Can connect to PIX 501 with VPN client and ping internal addresses but some issues

Discussion in 'Cisco' started by mgferg, Oct 28, 2008.

    Scenario:
    Internet---x.x.x.x---ADSL--192.168.1.1<---->192.168.1.2--(e)-PIX-(i)--10.0.0.1 (10.0.0.0/24)

    I have to use the ADSL with NAT (and not bridge) as the provider does not support PPPoE, only PPPoA.
    I can connect with Cisco VPN client 4.0.3(C).
    I can ping/telnet to any address on the 10.0.0.0 network.
    What I can't do is map a drive to any of the other XP hosts on the 10.0.0.0 network.
    I also get the following occurring within the log: "No route to 10.1.2.255 from 10.1.2.1"

    Main parts of the config are posted below.

    Questions:
    1. Why the error "No route to 10.1.2.255 from 10.1.2.1" ?

    2. Although I can remote desktop, I tried to mount a network drive to another XP box which failed.

    Log shows:
    UDP request discarded from 10.1.2.1/62025 to inside:10.0.0.1/domain

    So is there something we need to do to get all 10.1.2.0 traffic to access anything on 10.0.0.0? (and vice versa)

    3. Are the following required in order to get to the 10.0.0.0 network once connected via VPN using pool 10.1.2.0/24 ?
    (tried lots to get things to work and not sure if this is required or not, but main functionality is finally working and posting this via vpn)

    access-list outside_crypto permit ip any 10.1.2.0 255.255.255.0
    crypto dynamic-map dynmap 10 match address outside_crypto

    4. Any glaring problems/things that should be changed/removed?

    5. Above is the main requirement. I also have an issue getting "no translation group found" when trying to connect via Putty to 10.0.0.35 (Dune) using an SSH tunnel on port 443.
    The ADSL modem has NAT/PAT set to forward to 10.0.0.35 (Dune): incoming 443, outgoing 443.

    tried various options and currently:
    access-list outside_access_in permit ip any host Dune
    static (inside,outside) tcp interface https Dune https netmask 255.255.255.255 0 0

    What do I need to do for this to work/remove the "no translation group found" issue?
    (I don't have immediate access now, so may post a separate query on this if there's no "simple" answer.)


    Thanks,
    Mark

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

    domain-name localdomain.com

    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 10.0.0.35 Dune

    access-list outside_access_in permit ip 10.1.2.0 255.255.255.0 interface inside log
    access-list outside_access_in permit ip any host Dune
    access-list outside_access_in permit tcp any interface outside eq https
    access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list outside_crypto permit ip any 10.1.2.0 255.255.255.0

    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.1.2 255.255.255.0
    ip address inside 10.0.0.1 255.255.255.0

    ip local pool ippool 10.1.2.1-10.1.2.254 mask 255.255.255.0

    pdm location Dune 255.255.255.255 inside
    pdm location 10.0.0.0 255.0.0.0 inside
    pdm location 192.168.1.0 255.255.255.0 outside
    pdm location 10.1.2.0 255.255.255.0 outside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface https Dune https netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    rip inside default version 2
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

    management-access inside
    telnet 10.1.2.0 255.255.255.0 inside
    http 10.1.2.0 255.255.255.0 inside
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 match address outside_crypto
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpn3000 address-pool ippool
    vpngroup vpn3000 dns-server 10.0.0.1
    vpngroup vpn3000 wins-server 10.0.0.1
    vpngroup vpn3000 default-domain localdomain.com
    vpngroup vpn3000 idle-time 1800
    vpngroup vpn3000 password ********
    telnet 10.0.0.0 255.0.0.0 inside
    telnet timeout 60
    ssh timeout 5
    console timeout 0
    dhcpd address 10.0.0.201-10.0.0.232 inside
    dhcpd dns 192.168.1.1
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
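Added example, not from the original post: a small Python model of the posted PIX 6.3 access lists (first-match evaluation of the `outside_access_in` and `101` entries, with `name` and `interface` operands resolved from the config) plus an audit helper that flags `permit ip any` entries, which expose every port of their target to any outside source. The config excerpt is constructed from the thread; it is a checker for reasoning about which entry a flow hits, not a full PIX parser.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt of the PIX 6.3 config posted in the thread (interface
# addresses from its "ip address" lines); it is not a full PIX parser.
CONFIG = """\
name 10.0.0.35 Dune
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
access-list outside_access_in permit ip 10.1.2.0 255.255.255.0 interface inside log
access-list outside_access_in permit ip any host Dune
access-list outside_access_in permit tcp any interface outside eq https
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.2.0 255.255.255.0
"""
PORTS = {"https": 443, "domain": 53}

def operand(tokens, names, ifaces):
    """Consume one source/destination operand; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] in ("host", "interface"):
        table = names if tokens[0] == "host" else ifaces
        return ipaddress.ip_network(table.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    net = ipaddress.ip_network((names.get(tokens[0], tokens[0]), tokens[1]), strict=False)
    return net, tokens[2:]

def parse(text):
    lines = [l.split() for l in text.splitlines() if l.strip()]
    names = {t[2]: t[1] for t in lines if t[0] == "name"}
    ifaces = {t[2]: t[3] for t in lines if t[:2] == ["ip", "address"]}
    acls = defaultdict(list)
    for t in (t for t in lines if t[0] == "access-list"):
        src, rest = operand(t[4:], names, ifaces)
        dst, rest = operand(rest, names, ifaces)
        port = int(PORTS.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
        acls[t[1]].append((t[2], t[3], src, dst, port))
    return acls

def lookup(acls, acl, proto, src, dst, dport=None):
    """First-match evaluation, as the PIX does it; returns the entry hit or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acls[acl]:
        action, p, sn, dn, port = entry
        if p in ("ip", proto) and s in sn and d in dn and port in (None, dport):
            return entry
    return None

def broad_entries(acls, acl):
    """Audit: 'permit ip any ...' entries, which expose every port of their target."""
    return [e for e in acls[acl] if e[:2] == ("permit", "ip") and e[2].prefixlen == 0]
```

Running `lookup(parse(CONFIG), "outside_access_in", "udp", "10.1.2.1", "10.0.0.1", 53)` shows the logged DNS flow is permitted by the first entry, so the discard is not an access-list decision; `broad_entries` reports the `any host Dune` entry as the one to tighten to the ports actually forwarded.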