10-22-2007 08:58 AM - edited 02-21-2020 03:19 PM
I am trying to set up VPN on my PIX 515e and I believe I am almost there but not quite.
I currently can connect to the PIX with a VPN client on the outside but I can't ping a PC that is on the inside.
Inside: 10.0.0.1
Outside: 10.0.1.1
I created an ACL test:
access-l test ext permit ip any 10.0.0.1 255.255.255.0
access-l test ext permit ip 10.0.0.1 255.255.255.0 any
and applied this to a group and created a user that inherited from this group.
I also created a PAT:
global (outside) 1 10.0.1.1
nat (inside) 1 10.0.0.0 255.255.255.0
And I made an exception for the VPN:
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
I am not sure if this is right; I have been basically piecing together stuff from all over that I have read. Thanks for any help and I will post more if needed.
10-22-2007 09:03 AM
Could you post your whole config?
10-22-2007 09:14 AM
: Saved
:
PIX Version 7.0(4)
!
hostname MTBFirewall
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.0.1.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list test extended permit ip any 10.0.0.0 255.255.255.0
access-list test extended permit ip 10.0.0.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.0.0.10-10.0.0.100
no failover
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 10.0.1.1
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Administrator internal
group-policy vpncert internal
group-policy vpncert attributes
vpn-idle-timeout 30
username reedd password CTC5SyxxMxM0xKeg encrypted privilege 15
username reedd attributes
vpn-group-policy Administrator
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpncert type ipsec-ra
tunnel-group vpncert general-attributes
address-pool vpnpool
default-group-policy vpncert
tunnel-group vpncert ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:adf3011e30aba333b6e3a7fecaac04b7
: end
10-22-2007 09:21 AM
Firstly, your vpn client pool should not be the same subnet as your inside. Also, your nat exemption acl is backwards. Change your vpn pool and go from there...
ip local pool vpnpool 192.168.1.1-192.168.1.100
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
10-22-2007 09:28 AM
Thanks for the help! I guess I need some education but I thought you want the client on the same subnet as the inside so as to act like they are on that LAN!!
So I basically will have 3 different subnets??
10-22-2007 09:30 AM
Yes. It will be like they are on your inside subnet but you don't want the subnet to be the same.
10-22-2007 09:52 AM
Ok, did that, but I still am unable to ping the inside PC from the outside one.
Could you possibly give me more info please?
Thanks a lot.
10-22-2007 09:56 AM
Try adding...
isakmp nat-traversal
10-22-2007 10:56 AM
Alright, I set up everything as instructed but I still can't ping from the outside to the inside.
I can ping from the inside to the outside, so I think it might be some ACL error or NAT error possibly.
Thanks again!
10-22-2007 11:08 AM
Post a "show run sysopt". Make sure you have sysopt connection permit-ipsec. Also, post the new config.
10-22-2007 11:41 AM
SYSOPT:
MTBFirewall(config)# sh run sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
sysopt connection permit-ipsec
MTBFirewall(config)#
CONFIG:
MTBFirewall(config)# sh run
: Saved
:
PIX Version 7.0(4)
!
hostname MTBFirewall
domain-name default.domain.invalid
enable password xxxx
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list test extended permit ip any 10.0.0.0 255.255.255.0
access-list test extended permit ip 10.0.0.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.0.3.1-10.0.3.100
no failover
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 10.0.1.1
nat (inside) 1 10.0.0.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Administrator internal
group-policy vpncert internal
group-policy vpncert attributes
vpn-idle-timeout 30
username reedd password
username reedd attributes
vpn-group-policy Administrator
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group vpncert type ipsec-ra
tunnel-group vpncert general-attributes
address-pool vpnpool
default-group-policy vpncert
tunnel-group vpncert ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
MTBFirewall(config)#
10-23-2007 06:51 AM
When you modified the ACL you most likely lost this line:
nat (inside) 0 access-list nonat
Just add it again and it should be fine.
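The three mistakes called out in this thread (the 09:21 AM reply: client pool overlapping the inside subnet and a backwards NAT exemption ACL; the 06:51 AM reply: the `nat (inside) 0 access-list nonat` binding lost when the ACL was re-entered) can be caught before a change is pushed. The following is an added example, not from the thread or from Cisco: a small Python check run over constructed excerpts of the two configs posted above (the excerpts keep only the lines the checks need).

```python
import ipaddress
import re

# Constructed excerpts of the poster's first and second configs (not full dumps).
# The second one has already lost the "nat (inside) 0" line, as the last reply notes.
FIRST_CONFIG = """\
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
ip local pool vpnpool 10.0.0.10-10.0.0.100
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.255.0
"""
SECOND_CONFIG = """\
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
ip local pool vpnpool 10.0.3.1-10.0.3.100
nat (inside) 1 10.0.0.0 255.255.255.0
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"

def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def inside_subnet(config):
    """Subnet configured on the interface named 'inside', or None if absent."""
    m = re.search(rf"nameif inside\n(?:(?!interface).*\n)*? ip address {IP} {IP}", config)
    return _net(*m.groups()) if m else None

def check_remote_access_vpn(config):
    """Return a list of findings; an empty list means all three checks passed."""
    findings, inside = [], inside_subnet(config)
    if inside is None:
        return ["no 'inside' interface with an ip address found"]
    # 1. The VPN client pool must be its own subnet, not carved out of the inside LAN.
    pool = re.search(rf"^ip local pool (\S+) {IP}-{IP}", config, re.M)
    if pool and any(ipaddress.IPv4Address(a) in inside for a in pool.groups()[1:]):
        findings.append(f"pool {pool.group(1)} overlaps inside subnet {inside}")
    for m in re.finditer(rf"^access-list (\S+) extended permit ip {IP} {IP} {IP} {IP}", config, re.M):
        name, src, dst = m.group(1), _net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))
        # 2. Exemption ACL is written from the firewall's view: inside LAN is the source.
        if dst == inside and src != inside:
            findings.append(f"acl {name} is backwards: inside {inside} must be the source")
        # 3. An exemption ACL does nothing until it is bound with "nat (inside) 0".
        if src == inside and not re.search(rf"^nat \(inside\) 0 access-list {re.escape(name)}$", config, re.M):
            findings.append(f"acl {name} is not bound: add 'nat (inside) 0 access-list {name}'")
    return findings

if __name__ == "__main__":
    for label, cfg in (("first", FIRST_CONFIG), ("second", SECOND_CONFIG)):
        print(label, check_remote_access_vpn(cfg) or "ok")
```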