PIX 501 issue routing between VPN pool and local pool

Discussion in 'Cisco' started by eostrike, Oct 16, 2008.

  1. eostrike
    Hello,


    I am new to this forum. I have a Pix 501 which is configured and working properly, except for the life of me I cannot get the VPN to be able to access any hosts on my local network. I have my VPN pool set up with 192.168.3.0 and my local network is 192.168.2.0. When I connect through the VPN from outside my network I connect just fine; however, I can only ping the gateway of network 192.168.2.0. I cannot ping anything else on the network. On the Pix I am unable to ping the VPN client. Can someone look over my config and let me know why I cannot route to my internal network 192.168.2.0? I would appreciate any assistance. I have a week into trying to figure this out and no go. Any help would be appreciated. As long as I cannot route to my internal network my VPN function is useless. I have tried many different configs and nothing works. PLEASE HELP.


    My Configuration:

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password *************encrypted
    passwd *************** encrypted
    hostname PIX501
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.2.10 server
    name 192.168.2.2 s1
    name 192.168.2.3 desktop
    name 192.168.2.4 ap1
    name 192.168.2.5 canon
    name 192.168.2.6 mvix
    name 192.168.2.7 laptop
    name 192.168.2.8 von
    name 192.168.2.9 dell1100
    name 192.168.2.11 pdu
    name 192.168.2.12 ras
    name 192.168.2.1 pix
    access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_access_in permit tcp any any eq 3389
    access-list outside_access_in permit tcp any any eq 2323
    access-list outside_access_in permit tcp any any eq 2324
    access-list outside_access_in permit tcp any any eq 2325
    access-list outside_access_in permit tcp any any eq 5851
    access-list outside_access_in permit udp any any eq 5850
    pager lines 24
    logging on
    logging buffered warnings
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside pix 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.3.1-192.168.3.10
    pdm location server 255.255.255.255 inside
    pdm location 192.168.1.0 255.255.255.0 outside
    pdm location desktop 255.255.255.255 inside
    pdm location pdu 255.255.255.255 inside
    pdm location ras 255.255.255.255 inside
    pdm logging errors 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.2.0 255.255.255.0 0 0
    nat (inside) 1 192.168.3.0 255.255.255.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 3389 server 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5851 server ftp netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 5850 desktop 5850 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 2325 server 2325 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 2323 ras telnet netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 2324 pdu telnet netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route inside 192.168.3.0 255.255.255.0 pix 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 outside
    http 192.168.2.0 255.255.255.0 inside
    snmp-server location Upstairs Office
    snmp-server contact **************
    snmp-server community *******
    no snmp-server enable traps
    tftp-server inside server Pix501_Backup_New
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address server netmask 255.255.255.255
    isakmp identity address
    isakmp keepalive 20 30
    isakmp nat-traversal 10
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup eostrike address-pool ippool
    vpngroup eostrike dns-server server
    vpngroup eostrike split-tunnel 101
    vpngroup eostrike idle-time 1800
    vpngroup eostrike password ********
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 15
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    management-access inside
    console timeout 30
    dhcpd address 192.168.2.20-192.168.2.35 inside
    dhcpd dns 24.205.1.14 66.215.64.14
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain ***************
    dhcpd enable inside
    username ******* password *********** encrypted privilege 15
    username ******** password **************encrypted privilege 15
    terminal width 80
    banner motd Authorized users only, all others must disconnect now!
    Cryptochecksum:2d4e1e650934f0f729c3a3944e63fa05
    eostrike, Oct 16, 2008
    #1

  2. eostrike
    I figured it out. Thank you anyhow.

    EricO
    eostrike, Oct 16, 2008
    #2

  3. Brian45040
    Same issue

    Can you please let me know what I can check on because I have the same exact circumstance?

    Thank you,
    Brian
    Brian45040, Oct 24, 2008
    #3
  4. eostrike
    Pix 501

    Brian,


    Here is the config that I am using, which allows me to VPN to my home network using Cisco's VPN client. I have been trying to figure out the MS VPN client but have not made it that far yet. If you have any other questions I can try and help out.

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ***************encrypted
    passwd *************** encrypted
    hostname PIX501
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.2.10 server
    name 192.168.2.2 s1
    name 192.168.2.3 desktop
    name 192.168.2.4 ap1
    name 192.168.2.5 canon
    name 192.168.2.6 mvix
    name 192.168.2.7 laptop
    name 192.168.2.8 von
    name 192.168.2.9 dell1100
    name 192.168.2.11 pdu
    name 192.168.2.12 ras
    name 192.168.2.1 pix
    access-list outside_access_in permit tcp any any eq 3389
    access-list outside_access_in permit tcp any any eq 2323
    access-list outside_access_in permit tcp any any eq 2324
    access-list outside_access_in permit tcp any any eq 2325
    access-list outside_access_in permit tcp any any eq 5851
    access-list outside_access_in permit udp any any eq 5850
    access-list 100 permit icmp any any
    access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
    access-list outside_cryptomap_dyn_10 permit ip any 192.168.3.0 255.255.255.0
    access-list vpn1_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
    pager lines 24
    logging on
    logging buffered warnings
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside pix 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.3.10-192.168.3.20 mask 255.255.255.0
    pdm location server 255.255.255.255 inside
    pdm location 192.168.1.0 255.255.255.0 outside
    pdm location desktop 255.255.255.255 inside
    pdm location pdu 255.255.255.255 inside
    pdm location ras 255.255.255.255 inside
    pdm location 192.168.3.0 255.255.255.0 outside
    pdm logging errors 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 192.168.2.0 255.255.255.0 0 0
    static (inside,outside) tcp interface 3389 server 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5851 server ftp netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 5850 desktop 5850 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 2325 server 2325 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 2323 ras telnet netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 2324 pdu telnet netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    snmp-server location Upstairs Office
    snmp-server contact *****************
    snmp-server community ********
    no snmp-server enable traps
    tftp-server inside server Pix501_Backup_New
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address server netmask 255.255.255.255
    isakmp identity address
    isakmp keepalive 20 30
    isakmp nat-traversal 10
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup eostrike address-pool ippool
    vpngroup eostrike split-tunnel vpn1_splitTunnelAcl
    vpngroup eostrike idle-time 1800
    vpngroup eostrike password ********
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 15
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    management-access inside
    console timeout 30
    vpdn group test accept dialin l2tp
    vpdn group test ppp authentication chap
    vpdn group test client configuration address local ippool
    vpdn group test client authentication local
    vpdn group test l2tp tunnel hello 60
    vpdn username eric password *********
    vpdn username ez password *********
    vpdn enable outside
    vpdn enable inside
    dhcpd address 192.168.2.20-192.168.2.35 inside
    dhcpd dns 24.205.1.14 66.215.64.14
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain *********************
    dhcpd enable inside
    username eostrike password ********************encrypted privilege 15
    terminal width 80
    banner motd Authorized users only, all others must disconnect now!
    Cryptochecksum:e044e363d1b93249823ae147475765ca
    eostrike, Oct 24, 2008
    #4
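Editor's note with an added example (not code from the thread, the poster, or Cisco). The two configs above differ in exactly the places that decide whether a PIX 6.3 VPN pool can reach the inside network: the working one adds a `nat (inside) 0 access-list` exemption so inside-to-pool traffic is not PAT'd out the outside interface, drops the `route inside 192.168.3.0 ...` line that sent replies to VPN clients out the LAN instead of into the tunnel, drops the `nat (inside) 1 192.168.3.0` entry, gives the pool a mask, and replaces split-tunnel ACL 101 (inside-to-inside) with one that has the inside network as source and `any` as destination. The checker below, written for this page, encodes those checks so a reader can run them against their own `show running-config` text. Run over the second config it still flags three things visible in the listing: `access-group 100 in interface outside` now applies an ACL that permits only ICMP, so the `outside_access_in` entries that used to permit the port-forwards are no longer applied and the `static` entries are unreachable from outside; the ISAKMP policy still uses single DES; and SSH is open on outside to 0.0.0.0. `CONFIG_BEFORE` and `CONFIG_AFTER` are constructed, trimmed versions of the two posted configs; the `host` ACL form and the /24 assumed for a pool without `mask` are assumptions not taken from the page.

```python
"""PIX 6.3 remote-access VPN pitfall checker. Added example, not from the thread
or from Cisco: reads a PIX 6.3 running-config as text and reports why a VPN pool
cannot reach the inside network, plus hardening points a reviewer would raise."""
import ipaddress
import re
ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(addr, mask, names):  # build a network, resolving 'name <ip> <alias>' aliases
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

def _spec(tok, i, names):  # one PIX ACL address spec at tok[i]: any | host A | A MASK (host form assumed)
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return _net(tok[i + 1], "255.255.255.255", names), i + 2
    return _net(tok[i], tok[i + 1], names), i + 2

def _aces(lines, acl, names):  # (src, dst) networks of each 'permit ip' entry in ACL
    for tok in (l.split() for l in lines):
        if tok[:4] == ["access-list", acl, "permit", "ip"]:
            src, i = _spec(tok, 4, names)
            yield src, _spec(tok, i, names)[0]

def check_vpn_pool(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    names, ports = {}, set()  # alias -> ip ; (acl, proto, port) permitted by an ACL
    pool = inside_tok = nat0 = applied = None
    for l in lines:  # first pass: collect the objects the checks need
        tok = l.split()
        if m := re.match(r"name (\S+) (\S+)$", l):
            names[m.group(2)] = m.group(1)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)(?: mask (\S+))?$", l):
            pool = m
        elif m := re.match(r"ip address inside (\S+) (\S+)$", l):
            inside_tok = m.groups()
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", l):
            nat0 = m.group(1)
        elif m := re.match(r"access-group (\S+) in interface outside$", l):
            applied = m.group(1)
        elif tok[0] == "access-list" and "eq" in tok:
            ports.add((tok[1], tok[3], tok[tok.index("eq") + 1]))
    if pool is None or inside_tok is None:
        return ["missing 'ip local pool' or 'ip address inside'; nothing to check"]
    inside = _net(*inside_tok, names)
    pool_net = ipaddress.ip_network(f"{pool.group(2)}/{pool.group(4) or '255.255.255.0'}", strict=False)  # no 'mask': assume /24
    findings = []
    if not nat0 or not any(pool_net.subnet_of(d) and s.overlaps(inside)
                           for s, d in _aces(lines, nat0, names)):
        findings.append(f"no 'nat (inside) 0 access-list' entry exempting {inside} -> {pool_net} from NAT")
    for l in lines:  # second pass: per-line checks
        tok = l.split()
        if m := re.match(r"route inside (\S+) (\S+) ", l):
            if _net(m.group(1), m.group(2), names).overlaps(pool_net):
                findings.append(f"'{l}' sends replies to VPN clients out inside instead of into the tunnel; remove it")
        elif m := re.match(r"nat \(inside\) [1-9]\d* (\S+) (\S+) ", l):
            if m.group(1) != "0.0.0.0" and _net(m.group(1), m.group(2), names).overlaps(pool_net):
                findings.append(f"'{l}' lists the VPN pool in a dynamic NAT rule on inside; no inside host has a pool address")
        elif m := re.match(r"vpngroup (\S+) split-tunnel (\S+)$", l):
            for s, d in _aces(lines, m.group(2), names):
                if not s.overlaps(inside):
                    findings.append(f"split-tunnel ACL {m.group(2)}: source {s} is not the inside network")
                elif not pool_net.subnet_of(d):
                    findings.append(f"split-tunnel ACL {m.group(2)}: destination {d} does not cover the VPN pool; the working config uses 'any'")
        elif m := re.match(r"static \(inside,outside\) (tcp|udp) interface (\S+) ", l):
            if (applied, m.group(1), m.group(2)) not in ports:
                findings.append(f"'{l.split(' netmask')[0]}' forwards a port that the outside ACL ({applied}) never permits")
        elif re.match(r"isakmp policy \d+ encryption des$", l) or "esp-des" in tok:
            findings.append(f"'{l}': single DES is weak; use 3des or aes")
        elif l == "ssh 0.0.0.0 0.0.0.0 outside":
            findings.append("SSH management is open to any source on outside; restrict it to known addresses")
    return findings

# Constructed, trimmed versions of the two configs posted in this thread.
CONFIG_BEFORE = """
name 192.168.2.1 pix
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address inside pix 255.255.255.0
ip local pool ippool 192.168.3.1-192.168.3.10
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route inside 192.168.3.0 255.255.255.0 pix 1
crypto ipsec transform-set myset esp-des esp-md5-hmac
vpngroup eostrike split-tunnel 101
ssh 0.0.0.0 0.0.0.0 outside
"""
CONFIG_AFTER = """
name 192.168.2.1 pix
access-list outside_access_in permit tcp any any eq 3389
access-list 100 permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
access-list vpn1_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
ip address inside pix 255.255.255.0
ip local pool ippool 192.168.3.10-192.168.3.20 mask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,outside) tcp interface 3389 server 3389 netmask 255.255.255.255 0 0
access-group 100 in interface outside
isakmp policy 10 encryption des
vpngroup eostrike split-tunnel vpn1_splitTunnelAcl
ssh 0.0.0.0 0.0.0.0 outside
"""
```

`check_vpn_pool(CONFIG_BEFORE)` returns the six findings that correspond to the lines the poster changed (missing NAT exemption, the pool in a `nat 1` rule, the `route inside` line, DES, the inside-to-inside split-tunnel ACL, and open SSH); `check_vpn_pool(CONFIG_AFTER)` returns only the three points noted above. The checker only understands the `any` / `A MASK` / `host` address forms and `permit ip` entries, which is all the posted ACLs use; paste the full running-config in, aliases from `name` lines are resolved.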
