PIX515E Ipsec vpn can't access local hosts

Discussion in 'Cisco' started by Tony2Time, Jun 23, 2011.

    Having trouble with this config. Any input is appreciated.

    PIX Version 7.2(3)
    !
    hostname xxxxxxxx
    domain-name xxxxxxxxx
    enable password 3D9gM0PSZtiJ7yf3 encrypted
    names
    name 10.10.0.253 xxxxxxxxdc
    dns-guard
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address xxxxxxxx.81 255.255.255.248
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.10.0.254 255.255.255.0
    !
    interface Ethernet2
    shutdown
    nameif intf2
    security-level 4
    no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    boot system flash:/pix723.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name xxxxxxxx.local
    access-list outside_cryptomap_10 extended permit ip 10.10.0.0 255.255.255.0 10.10.7.0 255.255.255.0
    access-list nonat extended permit ip 10.10.0.0 255.255.255.0 10.10.7.0 255.255.255.0 inactive
    access-list nonat extended permit ip 10.10.0.0 255.255.255.0 10.10.1.0 255.255.255.0 inactive
    access-list nonat extended permit ip 10.10.0.0 255.255.255.0 10.4.0.0 255.255.255.0 inactive
    access-list nonat extended permit ip 10.10.0.0 255.255.255.0 10.10.2.0 255.255.255.0 inactive
    access-list nonat extended permit ip 10.10.0.0 255.255.255.0 10.0.0.0 255.255.255.0 inactive
    access-list nonat extended permit ip 10.10.0.0 255.255.255.0 10.2.0.0 255.255.255.0 inactive
    access-list nonat extended permit ip 10.10.0.0 255.255.255.0 10.1.0.0 255.255.255.0 inactive
    access-list nonat extended permit ip 10.10.0.0 255.255.255.0 172.16.3.0 255.255.255.240 inactive
    access-list outside_cryptomap_20 extended permit ip 10.10.0.0 255.255.255.0 10.10.1.0 255.255.255.0
    access-list outside_cryptomap_30 extended permit ip 10.10.0.0 255.255.255.0 10.4.0.0 255.255.255.0
    access-list outside_cryptomap_11 extended permit ip 10.10.0.0 255.255.255.0 10.10.2.0 255.255.255.0
    access-list outside_cryptomap_1 extended permit ip 10.10.0.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in remark RDC to xxxxxxx
    access-list outside_access_in extended permit tcp any host xxxxxxxx.83 eq 3389
    access-list outside_access_in remark RDC access to xxxxxxxxx
    access-list outside_access_in extended permit tcp any host xxxxxxxx.83 eq https
    access-list outside_access_in remark VNC access to xxxxxxxxxx
    access-list outside_access_in extended permit tcp any host xxxxxxxx.195 eq 5900 inactive
    access-list outside_access_in remark voip to local xxxxxxxx
    access-list outside_access_in extended permit tcp any host xxxxxxxx.195 range 1718 h323 inactive
    access-list outside_access_in remark voip to local xxxxxxxx
    access-list outside_access_in extended permit udp any host xxxxxxxx.195 range 1718 1719 inactive
    access-list outside_access_in remark voip to local xxxxxxxx
    access-list outside_access_in extended permit tcp any host xxxxxxxx.195 eq 10015 inactive
    access-list outside_access_in remark voip to local xxxxxxxx
    access-list outside_access_in extended permit tcp any host xxxxxxxx.195 range 10025 10028 inactive
    access-list outside_access_in remark voip to local xxxxxxxx
    access-list outside_access_in extended permit tcp any host xxxxxxxx.195 eq 10032 inactive
    access-list outside_access_in remark voip to local xxxxxxxx
    access-list outside_access_in extended permit tcp any host xxxxxxxx.195 range 30040 30042 inactive
    access-list outside_access_in remark voip to local xxxxxxxx
    access-list outside_access_in extended permit tcp any host xxxxxxxx.195 range 49152 49275 inactive
    access-list outside_access_in remark voip to local xxxxxxxx
    access-list outside_access_in extended permit udp any host xxxxxxxx.195 range 30000 30002 inactive
    access-list outside_access_in remark voip to local xxxxxxxx
    access-list outside_access_in extended permit udp any host xxxxxxxx.195 range 49152 49275 inactive
    access-list outside_access_in extended permit tcp any host xxxxxxxx.196 eq www
    access-list outside_access_in extended permit tcp any host xxxxxxxx.82 eq 3389 inactive
    access-list outside_access_in remark xxxxxxxx HTTP
    access-list outside_access_in extended permit tcp any host xxxxxxxx.82 eq www
    access-list outside_access_in remark xxxxxxxx HTTPS
    access-list outside_access_in extended permit tcp any host xxxxxxxx.82 eq https
    access-list outside_cryptomap_2 extended deny ip host 10.10.0.251 host 10.4.0.252
    access-list outside_cryptomap_50 extended permit ip 10.10.0.0 255.255.255.0 10.2.0.0 255.255.255.0
    access-list outside_cryptomap_3 extended deny ip host 10.10.0.251 host 10.2.0.251
    access-list outside_cryptomap_4 extended deny ip host 10.10.0.251 host 10.0.0.247
    access-list outside_cryptomap_12 extended permit ip 10.10.0.0 255.255.255.0 10.1.0.0 255.255.255.0
    access-list outside_cryptomap_dyn_20 extended permit ip 172.16.3.0 255.255.255.0 10.10.0.0 255.255.255.0
    access-list 101 extended permit ip 172.16.3.0 255.255.255.240 any
    access-list RAPool1_splitTunnelAcl extended permit ip 172.16.3.0 255.255.255.240 any
    access-list NO_NAT extended permit ip 172.16.3.0 255.255.255.240 10.10.0.0 255.255.255.0
    access-list NO_NAT extended permit ip 10.10.0.0 255.255.255.0 10.10.7.0 255.255.255.0
    access-list NO_NAT extended permit ip 10.10.0.0 255.255.255.0 10.10.1.0 255.255.255.0
    access-list NO_NAT extended permit ip 10.10.0.0 255.255.255.0 10.4.0.0 255.255.255.0
    access-list NO_NAT extended permit ip 10.10.0.0 255.255.255.0 10.1.0.0 255.255.255.0
    access-list NO_NAT extended permit ip 10.10.0.0 255.255.255.0 10.10.2.0 255.255.255.0
    access-list NO_NAT extended permit ip 10.10.0.0 255.255.255.0 10.2.0.0 255.255.255.0
    access-list NO_NAT extended permit ip 10.10.0.0 255.255.255.0 10.0.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip local pool IPSEC 172.16.3.1-172.16.3.10
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm image flash:/asdm-523.bin
    asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 10 interface
    nat (inside) 0 access-list NO_NAT
    nat (inside) 10 0.0.0.0 0.0.0.0
    static (inside,outside) tcp xxxxxxxx.84 3391 10.10.0.91 3391 netmask 255.255.255.255
    static (inside,outside) tcp xxxxxxxx.84 3390 10.10.0.90 3390 netmask 255.255.255.255
    static (inside,outside) xxxxxxxx.82 10.10.0.11 netmask 255.255.255.255
    static (inside,outside) xxxxxxxx.83 10.10.0.2 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxxxxxxx.86 1
    timeout xlate 0:30:00
    timeout conn 0:10:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community xxxxxxxx
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set aes256set esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map xxxxxxxx-map 1 match address outside_cryptomap_2
    crypto map xxxxxxxx-map 1 set peer xxxxxxxx.146
    crypto map xxxxxxxx-map 1 set transform-set aes256set
    crypto map xxxxxxxx-map 2 match address outside_cryptomap_3
    crypto map xxxxxxxx-map 2 set peer xxxxxxxx.161
    crypto map xxxxxxxx-map 2 set transform-set aes256set
    crypto map xxxxxxxx-map 3 match address outside_cryptomap_4
    crypto map xxxxxxxx-map 3 set peer xxxxxxxx.129
    crypto map xxxxxxxx-map 3 set transform-set aes256set
    crypto map xxxxxxxx-map 10 match address outside_cryptomap_10
    crypto map xxxxxxxx-map 10 set peer xxxxxxxx.98
    crypto map xxxxxxxx-map 10 set transform-set ESP-3DES-MD5
    crypto map xxxxxxxx-map 11 match address outside_cryptomap_11
    crypto map xxxxxxxx-map 11 set peer xxxxxxxx.186
    crypto map xxxxxxxx-map 11 set transform-set ESP-3DES-MD5
    crypto map xxxxxxxx-map 12 match address outside_cryptomap_12
    crypto map xxxxxxxx-map 12 set peer xxxxxxxx.98
    crypto map xxxxxxxx-map 12 set transform-set ESP-3DES-MD5
    crypto map xxxxxxxx-map 20 match address outside_cryptomap_20
    crypto map xxxxxxxx-map 20 set peer xxxxxxxx.34
    crypto map xxxxxxxx-map 20 set transform-set ESP-AES-256-SHA
    crypto map xxxxxxxx-map 30 match address outside_cryptomap_30
    crypto map xxxxxxxx-map 30 set peer xxxxxxxx.146
    crypto map xxxxxxxx-map 30 set transform-set ESP-AES-256-SHA
    crypto map xxxxxxxx-map 40 match address outside_cryptomap_1
    crypto map xxxxxxxx-map 40 set peer xxxxxxxx.129
    crypto map xxxxxxxx-map 40 set transform-set ESP-AES-256-SHA
    crypto map xxxxxxxx-map 50 match address outside_cryptomap_50
    crypto map xxxxxxxx-map 50 set peer xxxxxxxx.161
    crypto map xxxxxxxx-map 50 set transform-set ESP-AES-256-SHA
    crypto map xxxxxxxx-map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map xxxxxxxx-map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 40
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    ssh version 1
    console timeout 0
    dhcprelay server 10.10.0.252 inside
    dhcprelay enable outside
    dhcprelay timeout 60
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect http
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    ntp server xxxxxxxx.28 source outside prefer
    tftp-server inside xxxxxxxxdc \\tftp
    group-policy RAPool1 internal
    group-policy RAPool1 attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value 101
    username testuser1 password oDcNOrk78GeU6W4K encrypted privilege 15
    tunnel-group xxxxxxxx.98 type ipsec-l2l
    tunnel-group xxxxxxxx.98 ipsec-attributes
    pre-shared-key *
    tunnel-group xxxxxxxx.226 type ipsec-l2l
    tunnel-group xxxxxxxx.226 ipsec-attributes
    pre-shared-key *
    tunnel-group xxxxxxxx.146 type ipsec-l2l
    tunnel-group xxxxxxxx.146 ipsec-attributes
    pre-shared-key *
    tunnel-group xxxxxxxx.186 type ipsec-l2l
    tunnel-group xxxxxxxx.186 ipsec-attributes
    pre-shared-key *
    tunnel-group xxxxxxxx.129 type ipsec-l2l
    tunnel-group xxxxxxxx.129 ipsec-attributes
    pre-shared-key *
    tunnel-group xxxxxxxx.34 type ipsec-l2l
    tunnel-group xxxxxxxx.34 ipsec-attributes
    pre-shared-key *
    peer-id-validate nocheck
    isakmp keepalive disable
    tunnel-group xxxxxxxx.161 type ipsec-l2l
    tunnel-group xxxxxxxx.161 ipsec-attributes
    pre-shared-key *
    tunnel-group xxxxxxxx.2 type ipsec-l2l
    tunnel-group xxxxxxxx.2 ipsec-attributes
    pre-shared-key *
    tunnel-group RAPool1 type ipsec-ra
    tunnel-group RAPool1 general-attributes
    address-pool IPSEC
    default-group-policy RAPool1
    tunnel-group RAPool1 ipsec-attributes
    pre-shared-key *
    prompt hostname context

    Thanks.
