  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 720

Remote Access VPN problem on Cisco PIX

Hi all, I'm having problems configuring a Remote Access VPN on my PIX515E.

The PIX is being used as a firewall for ADSL access, and has a public IP on its outside interface assigned using PPPoE. It is the gateway of last resort for the network, and there is a route on the network for the VPN client pool pointing to the PIX inside interface IP address.

I tried to add a Remote Access VPN using the IPSec VPN wizard in ASDM and have enabled split tunnelling and override/ignore of ACLs. When looking in the statistics window of the Cisco VPN client, originally there were no bytes received, so I enabled transparent tunnelling on TCP port 10000. Now there are bytes received, but zero decrypts. I have also tried adding NAT-T, and using a different version of the VPN client / PC and network.

What does zero decrypts indicate, and what can I do to resolve this? I will attach some info below.
Asked by: fastforward1t

fastforward1t (Author) commented:
VPN client statistics and log
screenshot.JPG
0
 
Qlemo (Developer) commented:
The destination is strange, it is an "all-1s" address (.255). Please check that; it should be your Cisco device's IP address.
0
 
Donboo commented:
Check to see if you have NoNat on the inside interface for when going to the Remote IPSec IPs. In ASDM it is referred to as Exempt in the NAT section.
0
 
lrmoore commented:
Can I assume that the IP you are trying to ping is the inside IP of the PIX?
Try pinging something "past" the PIX on the inside network and not just the PIX interface.
Else you need to designate the inside interface for management-access in order to ping the interface over the VPN.
I think donboo is probably on the right track by questioning the nat0 statement or nat exemption.
I'd probably have to see the complete config before I could help much further.
0
 
fastforward1t (Author) commented:
Thanks for the responses guys.
Qlemo: If I change the subnet of my home router I can get the AddRoute error to go; I think it may be caused by a subnet clash? Either way, still 0 decrypts, so maybe two separate issues here.
Donboo: NoNat ASDM config attached; my understanding is a little hazy but I think this looks ok?
lrmoore: Thanks for the advice regarding ping. I was pinging the default gateway as given out by the VPN pool on the PIX (10.64.250.x). Please see config in post below.
screenshot-NAT.JPG
0
 
Donboo commented:
From the client screenshot I can see that your client's IP is 10.64.250.20 and the NoNat is for 10.64.251.0/26. Change it to 10.64.250.0/26.
0
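The root cause in this thread is a NAT-exemption ("nat 0" / ASDM "Exempt") ACL that names a stale subnet, so replies from the inside network to the VPN client are NATed instead of being sent back through the tunnel, which the client reports as zero decrypts. The following is an added example, not code from the thread or from Cisco: a small Python check that compares a VPN address pool against the NAT-exempt destination subnets and reports any part of the pool that is not covered. The pool range, the exempt ACL entries and the client address below are constructed sample values modelled on the figures in the thread; the range end (.62) is an assumption, since the original pool size is not stated.

```python
import ipaddress

# Constructed sample values modelled on the thread (not from the PIX config itself).
VPN_POOL = ("10.64.250.1", "10.64.250.62")   # assumed pool range; end address is a guess
NAT_EXEMPT_BEFORE = ["10.64.251.0/26"]        # the stale "NoNat" ACL from the old pool
NAT_EXEMPT_AFTER = ["10.64.250.0/26"]         # the corrected ACL suggested in the thread
CLIENT_IP = "10.64.250.20"                    # address the client received from the pool


def pool_to_networks(first, last):
    """Express an address pool as the minimal list of CIDR blocks covering it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def uncovered_pool_ranges(first, last, exempt_cidrs):
    """Return the CIDR blocks of the pool that no NAT-exempt subnet covers.

    Two CIDR blocks are either nested or disjoint, so each pool block is
    dropped (fully covered), split (exempt subnet lies inside it) or kept.
    """
    exempt = [ipaddress.ip_network(c, strict=False) for c in exempt_cidrs]
    remaining = pool_to_networks(first, last)
    for e in exempt:
        still_uncovered = []
        for net in remaining:
            if net.subnet_of(e):
                continue                      # whole block is exempt
            if e.subnet_of(net):
                still_uncovered.extend(net.address_exclude(e))  # carve out the exempt part
            else:
                still_uncovered.append(net)   # disjoint: not exempt at all
        remaining = still_uncovered
    return sorted(remaining)


def client_is_exempt(client_ip, exempt_cidrs):
    """True if the given client address falls inside some NAT-exempt subnet."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in exempt_cidrs)


def nat_exempt_report(first, last, exempt_cidrs, client_ip):
    """Summarise the mismatch in a form suitable for a change review."""
    gaps = uncovered_pool_ranges(first, last, exempt_cidrs)
    return {
        "client_exempt": client_is_exempt(client_ip, exempt_cidrs),
        "uncovered": [str(n) for n in gaps],
        "uncovered_addresses": sum(n.num_addresses for n in gaps),
    }


if __name__ == "__main__":
    for label, acl in (("before", NAT_EXEMPT_BEFORE), ("after", NAT_EXEMPT_AFTER)):
        print(label, nat_exempt_report(*VPN_POOL, acl, CLIENT_IP))
```

With the stale ACL the report shows the client address outside every exempt subnet and all 62 pool addresses uncovered; with the corrected ACL the uncovered list is empty. The same check is useful whenever a pool is renumbered, because the NAT-exempt ACL and the pool are configured separately and nothing on the device warns when they drift apart.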
 
fastforward1t (Author) commented:
Thanks Donboo, can't believe I missed that!!! (You wouldn't believe how many times I have re-read this config..!) .251 was the original pool that I removed. Cheers!
0