Cisco PIX Remote Access VPN

Hello,

I have been trying to get my remote access VPN enabled but for some reason I am unable to access my internal LAN.

My network has two firewalls. The PIX and an internal proxy server/firewall dealy.

Network (relevant) is something like this:

[internet] -- [pix fw] -- [proxy] -- [Internal lan]

Things that DO work:

-I can connect and authenticate to the VPN
-I can PING the EXTERNAL IP of the PROXY
-I can access the management page for the PROXY

Things I CAN'T do; but need to:

-Access any host behind the proxy (internal LAN)
-Use split-tunnel to be able to access the internet and use the VPN at the same time; would prefer to use the DNS servers located on the LAN


I've attached my configuration hoping someone can take a look to see what is wrong (if anything).

I do not see any logs (deny traffic) on the proxy when trying to access the internal host. This tells me the problem is on the PIX I presume.

IP Addressing...

PIX internal IP - 192.168.254.1
Proxy External IP - 192.168.254.2
Proxy Internal IP - 10.10.254.1
Internal LAN - 10.10.254.2...etc
VPN Pool is - 10.10.254.32 /29

Hope you can help; need any more info please let me know!

Thanks
config.txt
plexter2k Asked:
SuperTaco Commented:
Can you post the whole config? Sounds like you need to put in a NAT exemption rule. I know it's a NAT0 command, but I honestly have always done it through the ASDM.
0
John Meggers (Network Architect) Commented:
You're close.  Add to your no-nat ACL:

access-list LAN_nat0_outbound permit ip any 10.10.254.32 255.255.255.248

0
Ernie Beek (Expert) Commented:
Well, those already seem to be there:

access-list LAN_nat0_outbound extended permit ip ABC_LAN 255.255.255.224 10.10.254.32 255.255.255.248
access-list LAN_nat0_outbound extended permit ip Inside_Net_PIX 255.255.255.252 10.10.254.32 255.255.255.248

Did you also check the (ASDM) logs on the PIX?
0
poweruser32 Commented:
Is your VPN pool not in the same subnet as the LAN?
0
Ernie Beek (Expert) Commented:
Nope, look at the subnet mask.
0
plexter2k (Author) Commented:
Hi all,

Thanks for your replies.

I believe most of the questions have been answered by others (thanks) :)

However, regarding logs, I have attached a sample filtered by the VPN host. I see traffic but no replies.

Thoughts?
log1.txt
0
SuperTaco Commented:
Double check your shared secret, transform set and IKE proposals.  It looks like the tunnel isn't forming.
0
SuperTaco Commented:
I'm a ding-dong, sorry, this isn't for a site-to-site. I would still check the authentication. It looks like the tunnel isn't being built.
0
Ernie Beek (Expert) Commented:
If you do a
sh cryp ips sa
and
sh cryp is sa

Does it show anything?
0
plexter2k (Author) Commented:
Hello all,

Thanks. Tried the commands and all seems good to me. I've attached the results.



sa-commands.txt
0
Ernie Beek (Expert) Commented:
Ok, let's do a little test.

Remove the access group:
no access-group WAN_access_in_1 in interface WAN control-plane
And add:
sysopt connection permit-vpn
This will allow vpn traffic through the ASA without having to add an ACE to the outside access list for it.

Let's see what happens then.
0
plexter2k (Author) Commented:
Hi again,

VPN still works, but I am still not able to connect (or see logs on the proxy) to the internal lan. :(

0
Ernie Beek (Expert) Commented:
Can you connect to the proxy (inside or outside)?
0
plexter2k (Author) Commented:
Hello,

I can connect to the proxy external interface for management but not the proxy internal interface which is also the internal lan.

Thanks
0
Ernie Beek (Expert) Commented:
Well, the PIX is looking good to me. You might want to take a closer look at the proxy.
Is it a possibility to do some tests without the proxy to see if the issue is on that?
0
plexter2k (Author) Commented:
Just doing some testing regarding the proxy to see if anything can be resolved on that end. Will post back when I can.

Thanks!
0
Ernie Beek (Expert) Commented:
I'll be here :)
0
plexter2k (Author) Commented:
Setting up something else to see if things will work.
0
Ernie Beek (Expert) Commented:
Still here ;)
0
plexter2k (Author) Commented:
Hi Ernie Beek,

Just wanted to say thanks for your help. I redid the Cisco PIX and everything seems to be working now except for the following:

- Split Tunneling: I am able to browse the internet (I believe through the PIX first) but not local networks

Not really related to VPN, but I figure I'll ask:
- I want to ensure my NAT statement will translate all incoming IP addresses and not just the one associated to my internal interface. As I had stated earlier, I have a second firewall device after the PIX. This device also does NAT, which really should not be required. However, if I turn NAT off on the second firewall, internet access does not work properly. I figure it might have something to do with the addresses not being on the same block as the internal interface on the PIX?

Any thoughts would be great!

Thanks again.

new-config.txt
0
Ernie Beek (Expert) Commented:
Glad I could help :)

Let's see, I don't see a setup for split tunneling. Check this page: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2

The ASA should NAT everything coming in from the inside (looking at the new config). So if it doesn't when turning off NAT on the second, check the logs first (on the ASA and perhaps the proxy) to see if it shows anything that might give you a clue why that isn't working.
0
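As an added example (not the poster's attached config and not part of Ernie Beek's reply), this is how the NAT exemption, the VPN bypass of the outside ACL and a split tunnel that pushes the LAN DNS server are usually put together on a PIX 7.x / ASA, using the addressing from this thread. The object names (VPN_POOL, Split_Tunnel_List, RA_VPN_GP, RA_VPN), the DNS server 10.10.254.10, the domain name and the assumption that ABC_LAN is 10.10.254.0/27 reached via the proxy are placeholders.

```cisco
! Added example: PIX 7.x / ASA remote-access split tunnel and NAT exemption.
! Assumed names: VPN_POOL, Split_Tunnel_List, RA_VPN_GP, RA_VPN.
! Assumed values: LAN = 10.10.254.0/27 behind the proxy, LAN DNS = 10.10.254.10.

! Client pool: 10.10.254.32/29 (usable .33-.38), as in the thread.
ip local pool VPN_POOL 10.10.254.33-10.10.254.38 mask 255.255.255.248

! NAT exemption (nat 0): traffic between the inside networks and the VPN pool
! must not be translated, otherwise replies never reach the clients.
access-list LAN_nat0_outbound extended permit ip 10.10.254.0 255.255.255.224 10.10.254.32 255.255.255.248
access-list LAN_nat0_outbound extended permit ip 192.168.254.0 255.255.255.252 10.10.254.32 255.255.255.248
nat (LAN) 0 access-list LAN_nat0_outbound

! Let decrypted VPN traffic bypass the WAN interface ACL (as suggested above).
sysopt connection permit-vpn

! Split-tunnel list: a STANDARD ACL naming only the destination networks that
! go through the tunnel; everything else leaves the client directly.
access-list Split_Tunnel_List standard permit 10.10.254.0 255.255.255.224
access-list Split_Tunnel_List standard permit 192.168.254.0 255.255.255.252

! Group policy: apply the split-tunnel list and push the LAN DNS server so
! internal names resolve while the tunnel is up.
group-policy RA_VPN_GP internal
group-policy RA_VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 dns-server value 10.10.254.10
 default-domain value corp.example

! Tunnel group: hand out the pool and attach the group policy.
! (On ASA 8.x the type keyword is "remote-access" instead of "ipsec-ra".)
tunnel-group RA_VPN type ipsec-ra
tunnel-group RA_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy RA_VPN_GP

! The PIX itself needs a route to the LAN that sits behind the proxy
! (assumption: reached via the proxy's outside address 192.168.254.2).
route LAN 10.10.254.0 255.255.255.224 192.168.254.2 1
```

The proxy also needs a return route for 10.10.254.32/29 pointing at 192.168.254.1; without it, LAN hosts' replies are routed out the proxy's internal side instead of back to the PIX, which shows up exactly as "traffic seen, no replies".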

plexter2k (Author) Commented:
Awesome seems to be working now. Everything is good. Thanks for your help!
0
plexter2k (Author) Commented:
Thanks!
0
Ernie Beek (Expert) Commented:
You're welcome :)
Thx for the points.
0