«

Hi everyone. I've been going a little crazy trying to get something
that seems pretty simple to work on a PIX 506. FYI, I've upgraded to
PIX Version 6.3(3) and my remote VPN clients are using Cisco Client
v.3.6.3.

What I'm trying to accomplish is to have incoming VPN and outgoing
internet working at the same time. Sounds easy, but I can't get the
two to co-exist. I'm convinced that it's related to my NAT / PAT
configuration. Here's the relevant parts of my config file ...

PIX Version 6.3(3)
access-list 101 permit ip 10.185.16.0 255.255.255.0 any
ip local pool remote 10.185.16.190-10.185.16.199
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address
outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool remote
vpngroup vpn3000 dns-server X.X.X.X
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password X
: end

I can get the remote VPN clients to work at points, but that breaks my
ability to see the outside world with PAT. I can get the PAT working
properly, but that breaks my remote VPN clients by not allowing them
to see any of the internal network. Any ideas? Someone suggested it
might be an access-list problem. Any help would be much appreciated
since I've been struggling with this for 18 hours so far.

Paul.

In article < >,
Paul Emond <> wrote:
:Hi everyone. I've been going a little crazy trying to get something
:that seems pretty simple to work on a PIX 506. FYI, I've upgraded to
IX Version 6.3(3) and my remote VPN clients are using Cisco Client
:v.3.6.3.

:What I'm trying to accomplish is to have incoming VPN and outgoing
:internet working at the same time. Sounds easy, but I can't get the
:two to co-exist. I'm convinced that it's related to my NAT / PAT
:configuration. Here's the relevant parts of my config file ...

:crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

What's in the access list outside_cryptomap_dyn_20 ?

Are you showing us the saved configuration or the running configuration?
Is outside_cryptomap_dyn_20 something you configured or is it
a dynamic ACL generated by the PIX?

:access-list 101 permit ip 10.185.16.0 255.255.255.0 any
:ip local pool remote 10.185.16.190-10.185.16.199
:nat (inside) 0 access-list 101

:vpngroup vpn3000 address-pool remote

Your nat 0 ACL overlaps your vpn address pool.

You do not show us anything about the inside or outside address
range, or anything about your global statements.

My suspicion would be that you are using the address range 10.185.16/24
inside as well somehow, and that you are getting a bad routing interaction.
When the VPN is built, it's possibly routing all of 10.186.16/24
through the tunnel.

My first pass suggestion would be to remove the 'match address'
clause from your dynamic map and remove the nat 0.
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers

Paul Emond wrote:

> Hi everyone. I've been going a little crazy trying to get something
> that seems pretty simple to work on a PIX 506. FYI, I've upgraded to
> PIX Version 6.3(3) and my remote VPN clients are using Cisco Client
> v.3.6.3.
>
> What I'm trying to accomplish is to have incoming VPN and outgoing
> internet working at the same time. Sounds easy, but I can't get the
> two to co-exist. I'm convinced that it's related to my NAT / PAT
> configuration. Here's the relevant parts of my config file ...
>
> PIX Version 6.3(3)
> access-list 101 permit ip 10.185.16.0 255.255.255.0 any
> ip local pool remote 10.185.16.190-10.185.16.199
> nat (inside) 0 access-list 101
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto dynamic-map outside_dyn_map 20 match address
> outside_cryptomap_dyn_20
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> vpngroup vpn3000 address-pool remote
> vpngroup vpn3000 dns-server X.X.X.X
> vpngroup vpn3000 idle-time 1800
> vpngroup vpn3000 password X
> : end
>
> I can get the remote VPN clients to work at points, but that breaks my
> ability to see the outside world with PAT. I can get the PAT working
> properly, but that breaks my remote VPN clients by not allowing them
> to see any of the internal network. Any ideas? Someone suggested it
> might be an access-list problem. Any help would be much appreciated
> since I've been struggling with this for 18 hours so far.
>
> Paul.
The issue is you need to split the dns server searches with this command:
vpngroup vpn3000 split-tunnel 101 (101 is the access-list obviously)

other suggestions are to tighter control change:
1. access-list 101 permit ip 10.185.16.0 255.255.255.0 any to
access-list 101 permit ip 10.185.16.0 255.255.255.0 10.185.17.192
255.255.255.240 (this will give you 14 usable ip's you can always change
the subnet to expand for more ip's)
2. ip local pool remote 10.185.16.190-10.185.16.199 to ip local pool remote
10.185.16.193-10.185.16.206 (anyone care to comment if local pool follows
subnetting- I have always used the subnetting convention that the first and
last ip in the network are allocated and never tried using all ip's in the
subnet)

the last thing might be to use some other type of authentication such as
TACACS+ or a radius server or windows IAS to have one more step in
security; with this a user will have to not only enter the preshare key and
group (which will be done only once during setup of the client) but also
the user will be asked for a username and password at the end of Phase 1
every time they log into the vpn before phase 2 is launched and granted
access into the network.

also setup nat traversal with the command
isakmp nat-traversal 3600

Good luck and enjoy

CR
--
just remove the nospam in my email address

Paul Emond wrote:

> Hi everyone. I've been going a little crazy trying to get something
> that seems pretty simple to work on a PIX 506. FYI, I've upgraded to
> PIX Version 6.3(3) and my remote VPN clients are using Cisco Client
> v.3.6.3.
>
> What I'm trying to accomplish is to have incoming VPN and outgoing
> internet working at the same time. Sounds easy, but I can't get the
> two to co-exist. I'm convinced that it's related to my NAT / PAT
> configuration. Here's the relevant parts of my config file ...
>
> PIX Version 6.3(3)
> access-list 101 permit ip 10.185.16.0 255.255.255.0 any
> ip local pool remote 10.185.16.190-10.185.16.199
> nat (inside) 0 access-list 101
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto dynamic-map outside_dyn_map 20 match address
> outside_cryptomap_dyn_20
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> vpngroup vpn3000 address-pool remote
> vpngroup vpn3000 dns-server X.X.X.X
> vpngroup vpn3000 idle-time 1800
> vpngroup vpn3000 password X
> : end
>
> I can get the remote VPN clients to work at points, but that breaks my
> ability to see the outside world with PAT. I can get the PAT working
> properly, but that breaks my remote VPN clients by not allowing them
> to see any of the internal network. Any ideas? Someone suggested it
> might be an access-list problem. Any help would be much appreciated
> since I've been struggling with this for 18 hours so far.
>
> Paul.
btw forgot in my haste about the crypto dynamic-map outside_dyn_map 20 match
address
outside_cryptomap_dyn_20 needs to point to an access list so it should be
crypto dynamic-map outside_dyn_map 20 match address 101

the global statement for PAT might look something like this
global (outside) 1 x.x.x.7
--
just remove the nospam in my email address