VPN Tunnel UP but no traffic passing (PIX515)

I'm setting up remote access for offsite engineers to access my network (using Cisco VPN Client). I use a PIX 515E, software version 7.0(3)20, as a VPN server. I can establish a tunnel, but I cannot access any network resources. I can also ping the outside interface of the PIX. This is my setup: internet-router-pix-dmz (server farm). Attached please find my configuration. Thanks in advance.

1 Accepted Solution

jeromecandiff
Level 1

After a quick look at your policy it appears that the IP pool, which is assigned to clients behind the Outside interface, is routed behind the DMZ. I don't think this will work.

Additionally, the split policy that is defined appears to be backwards. I'm pretty sure that you intend to send traffic FROM the IP pool to 196.26.12.64/26. Your split ACL is defined the other way around.

Also, your routing table does not contain a route for the 196 network, so the firewall will use the default route on the outside. If this is intentional, both the clients and the dst reside on the outside, which is considered hairpinning. This is allowed on the ASA only with the Same-Security setting configured.

2 Replies

Lovely! It's all working now... it was the reverse split policy. Thanks a lot.