pc_evans
asked on
PIX VPN connects but cannot ping other hosts
I am trying to create a vpn client solution using a pix 501. I am able to create a vpn connection but cannot ping other hosts on the inside interface of the firewall. Any help would be appreciated.
<-----Running Config------>
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.03.28 15:44:58 =~=~=~=~=~=~=~=~=~=~=~=
User Access Verification
Password:
Type help or '?' for a list of available commands.
rc-pix501-1# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx encrypted
passwd xxxxxx encrypted
hostname rc-pix501-1
domain-name abc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
<--- More --->
names
access-list in2out permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 10.0.2.10-10.0.2.30 mask 255.255.255.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list in2out
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
<--- More --->
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.17.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set trset2 esp-aes-256 esp-md5-hmac
crypto dynamic-map ipsec_map 1 set transform-set trset2
crypto map outside_map 65535 ipsec-isakmp dynamic ipsec_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp log 25
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
<--- More --->
vpngroup remoteClient address-pool clientpool
vpngroup remoteClient dns-server 8.8.8.8
vpngroup remoteClient default-domain abc.com
vpngroup remoteClient split-tunnel in2out
vpngroup remoteClient split-dns abc.com
vpngroup remoteClient idle-time 1800
vpngroup remoteClient password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.1.10-10.0.1.30 inside
dhcpd dns 8.8.8.8
dhcpd lease 3600
dhcpd ping_timeout 100
dhcpd enable inside
dhcprelay timeout 60
username bill password xxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:0cf867e3a00
: end
vpn-screen
<-----Running Config------>
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.03.28 15:44:58 =~=~=~=~=~=~=~=~=~=~=~=
User Access Verification
Password:
Type help or '?' for a list of available commands.
rc-pix501-1# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx encrypted
passwd xxxxxx encrypted
hostname rc-pix501-1
domain-name abc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
<--- More --->
names
access-list in2out permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 10.0.2.10-10.0.2.30 mask 255.255.255.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list in2out
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
<--- More --->
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.17.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set trset2 esp-aes-256 esp-md5-hmac
crypto dynamic-map ipsec_map 1 set transform-set trset2
crypto map outside_map 65535 ipsec-isakmp dynamic ipsec_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp log 25
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
<--- More --->
vpngroup remoteClient address-pool clientpool
vpngroup remoteClient dns-server 8.8.8.8
vpngroup remoteClient default-domain abc.com
vpngroup remoteClient split-tunnel in2out
vpngroup remoteClient split-dns abc.com
vpngroup remoteClient idle-time 1800
vpngroup remoteClient password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.1.10-10.0.1.30 inside
dhcpd dns 8.8.8.8
dhcpd lease 3600
dhcpd ping_timeout 100
dhcpd enable inside
dhcprelay timeout 60
username bill password xxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:0cf867e3a00
: end
vpn-screen
Kruno Džoić
allow icmp protocol
Send a Ping Through the PIX
PIX/ASA Software Versions 7.x
Pings Inbound
Pings initiated from the outside, or another low security interface of the PIX, are denied be default. The pings can be allowed by the use of static and access lists or access lists alone. In this example, one server on the inside of the PIX is made accessible to external pings. A static translation is created between the inside address (10.1.1.5) and the outside address (192.168.1.5).
pix(config)#static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255
pix(config)#access-list 101 permit icmp any host 192.168.1.5 echo
pix(config)#access-group 101 in interface outside
Pings Outbound
There are two options in PIX 7.x that allow inside users to ping hosts on the outside. The first option is to setup a specific rule for each type of echo message.
For example:
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
This allows only these return messages through the firewall when an inside user pings to an outside host. The other types of ICMP status messages might be hostile and the firewall blocks all other ICMP messages.
Another option is to configure ICMP inspection. This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, hosts on all inside interfaces can ping hosts on the outside and the firewall allows the replies to return. This also gives you the advantage of monitoring the ICMP traffic that traverses the firewall. In this example, icmp inspection is added to the default global inspection policy.
For example:
policy-map global_policy
class inspection_default
inspect icmp
Pinging Another Interface
The management-access command allows users to connect to the management-access interface from the outside ONLY when the user is connected to PIX/ASA using a full tunnel IPSec VPN or SSL VPN client (AnyConnect 2.x client, SVC 1.x) or across a site-to-site IPSec tunnel.
The inside interface of the PIX cannot be accessed from the outside, and vice-versa, unless the management-access is configured in global configuration mode. Once management-access is enabled, Telnet, SSH, or HTTP access must be configured for the desired hosts.
pix(config)#management-acc
pix(config)#show running-config management-access
management-access inside
Note: For the ASA, ICMP types of 127 and below have hard-coded inspection that cannot be turned off. The inspect icmp command has no affect on this inspection when it is on or off.
Note: A destination unreachable message being sent one way across the ASA referencing a packet that has not already traversed the ASA will be flagged and stopped. This protective ability cannot be turned off.
PIX Software Versions 5.0.1 Through 6.3.3
Inbound ICMP through the PIX is denied by default; outbound ICMP is permitted, but the incoming reply is denied by default.
Note: Version 6.3.3 is the most recent version of code available at the time of publication. For later versions, refer to the release notes for any possible changes.
Pings Inbound
Inbound ICMP can be permitted with either a conduit statement or an access-list statement, based on which you use on the PIX. Do not mix conduits and access lists.
This example shows how to permit ICMP of device 10.1.1.5 inside (static to 192.168.1.5) by all devices outside:
static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0
!--- and either
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 echo
!--- or
access-list 101 permit icmp any host 192.168.1.5 echo
access-group 101 in interface outside
Pings Outbound
Responses to outbound ICMP can be permitted with either a conduit statement or an access-list statement, based on which you use on the PIX. Do not mix conduits and access lists.
This example shows how to permit responses to ICMP requests initiated by device 10.1.1.5 inside (static to 192.168.1.5) from all devices outside:
static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0
!--- and either
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 echo-reply
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 source-quench
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 unreachable
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 time-exceeded
!--- or
access-list 101 permit icmp any host 192.168.1.5 echo-reply
access-list 101 permit icmp any host 192.168.1.5 source-quench
access-list 101 permit icmp any host 192.168.1.5 unreachable
access-list 101 permit icmp any host 192.168.1.5 time-exceeded
access-group 101 in interface outside
PIX Software Versions 4.2(2) to 5.0.1
Inbound ICMP through the PIX is denied by default. Outbound ICMP is permitted, but the incoming reply is denied by default.
Pings Inbound
Inbound ICMP can be permitted with a conduit statement.
This example shows how to permit ICMP of device 10.1.1.5 inside (static to 192.168.1.5) by all devices outside:
static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 echo
Pings Outbound
Responses to outbound ICMP can be permitted with a conduit statement.
This example shows how to permit responses to ICMP requests initiated by device 10.1.1.5 inside (static to 192.168.1.5) from all devices outside:
static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 echo-reply
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 source-quench
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 unreachable
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 time-exceeded
PIX/ASA Software Versions 7.x
Pings Inbound
Pings initiated from the outside, or another low security interface of the PIX, are denied be default. The pings can be allowed by the use of static and access lists or access lists alone. In this example, one server on the inside of the PIX is made accessible to external pings. A static translation is created between the inside address (10.1.1.5) and the outside address (192.168.1.5).
pix(config)#static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255
pix(config)#access-list 101 permit icmp any host 192.168.1.5 echo
pix(config)#access-group 101 in interface outside
Pings Outbound
There are two options in PIX 7.x that allow inside users to ping hosts on the outside. The first option is to setup a specific rule for each type of echo message.
For example:
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
This allows only these return messages through the firewall when an inside user pings to an outside host. The other types of ICMP status messages might be hostile and the firewall blocks all other ICMP messages.
Another option is to configure ICMP inspection. This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, hosts on all inside interfaces can ping hosts on the outside and the firewall allows the replies to return. This also gives you the advantage of monitoring the ICMP traffic that traverses the firewall. In this example, icmp inspection is added to the default global inspection policy.
For example:
policy-map global_policy
class inspection_default
inspect icmp
Pinging Another Interface
The management-access command allows users to connect to the management-access interface from the outside ONLY when the user is connected to PIX/ASA using a full tunnel IPSec VPN or SSL VPN client (AnyConnect 2.x client, SVC 1.x) or across a site-to-site IPSec tunnel.
The inside interface of the PIX cannot be accessed from the outside, and vice-versa, unless the management-access is configured in global configuration mode. Once management-access is enabled, Telnet, SSH, or HTTP access must be configured for the desired hosts.
pix(config)#management-acc
pix(config)#show running-config management-access
management-access inside
Note: For the ASA, ICMP types of 127 and below have hard-coded inspection that cannot be turned off. The inspect icmp command has no affect on this inspection when it is on or off.
Note: A destination unreachable message being sent one way across the ASA referencing a packet that has not already traversed the ASA will be flagged and stopped. This protective ability cannot be turned off.
PIX Software Versions 5.0.1 Through 6.3.3
Inbound ICMP through the PIX is denied by default; outbound ICMP is permitted, but the incoming reply is denied by default.
Note: Version 6.3.3 is the most recent version of code available at the time of publication. For later versions, refer to the release notes for any possible changes.
Pings Inbound
Inbound ICMP can be permitted with either a conduit statement or an access-list statement, based on which you use on the PIX. Do not mix conduits and access lists.
This example shows how to permit ICMP of device 10.1.1.5 inside (static to 192.168.1.5) by all devices outside:
static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0
!--- and either
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 echo
!--- or
access-list 101 permit icmp any host 192.168.1.5 echo
access-group 101 in interface outside
Pings Outbound
Responses to outbound ICMP can be permitted with either a conduit statement or an access-list statement, based on which you use on the PIX. Do not mix conduits and access lists.
This example shows how to permit responses to ICMP requests initiated by device 10.1.1.5 inside (static to 192.168.1.5) from all devices outside:
static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0
!--- and either
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 echo-reply
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 source-quench
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 unreachable
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 time-exceeded
!--- or
access-list 101 permit icmp any host 192.168.1.5 echo-reply
access-list 101 permit icmp any host 192.168.1.5 source-quench
access-list 101 permit icmp any host 192.168.1.5 unreachable
access-list 101 permit icmp any host 192.168.1.5 time-exceeded
access-group 101 in interface outside
PIX Software Versions 4.2(2) to 5.0.1
Inbound ICMP through the PIX is denied by default. Outbound ICMP is permitted, but the incoming reply is denied by default.
Pings Inbound
Inbound ICMP can be permitted with a conduit statement.
This example shows how to permit ICMP of device 10.1.1.5 inside (static to 192.168.1.5) by all devices outside:
static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 echo
Pings Outbound
Responses to outbound ICMP can be permitted with a conduit statement.
This example shows how to permit responses to ICMP requests initiated by device 10.1.1.5 inside (static to 192.168.1.5) from all devices outside:
static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 echo-reply
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 source-quench
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 unreachable
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 time-exceeded
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I want to clarify my problem. Once I connect to the vpn, I get a new ethernet interface with a new private IP address. Once my tunnel is established Any data leaving my laptop traverses the tunnel and appears as if it was originating from the inside interface. I am not trying to get ping to travel from outside to inside. I am trying to connect to other machines on the inside interface once the vpn connnection is established.
ASKER
this is what ipconfig /all displays after the vpn connection
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : abc.com
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5d55:7f4:3c61:cf8f%1
IPv4 Address. . . . . . . . . . . : 10.0.2.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AG
Physical Address. . . . . . . . . : 00-1D-E0-8C-29-5D
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::10e4:18ce:b934:597%1
IPv4 Address. . . . . . . . . . . : 192.168.2.13(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, March 29, 2012 9:27:05 AM
Lease Expires . . . . . . . . . . : Friday, March 30, 2012 8:46:22 AM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 285220320
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : abc.com
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5d55:7f4:3c61:cf8f%1
IPv4 Address. . . . . . . . . . . : 10.0.2.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AG
Physical Address. . . . . . . . . : 00-1D-E0-8C-29-5D
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::10e4:18ce:b934:597%1
IPv4 Address. . . . . . . . . . . : 192.168.2.13(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, March 29, 2012 9:27:05 AM
Lease Expires . . . . . . . . . . : Friday, March 30, 2012 8:46:22 AM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 285220320
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
Well, the VPN terminates on the outside interface of the PIX so the traffic does traverse through the firewall.
Did you try adding the sysopt command?
If that doesn't work, have a look at the logs to see what is showing up there.
Did you try adding the sysopt command?
If that doesn't work, have a look at the logs to see what is showing up there.
ASKER
That worked. I can now ping a host on the 10.0.1.0 network. I am trying to set this up so my friend can run a client-server based application. Now that the tunnel is connected and I can ping other hosts on the inside is there any reason why other applications wouldn't connect?