Unable to get to internal resources after successfully tunneling-in!!

Unanswered Question
Nov 16th, 2007

I have configured an IPSec remote access VPN connection and I'm successfully able to establish the tunnel but I can not get to any of my LAN internal

resources. I'm able to ping PIX's internal interface (192.168.10.1) and even telnet to it from the VPN client, once logged into the PIX I'm able to ping all

192.168.10.0 /24 internal resources from inside interface but wont work from the VPN client (192.168.20.0 /24)

Heres the scenario

INTERNET---->1800SERIES--->PIX515e-->LAN(192.168.50.0 /24)

1800 SERIES 201.190.x.9 /30

PIX515e 201.190.x.10 /30

Below is a clean run-config regarding mostly the VPN statement for ease of reading....

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security50

enable password T5Gug97KpLnrmPci encrypted

passwd NHrPq0iSfkVBUBUb encrypted

hostname PIX515e

domain-name tecmant.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

!!! ACL for split tunneling

access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

!!! ACL form interesting traffic

access-list 102 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list 102 permit icmp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 echo

access-list 102 permit icmp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 echo-reply

pager lines 24

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

ip address outside 201.190.X.10 255.255.255.252

ip address inside 192.168.10.1 255.255.255.0

ip address DMZ 172.16.10.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

!!! Pool of addresses to be assigned to Remote clients

ip local pool VPNPOOL 192.168.20.0-192.168.20.254

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (outside) 1 192.168.10.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 201.190.X.9 1

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.10.254 255.255.255.255 inside

http 192.168.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

!!!Allow IPSec to pass through

sysopt connection permit-ipsec

!!! IKE phase 2 negotiation

crypto ipsec transform-set TECMANT-VPN esp-3des esp-sha-hmac

crypto dynamic-map VPN-MAP 10 set transform-set TECMANT-VPN

crypto map STATIC-VPN-MAP 10 ipsec-isakmp dynamic VPN-MAP

crypto map STATIC-VPN-MAP interface outside

!!!Allow ISAKMP prot on outside int.

isakmp enable outside

isakmp identity address

!!!IKE phase 2

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

VPN Group Policies

vpngroup VPN-TECMANT address-pool VPNPOOL

vpngroup VPN-TECMANT dns-server 192.168.10.2

vpngroup VPN-TECMANT split-tunnel 101

vpngroup VPN-TECMANT idle-time 1800

vpngroup VPN-TECMANT password ********

telnet timeout 5

ssh 192.168.10.1 255.255.255.255 inside

ssh 192.168.0.0 255.255.0.0 inside

ssh 192.168.10.0 255.255.255.0 inside

ssh timeout 60

management-access inside

console timeout 0

!!! DHCP server enable for internal clients

dhcpd address 192.168.10.10-192.168.10.99 inside

dhcpd dns 200.91.75.5 196.40.31.66

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

terminal width 80

Cryptochecksum:8c64136e5261c33e7c9f19d288e40deb

: end

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
ajagadee Fri, 11/16/2007 - 09:14

You need NAT 0 configuration to bypass NAT for vpn clients.

nat (inside) 0 access-list 110

access-list 110 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

This should solve your IP Reachability issue from the VPN Clients.

Also, I am curious to know why you have this statement in the configuration.

nat (outside) 1 192.168.10.0 255.255.255.0 0 0

Regards,

Arul

* Please rate helpful posts *

glenn.guzman Fri, 11/16/2007 - 16:47

Thx a bunch!! Working just fine....

btw...

about the nat (outside) 1 192.168.10.0 255.255.255.0 0 0 statement... thats a typo.. i forgot to exclude that on the running-config i posted...

Actions

This Discussion