a remote  access VPN using cisco client through PIX firewall , at first , i had some issues connecting to the remote site to site tunnel and i was able to fix this issue by disabling the split tunnel, now my problem is that iam not able to telnet or RDP through the internal servers of my network, i can ping the internal LAN , routers behind pix but i cannot telnet any


below is my PIX configuration:

UCCFW# sh run
: Saved
:
PIX Version 7.2(3)
!
hostname UCCFW
domain-name iq.lafarge.com
enable password Gq00./HFgspM1n9G encrypted
names
name 10.232.0.15 ISA-Server
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 209.8.244.102 255.255.255.224
!
interface Ethernet1
 speed 100
 nameif inside
 security-level 100
 ip address 10.232.0.5 255.255.252.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif visitors
 security-level 100
 ip address 10.232.4.5 255.255.252.0
!
interface Ethernet3
 nameif ras
 security-level 0
 no ip address
!
passwd Gq00./HFgspM1n9G encrypted
ftp mode passive
clock timezone AST 3
dns server-group DefaultDNS
 domain-name iq.lafarge.com
same-security-traffic permit intra-interface
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 172.16.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 172.16.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 172.16.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.0.0.0 255.128.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.128.0.0 255.192.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.192.0.0 255.224.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.224.0.0 255.248.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.233.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.234.0.0 255.254.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.236.0.0 255.252.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.240.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.0.0.0 255.128.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.128.0.0 255.192.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.192.0.0 255.224.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.224.0.0 255.248.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.233.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.234.0.0 255.254.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.236.0.0 255.252.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.240.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.0.0.0 255.128.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.128.0.0 255.192.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.192.0.0 255.224.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.224.0.0 255.248.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.233.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.234.0.0 255.254.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.236.0.0 255.252.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.240.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.232.3.0 255.255.255.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.232.3.0 255.255.255.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.232.3.0 255.255.255.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 192.16.0.0 255.240.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 192.16.0.0 255.240.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 192.16.0.0 255.240.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.0.0.0 255.128.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.128.0.0 255.192.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.192.0.0 255.224.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.224.0.0 255.248.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.233.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.234.0.0 255.254.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.236.0.0 255.252.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.240.0.0 255.240.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.0.0.0 255.128.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.128.0.0 255.192.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.192.0.0 255.224.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.224.0.0 255.248.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.233.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.234.0.0 255.254.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.236.0.0 255.252.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.240.0.0 255.240.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.0.0.0 255.128.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.128.0.0 255.192.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.192.0.0 255.224.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.224.0.0 255.248.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.233.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.234.0.0 255.254.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.236.0.0 255.252.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.240.0.0 255.240.0.0
pager lines 24
logging enable
logging console alerts
logging monitor informational
logging buffered debugging
logging trap debugging
logging history alerts
logging asdm critical
logging mail emergencies
logging from-address osama.elolemy@iq.lafarge.com
logging recipient-address mohamed.zedan@iq.lafarge.com level alerts
logging recipient-address osama.elolemy@iq.lafarge.com level critical
logging host inside 10.232.1.45
mtu outside 1500
mtu inside 1500
mtu visitors 1500
mtu ras 1500
ip local pool vpnpool1 10.232.3.100-10.232.3.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 10 209.8.244.103
global (outside) 20 209.8.244.104
nat (inside) 0 access-list 101
nat (inside) 10 ISA-Server 255.255.255.255
nat (inside) 10 10.232.0.210 255.255.255.255
nat (visitors) 20 10.232.4.0 255.255.252.0
nat (visitors) 20 10.232.104.0 255.255.252.0
nat (visitors) 20 10.232.204.0 255.255.252.0
route outside 0.0.0.0 0.0.0.0 209.8.244.97 1
route outside 10.0.0.0 255.0.0.0 195.33.65.158 1
route outside 172.16.0.0 255.240.0.0 195.33.65.158 1
route outside 192.168.0.0 255.255.0.0 195.33.65.158 1
route inside 10.232.100.0 255.255.252.0 10.232.0.1 1
route inside 10.232.200.0 255.255.252.0 10.232.0.1 1
route visitors 10.232.104.0 255.255.252.0 10.232.4.1 1
route visitors 10.232.204.0 255.255.252.0 10.232.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.232.0.0 255.255.252.0 inside
snmp-server host inside 10.232.1.45 community lafarge
snmp-server location Tasluja UCC Building, Lafarge IRAQ
snmp-server contact Osama Elolemy, +9647708686881
snmp-server community lafarge
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set laf-ts esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set laf-ts
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map uccbcc-cm 1 match address laf-acl
crypto map uccbcc-cm 1 set peer 195.33.65.158
crypto map uccbcc-cm 1 set transform-set laf-ts
crypto map uccbcc-cm 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map uccbcc-cm interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 1440
crypto isakmp nat-traversal  20
telnet 10.232.0.0 255.255.252.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
!
!
group-policy taslujavpn internal
group-policy taslujavpn attributes
 wins-server value 10.232.0.35
 dns-server value 10.232.0.35 10.232.0.40
 vpn-tunnel-protocol IPSec
 default-domain value tasluja.ucc.iq
username oelolemy password bGFTsyNhqFXNYFox encrypted privilege 0
username oelolemy attributes
 vpn-group-policy taslujavpn
tunnel-group 195.33.65.158 type ipsec-l2l
tunnel-group 195.33.65.158 ipsec-attributes
 pre-shared-key *
tunnel-group taslujavpn type ipsec-ra
tunnel-group taslujavpn general-attributes
 address-pool vpnpool1
 default-group-policy taslujavpn
tunnel-group taslujavpn ipsec-attributes
 pre-shared-key *
smtp-server 10.232.0.85
prompt hostname context
Cryptochecksum:266aafb0c934f70aa414b1b1c52e5a7d
: end


Your help is greatly apprecaited,
0
Comment
Question by:oelolemy
  • 3
  • 2
5 Comments
 
LVL 6

Expert Comment

by:ricks_v
Comment Utility
i havent gone through every single ACL,
but can you please try dropping this.
#sysopt connection permit-vpn
This way we can narrow down whether it's  acl and nat related or not.
0
 

Author Comment

by:oelolemy
Comment Utility
i have removed it but still having the same problem , any advise ?
0
 
LVL 6

Accepted Solution

by:
ricks_v earned 500 total points
Comment Utility
sorry didnt mean to remove it.

can you apply the command I mean

#sysopt connection permit-vpn
0
 

Author Comment

by:oelolemy
Comment Utility
hello

that command was arfleady added and still no use
ice removed the address pool and assigned a different pool (10.232.8.0/22) which is different from the LAn subnet , i can ping and telnet  to the LAN but now , i cannot even ping to the remote site tunnel !!!! please advise
0
 

Author Closing Comment

by:oelolemy
Comment Utility
still did not solve the problem
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
This video discusses moving either the default database or any database to a new volume.
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now