PIX 506e VPN issue - cannot ping internal network

kammy_boy186@hotmail.com
05-26-2005
Hi All,

I'm having an issue with remote connecting to my network using PPTP.
The VPN connection authenticated fine, however I cannot ping any of the
machines on the internal network.

Myself and the other network guys have gone through the config, and
can't find out why this is, and I was really hoping someone would be
able to help me. The guy who configured the PIX has done a runner to
Australia, so we're a bit up a creek here!!

The relevant config is copied below -

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XX encrypted
passwd XX encrypted
hostname X
domain-name XX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name X mail_outside
name 192.168.1.9 srvroom
name 192.168.1.8 inbound_SMTP
name 192.116.106.242 ARCPHC
name 172.168.0.0 HQ
name X LondonPIX
name 192.168.1.11 DC
name 192.168.1.1 mailserv
name 192.168.1.3 notes
name 192.168.1.4 fileserv
object-group service DNS tcp-udp
description DNS
port-object eq domain
object-group service LANGlobal tcp
group-object DNS
port-object eq ftp
port-object eq pop3
port-object eq domain
port-object eq www
port-object eq https
object-group service test udp
group-object DNS
port-object eq dnsix
port-object eq nameserver
port-object eq domain
access-list outside_access_in remark Allow Mail delivery
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in remark Allow X ARC HQ Connectivity
access-list outside_access_in permit ip HQ 255.255.252.0 any
access-list outside_access_in permit tcp any eq smtp host mail_outside eq smtp
access-list outside_access_in remark Allow IPsec Traffic
access-list outside_access_in permit udp host ARCPHC host X eq isakmp
access-list outside_access_in remark Allow IPsec Traffic
access-list outside_access_in permit ah host ARCPHC host X
access-list outside_access_in remark Allow IPsec Traffic
access-list outside_access_in permit esp host ARCPHC host X
access-list outside_access_in permit tcp any object-group LANGlobal X 255.255.255.0 object-group LANGlobal
access-list outside_access_in remark Web Access
access-list outside_access_in permit tcp any host X eq www
access-list outside_access_in permit icmp HQ 255.255.0.0 X 255.255.255.0
access-list outside_access_in deny udp any eq 1434 any
access-list outside_access_in remark Allow ICMP
access-list outside_access_in permit icmp any any
access-list outside_access_in deny tcp any any
access-list outside_access_in remark Block everything to come in.
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 HQ 255.255.0.0
access-list inside_access_in deny udp any eq 1434 any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0
pager lines 24
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside X 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool 192.168.1.200-192.168.1.210
pdm location mail_outside 255.255.255.255 outside
pdm location 192.168.1.192 255.255.255.224 outside
pdm location srvroom 255.255.255.255 inside
pdm location inbound_SMTP 255.255.255.255 inside
pdm location notes 255.255.255.255 inside
pdm location HQ 255.255.252.0 outside
pdm location LondonPIX 255.255.255.255 outside
pdm location ARCPHC 255.255.255.255 outside
pdm location LondonPIX 255.255.255.255 inside
pdm location HQ 255.255.0.0 outside
pdm location mailserv 255.255.255.255 inside
pdm location DC 255.255.255.255 inside
pdm location fileserv 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.7 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) mail_outside inbound_SMTP netmask 255.255.255.255 0 0
static (inside,outside) X fileserv netmask 255.255.255.255 0 0
static (inside,outside) X notes netmask 255.255.255.255 0 0
static (inside,outside) X 192.168.1.7 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 62.189.104.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http srvroom 255.255.255.255 inside
http notes 255.255.255.255 inside
http mailserv 255.255.255.255 inside
http DC 255.255.255.255 inside
http fileserv 255.255.255.255 inside
http 192.168.1.7 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set X
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer ARCPHC
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address ARCPHC netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet srvroom 255.255.255.255 inside
telnet mailserv 255.255.255.255 inside
telnet fileserv 255.255.255.255 inside
telnet 192.168.1.7 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 10
vpdn group HQ1 accept dialin pptp
vpdn group HQ1 ppp authentication mschap
vpdn group HQ1 ppp encryption mppe 40
vpdn group HQ1 client configuration address local vpn_pool
vpdn group HQ1 client configuration dns DC
vpdn group HQ1 client configuration wins mailserv
vpdn group HQ1 pptp echo 60
vpdn group HQ1 client authentication local
vpdn username HQ1 password *********
vpdn username HQ2 password *********
vpdn username HQ3 password *********
vpdn username HQ4 password *********
vpdn username HQ5 password *********
vpdn enable outside
dhcprelay server DC inside
dhcprelay enable outside
dhcprelay setroute outside
<snip>
: end
[OK]

Would really appreciate if someone could point me in the right
direction...cheers..

K

Walter Roberson
05-26-2005
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:
:I'm having an issue with remote connecting to my network using PPTP.
:The VPN connection authenticated fine, however I cannot ping any of the
:machines on the internal network.

:PIX Version 6.3(1)

6.3(1) has a number of known security problems. I recommend that
you look on cisco's site under the keywords PIX Security Advisories
for information on free updates.

:name X mail_outside

:name X LondonPIX

You cannot use two 'name' statements with the same IP address.

:access-list outside_access_in permit tcp any any eq smtp

:access-list outside_access_in permit tcp any eq smtp host mail_outside eq smtp

That line is redundant:

The first line I quoted permits smtp from anywhere outside to anywhere
inside, so the later line that is more selective about smtp will never
match since matches go top down.

Also, remote SMTP clients (and servers) will almost never use the
smtp port (25) as their -source- port for SMTP transactions.

:access-list outside_access_in remark Allow IPsec Traffic
:access-list outside_access_in remark Allow IPsec Traffic
:access-list outside_access_in remark Allow IPsec Traffic

Duplicate remark statements will sometimes be thrown away.

:access-list outside_access_in permit tcp any object-group LANGlobal X 255.255.255.0 object-group LANGlobal

:access-list outside_access_in permit tcp any host X eq www

In what you posted, you treat X both as a host and as a subnet base
address. That would be wrong unless the two X's are really different
things.

:access-list outside_access_in permit icmp any any

:access-list outside_access_in deny tcp any any

That's redundant -- when you get to the end of the list, anything
not permitted will be denied.


:access-list inside_access_in permit ip any any
:access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 HQ 255.255.0.0

Until PIX 7.0, the PIX doesn't handle anything other than IP, so
all the lines after the first are redundant since icmp and so on are
subsets of ip.

:access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0

:name 172.168.0.0 HQ

:access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0

You want a VPN that covers traffic to large chunks of AOL ??

NetRange: 172.128.0.0 - 172.191.255.255
NetName: AOL-172BLK
NetHandle: NET-172-128-0-0-1
TechHandle: AOL-NOC-ARIN
TechName: America Online, Inc.

Are you sure you don't mean 172.16.0.0 instead of 172.168.0.0 ??

:ip address outside X 255.255.255.240

If that is the same X that appeared in some of your ACL entries,
then you need to recode the ACL entries to use the keyword
'interface outside' instead of 'host X'.

:ip address inside 192.168.1.5 255.255.255.0

:ip local pool vpn_pool 192.168.1.200-192.168.1.210

:vpdn group HQ1 accept dialin pptp

:vpdn group HQ1 client configuration address local vpn_pool

Classic mistake. The pool you allocate for any incoming VPN
must be of addresses that are "outside" relative to your
inside interface. IPSec, PPTP and so on only work on
traffic that crosses the PIX, but when you allocate a PPTP
IP that is within the range covered by the inside interface,
then when any host on the inside goes to send packets to the
PPTP host, the PIX looks at the packet, sees that the "route"
to the destination back through the inside interface, and
promptly discards the packet.

Try:

ip local pool vpn_pool 192.168.2.200-192.168.2.210


By the way: did you want your PPTP users to be able to
access the IPSec tunnel to HQ?
--
Feep if you love VT-52's.
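Two of the points in the reply above (an ACE that an earlier entry in the same list already covers can never match, and a VPN pool that lies inside the inside interface's own subnet) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; it works on a constructed sample reduced from the posted config, with the redacted public addresses (the "X" entries) replaced by documentation-range placeholders, and it only parses plain `any` / `host` / `NET MASK` address specs, skipping object-group entries rather than expanding them.

```python
"""Static checks for a PIX 6.x-style configuration (added example, not from the thread).

  * shadowed_aces(): an access-list entry that an earlier entry in the same
    list already matches in full can never fire, because matching is top-down.
  * vpn_pool_overlaps(): an "ip local pool" range that falls inside a directly
    connected interface subnet is not reachable through the PIX.
"""
import ipaddress
import re

# Constructed sample, reduced from the posted config. Public addresses the
# poster redacted as "X" are replaced with documentation-range placeholders.
SAMPLE_CONFIG = """\
name 203.0.113.10 mail_outside
name 192.168.1.8 inbound_SMTP
name 172.168.0.0 HQ
access-list outside_access_in remark Allow Mail delivery
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp any eq smtp host mail_outside eq smtp
access-list outside_access_in permit icmp any any
access-list outside_access_in deny tcp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 HQ 255.255.0.0
ip address outside 203.0.113.10 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip local pool vpn_pool 192.168.1.200-192.168.1.210
"""

ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")


def parse_names(config):
    """Map symbolic labels from 'name <ip> <label>' lines back to addresses."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^name (\S+) (\S+)$", config, re.M)}


def _take_addr(tokens, names):
    """Consume one address spec (any | host H | NET MASK) plus an optional 'eq PORT'."""
    t = tokens.pop(0)
    if t == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif t == "host":
        h = tokens.pop(0)
        net = ipaddress.ip_network(names.get(h, h) + "/32")
    else:
        mask = tokens.pop(0)
        net = ipaddress.ip_network(f"{names.get(t, t)}/{mask}", strict=False)
    port = None
    if tokens[:1] == ["eq"]:
        tokens.pop(0)
        port = tokens.pop(0)
    return net, port


def parse_aces(config):
    """Parse simple ACEs; remarks and object-group entries are skipped, not expanded."""
    names = parse_names(config)
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if not m or "object-group" in line:
            continue
        acl, action, proto, rest = m.groups()
        tokens = rest.split()
        src, sport = _take_addr(tokens, names)
        dst, dport = _take_addr(tokens, names)
        aces.append(dict(acl=acl, line=line, action=action, proto=proto,
                         src=src, sport=sport, dst=dst, dport=dport))
    return aces


def _covers(a, b):
    """True when every packet matched by ACE b is also matched by the earlier ACE a."""
    if a["acl"] != b["acl"]:
        return False
    if a["proto"] != "ip" and a["proto"] != b["proto"]:  # 'ip' is a superset of tcp/udp/icmp
        return False
    if not (b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])):
        return False
    # a port of None means "any port", which covers a specific port in b
    return all(pa is None or pa == pb
               for pa, pb in ((a["sport"], b["sport"]), (a["dport"], b["dport"])))


def shadowed_aces(config):
    """Return (later_line, earlier_line) pairs where the later entry can never match."""
    aces = parse_aces(config)
    hits = []
    for i, b in enumerate(aces):
        for a in aces[:i]:
            if _covers(a, b):
                hits.append((b["line"], a["line"]))
                break
    return hits


def vpn_pool_overlaps(config):
    """Return (pool, interface, subnet) triples where a local pool sits inside an interface subnet."""
    ifaces = {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
              for m in re.finditer(r"^ip address (\S+) (\S+) (\S+)$", config, re.M)}
    hits = []
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)$", config, re.M):
        pool, first, last = m.groups()
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        for ifname, net in ifaces.items():
            if lo in net or hi in net:
                hits.append((pool, ifname, str(net)))
    return hits


if __name__ == "__main__":
    for later, earlier in shadowed_aces(SAMPLE_CONFIG):
        print(f"never matches: {later}\n   shadowed by: {earlier}")
    for pool, ifname, net in vpn_pool_overlaps(SAMPLE_CONFIG):
        print(f"pool {pool} lies inside {ifname} subnet {net}; use a range outside it")
```

On the sample the script flags the `host mail_outside eq smtp` entry as shadowed by `permit tcp any any eq smtp`, flags the inside-list ICMP entry as shadowed by `permit ip any any`, and reports `vpn_pool` as overlapping the inside subnet 192.168.1.0/24; with the suggested 192.168.2.200-192.168.2.210 range the pool check comes back clean.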
kammy_boy186@hotmail.com
05-27-2005
Many thanks Walter.

I created a new VPN IP pool 192.168.2.200 - 192.168.2.210 and tried
again but it didn't work, so I added 192.168.2.0/24 as an Outside
Network on the PIX and then created a rule allowing 192.168.2.0/24
[outside] to 192.168.1.0/24 [inside], but I am still having the same
problem.

Obviously, 192.168.2.0/24 is not really an outside address, but I'm
assuming the PIX classes VPN connections as such and there needs to be
a way it can communicate with the internal network?

Any pointers?

K
