Cisco 525 VPN Problem

Discussion in 'Cisco' started by Steve Jarrell, Feb 25, 2004.

  1. We have had two network engineers try to figure this out, however they
    weren't familiar with Cisco VPNs and wasted a lot of time and
    accomplished nothing. The solution is probably very simple for someone
    who really understands what's going on (that group certainly doesn't
    include me). :)

    We have a Cisco 525 firewall that did have just an outside and inside
    network. We use the Cisco client to access the inside network. The VPN
    was working fine.

    We recently added a DMZ network. Now, we can connect to the VPN via
    the Cisco client (it appears as if the authentication takes place,
    however we can't access the inside network).

    Here's what I believe are the pertinent parts of the config. Any help
    would be greatly appreciated:

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    nameif ethernet3 intf3 security15
    name 192.168.5.0 DMZ
    name 192.168.4.0 Inside_Network

    access-list vpn permit ip Inside_Network 255.255.255.0 172.16.2.0 255.255.255.0

    ip address outside xxx.yyy.zzz.190 255.255.255.224
    ip address inside 192.168.4.1 255.255.255.0
    ip address DMZ 192.168.5.1 255.255.255.0
    ip address intf3 127.0.0.1 255.255.255.255
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip verify reverse-path interface DMZ

    ip local pool tech_vpn 172.16.2.1-172.16.2.254

    global (outside) 1 interface
    nat (inside) 0 access-list vpn
    nat (inside) 1 Inside_Any 0.0.0.0 0 0

    route outside Inside_Any Inside_Any xxx.yyy.zzz.161 1

    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (outside) host aaa.bb.ccc.205 xxxxxxxxx timeout 5
    aaa-server LOCAL protocol local

    sysopt connection permit-ipsec
    no sysopt route dnat

    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 10 set transform-set myset
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client configuration address initiate
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside


    Thanks,

    Steve Jarrell
     
    Steve Jarrell, Feb 25, 2004
    #1

    I should have been a little clearer about what the problem actually
    is.... we can connect to the VPN, however once we do, we can't access
    the inside network at all. Can't ping, connect to devices, etc.

    Thanks,

    Steve Jarrell
     
    Steve Jarrell, Feb 26, 2004
    #2

  3. Ivan Ostres (Guest):

    Can you provide us a PIX config?
     
    Ivan Ostres, Feb 26, 2004
    #3
  4. Sure - here it is from the original post...

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    nameif ethernet3 intf3 security15
    name 192.168.5.0 DMZ
    name 192.168.4.0 Inside_Network

    access-list vpn permit ip Inside_Network 255.255.255.0 172.16.2.0 255.255.255.0

    ip address outside xxx.yyy.zzz.190 255.255.255.224
    ip address inside 192.168.4.1 255.255.255.0
    ip address DMZ 192.168.5.1 255.255.255.0
    ip address intf3 127.0.0.1 255.255.255.255
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip verify reverse-path interface DMZ

    ip local pool tech_vpn 172.16.2.1-172.16.2.254

    global (outside) 1 interface
    nat (inside) 0 access-list vpn
    nat (inside) 1 Inside_Any 0.0.0.0 0 0

    route outside Inside_Any Inside_Any xxx.yyy.zzz.161 1

    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (outside) host aaa.bb.ccc.205 xxxxxxxxx timeout 5
    aaa-server LOCAL protocol local

    sysopt connection permit-ipsec
    no sysopt route dnat

    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 10 set transform-set myset
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client configuration address initiate
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside
     
    Steve Jarrell, Feb 27, 2004
    #4
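The NAT-exemption and crypto pieces of the fragment posted in #1 and reposted in #4 can be checked mechanically before anyone logs in to the box. The script below is an added example, not part of the thread and not a Cisco tool. It parses those lines and reports, for each interface behind the firewall, whether a `nat (<if>) 0 access-list` entry exempts traffic between that subnet and the tech_vpn pool from translation, and flags transform algorithms that are weak today. Two assumptions are made only so the text parses: the masked public octets (xxx.yyy.zzz) are replaced by the RFC 5737 documentation prefix 192.0.2.x, and the access-list line that wrapped in the post is rejoined. The `Inside_Any` alias is not defined in the post, so that line is kept verbatim and ignored.

```python
"""Static checks on a PIX 6.x style config for IPsec client access.

Added example, not code from the thread or from Cisco. It parses the
posted fragment and answers: which inside-side interfaces have a nat 0
exemption covering traffic to the VPN pool, and does the transform set
use algorithms that are weak today. It only inspects text.
"""
import ipaddress
import re

# Constructed sample: the lines from the post. xxx.yyy.zzz is replaced by
# the 192.0.2.0/24 documentation prefix and the wrapped access-list line is
# rejoined, purely so the text parses. "Inside_Any" was not defined in the
# post; the line is kept as posted and not interpreted here.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
nameif ethernet3 intf3 security15
name 192.168.5.0 DMZ
name 192.168.4.0 Inside_Network
access-list vpn permit ip Inside_Network 255.255.255.0 172.16.2.0 255.255.255.0
ip address outside 192.0.2.190 255.255.255.224
ip address inside 192.168.4.1 255.255.255.0
ip address DMZ 192.168.5.1 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip local pool tech_vpn 172.16.2.1-172.16.2.254
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 Inside_Any 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map outside_map interface outside
"""

# Transform algorithms that should not be used in new deployments.
WEAK_TRANSFORMS = {"esp-des": "56-bit DES", "esp-md5-hmac": "HMAC-MD5",
                   "ah-md5-hmac": "HMAC-MD5", "esp-null": "no encryption"}


def parse_pix_config(text):
    """Pull out the statements the checks need; other lines are ignored."""
    cfg = {"names": {}, "interfaces": {}, "addresses": {}, "acls": {},
           "nat0": {}, "pools": {}, "transform_sets": {}, "crypto_if": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"nameif \S+ (\S+) security(\d+)$", line):
            cfg["interfaces"][m[1]] = int(m[2])
        elif m := re.match(r"name (\S+) (\S+)$", line):
            cfg["names"][m[2]] = m[1]  # alias -> address
        elif m := re.match(r"access-list (\S+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append(m.groups()[1:])
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            cfg["addresses"][m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            cfg["nat0"].setdefault(m[1], []).append(m[2])
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m[1]] = m[2].split()
        elif m := re.match(r"crypto map \S+ interface (\S+)$", line):
            cfg["crypto_if"] = m[1]
    return cfg


def _network(cfg, host, mask):
    """Resolve a 'name' alias (if any) and build the network it denotes."""
    return ipaddress.ip_network(f"{cfg['names'].get(host, host)}/{mask}", strict=False)


def nat_exempt_interfaces(cfg, pool_name):
    """Map each interface behind the firewall to True if a nat 0 ACL on it
    exempts <its subnet> -> <VPN pool> from translation, else False."""
    start, end = cfg["pools"][pool_name]
    result = {}
    for ifname in cfg["interfaces"]:
        addr = cfg["addresses"].get(ifname)
        # PIX marks an unused interface with 127.0.0.1/32; skip it and the
        # interface the crypto map is bound to (the tunnels terminate there).
        if addr is None or addr.ip.is_loopback or ifname == cfg["crypto_if"]:
            continue
        covered = False
        for acl_name in cfg["nat0"].get(ifname, []):
            for action, src, smask, dst, dmask in cfg["acls"].get(acl_name, []):
                if action != "permit":
                    continue
                src_net, dst_net = _network(cfg, src, smask), _network(cfg, dst, dmask)
                if addr.network.subnet_of(src_net) and start in dst_net and end in dst_net:
                    covered = True
        result[ifname] = covered
    return result


def weak_transform_sets(cfg):
    """Return {set_name: [weak algorithms]} for every set that uses any."""
    flagged = {}
    for name, algs in cfg["transform_sets"].items():
        weak = [a for a in algs if a in WEAK_TRANSFORMS]
        if weak:
            flagged[name] = weak
    return flagged


if __name__ == "__main__":
    cfg = parse_pix_config(SAMPLE_CONFIG)
    for ifname, ok in nat_exempt_interfaces(cfg, "tech_vpn").items():
        print(f"{ifname}: {'exempt from NAT toward the pool' if ok else 'NO nat 0 exemption toward the pool'}")
    for name, algs in weak_transform_sets(cfg).items():
        print(f"transform-set {name}: " + ", ".join(f"{a} ({WEAK_TRANSFORMS[a]})" for a in algs))
```

On the posted lines the inside interface comes out as exempt and the DMZ as not, so the fragment by itself does not show why inside hosts are unreachable; it also omits the isakmp and vpngroup statements that hand out the pool and any split-tunnel list, which would be the next lines to pull from `show run`. Separately, esp-des and esp-md5-hmac are flagged because single DES and HMAC-MD5 should not be relied on; a transform set using AES and SHA HMAC is preferable where the PIX image and client support it.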