PIX 501 issue routing between VPN pool and local pool

eostrike
Junior Member
Join Date: Oct 2008
Posts: 3
10-16-2008
Hello,


I am new to this forum. I have a Pix 501 which is configured and working properly except for the life of me I cannot get the VPN to be able to access any hosts on my local network. I have my VPN pool set up with 192.168.3.0 and my local network is 192.168.2.0. When I connect through the VPN from outside my network I connect just fine; however, I can only ping the gateway of network 192.168.2.0. I cannot ping anything else on the network. On the Pix I am unable to ping the VPN client. Can someone look over my config and let me know why I cannot route to my internal network 192.168.2.0? I would appreciate any assistance. I have a week into trying to figure this out and no go. Any help would be appreciated. As long as I cannot route to my internal network my VPN function is useless. I have tried many different configs and nothing works. PLEASE HELP.


My Configuration:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *************encrypted
passwd *************** encrypted
hostname PIX501
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.10 server
name 192.168.2.2 s1
name 192.168.2.3 desktop
name 192.168.2.4 ap1
name 192.168.2.5 canon
name 192.168.2.6 mvix
name 192.168.2.7 laptop
name 192.168.2.8 von
name 192.168.2.9 dell1100
name 192.168.2.11 pdu
name 192.168.2.12 ras
name 192.168.2.1 pix
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any eq 2323
access-list outside_access_in permit tcp any any eq 2324
access-list outside_access_in permit tcp any any eq 2325
access-list outside_access_in permit tcp any any eq 5851
access-list outside_access_in permit udp any any eq 5850
pager lines 24
logging on
logging buffered warnings
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside pix 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.3.1-192.168.3.10
pdm location server 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location desktop 255.255.255.255 inside
pdm location pdu 255.255.255.255 inside
pdm location ras 255.255.255.255 inside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5851 server ftp netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5850 desktop 5850 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2325 server 2325 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2323 ras telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2324 pdu telnet netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route inside 192.168.3.0 255.255.255.0 pix 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 outside
http 192.168.2.0 255.255.255.0 inside
snmp-server location Upstairs Office
snmp-server contact **************
snmp-server community *******
no snmp-server enable traps
tftp-server inside server Pix501_Backup_New
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address server netmask 255.255.255.255
isakmp identity address
isakmp keepalive 20 30
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup eostrike address-pool ippool
vpngroup eostrike dns-server server
vpngroup eostrike split-tunnel 101
vpngroup eostrike idle-time 1800
vpngroup eostrike password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 30
dhcpd address 192.168.2.20-192.168.2.35 inside
dhcpd dns 24.205.1.14 66.215.64.14
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ***************
dhcpd enable inside
username ******* password *********** encrypted privilege 15
username ******** password **************encrypted privilege 15
terminal width 80
banner motd Authorized users only, all others must disconnect now!
Cryptochecksum:2d4e1e650934f0f729c3a3944e63fa05
eostrike
Junior Member
Join Date: Oct 2008
Posts: 3
10-16-2008
I figured it out. Thank you anyhow.


EricO
Brian45040
Junior Member
Join Date: Oct 2008
Posts: 2
10-24-2008
Can you please let me know what I can check on because I have the same exact circumstance?

Thank you,
Brian
eostrike
Junior Member
Join Date: Oct 2008
Posts: 3
10-24-2008
Brian,


Here is the config that I am using which allows me to VPN to my home network using Cisco's VPN client. I have been trying to figure out the MS VPN client but have not made it that far yet. If you have any other questions I can try and help out.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***************encrypted
passwd *************** encrypted
hostname PIX501
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.10 server
name 192.168.2.2 s1
name 192.168.2.3 desktop
name 192.168.2.4 ap1
name 192.168.2.5 canon
name 192.168.2.6 mvix
name 192.168.2.7 laptop
name 192.168.2.8 von
name 192.168.2.9 dell1100
name 192.168.2.11 pdu
name 192.168.2.12 ras
name 192.168.2.1 pix
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any eq 2323
access-list outside_access_in permit tcp any any eq 2324
access-list outside_access_in permit tcp any any eq 2325
access-list outside_access_in permit tcp any any eq 5851
access-list outside_access_in permit udp any any eq 5850
access-list 100 permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip any 192.168.3.0 255.255.255.0
access-list vpn1_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging on
logging buffered warnings
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside pix 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.3.10-192.168.3.20 mask 255.255.255.0
pdm location server 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location desktop 255.255.255.255 inside
pdm location pdu 255.255.255.255 inside
pdm location ras 255.255.255.255 inside
pdm location 192.168.3.0 255.255.255.0 outside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
static (inside,outside) tcp interface 3389 server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5851 server ftp netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5850 desktop 5850 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2325 server 2325 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2323 ras telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2324 pdu telnet netmask 255.255.255.255 0 0
access-group 100 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
snmp-server location Upstairs Office
snmp-server contact *****************
snmp-server community ********
no snmp-server enable traps
tftp-server inside server Pix501_Backup_New
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address server netmask 255.255.255.255
isakmp identity address
isakmp keepalive 20 30
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup eostrike address-pool ippool
vpngroup eostrike split-tunnel vpn1_splitTunnelAcl
vpngroup eostrike idle-time 1800
vpngroup eostrike password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 30
vpdn group test accept dialin l2tp
vpdn group test ppp authentication chap
vpdn group test client configuration address local ippool
vpdn group test client authentication local
vpdn group test l2tp tunnel hello 60
vpdn username eric password *********
vpdn username ez password *********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.2.20-192.168.2.35 inside
dhcpd dns 24.205.1.14 66.215.64.14
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain *********************
dhcpd enable inside
username eostrike password ********************encrypted privilege 15
terminal width 80
banner motd Authorized users only, all others must disconnect now!
Cryptochecksum:e044e363d1b93249823ae147475765ca
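As an added example that is not part of the thread, the following Python checker reads a PIX 6.3 configuration and reports the three differences that separate the broken first posting from the working one: a nat 0 exemption covering the VPN pool, a pool defined with a mask, and no static route that points the pool at the inside interface. The two excerpts are constructed from the posted configurations and trimmed to the lines the checker reads; check_vpn_pool and its finding texts are assumptions of this example, not Cisco tooling.

```python
import ipaddress
# Constructed, trimmed excerpts of the two configurations posted in the thread
# (only the lines the checker reads are kept).
BROKEN_CFG = """\
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool ippool 192.168.3.1-192.168.3.10
route inside 192.168.3.0 255.255.255.0 pix 1
vpngroup eostrike address-pool ippool
"""
FIXED_CFG = """\
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
ip local pool ippool 192.168.3.10-192.168.3.20 mask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup eostrike address-pool ippool
"""

def _net(tok, i):
    """Read an ACL address at tok[i]: 'any' or 'addr mask'; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def check_vpn_pool(cfg):
    """Return findings that would keep VPN-pool clients from reaching inside hosts."""
    acls, pools, nat0, inside_routes, group_pool = {}, {}, [], [], None
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            src, i = _net(tok, 4)
            acls.setdefault(tok[1], []).append((src, _net(tok, i)[0]))
        elif tok[:3] == ["ip", "local", "pool"]:
            first = ipaddress.ip_address(tok[4].split("-")[0])  # first pool address
            pools[tok[3]] = (first, "mask" in tok)
        elif tok[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0.append(tok[4])  # ACLs whose matches are exempt from NAT
        elif tok[:2] == ["route", "inside"]:
            inside_routes.append(ipaddress.ip_network(f"{tok[2]}/{tok[3]}"))
        elif tok[:1] == ["vpngroup"] and tok[2:3] == ["address-pool"]:
            group_pool = tok[3]
    pool_ip, has_mask = pools[group_pool]
    findings = []
    if not has_mask:
        findings.append(f"pool {group_pool} has no mask; add 'mask 255.255.255.0'")
    if not any(pool_ip in dst for n in nat0 for _, dst in acls.get(n, [])):
        findings.append("no 'nat (inside) 0 access-list' exempts LAN-to-pool traffic; it is PATed to the outside address before encryption")
    for net in inside_routes:
        if pool_ip in net:
            findings.append(f"route inside {net} points the pool at the inside interface instead of the tunnel on outside")
    return findings
```

Running check_vpn_pool over BROKEN_CFG yields all three findings, while FIXED_CFG yields none.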