Vpn clients can't access one remote internal network


I have a PIX 515E with multiple VPN connections going to our remote locations across the country. I am having a problem where, when someone connects to the PIX with the Cisco VPN client, they can't access one of our remote locations through a site-to-site VPN connection. They can access the other site-to-site VPN remote networks, just not this one. I've been pulling my hair out on this one. Help!


Main PIX 515E


name 192.168.1.200 MAIL_INTERNAL
name 209.101.124.2 MAIL_EXTERNAL
name 192.168.11.0 Morgan_Hill
name 192.168.111.0 Escondido
name 10.126.19.0 Alabama
dns-guard


network-object 10.126.18.0 255.255.255.0
network-object 10.126.26.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 192.168.111.0 255.255.255.0
network-object 10.126.24.0 255.255.255.0
network-object 10.126.25.0 255.255.255.0
network-object 10.126.1.0 255.255.255.0
network-object 10.1.11.0 255.255.255.0
network-object 10.126.27.0 255.255.255.0
network-object 10.126.19.0 255.255.255.0
network-object 192.168.252.0 255.255.255.0


interface Ethernet1
speed 10
duplex full
nameif inside
security-level 100
ip address 10.126.1.254 255.255.255.0


access-list vpn_to_site_dynamic extended permit ip 10.126.24.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list vpn_to_site_dynamic extended permit ip 10.126.11.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list vpn_to_site_dynamic extended permit ip 10.126.27.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list vpn_to_site_dynamic extended permit ip 10.126.19.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list vpn_to_site_dynamic extended permit ip 10.126.17.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list vpn_to_site_dynamic extended permit ip 10.126.28.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list vpn_to_site_dynamic extended permit ip 192.168.1.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list vpn_to_site_dynamic extended permit ip 192.168.111.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list vpn_to_site_dynamic extended permit ip 10.1.11.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list vpn_to_site_dynamic extended permit ip 10.126.25.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list vpn_to_site_dynamic extended permit ip 10.126.16.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list vpn_to_site_dynamic extended permit ip 10.126.26.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list vpn_to_site_dynamic extended permit ip 10.126.18.0 255.255.255.0 192.168.252.0 255.255.255.0

access-list nonat extended permit ip 10.126.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list nonat extended permit ip 10.126.1.0 255.255.255.0 10.126.25.0 255.255.255.0
access-list nonat extended permit ip 10.126.1.0 255.255.255.0 10.126.24.0 255.255.255.0
access-list nonat extended permit ip 10.126.1.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list nonat extended permit ip 10.126.1.0 255.255.255.0 10.1.11.0 255.255.255.0
access-list nonat extended permit ip 10.126.1.0 255.255.255.0 10.126.19.0 255.255.255.0
access-list nonat extended permit ip 10.126.1.0 255.255.255.0 10.126.17.0 255.255.255.0
access-list nonat extended permit ip 10.126.1.0 255.255.255.0 10.126.26.0 255.255.255.0
access-list nonat extended permit ip 10.1.100.0 255.255.255.0 10.126.19.0 255.255.255.0
access-list nonat extended permit ip 10.1.100.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list nonat extended permit ip 10.126.1.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list nonat extended permit ip 192.168.252.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list nonat extended permit ip 10.1.100.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list nonat extended permit ip 10.126.1.0 255.255.255.0 10.126.18.0 255.255.255.0
access-list nonat extended permit ip 10.126.1.0 255.255.255.0 10.126.27.0 255.255.255.0
access-list nonat extended permit ip 10.126.27.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.11.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.111.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list nonat extended permit ip 10.126.1.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list nonat extended permit ip 10.126.1.0 255.255.255.0 10.1.60.0 255.255.255.0
access-list nonat extended permit ip object-group Local_LAN object-group Remote_LAN
access-list nonat extended permit ip 10.126.1.0 255.255.255.0 10.126.28.0 255.255.255.0

access-list split_tunnel standard permit 192.168.252.0 255.255.255.0
access-list split_tunnel standard permit 192.168.111.0 255.255.255.0
access-list split_tunnel standard permit 10.1.11.0 255.255.255.0
access-list split_tunnel standard permit 192.168.11.0 255.255.255.0
access-list split_tunnel standard permit 10.126.18.0 255.255.255.0
access-list split_tunnel standard permit 10.126.19.0 255.255.255.0
access-list split_tunnel standard permit 10.126.17.0 255.255.255.0
access-list split_tunnel standard permit 10.126.16.0 255.255.255.0
access-list split_tunnel standard permit 10.126.25.0 255.255.255.0
access-list split_tunnel standard permit 10.126.26.0 255.255.255.0
access-list split_tunnel standard permit 10.1.100.0 255.255.255.0
access-list split_tunnel standard permit 10.126.1.0 255.255.255.0
access-list split_tunnel standard permit 10.126.28.0 255.255.255.0
access-list vpn_to_site_irs extended permit ip 192.168.11.0 255.255.255.0 10.1.11.0 255.255.255.0
access-list vpn_to_site_irs extended permit ip 192.168.111.0 255.255.255.0 10.1.11.0 255.255.255.0
access-list vpn_to_site_irs extended permit ip 192.168.252.0 255.255.255.0 10.1.11.0 255.255.255.0
access-list vpn_to_site_irs extended permit ip 10.126.1.0 255.255.255.0 10.1.11.0 255.255.255.0
access-list vpn_to_site_irs extended permit ip 10.1.100.0 255.255.255.0 10.1.11.0 255.255.255.0
access-list capt extended permit ip host 64.68.123.229 any
access-list capt extended permit ip any host 64.68.123.229
access-list vpn_to_site_nh extended permit ip 192.168.111.0 255.255.255.0 10.126.18.0 255.255.255.0
access-list vpn_to_site_nh extended permit ip 192.168.11.0 255.255.255.0 10.126.18.0 255.255.255.0
access-list vpn_to_site_nh extended permit ip 192.168.252.0 255.255.255.0 10.126.18.0 255.255.255.0
access-list vpn_to_site_nh extended permit ip 10.1.100.0 255.255.255.0 10.126.18.0 255.255.255.0
access-list vpn_to_site_al extended permit ip 192.168.111.0 255.255.255.0 10.126.19.0 255.255.255.0
access-list vpn_to_site_al extended permit ip 192.168.11.0 255.255.255.0 10.126.19.0 255.255.255.0
access-list vpn_to_site_al extended permit ip 192.168.252.0 255.255.255.0 10.126.19.0 255.255.255.0
access-list vpn_to_site_al extended permit ip 10.126.1.0 255.255.255.0 10.126.19.0 255.255.255.0
access-list vpn_to_site_al extended permit ip 10.1.100.0 255.255.255.0 10.126.19.0 255.255.255.0
access-list vpn_to_site_lm extended permit ip 192.168.11.0 255.255.255.0 10.126.25.0 255.255.255.0
access-list vpn_to_site_lm extended permit ip 192.168.252.0 255.255.255.0 10.126.25.0 255.255.255.0
access-list vpn_to_site_lm extended permit ip 192.168.111.0 255.255.255.0 10.126.25.0 255.255.255.0
access-list vpn_to_site_lm extended permit ip 10.126.16.0 255.255.255.0 10.126.25.0 255.255.255.0
access-list vpn_to_site_lm extended permit ip 10.126.1.0 255.255.255.0 10.126.25.0 255.255.255.0
access-list vpn_to_site_lm extended permit ip 10.1.100.0 255.255.255.0 10.126.25.0 255.255.255.0
access-list vpn_to_site_ob extended permit ip 192.168.11.0 255.255.255.0 10.126.26.0 255.255.255.0
access-list vpn_to_site_ob extended permit ip 192.168.252.0 255.255.255.0 10.126.26.0 255.255.255.0
access-list vpn_to_site_ob extended permit ip 192.168.12.0 255.255.255.0 10.126.26.0 255.255.255.0
access-list vpn_to_site_ob extended permit ip 192.168.111.0 255.255.255.0 10.126.26.0 255.255.255.0
access-list vpn_to_site_ob extended permit ip 10.126.1.0 255.255.255.0 10.126.26.0 255.255.255.0
access-list vpn_to_site_ob extended permit ip 10.1.100.0 255.255.255.0 10.126.26.0 255.255.255.0
access-list vpn_to_site_mh extended permit ip 10.126.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list outside_cryptomap_30 extended permit ip 209.101.124.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.126.27.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 10.1.60.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.111.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list vpn_to_site_sc extended permit ip 10.1.100.0 255.255.255.0 10.126.24.0 255.255.255.0
access-list vpn_to_site_oakbrook extended permit ip 10.126.1.0 255.255.255.0 10.126.27.0 255.255.255.0
access-list vpn_to_site_oakbrook extended permit ip 10.1.100.0 255.255.255.0 10.126.27.0 255.255.255.0
access-list acl_out extended permit icmp any any unreachable
access-list test extended permit ip host 10.1.60.169 host 10.126.1.64
access-list test extended permit ip host 10.126.1.64 host 10.1.60.169
access-list outside_cryptomap_2 extended permit ip object-group Local_LAN object-group Remote_LAN
access-list vpn_to_site_tx extended permit ip 10.126.1.0 255.255.255.0 10.126.28.0 255.255.255.0
access-list vpn_to_site_tx extended permit ip 192.168.11.0 255.255.255.0 10.126.28.0 255.255.255.0
access-list vpn_to_site_tx extended permit ip 192.168.111.0 255.255.255.0 10.126.28.0 255.255.255.0
access-list vpn_to_site_tx extended permit ip 10.126.16.0 255.255.255.0 10.126.28.0 255.255.255.0
access-list vpn_to_site_tx extended permit ip 10.1.100.0 255.255.255.0 10.126.28.0 255.255.255.0
access-list inside-out-acl extended deny ip any host 69.63.176.140
access-list inside-out-acl extended permit ip any any 

nat-control
global (outside) 1 209.101.124.20-209.101.124.126
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

access-group inbound in interface outside
access-group inside-out-acl in interface inside

group-policy vpn3000 internal
group-policy vpn3000 attributes
wins-server value 10.126.1.203
dns-server value 10.126.1.203 192.168.11.217
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value corporate.bgsurplus.com
nem enable
group-policy vpn-hw-client-group internal
group-policy vpn-hw-client-group attributes
dns-server value 192.168.1.203


Main network 10.126.1.0

Remote Network 10.126.18.0

Client VPN Pool 192.168.252.0


Internally we can access all of the remote networks just fine.

The Cisco VPN client connects to the PIX 515E and is then routed around internally.


PIX 501 Remote Network

access-list nonat permit ip 10.126.18.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list nonat permit ip 10.126.18.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list nonat permit ip 10.126.18.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list nonat permit ip 10.126.18.0 255.255.255.0 10.126.25.0 255.255.255.0
access-list nonat permit ip 10.126.18.0 255.255.255.0 10.126.26.0 255.255.255.0
access-list nonat permit ip 10.126.18.0 255.255.255.0 10.126.1.0 255.255.255.0
access-list nonat permit ip 10.126.18.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list nonat permit ip 10.126.18.0 255.255.255.0 10.1.80.0 255.255.255.0
access-list vpn_to_site_redondo permit ip 10.126.18.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list vpn_to_site_redondo permit ip 10.126.18.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list vpn_to_site_redondo permit ip 10.126.18.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list vpn_to_site_redondo permit ip 10.126.18.0 255.255.255.0 10.126.1.0 255.255.255.0
access-list vpn_to_site_redondo permit ip 10.126.18.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list inbound permit icmp any any
access-list vpn_to_site_lm permit ip 10.126.18.0 255.255.255.0 10.126.25.0 255.255.255.0
pager lines 24

ip address inside 10.126.18.1 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection tcpmss 1300
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address vpn_to_site_redondo
crypto map newmap 10 set peer 209.101.124.3
crypto map newmap 10 set transform-set myset
crypto map newmap 10 set security-association lifetime seconds 360 kilobytes 8192
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address vpn_to_site_lm
crypto map newmap 20 set peer 12.12.12.12
crypto map newmap 20 set transform-set myset
crypto map newmap 20 set security-association lifetime seconds 360 kilobytes 8192
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 10.101.01.0 netmask 255.255.255.255
isakmp key ******** address 11.11.11.11 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash sha
isakmp policy 15 group 1
isakmp policy 15 lifetime 86400
telnet 192.168.252.0 255.255.255.0 inside
telnet 10.126.18.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 10.126.18.50-10.126.18.75 inside
dhcpd dns 10.126.1.203 192.168.11.217
dhcpd wins 10.126.1.203
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain corporate.bgsurplus.com
dhcpd enable inside
terminal width 80


Any help would be greatly appreciated.

Todd Pula Tue, 07/20/2010 - 11:07

I would review the client-to-site and site-to-site IPSec SAs in order to understand where the traffic flow is breaking down.  Look at the flow discretely in each direction.  Do you see your test traffic being encapsulated by the connected client and decapsulated on the hub PIX?  Do you then see the traffic being encapsulated towards the remote VPN spoke?  Is this traffic being decapsulated by the spoke PIX and then the response traffic being encapsulated?  Does the hub PIX decapsulate this traffic?  One piece that I do not see in your hub config is a NAT exemption ACE for the 10.126.18.0 to 192.168.252.0 networks.  You will need this in order to prevent the return traffic from being processed by NAT.

I have the statement in bold letters for the nonat statement on the hub configuration, but I will duplicate that statement here:

access-list nonat permit ip 10.126.18.0 255.255.255.0 192.168.252.0 255.255.255.0


I mirrored the same configuration of another remote VPN site-to-site location that does work, word for word, other than changing the remote location's IP address, but it still doesn't work to this location for some reason, which is the reason I'm asking for help. I tried all of the obvious things and I'm at a loss.


I hope this helps.

Jitendriya Athavale Wed, 07/21/2010 - 11:03

Could you please paste the output of the show cry ipsec sa command on both sides for the relevant traffic:


sh cry ips sa peer | b 192.168.152.0


Probably this should give us what we need.


So what we will do is see where the issue lies, whether with the ASA or the PIX.

mireynol Fri, 07/23/2010 - 08:41

So it looks like on the head end you are trying to hairpin the IPSec remote access traffic back out the outside interface to where it terminates on a remote L2L tunnel that also terminates on the outside.  Based on your config, try this on the head end:


access-list L2L_Hairpin permit ip 192.168.252.0 255.255.255.0 10.126.18.0 255.255.255.0
!
nat (outside) 0 access-list L2L_Hairpin
!
same-security-traffic permit intra-interface
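
The check behind this advice can be scripted. The following Python is an added example, not code from the thread: it parses the PIX `access-list`, `nat (iface) 0 access-list` and `same-security-traffic` lines and lists what the hub still lacks for a hairpinned pool-to-spoke flow. The `HUB` text is a constructed subset of the hub config quoted above and `FIX` is the three lines suggested in this reply; the flow is assumed to enter on `outside` (the remote-access tunnel) and leave on the same interface.

```python
"""Check a PIX hub config for what a hairpinned remote-access -> L2L flow needs.
Added example: not the poster's configuration tooling. Assumes classic PIX
'access-list' / 'nat (iface) 0 access-list' syntax as shown in the thread."""
import re
from ipaddress import IPv4Network

# Addresses are matched as dotted digits so object-group ACEs are skipped, not mis-parsed.
EXT = re.compile(r"access-list (\S+) (?:extended )?permit ip (\d[\d.]*) (\d[\d.]*) (\d[\d.]*) (\d[\d.]*)")
STD = re.compile(r"access-list (\S+) standard permit (\d[\d.]*) (\d[\d.]*)")
NAT0 = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")
ANY = IPv4Network("0.0.0.0/0")

def net(addr, mask):
    return IPv4Network(f"{addr}/{mask}")

def parse(config):
    """Return (acls, nat0): acls maps name -> [(src, dst)] (standard ACLs get an
    any-source), nat0 maps interface -> name of its NAT exemption ACL."""
    acls, nat0 = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := EXT.match(line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := STD.match(line):
            acls.setdefault(m[1], []).append((ANY, net(m[2], m[3])))
        elif m := NAT0.match(line):
            nat0[m[1]] = m[2]
    return acls, nat0

def covers(entries, src, dst):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def hairpin_gaps(config, pool, spoke, split_acl, entry_iface="outside"):
    """Missing pieces for pool -> spoke traffic that arrives on entry_iface and
    must be re-encrypted out of the same interface towards the spoke."""
    acls, nat0 = parse(config)
    pool, spoke = IPv4Network(pool), IPv4Network(spoke)
    gaps = []
    if not covers(acls.get(split_acl, []), ANY, spoke):
        gaps.append(f"split-tunnel list {split_acl} does not include {spoke}")
    if not any(covers(e, pool, spoke) for n, e in acls.items() if n != split_acl):
        gaps.append(f"no extended ACL (crypto map match) for {pool} -> {spoke}")
    if not covers(acls.get(nat0.get(entry_iface, ""), []), pool, spoke):
        gaps.append(f"no nat ({entry_iface}) 0 exemption for {pool} -> {spoke}")
    if "same-security-traffic permit intra-interface" not in config:
        gaps.append("same-security-traffic permit intra-interface missing")
    return gaps

# Constructed subset of the hub config from the thread, plus the suggested fix lines.
HUB = """access-list nonat extended permit ip 10.126.1.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list split_tunnel standard permit 10.126.18.0 255.255.255.0
access-list vpn_to_site_nh extended permit ip 192.168.252.0 255.255.255.0 10.126.18.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
FIX = """access-list L2L_Hairpin permit ip 192.168.252.0 255.255.255.0 10.126.18.0 255.255.255.0
nat (outside) 0 access-list L2L_Hairpin
same-security-traffic permit intra-interface
"""
```

Running `hairpin_gaps(HUB, "192.168.252.0/24", "10.126.18.0/24", "split_tunnel")` reports the missing `nat (outside) 0` exemption and the missing intra-interface permit, while the same call on `HUB + FIX` returns an empty list.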
