04-13-2007 07:52 AM
I'm new to the PIX and used the PDM Startup Wizard and VPN Wizard to configure my PIX 506e. I have very simple needs: my inside network connects to the ISP via PPPoE and want to be able to VPN from any outside IP address and access any address on my inside network (via various protocols including ssh).
The basic configuration works fine for all outbound traffic, but there's something wrong with the VPN configuration.
When I use my Cisco VPN client (v.4.9.01) I can authenticate and make the IPSec connection, but can't see any clients on the inside network (I tested with ping and by attempting to access a web page hosted on a client). The remote client's IP address is from the vpnlocal pool that I configured in the Wizard. I didn't think I'd need ACLs to allow specific traffic over the VPN, but I'm stumped as to why I can make the VPN connection successfully, but can't do anything with it.
Attached is the configuration for the PIX. Also attached is the log from the remote Cisco VPN client attempting to make the VPN connection.
Any help will be most appreciated!
Thanks,
Tim
04-13-2007 08:03 AM
Always use a different subnet for your vpn client pool, not the same as inside subnet.
Add "isakmp nat-traversal" for clients behind nat/pat.
Your nat exemption acl is not correct. Should be something like...
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0
04-13-2007 08:34 PM
Thanks for the reply. I've made the suggested changes, but still have the same behavior-- I can make a remote connection, but can't access any clients on the inside network.
Attached is an updated configuration file.
Thanks for your help,
Tim
04-15-2007 02:01 PM
I've resolved my problem, I think, by reconfiguring the subnet mask setting on the firewall to 255.255.0.0 (in addition to assigning vpn pool IP addresses out of the 192.168.2.0 range and enabling nat-traversal).
The only oddity I've noticed is that I can VPN and access devices on the internal network from a couple of locations, but one site using a Linksys WR54G allows the VPN connection, but still can't see devices on the inside network.
Any suggestions here would be great, and thanks for your other advice!
04-16-2007 12:24 PM
Hmm, not sure why changing mask on the inside interface would make that work. Could you post the current config?
04-17-2007 07:02 AM
04-17-2007 07:07 AM
The issue with changing the inside mask to /16 is that now the vpn client subnet is a part of that 192.168.0.0/16, which it shouldn't be. But you say it's working?
04-18-2007 06:59 PM
Yep, it works fine from two different sites, though not from the one behind a WR54G router for some reason.
Is there a resource for a relative network "noob" like me to find a good explanation for the IP notation you used (192.168.0.0/16)? I often see this on the Cisco site and in Cisco literature where the IP address is followed by a slash (/) and a number. I think that the number after the four octet IP refers to subnetting info, but am not sure.
Thanks for the help, and if you're not tired of me yet, I plan to post a question to this forum on setting a static translation and ACLs to allow Web traffic through the firewall. :-)
--Tim
04-19-2007 06:11 AM
Yes, this refers to the mask. An IP address has 4 octets, 8 bits each. So for example...
/8 = 255.0.0.0
/16 = 255.255.0.0
/24 = 255.255.255.0
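The two recurring points in this thread, that the VPN client pool must not overlap the inside subnet (the 04-13 reply and the 04-17 follow-up about the /16 mask) and what the /N prefix notation means (the 04-19 reply), can be checked mechanically. The script below is an added example written for this thread, not something posted in it; it uses Python's standard ipaddress module. The address values are the ones mentioned in the thread (192.168.1.0/24 inside, a pool in 192.168.2.0/24, and the later /16 inside mask); the ACL name is the one from the reply, and the function names are my own.

```python
"""Subnet checks for a PIX VPN client pool versus the inside network.

Added example (not from the thread). It converts between /N prefix lengths
and dotted masks, and shows why a pool in 192.168.2.0/24 is a separate
subnet when the inside network is 192.168.1.0/24 but becomes part of the
inside network once the inside mask is widened to /16.
"""
import ipaddress


def prefix_to_mask(prefix_len: int) -> str:
    """Dotted-decimal mask for a /N prefix, e.g. 16 -> '255.255.0.0'."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)


def mask_to_prefix(mask: str) -> int:
    """Prefix length for a dotted-decimal mask, e.g. '255.255.255.0' -> 24."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def describe(net: str) -> dict:
    """Network address, mask, prefix and host count for a CIDR string.

    strict=False accepts an interface-style address such as 192.168.1.1/24
    and reports the network it belongs to.
    """
    n = ipaddress.IPv4Network(net, strict=False)
    return {
        "network": str(n.network_address),
        "mask": str(n.netmask),
        "prefix": n.prefixlen,
        "hosts": n.num_addresses - 2 if n.prefixlen < 31 else n.num_addresses,
    }


def pool_overlaps_inside(inside: str, pool: str) -> bool:
    """True when the VPN client pool shares addresses with the inside network.

    This is the condition the first reply warns against: clients get an
    address the firewall already believes is directly connected on inside.
    """
    i = ipaddress.IPv4Network(inside, strict=False)
    p = ipaddress.IPv4Network(pool, strict=False)
    return i.overlaps(p)


def nat0_acl_line(inside: str, pool: str,
                  name: str = "inside_outbound_nat0_acl") -> str:
    """Render the PIX nat-exemption ACL line for inside-to-pool traffic.

    PIX access-lists take real subnet masks (not IOS wildcard masks), which
    is the form the reply in the thread uses.
    """
    i = ipaddress.IPv4Network(inside, strict=False)
    p = ipaddress.IPv4Network(pool, strict=False)
    return (f"access-list {name} permit ip "
            f"{i.network_address} {i.netmask} {p.network_address} {p.netmask}")


def check_plan(inside: str, pool: str) -> list:
    """Return a list of findings for an inside/pool pairing (empty = fine)."""
    findings = []
    if pool_overlaps_inside(inside, pool):
        findings.append(f"pool {pool} overlaps inside network {inside}; "
                        f"use a separate subnet for the client pool")
    return findings


if __name__ == "__main__":
    for n in (8, 16, 24):
        print(f"/{n} = {prefix_to_mask(n)}")
    # The working layout from the thread: separate /24s.
    print(check_plan("192.168.1.0/24", "192.168.2.0/24"))
    print(nat0_acl_line("192.168.1.0/24", "192.168.2.0/24"))
    # The /16 inside mask makes the pool part of the inside network.
    print(check_plan("192.168.1.0/16", "192.168.2.0/24"))
```

Running it prints the three mask equivalences from the reply above, no findings for the 192.168.1.0/24 inside plus 192.168.2.0/24 pool layout together with the matching nat-exemption line, and one finding for the /16 inside mask, which is exactly the objection raised in the 04-17 reply: with that mask, 192.168.2.x is no longer a remote subnet from the firewall's point of view.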