Pix 506E client VPN OK but can't ping lan network

Discussion in 'Cisco' started by pdgraaff, Jul 19, 2005.

  1. pdgraaff

    pdgraaff Guest

    Weird problem, can't figure out where it goes wrong.

    I can establish with the Cisco VPN client (4.6) a connection to the PIX
    506E.
    But I can't ping or access anything on the local network.

    Here is the config:
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password m8Eh4PhLD1OvIGAU encrypted
    passwd m8Eh4PhLD1OvIGAU encrypted
    hostname pix506
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_access_in permit icmp any any echo-reply
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit tcp any host 195.64.83.115 eq www
    access-list NONAT permit ip 192.168.100.0 255.255.255.0 192.168.201.0
    255.255.2
    5.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 195.64.83.115 255.255.255.248
    ip address inside 192.168.100.100 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPN 192.168.201.1-192.168.201.50
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 195.64.83.116
    nat (inside) 0 access-list NONAT
    nat (inside) 1 192.168.100.0 255.255.255.0 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 195.64.83.113 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.100.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set BOSTON esp-aes esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set BOSTON
    crypto map mymap 20 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp client configuration address-pool local VPN outside
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup BOSTON address-pool VPN
    vpngroup BOSTON dns-server 192.168.100.211
    vpngroup BOSTON idle-time 1800
    vpngroup BOSTON password ********
    telnet 192.168.100.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:a964d400b76313524aeca63d132f216c

    Any help would be great.

    Regards,

    Paul de Graaff
     
    pdgraaff, Jul 19, 2005
    #1
    1. Advertisements

  2. You can ping, but you are not getting the reply packets.
    Please note that the second line makes the first useless.
    You need at least something like this:

    access-list FromBOSTON permit ip 192.168.100.0 255.255.255.0 192.168.201.0 255.255.255.0
    vpngroup BOSTON split-tunnel FromBOSTON
     
    Jyri Korhonen, Jul 19, 2005
    #2
    1. Advertisements

  3. pdgraaff

    pdgraaff Guest

    Jyri,

    Thanks for your reply.
    I deleted access-list outside_access_in permit icmp any any
    And I add the 2 lines but I'm sorry to inform you, it didn't work out.

    Any other options?

    Regards,

    Paul
     
    pdgraaff, Jul 19, 2005
    #3
  4. pdgraaff

    rave Guest

    check out the routing behind your pix.
    look into the ipsec sa on the PIX whether you are getting any decaps or
    not with the vpn client connected.
    If you are getting decaps and no encaps it is definitely something to
    do with routing or nat. nat seems fine to me.
    check teh default gateway on the devices is the pix's inside.
     
    rave, Jul 19, 2005
    #4
  5. Hi Paul ,

    Are you able to ping PIX's inside interface after enabling
    "management-access inside" command .
    If yes , Then check default gateway on the PC you are trying to ping in
    your lan . Also remember , the VPN pool needs to be routed in your
    network to PIX .

    HTH
    S
     
    cisco9947 9947, Jul 20, 2005
    #5
  6. pdgraaff

    ctilma Guest

    Thanks guys for the help.
    The problem is solved. We forgot to add the route statement on the
    servers inside.
     
    ctilma, Jul 20, 2005
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.