Problem with VPN Client and PIX 7.0(5)

Unanswered Question
Feb 28th, 2007

Hi, I have a problem configuring my PIX 525 7.0(5) as a remote VPN server. I already configured the PIX

following these instructions (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml)

and I can establish a VPN using the Cisco VPN Client, but I can't reach any resource on my inside network or any network defined on the PIX.

I think it could be a missing NAT or an ACL; I have done a lot of research but I can't figure out the solution.

This is the configuration I applied

/*************************************/

access-list cryptomap-scada extended permit ip any 172.10.0.0 255.255.255.0

access-list acl-vpn-sap-remoto extended permit ip any 172.16.42.64 255.255.255.224

access-list acl-vpn-sap-remoto extended permit icmp any 172.16.42.64 255.255.255.224

access-list acl-vpn-sap-remoto extended permit ip any any

access-list acl-vpn-sap-remoto extended permit icmp any any

ip local pool pool_vpn_sap 172.*.*.1-172.10.0.254 mask 255.255.255.0

nat (inside) 0 access-list cryptomap-scada

group-policy VPN_SAP_PED internal

group-policy VPN_SAP_PED attributes

vpn-filter value acl-vpn-sap-remoto

vpn-tunnel-protocol IPSec

username vpnuser password **** encrypted

username vpnuser attributes

vpn-group-policy VPN_SAP_PED

crypto ipsec transform-set vpn-cliente-remoto esp-3des esp-md5-hmac

crypto dynamic-map vpn-remoto-dymap 7 set transform-set vpn-cliente-remoto

crypto dynamic-map vpn-remoto-dymap 7 set reverse-route

crypto map siemens-scada-map 7 ipsec-isakmp dynamic vpn-remoto-dymap

isakmp policy 7 authentication pre-share

isakmp policy 7 encryption 3des

isakmp policy 7 hash sha

isakmp policy 7 group 2

isakmp policy 7 lifetime 43200

tunnel-group VPN_SAP_PED type ipsec-ra

tunnel-group VPN_SAP_PED general-attributes

address-pool pool_vpn_sap

default-group-policy VPN_SAP_PED

tunnel-group VPN_SAP_PED ipsec-attributes

pre-shared-key clavevpnsap

/*****************************************/

Thanks in advance

ggilbert Wed, 02/28/2007 - 12:23

Hi,

I looked through the config and let's start from the basics. If you remove the vpn-filter from the group-policy, are you able to get access to your internal resources using the VPN client?

sh run nat -> Send me this output, please.

Thanks

Gilbert

Rate this post, if it helps!

Anonymous (not verified) Wed, 02/28/2007 - 12:37

Hi, thanks for your response. If I remove the ACL from the vpn-filter, I get the same problem (I can't reach any host). This is the output from the command you asked for.

/*****************************************/

PIX-Principal(config)# show running-config nat

nat (inside) 0 access-list cryptomap-scada

nat (inside) 9 JOsorioPC 255.255.255.255

nat (inside) 9 GColinaPC 255.255.255.255

nat (inside) 9 AlfonsoPC 255.255.255.255

nat (inside) 9 AngelPC 255.255.255.255

nat (inside) 9 JerryPC 255.255.255.255

nat (inside) 9 EstebanPC 255.255.255.255

nat (inside) 9 GiancarloPC 255.255.255.255

nat (inside) 9 WilliamsPC 255.255.255.255

nat (inside) 9 PerniaPC 255.255.255.255

nat (inside) 9 ElvisDomPC 255.255.255.255

nat (inside) 8 LBermudezPC 255.255.255.255

nat (inside) 9 HelpDeskPC 255.255.255.255

nat (inside) 9 OscarOPC 255.255.255.255

nat (inside) 9 AnaPC 255.255.255.255

nat (inside) 9 RobertoPC 255.255.255.255

nat (inside) 9 MarthaPC 255.255.255.255

nat (inside) 9 NOCPc5-I 255.255.255.255

nat (inside) 9 NOCPc6-I 255.255.255.255

nat (inside) 9 CiraPC 255.255.255.255

nat (inside) 9 JaimePC 255.255.255.255

nat (inside) 9 EugemarPC 255.255.255.255

nat (inside) 9 JosePC 255.255.255.255

nat (inside) 9 RixioPC 255.255.255.255

nat (inside) 9 DaniellePC 255.255.255.255

nat (inside) 9 NorimarPC 255.255.255.255

nat (inside) 9 NNavaPC 255.255.255.255

nat (inside) 8 ManriquePC 255.255.255.255

nat (inside) 8 MarcialPC 255.255.255.255

nat (inside) 8 JAlbornozPC 255.255.255.255

nat (inside) 9 GUrdanetaPC 255.255.255.255

nat (inside) 9 RVegaPC 255.255.255.255

nat (inside) 9 LLabarcaPC 255.255.255.255

nat (inside) 9 Torondoy-I 255.255.255.255

nat (inside) 9 Escuque-I 255.255.255.255

nat (inside) 9 Turbio-I 255.255.255.255

nat (inside) 9 JoseMora 255.255.255.255

nat (inside) 8 San-Juan-I 255.255.255.255

nat (inside) 8 Router7507 255.255.255.255

nat (inside) 8 NOCPc4-I 255.255.255.255

nat (InterfaceSAN) 8 MonitorHITACHI-I 255.255.255.255

/***************************************/

Anonymous (not verified) Wed, 02/28/2007 - 12:47

No I haven't, but I have other L2L VPN connections working fine without this command; is it necessary only for RA VPNs? And could this command affect the other L2L VPNs?

acomiskey Wed, 02/28/2007 - 12:52

"For traffic that enters the security appliance through an IPSec tunnel and is then decrypted, use the sysopt connection permit-ipsec command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic."

You must have the traffic for other connections allowed in your interface ACLs?

Anonymous (not verified) Wed, 02/28/2007 - 12:56

Yes; I have ACLs on other interfaces. If I apply this command, will it affect the other L2L VPNs?

acomiskey Wed, 02/28/2007 - 13:02

If you apply the command, all your IPsec traffic will bypass your interface ACLs. If you are using your interface ACLs to filter your other IPsec traffic, then you do NOT want to apply this command.

Are you restricting other IPsec traffic by interface ACLs or vpn-filters?

Anonymous (not verified) Wed, 02/28/2007 - 14:13

Ok, I only filter my L2L VPN traffic with the ACLs configured for my VPN tunnels, not with the interface ACLs.

Example:

/**************************************/

access-list cryptomap-credicard extended permit ip host Naiguata 137.1.1.0 255.255.255.0

crypto map siemens-scada-map 2 match address cryptomap-credicard

crypto map siemens-scada-map 2 set pfs

crypto map siemens-scada-map 2 set peer XXX.XXX.XXX.XXX

crypto map siemens-scada-map 2 set transform-set vpn-credicard-sha

/**************************************/

So I won't have a problem with the command, right?

acomiskey Wed, 02/28/2007 - 18:49

No, no problems. But I'm not sure how any of your tunnels work without it.

Anonymous (not verified) Thu, 03/01/2007 - 14:15

Hi; I just ran the command "show runn sysopt" and this is the result

/*****************************/

PIX-Principal# show running-config sysopt

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

no sysopt uauth allow-http-cache

sysopt connection permit-ipsec

/**********************************/

So I already have the IPsec traffic permitted. What else could I check?

Thanks in advance

Kamal Malhotra Wed, 02/28/2007 - 13:46

Hi,

Please issue the command 'sh run sysopt' and make sure that you have 'sysopt connection permit-vpn'. Another thing is, as Gilbert suggested, please try removing the filter command from under the group policy. Third thing would be to make sure that the ACL on the inside interface has traffic from any permitted to the 172.10.0.0.

HTH,

Please rate if it helps,

Regards,

Kamal

Anonymous (not verified) Thu, 03/01/2007 - 14:30

Hi, I tried all of your suggestions and it didn't help...

Thanks in advance.

Anonymous (not verified) Fri, 03/02/2007 - 05:22

No, I haven't.

kaachary Sun, 03/04/2007 - 05:44

Hi,

Please enable "isakmp nat-t" on the PIX.

Also, make sure that the clients have "Enable Transparent Tunneling" checked with "IPSec over UDP (NAT/PAT)" selected.

HTH,

-Kanishka

loverprince Wed, 03/07/2007 - 00:44

Hello

Please try to add your inside subnet to the no-NAT access list.

Make sure that the source is your local subnet and the destination is the remote clients' subnet.

Regards
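As an added example (not code from the thread or from Cisco), the checks raised across the thread as a small Python script: whether the no-NAT exemption ACL referenced by `nat (inside) 0` covers the client pool with the inside subnet as the source (loverprince's advice), whether `sysopt connection permit-ipsec` is present, and whether NAT-T is enabled (kaachary's advice). The config samples are constructed from the poster's lines with an assumed pool start of 172.10.0.1 and an assumed inside subnet of 172.16.42.0/24; `check_ra_vpn` and its helpers are hypothetical names.

```python
import ipaddress
import re

# Constructed samples: the poster's remote-access lines with the masked pool
# start filled in as an assumed value, and the same lines after applying the
# thread's advice (inside subnet as source of the no-NAT ACL, NAT-T enabled).
AS_POSTED = """\
access-list cryptomap-scada extended permit ip any 172.10.0.0 255.255.255.0
ip local pool pool_vpn_sap 172.10.0.1-172.10.0.254 mask 255.255.255.0
nat (inside) 0 access-list cryptomap-scada
sysopt connection permit-ipsec
"""
CORRECTED = AS_POSTED.replace(
    "permit ip any 172.10.0.0", "permit ip 172.16.42.0 255.255.255.0 172.10.0.0"
) + "isakmp nat-traversal 20\n"

def _take_net(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D MASK')."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{t}/{tokens.pop(0)}", strict=False)

def acl_ip_entries(config, name):
    """(src, dst) networks of the 'permit ip' lines of extended ACL <name>."""
    out = []
    for m in re.finditer(rf"^access-list {re.escape(name)} extended permit ip (.+)$", config, re.M):
        tokens = m.group(1).split()
        try:
            out.append((_take_net(tokens), _take_net(tokens)))
        except (ValueError, IndexError):
            continue  # object names such as 'Naiguata' cannot be resolved offline
    return out

def check_ra_vpn(config, inside_net):
    """Apply the thread's checks to a PIX 7.0 config snippet; returns a findings dict."""
    inside_net = ipaddress.IPv4Network(inside_net)
    m = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", config, re.M)
    pool = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
    acl = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    entries = acl_ip_entries(config, acl.group(1)) if acl else []
    return {
        # exemption must cover inside -> client pool; 7.0 says permit-ipsec, later releases permit-vpn
        "pool_exempted": any(pool.subnet_of(dst) for _, dst in entries),
        "inside_is_source": any(src.subnet_of(inside_net) and pool.subnet_of(dst) for src, dst in entries),
        "permit_ipsec": bool(re.search(r"^sysopt connection permit-(ipsec|vpn)$", config, re.M)),
        "nat_t": bool(re.search(r"^(crypto )?isakmp nat-t", config, re.M)),
    }
```

Run `check_ra_vpn(AS_POSTED, "172.16.42.0/24")` to see which of the thread's conditions the posted snippet fails; the same call on `CORRECTED` returns all findings true.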
