PIX 506e VPN issue - cannot ping internal network

Discussion in 'Cisco' started by kammy_boy186@hotmail.com, May 26, 2005.

  1. Guest

    Hi All,

    I'm having an issue with remote connecting to my network using PPTP.
    The VPN connection authenticated fine, however I cannot ping any of the
    machines on the internal network.

    Myself and the other network guys have gone through the config, and
    can't find out why this is, and I was really hoping someone would be
    able to help me. The guy who configured the PIX has done a runner to
    Australia, so we're a bit up a creek here!!

    The relevant config is copied below -

    Building configuration...
    : Saved
    :
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password XX encrypted
    passwd XX encrypted
    hostname X
    domain-name XX
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name X mail_outside
    name 192.168.1.9 srvroom
    name 192.168.1.8 inbound_SMTP
    name 192.116.106.242 ARCPHC
    name 172.168.0.0 HQ
    name X LondonPIX
    name 192.168.1.11 DC
    name 192.168.1.1 mailserv
    name 192.168.1.3 notes
    name 192.168.1.4 fileserv
    object-group service DNS tcp-udp
    description DNS
    port-object eq domain
    object-group service LANGlobal tcp
    group-object DNS
    port-object eq ftp
    port-object eq pop3
    port-object eq domain
    port-object eq www
    port-object eq https
    object-group service test udp
    group-object DNS
    port-object eq dnsix
    port-object eq nameserver
    port-object eq domain
    access-list outside_access_in remark Allow Mail delivery
    access-list outside_access_in permit tcp any any eq smtp
    access-list outside_access_in remark Allow X ARC HQ Connectivity
    access-list outside_access_in permit ip HQ 255.255.252.0 any
    access-list outside_access_in permit tcp any eq smtp host mail_outside eq smtp
    access-list outside_access_in remark Allow IPsec Traffic
    access-list outside_access_in permit udp host ARCPHC host X eq isakmp
    access-list outside_access_in remark Allow IPsec Traffic
    access-list outside_access_in permit ah host ARCPHC host X
    access-list outside_access_in remark Allow IPsec Traffic
    access-list outside_access_in permit esp host ARCPHC host X
    access-list outside_access_in permit tcp any object-group LANGlobal X 255.255.255.0 object-group LANGlobal
    access-list outside_access_in remark Web Access
    access-list outside_access_in permit tcp any host X eq www
    access-list outside_access_in permit icmp HQ 255.255.0.0 X 255.255.255.0
    access-list outside_access_in deny udp any eq 1434 any
    access-list outside_access_in remark Allow ICMP
    access-list outside_access_in permit icmp any any
    access-list outside_access_in deny tcp any any
    access-list outside_access_in remark Block everything to come in.
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 HQ 255.255.0.0
    access-list inside_access_in deny udp any eq 1434 any
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0
    access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0
    pager lines 24
    icmp permit any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside X 255.255.255.240
    ip address inside 192.168.1.5 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn_pool 192.168.1.200-192.168.1.210
    pdm location mail_outside 255.255.255.255 outside
    pdm location 192.168.1.192 255.255.255.224 outside
    pdm location srvroom 255.255.255.255 inside
    pdm location inbound_SMTP 255.255.255.255 inside
    pdm location notes 255.255.255.255 inside
    pdm location HQ 255.255.252.0 outside
    pdm location LondonPIX 255.255.255.255 outside
    pdm location ARCPHC 255.255.255.255 outside
    pdm location LondonPIX 255.255.255.255 inside
    pdm location HQ 255.255.0.0 outside
    pdm location mailserv 255.255.255.255 inside
    pdm location DC 255.255.255.255 inside
    pdm location fileserv 255.255.255.255 inside
    pdm location 192.168.1.2 255.255.255.255 inside
    pdm location 192.168.1.7 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    static (inside,outside) mail_outside inbound_SMTP netmask 255.255.255.255 0 0
    static (inside,outside) X fileserv netmask 255.255.255.255 0 0
    static (inside,outside) X notes netmask 255.255.255.255 0 0
    static (inside,outside) X 192.168.1.7 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 62.189.104.254 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http srvroom 255.255.255.255 inside
    http notes 255.255.255.255 inside
    http mailserv 255.255.255.255 inside
    http DC 255.255.255.255 inside
    http fileserv 255.255.255.255 inside
    http 192.168.1.7 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set X
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer ARCPHC
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address ARCPHC netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet srvroom 255.255.255.255 inside
    telnet mailserv 255.255.255.255 inside
    telnet fileserv 255.255.255.255 inside
    telnet 192.168.1.7 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 10
    vpdn group HQ1 accept dialin pptp
    vpdn group HQ1 ppp authentication mschap
    vpdn group HQ1 ppp encryption mppe 40
    vpdn group HQ1 client configuration address local vpn_pool
    vpdn group HQ1 client configuration dns DC
    vpdn group HQ1 client configuration wins mailserv
    vpdn group HQ1 pptp echo 60
    vpdn group HQ1 client authentication local
    vpdn username HQ1 password *********
    vpdn username HQ2 password *********
    vpdn username HQ3 password *********
    vpdn username HQ4 password *********
    vpdn username HQ5 password *********
    vpdn enable outside
    dhcprelay server DC inside
    dhcprelay enable outside
    dhcprelay setroute outside
    <snip>
    : end
    [OK]

    Would really appreciate if someone could point me in the right
    direction...cheers..

    K
    , May 26, 2005
    #1

  2. In article <>,
    <> wrote:
    :I'm having an issue with remote connecting to my network using PPTP.
    :The VPN connection authenticated fine, however I cannot ping any of the
    :machines on the internal network.

    :PIX Version 6.3(1)

    6.3(1) has a number of known security problems. I recommend that
    you look on cisco's site under the keywords PIX Security Advisories
    for information on free updates.

    :name X mail_outside

    :name X LondonPIX

    You cannot use two 'name' statements with the same IP address.

    :access-list outside_access_in permit tcp any any eq smtp

    :access-list outside_access_in permit tcp any eq smtp host mail_outside eq smtp

    That line is redundant:

    The first line I quoted permits smtp from anywhere outside to anywhere
    inside, so the later line that is more selective about smtp will never
    match since matches go top down.

    Also, remote SMTP clients (and servers) will almost never use the
    smtp port (25) as their -source- port for SMTP transactions.

    :access-list outside_access_in remark Allow IPsec Traffic
    :access-list outside_access_in remark Allow IPsec Traffic
    :access-list outside_access_in remark Allow IPsec Traffic

    Duplicate remark statements will sometimes be thrown away.

    :access-list outside_access_in permit tcp any object-group LANGlobal X 255.255.255.0 object-group LANGlobal

    :access-list outside_access_in permit tcp any host X eq www

    In what you posted, you treat X both as a host and as a subnet base
    address. That would be wrong unless the two X's are really different
    things.

    :access-list outside_access_in permit icmp any any

    :access-list outside_access_in deny tcp any any

    That's redundant -- when you get to the end of the list, anything
    not permitted will be denied.


    :access-list inside_access_in permit ip any any
    :access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 HQ 255.255.0.0

    Until PIX 7.0, the PIX doesn't handle anything other than IP, so
    all the lines after the first are redundant since icmp and so on are
    subsets of ip.

    :access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0

    :name 172.168.0.0 HQ

    :access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0

    You want a VPN that covers traffic to large chunks of AOL ??

    NetRange: 172.128.0.0 - 172.191.255.255
    NetName: AOL-172BLK
    NetHandle: NET-172-128-0-0-1
    TechHandle: AOL-NOC-ARIN
    TechName: America Online, Inc.

    Are you sure you don't mean 172.16.0.0 instead of 172.168.0.0 ??

    :ip address outside X 255.255.255.240

    If that is the same X that appeared in some of your ACL entries,
    then you need to recode the ACL entries to use the keyword
    'interface outside' instead of 'host X'.

    :ip address inside 192.168.1.5 255.255.255.0

    :ip local pool vpn_pool 192.168.1.200-192.168.1.210

    :vpdn group HQ1 accept dialin pptp

    :vpdn group HQ1 client configuration address local vpn_pool

    Classic mistake. The pool you allocate for any incoming VPN
    must be of addresses that are "outside" relative to your
    inside interface. IPSec, PPTP and so on only work on
    traffic that crosses the PIX, but when you allocate a PPTP
    IP that is within the range covered by the inside interface,
    then when any host on the inside goes to send packets to the
    PPTP host, the PIX looks at the packet, sees that the "route"
    to the destination back through the inside interface, and
    promptly discards the packet.

    Try:

    ip local pool vpn_pool 192.168.2.200-192.168.2.210


    By the way: did you want your PPTP users to be able to
    access the IPSec tunnel to HQ?
    --
    Feep if you love VT-52's.
    Walter Roberson, May 26, 2005
    #2
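The three configuration problems Walter points out above (a VPN pool inside the inside interface's subnet, one IP bound to two 'name' entries, and a "private" HQ network that is actually public space) can be caught mechanically. The following linter is an added example, not code from the thread or from Cisco; it parses a constructed excerpt modelled on the posted config, with the masked outside address ("X" in the post) replaced by the documentation address 203.0.113.10.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt modelled on the PIX 6.3 config in the first post. The
# masked outside address ("X" there) is replaced by the documentation address
# 203.0.113.10 so the parser has something concrete to work on.
SAMPLE_CONFIG = """\
name 203.0.113.10 mail_outside
name 192.168.1.9 srvroom
name 172.168.0.0 HQ
name 203.0.113.10 LondonPIX
ip address outside 203.0.113.10 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip local pool vpn_pool 192.168.1.200-192.168.1.210
"""

def parse_config(text):
    """Collect interface networks, local address pools and 'name' bindings."""
    ifaces, pools, names = {}, {}, defaultdict(list)
    for line in text.splitlines():
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            ifaces[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"name (\S+) (\S+)$", line):
            names[m[1]].append(m[2])
    return ifaces, pools, names

def lint(text):
    """Return findings for the three problems raised in the reply above."""
    ifaces, pools, names = parse_config(text)
    findings = []
    inside = ifaces.get("inside")
    for pool, (lo, hi) in pools.items():
        # Addresses handed to VPN clients must not fall inside the 'inside'
        # subnet, or replies are routed back out that interface and dropped.
        if inside is not None and (lo in inside or hi in inside):
            findings.append(f"pool {pool} {lo}-{hi} overlaps inside subnet {inside}")
    for ip, labels in names.items():
        if len(labels) > 1:
            findings.append(f"address {ip} bound to more than one name: {labels}")
        if ipaddress.ip_address(ip).is_global:
            # 172.168.0.0 is public space, not the RFC 1918 172.16.0.0/12 block.
            findings.append(f"name {labels[0]} maps to public address {ip}; confirm intended")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Moving the pool to 192.168.2.x, as suggested in the reply, clears the first finding but leaves the other two.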

  3. Guest

    Many thanks Walter.

    I created a new VPN IP pool 192.168.2.200 - 192.168.2.210 and tried
    again but it didn't work, so I added 192.168.2.0/24 as an Outside
    Network on the PIX and then created a rule allowing 192.168.2.0/24
    [outside] to 192.168.1.0/24 [inside], but I am still having the same
    problem :(

    Obviously, 192.168.2.0/24 is not really an outside address, but I'm
    assuming the PIX classes VPN connections as such and there needs to be
    a way it can communicate with the internal network?

    Any pointers?

    K
    , May 27, 2005
    #3