Unable to get to internal resources after successfully tunneling-in!!

Unanswered Question
Nov 16th, 2007
User Badges:

I have configured an IPSec remote access VPN connection and I'm successfully able to establish the tunnel but I can not get to any of my LAN internal

resources. I'm able to ping PIX's internal interface (192.168.10.1) and even telnet to it from the VPN client, once logged into the PIX I'm able to ping all

192.168.10.0 /24 internal resources from inside interface but wont work from the VPN client (192.168.20.0 /24)


Heres the scenario



INTERNET---->1800SERIES--->PIX515e-->LAN(192.168.50.0 /24)


1800 SERIES 201.190.x.9 /30

PIX515e 201.190.x.10 /30


Below is a clean run-config regarding mostly the VPN statement for ease of reading....



PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto


nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security50


enable password T5Gug97KpLnrmPci encrypted

passwd NHrPq0iSfkVBUBUb encrypted


hostname PIX515e

domain-name tecmant.com


fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69



!!! ACL for split tunneling


access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0


!!! ACL form interesting traffic


access-list 102 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list 102 permit icmp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 echo

access-list 102 permit icmp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 echo-reply


pager lines 24

mtu outside 1500

mtu inside 1500

mtu DMZ 1500


ip address outside 201.190.X.10 255.255.255.252

ip address inside 192.168.10.1 255.255.255.0

ip address DMZ 172.16.10.1 255.255.255.0


ip audit info action alarm

ip audit attack action alarm


!!! Pool of addresses to be assigned to Remote clients


ip local pool VPNPOOL 192.168.20.0-192.168.20.254

pdm history enable

arp timeout 14400


global (outside) 1 interface

nat (outside) 1 192.168.10.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0


route outside 0.0.0.0 0.0.0.0 201.190.X.9 1


aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local


http server enable

http 192.168.10.254 255.255.255.255 inside

http 192.168.10.0 255.255.255.0 inside


no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable



!!!Allow IPSec to pass through


sysopt connection permit-ipsec



!!! IKE phase 2 negotiation


crypto ipsec transform-set TECMANT-VPN esp-3des esp-sha-hmac


crypto dynamic-map VPN-MAP 10 set transform-set TECMANT-VPN

crypto map STATIC-VPN-MAP 10 ipsec-isakmp dynamic VPN-MAP

crypto map STATIC-VPN-MAP interface outside



!!!Allow ISAKMP prot on outside int.


isakmp enable outside

isakmp identity address


!!!IKE phase 2


isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400


VPN Group Policies



vpngroup VPN-TECMANT address-pool VPNPOOL

vpngroup VPN-TECMANT dns-server 192.168.10.2

vpngroup VPN-TECMANT split-tunnel 101

vpngroup VPN-TECMANT idle-time 1800

vpngroup VPN-TECMANT password ********


telnet timeout 5

ssh 192.168.10.1 255.255.255.255 inside

ssh 192.168.0.0 255.255.0.0 inside

ssh 192.168.10.0 255.255.255.0 inside

ssh timeout 60


management-access inside

console timeout 0



!!! DHCP server enable for internal clients


dhcpd address 192.168.10.10-192.168.10.99 inside

dhcpd dns 200.91.75.5 196.40.31.66

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

terminal width 80


Cryptochecksum:8c64136e5261c33e7c9f19d288e40deb

: end


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
ajagadee Fri, 11/16/2007 - 09:14
User Badges:
  • Cisco Employee,

You need NAT 0 configuration to bypass NAT for vpn clients.


nat (inside) 0 access-list 110


access-list 110 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0


This should solve your IP Reachability issue from the VPN Clients.


Also, I am curious to know why you have this statement in the configuration.


nat (outside) 1 192.168.10.0 255.255.255.0 0 0


Regards,

Arul


* Please rate helpful posts *

glenn.guzman Fri, 11/16/2007 - 16:47
User Badges:

Thx a bunch!! Working just fine....

btw...

about the nat (outside) 1 192.168.10.0 255.255.255.0 0 0 statement... thats a typo.. i forgot to exclude that on the running-config i posted...

ajagadee Sun, 11/18/2007 - 08:08
User Badges:
  • Cisco Employee,

Thanks for the update and rating.


Regards,

Arul

Actions

This Discussion