02-28-2007 12:15 PM - edited 02-21-2020 02:53 PM
Hi, I have a problem configuring my PIX 525 7.0(5) as a remote VPN server. I already configured the PIX
following these instructions (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml)
and I can establish a VPN using the Cisco VPN Client, but I can't reach any resource from my inside network or any network defined in the PIX.
I think that it could be a missing NAT or an ACL; I have done a lot of research but I can't figure out the solution.
This is the configuration I applied:
/*************************************/
access-list cryptomap-scada extended permit ip any 172.10.0.0 255.255.255.0
access-list acl-vpn-sap-remoto extended permit ip any 172.16.42.64 255.255.255.224
access-list acl-vpn-sap-remoto extended permit icmp any 172.16.42.64 255.255.255.224
access-list acl-vpn-sap-remoto extended permit ip any any
access-list acl-vpn-sap-remoto extended permit icmp any any
ip local pool pool_vpn_sap 172.*.*.1-172.10.0.254 mask 255.255.255.0
nat (inside) 0 access-list cryptomap-scada
group-policy VPN_SAP_PED internal
group-policy VPN_SAP_PED attributes
vpn-filter value acl-vpn-sap-remoto
vpn-tunnel-protocol IPSec
username vpnuser password **** encrypted
username vpnuser attributes
vpn-group-policy VPN_SAP_PED
crypto ipsec transform-set vpn-cliente-remoto esp-3des esp-md5-hmac
crypto dynamic-map vpn-remoto-dymap 7 set transform-set vpn-cliente-remoto
crypto dynamic-map vpn-remoto-dymap 7 set reverse-route
crypto map siemens-scada-map 7 ipsec-isakmp dynamic vpn-remoto-dymap
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash sha
isakmp policy 7 group 2
isakmp policy 7 lifetime 43200
tunnel-group VPN_SAP_PED type ipsec-ra
tunnel-group VPN_SAP_PED general-attributes
address-pool pool_vpn_sap
default-group-policy VPN_SAP_PED
tunnel-group VPN_SAP_PED ipsec-attributes
pre-shared-key clavevpnsap
/*****************************************/
Thanks in advance
02-28-2007 12:23 PM
Hi,
I looked through the config and let's start from the basics. If you remove the VPN filter from the group policy, are you able to get access to your internal resources using the VPN client?
sh run nat -> Send me this output, please.
Thanks
Gilbert
Rate this post, if it helps!
02-28-2007 12:37 PM
Hi, thanks for your response. If I remove the ACL from the VPN filter, I get the same problem (I can't reach any host). This is the output from the command that you asked for.
/*****************************************/
PIX-Principal(config)# show running-config nat
nat (inside) 0 access-list cryptomap-scada
nat (inside) 9 JOsorioPC 255.255.255.255
nat (inside) 9 GColinaPC 255.255.255.255
nat (inside) 9 AlfonsoPC 255.255.255.255
nat (inside) 9 AngelPC 255.255.255.255
nat (inside) 9 JerryPC 255.255.255.255
nat (inside) 9 EstebanPC 255.255.255.255
nat (inside) 9 GiancarloPC 255.255.255.255
nat (inside) 9 WilliamsPC 255.255.255.255
nat (inside) 9 PerniaPC 255.255.255.255
nat (inside) 9 ElvisDomPC 255.255.255.255
nat (inside) 8 LBermudezPC 255.255.255.255
nat (inside) 9 HelpDeskPC 255.255.255.255
nat (inside) 9 OscarOPC 255.255.255.255
nat (inside) 9 AnaPC 255.255.255.255
nat (inside) 9 RobertoPC 255.255.255.255
nat (inside) 9 MarthaPC 255.255.255.255
nat (inside) 9 NOCPc5-I 255.255.255.255
nat (inside) 9 NOCPc6-I 255.255.255.255
nat (inside) 9 CiraPC 255.255.255.255
nat (inside) 9 JaimePC 255.255.255.255
nat (inside) 9 EugemarPC 255.255.255.255
nat (inside) 9 JosePC 255.255.255.255
nat (inside) 9 RixioPC 255.255.255.255
nat (inside) 9 DaniellePC 255.255.255.255
nat (inside) 9 NorimarPC 255.255.255.255
nat (inside) 9 NNavaPC 255.255.255.255
nat (inside) 8 ManriquePC 255.255.255.255
nat (inside) 8 MarcialPC 255.255.255.255
nat (inside) 8 JAlbornozPC 255.255.255.255
nat (inside) 9 GUrdanetaPC 255.255.255.255
nat (inside) 9 RVegaPC 255.255.255.255
nat (inside) 9 LLabarcaPC 255.255.255.255
nat (inside) 9 Torondoy-I 255.255.255.255
nat (inside) 9 Escuque-I 255.255.255.255
nat (inside) 9 Turbio-I 255.255.255.255
nat (inside) 9 JoseMora 255.255.255.255
nat (inside) 8 San-Juan-I 255.255.255.255
nat (inside) 8 Router7507 255.255.255.255
nat (inside) 8 NOCPc4-I 255.255.255.255
nat (InterfaceSAN) 8 MonitorHITACHI-I 255.255.255.255
/***************************************/
02-28-2007 12:42 PM
Do you have "sysopt connection permit-ipsec"?
02-28-2007 12:47 PM
No, I haven't, but I have other L2L VPN connections working fine without this command. Is it necessary only for RA VPNs, and could this command affect the other L2L VPNs?
02-28-2007 12:52 PM
"For traffic that enters the security appliance through an IPSec tunnel and is then decrypted, use the sysopt connection permit-ipsec command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic."
You must have the traffic for the other connections allowed in your interface ACLs?
02-28-2007 12:56 PM
Yes, I have ACLs on other interfaces. If I apply this command, will it affect the other L2L VPNs?
02-28-2007 01:02 PM
If you apply the command, all your IPsec traffic will bypass your interface ACLs. If you are using your interface ACLs to filter your other IPsec traffic, then you do NOT want to apply this command.
Are you restricting other IPsec traffic by interface ACLs or vpn-filters?
02-28-2007 02:13 PM
OK, I only filter my L2L VPN traffic with the ACLs configured for my VPN tunnels, not with the interface ACLs.
Example:
/**************************************/
access-list cryptomap-credicard extended permit ip host Naiguata 137.1.1.0 255.255.255.0
crypto map siemens-scada-map 2 match address cryptomap-credicard
crypto map siemens-scada-map 2 set pfs
crypto map siemens-scada-map 2 set peer XXX.XXX.XXX.XXX
crypto map siemens-scada-map 2 set transform-set vpn-credicard-sha
/**************************************/
So I won't have a problem with the command, right?
02-28-2007 06:49 PM
No, no problems. But I'm not sure how any of your tunnels work without it.
03-01-2007 02:15 PM
Hi, I just ran the command "show run sysopt" and this is the result:
/*****************************/
PIX-Principal# show running-config sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
sysopt connection permit-ipsec
/**********************************/
So I have already permitted the IPsec traffic. What else could I check?
Thanks in advance
02-28-2007 01:46 PM
Hi,
Please issue the command 'sh run sysopt' and make sure that you have 'sysopt connection permit-vpn'. Another thing: as Gilbert suggested, please try removing the filter command from under the group policy. The third thing would be to make sure that the ACL on the inside interface permits traffic from any to 172.10.0.0.
HTH,
Please rate if it helps,
Regards,
Kamal
03-01-2007 02:30 PM
Hi, I tried all of your suggestions and it didn't help...
Thanks in advance.
03-01-2007 03:58 PM
Do you have
crypto isakmp nat-traversal
03-02-2007 05:22 AM
No, I haven't.
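Added example, not from the thread or from Cisco: a small Python checker that applies the three checks raised in the thread (the nat 0 exemption ACL covering the address pool as destination, sysopt connection permit-ipsec, and crypto isakmp nat-traversal) to constructed config lines taken from the post; the pool start address, masked in the post, is assumed to be 172.10.0.1.

```python
import re
import ipaddress

# Constructed sample from the posted config; masked pool start assumed 172.10.0.1, no nat-traversal line.
SAMPLE_CONFIG = """\
access-list cryptomap-scada extended permit ip any 172.10.0.0 255.255.255.0
ip local pool pool_vpn_sap 172.10.0.1-172.10.0.254 mask 255.255.255.0
nat (inside) 0 access-list cryptomap-scada
sysopt connection permit-ipsec
"""

def _net(tokens):
    """Consume one ACL address term ('any', 'host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acls(config):
    """Map ACL name -> [(src_net, dst_net)] for 'extended permit ip' entries."""
    acls = {}
    for m in re.finditer(r"^access-list (\S+) extended permit ip (.+)$", config, re.M):
        src, rest = _net(m.group(2).split())
        dst, _ = _net(rest)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls

def parse_pool(config, name):
    m = re.search(rf"^ip local pool {name} (\S+)-(\S+)", config, re.M)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def nat_exempt_covers_pool(config, interface, pool):
    """True if the nat (iface) 0 exemption ACL has a permit whose destination holds the
    whole pool; that ACL is written from the inside hosts' view, so the pool is the destination."""
    m = re.search(rf"^nat \({interface}\) 0 access-list (\S+)", config, re.M)
    if not m:
        return False
    first, last = parse_pool(config, pool)
    return any(first in dst and last in dst for _, dst in parse_acls(config).get(m.group(1), []))

def has_line(config, line):
    return re.search(rf"^{re.escape(line)}\s*$", config, re.M) is not None

def run_checks(config, interface="inside", pool="pool_vpn_sap"):
    """The three things the thread asks the poster to verify, as booleans."""
    return {"nat0_covers_pool": nat_exempt_covers_pool(config, interface, pool),
            "sysopt_permit_ipsec": has_line(config, "sysopt connection permit-ipsec"),
            "nat_traversal": has_line(config, "crypto isakmp nat-traversal")}
```

The checker only parses numeric addresses and "any"/"host"; object names such as the ones in the show run nat output are not resolved, and it does not evaluate the vpn-filter ACL.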