PIX 515 Remote VPN issue

Answered Question
Mar 12th, 2009

Does anyone see something that would stop a remote vpn connection from working? My L2L works like a champ. I can connect via the Remote VPN client fine, but I cannot talk to anything on the network. I do not see any routes show up under my software client under statistics. HELP!

domain-name default.domain.invalid
enable password
passwd
names
interface Ethernet0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 90 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 extended permit ip any 10.10.10.0 255.255.255.0
access-list acl_inside extended deny tcp 192.168.3.0 255.255.255.0 any eq smtp
access-list acl_inside extended permit ip any any
access-list Split_tunnel_list remark SPlit tunnel list
access-list Split_tunnel_list standard permit any
ip local pool YW#vpn 10.10.10.1-10.10.10.32 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 69.57.59.137 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map ToMarina 20 match address 90
crypto map ToMarina 20 set peer 69.57.51.194
crypto map ToMarina 20 set transform-set strong ESP-3DES-SHA ESP-3DES-MD5
crypto map ToMarina 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map ToMarina interface outside
crypto isakmp enable outside
crypto isakmp policy 9
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
vpn-sessiondb max-session-limit 30
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh 69.85.192.0 255.255.192.0 outside
ssh 67.177.64.0 255.255.255.0 outside
ssh timeout 5
ssh version 2
console timeout 0
group-policy YW#vpn internal
group-policy YW#vpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_tunnel_list
group-policy 69.57.51.194 internal
group-policy 69.57.51.194 attributes
 vpn-tunnel-protocol IPSec
username admin password RqwfSgGaHexJEm4c encrypted privilege 15
username admin attributes
 vpn-group-policy YW#vpn
tunnel-group 69.57.51.194 type ipsec-l2l
tunnel-group 69.57.51.194 ipsec-attributes
 pre-shared-key *
tunnel-group YW#vpn type ipsec-ra
tunnel-group YW#vpn general-attributes
 address-pool YW#vpn
 authorization-server-group LOCAL
 authorization-server-group (outside) LOCAL
 default-group-policy YW#vpn
tunnel-group YW#vpn ipsec-attributes
 pre-shared-key *
!
policy-map global_policy
 class class-default

Correct Answer by Ivan Martinon, Thu, 03/12/2009 - 14:29

Well, your main problem is your match address definition:

crypto map ToMarina 20 match address 90

This is the access-list used for the nonat, which includes both S2S and remote access traffic; using it as the match address will prevent it from getting the remote access connection, so go ahead and change that to:

access-list ToMarina permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

no crypto map ToMarina 20 match address 90

crypto map ToMarina 20 match address ToMarina

And the other problem, which is not affecting you but is really misconfigured, is your split tunnel policy: you are defining the network Any as part of the split tunnel, which is just as if you did not have split tunnel enabled (hence the reason why the route shows 0.0.0.0 on the client).

Go ahead and change that to be:

access-list Split_tunnel_list standard permit 192.168.3.0 255.255.255.0
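
As an added example (not part of the original thread and not Cisco tooling), here is a small Python lint that reads a PIX/ASA running config and reports exactly the two problems named in the answer: a static crypto map entry whose match ACL is also the nat 0 list, and so carries a permit towards the remote-access pool, and a split-tunnel list that permits any. The two sample configs embedded in it are constructed from the lines posted above, before and after the fix; the regular expressions only cover the command forms that appear in this thread, and the finding texts are this example's own wording.

```python
"""Lint a PIX/ASA 'show run' for the two mistakes the answer above identifies: a static
crypto map entry matching the nat 0 ACL, whose 'any -> pool' line pulls VPN-client return
traffic to the L2L peer, and a split-tunnel list that permits any. Added example, not
code from the thread or from Cisco."""
import ipaddress
import re
from typing import Dict, List, Tuple

# 'extended' is optional so the answer's "access-list ToMarina permit ip ..." form parses.
ACL_RE = re.compile(r"^access-list (\S+) (?:(extended|standard) )?(permit|deny) (.+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
NONAT_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
SPLIT_RE = re.compile(r"^split-tunnel-network-list value (\S+)$")


def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Read one address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text: str) -> Dict[str, object]:
    """Collect ACL entries as (action, src, dst) (dst is None for standard ACLs), pools as
    (first, last) integer ranges, static crypto map matches, nat 0 ACLs and split lists."""
    acls: Dict[str, list] = {}
    pools: Dict[str, Tuple[int, int]] = {}
    static: List[Tuple[str, int, str]] = []
    nonat, split = set(), set()
    for raw in text.splitlines():
        line = raw.strip()                      # sub-mode lines are indented in show run
        if m := ACL_RE.match(line):
            name, kind, action, rest = m.groups()
            tokens = rest.split()
            if kind == "standard":
                acls.setdefault(name, []).append((action, _addr(tokens, 0)[0], None))
            else:
                src, i = _addr(tokens, 1)       # tokens[0] is the protocol; ports after dst are ignored
                acls.setdefault(name, []).append((action, src, _addr(tokens, i)[0]))
        elif m := POOL_RE.match(line):
            name, lo, hi = m.groups()
            pools[name] = (int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)))
        elif m := MATCH_RE.match(line):
            static.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := NONAT_RE.match(line):
            nonat.add(m.group(1))
        elif m := SPLIT_RE.match(line):
            split.add(m.group(1))
    return {"acls": acls, "pools": pools, "static": static, "nonat": nonat, "split": split}


def lint(text: str) -> List[str]:
    """Return one finding string per problem; an empty list means the config is clean."""
    cfg = parse_config(text)
    findings: List[str] = []
    for map_name, seq, acl in cfg["static"]:
        if acl in cfg["nonat"]:
            findings.append(f"crypto map {map_name} {seq} matches the nat 0 ACL {acl}; give the L2L entry its own ACL")
        for action, _src, dst in cfg["acls"].get(acl, []):
            # Only the destination matters: it is the firewall's return traffic towards the
            # VPN client that a static entry steers to the L2L peer instead of the dynamic map.
            for pool, (lo, hi) in cfg["pools"].items():
                if (action == "permit" and dst is not None
                        and int(dst.network_address) <= hi and int(dst.broadcast_address) >= lo):
                    findings.append(f"crypto map {map_name} {seq} ACL {acl} entry to {dst} covers remote-access pool {pool}")
    for acl in cfg["split"]:
        for action, net, _dst in cfg["acls"].get(acl, []):
            if action == "permit" and net.prefixlen == 0:
                findings.append(f"split-tunnel list {acl} permits any, which is the same as tunnelall")
    return findings


# Constructed samples: the relevant lines of the posted config before and after the fix.
CONFIG_BEFORE = """\
access-list 90 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 extended permit ip any 10.10.10.0 255.255.255.0
access-list Split_tunnel_list remark SPlit tunnel list
access-list Split_tunnel_list standard permit any
ip local pool YW#vpn 10.10.10.1-10.10.10.32 mask 255.255.255.0
nat (inside) 0 access-list 90
crypto map ToMarina 20 match address 90
crypto map ToMarina 65535 ipsec-isakmp dynamic outside_dyn_map
 split-tunnel-network-list value Split_tunnel_list
"""
CONFIG_AFTER = """\
access-list 90 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 extended permit ip any 10.10.10.0 255.255.255.0
access-list ToMarina permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Split_tunnel_list standard permit 192.168.3.0 255.255.255.0
ip local pool YW#vpn 10.10.10.1-10.10.10.32 mask 255.255.255.0
nat (inside) 0 access-list 90
crypto map ToMarina 20 match address ToMarina
crypto map ToMarina 65535 ipsec-isakmp dynamic outside_dyn_map
 split-tunnel-network-list value Split_tunnel_list
"""
```

Feed `lint()` the whole `show run` output; on the posted config it reports the nonat ACL reuse, the `any -> 10.10.10.0/24` entry covering pool YW#vpn, and the `permit any` split list, and on the corrected config it reports nothing. The pool check looks only at the destination of each crypto ACL entry because the traffic that goes missing is the firewall's return traffic towards the client address, which the lower-numbered static entry claims before the dynamic map is consulted.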

gabewatson Thu, 03/12/2009 - 14:34

Thanks so much. I had tried several things and the Split tunnel policy was a last ditch effort. I originally had it setup like you are suggesting. The Crypto map is what got me. Thanks again.
