Remote access VPN issues using Pix 501

Jan 28th, 2008

We have taken over a network where there was little to no documentation. I have a remote access VPN terminated on a Pix 501 that is having a connectivity issue. I can connect using Cisco VPN Client. There is a server on the inside network that is used for mail etc. It has an IP of 192.168.0.4. I cannot ping it from my VPN session but from the Pix itself, I can ping it. There are different source IP's as the IP pool for the VPN session is 172.16.x.x and the inside network is 192.168.x.x. I can ping other hosts on the same inside network that are in the ARP table of the Pix. I have attached the configuration of the Pix 501. After researching, I cannot figure out what the issue is. I was assuming it was the route inside 172.16.x.x was set incorrectly but I can ping some hosts on the 192.168.x.x network. Thanks



ajagadee Mon, 01/28/2008 - 17:57
User Badges: Cisco Employee

route inside 172.16.0.0 255.255.0.0 192.168.5.1


The above static route looks interesting, and it's not even pointing to an IP address that is on the same subnet as the inside interface.


I would remove the route and see if you are able to ping the 0.4 address. Also, I see a static configured for the 0.4 address, so did you get a chance to do a clear xlate after you configured the VPN Client and applied the NAT 0 command to bypass NAT for IPSEC traffic?


Regards,

Arul


** Please rate all helpful posts **

mark.blanchfield Mon, 01/28/2008 - 18:22

Arul,


Hi. Thanks for responding. I did try and remove that route inside command and I still could not ping the server. I also tried removing those static translations and did a clear xlate but still no luck. This one has me puzzled. Especially since I can ping other hosts on that network and also ping the server but only from the Pix. The source on the Pix would be different 192.168.0.x than when I am connected using the VPN 172.16.1.x. That is the biggest difference. If it was routing, I would assume I could not ping any host on the 192.168.0.x network from the VPN session. I did remove that route inside as all of the other config examples did not have a specific route statement for the local pool even though it is not on the inside network. I have limited knowledge of their network as we just were told to manage it. Thanks again.

ajagadee Mon, 01/28/2008 - 19:21

Mark,


Can you try sending something like 100 pings to the 0.4 server and post the output of "show crypto ipsec sa"? I am interested in the encrypts/decrypts values to see whether the packets are even making it to the server or not.


Regards,

Arul


** Please rate all helpful posts **

mark.blanchfield Tue, 01/29/2008 - 04:49

Arul,


Hi. Thanks for responding. Attached is the output of the show crypto ipsec sa after sending the pings to the server. Also, I cannot get on the server for a day or so as it is at a remote property and we are just taking over their network but I will check the gateway settings when I can. Thanks.

ajagadee Tue, 01/29/2008 - 06:05

Mark,


Thanks! From the outputs it is clear that the packets are making it to the Pix. Now the question is the routing on the server.


Will wait for your update.


Regards,

Arul


** Please rate all helpful posts **

ajagadee Mon, 01/28/2008 - 19:25

Mark,


Can you also check the routing on the 0.4 server? Is the default gateway of that server pointing to the Pix 501, or does it have a route for 172.16.0.0 pointing to the Pix 501 inside interface?


Regards,

Arul


** Please rate all helpful posts **

mark.blanchfield Tue, 01/29/2008 - 06:15

Arul,


Thanks for responding. I tried changing the local pool to the 192.168.0.x network but still cannot ping the server. What is confusing is that I can ping the server from the Pix when I SSH into it?? That is what I cannot get. It does seem that the server can reach the Pix as I can ping it from the Pix. Thanks again for your assistance on this.

mark.blanchfield Tue, 01/29/2008 - 06:43

Also, I cannot ping the switch that is directly connected behind the Pix. It has an IP of 192.168.0.8. I can ping it from the Pix but not from the VPN session. Those are the same symptoms as the server that is plugged into that switch. There are no separate VLANs on the switch that might separate the traffic. I have the config for the switch but I cannot access it. Thanks.

ajagadee Tue, 01/29/2008 - 06:46

Can you post the configuration from the switch? It looks like a default gateway or routing issue on the switch and server.


You are able to ping from the Pix because the inside interface belongs to the same subnet and they belong to the same VLAN. So, this will work without a default gateway on the server or switch. But for any traffic other than the one you are connected on, you need a default gateway or proper routing.


Regards,

Arul


** Please rate all helpful posts **
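The routing logic behind Arul's two observations (the static route whose next hop 192.168.5.1 is not on the inside interface's subnet, and a host that answers the Pix but not VPN clients because it has no usable default gateway) can be checked mechanically. The script below is an added example written for this thread, not code from the original posts or from Cisco. It assumes a /24 inside subnet and that the Pix inside interface is 192.168.0.1; the VPN client address 172.16.1.10 and the server netmask are constructed sample values.

```python
"""Model the forwarding decision of a host on the inside LAN and sanity-check
a static route's next hop.  Added example; addresses other than those quoted
in the thread (192.168.0.4, 192.168.0.8, 192.168.5.1, 172.16.x.x) are assumed."""
import ipaddress
from typing import Optional


def next_hop_is_on_link(iface_ip: str, next_hop: str) -> bool:
    """Return True if a static route's next hop lies inside the interface's own
    subnet.  A next hop outside it can never be resolved with ARP, which is the
    problem with 'route inside 172.16.0.0 255.255.0.0 192.168.5.1'."""
    iface = ipaddress.ip_interface(iface_ip)
    return ipaddress.ip_address(next_hop) in iface.network


def host_reply_path(host_ip: str, gateway: Optional[str], dst: str) -> str:
    """Decide how a host with address host_ip (CIDR form) and an optional
    default gateway would send a reply to dst.

    'direct'        - dst is on the host's own subnet, so ARP alone suffices.
    'via-gateway X' - dst is off-link and the gateway is itself on-link.
    'unreachable'   - dst is off-link and there is no usable gateway.
    """
    iface = ipaddress.ip_interface(host_ip)
    if ipaddress.ip_address(dst) in iface.network:
        return "direct"
    if gateway is not None and ipaddress.ip_address(gateway) in iface.network:
        return f"via-gateway {gateway}"
    return "unreachable"


def thread_scenarios() -> dict:
    """Reproduce the symptoms described in the thread.  The Pix inside address
    192.168.0.1 and the VPN client address 172.16.1.10 are assumed."""
    pix_inside = "192.168.0.1"
    vpn_client = "172.16.1.10"
    server_no_gw = ("192.168.0.4/24", None)
    server_with_gw = ("192.168.0.4/24", pix_inside)
    return {
        # Ping from the Pix itself: same subnet, works even with no gateway.
        "pix->server, no gateway": host_reply_path(*server_no_gw, pix_inside),
        # Ping from the VPN pool: off-link, no gateway -> reply never leaves.
        "vpn->server, no gateway": host_reply_path(*server_no_gw, vpn_client),
        # Same ping once the server points its default gateway at the Pix.
        "vpn->server, gateway=pix": host_reply_path(*server_with_gw, vpn_client),
        # The suspicious static route from the original config.
        "route next hop 192.168.5.1 on-link": next_hop_is_on_link(
            f"{pix_inside}/24", "192.168.5.1"
        ),
    }


if __name__ == "__main__":
    for label, result in thread_scenarios().items():
        print(f"{label}: {result}")
```

Running it shows the asymmetry Mark observed: the server replies to 192.168.0.1 directly but has no path back to 172.16.1.10 until a gateway on its own subnet is configured, and the inherited static route's next hop fails the on-link test, which is why Arul recommended removing it.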

mark.blanchfield Tue, 01/29/2008 - 06:59

Arul,


Just found out that there is no gateway set on the switch, and the server is set to an IP address that I have no idea what it is, so there is a good possibility it is set incorrectly. We have techs going there tomorrow to change it to the proper IP. Thanks again!!

ajagadee Tue, 01/29/2008 - 07:00

Mark,


Thanks for the update and Rating :-)


Regards,

Arul
