02-07-2008 07:04 AM - edited 03-11-2019 05:00 AM
I'm trying to ping and connect to my internal network through a VPN connection.
The VPN connection is being made and I get an IP address on the client computer.
When I try to ping something in the internal network it does not work.
These are my ACL rules:
access-list 100 extended permit ip 10.0.0.0 255.0.0.0 128.2.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.10.0 255.255.255.0 128.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 128.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list splittunnel standard permit 10.0.0.0 255.0.0.0
access-list splittunnel standard permit 128.2.0.0 255.255.0.0
access-list inside_access_in extended permit ip any 10.0.0.0 255.0.0.0
access-list outside_access_in extended permit ip any 10.0.0.0 255.0.0.0
route inside 10.0.0.0 255.0.0.0 10.1.1.2 1
route outside 0.0.0.0 0.0.0.0 [external IP] 1
Can anyone tell me why it isn't working properly?
02-09-2008 07:39 AM
Hi Tristan
First of all, you should correct your split tunnel ACLs:
no access-list splittunnel standard permit 10.0.0.0 255.0.0.0
no access-list splittunnel standard permit 128.2.0.0 255.255.0.0
access-list splittunnel extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list splittunnel extended permit ip 128.2.0.0 255.255.0.0 192.168.10.0 255.255.255.0
Where is 128.2.0.0 located? There is no route to that network, so you can never reach this subnet.
Make sure the following route exists in the router with IP 10.1.1.2:
ip route 192.168.10.0 255.255.255.0 10.1.1.7
For testing connectivity, use telnet with the desired port instead of ping. You should allow icmp to get ping working, and issue some commands like the following:
management-access inside
policy-map global_policy
class inspection_default
inspect icmp
Regards
02-07-2008 07:11 AM
Post a config or check the config for "isakmp nat-traversal" or "crypto isakmp nat-traversal".
02-07-2008 07:34 AM
Hi
Checklist:
1. sysopt connection permit-vpn
2. nat 0 for the inside hosts against the vpn-pool
Regards,
Stefan
02-07-2008 08:26 AM
I've got the lines sysopt connection permit-vpn and isakmp nat-traversal in my config.
What do you mean by:
2. nat 0 for the inside hosts against the vpn-pool?
02-07-2008 08:27 AM
He means this and it looks like you've already got it...
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 128.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
02-07-2008 08:28 AM
I also have these lines:
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.0.0.0
02-07-2008 08:29 AM
Can you post the config? What is the client pool?
02-08-2008 12:58 AM
hostname pixfirewall
domain-name default.domain.invalid
enable password * encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address [External IP]
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.7 255.255.0.0
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list 100 extended permit ip 10.0.0.0 255.0.0.0 128.2.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.10.0 255.255.255.0 128.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 128.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list splittunnel standard permit 10.0.0.0 255.0.0.0
access-list splittunnel standard permit 128.2.0.0 255.255.0.0
access-list inside_access_in extended permit ip any 10.0.0.0 255.0.0.0
access-list outside_access_in extended permit ip any 10.0.0.0 255.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.10.1-192.168.10.254
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 10.0.0.0 255.0.0.0 10.1.1.2 1
route outside 0.0.0.0 0.0.0.0 [EXTERNAL IP] 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server RADIUS host 10.1.8.40
key [RADIUS KEY]
radius-common-pw [RADIUS KEY]
aaa-server myradius protocol radius
aaa-server myradius host 10.1.8.40
timeout 5
key [RADIUS KEY]
group-policy clientgroup internal
group-policy clientgroup attributes
vpn-idle-timeout 20
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
http server enable
http *.*.*.* 255.255.0.0 inside
http *.*.*.* 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map argenta 20 set transform-set myset
crypto map mymap 10 match address 100
crypto map mymap 10 set peer [Client VPN IP]
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic [Client Name]
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group [Client VPN IP] type ipsec-l2l
tunnel-group [Client VPN IP] ipsec-attributes
pre-shared-key *
tunnel-group dailin type ipsec-ra
tunnel-group dailin general-attributes
address-pool vpnpool
authentication-server-group RADIUS
default-group-policy clientgroup
tunnel-group dailin ipsec-attributes
pre-shared-key *
telnet *.*.*.* 255.255.255.0 inside
telnet *.*.*.* 255.255.0.0 inside
telnet timeout 240
ssh timeout 5
console timeout 0
no dhcpd address 10.1.1.8-10.1.2.7 inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
[LIST TRUNCATED]
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:*
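As an added, defender-side check (example code written for this page, not from the thread or from Cisco), the script below runs the checklist discussed in this thread (sysopt connection permit-vpn, nat 0 for the inside hosts against the vpn-pool, isakmp nat-traversal, and whether the split-tunnel list the group policy references actually exists) over a constructed excerpt of the config posted above. The regexes assume the PIX 7.x line formats shown in that config, and the inside range 10.0.0.0/8 is an assumption taken from its nat statement.

```python
import ipaddress
import re
# Constructed excerpt of the PIX config posted above (only the lines the checklist touches).
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 128.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list splittunnel standard permit 10.0.0.0 255.0.0.0
ip local pool vpnpool 192.168.10.1-192.168.10.254
nat (inside) 0 access-list nonat
split-tunnel-network-list value splittunnel
crypto isakmp nat-traversal 20
address-pool vpnpool
"""

# Extended ACE: access-list NAME extended permit ip SRC SMASK DST DMASK
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", re.M)

def pool_range(cfg):
    """First and last address of the pool named by the tunnel-group's 'address-pool'."""
    ref = re.search(r"^\s*address-pool (\S+)", cfg, re.M)
    pool = ref and re.search(rf"^ip local pool {re.escape(ref.group(1))} (\S+)-(\S+)", cfg, re.M)
    return (ipaddress.ip_address(pool.group(1)), ipaddress.ip_address(pool.group(2))) if pool else None

def nat_exempt_covers_pool(cfg, inside="10.0.0.0/8"):
    """Checklist item 2: does the 'nat (inside) 0' ACL exempt inside -> VPN pool from NAT?"""
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    pool = pool_range(cfg)
    if not nat0 or not pool:
        return False
    inside_net = ipaddress.ip_network(inside)
    for acl, src, smask, dst, dmask in ACE_RE.findall(cfg):
        src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        # Covered only if the whole inside range is a source and both pool ends are destinations
        if acl == nat0.group(1) and inside_net.subnet_of(src_net) and all(a in dst_net for a in pool):
            return True
    return False

def check_vpn_config(cfg):
    """Run the thread's checklist over a running-config and return the findings."""
    split = re.search(r"^\s*split-tunnel-network-list value (\S+)", cfg, re.M)
    return {
        "permit_vpn": ("disabled" if re.search(r"^no sysopt connection permit-vpn", cfg, re.M)
                       else "enabled" if re.search(r"^sysopt connection permit-vpn", cfg, re.M)
                       else "not shown"),
        "nat_traversal": bool(re.search(r"^crypto isakmp nat-traversal", cfg, re.M)),
        "nat_exempt_covers_pool": nat_exempt_covers_pool(cfg),
        "split_tunnel_list_defined": bool(split and re.search(
            rf"^access-list {re.escape(split.group(1))} ", cfg, re.M)),
    }
```

Running `check_vpn_config` over the posted config reports the permit-vpn line as "not shown", which is worth noticing given the poster's statement that it is present.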