Solved

PIX VPN connects but cannot ping other hosts

Posted on 2012-03-29
7
473 Views
Last Modified: 2012-03-29
I am trying to create a vpn client solution using a pix 501. I am able to create a vpn connection but cannot ping other hosts on the inside interface of the firewall.  Any help would be appreciated.

<-----Running Config------>

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.03.28 15:44:58 =~=~=~=~=~=~=~=~=~=~=~=


User Access Verification

Password:
Type help or '?' for a list of available commands.



rc-pix501-1# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx encrypted
passwd xxxxxx encrypted
hostname rc-pix501-1
domain-name abc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
<--- More --->
             
names
access-list in2out permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 10.0.2.10-10.0.2.30 mask 255.255.255.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list in2out
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
<--- More --->
             
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.17.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set trset2 esp-aes-256 esp-md5-hmac
crypto dynamic-map ipsec_map 1 set transform-set trset2
crypto map outside_map 65535 ipsec-isakmp dynamic ipsec_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp log 25
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
<--- More --->
             
vpngroup remoteClient address-pool clientpool
vpngroup remoteClient dns-server 8.8.8.8
vpngroup remoteClient default-domain abc.com
vpngroup remoteClient split-tunnel in2out
vpngroup remoteClient split-dns abc.com
vpngroup remoteClient idle-time 1800
vpngroup remoteClient password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.1.10-10.0.1.30 inside
dhcpd dns 8.8.8.8
dhcpd lease 3600
dhcpd ping_timeout 100
dhcpd enable inside
dhcprelay timeout 60
username bill password xxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:0cf867e3a00e16e2b5b5be04c12c419f
: end
vpn-screen
0
Comment
Question by:pc_evans
  • 3
  • 2
  • 2
7 Comments
 
LVL 11

Expert Comment

by:M3rc74
ID: 37781404
allow icmp protocol
0
 
LVL 11

Expert Comment

by:M3rc74
ID: 37781407
Send a Ping Through the PIX

PIX/ASA Software Versions 7.x

Pings Inbound

Pings initiated from the outside, or another low security interface of the PIX, are denied be default. The pings can be allowed by the use of static and access lists or access lists alone. In this example, one server on the inside of the PIX is made accessible to external pings. A static translation is created between the inside address (10.1.1.5) and the outside address (192.168.1.5).

pix(config)#static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255
pix(config)#access-list 101 permit icmp any host 192.168.1.5 echo
pix(config)#access-group 101 in interface outside
Pings Outbound

There are two options in PIX 7.x that allow inside users to ping hosts on the outside. The first option is to setup a specific rule for each type of echo message.

For example:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable  
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
This allows only these return messages through the firewall when an inside user pings to an outside host. The other types of ICMP status messages might be hostile and the firewall blocks all other ICMP messages.

Another option is to configure ICMP inspection. This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, hosts on all inside interfaces can ping hosts on the outside and the firewall allows the replies to return. This also gives you the advantage of monitoring the ICMP traffic that traverses the firewall. In this example, icmp inspection is added to the default global inspection policy.

For example:

policy-map global_policy
    class inspection_default
     inspect icmp
Pinging Another Interface

The management-access command allows users to connect to the management-access interface from the outside ONLY when the user is connected to PIX/ASA using a full tunnel IPSec VPN or SSL VPN client (AnyConnect 2.x client, SVC 1.x) or across a site-to-site IPSec tunnel.

The inside interface of the PIX cannot be accessed from the outside, and vice-versa, unless the management-access is configured in global configuration mode. Once management-access is enabled, Telnet, SSH, or HTTP access must be configured for the desired hosts.

pix(config)#management-access inside
pix(config)#show running-config management-access
management-access inside
Note:  For the ASA, ICMP types of 127 and below have hard-coded inspection that cannot be turned off. The inspect icmp command has no affect on this inspection when it is on or off.

Note: A destination unreachable message being sent one way across the ASA referencing a packet that has not already traversed the ASA will be flagged and stopped. This protective ability cannot be turned off.

PIX Software Versions 5.0.1 Through 6.3.3

Inbound ICMP through the PIX is denied by default; outbound ICMP is permitted, but the incoming reply is denied by default.

Note: Version 6.3.3 is the most recent version of code available at the time of publication. For later versions, refer to the release notes for any possible changes.

Pings Inbound

Inbound ICMP can be permitted with either a conduit statement or an access-list statement, based on which you use on the PIX. Do not mix conduits and access lists.

This example shows how to permit ICMP of device 10.1.1.5 inside (static to 192.168.1.5) by all devices outside:

static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0

!--- and either


conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 echo

!--- or


access-list 101 permit icmp any host 192.168.1.5 echo
access-group 101 in interface outside
Pings Outbound

Responses to outbound ICMP can be permitted with either a conduit statement or an access-list statement, based on which you use on the PIX. Do not mix conduits and access lists.

This example shows how to permit responses to ICMP requests initiated by device 10.1.1.5 inside (static to 192.168.1.5) from all devices outside:

static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0

!--- and either


conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 echo-reply
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 source-quench
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 unreachable
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 time-exceeded

!--- or


access-list 101 permit icmp any host 192.168.1.5 echo-reply
access-list 101 permit icmp any host 192.168.1.5 source-quench
access-list 101 permit icmp any host 192.168.1.5 unreachable
access-list 101 permit icmp any host 192.168.1.5 time-exceeded
access-group 101 in interface outside
PIX Software Versions 4.2(2) to 5.0.1

Inbound ICMP through the PIX is denied by default. Outbound ICMP is permitted, but the incoming reply is denied by default.

Pings Inbound

Inbound ICMP can be permitted with a conduit statement.

This example shows how to permit ICMP of device 10.1.1.5 inside (static to 192.168.1.5) by all devices outside:

static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 echo
Pings Outbound

Responses to outbound ICMP can be permitted with a conduit statement.

This example shows how to permit responses to ICMP requests initiated by device 10.1.1.5 inside (static to 192.168.1.5) from all devices outside:

static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 echo-reply
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 source-quench
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 unreachable
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 time-exceeded
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 37781534
Try adding:
sysopt connection permit-ipsec
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:pc_evans
ID: 37781959
I want to clarify my problem.  Once I connect to the vpn,  I get a new ethernet interface  with a new private IP address.  Once my tunnel is established Any data leaving my laptop traverses the tunnel and appears as if it was originating from the inside interface.  I am not trying to get ping to travel from outside to inside.  I am trying to connect to other machines on the inside interface once the vpn connnection is established.
0
 

Author Comment

by:pc_evans
ID: 37781963
this is what ipconfig /all displays after the vpn connection

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : abc.com
   Description . . . . . . . . . . . : Cisco Systems VPN Adapter
   Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5d55:7f4:3c61:cf8f%19(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.2.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AG
   Physical Address. . . . . . . . . : 00-1D-E0-8C-29-5D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::10e4:18ce:b934:597%14(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.2.13(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, March 29, 2012 9:27:05 AM
   Lease Expires . . . . . . . . . . : Friday, March 30, 2012 8:46:22 AM
   Default Gateway . . . . . . . . . : 192.168.2.1
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DHCPv6 IAID . . . . . . . . . . . : 285220320
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37782071
Well, the VPN terminates on the outside interface of the PIX so the traffic does traverse through the firewall.
Did you try adding the sysopt command?
If that doesn't work, have a look at the logs to see what is showing up there.
0
 

Author Closing Comment

by:pc_evans
ID: 37785262
That worked.  I can now ping a host on the 10.0.1.0 network.   I am trying to set this up so my friend can run a client-server based application.  Now that the tunnel is connected and I can ping other hosts on the inside is there any reason why other applications wouldn't connect?
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
AnyConnect to 3rd vpn site 4 61
printer shows as offline while connected to vpn 13 70
Cisco ASA5508-X vs Barracuda X200 2 55
SBS 2008 cannot logon remotely 7 47
Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now