PIX 506E VPN Can't Ping

JORGE RODRIGUEZ Mon, 05/26/2008 - 17:37

Does your config have NAT-T enabled? If not, please enable it and try; if no joy, please post a sanitized PIX config. It could be your ACL not allowing the VPN pool network access to your inside network.



PIX(config)#isakmp nat-traversal 20


Rgds

-Jorge


Yes, tried that and still not working:


Config below:

access-list vpn permit ip host 10.32.1.1 192.168.10.0 255.255.255.0
access-list split_vpn permit ip host 10.32.1.1 192.168.10.0 255.255.255.0

ip local pool vpnpool 192.168.10.0 mask 255.255.255.0

crypto ipsec transform-set espvpn esp-des esp-md5-hmac
crypto dynamic-map money 10 set transform-set espvpn

crypto map pixnet 10 ipsec-isakmp dynamic money
crypto map pixnet client configuration address initiate
crypto map pixnet client authentication LOCAL
crypto map pixnet interface outside

isakmp nat-traversal 20

vpngroup vpnclient address-pool vpnpool
vpngroup vpnclient dns-server 10.32.1.1
vpngroup vpnclient split-tunnel split_vpn
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password *******






JORGE RODRIGUEZ Mon, 05/26/2008 - 18:16

Any nat statements?

I would add the below statement; please try and let me know.

nat (inside) 0 access-list vpn


JORGE RODRIGUEZ Mon, 05/26/2008 - 18:53

One thing I have noticed is your VPN pool range; you would normally configure a range.


ip local pool vpnpool 192.168.10.0 mask 255.255.255.0


I do not think a connected host would get an IP from the pool. When the client connects, can you issue "show ip local pool" to confirm an address has been provided by your current VPN pool.



Normally you would configure a range in this syntax:


ip local pool vpnpool 192.168.10.xx-192.168.10.xx



Enabling NAT-T should have resolved it, but I wonder if your VPN pool is your issue.

JORGE RODRIGUEZ Mon, 05/26/2008 - 19:35

The host you are trying to ping, 10.32.1.1, does it respond to pings from the internal LAN?

Note that this is the only host permitted in your ACL.

husycisco Mon, 05/26/2008 - 21:57

Hi Jorge, nice new badge m8 :)


Ralema, can you please attach your full sanitized config?


francisco_1 Tue, 05/27/2008 - 14:52

dude,


I suggest next time you upload your config, remove any passwords / public IPs.


francisco.

husycisco Wed, 05/28/2008 - 01:51

Ralema,

Please make the modifications below:


no vpngroup pixnet split-tunnel 110

vpngroup pixnet split-tunnel 120

fixup protocol icmp


Also, I see a statement with "tcp" in your ACL 110, which is your NAT-exempt ACL. It is not recommended to use port statements in network ACLs on firewall devices, like split tunnels and NATs, as it impacts the L3 processing of the firewall, which then also has to process the port portion of packets during routing.

Also, you know that you've permitted your VPN clients to establish connections with only 172.16.1.3 and 172.16.1.20, so try pinging them. Also make sure no software firewall is enabled; if one is enabled, modify the exceptions accordingly (Windows Firewall exceptions by default permit traffic from the same subnet! That will drop VPN client connections).


Regards



JORGE RODRIGUEZ Wed, 05/28/2008 - 05:52

Huseyin good to hear from you friend!!


Ralema, do as Huseyin suggested you'll be running in no time.

husycisco Thu, 05/29/2008 - 02:15

The NAT traversal suggestion by Jorge just fits the issue, but you already have it.

Couple of things to check,

Make sure the PC which connects to the VPN and acquires a 192.168.10.x address doesn't have an IP address locally assigned to its NIC within the same 192.168.10.x subnet.


Try connecting to a port instead of pinging to check connectivity. For example, enable Remote Desktop on the remote host, run netstat -an and make sure 3389 is listening, then from the VPN client run telnet remoteclientIP 3389 and wait to get a blank screen.


Right-click the VPN icon in the bottom-right, click Statistics, then the Route Details tab. Make sure the clients you try to reach are listed in the right pane.


Save your config and reload the firewall.


On the client side, open the VPN Client GUI, click Log, then click Enable. Then click Log Window. Try pinging somewhere, then paste here the logs you see in that window.


Run ASDM and enable its built-in syslog viewer, catch some syslogs related to the traffic and paste them here.


Regards

Farrukh Haroon Tue, 06/10/2008 - 18:22

Try three things:


1) Make sure the VPN Client has IPsec over UDP/NAT-T enabled; it's on by default, but someone could have removed the check there.


2) Are you sure you are trying to RDP to 172.16.1.3 or 172.16.1.15 (FIFTEEN) and not 172.16.1.51? Because 172.16.1.51 is not in your split-tunnel ACL.


3) If you do 'route print' on the Windows box after the VPN connection, do you see 172.16.1.3/.15 directed through the VPN tunnel?


Regards


Farrukh
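The checks that accumulate across this thread (Jorge's nat 0 exemption and low-high pool range points, husycisco's warning against port-based ACEs in the NAT-exempt and split-tunnel ACLs, and Farrukh's point that a host outside the split-tunnel ACL is never routed through the tunnel) can be run mechanically against a sanitized PIX 6.x config before anyone posts it. The following Python linter is an added example, not code from any of the posters or from Cisco. The sample config inside it is constructed from the fragment pasted earlier in the thread, with an assumed nat 0 line, a deliberately port-based tcp ACE on the nat 0 ACL, and the split_vpn ACE deliberately left without a permit keyword, so that every check fires.

```python
"""Lint a sanitized PIX 6.x remote-access VPN config for the problems raised
in this thread.  Added example; not code from the posters or from Cisco."""
import ipaddress
import re

# Constructed sample based on the fragment pasted in the thread. Assumed
# additions: the nat 0 line, a port-based tcp ACE on the nat 0 ACL, and the
# split_vpn ACE left without 'permit' so that the syntax check fires.
SAMPLE_CONFIG = """\
access-list vpn permit ip host 10.32.1.1 192.168.10.0 255.255.255.0
access-list vpn permit tcp host 10.32.1.1 192.168.10.0 255.255.255.0 eq 3389
access-list split_vpn ip host 10.32.1.1 192.168.10.0 255.255.255.0
ip local pool vpnpool 192.168.10.0 mask 255.255.255.0
nat (inside) 0 access-list vpn
crypto map pixnet interface outside
isakmp nat-traversal 20
vpngroup vpnclient address-pool vpnpool
vpngroup vpnclient split-tunnel split_vpn
"""

# Same constructed config with the split-tunnel ACE corrected.
FIXED_CONFIG = SAMPLE_CONFIG.replace("split_vpn ip ", "split_vpn permit ip ")


def _addr(tok, i):
    """Parse one PIX address spec at tok[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D MASK' (PIX takes a real subnet mask, not a wildcard).
    Returns (network, index of the next token)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acls(text):
    """Return {acl_name: [ace, ...]}.  A well-formed ace has action/proto/
    src/dst/ports; a malformed line is kept with an 'error' key instead."""
    acls = {}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        aces = acls.setdefault(tok[1], [])
        try:
            if tok[2] not in ("permit", "deny"):
                raise ValueError("missing permit/deny")
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            aces.append({"raw": raw.strip(), "action": tok[2], "proto": tok[3],
                         "src": src, "dst": dst, "ports": tok[i:]})
        except (ValueError, IndexError) as exc:
            aces.append({"raw": raw.strip(), "error": str(exc)})
    return acls


def check_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    acls = parse_acls(text)

    # Clients behind a NAT device need NAT-T, which PIX 6.x has off by default.
    if not re.search(r"^isakmp nat-traversal", text, re.M):
        findings.append("NAT-T not enabled: add 'isakmp nat-traversal 20'")

    # PIX 6.x expects 'ip local pool NAME low-high'; a network+mask form is
    # the pool syntax the thread questions.
    for name, spec in re.findall(r"^ip local pool (\S+) (\S+)", text, re.M):
        if "-" not in spec:
            findings.append(f"pool {name}: '{spec}' is not a low-high range")

    # Replies from inside hosts to the pool must be exempted from NAT.
    exempt = re.findall(r"^nat ?\(inside\) 0 access-list (\S+)", text, re.M)
    if not exempt:
        findings.append("no 'nat (inside) 0 access-list ...' for the VPN pool")

    # nat 0 and split-tunnel ACLs should be plain 'permit ip' network ACEs.
    split = re.findall(r"^vpngroup \S+ split-tunnel (\S+)", text, re.M)
    for name in exempt + split:
        if name not in acls:
            findings.append(f"ACL {name} is referenced but never defined")
            continue
        for ace in acls[name]:
            if "error" in ace:
                findings.append(f"ACL {name}: {ace['error']}: {ace['raw']}")
            elif ace["proto"] != "ip" or ace["ports"]:
                findings.append(f"ACL {name}: port-based ACE in a network ACL: {ace['raw']}")
    return findings


def split_tunnel_covers(text, group, target_ip):
    """True if the group's split-tunnel ACL has a permit ACE whose source
    network (the inside network pushed to the client as a secured route)
    contains target_ip.  A host outside it is sent in the clear, not tunnelled."""
    m = re.search(rf"^vpngroup {re.escape(group)} split-tunnel (\S+)", text, re.M)
    if not m:
        return False
    target = ipaddress.ip_address(target_ip)
    return any(ace.get("action") == "permit" and target in ace["src"]
               for ace in parse_acls(text).get(m.group(1), []))


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    for host in ("10.32.1.1", "10.32.1.51"):
        print(host, "tunnelled:", split_tunnel_covers(FIXED_CONFIG, "vpnclient", host))
```

Run it against your own sanitized config by reading the file into `check_config`; the malformed split_vpn ACE makes `split_tunnel_covers` return False even for 10.32.1.1, which is the same symptom Farrukh describes for 172.16.1.51, only caused by syntax rather than by the host being left out.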

Farrukh Haroon Wed, 06/11/2008 - 17:54

Does it still not work? Does the VPN Client tell you that Transparent Tunneling is active, on the Status tab?


Regards


Farrukh
