PIX 506e- No VPN Access to Inside Network

Unanswered Question

I'm new to the PIX and used the PDM Startup Wizard and VPN Wizard to configure my PIX 506e. I have very simple needs: my inside network connects to the ISP via PPPoE, and I want to be able to VPN from any outside IP address and access any address on my inside network (via various protocols including ssh).


The basic configuration works fine for all outbound traffic, but there's something wrong with the VPN configuration.


When I use my Cisco VPN client (v.4.9.01) I can authenticate and make the IPSec connection, but can't see any clients on the inside network (I tested with ping and by attempting to access a web page hosted on a client). The remote client's IP address is from the vpnlocal pool that I configured in the Wizard. I didn't think I'd need ACLs to allow specific traffic over the VPN, but I'm stumped as to why I can make the VPN connection successfully, but can't do anything with it.


Attached is the configuration for the PIX. Also attached is the log from the remote Cisco VPN client attempting to make the VPN connection.


Any help will be most appreciated!


Thanks,

Tim




acomiskey Fri, 04/13/2007 - 08:03

Always use a different subnet for your vpn client pool, not the same as inside subnet.


Add "isakmp nat-traversal" for clients behind nat/pat.


Your nat exemption acl is not correct. Should be something like...


access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0

I've resolved my problem, I think, by reconfiguring the subnet mask setting on the firewall to 255.255.0.0 (in addition to assigning vpn pool IP addresses out of the 192.168.2.0 range and enabling nat-traversal).


The only oddity I've noticed is that I can VPN and access devices on the internal network from a couple of locations, but one site using a Linksys WR54G allows the VPN connection, but still can't see devices on the inside network.


Any suggestions here would be great, and thanks for your other advice!

acomiskey Mon, 04/16/2007 - 12:24

Hmm, not sure why changing mask on the inside interface would make that work. Could you post the current config?

acomiskey Tue, 04/17/2007 - 07:07

The issue with changing the inside mask to /16 is that now the vpn client subnet is a part of that 192.168.0.0/16, which it shouldn't be. But you say it's working?

Yep, it works fine from two different sites, though not from the one behind a WR54G router for some reason.


Is there a resource for a relative network "noob" like me to find a good explanation for the IP notation you used (192.168.0.0/16)? I often see this on the Cisco site and in Cisco literature where the IP address is followed by a slash (/) and a number. I think that the number after the four octet IP refers to subnetting info, but am not sure.


Thanks for the help, and if you're not tired of me yet, I plan to post a question to this forum on setting a static translation and ACLs to allow Web traffic through the firewall. :-)


--Tim

acomiskey Thu, 04/19/2007 - 06:11

Yes, this refers to the mask. An IP address has 4 octets, 8 bits each. So for example...

/8 = 255.0.0.0

/16 = 255.255.0.0

/24 = 255.255.255.0
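An added example, not part of the thread: a small Python helper that converts between the /N prefix notation acomiskey explains and a dotted mask, checks whether a VPN client pool overlaps the inside subnet (the reason the /16 change is a problem), and builds a complete PIX nat-0 ACL line of the shape acomiskey's reply started. The inside network 192.168.1.0/24 and the pool 192.168.2.0/24 are assumed from the thread; the ACL name is the one in the reply.

```python
import ipaddress

def prefix_to_mask(prefix: int) -> str:
    """/16 -> '255.255.0.0': the slash number is the count of leading 1 bits in the mask."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)

def mask_to_prefix(mask: str) -> int:
    """'255.255.255.0' -> 24; a non-contiguous mask raises ValueError."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen

def pool_overlaps_inside(inside: str, pool: str) -> bool:
    """True when the VPN client pool shares any address with the inside subnet.

    strict=False lets an interface address such as 192.168.1.1/16 be passed;
    it is normalised to its network (192.168.0.0/16) before the comparison.
    """
    inside_net = ipaddress.ip_network(inside, strict=False)
    pool_net = ipaddress.ip_network(pool, strict=False)
    return inside_net.overlaps(pool_net)

def nat0_acl_line(acl_name: str, inside: str, pool: str) -> str:
    """Build a PIX NAT-exemption ACL entry: source inside subnet, destination VPN pool.

    PIX access-lists take dotted subnet masks (not wildcard masks).
    """
    inside_net = ipaddress.ip_network(inside, strict=False)
    pool_net = ipaddress.ip_network(pool, strict=False)
    return (f"access-list {acl_name} permit ip "
            f"{inside_net.network_address} {inside_net.netmask} "
            f"{pool_net.network_address} {pool_net.netmask}")

if __name__ == "__main__":
    # Constructed values based on the thread: inside /24, pool in 192.168.2.0.
    inside, pool = "192.168.1.0/24", "192.168.2.0/24"
    print("inside /24 overlaps pool:", pool_overlaps_inside(inside, pool))
    # After the mask change to /16 the pool falls inside the inside subnet.
    print("inside /16 overlaps pool:", pool_overlaps_inside("192.168.1.1/16", pool))
    print(nat0_acl_line("inside_outbound_nat0_acl", inside, pool))
```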
