VPN client connects but cannot access internal network

Unanswered Question
Mar 13th, 2007

Hello,

I have configured the client VPN on a PIX 515E. The user can connect successfully, but they don't get any access to the internal servers and also cannot browse the Internet.

My config is attached.



Kamal Malhotra Tue, 03/13/2007 - 06:15

Hi,

The access-list acl_inside does not permit traffic from inside to the pool range. Please get that corrected. As far as Internet access is concerned, we'll have to look into it further.

HTH,

Please rate if it helps.

Regards,

Kamal

zulqurnain Tue, 03/13/2007 - 22:07

Hello Kamal,

I tried allowing everything on acl_inside, yet I get the same results.

oabduo983 Tue, 03/13/2007 - 11:27

Hi,

Make sure you have a route inside statement to the place you want to reach. Also make sure you are connecting to the VPN without going through a NAT device (use the NAT-Transparent feature to fix this problem, but before that see what happens if you connect to it through a dialup connection, as you will be getting in without translation)...

Please rate if this helps.

Osama Abduo

acomiskey Tue, 03/13/2007 - 11:43

These are not correct... the source is wrong; it should be your inside network which you would like to cross the tunnel.

access-list nonat permit ip 1.2.3.4 255.255.0.0 192.168.1.0 255.255.255.0

access-list split-vpn permit ip 1.2.3.4 255.255.0.0 192.168.1.0 255.255.255.0

zulqurnain Tue, 03/13/2007 - 22:16

Hello,

You mean it should be like:

access-list nonat permit ip 192.168.1.0 255.255.255.0 1.2.3.4 255.255.0.0


acomiskey Wed, 03/14/2007 - 05:50

You want VPN clients to access inside servers, so you need to specify the correct NAT exemption. You can do this by host or by subnet.

access-list nonat permit ip 192.168.1.0 255.255.255.252

or

access-list nonat permit ip host 192.168.1.0 255.255.255.252

zulqurnain Wed, 03/14/2007 - 14:32

Hello,

With respect, if you look at my config, this is what I had done:

access-list nonat permit ip 1.2.3.4 255.255.0.0 192.168.1.0 255.255.255.0

So what's wrong now?



acomiskey Wed, 03/14/2007 - 15:22

Well, the source looked wrong; the mask doesn't match. Do you want 1.2.0.0 255.255.0.0, or do you want a single host, 1.2.3.4 255.255.255.255?

zulqurnain Wed, 03/14/2007 - 22:07

Well, it would be good if I allowed the subnet 1.2.0.0 instead of a single host.

I am running out of options here, so please, everyone, I need help.

zulqurnain Thu, 03/15/2007 - 01:31

Whenever I connect the VPN client I am receiving this message on my syslog:

# Generated by SysLog Monitor
# Version 8.0.19
# 3/15/2007 11:19:14 AM
#
# Syslog Monitor
Date/Time Hostname Priority Message
"3/15/2007 11:10" 1.2.4.230 Info "Jan 03 1993 23:27:43: %PIX-6-110001: No route to 192.168.1.255 from 192.168.1.1 "
"3/15/2007 11:10" 1.2.4.230 Info "Jan 03 1993 23:27:32: %PIX-6-110001: No route to 192.168.1.255 from 192.168.1.1 "
"3/15/2007 11:10" 1.2.4.230 Info "Jan 03 1993 23:27:22: %PIX-6-110001: No route to < outside gateway IP for PIX> from 192.168.1.1 "

even though I have added the route 192.168.1.0 255.255.255.255.

Also, I read in one of the documents that it all has to do with the way the PIX processes traffic (i.e. its order of operation). The most important thing to remember about the PIX is that one of the first things it attempts to do is NAT, even before it looks at the routing table. This message will typically appear if the PIX has a discrepancy between the NAT table and the routing table.

Meaning the configuration output has missing information about your NAT translations (globals, nats, statics). This is most likely the section of the configuration where the problems are. Yes, even though the logs say it's a routing problem, it's not. It is NAT.

So help would be really great.


acomiskey Thu, 03/15/2007 - 06:12

My point is, you have this:

1.2.3.4 255.255.0.0

It doesn't make sense and I'm surprised the PIX even took it. The mask does not match! Not sure on your routing errors though. What is 192.168.1.1, your client IP?

zulqurnain Thu, 03/15/2007 - 06:32

Yes, it's my client IP, and as for 1.2.3.4 255.255.0.0, let me tell you with respect that I changed my IPs as I was posting them publicly.

acomiskey Thu, 03/15/2007 - 06:42

OK, no harm done. So you do have something like 1.2.0.0 255.255.0.0.

zulqurnain Fri, 03/16/2007 - 11:08

Hello,

Okay, let's just imagine I have 1.2.0.0 255.255.0.0 in my network; I hope this will help you understand my config more clearly.

acomiskey Fri, 03/16/2007 - 11:17

If 192.168.1.0 is your VPN client subnet, you should not have route 192.168.1.0 255.255.255.255, as you stated you entered above.

Oh, and not to be picky, but it's much harder to troubleshoot when you don't have all the right info. The mask doesn't match for this either: 192.168.1.0 255.255.255.255.
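A small checker, added here and not taken from any post in this thread or from Cisco, that applies the two points raised in the replies above to constructed PIX-style lines: address/mask pairs whose host bits are set (the 1.2.3.4 255.255.0.0 case), an inside route that points into the VPN client subnet, and whether the nonat list exempts traffic in the direction acomiskey describes (inside network as source, client pool as destination). The next hop 1.2.0.1 and the pool 192.168.1.0/24 are assumptions.

```python
import ipaddress

# Constructed PIX-style config lines modelled on the thread (placeholder addresses, as in the thread).
SAMPLE_CONFIG = """
access-list nonat permit ip 1.2.3.4 255.255.0.0 192.168.1.0 255.255.255.0
access-list split-vpn permit ip 1.2.0.0 255.255.0.0 192.168.1.0 255.255.255.0
route inside 192.168.1.0 255.255.255.255 1.2.0.1 1
"""

def host_bits_set(addr, mask):
    """True when addr has bits set outside mask, e.g. 1.2.3.4 with 255.255.0.0."""
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    return ipaddress.IPv4Address(addr) != net.network_address

def parse_acl_entries(text):
    """Yield (acl_name, (src, mask), (dst, mask)) for 'access-list NAME permit ip' lines."""
    for line in text.splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or t[2:4] != ["permit", "ip"]:
            continue
        ends, i = [], 4
        for _ in range(2):                    # source operand, then destination operand
            if t[i] == "host":                # 'host A' is shorthand for A 255.255.255.255
                ends.append((t[i + 1], "255.255.255.255")); i += 2
            else:
                ends.append((t[i], t[i + 1])); i += 2
        yield t[1], ends[0], ends[1]

def find_issues(text, pool):
    """Flag mask mismatches in ACL entries and routes that point into the VPN client pool."""
    pool_net, issues = ipaddress.IPv4Network(pool), []
    for name, src, dst in parse_acl_entries(text):
        for addr, mask in (src, dst):
            if host_bits_set(addr, mask):
                issues.append(f"access-list {name}: {addr} {mask} mask does not match address")
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["route"]:
            dest = ipaddress.IPv4Network((t[2], t[3]), strict=False)
            if dest.subnet_of(pool_net):  # clients are reached via the tunnel, not an inside route
                issues.append(f"route {t[1]} {t[2]} {t[3]}: points into VPN pool {pool}")
    return issues

def nat_exempt_covers(text, acl, inside, pool):
    """True if an entry of acl has source covering inside and destination covering pool."""
    want_src, want_dst = ipaddress.IPv4Network(inside), ipaddress.IPv4Network(pool)
    for name, src, dst in parse_acl_entries(text):
        if name == acl and want_src.subnet_of(ipaddress.IPv4Network(src, strict=False)) \
                and want_dst.subnet_of(ipaddress.IPv4Network(dst, strict=False)):
            return True
    return False
```

Running find_issues(SAMPLE_CONFIG, "192.168.1.0/24") reports the nonat source mask and the inside route; swapping the inside and pool arguments of nat_exempt_covers shows why the reversed ACL direction does not exempt the traffic.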
