VPN clients can only see DHCPed IPs

Answered Question
Apr 11th, 2008

We are running a PIX 501 (6.3)

We have it set up as a firewall/vpn router on a DSL modem.

We have several computer on the inside interface, IP range 192.168.1.0

The PIX is set to give out DHCP address from 192.168.1.2 to .33

If the PIXs gives a computer an IP via DHCP outside VPN clients can contact it. If the computer self assigns its IP, either in the DHCP range or outside it, none of the VPN Clients can get to it.

This is Bad. I have several servers that need to be VPN accessible, and can not put them on DHCP and have their IPs change constantly.

Please help, I'm pulling my hair out.

Here is my config:

PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XXXXXXX encrypted

passwd XXXXXXX encrypted

hostname XXXX

domain-name xxxxx

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list nonat permit ip 192.168.1.0 255.255.255.224 192.100.1.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit icmp any any

access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.224 192.100.1.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 192.100.1.200-192.100.1.220

pdm location 192.168.1.0 255.255.255.224 inside

pdm location 192.100.1.0 255.255.255.0 outside

pdm location 0.0.0.0 255.255.255.255 inside

pdm location 192.168.1.0 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-sha esp-aes-256 esp-sha-hmac

crypto dynamic-map dynmap 20 set transform-set ESP-3DES-sha

crypto map outside_map 500 ipsec-isakmp dynamic dynmap

crypto map outside_map interface outside

isakmp enable outside

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup maxhrvpn address-pool ippool

vpngroup maxhrvpn dns-server 67.69.184.199 67.69.184.7

vpngroup maxhrvpn split-tunnel outside_cryptomap_dyn_20

vpngroup maxhrvpn idle-time 1800

vpngroup maxhrvpn password ********

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

management-access inside

console timeout 0

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname [email protected]

vpdn group pppoex ppp authentication pap

vpdn username xxxxxxx password *********

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd dns 67.x.x.199 67.69.184.7

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

I have this problem too.
0 votes
Correct Answer by acomiskey about 8 years 8 months ago

Whenever you remove your nonat acl, the nat (inside) 0 access-list nonat command will be removed. You need to add it back.

nat (inside) 0 access-list nonat

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.3 (3 ratings)
Loading.
acomiskey Fri, 04/11/2008 - 06:56

Check your mask on your nat exemption and crypto acl.

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.100.1.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.100.1.0 255.255.255.0

Make sure the computers you are hardcoding ip's on have the correct gateway.

tom.priore Fri, 04/11/2008 - 07:14

should the mask of the external IP Pool (192.168.100.1) match the size of our pool, 32 addresses?

If the mask were wrong, wouldn't connections fail to everything?

the clients inside are getting a 192.168.1.1 gateway either manually or by DHCP.

Thanks

acomiskey Fri, 04/11/2008 - 07:17

"should the mask of the external IP Pool (192.168.100.1) match the size of our pool, 32 addresses?"

-Shouldn't matter, either way is fine. The problem is your initial acl's had a mask which would only allow 192.168.1.0 255.255.255.224 to be reached by the vpn clients.

Also, your external pool isn't 192.168.100.1, it's 192.100.1.0.

tom.priore Fri, 04/11/2008 - 07:29

OK now it reads:

access-list nonat permit ip 192.168.1.0 255.255.255.224 192.168.100.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit icmp any any

access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

I have a system at 192.168.1.21 with a gateway of 192.168.1.1 and it is still not pingable from 192.168.100.0

Thanks for the help.

tom.priore Fri, 04/11/2008 - 07:33

I meant:

access-list nonat permit ip 192.168.1.0 255.255.255.224 192.168.100.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit icmp any any

access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

acomiskey Fri, 04/11/2008 - 07:38

I thought your pool was 192.100.1.0? If so it should read...

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.100.1.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.100.1.0 255.255.255.0

You don't need the icmp in your crypto acl.

tom.priore Fri, 04/11/2008 - 07:53

Still not there..

Will taking out the icmp disable ping?

It now reads:

PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname gozar

domain-name xxxxxx

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 192.168.1.7 tftp-host

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.100.1.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.100.1.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 192.168.100.200-192.168.100.220

pdm location 192.168.1.0 255.255.255.224 inside

pdm location 0.0.0.0 255.255.255.255 inside

pdm location 192.168.1.0 255.255.255.255 inside

pdm location 68.50.110.0 255.255.255.0 outside

pdm location 68.50.110.165 255.255.255.255 inside

pdm location 68.50.110.165 255.255.255.255 outside

pdm location 192.168.100.0 255.255.255.0 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 0.0.0.0 0.0.0.0 outside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside tftp-host pixflash

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-sha esp-aes-256 esp-sha-hmac

crypto dynamic-map dynmap 20 set transform-set ESP-3DES-sha

crypto map outside_map 500 ipsec-isakmp dynamic dynmap

crypto map outside_map interface outside

isakmp enable outside

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup maxvpn address-pool ippool

vpngroup maxvpn dns-server 67.69.184.199

vpngroup maxvpn idle-time 1800

vpngroup maxvpn password ********

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

management-access inside

console timeout 0

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname [email protected]

vpdn group pppoex ppp authentication pap

vpdn username xxxxxx password ********

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd dns 67.69.184.199 67.69.184.7

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:xxx

acomiskey Fri, 04/11/2008 - 07:58

You're missing...

nat (inside) 0 access-list nonat

"Will taking out the icmp disable ping?"

-No.

tom.priore Fri, 04/11/2008 - 08:56

Thanks for all your help.

I'm still not there yet.

The Nats read:

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

The Access list reads:

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.100.1.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.100.1.0 255.255.255.0

Does the order matter?

how about the pdm entries:

pdm location 192.168.1.0 255.255.255.224 inside

pdm location 0.0.0.0 255.255.255.255 inside

pdm location 192.168.1.0 255.255.255.255 inside

pdm location 68.50.110.0 255.255.255.0 outside

pdm location 68.50.110.165 255.255.255.255 inside

pdm location 68.50.110.165 255.255.255.255 outside

pdm location 192.168.100.0 255.255.255.0 outside

acomiskey Fri, 04/11/2008 - 09:25

Same problems as before?

Acl's look fine, order doesn't matter. PDM entries don't matter either.

You left off your split tunnel...

vpngroup maxhrvpn split-tunnel outside_cryptomap_dyn_20

tom.priore Fri, 04/11/2008 - 10:04

Hmm. I added the split tunnel. Now I can only ping 192.168.1.1 and nothing else.

How does the split tunnel work? Do I need to send routing down to the client.

acomiskey Fri, 04/11/2008 - 10:15

All the split tunnel says is "This is the traffic I want to be tunneled, or part of the vpn". So in your case it would be what you defined here...

access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.100.1.0 255.255.255.0

Post your new config.

tom.priore Fri, 04/11/2008 - 10:21

Here it is:

PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx encrypted

passwd xxxx encrypted

hostname gozar

domain-name xxxxx

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 192.168.1.7 tftp-host

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.100.1.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.100.1.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 192.168.100.200-192.168.100.220

pdm location 192.168.1.0 255.255.255.224 inside

pdm location 0.0.0.0 255.255.255.255 inside

pdm location 192.168.1.0 255.255.255.255 inside

pdm location 68.50.110.0 255.255.255.0 outside

pdm location 68.50.110.165 255.255.255.255 inside

pdm location 68.50.110.165 255.255.255.255 outside

pdm location 192.168.100.0 255.255.255.0 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside tftp-host pixflash

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-sha esp-aes-256 esp-sha-hmac

crypto dynamic-map dynmap 20 set transform-set ESP-3DES-sha

crypto map outside_map 500 ipsec-isakmp dynamic dynmap

crypto map outside_map interface outside

isakmp enable outside

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup maxvpn address-pool ippool

vpngroup maxvpn dns-server 67.69.184.199

vpngroup maxvpn idle-time 1800

vpngroup maxvpn password ********

vpngroup maxhrvpn split-tunnel outside_cryptomap_dyn_20

vpngroup maxhrvpn idle-time 1800

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

management-access inside

console timeout 0

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname xxxxx

vpdn group pppoex ppp authentication pap

vpdn username xxxxx password ********

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd dns 67.69.184.199 67.69.184.7

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

acomiskey Fri, 04/11/2008 - 10:27

You changed your pool!

ip local pool ippool 192.168.100.200-192.168.100.220

should be...

ip local pool ippool 192.100.1.200-192.100.1.220

Keeping my fingers crossed.

Just so you understand, the pool needs to be reflected in your nonat and split tunnel acl's. So it could be...

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.100.1.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.100.1.0 255.255.255.0

ip local pool ippool 192.100.1.200-192.100.1.220

or...

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

ip local pool ippool 192.168.100.200-192.168.100.220

tom.priore Fri, 04/11/2008 - 10:41

I changes the pool/access list to match.

still no contact to anything but 192.168.1.1

PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxx encrypted

passwd xxxxxx encrypted

hostname xxxxx

domain-name xxxxx

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 192.168.1.7 tftp-host

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 192.168.100.200-192.168.100.220

pdm location 192.168.1.0 255.255.255.224 inside

pdm location 0.0.0.0 255.255.255.255 inside

pdm location 192.168.1.0 255.255.255.255 inside

pdm location 68.50.110.0 255.255.255.0 outside

pdm location 68.50.110.165 255.255.255.255 inside

pdm location 68.50.110.165 255.255.255.255 outside

pdm location 192.168.100.0 255.255.255.0 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside tftp-host pixflash

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-sha esp-aes-256 esp-sha-hmac

crypto dynamic-map dynmap 20 set transform-set ESP-3DES-sha

crypto map outside_map 500 ipsec-isakmp dynamic dynmap

crypto map outside_map interface outside

isakmp enable outside

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup maxvpn address-pool ippool

vpngroup maxvpn dns-server 67.69.184.199

vpngroup maxvpn idle-time 1800

vpngroup maxvpn password ********

vpngroup maxhrvpn split-tunnel outside_cryptomap_dyn_20

vpngroup maxhrvpn idle-time 1800

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

management-access inside

console timeout 0

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname xxxxxx

vpdn group pppoex ppp authentication pap

vpdn username xxxxx password xxxx

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd dns 67.69.184.199 67.69.184.7

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Correct Answer
acomiskey Fri, 04/11/2008 - 10:44

Whenever you remove your nonat acl, the nat (inside) 0 access-list nonat command will be removed. You need to add it back.

nat (inside) 0 access-list nonat

tom.priore Fri, 04/11/2008 - 12:54

It works! Thanks for your help I owe you one.

We even had a cisco engineer tell us that the VPN could only connect to DHCPed clients. I knew he was wrong!

acomiskey Fri, 04/11/2008 - 15:55

Good deal, glad it worked out. Please rate any posts you found helpful.

Actions

This Discussion