08-28-2009 02:14 AM
I have a remote site and I need to access the network through a remote VPN. I made the configuration and the remote VPN connects, but I am not able to ping the internal hosts, including the PIX inside IP.
PIX OS : 8X.0.X.X
PIX IP : 192.168.170.1
config :
interface Ethernet0
nameif outside
security-level 0
ip address XX.8X.XX.XX 255.255.255.224
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.170.1 255.255.255.0
!
interface Ethernet2
description STATE Failover Interface
speed 100
duplex full
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
ftp mode passive
dns server-group DefaultDNS
domain-name LYCASWE
access-list 101 extended permit ip any 192.168.170.248 255.255.255.248
access-list 110 extended permit ip 192.168.170.0 255.255.255.0 10.195.0.0 255.255.0.0
access-list VPN-MAR extended permit ip 192.168.170.0 255.255.255.0 10.195.0.0 255.255.0.0
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip local pool RemoteVPNpool 192.168.170.250-192.168.170.254
failover
failover polltime unit 3 holdtime 9
failover link STATE Ethernet2
failover interface ip STATE 172.16.35.1 255.255.255.0 standby 172.16.35.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XX.8X.XX.XX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN_OFFICE-set esp-3des esp-sha-hmac
crypto ipsec transform-set RVPN esp-des esp-md5-hmac
crypto ipsec transform-set RVPN1 esp-3des esp-md5-hmac
crypto dynamic-map DYN-map 1 set transform-set RVPN RVPN1
crypto map Sweden-map 11 match address VPN-MAR
crypto map Sweden-map 11 set peer xx7.xx8.1xx.xx
crypto map Sweden-map 11 set transform-set VPN_OFFICE-set
crypto map Sweden-map 20 ipsec-isakmp dynamic DYN-map
crypto map Sweden-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 13
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 14
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
ssh timeout 10
console timeout 0
management-access inside
service-policy global_policy global
group-policy RAswe internal
group-policy RAswe attributes
user-authentication enable
username admin password XXXXXXXX encrypted
tunnel-group xx7.xx8.1xx.xx type ipsec-l2l
tunnel-group xx7.xx8.1xx.xx ipsec-attributes
pre-shared-key
tunnel-group RAswe type ipsec-ra
tunnel-group RAswe general-attributes
address-pool RemoteVPNpool
default-group-policy RAswe
tunnel-group RAswe ipsec-attributes
pre-shared-key
08-28-2009 05:07 AM
1) Use a separate IP subnet for remote VPN connections
2) You need to add the VPN subnet to your no-nat rule, acl 110
3) You will not be able to ping the inside IP of the PIX - this is normal and by design.
4) If you want to access the remote site over the IPSEC tunnel you need to enable same security traffic.
HTH
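The corrections listed in the reply above, written out as PIX/ASA 8.x configuration. This is an added example, not the poster's configuration or the reply's own text: the replacement pool subnet 192.168.171.0/24 is a constructed value chosen only because it lies outside the inside LAN 192.168.170.0/24, and the VPN-MAR line is needed only if remote clients should also reach 10.195.0.0/16 across the existing site-to-site tunnel.

```cisco
! Added example, not the poster's config. 192.168.171.0/24 is an assumed,
! constructed subnet; substitute any range that is unused on your network.

! 1) Put the remote-access pool on its own subnet instead of carving it out
!    of the inside LAN (192.168.170.250-254 overlapped 192.168.170.0/24, so
!    inside hosts tried to ARP for the clients instead of routing to them).
!    Active client sessions must be cleared before the old pool can be removed.
no ip local pool RemoteVPNpool 192.168.170.250-192.168.170.254
ip local pool RemoteVPNpool 192.168.171.1-192.168.171.254 mask 255.255.255.0

! 2) ACL 110 is bound by "nat (inside) 0 access-list 110", so it must also
!    exempt inside -> VPN-pool traffic; otherwise the replies from inside
!    hosts match "nat (inside) 1 0.0.0.0 0.0.0.0" and are PAT'd to the
!    outside interface address instead of being sent back down the tunnel.
access-list 110 extended permit ip 192.168.170.0 255.255.255.0 192.168.171.0 255.255.255.0

! 4) Client traffic that enters and leaves on the outside interface (VPN
!    client -> site-to-site peer) is only permitted with this command.
same-security-traffic permit intra-interface

! Only if clients should reach 10.195.0.0/16 over the L2L tunnel: the crypto
! ACL must carry the pool subnet, and the remote peer's crypto ACL must
! mirror it (10.195.0.0/16 -> 192.168.171.0/24) or phase 2 will not match.
access-list VPN-MAR extended permit ip 192.168.171.0 255.255.255.0 10.195.0.0 255.255.0.0

! NAT changes only apply to new connections; flush the existing translations.
clear xlate
```

After applying the changes, reconnect the client and run `show crypto ipsec sa` on the PIX: for the client's SA, both the `#pkts encaps` and `#pkts decaps` counters should now increase while you ping an inside host. Decaps rising with encaps stuck at zero is the signature of the original problem (the PIX receives the client's packets but the replies are NAT'd or mis-routed on the way back).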