Problem with IPsec on Pix 501 can't ping Local LAN

Discussion in 'Cisco' started by Yogiz, Jun 20, 2007.

    Hi there,

    I have a very frustrating problem with my VPN setup.
    I'm able to establish the VPN connection with the pix using Cisco VPN Client; however, for some very strange reason I cannot ping or browse the local network.
    However I can ping through the pix.

    Here is a copy of my Pix config:

    =========================================================
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password encrypted
    passwd encrypted
    hostname
    domain-name
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group network INSIDE-LAN
    network-object 10.164.117.0 255.255.255.0
    object-group network VPNCLIENTB
    network-object 10.10.10.0 255.255.255.0
    access-list 101 permit icmp any any traceroute
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any unreachable
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit ip host *.*.*.* any
    access-list NONAT permit ip 10.164.117.0 255.255.255.0 object-group VPNCLIENTB
    access-list ST-ACCESS permit ip object-group VPNCLIENTB object-group INSIDE-LAN
    access-list DUMP permit icmp any any
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 10.164.117.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPNCLIENTB 10.10.10.1-10.10.10.10
    pdm location 10.164.117.6 255.255.255.255 inside
    pdm location 172.16.8.0 255.255.255.0 outside
    pdm location 217.153.7.122 255.255.255.255 outside
    pdm location 10.164.117.0 255.255.255.0 inside
    pdm group INSIDE-LAN inside
    pdm group VPNCLIENT outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 10.164.117.0 255.255.255.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 3389 10.164.117.6 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface telnet 10.164.117.6 telnet netmask 255.255.255.255 0 0
    access-group 101 in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    http *.*.*.* 255.255.255.255 outside
    http 10.164.117.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set VPN3DES esp-3des esp-sha-hmac
    crypto dynamic-map CLIENT 1 set transform-set VPN3DES
    crypto map VPN 80 ipsec-isakmp dynamic CLIENT
    crypto map VPN client authentication LOCAL
    crypto map VPN interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup TESTING address-pool VPNCLIENTB
    vpngroup TESTING split-tunnel ST-ACCESS
    vpngroup TESTING idle-time 1800
    vpngroup TESTING password ********
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 10.164.117.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    dhcpd address 10.164.117.2-10.164.117.6 inside
    dhcpd dns 4.2.2.1 4.2.2.2
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside

    ========================================================

    This is the IP assigned to me when the VPN connection is established using Cisco VPN Client:
    ========================================================
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Cisco Systems VPN Adapter
    Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 10.10.10.1
    Subnet Mask . . . . . . . . . . . : 255.0.0.0
    Default Gateway . . . . . . . . . :
    ==========================================================
    I can ping the devices on the inside interface via SSH on the pix.

    pix(config)# ping 10.164.117.2
    10.164.117.2 response received -- 0ms
    10.164.117.2 response received -- 0ms
    10.164.117.2 response received -- 0ms
    ==========================================================
    pix(config)# show arp
    outside ******** 0012.da29.a054
    inside 10.164.117.2 001b.2f05.eb4e
    inside 10.164.117.6 0014.85ea.91d5
    pix(config)#
    ==========================================================
    Route Print
    ========================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.150.1 192.168.150.112 20
    10.0.0.0 255.0.0.0 10.10.10.1 10.10.10.1 20
    10.0.0.0 255.255.255.0 192.168.150.11 192.168.150.112 1
    10.10.10.0 255.255.255.0 10.0.0.1 10.10.10.1 1
    10.10.10.1 255.255.255.255 127.0.0.1 127.0.0.1 20
    10.255.255.255 255.255.255.255 10.10.10.1 10.10.10.1 20
    ========================================================
    Thanks for any input,
    Yogiz, Jun 20, 2007
    #1
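An added audit example (not part of the original post, and not Cisco or the poster's own tooling) that reads a PIX 6.3 configuration like the one above and reports two things a reviewer would check first: access-lists that are defined but never bound to anything, and management-plane services reachable from the outside interface. In the posted config, `access-list NONAT` is defined but no `nat (inside) 0 access-list NONAT` line binds it, and that binding is how PIX 6.3 exempts LAN-to-VPN-client traffic from the `nat (inside) 1` PAT rules; the script flags exactly that kind of gap. The embedded config is a constructed excerpt that mirrors the post, with the masked host `*.*.*.*` replaced by the documentation address `198.51.100.10` as a placeholder.

```python
import re

# Constructed excerpt of the PIX 6.3 config from the post.
# 198.51.100.10 is a placeholder for the host the poster masked as *.*.*.*.
SAMPLE_CONFIG = """\
access-list 101 permit icmp any any echo-reply
access-list 101 permit ip host 198.51.100.10 any
access-list NONAT permit ip 10.164.117.0 255.255.255.0 object-group VPNCLIENTB
access-list ST-ACCESS permit ip object-group VPNCLIENTB object-group INSIDE-LAN
access-list DUMP permit icmp any any
global (outside) 1 interface
nat (inside) 1 10.164.117.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface telnet 10.164.117.6 telnet netmask 255.255.255.255 0 0
access-group 101 in interface outside
http 198.51.100.10 255.255.255.255 outside
snmp-server community public
vpngroup TESTING split-tunnel ST-ACCESS
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.164.117.0 255.255.255.0 inside
"""

# A line that defines (or extends) an access-list: "access-list NAME ..."
ACL_DEF = re.compile(r"^access-list\s+(\S+)\s")

# The PIX 6.3 commands that consume an access-list by name.
ACL_REFS = [
    re.compile(r"^access-group\s+(\S+)\s"),                          # interface filter
    re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)"),         # NAT exemption
    re.compile(r"^vpngroup\s+\S+\s+split-tunnel\s+(\S+)"),           # split-tunnel list
    re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)"),  # crypto ACL
]


def acl_usage(config):
    """Return (defined, referenced) sets of access-list names."""
    defined, referenced = set(), set()
    for line in config.splitlines():
        line = line.strip()
        m = ACL_DEF.match(line)
        if m:
            defined.add(m.group(1))
            continue
        for pat in ACL_REFS:
            m = pat.match(line)
            if m:
                referenced.add(m.group(1))
    return defined, referenced


def unreferenced_acls(config):
    """Access-lists that exist in the config but are bound to nothing."""
    defined, referenced = acl_usage(config)
    return sorted(defined - referenced)


def has_nat_exemption(config):
    """True if any 'nat (ifc) 0 access-list NAME' line is present."""
    return any(re.match(r"^\s*nat\s+\(\S+\)\s+0\s+access-list\s+\S+", l)
               for l in config.splitlines())


def management_findings(config):
    """Management-plane exposures visible in the running config."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if re.match(r"^(ssh|http|telnet)\s+0\.0\.0\.0\s+0\.0\.0\.0\s+outside$", line):
            findings.append(f"{line.split()[0]} management open to any source on outside")
        elif re.match(r"^snmp-server\s+community\s+public$", line):
            findings.append("SNMP community 'public' configured")
        elif re.match(r"^static\s+\(inside,outside\)\s+tcp\s+interface\s+telnet\s", line):
            findings.append("telnet forwarded from outside interface to an inside host")
    return findings


if __name__ == "__main__":
    print("unbound access-lists:", unreferenced_acls(SAMPLE_CONFIG))
    print("NAT exemption present:", has_nat_exemption(SAMPLE_CONFIG))
    for f in management_findings(SAMPLE_CONFIG):
        print("finding:", f)
```

Run against the excerpt, the script reports `NONAT` and `DUMP` as unbound and no NAT-exemption line at all, which is the first thing to verify when VPN clients can reach the firewall but not hosts behind it: without `nat (inside) 0 access-list NONAT`, replies from the 10.164.117.0/24 LAN to the 10.10.10.0/24 pool fall under the `nat (inside) 1 0.0.0.0 0.0.0.0` rule instead of entering the tunnel. The management findings (SSH from any address on the outside, the `public` SNMP community, telnet forwarded in from the outside interface) are separate hardening items the same config review surfaces.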