PIX515e VPN and Inside ACL

Jul 17th, 2009

I have a PIX 515e that used to only be used for VPN remote access. Now I would like to allow web browsing out as well. This works fine with no access list. But I need to add an ACL to only allow certain addresses to go out. Every time I apply the ACL the person VPN'ed in can't get anywhere - ping, etc., because it's blocked by the ACL. The strange thing is that the debug says it's blocking something that's allowed specifically in the ACL. Any help would be greatly appreciated. Config below:


object-group network GRP_BRP
description All BRP network
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object host 198.212.157.65
network-object 130.1.0.0 255.255.0.0
network-object 193.46.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip any 10.15.0.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 10.15.0.0 255.255.255.192
access-list Inside_access_in permit icmp object-group GRP_BRP any echo log 7
access-list Inside_access_in permit tcp any any eq citrix-ica
access-list Inside_access_in permit tcp any any eq 3389
access-list Inside_access_in permit tcp any any eq ftp
access-list Inside_access_in permit tcp any any eq ftp-data
access-list Inside_access_in permit tcp any any eq 3456
access-list Inside_access_in permit tcp any any eq 3026
access-list Inside_access_in permit tcp any any eq 3320
access-list Inside_access_in permit tcp any any eq 6962
access-list Inside_access_in permit tcp any any eq ssh
access-list Inside_access_in permit tcp object-group GRP_BRP Nurun 255.255.255.0 eq www
access-list Inside_access_in permit tcp object-group GRP_BRP Nurun 255.255.255.0 eq https
access-list Inside_access_in permit tcp object-group GRP_BRP remote.transfreight.com 255.255.255.0 eq https
access-list Inside_access_in permit tcp object-group GRP_BRP remote.transfreight.com 255.255.255.0 eq www
access-list Inside_access_in permit tcp object-group GRP_BRP host Upstaging eq www
access-list Inside_access_in permit tcp object-group GRP_BRP host Upstaging eq https
access-list Inside_access_in permit tcp host AWS-Server any eq www
access-list Inside_access_in permit tcp host AWS-Server any eq https
access-list Inside_access_in permit ip host 10.52.106.1 any
ip address outside 195.165.229.162 255.255.255.240
ip address inside 10.15.3.240 255.255.252.0
ip local pool vpnpool 10.15.0.1-10.15.0.50
global (outside) 1 195.165.229.163
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.15.0.0 255.255.0.0 0 0
route outside 0.0.0.0 0.0.0.0 195.165.229.161 1
route inside 10.0.0.0 255.0.0.0 10.15.3.254 1
route outside 10.101.0.0 255.255.0.0 195.165.229.162 1
route inside 172.16.0.0 255.255.0.0 10.15.3.254 1
route inside 193.46.0.0 255.255.0.0 10.15.3.254 1
route inside 194.137.0.0 255.255.0.0 10.15.3.254 1
route outside R3G 255.255.255.0 195.165.229.162 1
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNUsers address-pool vpnpool
vpngroup VPNUsers dns-server FIRNDC01
vpngroup VPNUsers idle-time 1800
vpngroup VPNUsers password ********



Add the below to the beginning of the ACL; make sure they are config lines 1 & 2:

access-list Inside_access_in permit icmp any 10.15.0.0 255.255.255.192 log
access-list Inside_access_in permit ip any 10.15.0.0 255.255.255.192 log

Try connectivity again and see if the first two lines get a hit and your VPN works.

HTH
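As an added example, not part of the original thread, here is a small Python model of how the PIX walks an access list: top to bottom, first match wins, and anything that reaches the end hits the implicit deny. It loads a subset of the poster's Inside_access_in lines (the numeric ones; the named hosts Nurun, Upstaging and AWS-Server are left out because their addresses are not on the page) plus the two suggested lines, and runs constructed packets through both versions. The inside host 10.15.3.10, the VPN client 10.15.0.5 and the packets are assumptions. The point it shows: on PIX 6.x there is no ICMP state tracking, so an echo-reply from an inside host to a VPN client is checked against the inside ACL as a new packet; it is not an "echo", so the existing permit icmp ... echo line never matches it and it falls to the implicit deny, while the suggested line 1 catches it.

```python
"""First-match evaluation of a PIX-style access list (added example, not
from the original post).  Rules are a subset of the poster's list; packets
and the 10.15.3.10 / 10.15.0.5 addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network

# Object group copied from the post (numeric members only).
OBJECT_GROUPS = {
    "GRP_BRP": [IPv4Net("10.0.0.0/8"), IPv4Net("172.16.0.0/12"),
                IPv4Net("198.212.157.65/32"), IPv4Net("130.1.0.0/16"),
                IPv4Net("193.46.0.0/16")],
}
NAMED_PORTS = {"www": 80, "https": 443, "ssh": 22, "ftp": 21,
               "ftp-data": 20, "citrix-ica": 1494}


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: list                        # IPv4Network list (object-group -> several)
    dst: list
    dport: Optional[int] = None      # TCP/UDP destination port; None = any
    icmp_type: Optional[str] = None  # e.g. "echo"; None = any ICMP type
    text: str = ""


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    icmp_type: str = ""


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (nets, next_i)."""
    t = tokens[i]
    if t == "any":
        return [IPv4Net("0.0.0.0/0")], i + 1
    if t == "host":
        return [IPv4Net(tokens[i + 1] + "/32")], i + 2
    if t == "object-group":
        return OBJECT_GROUPS[tokens[i + 1]], i + 2
    # "address mask" form as written in PIX config
    return [IPv4Net(f"{t}/{tokens[i + 1]}", strict=False)], i + 2


def parse_rule(line):
    tokens = line.split()
    assert tokens[0] == "access-list", line
    action, proto = tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    rule = Rule(action, proto, src, dst, text=line)
    while i < len(tokens):
        t = tokens[i]
        if t == "eq":                      # destination port (name or number)
            rule.dport = NAMED_PORTS.get(tokens[i + 1]) or int(tokens[i + 1])
            i += 2
        elif t == "log":                   # logging options never affect matching
            break
        elif proto == "icmp":              # bare ICMP type keyword such as "echo"
            rule.icmp_type = t
            i += 1
        else:
            raise ValueError(f"unhandled token {t!r} in {line!r}")
    return rule


def _in(addr, nets):
    a = ipaddress.IPv4Address(addr)
    return any(a in n for n in nets)


def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _in(pkt.src, rule.src) or not _in(pkt.dst, rule.dst):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    return True


def evaluate(acl, pkt):
    """Return (action, line_number) of the first match; line 0 = implicit deny."""
    for n, rule in enumerate(acl, start=1):
        if matches(rule, pkt):
            return rule.action, n
    return "deny", 0


ORIGINAL_ACL = [parse_rule(l) for l in """
access-list Inside_access_in permit icmp object-group GRP_BRP any echo log 7
access-list Inside_access_in permit tcp any any eq 3389
access-list Inside_access_in permit tcp any any eq ssh
access-list Inside_access_in permit ip host 10.52.106.1 any
""".split("\n") if l.strip()]

FIXED_ACL = [parse_rule(l) for l in (
    "access-list Inside_access_in permit icmp any 10.15.0.0 255.255.255.192 log",
    "access-list Inside_access_in permit ip any 10.15.0.0 255.255.255.192 log",
)] + ORIGINAL_ACL

# Constructed packets arriving on the inside interface, all towards a VPN client.
ECHO_REPLY = Packet("icmp", "10.15.3.10", "10.15.0.5", icmp_type="echo-reply")
RDP_TO_VPN = Packet("tcp", "10.15.3.10", "10.15.0.5", dport=3389)
SMB_TO_VPN = Packet("tcp", "10.15.3.10", "10.15.0.5", dport=445)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for pkt in (ECHO_REPLY, RDP_TO_VPN, SMB_TO_VPN):
            action, n = evaluate(acl, pkt)
            print(f"{name:8} {pkt.proto:4} {pkt.src} -> {pkt.dst} "
                  f"{pkt.icmp_type or pkt.dport}: {action} (line {n or 'implicit'})")
```

The line number the evaluator returns is the same thing the hit counters in show access-list tell you on the box, which is why the answer above says to check whether the first two lines get a hit: with the original list the echo-reply reaches no line at all, and with the fix it stops at line 1.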
