VPN PLEASE HELP!

Discussion in 'Cisco' started by jtrooney@gmail.com, Aug 21, 2006.

  1. Guest

    Ok, need some help pretty quickly. Got a new PIX firewall and can't get
    the damn VPN working properly. I'm sure it's something dumb, but I can't
    figure it out. I am able to connect to the VPN and authenticate just
    fine, but am unable to communicate with any of the systems behind the
    PIX. In fact, after checking the logs, when I try and browse to any
    internal site or connect to any system behind it, I don't see anything in
    the logs, almost like the client side is messed up. Below is my config,
    and below that are the routes given to the client once they connect.
    Please help me!?!? =) Thanks in advance.

    : Saved
    PIX Version 7.0(4)
    !
    hostname pix0-bw
    domain-name nexdlevel.com
    enable password 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 63.x.x.200 255.255.255.0
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 172.16.1.1 255.255.255.0
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list 101 extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
    access-list 101 extended permit icmp 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
    access-list 102 standard permit 172.16.1.0 255.255.255.0
    access-list 102 standard permit 172.16.2.0 255.255.255.0
    access-list inbound extended permit ip any any
    access-list inbound extended permit tcp any any
    access-list inbound extended permit udp any any
    pager lines 24
    logging enable
    logging console alerts
    logging trap debugging
    logging facility 23
    logging host inside 172.16.1.3
    mtu outside 1500
    mtu inside 1500
    ip local pool bigpool 172.16.2.1-172.16.2.254
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 63.x.x.199 172.16.1.3 netmask 255.255.255.255
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 63.x.x.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy vpn3000-all internal
    group-policy vpn3000-all attributes
    wins-server value 172.16.1.3
    dns-server value 172.16.1.3
    vpn-idle-timeout 30
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value 102
    default-domain value iyd.com
    username jtrooney password 0Iv9/eZsaVXuicgH encrypted
    username jtrooney attributes
    vpn-group-policy vpn3000-all
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp identity address
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    tunnel-group DefaultRAGroup general-attributes
    address-pool (outside) bigpool
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group vpn3000-all type ipsec-ra
    tunnel-group vpn3000-all general-attributes
    address-pool bigpool
    default-group-policy vpn3000-all
    tunnel-group vpn3000-all ipsec-attributes
    pre-shared-key *
    telnet 0.0.0.0 0.0.0.0 outside
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 63.x.x.0 255.255.255.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    console timeout 0
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    Cryptochecksum:0730349c6a31ede02cace6e9306701b6
    : end



    Active Routes:
    Network Destination  Netmask          Gateway         Interface       Metric
    0.0.0.0              0.0.0.0          192.168.10.1    192.168.10.234  30
    63.85.86.200         255.255.255.255  192.168.10.1    192.168.10.234  1
    127.0.0.0            255.0.0.0        127.0.0.1       127.0.0.1       1
    172.16.0.0           255.255.0.0      172.16.2.1      172.16.2.1      10
    172.16.1.0           255.255.255.0    172.16.2.1      172.16.2.1      1
    172.16.2.0           255.255.255.0    172.16.2.1      172.16.2.1      1
    172.16.2.1           255.255.255.255  127.0.0.1       127.0.0.1       10
    172.16.255.255       255.255.255.255  172.16.2.1      172.16.2.1      10
    192.168.10.0         255.255.255.0    192.168.10.234  192.168.10.234  30
    192.168.10.234       255.255.255.255  127.0.0.1       127.0.0.1       30
    192.168.10.255       255.255.255.255  192.168.10.234  192.168.10.234  30
    224.0.0.0            240.0.0.0        172.16.2.1      172.16.2.1      10
    224.0.0.0            240.0.0.0        192.168.10.234  192.168.10.234  30
    255.255.255.255      255.255.255.255  172.16.2.1      172.16.2.1      1
    255.255.255.255      255.255.255.255  192.168.10.234  192.168.10.234  1
    Default Gateway: 192.168.10.1
    ===========================================================================
    Persistent Routes:
    None
    , Aug 21, 2006
    #1

  2. PacoPepe Guest

    Hi,

    I had a similar problem once and what worked for me was adding this:

    isakmp nat-traversal 20

    The nat-traversal is what was specifically added to take care of those
    issues and allow all the IPSEC to be handled properly via UDP behind
    NAT.

    Hope this helps,

    PP
    PacoPepe, Aug 21, 2006
    #2

  3. Guest

    Looks like I'm getting closer... after running the isakmp
    nat-traversal I can see the traffic getting to the PIX now. This is
    what I get now:

    Aug 21 21:44:57 172.16.1.1 %PIX-6-609001: Built local-host
    outside:172.16.2.1
    Aug 21 21:44:57 172.16.1.1 %PIX-3-305005: No translation group found
    for tcp src outside:172.16.2.1/4768 dst inside:172.16.1.3/22

    Any thoughts?

    BTW Thanks!!! =)

    PacoPepe wrote:
    > Hi,
    >
    > I had a similar problem once and what worked for me was adding this:
    >
    > isakmp nat-traversal 20
    >
    > The nat-traversal is what was specifically added to take care of those
    > issues and allow all the IPSEC to be handled properly via UDP behind
    > NAT.
    >
    > Hope this helps,
    >
    > PP
    , Aug 21, 2006
    #3
  4. asr Guest

    hello,

    Use static mappings for the local addresses for the address
    translation.

    wrote:
    > Looks like I'm getting closer... after running the isakmp
    > nat-traversal I can see the traffic getting to the PIX now. This is
    > what I get now:
    >
    > Aug 21 21:44:57 172.16.1.1 %PIX-6-609001: Built local-host
    > outside:172.16.2.1
    > Aug 21 21:44:57 172.16.1.1 %PIX-3-305005: No translation group found
    > for tcp src outside:172.16.2.1/4768 dst inside:172.16.1.3/22
    >
    > Any thoughts?
    >
    > BTW Thanks!!! =)
    >
    > PacoPepe wrote:
    > > Hi,
    > >
    > > I had a similar problem once and what worked for me was adding this:
    > >
    > > isakmp nat-traversal 20
    > >
    > > The nat-traversal is what was specifically added to take care of those
    > > issues and allow all the IPSEC to be handled properly via UDP behind
    > > NAT.
    > >
    > > Hope this helps,
    > >
    > > PP
    asr, Aug 21, 2006
    #4
  5. Chad Mahoney Guest

    wrote:
    > Looks like I'm getting closer... after running the isakmp
    > nat-traversal I can see the traffic getting to the PIX now. This is
    > what I get now:
    >
    > Aug 21 21:44:57 172.16.1.1 %PIX-6-609001: Built local-host
    > outside:172.16.2.1
    > Aug 21 21:44:57 172.16.1.1 %PIX-3-305005: No translation group found
    > for tcp src outside:172.16.2.1/4768 dst inside:172.16.1.3/22
    >
    > Any thoughts?
    >
    > BTW Thanks!!! =)
    >
    > PacoPepe wrote:
    > > Hi,
    > >
    > > I had a similar problem once and what worked for me was adding this:
    > >
    > > isakmp nat-traversal 20
    > >
    > > The nat-traversal is what was specifically added to take care of those
    > > issues and allow all the IPSEC to be handled properly via UDP behind
    > > NAT.
    > >
    > > Hope this helps,
    > >
    > > PP


    This is happening due to NAT issues. You must place a NAT statement:
    nat (inside) 0 access-list no-nat
    access-list no-nat permit ip x.x.x.x x.x.x.x any

    If using the PDM, go to the NAT section and click the button that says
    NAT exemptions, and enter the subnets for the local and remote sides of the
    tunnels.
    Chad Mahoney, Aug 21, 2006
    #5
  6. Brian V Guest

    "Chad Mahoney" <> wrote in message
    news:...
    >
    > wrote:
    >> Looks like I'm getting closer... after running the isakmp
    >> nat-traversal I can see the traffic getting to the PIX now. This is
    >> what I get now:
    >>
    >> Aug 21 21:44:57 172.16.1.1 %PIX-6-609001: Built local-host
    >> outside:172.16.2.1
    >> Aug 21 21:44:57 172.16.1.1 %PIX-3-305005: No translation group found
    >> for tcp src outside:172.16.2.1/4768 dst inside:172.16.1.3/22
    >>
    >> Any thoughts?
    >>
    >> BTW Thanks!!! =)
    >>
    >> PacoPepe wrote:
    >> > Hi,
    >> >
    >> > I had a similar problem once and what worked for me was adding this:
    >> >
    >> > isakmp nat-traversal 20
    >> >
    >> > The nat-traversal is what was specifically added to take care of those
    >> > issues and allow all the IPSEC to be handled properly via UDP behind
    >> > NAT.
    >> >
    >> > Hope this helps,
    >> >
    >> > PP

    >
    > This is happening due to NAT issues. You must place a NAT statement:
    > nat (inside) 0 access-list no-nat
    > access-list no-nat permit ip x.x.x.x x.x.x.x any
    >
    > If using the PDM goto the NAT section and click the button that states
    > NAT exemptions and enter the subnets for local and remote sides of the
    > tunnels.
    >


    Not quite; if you do that, all traffic will break. You got the right idea
    though: he does need to add a nonat statement.
    Couple of different ways to do it.

    access-list nonat permit ip <internal subnet> <vpn subnet>
    nat (inside) 0 access-list nonat

    or

    access-list nonat permit ip any <vpn subnet>
    nat (inside) 0 access-list nonat
    Brian V, Aug 21, 2006
    #6
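    The two answers above differ only in the destination of the nonat entry, and that is exactly what decides whether ordinary internet traffic keeps its PAT. The following Python model is an added example and not code from the thread or from Cisco: it parses the %PIX-3-305005 line from post #3, then evaluates the flow against each proposed ACL the way `nat (inside) 0 access-list` is evaluated (bidirectionally, with the inside host as the ACL source), alongside a constructed internet-bound flow to 198.51.100.10. The ACL contents are assumptions built from the thread's own subnets.

```python
"""
Added example, not part of the thread: model the PIX 'nat (inside) 0 access-list'
exemption and check the flow in the %PIX-3-305005 message against the ACLs the
thread proposes. The ACL contents and the internet host 198.51.100.10 are
constructed for illustration.
"""
import ipaddress
import re

# Constructed copy of the syslog line quoted in post #3.
LOG_LINE = ("Aug 21 21:44:57 172.16.1.1 %PIX-3-305005: No translation group found "
            "for tcp src outside:172.16.2.1/4768 dst inside:172.16.1.3/22")

LOG_RE = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)


def parse_305005(line):
    """Pull protocol, interfaces, addresses and ports out of a 305005 message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f


def pix_net(spec):
    """'172.16.1.0 255.255.255.0' or 'any' -> ipaddress network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_permits(acl, src, dst):
    """First-match evaluation of 'permit ip <src> <dst>' entries."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in pix_net(ss) and d in pix_net(ds) for ss, ds in acl)


def nat_action(nonat_acl, inside_host, remote_host):
    """
    Decide what 'nat (inside) 0 access-list <nonat>' plus 'nat (inside) 1 0 0'
    does to a flow between an inside host and a remote host. NAT exemption is
    evaluated with the inside host as the ACL source whichever side opened the
    connection, so a VPN-client-initiated flow is checked the same way.
    """
    if acl_permits(nonat_acl, inside_host, remote_host):
        return "exempt"   # identity xlate: inside address crosses the tunnel unchanged
    return "pat"          # translated to the outside interface address


def check_log_flow(nonat_acl, line):
    """Apply nat_action to the inside host named in a 305005 message."""
    f = parse_305005(line)
    if f is None:
        return None
    inside_host = f["dip"] if f["dif"] == "inside" else f["sip"]
    remote_host = f["sip"] if f["dif"] == "inside" else f["dip"]
    return nat_action(nonat_acl, inside_host, remote_host)


# Brian V's first form: exempt only inside <-> VPN pool (assumed subnets from the thread).
NONAT_SPECIFIC = [("172.16.1.0 255.255.255.0", "172.16.2.0 255.255.255.0")]
# Chad's form with a wildcard destination: exempts inside -> anywhere.
NONAT_ANY = [("172.16.1.0 255.255.255.0", "any")]

if __name__ == "__main__":
    print(parse_305005(LOG_LINE))
    for name, acl in (("specific", NONAT_SPECIFIC), ("any", NONAT_ANY)):
        print(name, "| vpn client:", check_log_flow(acl, LOG_LINE),
              "| internet host:", nat_action(acl, "172.16.1.3", "198.51.100.10"))
```

    Both ACLs exempt the 172.16.1.3 to 172.16.2.1 flow from the log, so either clears the 305005 error. The difference shows on the internet-bound flow: the specific ACL leaves it as "pat", while the `any` form returns "exempt", meaning inside hosts would leave the outside interface with their private addresses, which is the "all traffic will break" that post #6 describes.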
