New Member

no one can seem to help. can you?

I have a PIX 525 and am trying to set up remote access to it. I can connect but I can't ping any IPs on the LAN... at all. In fact the only thing it does is connect and get an IP. Below is the config. I have added a crypto isakmp nat-traversal 30 to it that is not shown.

show config
: Saved
: Written by enable_15 at 06:25:46.787 UTC Fri Oct 18 2013
!
PIX Version 8.0(4)
!
hostname thcvpn01
domain-name somewhere.net
enable password * encrypted
passwd * encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.0.0.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.222.220
domain-name somewhere.net
object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObject
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPPool 10.1.1.40-10.1.1.49
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 28800
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username [username] password [password] encrypted
tunnel-group THCVpnGroup type remote-access
tunnel-group THCVpnGroup general-attributes
address-pool ThcIPPool
tunnel-group THCVpnGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0be52458c95d5dd080d82401982201ee
Thanks,

jeff

9 ACCEPTED SOLUTIONS

Accepted Solutions
Super Bronze

no one can seem to help. can you?

Hi,

The idea with the Split Tunnel configuration was that only traffic towards your LAN would come through the VPN. The Internet traffic from the VPN user would go through its local Internet connection, essentially bypassing the VPN connection.

If you are going to use Full Tunnel mode VPN and want to connect to the Internet then you need the Dynamic PAT rule for the VPN users and also the "same-security-traffic permit inter-interface"

Looking at how you have configured the Dynamic PAT for your internal LAN users

global (outside) 101 interface
nat (inside) 101 10.0.0.0 255.0.0.0

It would seem to me that you would have to configure

nat (outside) 101 10.1.2.0 255.255.255.0

For the VPN users to have Dynamic PAT translation towards the Internet. It should not need the "outside" at the end of the "nat" command as it's only needed when the destination interface has a lower "security-level" than the source interface. In this case the source and destination interface would be the same interface (outside) and therefore it should not be needed.

The previous example command that I gave

nat (outside) 1 10.1.2.0 255.255.255.0

Was wrong on my part as the ID number should be the same as you have (101) and not 1.

The above configuration should not have any effect on your internal LAN users' Internet traffic.

There should also be no need to reload the PIX after making these changes. Depending on whether you have saved your configuration in between, it might actually cause problems.

The configuration you mentioned

vpn-tunnel-protocol IPSec

Doesn't have anything to do with what traffic is allowed through the VPN Connection. It just states in the Group Policy what type of VPN Connection is allowed for this Group Policy's users. Though in your case with the PIX firewall you won't have many other options anyway. But again, it should have no effect on the operation of the VPN. It's just a configuration that tells the PIX specifically what type of VPN is allowed for these users.

- Jouni

Super Bronze

no one can seem to help. can you?

Hi,

To be honest, I don't see why adding that command should cause any problems for users on your LAN since it doesn't in any way match the network on the LAN or have anything to do with its interface.

Could you provide the exact configuration you had with the above added command?

- Jouni

Super Bronze

Re: no one can seem to help. can you?

Hi,

To my understanding the "nat" command does NOT require the parameter "outside" at the end.

This would be needed if you were performing NAT/PAT for these users towards an interface whose "security-level" was higher than the source interface. And in this situation the only interface towards which you are performing NAT/PAT (which the "nat" command is meant for) is the "outside" interface, so essentially the same interface where the NAT/PAT is sourced from. So we see that the "security-level" of the source and the destination interface is equal as the source/destination interface is the same interface.

So try to add it with just

nat (outside) 101 10.1.2.0 255.255.255.0

And then test again.

At least I can't see anything wrong with the configurations since you have

  • Dynamic PAT configuration for the Internet traffic that should apply to all outbound traffic for the internal users. This is done with the "nat" and "global" commands using the ID 101 (except the one mentioned above)
  • NAT0 configuration that enables the VPN users to connect to the internal network and vice versa while avoiding any translations whatsoever. The "nat" command with the ID 0 and using "access-list" accomplishes this.

Naturally you can make the current "inside" users' "nat" command more specific

no nat (inside) 101 10.0.0.0 255.0.0.0
nat (inside) 101 10.0.0.0 255.255.255.0

But other than the above listed thing I don't see any reason why your connections should not work. It would be more logical if you just had problems with the VPN users, but to have the internal traffic to the Internet stop doesn't make sense. The only thing I can see as a possible problem is using the "outside" parameter in the "nat" command meant for the VPN users.

Follow the above instructions and let me know if it helps

- Jouni

33 REPLIES
Super Bronze

no one can seem to help. can you?

Hi,

Please change your LAN network's mask to something else than /8, for example /24 (255.255.255.0)

interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0

Then you could change the VPN Pool to something else also

ip local pool VPN-POOL 10.1.10.1-10.1.10.254

tunnel-group THCVpnGroup general-attributes
no address-pool ThcIPPool
address-pool VPN-POOL

no ip local pool ThcIPPool 10.1.1.40-10.1.1.49

Then you will need NAT0 configurations

access-list INSIDE-NAT0 remark NAT0 configurations
access-list INSIDE-NAT0 permit ip 10.1.1.0 255.255.255.0 10.1.10.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0

- Jouni

New Member

Re: no one can seem to help. can you?

Hi,

Thank you for your reply. I am dying to try this but I am inside of the network at this time. Please help me to understand this.

Change 1 I don't understand: you are requesting that I narrow my subnet and put my IP pool outside of that range? How does this differ from what I have and why is this required? It doesn't seem like it would be. If you could help me understand that, it would be very helpful.

Change 2 I'm not sure exactly what it is doing: is it to allow IP traffic for the IP address range? And use NAT on the inside interface with security level 0 allowing the traffic specified in the access-list?

Thanks,

jeff

Super Bronze

Re: no one can seem to help. can you?

Hi,

No one needs a single connected network with a mask of /8. You are essentially saying to your firewall that it is connected to a network segment that holds the complete 10.0.0.0/8 network. There is really no reason to have such a network mask configured on your interface. It's more likely to cause problems than actually help with anything. Furthermore you will never have as many hosts in the network segment to warrant that mask, nor could such a network be operational with so many hosts broadcasting traffic.

You have the whole 10.0.0.0/8 network configured on the LAN interface of the PIX, yet you are using a minor fraction of those addresses in the VPN Pool. If your hosts on the LAN actually were using the network mask /8 then this would mean that they would never forward the traffic from the LAN to the PIX to the VPN user. The reason is that because of the /8 mask they would think the VPN users were part of their connected network and therefore with ARP they would try to determine the MAC address of the host (which is actually not directly connected as it's behind the PIX) and would fail.

It's simpler if you keep your subnets using a /24 mask for users. You can then also allocate one /24 subnet for the VPN Pool.

In your original configuration you also had no NAT0 configuration, so the connections could not have worked because of that alone.

The below NAT0 configuration essentially uses the ACL configuration to tell the PIX when it should not apply any NAT to the traffic. As the ACL has the source subnet that I suggested for your LAN interface and the destination subnet that I suggested for VPN Pool use, it would naturally mean that no NAT should be performed between these subnets.

The ACL itself is attached to the "inside" interface for NAT0 purposes with a "nat" command. The ID number 0 simply refers to NAT0.

access-list INSIDE-NAT0 remark NAT0 configurations
access-list INSIDE-NAT0 permit ip 10.1.1.0 255.255.255.0 10.1.10.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0

- Jouni

New Member

Re: no one can seem to help. can you?

No dice. It is still not working. I did pretty much what you said but left my naming convention in place. Below is the updated config. As a side note, the remote host gets the following. Is this right? It doesn't seem correct:

ip: 10.1.2.1
subnet: 255.0.0.0
gateway: 10.0.01

thcvpn01(config)# show config
: Saved
: Written by enable_15 at 10:10:46.746 UTC Thu Oct 31 2013
!
PIX Version 8.0(4)
!
hostname thcvpn01
domain-name somewhere.net
enable password * encrypted
passwd * encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.222.220
domain-name somewhere.net
object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObject
access-list inside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPPool 10.1.2.1-10.1.2.50
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside-nat0
nat (inside) 101 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 28800
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.50-10.1.1.254 inside
dhcpd dns 208.67.222.222 208.67.222.220 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username [username] password [password] encrypted
tunnel-group THCVpnGroup type remote-access
tunnel-group THCVpnGroup general-attributes
address-pool ThcIPPool
tunnel-group THCVpnGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b34407e1d9ba47886a6eaa9aab7253f5

jeff

Super Bronze

Re: no one can seem to help. can you?

Hi,

You should add the network mask to the VPN Pool configuration

ip local pool ThcIPPool 10.1.2.1-10.1.2.50 mask 255.255.255.0

I guess it adds the default mask of /8 if you don't specify it.

What connections are you testing through the VPN?

You could try adding these for ICMP, though I am not sure if they help in your situation.

policy-map global_policy
class inspection_default
  inspect icmp
  inspect icmp error

- Jouni

New Member

Re: no one can seem to help. can you?

hi,

I added the netmask command and the following ICMP commands. I now get the following:

ip: 10.1.2.1
netmask: 255.255.255.0
gateway: 10.1.2.2

The gateway still doesn't seem right to me and I am still unable to have any LAN access.

jeff

Super Bronze

Re: no one can seem to help. can you?

Hi,

You didn't mention what type of connections you are attempting to form through the VPN.

Can you also take the following output from the PIX after you have tested some connections through it and while the VPN is still connected:

show crypto ipsec sa

It seems to me that configuration-wise everything should be OK. Naturally you don't have any DNS servers configured on your VPN, though I am not sure if you are connecting with a DNS name or an IP address.

The default gateway gotten from the VPN connection might look weird. Though I guess it usually should either be the IP address you are getting from the firewall, or it might not show any default gateway since we are not talking about a traditional network adapter. The VPN uses a virtual adapter through which it forwards the traffic.

- Jouni

New Member

Re: no one can seem to help. can you?

I can get the output from that command later tonight. I have run that command in the past and, granted, I did not know for sure, but there didn't appear to be anything out of the ordinary that indicated a problem.

Not following what you mean by the type of connection. It's not site-to-site. I believe it's type "user". I put in the IP address, group THCVpnGroup and group password into the Cisco client and then when I connect it prompts me for the username and password. Once I put the password in and connect, I get an IP address and all connectivity to the internet disappears.

I can't ping any internal IP address or get on the internet. I am not using any hostnames for anything, strictly IP addresses to verify connectivity.

If nothing shows up in that command, what would be the next couple of steps? I ask because I have to go from one location to the next to test this, so it takes a lot of moving around. It would be good to get a series of steps all at one time.

jeff

Super Bronze

no one can seem to help. can you?

Hi,

You should probably consider enabling remote management of the device so you can test VPN connectivity and manage the firewall without needing to change location.

You could for example allow SSH from a certain IP address so you can access the PIX remotely

ssh version 2
ssh outside

The reason your Internet connection stops working during the VPN connection is that it's Full Tunnel at the moment, to my understanding. In other words all traffic should be forwarded to the VPN connection and therefore to the PIX.

You can try adding these configurations to the PIX and see if you can access the Internet then during the connection

same-security-traffic permit intra-interface
nat (outside) 1 10.1.2.0 255.255.255.0

This should enable the VPN Client user to connect to the Internet through the PIX (since all traffic is forwarded to the PIX)

You naturally also have the option to configure this VPN as a Split Tunnel VPN, which would essentially mean that only traffic to certain networks would be tunneled (to the LAN) and the rest of the traffic from your VPN Client computer would use the local network or local Internet connection.

This could be done with

access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
group-policy THCVpnGroup internal
group-policy THCVpnGroup attributes
dns-server value
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group THCVpnGroup general-attributes
default-group-policy THCVpnGroup

With the above, though, your Internet connections would go out of the VPN Client user's local Internet connection and only traffic to the network 10.1.1.0/24 would be tunneled. This would make my previous NAT configuration example useless as the Internet traffic of the VPN Client would no longer go through the PIX.

What I am looking for with the "show crypto ipsec sa" command is to determine if traffic is flowing at all from the LAN to the VPN Client.

Have you considered the possibility that the problem is on the actual hosts on the LAN? If they don't allow your connection attempts because of a software firewall or perhaps even some misconfigured or lacking network settings?

- Jouni

New Member

no one can seem to help. can you?

Hi,

OK. Now it allows me to see the inside network and get online. Awesome. Thank you very much for your help up to this point.

My gut feeling is that what I did is not very secure? same-security-traffic permit intra-interface

I removed that and it appears to work without it. The difference is in the split tunnel commands that were added.

It would be good to have a split tunnel and a full tunnel if you can help me work through it. I will need to reset my configuration back to where it wasn't working, get the copy of the diag output and post it here.

Will post back soon and thanks again.

jeff

Super Bronze

no one can seem to help. can you?

Hi,

The only thing for which you would need "same-security-traffic permit intra-interface" is the traffic that is coming from the Client and going to the Internet through the firewall (through the VPN Connection). This should not work unless you have it configured.

If you are using the Split Tunnel configuration then the only traffic coming to the firewall is the traffic destined to the LAN network and it won't require the above mentioned command. Only if you use the Full Tunnel configuration for Internet access through the firewall will you require that command enabled.

This command should not cause any problem related to security since you should be controlling traffic with the interface ACL or, in the VPN connection's case, perhaps a VPN Filter ACL.

If you were to change the current VPN to Full Tunnel you would need to change these configurations

group-policy THCVpnGroup attributes
no split-tunnel-network-list value SPLIT-TUNNEL
split-tunnel-policy tunnelall

Please do remember to take the time to mark replies as the correct answer if they answered your question.

Feel free to ask more if needed.

- Jouni
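To make the two arguments in this thread concrete (the /8 on-link problem Jouni explained earlier, and the NAT0 exemption, hairpin "same-security-traffic permit intra-interface" and "nat (outside) 101" rules from the Full Tunnel posts), here is an added Python model. It is not part of the thread and not Cisco code; the LAN host address 10.1.1.20 is a constructed test value, and the 208.67.222.222 name-server from the config is reused as an Internet destination.

```python
"""Added model of the packet-path reasoning in this thread (constructed; not
Cisco code). Two decisions decide whether a LAN host reaches a VPN client and
whether a full-tunnel client reaches the Internet through the PIX:
  1. the LAN host's on-link test (its interface mask): ARP or send to gateway;
  2. the PIX NAT lookup under nat-control: NAT0 exemption first, then the
     id-101 dynamic PAT, with the hairpin rule for traffic that enters and
     leaves the outside interface."""
from ipaddress import ip_address, ip_interface, ip_network

LAN = ip_network("10.1.1.0/24")       # LAN after the /24 change
VPN_POOL = ip_network("10.1.2.0/24")  # ThcIPPool 10.1.2.1-10.1.2.50 mask 255.255.255.0
VPN_CLIENT = "10.1.2.1"               # address the client reported receiving
INTERNET = "208.67.222.222"           # name-server from the config, used as an Internet target


def next_hop(host_cidr: str, dst: str) -> str:
    """What a LAN host does with a packet for dst: 'arp' if it believes dst is on
    its own segment (it then ARPs for a VPN client that is behind the PIX and
    gets no reply), otherwise 'gateway' (hand it to the PIX inside address)."""
    return "arp" if ip_address(dst) in ip_interface(host_cidr).network else "gateway"


def egress_interface(dst: str) -> str:
    """Interface a packet leaves the PIX on: the LAN is directly connected on
    inside; the VPN pool (reverse-route from the dynamic crypto map) and the
    default route (ip address dhcp setroute) both point out of outside."""
    return "inside" if ip_address(dst) in LAN else "outside"


class Pix:
    """Only the NAT statements from the thread, checked in PIX 8.0 order."""

    def __init__(self, intra_interface: bool = False, vpn_pat: bool = False):
        # same-security-traffic permit intra-interface (needed for hairpinning)
        self.intra_interface = intra_interface
        # nat (inside) 0 access-list inside-nat0
        # access-list inside-nat0 extended permit ip 10.1.1.0/24 10.1.2.0/24
        self.nat0 = {"inside": [(LAN, VPN_POOL)]}
        # nat (inside) 101 10.0.0.0 255.0.0.0 paired with global (outside) 101 interface
        self.dynamic = {"inside": [ip_network("10.0.0.0/8")]}
        if vpn_pat:
            # nat (outside) 101 10.1.2.0 255.255.255.0 (Jouni's corrected hairpin rule)
            self.dynamic["outside"] = [VPN_POOL]

    def nat_decision(self, in_ifc: str, src: str, dst: str) -> str:
        s, d = ip_address(src), ip_address(dst)
        out_ifc = egress_interface(dst)
        # Traffic entering and leaving the same interface is dropped unless permitted
        if in_ifc == out_ifc and not self.intra_interface:
            return "drop: needs same-security-traffic permit intra-interface"
        # NAT exemption is evaluated first and applies in both directions
        if any(s in a and d in b for a, b in self.nat0.get(in_ifc, [])):
            return "nat0 exempt"
        if any(s in b and d in a for a, b in self.nat0.get(out_ifc, [])):
            return "nat0 exempt"
        # Dynamic PAT id 101 only translates toward the interface that holds global 101
        if out_ifc == "outside" and any(s in n for n in self.dynamic.get(in_ifc, [])):
            return "pat to outside interface address"
        # nat-control: a flow with no matching nat statement is not built
        return "drop: nat-control and no matching nat rule"


def lan_ping_vpn_client(host_cidr: str, pix: Pix) -> str:
    """End-to-end outcome for a LAN host (constructed address) pinging the client."""
    if next_hop(host_cidr, VPN_CLIENT) == "arp":
        return "fails: host ARPs for a client that is behind the PIX"
    return pix.nat_decision("inside", host_cidr.split("/")[0], VPN_CLIENT)


if __name__ == "__main__":
    print("LAN host /8  ->", lan_ping_vpn_client("10.1.1.20/8", Pix()))
    print("LAN host /24 ->", lan_ping_vpn_client("10.1.1.20/24", Pix()))
    for cfg in (Pix(), Pix(intra_interface=True), Pix(intra_interface=True, vpn_pat=True)):
        print("full-tunnel client -> Internet:", cfg.nat_decision("outside", VPN_CLIENT, INTERNET))
```

With a split tunnel the client never sends Internet traffic to the PIX at all, so only the first two checks matter in that mode.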

New Member

no one can seem to help. can you?

hi,

I'm going to do a few things when we are done. I am going to go back and mark all of the answers as correct answers and I am also going to make a quick guide so others can easily do what I am trying to do.

OK. So split tunnel is working great.

I added the "same-security-traffic permit intra-interface" command back in.

When I reloaded the config I noticed that there was a "warning on line 72". I had left out "outside" from the end of the nat (outside) 1 10.1.2.0 255.255.255.0 outside command. I appended it to correct the problem and after reloading the PIX device, all LAN connectivity outbound went down so I can't leave that command in place.

In making changes for the split tunnel above I believe I have partially remedied the problem with full tunnel though. My guess is it was the vpn-tunnel-protocol IPSec command. When connected in full tunnel I can get to the inside hosts now, but there is still no internet connection.

Below is the updated config:

PIX Version 8.0(4)
!
hostname thcvpn01
domain-name somewhere.net
enable password * encrypted
passwd * encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.222.220
domain-name somewhere.net
same-security-traffic permit intra-interface
object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObject
access-list inside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPPool 10.1.2.1-10.1.2.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside-nat0
nat (inside) 101 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 28800
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 10.1.1.50-10.1.1.254 inside
dhcpd dns 208.67.222.222 208.67.222.220 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy THCVpnGroup internal
group-policy THCVpnGroup attributes
dns-server value 208.67.222.222 208.67.222.220
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
username [username] password [password] encrypted
tunnel-group THCVpnGroup type remote-access
tunnel-group THCVpnGroup general-attributes
address-pool ThcIPPool
default-group-policy THCVpnGroup
tunnel-group THCVpnGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:*

thcvpn01(config)#

Super Bronze

no one can seem to help. can you?

Hi,

The idea with Split Tunnel configuration was that only traffic towards your LAN would come through the VPN. The Internet traffic from the VPN user would go through its local Internet connection, essentially bypassing the VPN connection.

If you are going to use Full Tunnel mode VPN and want to connect to the Internet then you need the Dynamic PAT rule for the VPN users and also the "same-security-traffic permit inter-interface".

Looking at how you have configured the Dynamic PAT for your internal LAN users

global (outside) 101 interface

nat (inside) 101 10.0.0.0 255.0.0.0

It would seem to me that you would have to configure

nat (outside) 101 10.1.2.0 255.255.255.0

For the VPN users to have Dynamic PAT translation towards the Internet. It should not need the "outside" at the end of the "nat" command as it's only needed when the destination interface has a lower "security-level" than the source interface. In this case the source and destination interface would be the same interface (outside) and therefore it should not be needed.

The previous example command that I gave

nat (outside) 1 10.1.2.0 255.255.255.0

Was wrong from my part as the ID number should be the same you have (101) and not 1.

The above configuration should not have any effect on your internal LAN users' Internet traffic.

There should also be no need to reload the PIX after making these changes. Depending if you have saved your configuration in between it might actually cause problems.

The configuration you mentioned

vpn-tunnel-protocol IPSec

Doesn't have anything to do with what traffic is allowed through the VPN Connection. It just states in the Group Policy what type of VPN Connection is allowed for this Group Policy's users. Though in your case with the PIX firewall you won't have many other options even. But again, it should have no effect on the operation of the VPN. It's just a configuration that tells the PIX specifically what type of VPN is allowed for these users.

- Jouni

New Member

no one can seem to help. can you?

hi,

i apologize for not getting back to you until now. i have been crazy busy with work and have not been home really even in a few days.

im not going to be able to get back to this until this weekend friday night EST. i will message back shortly.

thanks again for all of your help. hang in there with me. you have been aces fantastic so far and all of your answers have been spot on. a true professional.

jeff

Super Bronze

no one can seem to help. can you?

Hi,

Thank you for letting me know about the situation.

Will wait for the follow up.

- Jouni

New Member

Re: no one can seem to help. can you?

hi,

i added the command back on: nat (outside) 101 10.1.2.0 255.255.255.0

previous scenario

  • inside hosts could get on the internet
  • inside hosts could see the other inside hosts
  • outside hosts could see inside hosts
  • outside hosts could not get internet connection

the result of adding that command is:

  • all of my inside hosts lost connectivity to the internet
  • all inside hosts can ping other inside hosts
  • the outside host can't connect to the inside hosts any more
  • the outside host however, can connect to the internet

because of that problem i could not reply to the thread so i removed the command back out

then ran the show crypto ipsec sa command with the outside host connected in full tunnel mode

attached is the show crypto ipsec sa output without the nat command applied

thcvpn01(config)# show crypto ipsec sa
interface: outside
Crypto map tag: THCDynamicMap, seq num: 1, local addr: [public ip address]

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.2/255.255.255.255/0/0)
current_peer: 166.137.105.67, username: [username]
dynamic allocated peer ip: 10.1.2.2

#pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
#pkts decaps: 520, #pkts decrypt: 520, #pkts verify: 520
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: [public ip address]/4500, remote crypto endpt.: 166.137.105.67/40012
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: A058D8D9

inbound esp sas:
spi: 0x07543F1A (122961690)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: THCDynamicMap
sa timing: remaining key lifetime (sec): 28757
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xA058D8D9 (2690177241)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: THCDynamicMap
sa timing: remaining key lifetime (sec): 28748
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: THCDynamicMap, seq num: 1, local addr: [public ip address]

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.1/255.255.255.255/0/0)
current_peer: 166.137.105.67, username: [username]

dynamic allocated peer ip: 10.1.2.1

#pkts encaps: 2053, #pkts encrypt: 2053, #pkts digest: 2053
#pkts decaps: 4623, #pkts decrypt: 4623, #pkts verify: 4623
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2053, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: [public ip address]/4500, remote crypto endpt.: 166.137.105.67/54305
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 0B3CD1AA

inbound esp sas:
spi: 0xB17C3EC8 (2977709768)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 8192, crypto-map: THCDynamicMap
sa timing: remaining key lifetime (sec): 27963
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x0B3CD1AA (188535210)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 8192, crypto-map: THCDynamicMap
sa timing: remaining key lifetime (sec): 27962
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

thcvpn01(config)#

Super Bronze

no one can seem to help. can you?

Hi,

To be honest, I don't see why adding that command should cause any problems for users on your LAN since it doesn't in any way match the network on the LAN or have anything to do with its interface.

Could you provide the exact configuration you had with the above added command?

- Jouni

New Member

Re: no one can seem to help. can you?

hi,

here is the show config with that nat command in, while my inside hosts lose connectivity to the internet:

thcvpn01(config)# show config
: Saved
: Written by enable_15 at 07:33:33.113 UTC Fri Nov 8 2013
!
PIX Version 8.0(4)
!
hostname thcvpn01
domain-name somewhere.net
enable password * encrypted
passwd * encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.222.220
domain-name somewhere.net
same-security-traffic permit intra-interface
object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObject
access-list inside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPPool 10.1.2.1-10.1.2.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (outside) 101 10.1.2.0 255.255.255.0 outside
nat (inside) 0 access-list inside-nat0
nat (inside) 101 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 28800
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 10.1.1.50-10.1.1.254 inside
dhcpd dns 208.67.222.222 208.67.222.220 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy THCVpnGroup internal
group-policy THCVpnGroup attributes
dns-server value 208.67.222.222 208.67.222.220
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
username [username] password [password] encrypted
tunnel-group THCVpnGroup type remote-access
tunnel-group THCVpnGroup general-attributes
address-pool ThcIPPool
default-group-policy THCVpnGroup
tunnel-group THCVpnGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d57ad5e7f32936cf000c4be69d4385cb
thcvpn01(config)#

thanks

jeff

Super Bronze

Re: no one can seem to help. can you?

Hi,

To my understanding the "nat" command does NOT require the parameter "outside" at the end.

This would be needed if you were performing NAT/PAT for these users towards an interface whose "security-level" was higher than the source interface. And in this situation the only interface towards which you are performing NAT/PAT (which is what the "nat" command is meant for) is the "outside" interface, so essentially the same interface where the NAT/PAT is sourced from. So we see that the "security-level" of the source and the destination interface is equal as the source/destination interface is the same interface.

So try to add it with just

nat (outside) 101 10.1.2.0 255.255.255.0

And then test again.

At least I can't see anything wrong with the configurations since you have

  • Dynamic PAT configuration for the Internet traffic that should apply to all outbound traffic for the internal users. This is done with the "nat" and "global" commands using the ID 101 (except the one mentioned above)
  • NAT0 configurations that enable the VPN users to connect to the internal network and vice versa while avoiding any translations whatsoever. The "nat" command with the ID 0 and using "access-list" accomplishes this.

Naturally you can make the current "inside" users' "nat" command more specific

no nat (inside) 101 10.0.0.0 255.0.0.0

nat (inside) 101 10.0.0.0 255.255.255.0

But other than the above listed thing I don't see any reason why your connections should not work. It would be more logical if you had just problems with the VPN users, but to have the internal traffic to the Internet stop doesn't make sense. The only thing I can see as a possible problem is using the "outside" parameter in the "nat" command meant for the VPN users.

Follow the above instructions and let me know if it helps.

- Jouni

New Member

Re: no one can seem to help. can you?

awesome! it appears to be working. i do not know why i got that error message saying it needs outside at the end.

looks like everything is functioning as expected.

the only thing i have to do now is go back and make myself two separate groups to use, one for split tunnel and one for full tunnel and i should be good to go.

once i do that i will make a post with my configuration and lan layout so others can do the same thing easier.

talk to you soon!

jeff

Super Bronze

Re: no one can seem to help. can you?

Hi,

I am not 100% sure but you might get a notification just because of the fact that you are doing a "nat" configuration on your external interface, which usually is not expected. The main reason for this message might be that the "security-level" of the interface is "0" so there is a VERY HIGH likelihood that your destination interface would have a higher "security-level", so the firewall decides to warn you about the fact that you might need the "outside" parameter. But naturally in this situation the source/destination interface is the same interface making the "security-level" equal so the warning message doesn't have to be considered at all.

Here is a link to the Software 8.0 Command Reference about the "nat" command. If you look a bit further you will find the explanation for the "outside" parameter. You can easily find both the Command Reference and Configuration Guide by searching for them through Google. They are very helpful for checking configuration format and effect and usage guidelines.

Again here is the link to the "nat" command

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1737858

There are other situations where a firewall might give you a warning message whose actual purpose is to inform you of a POSSIBLE situation or problem you might be running into.

So it doesn't always require you to do anything.

Sadly I have no knowledge that Cisco would have documentation of the different WARNING messages that Cisco firewalls might give. Usually you have to go look for them online or through Cisco directly.

Let me know if you get the setup working correctly for you.

Please do remember to mark the correct answers and/or rate helpful answers if the problems/questions are resolved.

Feel free to ask more though if needed, and naturally make a new post if you run into some problematic situation or configuration need in the future.

- Jouni

New Member

Re: no one can seem to help. can you?

hi,

strangely enough that warning is upon entering the command. your answers make perfect sense.

im so close to being able to wrap this up.

i have a single config with 2 separate groups on it. one for split tunnel and one for full tunnel and i proved that they are sending properly with the tracert command.

awesome! thank you so much for all of your help.

2 last quick things

1) i can't ping any inside hosts by hostname when connected to either tunnel type. what is needed to allow the host name resolution?

2) is there any way to setup a third tunnel type to allow only internet connectivity? if so how would one do that?

thanks again

jeff

Super Bronze

Re: no one can seem to help. can you?

Hi,

Originally at least you had configured DNS servers as public servers, so if the VPN user uses those DNS servers then he probably won't be able to ping any internal host by their internal name. I would look into changing the DNS servers under the "group-policy" so that the primary one is your internal DNS server and the secondary is a public DNS server.

You can also go under the "group-policy" configuration mode and then use the question mark "?" to check the different options you can get. If any of the commands/parameters aren't clear then I would refer to the documentation in my earlier reply, which is the Command Reference. It should contain a better explanation for that command/parameter.

I am not sure what the aim is with only allowing the VPN user Internet connectivity. The only thing I can think of right away would be to give the user the possibility to use the central firewall's public IP address, which might have been set at some remote 3rd party site as the only allowed public IP address to access some service. This would give the user the chance to still access that 3rd party site even if he/she wasn't at the office.

I guess there are a couple of approaches for this.

You could create a Full Tunnel VPN (like one of the existing ones) and then use a VPN Filter ACL to first block all traffic to the LAN network and then allow all other traffic. This would essentially mean that the user could only access public IP address spaces as you have blocked the access to Internal networks only. Naturally the other approach to this solution would be to use the same Full Tunnel VPN you have created so far BUT attaching the VPN Filter ACL under the "username" configurations if you are using LOCAL usernames on the firewall for VPN AAA.

I guess the other option would be to create a VPN for which you create a "group-policy" that defines a Split Tunnel Policy so that it excludes some networks (rather than including them like a normal Split Tunnel). In that case you could define your LAN network as the excluded address space, which would essentially mean that all traffic except that directed to your LAN network would go through the VPN.

On a last note, notice that you have (if I don't remember wrong) a lot of opportunities to set different Split Tunnel rules and VPN Filter ACLs for users based on their LOCAL login "username" configured on the firewall. This should be possible using the "username attributes" configuration space. This might essentially give you the possibility of creating a single Full Tunnel VPN group for ALL users and simply using different "group-policy" and VPN Filter ACLs to control what certain users can access. Naturally this might not be possible if the requirement is to specifically let some users use their local Internet connection rather than tunnel it through the VPN.

Hope I made any sense.

- Jouni

New Member

Re: no one can seem to help. can you?

hi,

there is the dns-server attribute which seems like the best bet obviously. my only problem is that the outside hosts can't ping the inside ip which would also be the ip address of the local dns server for the inside hosts.

i tried it and it is not working. the machines are not part of any domain at this point so there is no fully qualified domain name for the machines.

pinging the shortname appends a dns suffix onto them, that is coming from another vpn connection on the nic. so basically it is appending a suffix that really it should not be.

jeff

New Member

Re: no one can seem to help. can you?

hi,

sorry to bother you.

somehow i boned my config up and im not sure what happened. everything looks ok.

i can't seem to ping any inside hosts, by host name or by ip. all of the web traffic functions properly, with split tunnel and full tunnel.

do you have a few minutes?

jeff

Super Bronze

no one can seem to help. can you?

Hi,

Would need to see the current configuration.

- Jouni

New Member

Re: no one can seem to help. can you?

Hi,

i spoke incorrectly, slightly.

all outside access is working properly, proven through tracert.

i have 3 access groups. full tunnel, split tunnel and web only. web only should allow no access to the inside interface. it will solely be for secure browsing in remote locations and on other people's networks.

full tunnel and webonly are not capable of pinging ip or host name of any inside host on 10.1.1.X. i don't have other outside hosts at this point, so i am unsure if they can ping an outside host or not.

split tunnel can only ping by ip hosts on 10.1.1.X

Below is the current config. 8.8.8.8 and 8.8.4.4 are Google DNS IPs.

show config
: Saved
: Written by enable_15 at 00:02:36.769 UTC Fri Nov 29 2013
!
PIX Version 8.0(4)
!
hostname vpnhost
domain-name somewhere.net
enable password * encrypted
passwd * encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name somewhere.net
same-security-traffic permit intra-interface
object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
access-list ThcInsideFullTunnel-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list outside_access_in extended permit icmp any any object-group ICMPObject
access-list ThcInsideSplitTunnel-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list THCSplitTunnelAccessList standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPFullTunnelPool 10.1.2.1-10.1.2.254 mask 255.255.255.0
ip local pool ThcIPSplitTunnelPool 10.1.3.1-10.1.3.254 mask 255.255.255.0
ip local pool ThcIPWebOnlyTunnelPool 10.1.4.1-10.1.4.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (outside) 101 10.1.2.0 255.255.255.0
nat (outside) 101 10.1.3.0 255.255.255.0
nat (outside) 101 10.1.4.0 255.255.255.0
nat (inside) 0 access-list ThcInsideSplitTunnel-nat0
nat (inside) 101 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 28800
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.50-10.1.1.254 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy THCFullTunnel internal
group-policy THCFullTunnel attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
group-policy THCSplitTunnel internal
group-policy THCSplitTunnel attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value THCSplitTunnelAccessList
group-policy THCWebOnlyTunnel internal
group-policy THCWebOnlyTunnel attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
username user password * encrypted
tunnel-group THCFullTunnel type remote-access
tunnel-group THCFullTunnel general-attributes
address-pool ThcIPFullTunnelPool
default-group-policy THCFullTunnel
tunnel-group THCFullTunnel ipsec-attributes
pre-shared-key *
tunnel-group THCSplitTunnel type remote-access
tunnel-group THCSplitTunnel general-attributes
address-pool ThcIPSplitTunnelPool
default-group-policy THCSplitTunnel
tunnel-group THCSplitTunnel ipsec-attributes
pre-shared-key *
tunnel-group THCWebOnlyTunnel type remote-access
tunnel-group THCWebOnlyTunnel general-attributes
address-pool ThcIPWebOnlyTunnelPool
default-group-policy THCWebOnlyTunnel
tunnel-group THCWebOnlyTunnel ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c979c3c6ba8f17411d144647d1f913a8

thanks,

jeff

Super Bronze

no one can seem to help. can you?

Hi,

I am not quite sure what the problem is.

If we first consider the Full Tunnel and Split Tunnel VPN Client connections, then I assume these need to have access to the LAN network 10.1.1.0/24.

There is at least a problem related to the NAT0 configuration, which only mentions one of the VPN Pools.

You should probably create a new ACL to which you configure any NAT0 related configuration for the "inside" networks.

So as the Full Tunnel and Split Tunnel VPNs have pools 10.1.2.0/24 and 10.1.3.0/24, we need the following configurations:

access-list INSIDE-NAT0 remark NAT0 configurations for LAN

access-list INSIDE-NAT0 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

access-list INSIDE-NAT0 permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0

no nat (inside) 0 access-list ThcInsideSplitTunnel-nat0

nat (inside) 0 access-list INSIDE-NAT0

This should enable the VPN users to connect to the LAN network.

I don't see anything that should prevent this traffic.

With regards to the WebOnly VPN I don't see anything that should be a problem regarding just connecting to the Internet. The VPN is configured as Full Tunnel and there is a Dynamic PAT configuration with the NAT ID 101.

- Jouni
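The two checks this thread keeps coming back to (every VPN pool needs a NAT0 exemption from the LAN, and every pool needs a `nat (outside) <id>` entry paired with a `global (outside) <id>` plus `same-security-traffic permit intra-interface` for hairpinned Internet access) can be run mechanically against a PIX 8.0-style config. The following Python audit is an added example, not code from the thread or from Cisco; it parses only the statement shapes used in the posted configs, and the embedded sample is a constructed, abridged excerpt modelled on the Nov 29 config above.

```python
import ipaddress
import re

# Constructed excerpt modelled on the Nov 29 config posted in the thread (abridged).
SAMPLE_CONFIG = """
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
same-security-traffic permit intra-interface
access-list ThcInsideFullTunnel-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list ThcInsideSplitTunnel-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
ip local pool ThcIPFullTunnelPool 10.1.2.1-10.1.2.254 mask 255.255.255.0
ip local pool ThcIPSplitTunnelPool 10.1.3.1-10.1.3.254 mask 255.255.255.0
ip local pool ThcIPWebOnlyTunnelPool 10.1.4.1-10.1.4.254 mask 255.255.255.0
global (outside) 101 interface
nat (outside) 101 10.1.2.0 255.255.255.0
nat (outside) 101 10.1.3.0 255.255.255.0
nat (outside) 101 10.1.4.0 255.255.255.0
nat (inside) 0 access-list ThcInsideSplitTunnel-nat0
nat (inside) 101 10.0.0.0 255.0.0.0
"""

# Only the statement shapes that appear in the thread are parsed; everything else is ignored.
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)( outside)?$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) \S+$")
ADDR_RE = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
INTRA = "same-security-traffic permit intra-interface"


def net(addr, mask):
    """Network from a dotted address and dotted mask; host bits are masked off."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    cfg = {"lan": {}, "pools": {}, "aces": {}, "nat0": [], "nat": [], "globals": set(),
           "intra": False}
    nameif = None  # nameif of the interface block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif (m := ADDR_RE.match(line)) and nameif:   # 'ip address dhcp ...' is skipped
            cfg["lan"][nameif] = net(m[1], m[2])
        elif m := POOL_RE.match(line):                 # pool subnet = first address + mask
            cfg["pools"][m[1]] = net(m[2], m[4])
        elif m := ACE_RE.match(line):
            cfg["aces"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := NAT0_RE.match(line):                 # identity NAT bound to an ACL
            cfg["nat0"].append((m[1], m[2]))
        elif m := NAT_RE.match(line):                  # dynamic NAT/PAT with a nat-id
            cfg["nat"].append((m[1], int(m[2]), net(m[3], m[4]), bool(m[5])))
        elif m := GLOBAL_RE.match(line):
            cfg["globals"].add((m[1], int(m[2])))
        elif line == INTRA:
            cfg["intra"] = True
    return cfg


def audit(cfg, lan_if="inside", internet_if="outside"):
    """Return {pool_name: {"nat0": bool, "pat": bool, "notes": [str]}} for every VPN pool."""
    lan = cfg["lan"].get(lan_if)
    # Only ACEs in an ACL actually bound by 'nat (<lan_if>) 0 access-list ...' exempt anything.
    exempt = [ace for intf, acl in cfg["nat0"] if intf == lan_if
              for ace in cfg["aces"].get(acl, [])]
    report = {}
    for name, pool in cfg["pools"].items():
        notes = []
        nat0_ok = lan is not None and any(
            lan.subnet_of(src) and pool.subnet_of(dst) for src, dst in exempt)
        if not nat0_ok:
            notes.append(f"no nat 0 exemption {lan} -> {pool}: LAN/VPN traffic is not exempt from NAT")
        pats = [(nid, kw) for intf, nid, n, kw in cfg["nat"]
                if intf == internet_if and pool.subnet_of(n)]
        pat_ok = any((internet_if, nid) in cfg["globals"] for nid, _ in pats)
        if not pat_ok:
            notes.append(f"no nat ({internet_if}) <id> / global ({internet_if}) <id> pair covers {pool}")
        if any(kw for _, kw in pats):
            notes.append("'outside' keyword on the VPN pool nat entry is unnecessary: source and "
                         f"destination interface are both {internet_if}")
        if pat_ok and not cfg["intra"]:
            notes.append(f"'{INTRA}' missing: hairpinned VPN-to-Internet traffic is dropped")
        report[name] = {"nat0": nat0_ok, "pat": pat_ok, "notes": notes}
    return report


if __name__ == "__main__":
    for pool, result in audit(parse_config(SAMPLE_CONFIG)).items():
        status = "OK " if result["nat0"] and result["pat"] else "FIX"
        print(f"{status} {pool}: nat0={result['nat0']} pat={result['pat']}")
        for note in result["notes"]:
            print(f"      - {note}")
```

Run against the sample it flags the Full Tunnel and WebOnly pools as missing a NAT0 exemption (only the Split Tunnel ACL is bound), which is exactly the finding in the reply above; the WebOnly pool only needs the PAT side, so its NAT0 note can be ignored by design.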

New Member

Re: no one can seem to help. can you?

Hi,

ok. you were close. i had the access lists but i needed a nat (inside) 0 access-list ThcInsideFullTunnel-nat0 to get the access list working.

i didn't take your advice because im trying to keep stuff separated out, so i can retrace my steps and see what belongs to each other in the event of an issue.

so now both the full and split tunnels can ping inside ips, but no host names.

any ideas what is wrong there?

jeff
