vpn client behind pix 501 not able to ping inside address puzzler

Unanswered Question
Sep 25th, 2008

I've got everything to work except I cant ping inside servers. Here's a ipconfig from the VPN client to the RADIUS server:

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . :domainnamelocal

IP Address. . . . . . . . . . . . : 192.168.100.2

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

H:\>ping 192.168.1.10

Pinging 192.168.1.10 with 32 bytes of data:

Request timed out.

Request timed out.

Here's the pix configuration:

PIX Version 6.3(5)

no fixup protocol dns

access-list 10 permit ip 192.168.1.0 255.255.255.0 host 172.16.7.33

access-list 10 permit ip 192.168.1.0 255.255.255.0 host 172.16.7.14

access-list Internet permit icmp any any echo-reply

access-list Internet permit icmp any any time-exceeded

access-list Internet permit icmp any any traceroute

access-list Internet permit udp any any eq isakmp

access-list Internet permit esp any any

access-list Internet deny ip any any log

access-list NO-NAT-VPN permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

pager lines 24

mtu outside 1492

mtu inside 1500

ip address outside outsideaddress subnetmask

ip address inside 192.168.1.254 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action drop

ip local pool VPNPOOL 192.168.100.1-192.168.100.50

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NO-NAT-VPN

nat (inside) 1 access-list 10 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 192.168.1.10 netmask 255.255.255.255 0 0

access-group Internet in interface outside

route outside 0.0.0.0 0.0.0.0 outside addr

timeout xlate 0:05:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server RADIUS (inside) host 192.168.1.10 keyname timeout 15

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-3des esp-md5-hmac

crypto ipsec transform-set 3DES esp-3des esp-md5-hmac

crypto ipsec transform-set SHA esp-3des esp-sha-hmac

crypto dynamic-map dynmap 20 set transform-set SHA

crypto map VPN 10 ipsec-isakmp

crypto map VPN 10 match address 10

crypto map VPN 10 set peer peeraddress

crypto map VPN 10 set transform-set strong

crypto map VPN 65000 ipsec-isakmp dynamic dynmap

crypto map VPN client authentication RADIUS

crypto map VPN interface outside

isakmp enable outside

isakmp key key address peer address netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash md5

isakmp policy 40 group 2

isakmp policy 40 lifetime 3600

isakmp policy 50 authentication rsa-sig

isakmp policy 50 encryption des

isakmp policy 50 hash sha

isakmp policy 50 group 1

isakmp policy 50 lifetime 86400

isakmp policy 60 authentication pre-share

isakmp policy 60 encryption 3des

isakmp policy 60 hash sha

isakmp policy 60 group 2

isakmp policy 60 lifetime 86400

vpngroup VPN address-pool VPNPOOL

vpngroup VPN dns-server 192.168.1.10

vpngroup VPN default-domain domain

vpngroup VPN split-tunnel 102

vpngroup VPN idle-time 1800

vpngroup VPN authentication-server RADIUS

vpngroup VPN password ********

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 15

ssh myoustide outside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 15

management-access inside

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
singhsaju Thu, 09/25/2008 - 09:33

enable NAT-T:

isakmp nat-t 20

connect vpn client again and post results.

HTH

Saju

Actions

This Discussion