PIX VPN can't access internal network

Discussion in 'Cisco' started by Bjarne, Aug 4, 2006.

  1. Bjarne

    Bjarne Guest

    Hi

    I have a bit of a problem that I hope someone will help me with.

    I can connect with the VPN client through my second ISP line at work, but
    not from home.

    When I connect I can't access the internal network (no ping etc.).

    This is my config

    : Saved
    : Written by enable_15 at 22:44:36.762 UTC Fri Aug 4 2006
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    enable password *************** encrypted
    passwd *************** encrypted
    hostname pixfirewall
    domain-name inet.local
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 10.0.31.6 INET06
    name 10.0.16.1 DLOG-ITDR01
    name 10.0.16.2 DLOG-ITDR02
    access-list outside_access_in permit tcp any any eq www
    access-list outside_access_in permit tcp any any eq 3389
    access-list outside_access_in permit tcp any any eq 3397
    access-list outside_access_in permit ip 10.0.25.0 255.255.255.0 any
    access-list inside_outbound_nat0_acl permit ip any 10.0.25.0 255.255.255.0
    access-list outside_cryptomap_dyn_40 permit ip any 10.0.25.0 255.255.255.0
    pager lines 24
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside 192.168.1.2 255.255.255.0
    ip address inside 10.0.31.200 255.255.240.0
    no ip address intf2
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool-1 10.0.25.1-10.0.25.10
    pdm location DLOG-ITDR01 255.255.255.255 inside
    pdm location INET06 255.255.255.255 inside
    pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
    pdm location 10.0.25.0 255.255.255.0 outside
    pdm location DLOG-ITDR02 255.255.255.255 inside
    pdm location DLOG-ITDR02 255.255.255.255 outside
    pdm location 10.0.0.0 255.255.0.0 outside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 10.0.16.0 255.255.240.0 0 0
    static (inside,outside) tcp interface www INET06 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3389 DLOG-ITDR01 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3397 DLOG-ITDR02 3397 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    rip inside default version 1
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http xxx.xxx.xxx.xxx 255.255.255.255 outside
    http DLOG-ITDR01 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp keepalive 20 30
    isakmp nat-traversal 10
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup Medarbejder-VPN address-pool ippool-1
    vpngroup Medarbejder-VPN dns-server 10.0.31.1
    vpngroup Medarbejder-VPN default-domain inet.local
    vpngroup Medarbejder-VPN idle-time 1800
    vpngroup Medarbejder-VPN password ***************
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:***************
    : end

    Thanks

    Bjarne
    Bjarne, Aug 4, 2006
    #1

  2. "Bjarne" <> wrote in message
    news:...

    >
    > When I connect I can't access the internal network (no ping etc.).

    No-NAT problems, since you already have ISAKMP NAT-T.

    > access-list inside_outbound_nat0_acl permit ip any 10.0.25.0
    > 255.255.255.0
    > access-list outside_cryptomap_dyn_40 permit ip any 10.0.25.0
    > 255.255.255.0


    you need to reverse these two ACLs (above)
    HTH
    Martin


    > ip address inside 10.0.31.200 255.255.240.0


    > ip local pool ippool-1 10.0.25.1-10.0.25.10


    > nat (inside) 0 access-list inside_outbound_nat0_acl
    Martin Bilgrav, Aug 4, 2006
    #2

  3. "Martin Bilgrav" <> wrote in message
    news:DMPAg.11215$2net.dk...
    >
    > "Bjarne" <> wrote in message
    > news:...
    >
    >>
    >> When I connect I can't access the internal network (no ping etc.).

    > No-NAT problems, since you already have ISAKMP NAT-T.
    >
    >> access-list inside_outbound_nat0_acl permit ip any 10.0.25.0
    >> 255.255.255.0
    >> access-list outside_cryptomap_dyn_40 permit ip any 10.0.25.0
    >> 255.255.255.0

    >
    > you need to reverse these two ACLs (above)
    > HTH
    > Martin
    >
    >
    >> ip address inside 10.0.31.200 255.255.240.0

    >
    >> ip local pool ippool-1 10.0.25.1-10.0.25.10

    >
    >> nat (inside) 0 access-list inside_outbound_nat0_acl

    >
    >
    >
    >
    Martin Bilgrav, Aug 4, 2006
    #3
  4. "Martin Bilgrav" <> wrote in message
    news:DMPAg.11215$2net.dk...

    > you need to reverse these two ACLs (above)
    > HTH
    > Martin
    >
    >
    >> ip address inside 10.0.31.200 255.255.240.0

    >
    >> ip local pool ippool-1 10.0.25.1-10.0.25.10


    Sorry about that - what I just wrote is not correct ... I mistakenly
    looked at the wrong lines...
    Your ACL and config look just fine ...


    You do not have the "sysopt connection permit-ipsec" command.
    Also:
    You are using RIP - verify that the pool you have used is routed the right
    way.
    Verify that your VPN client is set for UDP encapsulation of IPsec (Transparent
    Tunneling), and that when connected you use UDP/4500 on the Status tab.

    getting late....

    HTH
    Martin
    Martin Bilgrav, Aug 4, 2006
    #4
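    As an added illustration (this is not code from the thread or from either poster), the checks Martin lists can be turned into a small linter for a saved PIX 6.3 config: is `sysopt connection permit-ipsec` present, do the nat 0 and crypto ACLs actually cover the VPN pool, is NAT-T enabled, does the pool overlap the inside interface's subnet (an inside host will ARP for an on-link address rather than route it, so the PIX has to answer for the pool), and is the SNMP community still `public` as in the posted config. The embedded config is a constructed excerpt modelled on the one posted above; the finding codes and their wording are my own.

```python
"""Static checks for a PIX 6.3 remote-access VPN configuration (added example).

Reads a saved config and reports the conditions discussed in the thread.
"""
import ipaddress
import re

# Constructed excerpt modelled on the config posted in the thread.
SAMPLE_CONFIG = """\
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit ip 10.0.25.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip any 10.0.25.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 10.0.25.0 255.255.255.0
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.0.31.200 255.255.240.0
ip local pool ippool-1 10.0.25.1-10.0.25.10
nat (inside) 0 access-list inside_outbound_nat0_acl
snmp-server community public
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 10
"""


def config_lines(text):
    """Config lines with blanks and ': ...' comment lines removed."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith(":")]


def first_match(lines, pattern):
    """First line matching the regex, as a match object (or None)."""
    for ln in lines:
        m = re.match(pattern, ln)
        if m:
            return m
    return None


def vpn_pool(lines):
    """(name, network) of the first 'ip local pool'. The address range is
    widened to the smallest prefix that contains both ends."""
    m = first_match(lines, r"ip local pool (\S+) (\S+)-(\S+)$")
    if not m:
        return None
    name, first, last = m.groups()
    net = ipaddress.ip_network(f"{first}/32")
    while ipaddress.ip_address(last) not in net:
        net = net.supernet()
    return name, net


def take_addr(toks):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(f"{toks[1]}/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def acl_destinations(lines, name):
    """Destination networks of the 'permit ip' entries of the named ACL."""
    dests = []
    for ln in lines:
        m = re.match(rf"access-list {re.escape(name)} permit ip (.+)$", ln)
        if m:
            _src, rest = take_addr(m.group(1).split())
            dst, _ = take_addr(rest)
            dests.append(dst)
    return dests


def check_config(text):
    """Return a list of (code, message) findings for the config text."""
    lines = config_lines(text)
    findings = []
    pool = vpn_pool(lines)
    if pool is None:
        return [("NO_POOL", "no 'ip local pool' defined; nothing to check")]
    pool_name, pool_net = pool
    covers = lambda acl: any(pool_net.subnet_of(d) for d in acl_destinations(lines, acl))

    if first_match(lines, r"sysopt connection permit-ipsec$") is None:
        findings.append(("NO_SYSOPT",
                         "no 'sysopt connection permit-ipsec': decrypted VPN traffic "
                         "must be permitted by the outside interface ACL instead"))
    nat0 = first_match(lines, r"nat \(inside\) 0 access-list (\S+)$")
    if nat0 is None or not covers(nat0.group(1)):
        findings.append(("NAT0_MISS",
                         f"nat 0 ACL does not exempt traffic to pool {pool_name} ({pool_net})"))
    dyn = first_match(lines, r"crypto dynamic-map \S+ \d+ match address (\S+)$")
    if dyn is None or not covers(dyn.group(1)):
        findings.append(("CRYPTO_ACL_MISS",
                         f"dynamic crypto map ACL does not cover pool {pool_net}"))
    if first_match(lines, r"isakmp nat-traversal") is None:
        findings.append(("NO_NAT_T", "no 'isakmp nat-traversal': clients behind NAT "
                                     "(e.g. a home router) will fail"))
    inside = first_match(lines, r"ip address inside (\S+) (\S+)$")
    if inside:
        inside_net = ipaddress.ip_network("/".join(inside.groups()), strict=False)
        if pool_net.overlaps(inside_net):
            findings.append(("POOL_IN_INSIDE_SUBNET",
                             f"pool {pool_net} lies inside the inside subnet {inside_net}: "
                             "inside hosts will ARP for pool addresses, so verify the PIX "
                             "answers for them or pick a pool outside the LAN and route it"))
    snmp = first_match(lines, r"snmp-server community (\S+)$")
    if snmp and snmp.group(1).lower() in ("public", "private"):
        findings.append(("SNMP_DEFAULT_COMMUNITY",
                         "SNMP community is a well-known default; change or remove it"))
    return findings


if __name__ == "__main__":
    for code, msg in check_config(SAMPLE_CONFIG):
        print(f"{code}: {msg}")
```

    Running it on the constructed excerpt reports the missing `sysopt` line, the pool overlapping the inside /20, and the default SNMP community, while the nat 0 and crypto ACL checks pass, which matches Martin's second reading of the config. Appending `sysopt connection permit-ipsec` clears the first finding; pointing the nat 0 ACL at a different destination network makes `NAT0_MISS` appear.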
  5. Bjarne

    Bjarne Guest

    Thanks a lot.

    It seems to work :)


    Martin Bilgrav wrote:
    > "Martin Bilgrav" <> wrote in message
    > news:DMPAg.11215$2net.dk...
    >
    > > you need to reverse these two ACLs (above)
    > > HTH
    > > Martin
    > >
    > >
    > >> ip address inside 10.0.31.200 255.255.240.0

    > >
    > >> ip local pool ippool-1 10.0.25.1-10.0.25.10

    >
    > Sorry about that - what I just wrote is not correct ... I mistakenly
    > looked at the wrong lines...
    > Your ACL and config look just fine ...
    >
    >
    > You do not have the "sysopt connection permit-ipsec" command.
    > Also:
    > You are using RIP - verify that the pool you have used is routed the right
    > way.
    > Verify that your VPN client is set for UDP encapsulation of IPsec (Transparent
    > Tunneling), and that when connected you use UDP/4500 on the Status tab.
    >
    > getting late....
    >
    > HTH
    > Martin
    Bjarne, Aug 5, 2006
    #5