05-03-2010 09:52 PM - edited 02-21-2020 04:38 PM
Hello all,
I have a problem and need your help. Our users will use VPN to remotely access the office internal private network; they are assigned IP addresses from 192.168.1.0-192.168.1.254.
We are using a Juniper firewall as our Internet firewall and it points to the ISP PE router for Internet access. The VPN clients terminate at a PIX 515 firewall.
This PIX has 2 interfaces: one facing the Internet and the other facing another ASA firewall which controls the traffic to the internal network.
I have added the route for this segment in the ASA and other network devices, and the PIX has a default route to the Juniper and a route for the internal network to the ASA.
When the user uses the Cisco VPN client to connect, the tunnel is established successfully, and the PIX will automatically add a host route 192.168.1.1/32 to the Juniper firewall.
The problem is that the VPN client cannot ping or do remote desktop to the internal private network. I have checked the ACL in the ASA and the routes in the ASA for both directions, and they are correct.
Would you please tell me how the routing works when the VPN client establishes a tunnel with the PIX, because from the client, its default gateway is the IP address itself; for example the client has IP address 192.168.1.1 and the gateway is also 192.168.1.1.
Thank you
Terry
05-04-2010 04:39 AM
On the PIX, please check if you have configured NAT exemption for traffic from the inside network towards the vpn pool (192.168.1.0/24).
Plus the internal network should route the 192.168.1.0/24 subnet towards the PIX inside interface.
05-04-2010 06:14 PM
Dear Halijenn,
There is no NAT for this IP address range and I have already set up a static route for this IP address range to the PIX inside interface.
Thank you
05-04-2010 08:19 PM
Terry,
If you have not configured split-tunneling, then all traffic is going to be sent from the client to the PIX.
You can check this on the client (when connected), checking the statistics and route details.
If the route is 0.0.0.0 0.0.0.0, that means that all traffic is being sent through the tunnel.
If you want to only send the traffic intended to the local LAN through the tunnel, you should configure split-tunneling.
The PIX/ASA by default allows VPN traffic to pass through the tunnel without being checked by the outside ACL.
Make sure you have the command: sysopt connection permit-ipsec or sysopt connection permit-vpn
Also, make sure that nat-t is enabled on both PIX/ASA and client.
Add the command: management-access inside and try to PING the inside IP of the PIX from the VPN client.
If traffic still does not flow through the tunnel, check the output of: sh cry ips sa to check the status of the encrypted/decrypted packets from the PIX perspective.
Let us know if you have any questions.
Federico.
05-05-2010 12:12 AM
Hi Federico,
There is a route 0.0.0.0 0.0.0.0 in the VPN client when it connects to the VPN tunnel.
The command sysopt connection permit-vpn also appears in the PIX.
Would you please tell me how to check the nat-t status? Is it the normal NAT?
When checking sh cry ips sa, the number of decap packets is 4 times the number of encap packets.
Thank you
Best Regards,
Terry Chow
05-05-2010 07:49 AM
Terry,
If you do have packets encrypted/decrypted that means traffic is flowing through the already-established tunnel.
Have you tried the command: management-access inside
and attempting to PING the inside IP of the PIX from the VPN client?
Also, enter the command: crypto isakmp nat-t
Federico.
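The two checks Federico describes (reading the encap/decap counters from sh cry ips sa, and confirming the sysopt, nat-t and management-access commands are present) can be scripted. This is an added example, not code from the thread or from Cisco; the SA output and the running-config excerpt are constructed samples with hypothetical names, and the counter values mirror Terry's observation (decaps about 4x encaps).

```python
import re

# Constructed sample of PIX/ASA "show crypto ipsec sa" output (hypothetical
# addresses); counters are made up to mirror the thread: decaps ~4x encaps.
SAMPLE_SA = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 10, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
      #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
      #pkts decaps: 48, #pkts decrypt: 48, #pkts verify: 48
"""
# Constructed running-config excerpt; it deliberately lacks the NAT exemption.
SAMPLE_CONFIG = """\
ip local pool VPNPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
sysopt connection permit-vpn
crypto isakmp nat-traversal 20
route inside 10.0.0.0 255.255.255.0 10.1.1.2 1
"""

SA_RE = re.compile(
    r"remote ident.*?: \((?P<peer>[\d.]+)/.*?"
    r"#pkts encaps: (?P<encaps>\d+).*?#pkts decaps: (?P<decaps>\d+)", re.S)

def parse_ipsec_sa(text):
    """One dict per SA: the client's pool address and the encap/decap counters."""
    return [{"peer": m["peer"], "encaps": int(m["encaps"]), "decaps": int(m["decaps"])}
            for m in SA_RE.finditer(text)]

def diagnose_sa(sa, one_way_ratio=3.0):
    """Classify the flow from the firewall's side (decaps = packets from the client)."""
    if sa["decaps"] == 0 and sa["encaps"] == 0:
        return "idle"           # tunnel up but nothing sent: check client route table
    if sa["encaps"] == 0 or sa["decaps"] / sa["encaps"] >= one_way_ratio:
        return "one_way"        # client traffic arrives, replies do not come back:
                                # check inside routing / NAT exemption / L2 toward pool
    return "bidirectional"

# Checklist distilled from the thread: (label, regex matched per config line).
PREREQS = [
    ("sysopt permit-vpn", r"^sysopt connection permit-(vpn|ipsec)$"),
    ("nat-t", r"^crypto isakmp nat-traversal"),
    ("management-access inside (for ping test)", r"^management-access inside$"),
    ("NAT exemption for pool", r"^nat \(inside\) 0 access-list"),
]

def missing_prereqs(config):
    """Return the labels of checklist items not found in the running-config text."""
    return [label for label, pat in PREREQS if not re.search(pat, config, re.M)]
```

On a real box, feed the script the output of sh cry ips sa and sh run; a "one_way" result with decaps far above encaps points at the return path (inside routing, NAT exemption, or the switches), which is where Terry's fault turned out to be.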
05-05-2010 11:32 PM
Do you mean that you have a tunneled default gateway configured towards the inside next hop?
route inside 0.0.0.0 0.0.0.0
05-06-2010 07:53 PM
Hi Halijenn,
We do not use route inside 0.0.0.0 0.0.0.0.
However, the problem is solved, and we found out there was a MAC-address learning error in the switches.
Thank you.
Best Regards
Terry Chow
05-06-2010 07:56 PM
Perfect, thanks for sharing the issue.