Need simple help with Pix 515 to Cisco Client VPN

Discussion in 'Cisco' started by Kilgore Troute, Sep 6, 2004.

  1. Greetings gang, I've worked two days straight now, cleaning up from
    our second hurricane here. I have most of our systems up at our disaster
    recovery site, but I'm having trouble getting client VPNs to route.
    I know I'm not thinking straight and I'm missing something; anyone
    lend a hand?

    My Cisco client connects from the desktop fine and authenticates via
    RADIUS all swell. Once the VPN is established, I cannot ping anything
    on the internal network. I'm pretty sure this is a routing issue.

    My IP pool for the VPN is 10.1.15.x - 10.1.15.x... 10.1.15.0 is
    routed on my core internal router via an "ip 10.1.15.1 secondary"
    command on that router.

    Here's my config. Any help would be great. Also, when looking at the
    "Cisco Client Status" screen, I'm seeing 1800 bytes sent but 0
    received; that's leading me to believe it's a routing problem. My client
    is getting the address 10.1.15.200 with no default gateway and a
    subnet of 255.0.0.0 <- should that be OK?

    : Written by enable_15 at 18:22:10.560 UTC Sun Sep 5 2004
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    hostname pix
    domain-name mydomain.org
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    object-group network 1
    description metaframe farm
    network-object host 10.1.20.181
    network-object host 10.1.20.182
    network-object host 10.1.20.183
    network-object host 10.1.20.184
    network-object host 10.1.20.185
    network-object host 10.1.20.186
    network-object host 10.1.20.187
    access-list outside_in permit tcp any host 127.44.5.5 eq smtp
    access-list outside_in permit tcp any host 127.44.5.6 eq https
    access-list outside_in permit icmp any any
    access-list inside_in permit tcp host 10.1.20.111 any eq smtp
    access-list inside_in permit udp any any eq domain
    access-list inside_in permit tcp any any eq domain
    access-list inside_in permit icmp any any
    access-list inside_in permit ip any 127.44.5.0 mynetmask
    access-list inside_in permit ip host 10.1.20.10 any
    access-list inside_in permit tcp any any eq citrix-ica
    access-list inside_in permit ip host 10.1.1.244 any
    access-list inside_in permit tcp any host 66.83.130.85 eq 400
    access-list inside_in permit tcp host 66.83.130.85 any eq 400
    access-list inside_in permit tcp any host 66.220.43.26 eq 3389
    access-list inside_in permit tcp host 66.220.43.26 any eq 3389
    access-list dmz_in permit udp any any eq domain
    access-list dmz_in permit tcp any any eq domain
    access-list dmz_in permit icmp any any
    access-list dmz_in permit tcp host 10.1.100.201 object-group 1 eq citrix-ica
    access-list dmz_in permit tcp host 10.1.100.201 host 10.1.20.102 eq https
    access-list 102 permit ip 10.1.10.0 255.255.255.0 10.1.15.0 255.255.255.0
    access-list 102 permit ip 10.1.20.0 255.255.255.0 10.1.15.0 255.255.255.0
    pager lines 24
    logging on
    logging console debugging
    logging trap warnings
    logging host inside 10.1.20.102
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside 127.44.5.3 255.255.255.240
    ip address inside 10.1.20.3 255.255.255.0
    ip address intf2 10.1.100.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool1 10.1.15.200-10.1.15.210
    pdm location 10.1.10.0 255.255.255.0 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 127.44.5.4 netmask 255.255.255.255
    nat (inside) 0 access-list 102
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 127.44.5.5 10.1.20.111 netmask 255.255.255.255 0 0
    static (intf2,outside) 127.44.5.6 10.1.100.201 netmask 255.255.255.255 0 0
    static (inside,intf2) 10.1.20.0 10.1.20.0 netmask 255.255.255.0 0 0
    access-group outside_in in interface outside
    access-group inside_in in interface inside
    access-group dmz_in in interface intf2
    route outside 0.0.0.0 0.0.0.0 127.44.5.1 1
    route inside 10.0.0.0 255.0.0.0 10.1.20.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 10.1.20.102 ****** timeout 10
    aaa-server LOCAL protocol local
    aaa-server partnerauth protocol radius
    aaa-server partnerauth (inside) host 10.1.20.102 ****** timeout 5
    http server enable
    http 10.1.20.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 10.1.20.72 /pix-disaster
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
    crypto dynamic-map map2 10 set transform-set trmset1
    crypto map map1 10 ipsec-isakmp dynamic map2
    crypto map map1 client authentication partnerauth
    crypto map map1 interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vendor address-pool vpnpool1
    vpngroup vendor dns-server 10.1.20.102
    vpngroup vendor wins-server 10.1.20.102
    vpngroup vendor default-domain mydomain.org
    vpngroup vendor split-tunnel 102
    vpngroup vendor idle-time 1800
    vpngroup vendor password ******

    telnet 10.1.20.0 255.255.255.0 inside
    telnet timeout 5
    ssh 10.1.20.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    terminal width 80
    : end
    Kilgore Troute, Sep 6, 2004
    #1

  2. S. Gione Guest

    You might try isakmp nat-traversal

    "Kilgore Troute" <> wrote in message
    news:...
    S. Gione, Sep 7, 2004
    #2
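As an added check (an editor's example, not code from the thread or from Cisco), the script below reads the lines of the posted PIX 6.3(1) config that a VPN client's return path depends on and reports three things: whether every pool address is covered by the nat 0 exemption ACL, whether the pool lies outside the PIX inside subnet (in which case the inside router must have a route for it pointing at the PIX inside address), and whether isakmp nat-traversal, the command suggested in reply #2, is present. The config excerpt is constructed from the original post; the finding wording and the function names are mine.

```python
import ipaddress

# Constructed excerpt of the PIX 6.3(1) config in this thread: the lines a client's return path depends on.
PIX_CONFIG = """\
ip address inside 10.1.20.3 255.255.255.0
access-list 102 permit ip 10.1.10.0 255.255.255.0 10.1.15.0 255.255.255.0
access-list 102 permit ip 10.1.20.0 255.255.255.0 10.1.15.0 255.255.255.0
ip local pool vpnpool1 10.1.15.200-10.1.15.210
nat (inside) 0 access-list 102
vpngroup vendor address-pool vpnpool1
vpngroup vendor split-tunnel 102
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse(cfg):
    # Collect pools, "permit ip" ACL entries, nat 0 ACLs, interface addresses, vpngroups and the NAT-T flag.
    c = {"pools": {}, "acls": {}, "nat0": set(), "ifaces": {}, "group": {}, "natt": False}
    for line in cfg.splitlines():
        w = line.split()
        if w[:3] == ["ip", "local", "pool"]:
            lo, hi = w[4].split("-")
            c["pools"][w[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif w[:2] == ["ip", "address"]:
            c["ifaces"][w[2]] = ipaddress.ip_interface(f"{w[3]}/{w[4]}")
        elif w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            c["acls"].setdefault(w[1], []).append((net(w[4], w[5]), net(w[6], w[7])))
        elif w[:1] == ["nat"] and w[2:4] == ["0", "access-list"]:
            c["nat0"].add(w[4])
        elif w[:1] == ["vpngroup"]:
            c["group"].setdefault(w[1], {})[w[2]] = w[3]
        elif w[:2] == ["isakmp", "nat-traversal"]:
            c["natt"] = True
    return c

def audit(cfg, group="vendor"):
    # Findings about the path from inside hosts back to one vpngroup's clients.
    c, out = parse(cfg), []
    lo, hi = c["pools"][c["group"][group]["address-pool"]]
    hosts = [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
    # nat 0: replies to every pool address must be exempt from "nat (inside) 1".
    exempt = [dst for acl in c["nat0"] for _, dst in c["acls"].get(acl, [])]
    missed = [str(h) for h in hosts if not any(h in d for d in exempt)]
    if missed:
        out.append(f"nat 0 does not exempt pool addresses: {missed}")
    # A pool outside the inside subnet must be routed by the inside router to the PIX inside address.
    inside = c["ifaces"]["inside"]
    if not all(h in inside.network for h in hosts):
        out.append(f"inside router needs a route for {lo}-{hi} via {inside.ip}")
    if not c["natt"]:  # the fix suggested in reply #2
        out.append("isakmp nat-traversal is not enabled")
    return out
```

Note that a secondary address on the core router, as described in the post, makes that router treat 10.1.15.0/24 as directly connected rather than reachable via 10.1.20.3, which is what the route check is there to surface.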