Solved

PIX VPN connects but cannot ping other hosts

Posted on 2012-03-29
7
458 Views
Last Modified: 2012-03-29
I am trying to create a vpn client solution using a pix 501. I am able to create a vpn connection but cannot ping other hosts on the inside interface of the firewall.  Any help would be appreciated.

<-----Running Config------>

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.03.28 15:44:58 =~=~=~=~=~=~=~=~=~=~=~=


User Access Verification

Password:
Type help or '?' for a list of available commands.



rc-pix501-1# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx encrypted
passwd xxxxxx encrypted
hostname rc-pix501-1
domain-name abc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
<--- More --->
             
names
access-list in2out permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 10.0.2.10-10.0.2.30 mask 255.255.255.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list in2out
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
<--- More --->
             
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.17.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set trset2 esp-aes-256 esp-md5-hmac
crypto dynamic-map ipsec_map 1 set transform-set trset2
crypto map outside_map 65535 ipsec-isakmp dynamic ipsec_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp log 25
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
<--- More --->
             
vpngroup remoteClient address-pool clientpool
vpngroup remoteClient dns-server 8.8.8.8
vpngroup remoteClient default-domain abc.com
vpngroup remoteClient split-tunnel in2out
vpngroup remoteClient split-dns abc.com
vpngroup remoteClient idle-time 1800
vpngroup remoteClient password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.1.10-10.0.1.30 inside
dhcpd dns 8.8.8.8
dhcpd lease 3600
dhcpd ping_timeout 100
dhcpd enable inside
dhcprelay timeout 60
username bill password xxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:0cf867e3a00e16e2b5b5be04c12c419f
: end
vpn-screen
0
Comment
Question by:pc_evans
  • 3
  • 2
  • 2
7 Comments
 
LVL 11

Expert Comment

by:M3rc74
ID: 37781404
allow icmp protocol
0
 
LVL 11

Expert Comment

by:M3rc74
ID: 37781407
Send a Ping Through the PIX

PIX/ASA Software Versions 7.x

Pings Inbound

Pings initiated from the outside, or another low security interface of the PIX, are denied be default. The pings can be allowed by the use of static and access lists or access lists alone. In this example, one server on the inside of the PIX is made accessible to external pings. A static translation is created between the inside address (10.1.1.5) and the outside address (192.168.1.5).

pix(config)#static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255
pix(config)#access-list 101 permit icmp any host 192.168.1.5 echo
pix(config)#access-group 101 in interface outside
Pings Outbound

There are two options in PIX 7.x that allow inside users to ping hosts on the outside. The first option is to setup a specific rule for each type of echo message.

For example:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable  
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
This allows only these return messages through the firewall when an inside user pings to an outside host. The other types of ICMP status messages might be hostile and the firewall blocks all other ICMP messages.

Another option is to configure ICMP inspection. This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, hosts on all inside interfaces can ping hosts on the outside and the firewall allows the replies to return. This also gives you the advantage of monitoring the ICMP traffic that traverses the firewall. In this example, icmp inspection is added to the default global inspection policy.

For example:

policy-map global_policy
    class inspection_default
     inspect icmp
Pinging Another Interface

The management-access command allows users to connect to the management-access interface from the outside ONLY when the user is connected to PIX/ASA using a full tunnel IPSec VPN or SSL VPN client (AnyConnect 2.x client, SVC 1.x) or across a site-to-site IPSec tunnel.

The inside interface of the PIX cannot be accessed from the outside, and vice-versa, unless the management-access is configured in global configuration mode. Once management-access is enabled, Telnet, SSH, or HTTP access must be configured for the desired hosts.

pix(config)#management-access inside
pix(config)#show running-config management-access
management-access inside
Note:  For the ASA, ICMP types of 127 and below have hard-coded inspection that cannot be turned off. The inspect icmp command has no affect on this inspection when it is on or off.

Note: A destination unreachable message being sent one way across the ASA referencing a packet that has not already traversed the ASA will be flagged and stopped. This protective ability cannot be turned off.

PIX Software Versions 5.0.1 Through 6.3.3

Inbound ICMP through the PIX is denied by default; outbound ICMP is permitted, but the incoming reply is denied by default.

Note: Version 6.3.3 is the most recent version of code available at the time of publication. For later versions, refer to the release notes for any possible changes.

Pings Inbound

Inbound ICMP can be permitted with either a conduit statement or an access-list statement, based on which you use on the PIX. Do not mix conduits and access lists.

This example shows how to permit ICMP of device 10.1.1.5 inside (static to 192.168.1.5) by all devices outside:

static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0

!--- and either


conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 echo

!--- or


access-list 101 permit icmp any host 192.168.1.5 echo
access-group 101 in interface outside
Pings Outbound

Responses to outbound ICMP can be permitted with either a conduit statement or an access-list statement, based on which you use on the PIX. Do not mix conduits and access lists.

This example shows how to permit responses to ICMP requests initiated by device 10.1.1.5 inside (static to 192.168.1.5) from all devices outside:

static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0

!--- and either


conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 echo-reply
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 source-quench
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 unreachable
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 time-exceeded

!--- or


access-list 101 permit icmp any host 192.168.1.5 echo-reply
access-list 101 permit icmp any host 192.168.1.5 source-quench
access-list 101 permit icmp any host 192.168.1.5 unreachable
access-list 101 permit icmp any host 192.168.1.5 time-exceeded
access-group 101 in interface outside
PIX Software Versions 4.2(2) to 5.0.1

Inbound ICMP through the PIX is denied by default. Outbound ICMP is permitted, but the incoming reply is denied by default.

Pings Inbound

Inbound ICMP can be permitted with a conduit statement.

This example shows how to permit ICMP of device 10.1.1.5 inside (static to 192.168.1.5) by all devices outside:

static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 echo
Pings Outbound

Responses to outbound ICMP can be permitted with a conduit statement.

This example shows how to permit responses to ICMP requests initiated by device 10.1.1.5 inside (static to 192.168.1.5) from all devices outside:

static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 echo-reply
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 source-quench
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 unreachable
conduit permit icmp 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0 time-exceeded
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 37781534
Try adding:
sysopt connection permit-ipsec
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:pc_evans
ID: 37781959
I want to clarify my problem.  Once I connect to the vpn,  I get a new ethernet interface  with a new private IP address.  Once my tunnel is established Any data leaving my laptop traverses the tunnel and appears as if it was originating from the inside interface.  I am not trying to get ping to travel from outside to inside.  I am trying to connect to other machines on the inside interface once the vpn connnection is established.
0
 

Author Comment

by:pc_evans
ID: 37781963
this is what ipconfig /all displays after the vpn connection

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : abc.com
   Description . . . . . . . . . . . : Cisco Systems VPN Adapter
   Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5d55:7f4:3c61:cf8f%19(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.2.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AG
   Physical Address. . . . . . . . . : 00-1D-E0-8C-29-5D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::10e4:18ce:b934:597%14(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.2.13(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, March 29, 2012 9:27:05 AM
   Lease Expires . . . . . . . . . . : Friday, March 30, 2012 8:46:22 AM
   Default Gateway . . . . . . . . . : 192.168.2.1
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DHCPv6 IAID . . . . . . . . . . . : 285220320
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37782071
Well, the VPN terminates on the outside interface of the PIX so the traffic does traverse through the firewall.
Did you try adding the sysopt command?
If that doesn't work, have a look at the logs to see what is showing up there.
0
 

Author Closing Comment

by:pc_evans
ID: 37785262
That worked.  I can now ping a host on the 10.0.1.0 network.   I am trying to set this up so my friend can run a client-server based application.  Now that the tunnel is connected and I can ping other hosts on the inside is there any reason why other applications wouldn't connect?
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Do you have an old router lying around the house that you don’t know what to do with? Check the make and model, then refer to either of these links to see if its compatible. http://www.dd-wrt.com/site/support/router-database http://www.dd-wrt.c…
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now