Cisco 515 VPN Traffic can not ping internal hosts

I am trying to get clients runnign Cisco VPN software to connect to my
internal network. currently the clients can connect and authenticate ok

but can't see anything on the inside network.

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Gn7cdoayw6QM/xoG encrypted
passwd Gn7cdoayw6QM/xoG encrypted
hostname PIX515e
domain-name rockeagle
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 168.24.225.12 Relabserver
name 168.24.225.19 Steve
name 168.24.225.21 Tina
name 168.24.225.20 Tandberg
name 168.24.224.0 Rockeagle
name 168.24.225.11 Userfiles
name 168.24.225.18 Cory
access-list outside_access_in remark FTP access to Userfiles
access-list outside_access_in permit tcp any host Userfiles eq ftp
access-list outside_access_in remark Full TCP access to Tandberg
access-list outside_access_in permit tcp any host Tandberg
access-list outside_access_in remark Full TCP access to Tandberg for
h323
access-list outside_access_in permit tcp any host Tandberg eq h323
access-list outside_access_in remark Full UDP access to Tandberg
access-list outside_access_in remark
access-list outside_access_in permit udp any host Tandberg
access-list outside_access_in remark Full http access to Userfiles
access-list outside_access_in permit tcp any host Userfiles eq www
access-list outside_access_in remark Full ftp access to Relabserver
access-list outside_access_in permit tcp any host Relabserver eq ftp
access-list outside_access_in remark WWW access to Relabserver
access-list outside_access_in remark
access-list outside_access_in permit tcp any host Relabserver eq www
access-list outside_access_in remark Allow tcp traffic to Tandberg for
range 5555 to 5599
access-list outside_access_in remark
access-list outside_access_in permit tcp any host Tandberg range 5555
5599
access-list outside_access_in remark Allow tcp traffic to Tandberg for
range 3230 to 3235
access-list outside_access_in remark
access-list outside_access_in permit tcp any host Tandberg range 3230
3235
access-list outside_access_in remark Allow udp traffic to Tandberg for
range 2325 to 2387
access-list outside_access_in remark
access-list outside_access_in permit udp any host Tandberg range 2325
2387
access-list outside_access_in remark Allow udp traffic to Tandberg for
range 3220 to 3247
access-list outside_access_in remark
access-list outside_access_in permit udp any host Tandberg range 3220
3247
access-list outside_access_in remark FTP access to Tina
access-list outside_access_in permit tcp any host Tina eq ftp
access-list outside_access_in remark PPTP for VPN to RELABSERVER
access-list outside_access_in permit tcp any host Relabserver eq pptp
access-list outside_access_in remark GRE for VPN on RELABSERVER
access-list outside_access_in permit tcp any host Relabserver eq 47
access-list outside_access_in remark PCAnywhere access to Userfiles
access-list outside_access_in permit tcp any host Userfiles eq
pcanywhere-data
access-list outside_access_in permit esp any any
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp any eq pptp host Relabserver
access-list inside_outbound_nat0_acl permit ip any 168.24.224.240
255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 168.24.224.240
255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 168.24.192.141 255.255.255.248
ip address inside 168.24.224.1 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN Cory
ip local pool Steve Steve
ip local pool VPNAdd 168.24.224.245-168.24.224.249
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 168.24.192.142
failover ip address inside 168.24.224.2
pdm location Rockeagle 255.255.254.0 inside
pdm location Userfiles 255.255.255.255 inside
pdm location Relabserver 255.255.255.255 inside
pdm location Cory 255.255.255.255 inside
pdm location Steve 255.255.255.255 inside
pdm location Tina 255.255.255.255 inside
pdm location 168.24.225.0 255.255.255.0 inside
pdm location Tandberg 255.255.255.255 inside
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 72.152.146.187 255.255.255.255 outside
pdm location 128.192.83.0 255.255.255.0 outside
pdm location 168.24.224.240 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,outside) Relabserver Relabserver netmask 255.255.255.255
0 0
static (inside,outside) Rockeagle Rockeagle netmask 255.255.254.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 168.24.192.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 132.163.4.101 source outside
http server enable
http 72.152.146.187 255.255.255.255 outside
http 128.192.83.0 255.255.255.0 outside
http Rockeagle 255.255.254.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community rockeagle
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 match address
outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup state address-pool VPNAdd
vpngroup state dns-server Userfiles 128.192.110.221
vpngroup state wins-server Userfiles 128.192.1.31
vpngroup state default-domain rockeagle
vpngroup state idle-time 1800
vpngroup state password ********
telnet 72.152.146.186 255.255.255.255 outside
telnet Rockeagle 255.255.254.0 inside
telnet timeout 5
ssh 72.152.146.186 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
vpdn username a password *********
vpdn username b password *********
vpdn enable outside
dhcprelay server Userfiles inside
dhcprelay enable outside
terminal width 80
Cryptochecksum:1e38b95a71ebb4117009e37fdb1495e8
: end

 

You should upgrade, there are known security problems in 6.3(1),
6.3(3), and 6.3(5). You can get a free upgrade at least as far as
6.3(4) even if you do not have a support contract.

For the purpose of debugging this problem, we can ignore that ACL
since you have sysopt connection permit-ipsec in effect.

Okay, those are appropriate for the case where the VPN clients will
have IPs in the range 168.24.224.240 -> .255

And there we hit the problem. In order for your nat0 and dyn_20 to work,
your VPN clients have to have IPs in the 168.24.224 range, but that's
the same range you have for your inside IPs. That isn't going to work:
when the outgoing packets for those clients hit the inside interface,
the PIX would see that they are destined to part of the inside interface
IP range and would drop the packets.

You do not use those two pools.

You do not have pptp or l2tp defined so you might as get rid of the
latter two of those.

It is unusual these days to use 3DES with MD5: there are known
collision attacks on MD5 that reduce its theoretical security.

As per above, 3DES + MD5 is unusual these days. If you are at 6.3(1)
and you can use 3DES, your license also allows you to use AES
(note: use group 5 for AES). You could put AES-128/SHA and 3DES/SHA
as higher priority (lower policy numbers) than your 3DES/MD5, and
thereby get the increased security for systems that support it while
not affecting connections to any devices that don't support those two.

As discussed above, your VPN address pool must not be part of the
same IP range as your inside interface. Use one of the private IP ranges.

You designate an external dns server, but your default domain is
"rockeagle" instead of a qualified domain name. Will the external dns
server know how to resolve "rockeagle" as a top-level domain?

That can complicate matters: in order to use a management-access
properly, you need a distinct tunnel with a different transport-mode .
I don't know if the VPN client is able to negotiate those tunnels
automatically.

 

Thanks for the info. I don't know very much about pix firewalls and
don't have a budget to hire a Cisco expert. What commands would you
suggest to fix my problems.

 

Thanks for the info. I don't know very much about pix firewalls and
don't have a budget to hire a Cisco expert. What commands would you
suggest to fix my problems.