PIX advise needed

Discussion in 'Cisco' started by Ned, Oct 5, 2007.

  1. Ned

    Ned Guest

    I am able to VPN into my PIX from the Internet - I get an address from
    the local pool. But when I try to PING anything on the inside I get
    timeouts... I have tried different address pools - even one on the same
    subnet as the inside interface; also tried split tunnel on & off - all
    results are the same...
    Can anyone spot the problem & advise? TIA, Ned
    ***********
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 ether2 security90
    names

    access-list 102 permit ip 172.29.0.0 255.255.0.0 192.168.2.0 255.255.255.0
    access-list 102 permit ip 172.29.0.0 255.255.0.0 172.22.0.0 255.255.0.0
    access-list 102 permit ip 172.29.0.0 255.255.0.0 172.30.0.0 255.255.0.0
    access-list 102 permit ip 172.30.0.0 255.255.0.0 172.29.0.0 255.255.0.0
    access-list 112 permit tcp any any eq www
    access-list 112 permit icmp any any
    access-list 112 permit tcp host 172.2.0.1 host 77.92.238.229 eq 3389
    access-list 112 permit tcp host 172.22.0.1 host 77.92.238.229 eq 3389
    access-list 112 permit ip any any

    ip address outside 77.92.238.226 255.255.255.248
    ip address inside 172.29.11.254 255.255.0.0
    no ip address ether2
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool LAN1vpn 192.168.2.1-192.168.2.100
    ip local pool mypool1 172.22.0.1-172.22.0.6
    ip local pool mypool2 172.29.11.1-172.29.11.6
    pdm history enable
    arp timeout 14400
    global (outside) 1 77.92.238.227
    nat (inside) 0 access-list 102
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 77.92.238.229 172.29.11.250 netmask 255.255.255.255 0 0

    access-group 112 in interface outside
    route outside 0.0.0.0 0.0.0.0 77.92.152.1 1
    route inside 172.30.0.0 255.255.0.0 172.29.11.253 1

    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set trns1 esp-3des esp-sha-hmac
    crypto ipsec transform-set trmset1 esp-3des esp-sha-hmac
    crypto dynamic-map map2 10 set transform-set trmset1
    crypto map map1 10 ipsec-isakmp dynamic map2
    crypto map map1 interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    vpngroup user5 address-pool LAN1vpn
    vpngroup user5 idle-time 600
    vpngroup user5 password ********
    vpngroup user6 address-pool mypool1
    vpngroup user6 split-tunnel 102
    vpngroup user6 idle-time 600
    vpngroup user6 password ********
    vpngroup user7 address-pool mypool2
    vpngroup user7 split-tunnel 102
    vpngroup user7 idle-time 600
    vpngroup user7 password ********

    console timeout 0
    dhcpd address 172.29.50.1-172.29.50.200 inside
    dhcpd dns 162.23.132.10 162.23.132.11
    dhcpd lease 3000
    dhcpd ping_timeout 1000
    dhcpd enable inside

    *******************
    pixfirewall(config)# 32: ICMP echo-request from outside:172.29.11.1 to 172.29.11.254 ID=1280 seq=2304 length=40
    33: ICMP echo-request from outside:172.29.11.1 to 172.29.11.254 ID=1280 seq=2560 length=40
    34: ICMP echo-request from outside:172.29.11.1 to 172.29.11.254 ID=1280 seq=2816 length=40
    ***********************
     
    Ned, Oct 5, 2007
    #1

  2. mcaissie

    mcaissie Guest

    You must make sure that your traffic is part of your nat (0) access-list.

    Adding the following line should help:

    access-list 102 permit ip 172.29.11.0 255.255.255.0 172.29.11.0 255.255.255.0

     
    mcaissie, Oct 5, 2007
    #2

  3. Ned

    Ned Guest

    On 5 Oct, 16:42, "mcaissie" <> wrote:
    > You must make sure that your traffic is part of your nat (0) access-list.
    >
    > Adding the following line should help:
    >
    > access-list 102 permit ip 172.29.11.0 255.255.255.0 172.29.11.0 255.255.255.0

    I have added that to my NAT 0 access list but still can't get through
    to the inside LAN. Interestingly, when I have my VPN established, and
    I try to PING the inside ip address 172.29.11.254 the debug shows...

    pixfirewall(config)# 1040: ICMP echo-request from outside:172.29.11.1 to 172.29.11.254
    1041: ICMP echo-request from outside:172.29.11.1 to 172.29.11.254 ID=1280 seq=87
    1042: ICMP echo-request from outside:172.29.11.1 to 172.29.11.254 ID=1280 seq=89
    ICMP echo-request from outside:172.29.11.1 to 172.29.11.254 ...

    When I try to PING the address 172.29.11.253 (a router down in the
    LAN) the debug shows the echo reply attempts but I still don't see the
    replies on my VPN client...

    pixfirewall(config)# 1032: ICMP echo-request from outside:172.29.11.1 to 172.29.11.253
    1033: ICMP echo-reply from inside:172.29.11.253 to 172.29.11.1 ID=1280 seq=7424
    1034: ICMP echo-request from outside:172.29.11.1 to 172.29.11.253 ID=1280 seq=76
    1035: ICMP echo-reply from inside:172.29.11.253 to 172.29.11.1 ID=1280 seq=7680

    Maybe there is a problem with my access-list...

    access-list 102 permit ip 172.29.0.0 255.255.0.0 192.168.2.0 255.255.255.0
    access-list 102 permit ip 172.29.0.0 255.255.0.0 172.22.0.0 255.255.0.0
    access-list 102 permit ip 172.29.0.0 255.255.0.0 172.30.0.0 255.255.0.0
    access-list 102 permit ip 172.30.0.0 255.255.0.0 172.29.0.0 255.255.0.0
    access-list 102 permit ip 172.29.0.0 255.255.0.0 172.29.0.0 255.255.0.0
    access-list acl_in permit ip any any
    access-group acl_in in interface inside

    Thanks for your interest...
     
    Ned, Oct 9, 2007
    #3
  4. Frank Winkler

    mcaissie wrote:

    >You must assure that your traffic is part of your nat (0) access-list
    >
    >adding the following line should help
    >
    >access-list 102 permit ip 172.29.11.0 255.255.255.0 172.29.11.0
    >255.255.255.0


    I'm not sure if it's a good idea to assign addresses from the "inside"
    network to the VPN clients. IMO, they should get addresses in a sub-net
    that's not assigned to any PIX interface. But the "nat 0" ACL is an
    important point.

    Regards

    fw
     
    Frank Winkler, Oct 9, 2007
    #4
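    A worked check for the two points raised in this thread (mcaissie's in #2: client-pool
    traffic has to be covered by the nat 0 access-list, otherwise the inside host's reply is
    translated by "nat (inside) 1" and never goes back into the tunnel; Frank Winkler's in #4:
    the pool should not sit inside a subnet bound to a PIX interface). This is an added
    example, not code from any of the posters: a small Python lint over the pool, interface
    and nat 0 lines of the config posted in #1. The config sample below is copied from that
    post; the function names (`lint`, `parse_config`, `pool_nat_exempt`, ...) are my own. It
    only understands the `permit ip <net> <mask> <net> <mask>` ACL form and skips `any` /
    `host` entries.

```python
"""Lint a PIX 6.3 config for the two VPN-client problems discussed in this
thread: (1) a client address pool not covered by the nat 0 (NAT-exemption)
access-list, so inside->client replies get translated, and (2) a client
pool that overlaps a subnet bound to a PIX interface.
Added example; the sample config is a subset of the config posted in #1."""

import ipaddress
import re

# Constructed sample: the pool / interface / nat 0 lines from post #1.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 102 permit ip 172.29.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 172.29.0.0 255.255.0.0 172.22.0.0 255.255.0.0
access-list 102 permit ip 172.29.0.0 255.255.0.0 172.30.0.0 255.255.0.0
access-list 102 permit ip 172.30.0.0 255.255.0.0 172.29.0.0 255.255.0.0
ip address outside 77.92.238.226 255.255.255.248
ip address inside 172.29.11.254 255.255.0.0
ip local pool LAN1vpn 192.168.2.1-192.168.2.100
ip local pool mypool1 172.22.0.1-172.22.0.6
ip local pool mypool2 172.29.11.1-172.29.11.6
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# Only the "permit ip <net> <mask> <net> <mask>" form is parsed; the leading
# digit requirement skips "any" and "host" entries.
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\d\S+) (\S+) (\d\S+) (\S+)$")
IFADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def net(addr, mask):
    """PIX ACLs and 'ip address' use real netmasks, not wildcard masks.
    strict=False lets an interface address stand for its whole subnet."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return (acls, interface subnets, pools, nat0-by-interface)."""
    acls, ifaces, pools, nat0 = {}, {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((net(s, sm), net(d, dm)))
            continue
        m = IFADDR_RE.match(line)
        if m:
            ifname, addr, mask = m.groups()
            ifaces[ifname] = net(addr, mask)
            continue
        m = POOL_RE.match(line)
        if m:
            name, first, last = m.groups()
            pools[name] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
            continue
        m = NAT0_RE.match(line)
        if m:
            ifname, name = m.groups()
            nat0[ifname] = name
    return acls, ifaces, pools, nat0


def pool_blocks(pool):
    """Smallest set of CIDR blocks covering the pool's first..last range."""
    return list(ipaddress.summarize_address_range(*pool))


def pool_overlaps_interface(pool, ifaces):
    """Names of interfaces whose subnet contains any address of the pool."""
    blocks = pool_blocks(pool)
    return [n for n, subnet in ifaces.items() if any(b.overlaps(subnet) for b in blocks)]


def pool_nat_exempt(pool, inside, acl):
    """True if every pool address is the destination of some nat 0 entry
    whose source reaches into the inside subnet, i.e. inside->client
    replies bypass NAT. Coverage of the inside side may be partial."""
    for blk in pool_blocks(pool):
        if not any(src.overlaps(inside) and blk.subnet_of(dst) for src, dst in acl):
            return False
    return True


def lint(text, inside_if="inside"):
    """Per-pool report: interfaces it overlaps, and whether nat 0 covers it."""
    acls, ifaces, pools, nat0 = parse_config(text)
    inside = ifaces[inside_if]
    acl = acls.get(nat0.get(inside_if, ""), [])
    return {
        name: {
            "overlaps": pool_overlaps_interface(pool, ifaces),
            "nat_exempt": pool_nat_exempt(pool, inside, acl),
        }
        for name, pool in pools.items()
    }


if __name__ == "__main__":
    for name, r in lint(SAMPLE_CONFIG).items():
        print(f"{name}: nat_exempt={r['nat_exempt']} overlaps={r['overlaps'] or 'none'}")
```

    On the posted config this reports mypool2 (172.29.11.1-6) as both not NAT-exempt and
    overlapping the inside /16, while LAN1vpn and mypool1 are already exempt; that matches
    what Ned says in #5 (the 172.22.x.x pool was in the ACL from the start), so a missing
    nat 0 entry alone does not explain the 172.22 pool failing. Appending Ned's later
    "access-list 102 permit ip 172.29.0.0 255.255.0.0 172.29.0.0 255.255.0.0" makes mypool2
    exempt but leaves the overlap, which is Frank's point. The lint says nothing about the
    PIX's own inside address (172.29.11.254): in PIX 6.3 the inside interface only answers
    VPN clients when "management-access inside" is configured, so pinging a host behind the
    PIX, as Ned did with 172.29.11.253, is the better tunnel test.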
  5. Ned

    Ned Guest

    On 9 Oct, 13:25, Frank Winkler <> wrote:
    > mcaissie wrote:
    >
    > >You must make sure that your traffic is part of your nat (0) access-list.
    > >

    I have two different VPN pool address subnets. The first one gives
    addresses 172.22.x.x; this was included in my original access
    list... but it still didn't work. (I added another pool to use the
    same subnet as the inside after seeing it as an example on the Cisco
    website.)

    access-list 102 permit ip 172.29.0.0 255.255.0.0 172.22.0.0 255.255.0.0

    Do I also need the "reverse access list" permit 172.22.0.0 to
    172.29.0.0 ???
    Thanks

    > I'm not sure if it's a good idea to assign addresses from the "inside"
    > network to the VPN clients. IMO, they should get addresses in a sub-net
    > that's not assigned to any PIX interface. But the "nat 0" ACL is an
    > important point.
     
    Ned, Oct 9, 2007
    #5
