• Status: Solved

Cisco PIX 501 VPN Connection No LAN Access and No SSH

I have configured my pix 501 for vpn access.  I am trying to connect using cisco vpn client 5.0.05.0290.  The client makes the VPN connection successfully but I cannot access anything at the remote site.  I have tried changing the ip pool to 192.168.5.1-5 but still nothing.  Also I cannot ssh into the pix.  I get a password prompt and put in the password that I am positive is correct and it will not work.  I am using the username pix for the ssh connection.  See config below.

Thanks

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xx encrypted
passwd xx encrypted
hostname xxxxxxx
domain-name xxxxx.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list NONAT permit ip 10.249.130.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_access_in permit icmp any interface outside
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xx.xx 255.255.255.248
ip address inside 10.249.130.232 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool XXXVPN 10.1.1.1-10.1.1.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set XXXSET esp-3des esp-md5-hmac
crypto dynamic-map XXXDMAP 10 set transform-set XXXSET
crypto map XXXMAP 10 ipsec-isakmp dynamic XXXDMAP
crypto map XXXMAP interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup XXXVPNGROUP address-pool XXXVPN
vpngroup XXXVPNGROUP dns-server 10.249.130.2
vpngroup XXXVPNGROUP default-domain XXXXX.com
vpngroup XXXVPNGROUP split-tunnel NONAT
vpngroup XXXVPNGROUP idle-time 1800
vpngroup XXXVPNGROUP password ********
telnet 10.249.130.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
username admin password XXX encrypted privilege 15
terminal width 80

1 Solution
 
jmeggers Commented:
For the VPN, do the devices you're trying to reach know where the VPN address block is, meaning do any layer-3 devices have a route to it?  If the devices are on the immediate LAN subnet off the PIX, what is the default gateway they are using?

For SSH, I don't see any authentication configured.
 
dupont2406 (Author) Commented:
I don't remember ever having to add authentication for ssh.  Normally I use the username pix and enable password.  Can you tell me how to do that?

There are no routes back to the pix.  The LAN devices are using a router for the default gateway.
 
jmeggers Commented:
For SSH, the same way you're already doing it for telnet:

aaa authentication ssh console LOCAL

So it sounds like you have another router behind the PIX, and devices attached to that are using the router as their default gateway?  Is the router using the PIX as its default gateway?  If you have a subnet on the other side of a routing device, you need to either add a static route on the PIX (route inside <subnet> <mask> <router IP address>) or you need to enable a dynamic protocol such as RIP or OSPF. The commands are different depending on what protocol you're running.
 
dupont2406 (Author) Commented:
I tried setting the gateway on one server to point to the PIX.  Still no connection.  Also I have 3 other locations with the exact same equipment configured identical to this one and I am able to connect with no problem.  I also compared the pix configs from the other locations and they are the same.
 
jmeggers Commented:
Are you saying you have a device on the PIX's LAN subnet, its default gateway points to the PIX itself, and you still cannot reach it from the VPN?  Is the VPN using the same 10.1.1.0 subnet shown in your config, or has that changed?  (You mentioned changing to 192.168.5.0 in your original question.)  If so, did you also change the no-nat ACL?
 
dupont2406 (Author) Commented:
Yes, the server is on the PIX's LAN subnet, pointed at the PIX IP, and I cannot connect.  The VPN pool is the 10.1.1.0.  The config is as it is posted above except I added the ssh authentication which fixed the ssh issue.  The no-nat ACL is as it is posted above.
 
dupont2406 (Author) Commented:
CORRECTION....

The IP pool was on the LAN subnet, I was trying stuff.  I put it back to the 10.1.1.0 and I can see the server now.  Is there a route I can put in the pix so I can access the other devices w/o changing the gateway?
 
dupont2406 (Author) Commented:
Because I do not have to do that in my other locations.

Thanks
 
dupont2406 (Author) Commented:
I have done some research.  The other locations do have a route in the router (default gateway) to the VPN device.  All is working.  Thank you for all your help
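The three pitfalls this thread works through (a VPN pool placed on the LAN subnet, a nat 0 ACL that does not cover the pool, and SSH permitted with no `aaa authentication ssh console` line) can all be spotted in the posted config text itself; the missing return route lives on the LAN router, so the script below also prints the IOS-style static route that router needs. This is an added example, not code from the thread or from Cisco; the config excerpt is constructed to match the addresses posted above, and the regular expressions assume PIX 6.3-style single-line commands.

```python
import ipaddress
import re

# Constructed excerpt in the shape of the config posted above (same addresses);
# the 'aaa authentication ssh' line is deliberately absent, as in the original post.
SAMPLE_CONFIG = """\
ip address inside 10.249.130.232 255.255.255.0
access-list NONAT permit ip 10.249.130.0 255.255.255.0 10.1.1.0 255.255.255.0
ip local pool XXXVPN 10.1.1.1-10.1.1.254
nat (inside) 0 access-list NONAT
aaa authentication telnet console LOCAL
ssh 0.0.0.0 0.0.0.0 outside
"""

def _parse(config):
    """Pull out the pool range, the inside interface and the nat-0 ACL destinations."""
    pool = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    inside = re.search(r"^ip address inside (\S+) (\S+)", config, re.M)
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not (pool and inside and nat0):
        raise ValueError("need ip local pool, ip address inside and nat (inside) 0")
    lo, hi = (ipaddress.ip_address(a) for a in pool.groups())
    inside_net = ipaddress.ip_network(f"{inside.group(1)}/{inside.group(2)}", strict=False)
    acl = re.findall(rf"^access-list {nat0.group(1)} permit ip \S+ \S+ (\S+) (\S+)", config, re.M)
    dests = [ipaddress.ip_network(f"{d}/{m}", strict=False) for d, m in acl]
    return lo, hi, inside.group(1), inside_net, dests

def lint_pix_vpn(config):
    """Findings for the three pitfalls discussed in the thread (empty list = clean)."""
    lo, hi, _ip, inside_net, dests = _parse(config)
    findings = []
    # Pool on the LAN subnet (the author's CORRECTION): LAN hosts ARP locally for
    # those addresses instead of sending replies to the PIX, so nothing returns over IPsec.
    if lo in inside_net or hi in inside_net:
        findings.append("vpn pool overlaps the inside subnet; use a separate block")
    # nat 0 must exempt LAN -> pool traffic, or replies get PATed to the outside address.
    if not any(lo in n and hi in n for n in dests):
        findings.append("nat 0 ACL does not cover the whole vpn pool")
    # ssh permitted on an interface but no authentication source configured for it.
    if re.search(r"^ssh \S+ \S+ \S+", config, re.M) and not re.search(
            r"^aaa authentication ssh console", config, re.M):
        findings.append("ssh enabled but 'aaa authentication ssh console <server>' is missing")
    return findings

def lan_return_route(config):
    """IOS-style static route the LAN default gateway needs so replies reach the pool via the PIX."""
    lo, hi, inside_ip, _net, dests = _parse(config)
    net = next(n for n in dests if lo in n and hi in n)
    return f"ip route {net.network_address} {net.netmask} {inside_ip}"
```

Run `lint_pix_vpn` over a saved `show run` and add the printed `ip route` line on the router that LAN hosts use as their gateway, which is what fixed the last remaining symptom in this thread.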
