Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
393
Views
0
Helpful
3
Replies

PIX 6.3(5) VPN not routing

tahequivoice
Level 2
Level 2

‎07-22-2009 07:21 AM

OK, this one has me puzzled. It has been a while since I configured a PIX for Client VPN access, so I dont know what I am missing. I have done quite a few ASA setups, no problem, but this PIX one has me stumped.

Internal network 192.168.1.0/24, VPN pool 192.168.10.0/24.

NoNat ACL 192.168.1.0/24 192.168.10.0/24

nat (inside) 0 access-list NoNat

VPN ACL 192.168.1.0/24 192.168.10.0/24

vpngroup group split-tunnel VPN

I am connecting OK, authenticating against radius, the route tab on the client shows 192.168.1.0/24, but I cant ping nor remote desktop to anything behind the PIX. I ran debug icmp trace and did not see any traffic either.

The show cry ips sa shows me encrypted and decrypted traffic though, the client only shows encrypted. The client is version 5.0.03.0560, PIX OS is 6.3(5)

I should note I tried this from both an XP machine and a Macbook. Same results.

Labels:
0 Helpful
3 Replies 3

andrew.prince
Level 10
Level 10

‎07-22-2009 07:52 AM

Make sure ANY other device that does handle the routing on the network knows the 192.168.10.0/24 network is handled by the PIX.

HTH>

0 Helpful

tahequivoice
Level 2
Level 2
In response to andrew.prince

‎07-22-2009 08:19 AM

That's not a problem, the default gateway for everything is the PIX. Further troubleshooting has led me to show crypto map command to verify that the dynamic ACL is working, and I found something interesting. The ACL for no nat does not appear.

access-list dynacl18; 1 elements

access-list dynacl18 line 1 permit ip any host 192.168.10.1 (hitcnt=172)

I am not seeing

access-list dynacl17; 1 elements

access-list dynacl17 line 1 permit ip host (outside IP) host 192.168.10.1

as per the example found here

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml

I am seeing full traffic though, and this is what is puzzling me, it seems as the the client is blocking thr traffic.

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.10.1/255.255.255.255/0/0)

current_peer: :4203

dynamic allocated peer ip: 192.168.10.1

PERMIT, flags={}

#pkts encaps: 123, #pkts encrypt: 123, #pkts digest 123

#pkts decaps: 123, #pkts decrypt: 123, #pkts verify 123

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

Client

Packets

Encrypted 123

Decrypted 0

0 Helpful

tahequivoice
Level 2
Level 2

‎07-22-2009 08:44 AM

I found the problem, I had mistakenly thought Nat Traversal was enabled, I found it wasn't, that was the problem.

0 Helpful
Customers Also Viewed These Support Documents