VPN client PC can receive the settings from the PIX firewall

Unanswered Question
Apr 25th, 2006

Hi All,


I am trying to set up an IP pool on a different subnet from my local LAN. If I set up a VPN pool using my internal LAN addresses, everything works fine.


When I use an IP pool other than my local LAN, I can connect to the PIX and the VPN client PC receives the settings from the PIX firewall; however, I am unable to see the local LAN.


Below is the config. Am I missing a route or an access-list?


All help gratefully appreciated.


PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 192.168.10.253 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.253 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 131.131.x.x.255.255.0
!
enable password xxxx
passwd xxxx
hostname pixfirewall
domain-name wtm
ftp mode passive
clock timezone EST 10
access-list Outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any 10.10.10.224 255.255.255.240
access-list Outside_cryptomap_dyn_20 extended permit ip any 10.10.10.224 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu Outside 1500
ip local pool Dial-In 10.10.11.1-10.10.11.239 mask 255.255.255.0
monitor-interface inside
monitor-interface DMZ
monitor-interface Outside
asdm image flash:/asdm-501.bin
asdm location 10.10.10.224 255.255.255.240 inside
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 192.168.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy try internal
group-policy try attributes
 dns-server value 10.10.10.16 10.10.10.2
username xxx password xxx encrypted privilege 0
username xxxx attributes
 vpn-group-policy try
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp identity address
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group try type ipsec-ra
tunnel-group try general-attributes
 address-pool Dial-In
 default-group-policy try
tunnel-group try ipsec-attributes
 pre-shared-key welcome
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxxx
: end




spremkumar Tue, 04/25/2006 - 22:02

Hi


Can you change this and try?


no access-list inside_nat0_outbound extended permit ip any 10.10.10.224 255.255.255.240

access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0


regds


xbw Wed, 04/26/2006 - 01:03

My latest configuration is as follows. My client can connect with the PIX (218.87.6.77, ISP address), but still can't ping any inside host. What can I do? Help me, thanks!

: Saved
:
PIX Version 7.0(4)12
!
hostname pixfirewall
domain-name default.domain.invalid
enable password xxxx
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 218.87.x.x.255.255.192 standby 218.x.x.76
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 168.50.x.x.x.255.0 standby 168.x.x.151
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd xxxx
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.240
access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.240
access-list Outside_access_in extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool hpcisco 10.10.10.1-10.10.10.10 mask 255.255.255.0
failover
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 168.x.x.x.255.255.0
access-group Outside_access_in in interface outside
route outside 0.0.0.0 0.x.x.x.87.6.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username xxxx password xxxx
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group hpcisco type ipsec-ra
tunnel-group hpcisco general-attributes
 address-pool hpcisco
tunnel-group hpcisco ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:xxxx
: end


spremkumar Wed, 04/26/2006 - 02:23

Hi


Then create an access-list permitting the traffic from your local LAN to the VPN IP pool and bind it to the nat 0 statement, so that the reverse flow doesn't get NATed.


access-list inside_nat0_outbound extended permit ip 168.50.6.0 255.255.255.0 10.10.10.0 255.255.255.0


regds


xbw Wed, 04/26/2006 - 03:05

My latest configuration is as follows. My user and password are hpcisco; can you connect to my PIX and help me? Thanks.



asdm image flash:/asdm-501.bin
no asdm history enable
: Saved
:
PIX Version 7.0(4)12
!
hostname pixfirewall
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 218.87.6.77 255.255.255.192 standby 218.87.6.76
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 168.50.6.150 255.255.255.0 standby 168.50.6.151
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 168.50.6.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.240
access-list Outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool hpcisco 10.10.10.1-10.10.10.10 mask 255.255.255.0
failover
monitor-interface outside
monitor-interface inside
icmp permit any outside
icmp permit any inside
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 168.50.6.0 255.255.255.0
access-group Outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 218.87.6.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username hpcisco password qBAk4em/9YLY0.2x encrypted
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group hpcisco type ipsec-ra
tunnel-group hpcisco general-attributes
 address-pool hpcisco
tunnel-group hpcisco ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:8cdd22aa73f7a58ebabb7eb0eb20a417
: end



Fernando_Meza Wed, 04/26/2006 - 16:23

I think you might have some issue with this instruction:


access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.240


I suggest changing it to:

access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.0
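The two replies above (spremkumar's nat 0 exemption and Fernando_Meza's crypto-map mask) both come down to one check: every ACL that the VPN depends on must cover the whole address range handed out by `ip local pool`. The following Python checker is an added example, not code from the thread or from Cisco; it parses the relevant PIX 7.x lines (constructed from the original poster's config) and reports any nat 0 or dynamic crypto-map ACL whose destination misses part of the pool, before and after spremkumar's nat 0 line is applied.

```python
"""Lint a PIX 7.x remote-access VPN config: the nat 0 exemption ACL and the dynamic
crypto-map ACL must both cover the addresses handed out by 'ip local pool'."""
import ipaddress

# Constructed sample from the first post: pool on 10.10.11.x, both ACLs on 10.10.10.224/28.
BAD_NAT0 = "access-list inside_nat0_outbound extended permit ip any 10.10.10.224 255.255.255.240"
SAMPLE_CONFIG = f"""
ip local pool Dial-In 10.10.11.1-10.10.11.239 mask 255.255.255.0
{BAD_NAT0}
access-list Outside_cryptomap_dyn_20 extended permit ip any 10.10.10.224 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
"""
# spremkumar's suggestion applied: only the nat 0 ACL line changes.
NAT0_FIXED = SAMPLE_CONFIG.replace(BAD_NAT0, "access-list inside_nat0_outbound extended "
                                   "permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0")

def _net(tok, i):
    """Consume one ACL address spec ('any' or 'addr mask') at tok[i]; return (network, next i)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse(text):
    """Return (pools, acls, nat0_acl_names, crypto_acl_names) from PIX config text."""
    pools, acls, nat0, crypto = {}, {}, [], []
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _net(t, 5)
            acls.setdefault(t[1], []).append((src, _net(t, i)[0]))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0.append(t[4])
        elif t[:2] == ["crypto", "dynamic-map"] and "match" in t:
            crypto.append(t[t.index("address") + 1])
    return pools, acls, nat0, crypto

def lint(text):
    """Return one finding per nat 0 / crypto ACL whose destination misses part of a pool."""
    pools, acls, nat0, crypto = parse(text)
    findings = []
    for name, (first, last) in pools.items():
        for kind, names in (("nat 0", nat0), ("crypto", crypto)):
            for acl in names:
                if not any(first in dst and last in dst for _, dst in acls.get(acl, [])):
                    findings.append(f"{kind} ACL {acl} does not cover pool {name} ({first}-{last})")
    return findings
```

Running `lint(NAT0_FIXED)` shows that the nat 0 finding disappears while the crypto-map ACL, still pointing at 10.10.10.224/28, is reported until it is changed to span the pool as well.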

xbw Wed, 04/26/2006 - 19:09

I changed the access-list, but I still can't ping the local PIX (inside) or other hosts.
