PIX VPN connects, but no internal access

Discussion in 'Hardware' started by gobirds, Jun 22, 2008.

  1. gobirds
     Joined: Jun 22, 2008
     Messages: 1
    Hi,

    Been struggling with this for over a week now, using some of the forum posts and cisco docs to resolve - getting close...so any help is much appreciated :) Sorry for the long post - trying to give all the info needed in 1 shot...

    I'm using a PIX 501 to provide VPN access to my internal network. I've gotten the configuration to the point where I can connect to the VPN from the Internet, but once I do so I cannot RDP, map a drive, etc. to any servers. I can ping the outside interface of the PIX.

    The configuration is:

    Internet --> dlink dir-625 (forwarding to pix, inside ip is 10.1.1.1) --> pix (outside is 10.1.1.150, inside is 192.168.1.1)

    When I have a device plugged into the PIX directly it gets a 192.168.1.x address and can access everything on 10.1.1.x fine. I don't see anything that indicates errors in the PDM log or in the IPsec logging that I enabled - I used to get "no route from x to y" but I don't see them anymore with the current config - which is as follows:

    : Saved
    : Written by admin at 16:21:09.690 UTC Sun Jun 22 2008
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ** encrypted
    passwd ** encrypted
    hostname pix
    domain-name vpn1realm.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 102 permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    pager lines 24
    logging on
    icmp permit 192.168.2.0 255.255.255.0 outside
    icmp permit any outside
    icmp permit 192.168.2.0 255.255.255.0 inside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.2.1-192.168.2.254
    ip local pool ippool2 192.168.1.30-192.168.1.40 mask 255.255.255.0
    pdm location 10.1.1.0 255.255.255.0 outside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 192.168.2.0 255.255.255.0 10.1.1.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 10.1.1.0 255.255.255.0 outside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server outside 10.1.1.99 pix.conf
    floodguard enable
    sysopt connection permit-ipsec
    sysopt ipsec pl-compatible
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpn1 address-pool ippool
    vpngroup vpn1 dns-server 10.1.1.1
    vpngroup vpn1 default-domain vpn1realm.com
    vpngroup vpn1 split-tunnel 102
    vpngroup vpn1 idle-time 1800
    vpngroup vpn1 password **
    telnet timeout 5
    ssh 10.1.1.0 255.255.255.0 outside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username admin nopassword privilege 15
    terminal width 80
    Cryptochecksum:ed2bb590434f9a5dea8bbbfa54f9af
    : end

    show route on the pix gives the following:

    outside 0.0.0.0 0.0.0.0 10.1.1.1 1 DHCP static
    outside 10.1.1.0 255.255.255.0 10.1.1.150 1 CONNECT static
    inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
    outside 192.168.2.0 255.255.255.0 10.1.1.1 1 OTHER static

    Again, thanks so much for any ideas!!
    gobirds, Jun 22, 2008
    #1
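Added example (not the poster's configuration or any Cisco tooling): a small Python lint that reads the relevant lines of the config above together with the posted "show route" output and reports the things a reviewer would want checked before touching the crypto settings. SAMPLE_CONFIG and SAMPLE_ROUTES are trimmed copies of what the post shows; the check names, the message wording and the function names are this example's own. The consistency checks are: does the split-tunnel ACL actually name the client pool as its destination, is each protected network exempted from NAT toward that pool (nat 0), and is any protected network reached through the same interface the crypto map is bound to (PIX 6.3 has no intra-interface forwarding, so decrypted client traffic cannot be sent back out the interface it arrived on). It also flags the hardening items that are visible verbatim in the config: a default SNMP community, a privilege-15 user with no password, and MD5 integrity in the IPsec transform set and ISAKMP policy.

```python
"""Lint a PIX 6.3 remote-access VPN config for the mismatches that leave
clients connected but unable to reach anything.

Added example (not the poster's or Cisco's code).  SAMPLE_CONFIG and
SAMPLE_ROUTES are trimmed copies of the lines in the post above; the
check names and messages are this example's own.
"""
import ipaddress

SAMPLE_CONFIG = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool ippool 192.168.2.1-192.168.2.254
nat (inside) 0 access-list 101
snmp-server community public
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap interface outside
isakmp policy 10 hash md5
vpngroup vpn1 address-pool ippool
vpngroup vpn1 split-tunnel 102
username admin nopassword privilege 15
"""

# 'show route' output from the post: tells us which interface owns each network.
SAMPLE_ROUTES = """\
outside 0.0.0.0 0.0.0.0 10.1.1.1 1 DHCP static
outside 10.1.1.0 255.255.255.0 10.1.1.150 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
outside 192.168.2.0 255.255.255.0 10.1.1.1 1 OTHER static
"""


def net(addr, mask):
    """Build a network from PIX 'address netmask' notation."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    cfg = {"acl": {}, "pools": {}, "nat0": {}, "crypto_if": None,
           "groups": {}, "weak": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            cfg["acl"].setdefault(t[1], []).append((net(t[4], t[5]), net(t[6], t[7])))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]          # interface -> exempt ACL
        elif t[:2] == ["crypto", "map"] and "interface" in t:
            cfg["crypto_if"] = t[t.index("interface") + 1]
        elif t[0] == "vpngroup" and t[2] in ("address-pool", "split-tunnel"):
            cfg["groups"].setdefault(t[1], {})[t[2]] = t[3]
        elif t[:2] == ["snmp-server", "community"] and t[2] in ("public", "private"):
            cfg["weak"].append(f"SNMP community '{t[2]}' is a well-known default")
        elif t[0] == "username" and "nopassword" in t:
            cfg["weak"].append(f"user '{t[1]}' has no password (privilege {t[-1]})")
        elif "esp-md5-hmac" in t or t[-2:] == ["hash", "md5"]:
            cfg["weak"].append(f"MD5 integrity: {line.strip()}")
    return cfg


def parse_routes(text):
    """Return [(interface, network), ...] from 'show route' lines."""
    return [(t[0], net(t[1], t[2])) for t in map(str.split, text.splitlines()) if len(t) >= 4]


def egress_interface(routes, network):
    """Longest-prefix match for the first address of `network`."""
    best = None
    for iface, rnet in routes:
        if network.network_address in rnet and (best is None or rnet.prefixlen > best[1].prefixlen):
            best = (iface, rnet)
    return best[0] if best else None


def audit(cfg, routes):
    findings = list(cfg["weak"])
    exempt = cfg["acl"].get(cfg["nat0"].get("inside"), [])
    for name, g in cfg["groups"].items():
        lo, hi = cfg["pools"][g["address-pool"]]
        # In a PIX 6.3 split-tunnel ACL the source is the protected network and
        # the destination is the client pool.
        for src, dst in cfg["acl"].get(g["split-tunnel"], []):
            if not (lo in dst and hi in dst):
                findings.append(f"{name}: split-tunnel {src} -> {dst} does not cover pool {lo}-{hi}")
            iface = egress_interface(routes, src)
            if iface == cfg["crypto_if"]:
                findings.append(f"{name}: protected network {src} is reached via '{iface}', the "
                                "crypto-map interface; PIX 6.3 cannot hairpin decrypted traffic "
                                "back out the interface it arrived on")
            elif not any(src.subnet_of(s) and lo in d and hi in d for s, d in exempt):
                findings.append(f"{name}: no nat 0 exemption from {src} to pool {lo}-{hi}")
    return findings


def audit_text(config_text, routes_text):
    return audit(parse_config(config_text), parse_routes(routes_text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_CONFIG, SAMPLE_ROUTES):
        print("-", f)
```

Run against the posted lines, the lint reports the four hardening items plus one VPN finding: the only network in split-tunnel ACL 102 (10.1.1.0/24) is the outside interface's own connected network, so the check treats it as unreachable for decrypted client traffic on a 6.3 PIX. Swapping the split-tunnel ACL to 101 (the 192.168.1.0/24 network behind the inside interface, which is also the nat 0 exemption) clears the VPN finding, which is the kind of quick what-if the script is meant for.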