plexter2k (Canada) asked:
Cisco PIX Remote Access VPN

Hello,

I have been trying to get my remote access VPN enabled but for some reason I am unable to access my internal LAN.

My network has two firewalls. The PIX and an internal proxy server/firewall dealy.

Network (relevant) is something like this:

[internet] -- [pix fw] -- [proxy] -- [Internal lan]

Things that DO work:

-I can connect and authenticate to the VPN
-I can PING the EXTERNAL IP of the PROXY
-I can access the management page for the PROXY

Things I CAN'T do but need to:

-Access any host behind the proxy (internal LAN)
-Use split-tunnel to be able to access the internet and use the VPN at the same time; would prefer to use the DNS servers located on the LAN


I've attached my configuration hoping someone can take a look to see what is wrong (if anything).

I do not see any logs (deny traffic) on the proxy when trying to access the internal host. This tells me the problem is on the PIX I presume.

IP Addressing...

PIX internal IP - 192.168.254.1
Proxy External IP - 192.168.254.2
Proxy Internal IP - 10.10.254.1
Internal LAN - 10.10.254.2...etc
VPN Pool is - 10.10.254.32 /29

Hope you can help; need any more info please let me know!

Thanks
config.txt
SuperTaco

Can you post the whole config? Sounds like you need to put in a NAT exemption rule. I know it's a NAT0 command, but I honestly have always done it through the ASDM.
You're close.  Add to your no-nat ACL:

access-list LAN_nat0_outbound permit ip any 10.10.254.32 255.255.255.248

Ernie Beek
Well, those already seem to be there:

access-list LAN_nat0_outbound extended permit ip ABC_LAN 255.255.255.224 10.10.254.32 255.255.255.248
access-list LAN_nat0_outbound extended permit ip Inside_Net_PIX 255.255.255.252 10.10.254.32 255.255.255.248

Did you also check the (ASDM) logs on the PIX?
Is your VPN pool not in the same subnet as the LAN?
Nope, look at the subnet mask.
plexter2k (asker)

Hi all,

Thanks for your replies.

I believe most of the questions have been answered by others (thanks) :)

However, regarding logs: I have attached a sample filtered by the VPN host. I see traffic but no replies.

Thoughts?
log1.txt
Double check your shared secret, transform set and IKE proposals.  It looks like the tunnel isn't forming.
I'm a ding-dong, sorry, this isn't for a site-to-site. I would still check the authentication. It looks like the tunnel isn't being built.
If you do a
sh cryp ips sa
and
sh cryp is sa

Does it show anything?
Hello all,

Thanks. Tried the commands and all seems good to me. I've attached the results.



sa-commands.txt
Ok, let's do a little test.

Remove the access group:
no access-group WAN_access_in_1 in interface WAN control-plane
And add:
sysopt connection permit-vpn
This will allow vpn traffic through the ASA without having to add an ACE to the outside access list for it.

Let's see what happens then.
Hi again,

VPN still works, but I am still not able to connect (or see logs on the proxy) to the internal lan. :(

Can you connect to the proxy (inside or outside)?
Hello,

I can connect to the proxy external interface for management but not the proxy internal interface which is also the internal lan.

Thanks
Well the pix is looking good to me. You might want to take a closer look at the proxy.
Is it a possibility to do some tests without the proxy to see if the issue is on that?
Just doing some testing regarding the proxy to see if anything can be resolved on that end. Will post back when I can.

Thanks!
I'll be here :)
setting up something else to see if things will work.
Still here ;)
Hi Erniebeek,

Just wanted to say thanks for your help. I redid the Cisco PIX and everything seems to be working now except for the following:

- Split Tunneling: I am able to browse the internet (I believe through the PIX first) but not local networks

Not really related to VPN but figure I'll ask
- I want to ensure my NAT statement will translate all incoming IP addresses and not just the one associated to my internal interface.  As I had stated earlier I have a second firewall device after the PIX. This device also does NAT which really should not be required. However if I turn NAT off on the second firewall internet access does not work properly. I figure it might have something to do with the addresses not being on the same block as the internal interface on the pix?

Any thoughts would be great!

Thanks again.

new-config.txt
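The pieces discussed in this thread (the nat 0 exemption toward the VPN pool, sysopt connection permit-vpn, and the split-tunnel plus LAN DNS setup the asker still needs) collected into one PIX 7.x-style configuration. This is an added example, not the asker's config.txt, new-config.txt or the accepted solution. It reuses the addresses and the ACL/object names from the thread; the inside interface name LAN, the pool, group-policy and tunnel-group names, the assumption that the internal LAN is 10.10.254.0/24, and the DNS server 10.10.254.10 are placeholders chosen here.

```cisco
! Assumed interface names: WAN (outside, shown in the thread) and LAN (inside, assumed).
! ABC_LAN and Inside_Net_PIX appear in the poster's ACL and are assumed to be
! "name" entries for the internal network and the PIX<->proxy link.

! 1. Address pool for remote-access clients: 10.10.254.32/29 from the post
ip local pool VPN_POOL 10.10.254.33-10.10.254.38 mask 255.255.255.248

! 2. NAT exemption: inside networks talking to VPN clients must not be translated,
!    or the client sees a translated source address it has no return route for.
access-list LAN_nat0_outbound extended permit ip ABC_LAN 255.255.255.224 10.10.254.32 255.255.255.248
access-list LAN_nat0_outbound extended permit ip Inside_Net_PIX 255.255.255.252 10.10.254.32 255.255.255.248
nat (LAN) 0 access-list LAN_nat0_outbound

! 3. Let decrypted VPN traffic bypass the WAN interface ACL, so no ACE is needed
!    in WAN_access_in_1 for traffic arriving through the tunnel.
sysopt connection permit-vpn

! 4. Split tunnel: only these destinations are sent through the tunnel; everything
!    else leaves the client directly. Standard ACL, destination networks only.
!    10.10.254.0/24 (internal LAN size) is an assumption; 192.168.254.0/30 is the
!    PIX<->proxy link from the post.
access-list SPLIT_TUNNEL standard permit 10.10.254.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.254.0 255.255.255.252

! 5. Group policy: apply the split-tunnel list and hand out the LAN DNS server
!    (10.10.254.10 and example.local are placeholders).
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 dns-server value 10.10.254.10
 default-domain value example.local

! 6. Bind pool and policy to the remote-access tunnel group (name is a placeholder)
tunnel-group RA_VPN type ipsec-ra
tunnel-group RA_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy RA_POLICY
```

Two return-path checks are worth doing alongside this, because "I see traffic but no replies" on the VPN host matches a reply that never comes back rather than a reply that the PIX blocks. First, the proxy needs a route for 10.10.254.32/29 pointing at the PIX inside address 192.168.254.1; a default route through the PIX covers it only if the proxy does not consider the pool local. Second, the pool is carved out of the 10.10.254.x space that the LAN behind the proxy also uses: if the proxy's inside interface (10.10.254.1) carries a mask that includes .32 to .39, the proxy and the LAN hosts will treat VPN clients as on-link and ARP for them instead of sending replies toward the PIX, which produces exactly the one-way traffic seen in the attached log. Moving the pool to a range outside the internal LAN, or narrowing the LAN mask so the two do not overlap, removes that ambiguity.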
ASKER CERTIFIED SOLUTION
Ernie Beek (Netherlands)

Awesome seems to be working now. Everything is good. Thanks for your help!
Thanks!
You're welcome :)
Thx for the points.