VPN to PIX 515

Answered Question
Jun 21st, 2010

Good day all,


I am trying to configure the VPN client to a PIX 515.  Once VPN'ed in, the traffic goes nowhere but on THAT subnet. The VLAN that we are attempting to reach is a 10.111.250.x/23.  Once VPN'ed in, the IP address assignment is 10.111.250.33 - 10.111.250.63. We can VPN in and get the VPN-assigned IP address, but we cannot get anywhere on the inside VLAN.  I was pretty sure this could be done as a layer 2.  You can see the ARPed entries of the VPN-assigned addresses and the inside VLAN address on the PIX.


Keep in mind, my first thought was to change the VPN-assigned address, but we do not want to route on this particular VLAN as access is very limited.


Is there a way to make this work?  If I have to redo attributes and policy, I can.


thank you


Dwane

Federico Coto F... Mon, 06/21/2010 - 06:54

Hi,


It is recommended to have a separate pool of VPN addresses that won't overlap with the internal network.

Also check a couple of things:


1. Enter the command ''management-access inside'' and make sure that you can PING the inside IP of the PIX from the VPN client.

2. Make sure the command ''sysopt connection permit-ipsec'' is in the configuration.

3. Check that NAT-T is enabled on both the PIX and the VPN client.


If it still does not work, please post the output of ''sh cry ips sa''.


Federico.

dpatkins Mon, 06/21/2010 - 08:00

Thanks for the quick input.  I did perform a sysopt connection permit-vpn on the 515.  Management of this device will actually be external (outside).  And NAT-T is on.


interface: outside
    Crypto map tag:testmap, seq num: 10, local addr: 10.10.10.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.111.250.34/255.255.255.255/0/0)
      current_peer: 24.227.157.73, username: cisco
      dynamic allocated peer ip: 10.111.250.34

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.10/4500, remote crypto endpt.: 24.227.157.73/1083
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: DA019F59

    inbound esp sas:
      spi: 0x75FDCE49 (1979567689)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 11, crypto-map: debmap
         sa timing: remaining key lifetime (sec): 28742
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xDA019F59 (3657539417)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 11, crypto-map: debmap
         sa timing: remaining key lifetime (sec): 28740
         IV size: 16 bytes
         replay detection support: Y

Correct Answer
Federico Coto F... Mon, 06/21/2010 - 08:10

The output shows that the PIX is decrypting the packets but not encrypting.

So, there's a good chance that the packets are sent to the internal network but not coming back.


Check the following:

management-access inside  --> this command is to allow PING to the inside IP of the PIX from the VPN (make sure you can PING this IP when connected)


Check that the default gateway of the inside network (behind the PIX) is the actual inside IP of the PIX.


After these tests, post again ''sh cry ips sa''


Federico.

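As an added example (not from the original thread), the following Python script reads the counters from a ''show crypto ipsec sa'' excerpt like the one posted above and flags the one-way pattern Federico describes (decaps climbing while encaps stays at 0); it also checks whether a VPN pool such as 10.111.250.33-63 overlaps the inside subnet, the overlap his first reply recommends avoiding. The excerpt and addresses are constructed placeholders in the shape of the posted output.

```python
import re
import ipaddress

# Constructed excerpt in the shape of the PIX 'show crypto ipsec sa' output
# posted in this thread (placeholder addresses, not real hosts).
SAMPLE_SA = """\
interface: outside
    Crypto map tag: testmap, seq num: 10, local addr: 10.10.10.10
      remote ident (addr/mask/prot/port): (10.111.250.34/255.255.255.255/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #send errors: 0, #recv errors: 0
"""

def parse_sa_counters(text):
    """Pull the client's VPN address and the encaps/decaps counters out of the output."""
    counters = {}
    m = re.search(r"remote ident .*?\((\d+\.\d+\.\d+\.\d+)/", text)
    counters["peer_ip"] = m.group(1) if m else None
    for key in ("encaps", "decaps"):
        m = re.search(r"#pkts %s: (\d+)" % key, text)
        counters[key] = int(m.group(1)) if m else 0
    return counters

def classify_traffic(counters):
    """decaps > 0 with encaps == 0 means the PIX receives the client's packets but
    never sends anything back, so the return path (inside hosts' default gateway,
    address overlap) is what to check, not the tunnel setup itself."""
    enc, dec = counters["encaps"], counters["decaps"]
    if enc == 0 and dec == 0:
        return "no-traffic"
    if enc == 0:
        return "inbound-only"
    if dec == 0:
        return "outbound-only"
    return "bidirectional"

def pool_overlaps_inside(pool_first, pool_last, inside_net):
    """True if any address of the VPN pool falls inside the internal subnet; inside
    hosts then treat those addresses as on-link and ARP for them instead of sending
    replies to their gateway."""
    net = ipaddress.ip_network(inside_net, strict=False)
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    return first <= net.broadcast_address and last >= net.network_address

if __name__ == "__main__":
    c = parse_sa_counters(SAMPLE_SA)
    print(c, classify_traffic(c))  # inbound-only for the sample above
    print(pool_overlaps_inside("10.111.250.33", "10.111.250.63", "10.111.250.0/23"))
```
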
dpatkins Mon, 06/21/2010 - 08:28

I can now ping to the internal network.  I am not sure what we did to correct this, but it is now working.  Thank you for your help.


Dwane
