Cisco Pix 510 - VPN problems

Discussion in 'Cisco' started by proximo, Aug 31, 2005.

  1. proximo

    proximo Guest

    Hi,

    I'm new to the Cisco Pix and firewall.

    I have made a VPN configuration and can connect to the Pix through VPN.
    I can't see the server on the LAN side.

    The LAN DHCP pool is : 10.5.75.100 - 10.5.75.131
    The VPN Pool is : 10.5.75.150 - 10.5.75.160

    The server on the LAN side isn't using DHCP. Its IP address is:
    10.5.75.10

    What must I change to make it work? (please post the commands with the
    required options that have to be used) Thanks.

    Here is the configuration as it is now :
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxxxxxx/ encrypted
    passwd xxxxxxxxxxx encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 10.5.75.10 Server
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 10.5.75.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool RTS 10.5.75.150-10.5.75.160
    pdm location 10.5.75.0 255.255.255.0 inside
    pdm location 10.5.75.128 255.255.255.192 outside
    pdm location 10.5.75.0 255.255.255.255 inside
    pdm location Server 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.5.75.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-pptp
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
    vpdn group PPTP-VPDN-GROUP client configuration address local RTS
    vpdn group PPTP-VPDN-GROUP client configuration dns 193.162.153.164 194.239.134.83
    vpdn group PPTP-VPDN-GROUP client configuration wins Server
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username xxxxxxxxxxx password ********
    vpdn username xxxxxxx password ********
    vpdn enable outside
    dhcpd address 10.5.75.100-10.5.75.131 inside
    dhcpd dns 193.162.153.164 194.239.134.83
    dhcpd wins Server
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain RTS
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
     
    proximo, Aug 31, 2005
    #1

  2. In article <>,
    proximo <> wrote:
    :I have made a VPN configuration and can connect to the Pix through VPN.
    : I can't see the server on the LAN side.

    :The LAN DHCP pool is : 10.5.75.100 - 10.5.75.131
    :The VPN Pool is : 10.5.75.150 - 10.5.75.160

    The VPN pool must be "outside" relative to the inside interface.
    You will have to change the VPN pool range to not be in 10.5.75/24 .

    :PIX Version 6.3(4)
    :ip address outside dhcp setroute
    :ip address inside 10.5.75.1 255.255.255.0
    :ip local pool RTS 10.5.75.150-10.5.75.160

    ip local pool RTS 10.255.75.128-10.255.75.159

    Note: as well as moving to a different range, I realigned the range
    to fit into a subnet to make other commands easier.

    :global (outside) 1 interface
    :nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    :sysopt connection permit-pptp
    :crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    :crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

    In PIX 6.x, L2TP is the only protocol that can use mode transport
    but you are using pptp.
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1026972

    All other types of packets using IPSec transport mode will
    be discarded by the PIX Firewall.

    :crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
    :crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    :crypto map outside_map interface outside

    :vpdn group PPTP-VPDN-GROUP accept dialin pptp
    :vpdn group PPTP-VPDN-GROUP client configuration address local RTS

    access-list pptp_nonat_acl permit ip host Server 10.255.75.128 255.255.255.224

    nat (inside) 0 access-list pptp_nonat_acl
    --
    The rule of thumb for speed is:

    1. If it doesn't work then speed doesn't matter. -- Christian Bau
     
    Walter Roberson, Aug 31, 2005
    #2
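The two fixes above (move the PPTP pool out of the inside subnet, then exempt server-to-pool traffic from NAT with a subnet-aligned ACL) can be checked mechanically before the config is pushed. The script below is an added example, not part of the original thread or of any Cisco tool: it uses the addresses from the posts as constructed sample values, flags a pool that overlaps the inside interface's subnet, verifies that a pool range is expressible as a single subnet (the reason Walter realigned it), and emits the matching `access-list` / `nat (inside) 0` pair. The function names and the `pptp_nonat_acl` default are assumptions for illustration.

```python
import ipaddress

# Constructed sample values taken from the thread:
# the PIX inside interface, the original (overlapping) PPTP pool,
# and the realigned pool suggested in the reply.
INSIDE_IF = "10.5.75.1/24"
ORIGINAL_POOL = ("10.5.75.150", "10.5.75.160")
REALIGNED_POOL = ("10.255.75.128", "10.255.75.159")


def pool_overlaps_inside(inside_if, pool):
    """True if the 'ip local pool' range touches the inside interface's
    subnet, i.e. the misconfiguration described in the first post."""
    inside_net = ipaddress.ip_interface(inside_if).network
    first, last = (ipaddress.ip_address(a) for a in pool)
    return first in inside_net or last in inside_net


def pool_as_subnet(pool):
    """Return the single CIDR block that covers exactly the pool range, or
    None if the range is not subnet-aligned and therefore cannot be written
    as one address/mask pair in an access-list entry."""
    first, last = (ipaddress.ip_address(a) for a in pool)
    blocks = list(ipaddress.summarize_address_range(first, last))
    return blocks[0] if len(blocks) == 1 else None


def nonat_exemption(server_name, pool, acl_name="pptp_nonat_acl"):
    """Build the NAT-exemption lines for traffic between the named LAN host
    and the VPN pool (PIX 6.3 syntax: address followed by netmask)."""
    net = pool_as_subnet(pool)
    if net is None:
        raise ValueError("pool range is not a single subnet; realign it first")
    return [
        f"access-list {acl_name} permit ip host {server_name} "
        f"{net.network_address} {net.netmask}",
        f"nat (inside) 0 access-list {acl_name}",
    ]


def audit_pool(inside_if, pool, server_name="Server"):
    """Run both checks and return (findings, generated_lines)."""
    findings = []
    if pool_overlaps_inside(inside_if, pool):
        findings.append(f"pool {pool[0]}-{pool[1]} overlaps inside subnet {inside_if}")
    if pool_as_subnet(pool) is None:
        findings.append(f"pool {pool[0]}-{pool[1]} is not aligned to a single subnet")
    lines = [] if findings else nonat_exemption(server_name, pool)
    return findings, lines


if __name__ == "__main__":
    for label, pool in (("original", ORIGINAL_POOL), ("realigned", REALIGNED_POOL)):
        findings, lines = audit_pool(INSIDE_IF, pool)
        print(f"{label} pool:")
        for f in findings:
            print("  problem:", f)
        for l in lines:
            print("  ", l)
```

Run it as-is: the original pool produces two findings and no config, while the realigned pool passes both checks and yields the same `access-list pptp_nonat_acl permit ip host Server 10.255.75.128 255.255.255.224` and `nat (inside) 0 access-list pptp_nonat_acl` lines that the reply gives.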

  3. proximo

    proximo Guest

    Thanks for the quick and accurate reply Walter - It works just as it
    should after making the changes.

    Does it mean that the following line can be deleted ? :
    :crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
     
    proximo, Aug 31, 2005
    #3
  4. In article <>,
    proximo <> wrote:
    :Does it mean that the following line can be deleted ? :
    ::crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

    Yes, and I recommend deleting it to avoid confusion and possible
    packet drops.
    --
    Entropy is the logarithm of probability -- Boltzmann
     
    Walter Roberson, Sep 1, 2005
    #4
  5. proximo

    proximo Guest

    Thanks again for your help!!!
     
    proximo, Sep 1, 2005
    #5