PIX 506E VPN Cant Ping

rgeno
Level 1

Got a PIX 506E configured for VPN Client Access.

VPN Client connects however cannot ping anything on the LAN.

Confirmed config with other Cisco Docs and is okay.

Please help

20 Replies

JORGE RODRIGUEZ
Level 10

Does your config have NAT-T enabled? If not, please enable it and try; if no joy, please post a sanitized PIX config. It could be your ACL not allowing the VPN pool network access to your inside network.

PIX(config)#isakmp nat-traversal 20

Rgds

-Jorge

Jorge Rodriguez

Yes, tried that and still not working:

Config below:

access-list vpn permit ip host 10.32.1.1 192.168.10.0 255.255.255.0

access-list split_vpn permit ip host 10.32.1.1 192.168.10.0 255.255.255.0

ip local pool vpnpool 192.168.10.0 mask 255.255.255.0

crypto ipsec transform-set espvpn esp-des esp-md5-hmac

crypto dynamic-map money 10 set transform-set espvpn

crypto map pixnet 10 ipsec-isakmp dynamic money

crypto map pixnet client configuration address initiate

crypto map pixnet client authentication LOCAL

crypto map pixnet interface outside

isakmp nat-traversal 20

vpngroup vpnclient address-pool vpnpool

vpngroup vpnclient dns-server 10.32.1.1

vpngroup vpnclient split-tunnel split_vpn

vpngroup vpnclient idle-time 1800

vpngroup vpnclient password *******

Any nat statements?

I would add the below statement, please try and let me know.

nat(inside) 0 access-list vpn

Jorge Rodriguez

Yes, forgot to include that in the config earlier.

One thing I have noticed is your VPN pool range; you would normally configure a range.

ip local pool vpnpool 192.168.10.0 mask 255.255.255.0

I do not think a connected host would get an IP from the pool. When the client connects, can you issue "show ip local pool" to confirm an address has been provided by your current VPN pool.

Normally you would configure a range in this syntax.

ip local pool vpnpool 192.168.10.xx-192.168.10.xx

Enabling NAT-T should have resolved it, but I wonder if your VPN pool is your issue.

Jorge Rodriguez

Thanks for noticing,

Yeah, it assigns an IP address. I've changed that to 192.168.10.1 - 192.168.10.20 and it assigns an IP address, however I am still unable to ping.

The host you are trying to ping, 10.32.1.1, does it respond to pings from the internal LAN?

Note that this is the only host permitted in your ACL.

Jorge Rodriguez

Yes it does.

Hi Jorge, nice new badge m8 :)

Ralema, can you please attach your full sanitized config?

Find config attached.

once you have it, download and delete

dude,

I suggest next time you upload your config, remove any passwords / public IPs.

francisco.

Ralema,

Please do the below modifications:

no vpngroup pixnet split-tunnel 110

vpngroup pixnet split-tunnel 120

fixup protocol icmp

Also I see a statement with "tcp" in your ACL 110, which is your NAT exempt ACL. It is not recommended to use port statements in network ACLs for firewall devices, like split tunnels and NATs, as it would impact the L3 processing of the firewall, which would also have to process the port portion of packets during routing.

Also, you know that you've permitted your VPN clients to establish connections with only 172.16.1.3 and 172.16.1.20, so try pinging them. Also make sure no software firewall is enabled; if enabled, modify the exceptions accordingly (Windows Firewall exceptions by default permit traffic from the same subnet! That will drop VPN client connections).

Regards

Huseyin good to hear from you friend!!

Ralema, do as Huseyin suggested and you'll be running in no time.

Jorge Rodriguez
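The replies above boil down to a handful of config consistency checks: the nat 0 exemption must exist and cover the client pool as a destination, the pool is normally written as a start-end range, the vpngroup's address-pool and split-tunnel references must resolve, and the NAT exempt ACL should use "ip" rather than tcp/udp entries with ports. The script below is an added example (not code from this thread or from Cisco) that runs those checks over a sanitized PIX 6.x config before you go hunting on the client side. The two sample configs are constructed from the fragments posted in the thread; the address-spec grammar it understands is the simple "any | host A | A MASK [eq PORT]" form shown in the posts, so anything fancier (object groups, remarks) is skipped.

```python
"""Added example: lint a sanitized PIX 6.x remote-access VPN config for the
mistakes discussed in this thread. Not the poster's config or a Cisco tool."""
import ipaddress
import re
from typing import List, Tuple

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+)$")
NAT0_RE = re.compile(r"^nat\s*\((\S+)\)\s+0\s+access-list\s+(\S+)")
PORT_OPS = ("eq", "gt", "lt", "neq")


def _addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one PIX address spec: any | host A | A MASK."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _ports(tokens: List[str]) -> Tuple[List[str], List[str]]:
    """Consume an optional port qualifier (eq 80, range 1 10) if present."""
    if tokens and tokens[0] in PORT_OPS:
        return tokens[:2], tokens[2:]
    if tokens and tokens[0] == "range":
        return tokens[:3], tokens[3:]
    return [], tokens


def parse_config(text: str) -> dict:
    """Pull out ACL entries, local pools, nat 0 exemptions and vpngroup references."""
    cfg = {"acls": {}, "pools": {}, "nat0": [], "groups": {}, "split": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            src, toks = _addr(rest.split())
            sp, toks = _ports(toks)
            dst, toks = _addr(toks)
            dp, _ = _ports(toks)
            cfg["acls"].setdefault(name, []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst,
                 "ports": " ".join(sp + dp)})
            continue
        m = NAT0_RE.match(line)
        if m:
            cfg["nat0"].append(m.groups())      # (interface, acl name)
            continue
        t = line.split()
        if t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            if "-" in t[4]:                      # start-end range form (what Jorge recommends)
                a, b = t[4].split("-", 1)
                cfg["pools"][t[3]] = {"range": True, "first": ipaddress.ip_address(a),
                                      "last": ipaddress.ip_address(b)}
            else:                                # network/mask form as first posted
                mask = t[6] if len(t) >= 7 and t[5] == "mask" else "255.255.255.255"
                net = ipaddress.ip_network(f"{t[4]}/{mask}", strict=False)
                cfg["pools"][t[3]] = {"range": False, "first": net[0], "last": net[-1]}
        elif t[:1] == ["vpngroup"] and len(t) >= 4:
            if t[2] == "address-pool":
                cfg["groups"][t[1]] = t[3]
            elif t[2] == "split-tunnel":
                cfg["split"][t[1]] = t[3]
    return cfg


def lint(text: str) -> List[str]:
    """Return one finding per problem; an empty list means the checks pass."""
    cfg = parse_config(text)
    out: List[str] = []
    for name, pool in cfg["pools"].items():
        if not pool["range"]:
            out.append(f"pool {name}: not written as a start-end range")
    for group, pool in cfg["groups"].items():
        if pool not in cfg["pools"]:
            out.append(f"vpngroup {group}: address-pool {pool} is not defined")
    for group, acl in cfg["split"].items():
        if acl not in cfg["acls"]:
            out.append(f"vpngroup {group}: split-tunnel acl {acl} is not defined")
    if not cfg["nat0"]:
        out.append("no 'nat (inside) 0 access-list' line: client traffic will be translated")
    for iface, acl in cfg["nat0"]:
        aces = cfg["acls"].get(acl)
        if aces is None:
            out.append(f"nat ({iface}) 0: acl {acl} is not defined")
            continue
        for ace in aces:
            if ace["proto"] != "ip" or ace["ports"]:   # Huseyin's point: keep exempt ACLs to "ip"
                detail = (ace["proto"] + " " + ace["ports"]).strip()
                out.append(f"nat ({iface}) 0 acl {acl}: protocol/port entry '{detail}', use ip")
        for pname, pool in cfg["pools"].items():
            # simplification: the whole pool must sit inside one permit entry's destination
            if not any(a["action"] == "permit" and pool["first"] in a["dst"]
                       and pool["last"] in a["dst"] for a in aces):
                out.append(f"nat ({iface}) 0 acl {acl}: pool {pname} is not covered as destination")
    return out


# Constructed sample 1: the fragments posted in the thread plus the nat 0 line.
THREAD_CONFIG = """
access-list vpn permit ip host 10.32.1.1 192.168.10.0 255.255.255.0
access-list split_vpn permit ip host 10.32.1.1 192.168.10.0 255.255.255.0
ip local pool vpnpool 192.168.10.0 mask 255.255.255.0
nat (inside) 0 access-list vpn
vpngroup vpnclient address-pool vpnpool
vpngroup vpnclient split-tunnel split_vpn
"""

# Constructed sample 2: range pool, a tcp entry in the exempt ACL, dangling split ACL.
SAMPLE2_CONFIG = """
access-list 110 permit ip host 10.32.1.1 192.168.10.0 255.255.255.0
access-list 110 permit tcp 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 80
ip local pool vpnpool 192.168.10.1-192.168.10.20
nat (inside) 0 access-list 110
vpngroup vpnclient address-pool vpnpool
vpngroup vpnclient split-tunnel 120
"""

if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CONFIG), ("sample2", SAMPLE2_CONFIG)):
        print(label, lint(cfg) or ["ok"])
```

On the thread's own fragments the only finding is the pool form; on the second sample it flags the undefined split-tunnel ACL 120 and the tcp/eq 80 entry in the exempt ACL, which are exactly the two things Huseyin asked Ralema to change.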