VPN Tunnel UP but no traffic passing (PIX515)

Answered Question
Sep 9th, 2009

I'm setting up remote access for offsite engineers to access my network (using the Cisco VPN client). I use a PIX 515E, software version 7.0(3)20, as the VPN server. I can establish a tunnel, but I cannot access any network resources. I can as well ping the outside interface of the PIX. This is my setup: internet-router-pix-dmz (server farm). Attached please find my configuration. Thanks in advance.

Correct Answer by jeromecandiff, Wed, 09/09/2009 - 09:20

After a quick look at your policy it appears that the IP pool, which is assigned to clients behind the Outside interface, is routed behind the DMZ. I don't think this will work.

Additionally, the split policy that is defined appears to be backwards. I'm pretty sure that you intend to send traffic FROM the IP pool to 196.26.12.64/26. Your split ACL is defined the other way around.

Also, your routing table does not contain a route for the 196 network, so the firewall will use the default route on the outside. If this is intentional, both the clients and the dst reside on the outside, which is considered hairpinning. This is allowed on the ASA only with the Same-Security setting configured.
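The three points above, written out as a PIX/ASA 7.x configuration fragment. This is an added example, not the poster's configuration or the answerer's; the object names, the client pool 192.0.2.0/24 and the assumption that 196.26.12.64/26 is the DMZ server farm are all made up for illustration.

```cisco
! Added example (not from the thread). Names, the pool 192.0.2.0/24 and the
! placement of 196.26.12.64/26 are assumptions, not taken from the poster's config.

! 1. Split-tunnel ACL: a standard ACL simply lists the networks the client
!    reaches through the tunnel, so there is no source/destination to invert.
access-list split-tunnel standard permit 196.26.12.64 255.255.255.192

group-policy ra-engineers internal
group-policy ra-engineers attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

! 2. Client pool: a range that terminates on the outside interface, kept off
!    the DMZ subnet, so no route pointing the pool "behind" the DMZ is needed.
ip local pool ra-pool 192.0.2.10-192.0.2.100 mask 255.255.255.0

tunnel-group ra-engineers type ipsec-ra
tunnel-group ra-engineers general-attributes
 address-pool ra-pool
 default-group-policy ra-engineers

! Exempt pool <-> DMZ traffic from NAT (assumed to be needed; otherwise
! replies from the server farm are translated and never reach the client).
access-list nonat extended permit ip 196.26.12.64 255.255.255.192 192.0.2.0 255.255.255.0
nat (dmz) 0 access-list nonat

! 3. Only if 196.26.12.64/26 really lies out the outside (default route):
!    client traffic then enters and leaves the same interface (hairpinning),
!    which the firewall drops unless this is set.
same-security-traffic permit intra-interface
```

Verify the result with `show route` (the pool must not appear behind the DMZ) and `show run group-policy` (the split list should name only the destination networks).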
