VPN client PC can receive the settings from the PIX firewall

xbw
Level 1

Hi All,

I am trying to setup an IP Pool on a different subnet than my local LAN. If I setup a vpn pool using my internal LAN addresses everything works fine.

When I use an IP Pool other than my local LAN, I can connect to the PIX and the VPN client PC can receive the settings from the PIX firewall, however I am unable to see the local LAN.

Below is the config; am I missing a route or an access-list?

All help gratefully appreciated.

PIX Version 7.0(1)

names

!

interface Ethernet0

nameif Outside

security-level 0

ip address 192.168.10.253 255.255.255.0

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.10.10.253 255.255.255.0

!

interface Ethernet2

nameif DMZ

security-level 50

ip address 131.131.x.x.255.255.0

!

enable password xxxx

passwd xxxx

hostname pixfirewall

domain-name wtm

ftp mode passive

clock timezone EST 10

access-list Outside_access_in extended permit icmp any any

access-list inside_nat0_outbound extended permit ip any 10.10.10.224 255.255.255.240

access-list Outside_cryptomap_dyn_20 extended permit ip any 10.10.10.224 255.255.255.240

pager lines 24

logging asdm informational

mtu inside 1500

mtu DMZ 1500

mtu Outside 1500

ip local pool Dial-In 10.10.11.1-10.10.11.239 mask 255.255.255.0

monitor-interface inside

monitor-interface DMZ

monitor-interface Outside

asdm image flash:/asdm-501.bin

asdm location 10.10.10.224 255.255.255.240 inside

no asdm history enable

arp timeout 14400

global (Outside) 10 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 0.0.0.0 0.0.0.0

access-group Outside_access_in in interface Outside

route Outside 0.0.0.0 0.0.0.0 192.168.10.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

group-policy try internal

group-policy try attributes

dns-server value 10.10.10.16 10.10.10.2

username xxx password xxx encrypted privilege 0

username xxxx attributes

vpn-group-policy try

http server enable

http 10.10.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20

crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map

crypto map Outside_map interface Outside

isakmp identity address

isakmp enable Outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp nat-traversal 20

telnet 10.10.10.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

tunnel-group try type ipsec-ra

tunnel-group try general-attributes

address-pool Dial-In

default-group-policy try

tunnel-group try ipsec-attributes

pre-shared-key welcome

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:xxxx

: end

6 Replies

spremkumar
Level 9

Hi

Can you change this and try?

no access-list inside_nat0_outbound extended permit ip any 10.10.10.224 255.255.255.240

access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0

regds
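Added example, not code from the thread or from any poster: a small Python check for the mismatch the original post shows, where the nat 0 exemption ACL and the crypto-map ACL both have to cover the VPN address pool. It runs over a constructed excerpt of the first config and over the same excerpt with the ACLs rewritten the way the reply suggests; the function names are my own.

```python
import ipaddress
import re

# Constructed excerpt modelled on the first config in the thread: the pool moved to
# 10.10.11.0/24 while the NAT-exemption and crypto-map ACLs still name 10.10.10.224/28.
BROKEN_CFG = """
ip local pool Dial-In 10.10.11.1-10.10.11.239 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.10.224 255.255.255.240
access-list Outside_cryptomap_dyn_20 extended permit ip any 10.10.10.224 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
"""

# Same excerpt with both ACLs rewritten LAN -> pool subnet, as the reply suggests.
FIXED_CFG = BROKEN_CFG.replace(
    "permit ip any 10.10.10.224 255.255.255.240",
    "permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0")

def parse_pools(cfg):
    """Map each 'ip local pool' name to its (first, last) address."""
    return {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)}

def acl_destinations(cfg, acl):
    """Destination networks of the 'permit ip' entries in ACL `acl` ([] if none bound)."""
    if acl is None:
        return []
    pat = rf"^access-list {re.escape(acl)} extended permit ip (?:any|\S+ \S+) (any|\S+ \S+)$"
    nets = []
    for m in re.finditer(pat, cfg, re.M):
        dst = "0.0.0.0/0" if m[1] == "any" else m[1].replace(" ", "/")
        nets.append(ipaddress.ip_network(dst, strict=False))
    return nets

def bound_acl(cfg, pattern):
    """Name captured by the first line matching `pattern`, or None."""
    m = re.search(pattern, cfg, re.M)
    return m[1] if m else None

def check_pool_coverage(cfg):
    """Per pool: is every address covered by the nat 0 ACL and by the crypto-map ACL?"""
    nat0 = acl_destinations(cfg, bound_acl(cfg, r"^nat \(inside\) 0 access-list (\S+)"))
    ipsec = acl_destinations(cfg, bound_acl(cfg, r"^crypto dynamic-map \S+ \d+ match address (\S+)"))
    covered = lambda nets, lo, hi: any(lo in n and hi in n for n in nets)
    return {name: {"nat0": covered(nat0, lo, hi), "crypto": covered(ipsec, lo, hi)}
            for name, (lo, hi) in parse_pools(cfg).items()}
```

A pool that reports False for either key is exactly the symptom above: the tunnel comes up and the client gets its settings, but return traffic from the LAN is either NATted or never matched by the crypto map.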

My last configuration is as follows. My client can connect with the PIX (218.87.6.77, ISP address), but still can't ping any inside host. How can I do it? Help me, thanks!

: Saved

:

PIX Version 7.0(4)12

!

hostname pixfirewall

domain-name default.domain.invalid

enable password xxxx

names

!

interface Ethernet0

nameif outside

security-level 0

ip address 218.87.x.x.255.255.192 standby 218.x.x.76

!

interface Ethernet1

nameif inside

security-level 100

ip address 168.50.x.x.x.255.0 standby 168.x.x.151

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet5

shutdown

no nameif

no security-level

no ip address

!

passwd xxxx

ftp mode passive

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.240

access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.240

access-list Outside_access_in extended permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip local pool hpcisco 10.10.10.1-10.10.10.10 mask 255.255.255.0

failover

asdm image flash:/asdm-501.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 168.x.x.x.255.255.0

access-group Outside_access_in in interface outside

route outside 0.0.0.0 0.x.x.x.87.6.65 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username xxxx password xxxx

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp nat-traversal 20

tunnel-group hpcisco type ipsec-ra

tunnel-group hpcisco general-attributes

address-pool hpcisco

tunnel-group hpcisco ipsec-attributes

pre-shared-key *

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

ssh version 1

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

Cryptochecksum:xxxx

: end

Hi

Then create an access-list permitting the traffic from your local LAN to the VPN IP pool and bind the same to the nat 0 statement so that the reverse flow doesn't get NATted.

access-list inside_nat0_outbound extended permit ip 168.50.6.0 255.255.255.0 10.10.10.0 255.255.255.0

regds

My last configuration is as follows. My user and password are hpcisco; can you connect to my PIX and help me? Thanks.

asdm image flash:/asdm-501.bin

no asdm history enable

: Saved

:

PIX Version 7.0(4)12

!

hostname pixfirewall

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

ip address 218.87.6.77 255.255.255.192 standby 218.87.6.76

!

interface Ethernet1

nameif inside

security-level 100

ip address 168.50.6.150 255.255.255.0 standby 168.50.6.151

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet5

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip 168.50.6.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.240

access-list Outside_access_in extended permit icmp any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool hpcisco 10.10.10.1-10.10.10.10 mask 255.255.255.0

failover

monitor-interface outside

monitor-interface inside

icmp permit any outside

icmp permit any inside

asdm image flash:/asdm-501.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 168.50.6.0 255.255.255.0

access-group Outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 218.87.6.65 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username hpcisco password qBAk4em/9YLY0.2x encrypted

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp nat-traversal 20

tunnel-group hpcisco type ipsec-ra

tunnel-group hpcisco general-attributes

address-pool hpcisco

tunnel-group hpcisco ipsec-attributes

pre-shared-key *

telnet 0.0.0.0 0.0.0.0 outside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

ssh version 1

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

Cryptochecksum:8cdd22aa73f7a58ebabb7eb0eb20a417

: end

I think you might have some issue with this instruction:

access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.240

I suggest changing it to:

access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.0

I had changed the access-list, but I still can't ping the local PIX (inside) and other hosts.