VPN through pix: confusion about broadcast address

Discussion in 'Cisco' started by John Scholvin, Feb 23, 2005.

  1. All right, I'm down to (hopefully) my last pix problem. Thanks again
    to all the helpful people here.

    When I establish a VPN connection to the pix, everything is working
    great except one thing. When I try to browse for the SMB servers that
    are on the internal LAN, nothing comes back. I see lots of messages
    like this in the log:

    Feb 22 20:30:07 pixfw %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.250.1/58702 dst outside:192.168.250.255/137

    The 192.168.250 network is the VPN pool and 192.168.0 is the inside
    network. It looks to me like there's a problem with the broadcast
    address (.255) and NAT? Seems like the error message indicates it's
    trying to translate that address, but it shouldn't. It is part of
    the NONAT acl below, right?

    I set the "ip local pool" to 192.168.250.1 - 192.168.250.254, specifically
    excluding the .255 address, since I don't want the pix ever assigning that
    to someone's VPN connection. Could that be the problem?

    Other services to the internal LAN are fine from the VPN client; this
    seems to be the last frontier. Config below. Any ideas?


    show conf
    : Saved
    : Written by enable_15 at 20:38:11.681 CST Tue Feb 22 2005
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password *** encrypted
    passwd *** encrypted
    hostname pixfw
    domain-name ****.***
    clock timezone CST -6
    clock summer-time CDT recurring
    fixup protocol dns maximum-length 600
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.0.200 utility
    name xx.xx.xx.97 router01
    object-group icmp-type icmp_traffic
    icmp-object echo-reply
    icmp-object source-quench
    icmp-object unreachable
    icmp-object time-exceeded
    access-list PERMIT_IN permit icmp any any object-group icmp_traffic
    access-list PERMIT_IN permit tcp any host xx.xx.xx.102 eq ssh
    access-list PERMIT_IN permit tcp any host xx.xx.xx.102 eq www
    access-list PERMIT_IN permit tcp any host xx.xx.xx.102 eq https
    access-list PERMIT_IN permit udp host router01 host xx.xx.xx.102 eq syslog
    access-list PERMIT_IN permit udp host router01 any eq snmp
    access-list PERMIT_IN permit udp any host xx.xx.xx.102 eq isakmp
    access-list PERMIT_IN permit ah any host xx.xx.xx.102
    access-list PERMIT_IN permit esp any host xx.xx.xx.102
    access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.250.0 255.255.255.0
    no pager
    logging on
    logging trap notifications
    logging host inside utility
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside xx.xx.xx.102 255.255.255.248
    ip address inside 192.168.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool REMOTE_PC 192.168.250.1-192.168.250.254
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    static (inside,outside) tcp interface ssh utility ssh netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www utility www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https utility https netmask 255.255.255.255 0 0
    static (inside,outside) udp interface syslog utility syslog netmask 255.255.255.255 0 0
    access-group PERMIT_IN in interface outside
    route outside 0.0.0.0 0.0.0.0 router01 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server utility source inside
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set remoteaccess esp-3des esp-sha-hmac
    crypto dynamic-map DYN_MAP 10 set transform-set remoteaccess
    crypto map CRYPTO_MAP 99 ipsec-isakmp dynamic DYN_MAP
    crypto map CRYPTO_MAP client configuration address initiate
    crypto map CRYPTO_MAP client configuration address respond
    crypto map CRYPTO_MAP interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
    isakmp client configuration address-pool local REMOTE_PC outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup VPN address-pool REMOTE_PC
    vpngroup VPN dns-server utility
    vpngroup VPN default-domain ***.***
    vpngroup VPN split-tunnel NONAT
    vpngroup VPN idle-time 1800
    vpngroup dns-server idle-time 1800
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    dhcpd address 192.168.0.50-192.168.0.69 inside
    dhcpd dns utility
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain ***.***
    dhcpd auto_config outside
    dhcpd enable inside
    username *** password *** encrypted privilege 15
    terminal width 80
     
    John Scholvin, Feb 23, 2005
    #1
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.