Solved

Cisco PIX Remote Access VPN

Posted on 2011-09-06
Last Modified: 2012-06-22
Hello,

I have been trying to get my remote access VPN enabled but for some reason I am unable to access my internal LAN.

My network has two firewalls. The PIX and an internal proxy server/firewall dealy.

Network (relevant) is something like this:

[internet] -- [pix fw] -- [proxy] -- [Internal lan]

Things that DO work:

-I can connect and authenticate to the VPN
-I can PING the EXTERNAL IP of the PROXY
-I can access the management page for the PROXY

Things I CAN'T do; but need to:

-Access any host behind the proxy (internal LAN)
-Use split-tunnel to be able to access the internet and use the VPN at the same time; would prefer to use the DNS servers located on the LAN


I've attached my configuration hoping someone can take a look to see what is wrong (if anything).

I do not see any logs (deny traffic) on the proxy when trying to access the internal host. This tells me the problem is on the PIX I presume.

IP Addressing...

PIX internal IP - 192.168.254.1
Proxy External IP - 192.168.254.2
Proxy Internal IP - 10.10.254.1
Internal LAN - 10.10.254.2...etc
VPN Pool is - 10.10.254.32 /29

Hope you can help; need any more info please let me know!

Thanks
config.txt
Question by:plexter2k

Expert Comment

by:SuperTaco
ID: 36492920
Can you post the whole config? Sounds like you need to put in a NAT exemption rule. I know it's a NAT0 command but I honestly have always done it through the ASDM.

Expert Comment

by:jmeggers
ID: 36493100
You're close.  Add to your no-nat ACL:

access-list LAN_nat0_outbound permit ip any 10.10.254.32 255.255.255.248


Expert Comment

by:Ernie Beek
ID: 36493994
Well those already seem to be there:

access-list LAN_nat0_outbound extended permit ip ABC_LAN 255.255.255.224 10.10.254.32 255.255.255.248
access-list LAN_nat0_outbound extended permit ip Inside_Net_PIX 255.255.255.252 10.10.254.32 255.255.255.248

Did you also check the (ASDM) logs on the PIX?

Expert Comment

by:poweruser32
ID: 36496753
Is your VPN pool not in the same subnet as the LAN?

Expert Comment

by:Ernie Beek
ID: 36496783
Nope, look at the subnet mask.

Author Comment

by:plexter2k
ID: 36499938
Hi all,

Thanks for your replies.

I believe most of the questions have been answered by others (thanks) :)

However, regarding logs, I have attached a sample filtered by the VPN host. I see traffic but no replies.

Thoughts?
log1.txt

Expert Comment

by:SuperTaco
ID: 36500353
Double check your shared secret, transform set and IKE proposals.  It looks like the tunnel isn't forming.

Expert Comment

by:SuperTaco
ID: 36500358
I'm a ding-dong, sorry, this isn't for a site-to-site. I would still check the authentication. It looks like the tunnel isn't being built.

Expert Comment

by:Ernie Beek
ID: 36501171
If you do a
sh cryp ips sa
and
sh cryp is sa

Does it show anything?

Author Comment

by:plexter2k
ID: 36502004
Hello all,

Thanks. Tried the commands and all seems good to me. I've attached the results.



sa-commands.txt

Expert Comment

by:Ernie Beek
ID: 36502284
Ok, let's do a little test.

Remove the access group:
no access-group WAN_access_in_1 in interface WAN control-plane
And add:
sysopt connection permit-vpn
This will allow vpn traffic through the ASA without having to add an ACE to the outside access list for it.

Let's see what happens then.

Author Comment

by:plexter2k
ID: 36507870
Hi again,

VPN still works, but I am still not able to connect (or see logs on the proxy) to the internal lan. :(


Expert Comment

by:Ernie Beek
ID: 36508624
Can you connect to the proxy (inside or outside)?

Author Comment

by:plexter2k
ID: 36513391
Hello,

I can connect to the proxy external interface for management but not the proxy internal interface which is also the internal lan.

Thanks

Expert Comment

by:Ernie Beek
ID: 36513736
Well the pix is looking good to me. You might want to take a closer look at the proxy.
Is it a possibility to do some tests without the proxy to see if the issue is on that?

Author Comment

by:plexter2k
ID: 36536047
Just doing some testing regarding the proxy to see if anything can be resolved on that end. Will post back when I can.

Thanks!

Expert Comment

by:Ernie Beek
ID: 36536072
I'll be here :)

Author Comment

by:plexter2k
ID: 36560226
Setting up something else to see if things will work.

Expert Comment

by:Ernie Beek
ID: 36560276
Still here ;)

Author Comment

by:plexter2k
ID: 36905002
Hi Erniebeek,

Just wanted to say thanks for your help. I redid the Cisco PIX and everything seems to be working now except for the following:

- Split Tunneling: I am able to browse the internet (i believe through the PIX first) but not local networks

Not really related to VPN but figure I'll ask
- I want to ensure my NAT statement will translate all incoming IP addresses and not just the one associated to my internal interface.  As I had stated earlier I have a second firewall device after the PIX. This device also does NAT which really should not be required. However if I turn NAT off on the second firewall internet access does not work properly. I figure it might have something to do with the addresses not being on the same block as the internal interface on the pix?

Any thoughts would be great!

Thanks again.

 new-config.txt

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 36908748
Glad I could help :)

Let's see, I don't see a setup for split tunneling. Check this page: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2

The ASA should NAT everything coming in from the inside (looking at the new config). So if it doesn't when turning off NAT on the second, check the logs first (on the ASA and perhaps the proxy) to see if it shows anything that might give you a clue why that isn't working.
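The pieces discussed in this thread (the nat 0 exemption from the earlier comments, sysopt connection permit-vpn, and the split-tunnel group policy that the accepted answer points to) pulled together into one remote-access configuration. This is an added example, not the poster's config.txt or new-config.txt, written in the pre-8.3 PIX 7.x/8.0 syntax the posted ACL lines use. Assumptions: the inside interface is named LAN, ABC_LAN is 10.10.254.0/27 (the .224 mask in the posted nat0 ACL), the LAN DNS server is 10.10.254.2, and the names RA_POOL, RA_SPLIT, RA_POLICY and RA_VPN are made up for the example. Other addresses are the ones given in the question.

```text
! Added example (not the thread's posted configuration). PIX 7.x/8.0 NAT syntax, before the 8.3 redesign.
! Assumed: inside nameif "LAN"; ABC_LAN = 10.10.254.0/27; LAN DNS = 10.10.254.2;
! RA_POOL, RA_SPLIT, RA_POLICY and RA_VPN are example names.
! From the question: PIX inside 192.168.254.1/30, proxy 192.168.254.2 / 10.10.254.1, VPN pool 10.10.254.32/29.

! Addresses handed to remote-access clients (10.10.254.33-38; .32 and .39 are network/broadcast of the /29)
ip local pool RA_POOL 10.10.254.33-10.10.254.38 mask 255.255.255.248

! NAT exemption: traffic between the inside networks and the VPN pool must not be translated,
! otherwise the LAN sees the PIX's address and the decrypted flow never matches the crypto map on the way back.
access-list LAN_nat0_outbound extended permit ip 10.10.254.0 255.255.255.224 10.10.254.32 255.255.255.248
access-list LAN_nat0_outbound extended permit ip 192.168.254.0 255.255.255.252 10.10.254.32 255.255.255.248
nat (LAN) 0 access-list LAN_nat0_outbound

! Let decrypted VPN traffic bypass the outside interface ACL (replaces per-client ACEs in WAN_access_in_1)
sysopt connection permit-vpn

! Split tunnel: only these destinations go through the tunnel; everything else uses the client's own internet.
! A standard ACL lists the networks reachable through the tunnel.
access-list RA_SPLIT standard permit 10.10.254.0 255.255.255.224
access-list RA_SPLIT standard permit 192.168.254.0 255.255.255.252

! Group policy: split tunnel plus LAN DNS servers pushed to the client
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 dns-server value 10.10.254.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_SPLIT

! Tunnel group ties pool, policy and authentication together
tunnel-group RA_VPN type ipsec-ra
tunnel-group RA_VPN general-attributes
 address-pool RA_POOL
 default-group-policy RA_POLICY
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key <set your own; placeholder, not a value from the thread>

! Return path caveat (assumption about the proxy, which is not shown in the thread):
! the proxy at 192.168.254.2 / 10.10.254.1 needs a route for 10.10.254.32/29 via 192.168.254.1
! and must neither NAT nor filter it, or LAN replies never reach the PIX. Note the pool sits just
! outside the LAN /27 (.0-.31 vs .32-.39); if the LAN were really a /24, hosts would ARP for pool
! addresses on-link instead of routing replies, which is why the mask comment in the thread matters.
!
! Verification on the PIX:
!   show crypto ipsec sa         (both #pkts encaps and #pkts decaps should increase for a client)
!   show vpn-sessiondb remote    (assigned address and the split-tunnel list actually pushed)
!   show xlate | include 10.10.254.3   (should show no translation for pool addresses)
```

If decaps counts rise but encaps stays at zero, the PIX is receiving client traffic and the missing piece is downstream (the nat0 exemption or the proxy's return route), which matches the "traffic but no replies" symptom in the attached log.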

Author Comment

by:plexter2k
ID: 36911888
Awesome seems to be working now. Everything is good. Thanks for your help!

Author Closing Comment

by:plexter2k
ID: 36911893
Thanks!

Expert Comment

by:Ernie Beek
ID: 36911965
You're welcome :)
Thx for the points.
