Cisco VPN client - PIX 315 - users connect but cannot ping or communicate

Discussion in 'Cisco' started by rseier, Jan 18, 2008.

    I have configured a PIX 315 to allow VPN connections and authenticate users through Active Directory. Users can authenticate, but cannot go anywhere once they are connected.

    Any help you can provide would be MOST APPRECIATED!

    : Inbound ACL applied to the outside interface (public addresses masked as x.x.x.x)
    access-list INET_IN permit icmp any any echo-reply
    access-list INET_IN permit icmp any any time-exceeded
    access-list INET_IN permit tcp any host x.x.x.x eq www
    access-list INET_IN permit tcp any host x.x.x.x eq https
    access-list INET_IN permit tcp any host x.x.x.x eq ftp
    access-list INET_IN permit tcp host x.x.x.x host x.x.x.x eq 3389
    access-list INET_IN deny tcp any host x.x.x.x eq 41794
    access-list INET_IN deny tcp any host x.x.x.x eq 41795
    access-list INET_IN permit tcp any host x.x.x.x eq h323
    access-list INET_IN permit tcp any host x.x.x.x eq 3230
    access-list INET_IN permit tcp any host x.x.x.x eq 3231
    access-list INET_IN permit tcp any host x.x.x.x eq 3232
    access-list INET_IN permit tcp any host x.x.x.x eq 3233
    access-list INET_IN permit tcp any host x.x.x.x eq 3234
    access-list INET_IN permit tcp any host x.x.x.x eq 3235
    access-list INET_IN permit udp any host x.x.x.x eq 3235
    access-list INET_IN permit udp any host x.x.x.x eq 3236
    access-list INET_IN permit udp any host x.x.x.x eq 3237
    access-list INET_IN permit udp any host x.x.x.x eq 3238
    access-list INET_IN permit udp any host x.x.x.x eq 3239
    access-list INET_IN permit udp any host x.x.x.x eq 3240
    access-list INET_IN permit udp any host x.x.x.x eq 3241
    access-list INET_IN permit udp any host x.x.x.x eq 3242
    access-list INET_IN permit udp any host x.x.x.x eq 3243
    access-list INET_IN permit udp any host x.x.x.x eq 3244
    access-list INET_IN permit udp any host x.x.x.x eq 3245
    access-list INET_IN permit udp any host x.x.x.x eq 3246
    access-list INET_IN permit udp any host x.x.x.x eq 3247
    access-list INET_IN permit udp any host x.x.x.x eq 3248
    access-list INET_IN permit udp any host x.x.x.x eq 3249
    access-list INET_IN permit udp any host x.x.x.x eq 3250
    access-list INET_IN permit udp any host x.x.x.x eq 3251
    access-list INET_IN permit udp any host x.x.x.x eq 3252
    access-list INET_IN permit udp any host x.x.x.x eq 3253
    access-list INET_IN permit udp any host x.x.x.x eq 3254
    access-list INET_IN permit udp any host x.x.x.x eq 3255
    access-list INET_IN permit udp any host x.x.x.x eq 3256
    access-list INET_IN permit udp any host x.x.x.x eq 3257
    access-list INET_IN permit udp any host x.x.x.x eq 3258

    : NAT-exempt ACL and dynamic-crypto-map ACL; both cover 192.168.169.208/28, which contains the VPN pool
    access-list inside_outbound_nat0_acl permit ip any 192.168.169.208 255.255.255.240
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.169.208 255.255.255.240

    : LAN-to-LAN traffic between 192.168.168.0/24 and the 169/170 subnets, referenced by nat (inside) 2
    access-list 101 permit ip 192.168.169.0 255.255.255.0 192.168.168.0 255.255.255.0
    access-list 101 permit ip 192.168.170.0 255.255.255.0 192.168.168.0 255.255.255.0
    access-list 101 permit ip 192.168.168.0 255.255.255.0 192.168.169.0 255.255.255.0
    access-list 101 permit ip 192.168.168.0 255.255.255.0 192.168.170.0 255.255.255.0

    : Split-tunnel ACL is any/any, so all client traffic is sent into the tunnel
    access-list split_tunnel_acl permit ip any any

    ip address outside x.x.x.18 255.255.255.248
    ip address inside 192.168.169.22 255.255.255.0

    : Client pool 192.168.169.210-219 lies within the inside interface's own 192.168.169.0/24
    ip local pool VPN 192.168.169.210-192.168.169.219 mask 255.255.255.0

    global (outside) 1 x.x.x.19

    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 2 access-list 101 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    : The second static maps a public address to 192.168.169.210, which is an address in the VPN pool
    static (inside,outside) x.x.x.x LAB1-Server netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.x 192.168.169.210 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.x Polycom_VS4000 dns netmask 255.255.255.255 0 0

    access-group INET_IN in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.17 1
    route inside 192.168.0.0 255.255.0.0 192.168.169.21 1

    : AAA: VPN users are authenticated by RADIUS on LAB2-Server (server group partnerauth)
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server partnerauth protocol radius
    aaa-server partnerauth max-failed-attempts 3
    aaa-server partnerauth deadtime 10
    aaa-server partnerauth (inside) host LAB2-Server <shared pw> timeout 5

    sysopt connection permit-ipsec
    sysopt connection permit-l2tp

    : Phase 2 transform sets; TRANS_ESP_DES_MD5 is transport mode (as used for L2TP) and is referenced only by outside_dyn_map
    crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_MD5
    crypto dynamic-map dynmap 10 set transform-set myset

    : Two crypto maps are defined, but only mymap is bound to the outside interface; outside_map and outside_dyn_map are never used
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client authentication partnerauth
    crypto map mymap interface outside

    : Phase 1: a wildcard pre-shared key with single DES and MD5; 3DES or AES with SHA is preferable where the client supports it
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    : Remote-access group pushed to the Cisco VPN client
    vpngroup vpn3000 address-pool VPN
    vpngroup vpn3000 dns-server LAB2-Server
    vpngroup vpn3000 wins-server LAB1-Server
    vpngroup vpn3000 default-domain <domain-name>
    vpngroup vpn3000 split-tunnel split_tunnel_acl
    vpngroup vpn3000 idle-time 1800
    vpngroup vpn3000 password ********
     
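As an added example (not part of the original post and not a Cisco tool), the following Python script parses the subset of PIX 6.x commands that decide whether a connected client can reach the LAN and reports the conditions a reviewer would check before debugging the tunnel itself: an address pool that overlaps the inside subnet, a pool not covered by the nat 0 ACL, a static that maps a pool address, an any/any split-tunnel ACL, and a crypto map that is defined but never bound to an interface. The sample config is reconstructed from the post; the poster's masked x.x.x.x public addresses are replaced with 198.51.100.x documentation addresses, which is an assumption, and the private addresses are the poster's own.

```python
"""Static sanity checks for a PIX 6.x remote-access VPN configuration.

Added example, not from the original post. It parses only the commands that
matter for post-connect reachability and reports what a reviewer would
question first; it does not prove that any finding is the cause of a fault.
"""
import ipaddress

# Constructed sample: the relevant lines from the post. The public addresses
# (x.x.x.x in the post) are replaced with RFC 5737 documentation addresses,
# which is an assumption; the private addresses are the poster's own.
PIX_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip any 192.168.169.208 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.169.208 255.255.255.240
access-list 101 permit ip 192.168.169.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list split_tunnel_acl permit ip any any
ip address outside 198.51.100.18 255.255.255.248
ip address inside 192.168.169.22 255.255.255.0
ip local pool VPN 192.168.169.210-192.168.169.219 mask 255.255.255.0
global (outside) 1 198.51.100.19
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list 101 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 198.51.100.20 LAB1-Server netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.21 192.168.169.210 netmask 255.255.255.255 0 0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_MD5
crypto dynamic-map dynmap 10 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
vpngroup vpn3000 address-pool VPN
vpngroup vpn3000 split-tunnel split_tunnel_acl
"""


def parse_pix(text):
    """Extract interfaces, pools, ACLs, nat 0, statics, crypto maps and vpngroups."""
    cfg = {"interfaces": {}, "pools": {}, "acls": {}, "nat0_acl": None,
           "statics": [], "crypto_maps": {}, "bound_map": None, "vpngroups": {}}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0].startswith(":"):      # blank line or PIX ':' comment
            continue
        if t[:2] == ["ip", "address"]:
            cfg["interfaces"][t[2]] = ipaddress.ip_interface(t[3] + "/" + t[4])
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "access-list":
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0_acl"] = t[4]
        elif t[0] == "static":
            cfg["statics"].append((t[2], t[3]))            # (global, local)
        elif t[:2] == ["crypto", "map"]:
            if t[3] == "interface":                         # crypto map NAME interface IF
                cfg["bound_map"] = t[2]
            elif "dynamic" in t:                            # crypto map NAME SEQ ipsec-isakmp dynamic DYN
                cfg["crypto_maps"].setdefault(t[2], []).append(t[t.index("dynamic") + 1])
        elif t[0] == "vpngroup":
            cfg["vpngroups"].setdefault(t[1], {})[t[2]] = t[3:]
    return cfg


def acl_dst_network(ace):
    """Destination of a 'permit ip <src> <dst>' ACE as an ip_network, else None."""
    if ace[:2] != ["permit", "ip"]:
        return None
    rest = ace[3:] if ace[2] == "any" else ace[4:]          # source is 'any' or two tokens
    if rest[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if rest[0] == "host":
        return ipaddress.ip_network(rest[1] + "/32")
    return ipaddress.ip_network(rest[0] + "/" + rest[1], strict=False)


def check_vpn(cfg):
    """Return (code, message) findings for each vpngroup and for the crypto map binding."""
    findings = []
    inside = cfg["interfaces"]["inside"].network
    nat0 = [acl_dst_network(a) for a in cfg["acls"].get(cfg["nat0_acl"], [])]
    for grp, attrs in cfg["vpngroups"].items():
        first, last = cfg["pools"][attrs["address-pool"][0]]
        if first in inside or last in inside:
            findings.append(("POOL_OVERLAPS_INSIDE",
                             f"{grp}: pool {first}-{last} lies within inside subnet {inside}"))
        if not any(n is not None and first in n and last in n for n in nat0):
            findings.append(("NAT0_MISSING",
                             f"{grp}: nat 0 ACL does not cover the whole pool {first}-{last}"))
        for ace in cfg["acls"].get(attrs.get("split-tunnel", [None])[0], []):
            n = acl_dst_network(ace)
            if n is not None and n.prefixlen == 0:
                findings.append(("SPLIT_TUNNEL_ANY",
                                 f"{grp}: split-tunnel ACL is any/any, all client traffic is tunnelled"))
        for glob, local in cfg["statics"]:
            try:
                addr = ipaddress.ip_address(local)
            except ValueError:                              # local side is a host name
                continue
            if first <= addr <= last:
                findings.append(("STATIC_ON_POOL_ADDR",
                                 f"{grp}: static {glob} -> {local} maps an address in the pool"))
    for name, dyns in cfg["crypto_maps"].items():
        if name != cfg["bound_map"]:
            findings.append(("UNBOUND_CRYPTO_MAP",
                             f"crypto map {name} (dynamic {', '.join(dyns)}) is never applied; "
                             f"only {cfg['bound_map']} is bound to an interface"))
    return findings


if __name__ == "__main__":
    for code, msg in check_vpn(parse_pix(PIX_CONFIG)):
        print(f"{code:22} {msg}")
```

Run against the sample it reports four findings: the pool overlapping the inside /24, the static on 192.168.169.210, the any/any split-tunnel ACL, and the unused outside_map. Moving the pool to a subnet of its own (and widening the nat 0 ACL to match) clears the first two, which is the usual first change to try on a PIX before looking at the tunnel itself.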
