Cisco PIX Remote Access VPN

Hello,

I have been trying to get my remote access VPN enabled but for some reason I am unable to access my internal LAN.

My network has two firewalls. The PIX and an internal proxy server/firewall dealy.

Network (relevant) is something like this:

[internet] -- [pix fw] -- [proxy] -- [Internal lan]

Things that DO work:

-I can connect and authenticate to the VPN
-I can PING the EXTERNAL IP of the PROXY
-I can access the management page for the PROXY

Things I CAN'T do, but need to:

-Access any host behind the proxy (internal LAN)
-Use split-tunnel to be able to access the internet and use the VPN at the same time; would prefer to use the DNS servers located on the LAN


I've attached my configuration hoping someone can take a look to see what is wrong (if anything).

I do not see any logs (deny traffic) on the proxy when trying to access the internal host. This tells me the problem is on the PIX I presume.

IP Addressing...

PIX internal IP - 192.168.254.1
Proxy External IP - 192.168.254.2
Proxy Internal IP - 10.10.254.1
Internal LAN - 10.10.254.2...etc
VPN Pool is - 10.10.254.32 /29

Hope you can help; need any more info please let me know!

Thanks
config.txt
plexter2k Asked:

Ernie Beek (Expert, accepted solution) Commented:
Glad I could help :)

Let's see, I don't see a setup for split tunneling. Check this page: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2

The ASA should NAT everything coming in from the inside (looking at the new config). So if it doesn't when turning off NAT on the second, check the logs first (on the ASA and perhaps the proxy) to see if it shows anything that might give you a clue why that isn't working.
0
 
SuperTaco Commented:
</gre_replace>
<gr_replace lines="53" cat="clarify" orig="Can you post">
Can you post the whole config? Sounds like you need to put in a NAT exemption rule. I know it's a nat 0 command, but I honestly have always done it through the ASDM.
Can you post the whole config?  sounds like you need to put in a NAT exemption rule.  I know it's a NAT0 command but i honestly have always done it through the ASDM.
0
 
John Meggers (Network Architect) Commented:
You're close.  Add to your no-nat ACL:

access-list LAN_nat0_outbound permit ip any 10.10.254.32 255.255.255.248

0

 
Ernie Beek (Expert) Commented:
Well, those already seem to be there:

access-list LAN_nat0_outbound extended permit ip ABC_LAN 255.255.255.224 10.10.254.32 255.255.255.248
access-list LAN_nat0_outbound extended permit ip Inside_Net_PIX 255.255.255.252 10.10.254.32 255.255.255.248

Did you also check the (ASDM) logs on the PIX?
0
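As an added illustration that is not part of the thread: a small Python check of whether a no-nat ACL like the one quoted above (and John's suggested `any` line) exempts traffic from a given inside host to the whole VPN pool. The name table is constructed, since the thread never shows the PIX `name` commands; the two ACEs are quoted from the thread verbatim.

```python
import ipaddress

# Constructed name table standing in for the PIX "name" commands, which the
# thread never shows; the values are assumptions chosen to fit the addressing
# given in the question (PIX inside 192.168.254.1/30, LAN hosts 10.10.254.x).
NAMES = {
    "ABC_LAN": "10.10.254.0",
    "Inside_Net_PIX": "192.168.254.0",
}

# The two no-nat ACEs quoted above, verbatim from the thread.
NAT0_ACL = [
    "access-list LAN_nat0_outbound extended permit ip ABC_LAN 255.255.255.224 10.10.254.32 255.255.255.248",
    "access-list LAN_nat0_outbound extended permit ip Inside_Net_PIX 255.255.255.252 10.10.254.32 255.255.255.248",
]


def _operand(tokens, i, names):
    """Consume one address operand (any | host A | A MASK); return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    addr, mask = names.get(tok, tok), tokens[i + 1]
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_ace(line, names=NAMES):
    """Parse 'access-list NAME [extended] permit|deny ip SRC DST' into a dict."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an ACE: {line!r}")
    i = 3 if t[2] == "extended" else 2
    action, proto = t[i], t[i + 1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"only 'permit|deny ip' ACEs handled: {line!r}")
    src, i = _operand(t, i + 2, names)
    dst, _ = _operand(t, i, names)
    return {"acl": t[1], "action": action, "src": src, "dst": dst}


def nat0_covers(acl_lines, src_host, vpn_pool, names=NAMES):
    """True if the first matching ACE exempts src_host -> the whole VPN pool from NAT."""
    host, pool = ipaddress.ip_address(src_host), ipaddress.ip_network(vpn_pool)
    for line in acl_lines:
        ace = parse_ace(line, names)
        if host in ace["src"] and pool.subnet_of(ace["dst"]):
            return ace["action"] == "permit"
    return False
```

With the assumed name values, a host in ABC_LAN or on the PIX inside segment is already exempted, while a host on any other inside network is not until an `any` ACE is added.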
 
poweruser32 Commented:
Is your VPN pool not in the same subnet as the LAN?
0
 
Ernie Beek (Expert) Commented:
Nope, look at the subnet mask.
0
 
plexter2k (Author) Commented:
Hi all,

Thanks for your replies.

I believe most of the questions have been answered by others (thanks) :)

However, regarding logs: I have attached a sample filtered by the VPN host. I see traffic but no replies.

Thoughts?
log1.txt
0
 
SuperTaco Commented:
Double-check your shared secret, transform set and IKE proposals. It looks like the tunnel isn't forming.
0
 
SuperTaco Commented:
I'm a ding-dong, sorry, this isn't for a site-to-site. I would still check the authentication. It looks like the tunnel isn't being built.
0
 
Ernie Beek (Expert) Commented:
If you do a
sh cryp ips sa
and
sh cryp is sa

Does it show anything?
0
 
plexter2k (Author) Commented:
Hello all,

Thanks. Tried the commands and all seems good to me. I've attached the results.



sa-commands.txt
0
 
Ernie Beek (Expert) Commented:
Ok, let's do a little test.

Remove the access group:
no access-group WAN_access_in_1 in interface WAN control-plane
And add:
sysopt connection permit-vpn
This will allow vpn traffic through the ASA without having to add an ACE to the outside access list for it.

Let's see what happens then.
0
 
plexter2k (Author) Commented:
Hi again,

VPN still works, but I am still not able to connect to the internal LAN (or see logs on the proxy). :(

0
 
Ernie Beek (Expert) Commented:
Can you connect to the proxy (inside or outside)?
0
 
plexter2k (Author) Commented:
Hello,

I can connect to the proxy's external interface for management, but not to the proxy's internal interface, which is also the internal LAN.

Thanks
0
 
Ernie Beek (Expert) Commented:
Well, the PIX is looking good to me. You might want to take a closer look at the proxy.
Is it possible to do some tests without the proxy to see if the issue is on that?
0
 
plexter2k (Author) Commented:
Just doing some testing regarding the proxy to see if anything can be resolved on that end. Will post back when I can.

Thanks!
0
 
Ernie Beek (Expert) Commented:
I'll be here :)
0
 
plexter2k (Author) Commented:
Setting up something else to see if things will work.
0
 
Ernie Beek (Expert) Commented:
Still here ;)
0
 
plexter2k (Author) Commented:
Hi Erniebeek,

Just wanted to say thanks for your help. I re-did the Cisco PIX and everything seems to be working now except for the following:

- Split tunneling: I am able to browse the internet (I believe through the PIX first) but not local networks

Not really related to VPN, but I figure I'll ask:
- I want to ensure my NAT statement will translate all incoming IP addresses and not just the one associated with my internal interface. As I had stated earlier, I have a second firewall device after the PIX. This device also does NAT, which really should not be required. However, if I turn NAT off on the second firewall, internet access does not work properly. I figure it might have something to do with the addresses not being on the same block as the internal interface on the PIX?

Any thoughts would be great!

Thanks again.

new-config.txt
0
 
plexter2k (Author) Commented:
Awesome, seems to be working now. Everything is good. Thanks for your help!
0
 
plexter2k (Author) Commented:
Thanks!
0
 
Ernie Beek (Expert) Commented:
You're welcome :)
Thx for the points.
0