PIX 501--Software VPN connection, client can't reach LAN

julianunderwood
Level 1

Dear Netpros,

I have a PIX 501 which I have set up to accept connections via Cisco VPN client. I am able to connect and receive an IP from the NEW_VPN_POOL, but I can't reach hosts on the LAN 192.168.1.0/24. I think my access rule 201 needs to be modified but I am not sure. Could you look at my config and suggest what I may need to add? Many thank yous, Julian

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname firewall
domain-name fw.com
clock timezone EST -5
clock summer-time EDT recurring
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit icmp any any
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list pub [permit a bunch of stuff]
access-list 101 permit ip any any
pager lines 24
logging on
logging console errors
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool NEW_VPN_POOL 192.168.200.1-192.168.200.254
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 102
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.1.4 netmask 255.255.255.255 0 0
access-group pub in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 gw 1
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 11 set transform-set myset
crypto map mymap 11 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local NEW_VPN_POOL outside
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 86400
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption des
isakmp policy 22 hash md5
isakmp policy 22 group 2
isakmp policy 22 lifetime 86400
vpngroup CSH_OFFSITE address-pool NEW_VPN_POOL
vpngroup CSH_OFFSITE dns-server 192.168.1.1
vpngroup CSH_OFFSITE wins-server 192.168.1.1
vpngroup CSH_OFFSITE default-domain password
vpngroup CSH_OFFSITE idle-time 1800
vpngroup CSH_OFFSITE password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn enable outside
dhcpd address 192.168.1.248-192.168.1.254 inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end

1 Reply

julianunderwood
Level 1

I solved my own problem with this command:

isakmp nat-traversal [natkeepalive]

Thanks,

Julian
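A small config lint, added here as an example and not part of the thread, that reads a constructed excerpt of the posted PIX config and checks the two things that most often break client-to-LAN traffic in this kind of setup: the VPN client pool not being covered by the nat 0 exemption ACL, and isakmp nat-traversal being absent (the command Julian added). It also flags the DES, MD5 and group 1 settings in the posted transform-set and ISAKMP policies, which are weak by current standards; the pool-coverage check is general and goes beyond this thread's exact case.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the config posted in the thread (only the lines the checks need).
PIX_CONFIG = """\
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
ip local pool NEW_VPN_POOL 192.168.200.1-192.168.200.254
nat (inside) 0 access-list 102
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
vpngroup CSH_OFFSITE address-pool NEW_VPN_POOL
"""

# Cipher, hash and DH-group tokens that are broken or too weak today.
WEAK_TOKENS = re.compile(r"\b(des|md5|group [12])\b")


def check_vpn_config(cfg):
    """Return findings: pool not NAT-exempted, NAT-T missing, weak crypto lines."""
    findings = []
    # Client address pools, name -> (first address, last address).
    pools = {m[1]: (ip_address(m[2]), ip_address(m[3]))
             for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)}
    # Destination networks exempted from NAT via every 'nat (inside) 0 access-list' ACL.
    exempt = []
    for acl in re.findall(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M):
        pat = rf"^access-list {re.escape(acl)} permit ip \S+ \S+ (\S+) (\S+)"
        for m in re.finditer(pat, cfg, re.M):
            exempt.append(ip_network(f"{m[1]}/{m[2]}", strict=False))
    for grp, pool in re.findall(r"^vpngroup (\S+) address-pool (\S+)", cfg, re.M):
        if pool not in pools:
            findings.append(f"{grp}: address-pool {pool} is not defined")
        elif not any(pools[pool][0] in n and pools[pool][1] in n for n in exempt):
            findings.append(f"{grp}: pool {pool} is not covered by a nat 0 exemption ACL")
    if not re.search(r"^isakmp nat-traversal", cfg, re.M):
        findings.append("isakmp nat-traversal is off: clients behind NAT/PAT will not pass traffic")
    for m in re.finditer(r"^(?:crypto ipsec transform-set|isakmp policy) .*$", cfg, re.M):
        if WEAK_TOKENS.search(m[0]):
            findings.append(f"weak crypto: {m[0]}")
    return findings


if __name__ == "__main__":
    for finding in check_vpn_config(PIX_CONFIG):
        print(finding)
```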
