Unable to access the remote Host

Anand Narayana
Level 6

Below is my client's PIX configuration. The problem here is: whenever he uses a Cisco VPN dialer, he is able to connect to the VPN, but unable to access any host at the remote location; but with the same VPN dialer & the VPN pcf file, when he is using a broadband connection which doesn't route through this PIX (or is not behind the PIX), it works fine. One more thing I noticed is: only when I give a static NAT is it able to access the PC at the remote location & not through a GLOBAL NAT, when the PC is behind the PIX.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxx encrypted
enable password xxx encrypted
passwd ta.qizy4R//ChqQH encrypted
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 110 permit ip any any
access-list 120 permit icmp any any
access-list 120 permit esp any any
logging console warnings
logging monitor warnings
logging buffered notifications
logging trap debugging
logging queue 0
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.x 255.255.255.240
ip address inside 192.168.0.1 255.255.0.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool homeuser_vpn 192.168.1.1-192.168.1.254
pdm location 192.168.0.80 255.255.255.255 inside
pdm location 192.168.0.207 255.255.255.255 inside
pdm location 0.0.0.0 0.0.0.0 outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.66
nat (inside) 0 access-list 123nonat
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
static (inside,outside) x.x.x.70 192.168.3.1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.76 192.168.3.2 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.77 192.168.3.3 netmask 255.255.255.255 0 0
access-group 120 in interface outside
access-group 110 in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
ntp server x.x.x.x source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.207 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.197 255.255.255.255 inside
telnet 192.168.0.80 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username admin password xxxx encrypted privilege 15
username admin1 password xxx encrypted privilege 2
terminal width 80
Cryptochecksum:xxx
: end
123#
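As an added example (not part of the thread and not Cisco code), the following Python checker reads a trimmed, constructed copy of the configuration posted above and flags the points that matter in this thread: the nat 0 line references access-list 123nonat, which does not appear in the posted text (the first thing the accepted answer asks to verify), and the outside ACL permits esp but not udp/4500, which NAT-T needs. As side findings a reviewer of this config would raise, it also reports http and ssh management permitted from 0.0.0.0/0 on the outside interface and the default SNMP community "public". The parser understands only the command forms shown; FIX_LINES are the three lines the accepted answer proposes, and the check is rerun with them appended to show which findings they clear.

```python
"""Static sanity checks for a PIX 6.x configuration (added example, not Cisco code).

SAMPLE_CONFIG is a constructed, trimmed copy of the configuration posted in
this thread; FIX_LINES are the three lines the accepted answer proposes.
"""
from collections import defaultdict

SAMPLE_CONFIG = """\
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 110 permit ip any any
access-list 120 permit icmp any any
access-list 120 permit esp any any
global (outside) 1 x.x.x.66
nat (inside) 0 access-list 123nonat
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
static (inside,outside) x.x.x.70 192.168.3.1 netmask 255.255.255.255 0 0
access-group 120 in interface outside
access-group 110 in interface inside
http server enable
http 0.0.0.0 0.0.0.0 outside
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside
"""

FIX_LINES = """\
access-list 123nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
isakmp nat-traversal 20
access-list 120 permit udp any any eq 4500
"""


def parse(config):
    """Collect the handful of facts the checks below need."""
    acls = defaultdict(list)              # ACL name -> list of ACE token lists
    facts = {"nat0_acls": [], "bound": {}, "mgmt_any": [], "snmp": [], "nat_t": False}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            acls[t[1]].append(t[2:])
        elif t[0] == "nat" and len(t) > 4 and t[2] == "0" and t[3] == "access-list":
            facts["nat0_acls"].append(t[4])
        elif t[0] == "access-group":          # access-group <acl> in interface <if>
            facts["bound"][t[4]] = t[1]
        elif t[0] in ("http", "ssh", "telnet") and len(t) == 4 and t[1] == t[2] == "0.0.0.0":
            facts["mgmt_any"].append((t[0], t[3]))
        elif t[:2] == ["snmp-server", "community"]:
            facts["snmp"].append(t[2])
        elif t[:2] == ["isakmp", "nat-traversal"]:
            facts["nat_t"] = True
    return acls, facts


def permits(aces, proto, port=None):
    """True if any ACE permits <proto> (and, for udp/tcp, destination port <port>)."""
    for ace in aces:
        if ace[:2] != ["permit", proto] and ace[:2] != ["permit", "ip"]:
            continue
        if port is None or ace[:2] == ["permit", "ip"] or ace[-2:] == ["eq", str(port)]:
            return True
    return False


def check(config):
    """Return a list of 'SEVERITY: message' findings for the given config text."""
    acls, facts = parse(config)
    out = []
    for name in facts["nat0_acls"]:
        if name not in acls:
            out.append(f"HIGH: nat 0 references access-list {name}, which is not defined; "
                       "VPN-bound traffic will be PATed instead of exempted")
    for iface, name in facts["bound"].items():
        if name not in acls:
            out.append(f"HIGH: access-group on {iface} references undefined access-list {name}")
    for svc, iface in facts["mgmt_any"]:
        out.append(f"HIGH: {svc} management permitted from 0.0.0.0/0 on {iface}")
    for community in facts["snmp"]:
        if community in ("public", "private"):
            out.append(f"HIGH: snmp-server community '{community}' is a well-known default")
    outside_acl = acls.get(facts["bound"].get("outside", ""), [])
    if permits(outside_acl, "esp") and not permits(outside_acl, "udp", 4500):
        out.append("INFO: outside ACL permits esp but not udp/4500; NAT-T peers behind PAT "
                   "need udp 4500 (isakmp nat-traversal) as the accepted answer notes")
    if not facts["nat_t"]:
        out.append("INFO: isakmp nat-traversal not enabled on this PIX")
    return out


if __name__ == "__main__":
    for f in check(SAMPLE_CONFIG):
        print(f)
    print("--- after appending the accepted answer's lines ---")
    for f in check(SAMPLE_CONFIG + FIX_LINES):
        print(f)
```

Running it on the sample prints the 123nonat, udp/4500 and nat-traversal findings alongside the management-access and SNMP ones; after FIX_LINES are appended only the management-access and SNMP findings remain, which are unrelated to the VPN problem but worth restricting to the inside addresses the config already lists.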

2 Accepted Solutions

andrew.prince
Level 10

Anand,

I would double check to make sure the N-NAT has something like:-

"access-list 123nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0"

And enable NAT-T - as it could be his home device does not understand/support IPSEC PassThru:-

"isakmp nat-traversal 20"

And add:-

"access-list 120 permit udp any any eq 4500"

HTH.


Like others have said, nat-traversal must be enabled on the remote vpn device to support ipsec w/ pat. If not you must have a static nat for the inside vpn client inside the pix.

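Both accepted answers come down to the same point: IPsec through PAT needs either NAT-T or a static NAT. The Python model below (an added example, not from the thread and not PIX code) shows why the symptom looks exactly as the poster describes. IKE runs over UDP/500 and survives PAT because the gateway can borrow a port as the reverse key, so the dialer reports "connected"; the ESP packets that carry the actual traffic have no Layer 4 ports, so the gateway has nothing to key a return translation on and the concentrator's replies are dropped. With NAT-T (ESP in UDP/4500) or a 1:1 static (x.x.x.70 to 192.168.3.1 from the posted config) the return path works. The gateway class is a deliberately simplified model of port-overloading NAT, not PIX 6.3 behaviour in detail; the concentrator address 203.0.113.5 is constructed.

```python
"""Why an IPsec client behind PAT 'connects' but cannot pass traffic.

Simplified model of a PAT gateway (added example, not PIX code). Addresses
x.x.x.66 / x.x.x.70 / 192.168.3.1 come from the posted config; the
concentrator address 203.0.113.5 is constructed.
"""
TCP, UDP, ESP = 6, 17, 50


class Packet:
    def __init__(self, proto, src, dst, sport=None, dport=None):
        self.proto, self.src, self.dst, self.sport, self.dport = proto, src, dst, sport, dport

    def __repr__(self):
        return f"Packet(proto={self.proto}, {self.src}:{self.sport} -> {self.dst}:{self.dport})"


class PatGateway:
    """One global address, port-overloaded (PAT) for inside hosts, plus optional 1:1 statics."""

    def __init__(self, global_ip, statics=None):
        self.global_ip = global_ip
        self.statics = dict(statics or {})                 # local -> global
        self.rev_statics = {g: l for l, g in self.statics.items()}
        self.xlate = {}                                    # (proto, global port) -> (local ip, local port)
        self.next_port = 1024

    def outbound(self, p):
        if p.src in self.statics:                          # static: the whole address maps 1:1
            return Packet(p.proto, self.statics[p.src], p.dst, p.sport, p.dport)
        if p.proto in (TCP, UDP):                          # PAT: borrow a global port as the reverse key
            gport, self.next_port = self.next_port, self.next_port + 1
            self.xlate[(p.proto, gport)] = (p.src, p.sport)
            return Packet(p.proto, self.global_ip, p.dst, gport, p.dport)
        # ESP carries no ports: the source can be rewritten, but no reverse key exists
        return Packet(p.proto, self.global_ip, p.dst)

    def inbound(self, p):
        if p.dst in self.rev_statics:
            return Packet(p.proto, p.src, self.rev_statics[p.dst], p.sport, p.dport)
        hit = self.xlate.get((p.proto, p.dport))           # ESP has dport None -> never matches
        if p.dst == self.global_ip and hit:
            local_ip, local_port = hit
            return Packet(p.proto, p.src, local_ip, p.sport, local_port)
        return None                                        # dropped: no translation to undo


def run_scenario(client_ip, concentrator, nat_t, statics=None):
    """Return whether IKE completes and whether the first data reply reaches the client."""
    gw = PatGateway("x.x.x.66", statics)                   # 'global (outside) 1 x.x.x.66'
    ike = gw.outbound(Packet(UDP, client_ip, concentrator, 500, 500))
    ike_reply = gw.inbound(Packet(UDP, concentrator, ike.src, 500, ike.sport))
    if nat_t:                                              # ESP encapsulated in UDP/4500
        data = gw.outbound(Packet(UDP, client_ip, concentrator, 4500, 4500))
        reply = gw.inbound(Packet(UDP, concentrator, data.src, 4500, data.sport))
    else:                                                  # plain ESP, IP protocol 50
        data = gw.outbound(Packet(ESP, client_ip, concentrator))
        reply = gw.inbound(Packet(ESP, concentrator, data.src))
    return {
        "ike_up": ike_reply is not None and ike_reply.dst == client_ip,
        "data_returns": reply is not None and reply.dst == client_ip,
    }


if __name__ == "__main__":
    print("PAT, plain ESP  :", run_scenario("192.168.0.80", "203.0.113.5", nat_t=False))
    print("PAT, NAT-T      :", run_scenario("192.168.0.80", "203.0.113.5", nat_t=True))
    print("static 1:1, ESP :", run_scenario("192.168.3.1", "203.0.113.5", nat_t=False,
                                            statics={"192.168.3.1": "x.x.x.70"}))
```

The first scenario reproduces the thread's symptom (IKE up, no data back); the other two are the two fixes the accepted answers give. The same model also explains the poster's observation that a host with a static NAT works while one behind the global PAT does not.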

21 Replies

andrew.prince
Level 10

Anand,

I would double check to make sure the N-NAT has something like:-

"access-list 123nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0"

And enable NAT-T - as it could be his home device does not understand/support IPSEC PassThru:-

"isakmp nat-traversal 20"

And add:-

"access-list 120 permit udp any any eq 4500"

HTH.

Thanks for the reply, but this option doesn't work for me. Can you give me any other suggestions?

which option no-nat, NAT-T or both?

I tried both the options together & individually also. I still face the same issue.

Can you post the full config please? Sanitized - remove passwords, external IP addresses etc.

Find the exact configuration of the firewall attached.

Your split-tunnel ACL is very confusing - and could be made simpler, I would try:-

access-list VPN_split_tunnnel permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

vpngroup remotestaff split-tunnel VPN_split_tunnnel

You also need to make sure that any layer 3 devices know where the Remote VPN IP subnet is, so a static route pointing back to the firewall will be required - if you don't already have it.

HTH.

Actually the user sitting behind this firewall will connect to the remote office VPN concentrator & then he should access the remote host, which is not happening. So I don't think the configuration present in this firewall related to the one you highlighted will help. Correct me if I am wrong.

Sorry I am confused - the person that cannot access the remote host, is not using the VPN configuration in this posting?

He is actually sitting behind the firewall (which is the config posted here) and trying to access a remote VPN device, and the remote network?

All users are behind this firewall; anyone accessing the internet has to hit this firewall & then go out. So the user sitting behind this firewall has to access a remote host, so he connects to the remote peer with the VPN dialer (the remote peer is nothing but the VPN concentrator). He is unable to access the remote host LAN IP only when he is behind this firewall; otherwise he is able to access it when he is not routing through this firewall.

What are the debugs from this firewall and the remote device when the user connects?

This sounds like the issue is actually at the other end.
