Cisco Support Community
New Member

PIX 506E VPN Cant Ping

Got a PIX 506E configured for VPN Client Access.

VPN Client connects however cannot ping anything on the LAN.

Confirmed config with other Cisco Docs and is okay.

Please help

20 REPLIES

Re: PIX 506E VPN Cant Ping

Does your config have NAT-T enabled? If not, please enable it and try; if no joy, please post a sanitized PIX config. It could be your ACL not allowing the VPN pool network access to your inside network.

PIX(config)#isakmp nat-traversal 20

Rgds

-Jorge

New Member

Re: PIX 506E VPN Cant Ping

Yes, tried that and still not working:

Config below:

access-list vpn permit ip host 10.32.1.1 192.168.10.0 255.255.255.0
access-list split_vpn permit ip host 10.32.1.1 192.168.10.0 255.255.255.0
ip local pool vpnpool 192.168.10.0 mask 255.255.255.0
crypto ipsec transform-set espvpn esp-des esp-md5-hmac
crypto dynamic-map money 10 set transform-set espvpn
crypto map pixnet 10 ipsec-isakmp dynamic money
crypto map pixnet client configuration address initiate
crypto map pixnet client authentication LOCAL
crypto map pixnet interface outside
isakmp nat-traversal 20
vpngroup vpnclient address-pool vpnpool
vpngroup vpnclient dns-server 10.32.1.1
vpngroup vpnclient split-tunnel split_vpn
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password *******

Re: PIX 506E VPN Cant Ping

Any nat statements?

I would add the below statement, please try and let me know.

nat (inside) 0 access-list vpn

New Member

Re: PIX 506E VPN Cant Ping

Yes, forgot to include that in the config earlier.

Re: PIX 506E VPN Cant Ping

One thing I have noticed is your VPN pool range; you would normally configure a range.

ip local pool vpnpool 192.168.10.0 mask 255.255.255.0

I do not think a connected host would get an IP from the pool. When the client connects, can you issue "show ip local pool" to confirm an address has been provided by your current VPN pool.

Normally you would configure a range in this syntax.

ip local pool vpnpool 192.168.10.xx-192.168.10.xx

Enabling NAT-T should have resolved it, but I wonder if your VPN pool is your issue.

New Member

Re: PIX 506E VPN Cant Ping

Thanks for noticing,

Yeah, it assigns an IP address. I've changed that to 192.168.10.1 - 192.168.10.20 and it assigns an IP address, however I am still unable to ping.

Re: PIX 506E VPN Cant Ping

The host you are trying to ping, 10.32.1.1, does it respond to pings from the internal LAN?

Note that this is the only host permitted in your ACL.

New Member

Re: PIX 506E VPN Cant Ping

Yes, it does.

Re: PIX 506E VPN Cant Ping

Hi Jorge, nice new badge m8 :)

Ralema, can you please attach your full sanitized config?

New Member

Re: PIX 506E VPN Cant Ping

Find config attached.

New Member

Re: PIX 506E VPN Cant Ping

Once you have it, download and delete.

Re: PIX 506E VPN Cant Ping

dude,

I suggest next time you upload your config, remove any passwords / public IPs.

francisco.

Re: PIX 506E VPN Cant Ping

Ralema,

Please do the below modifications:

no vpngroup pixnet split-tunnel 110

vpngroup pixnet split-tunnel 120

fixup protocol icmp

Also I see a statement with "tcp" in your ACL 110, which is your NAT exempt ACL. It is not recommended to use port statements in network ACLs for firewall devices, like split tunnels and NATs, as it would impact the L3 processing of the firewall: it will also have to process the port portion of packets during routing.

Also, you know that you've permitted your VPN clients to establish connections with only 172.16.1.3 and 172.16.1.20, so try pinging them. Also make sure no software firewall is enabled. If enabled, modify the exceptions accordingly (Windows Firewall exceptions by default permit traffic from the same subnet! That will drop VPN client connections).

Regards
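The replies above look for the same handful of defects in a PIX 6.x remote-access VPN config: NAT-T not enabled, no nat 0 exemption for the pool, a pool written as network/mask instead of a range, a split-tunnel or NAT-exempt ACL that is undefined or carries tcp/udp port entries, and an ACL line with no permit/deny keyword. The following script is an added example (not code from the thread or from Cisco) that runs those checks over config text; both sample configs and the finding names are constructed for illustration.

```python
"""Config sanity checks for a PIX 6.x remote-access VPN (added example)."""
import re

# Constructed sample shaped like the snippet posted earlier in the thread
# (not a verbatim copy): NAT-T absent, no nat 0 exemption, pool given as
# network/mask, one ACL entry missing its permit/deny keyword, and a tcp
# port entry in the split-tunnel ACL.
POSTED_STYLE_CONFIG = """\
access-list vpn permit ip host 10.32.1.1 192.168.10.0 255.255.255.0
access-list split_vpn ip host 10.32.1.1 192.168.10.0 255.255.255.0
access-list split_vpn permit tcp host 10.32.1.1 192.168.10.0 255.255.255.0 eq 3389
ip local pool vpnpool 192.168.10.0 mask 255.255.255.0
crypto ipsec transform-set espvpn esp-des esp-md5-hmac
crypto dynamic-map money 10 set transform-set espvpn
crypto map pixnet 10 ipsec-isakmp dynamic money
crypto map pixnet interface outside
vpngroup vpnclient address-pool vpnpool
vpngroup vpnclient split-tunnel split_vpn
"""

# Constructed sample with the changes the replies ask for applied.
FIXED_CONFIG = """\
access-list vpn permit ip host 10.32.1.1 192.168.10.0 255.255.255.0
access-list split_vpn permit ip host 10.32.1.1 192.168.10.0 255.255.255.0
ip local pool vpnpool 192.168.10.1-192.168.10.20
nat (inside) 0 access-list vpn
isakmp nat-traversal 20
crypto ipsec transform-set espvpn esp-des esp-md5-hmac
crypto dynamic-map money 10 set transform-set espvpn
crypto map pixnet 10 ipsec-isakmp dynamic money
crypto map pixnet interface outside
vpngroup vpnclient address-pool vpnpool
vpngroup vpnclient split-tunnel split_vpn
"""

ACL_RE = re.compile(r"^access-list (\S+) (\S+)")
NAT0_RE = re.compile(r"^nat ?\(\w+\) 0 access-list (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)")
GROUP_POOL_RE = re.compile(r"^vpngroup \S+ address-pool (\S+)")
GROUP_SPLIT_RE = re.compile(r"^vpngroup \S+ split-tunnel (\S+)")


def check_pix_vpn_config(text):
    """Return a sorted list of finding codes (empty means all checks passed)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = set()

    # Collect ACL entries by name and flag entries with no permit/deny action.
    acls = {}
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(line)
            if m.group(2) not in ("permit", "deny", "remark"):
                findings.add("acl-entry-missing-permit-or-deny")

    # NAT-T: clients behind NAT need it, or ESP never makes it back to them.
    if not any(line.startswith("isakmp nat-traversal") for line in lines):
        findings.add("nat-t-disabled")

    # nat 0 exemption: without it, inside-to-pool traffic is NATed and breaks.
    nat0_acls = [m.group(1) for m in map(NAT0_RE.match, lines) if m]
    if not nat0_acls:
        findings.add("no-nat-exemption")

    # Pools: address-pool must refer to a defined pool written as a range.
    pools = {m.group(1): m.group(2) for m in map(POOL_RE.match, lines) if m}
    for spec in pools.values():
        if "-" not in spec:
            findings.add("pool-not-a-range")
    for m in map(GROUP_POOL_RE.match, lines):
        if m and m.group(1) not in pools:
            findings.add("address-pool-undefined")

    # Split-tunnel and nat 0 ACLs must exist and stay L3-only (no tcp/udp).
    referenced = set(nat0_acls)
    for m in map(GROUP_SPLIT_RE.match, lines):
        if m:
            referenced.add(m.group(1))
    for name in referenced:
        if name not in acls:
            findings.add("referenced-acl-undefined")
            continue
        for entry in acls[name]:
            if {"tcp", "udp"} & set(entry.split()):
                findings.add("port-entry-in-nat-or-split-acl")

    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("posted-style", POSTED_STYLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_pix_vpn_config(cfg) or "OK")
```

Run it against a sanitized "write terminal" dump before posting a config; the posted-style sample reports all five findings and the fixed sample reports none.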

Re: PIX 506E VPN Cant Ping

Huseyin good to hear from you friend!!

Ralema, do as Huseyin suggested and you'll be running in no time.

New Member

Re: PIX 506E VPN Cant Ping

Done that and still no luck... unable to ping hosts.

Re: PIX 506E VPN Cant Ping

The NAT traversal suggestion by Jorge just fits the issue, but you have it.

A couple of things to check:

Make sure the PC, which connects the VPN and acquires a 192.168.10.x address, doesn't have an IP address locally assigned to its NIC within the same 192.168.10.x subnet.

Try connecting via a port instead of ping to check connectivity. For example, enable Remote Desktop on the remote host, run netstat -an and make sure 3389 is listening, then from the VPN client run telnet remoteclientIP 3389 and wait to get a blank screen.

Right-click the VPN icon in the bottom-right, click Statistics, then the Route Details tab. Make sure the clients you try to reach are listed in the right pane.

Save your config and reload the firewall.

On the client side, open the VPN Client GUI, click Log, then click Enable. Then click Log Window. Try pinging somewhere, then paste here the logs you see in that window.

Run ASDM and enable its built-in syslog, catch some syslogs related to the traffic and paste here.

Regards
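The "test a port instead of ping" step above works because a TCP connect attempt tells you more than an ICMP echo does: a completed handshake proves the tunnel route, the firewall policy and the host firewall all pass; a refusal proves the host is reachable but nothing listens; a timeout means packets are being dropped somewhere in between. The following added example (my code, not from the thread) parses a constructed Windows "netstat -an" dump to confirm 3389 is listening and classifies a connect attempt into those three outcomes; the helpers that open and release a loopback port exist only so the script can demonstrate "open" and "refused" offline.

```python
"""Port-based reachability checks for a VPN client (added example)."""
import socket


def listening_ports(netstat_output):
    """Parse Windows 'netstat -an' text; return the set of TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP connect attempt.

    'open'        handshake completed: routing, tunnel and host firewall all pass
    'refused'     RST came back: the host is reachable but nothing listens there
    'unreachable' timeout or no route: packets are dropped somewhere in the path
                  (no tunnel route, NAT without NAT-T, host firewall, ...)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except OSError:  # covers socket.timeout and "network is unreachable"
            return "unreachable"


def start_listener(host="127.0.0.1"):
    """Open a local listening socket on an ephemeral port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_local_port(host="127.0.0.1"):
    """Return a port that is currently closed (bound briefly, then released)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


# Constructed sample of what 'netstat -an' might show on the remote desktop host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    172.16.1.15:139        0.0.0.0:0              LISTENING
  TCP    172.16.1.15:49712      172.16.1.3:445         ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    print("3389 listening on sample host:", 3389 in listening_ports(SAMPLE_NETSTAT))
    srv, port = start_listener()
    print("open port ->", probe_tcp("127.0.0.1", port))
    srv.close()
    print("closed port ->", probe_tcp("127.0.0.1", free_local_port()))
    # TEST-NET-1 is never routed, so this one times out or has no route.
    print("no route ->", probe_tcp("192.0.2.1", 3389, timeout=1.0))
```

In the thread's situation, "refused" from the VPN client would already rule out the tunnel, the split-tunnel ACL and the nat 0 exemption, leaving only the host; "unreachable" keeps all of them on the table, which is why the later replies go back to route print and the client log.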

New Member

Re: PIX 506E VPN Cant Ping

Did all that and still no good!

Telnet via port 3389 - no connection.

Routes - are visible in the route details.

Log window shows nothing.

Unable to ping hosts.

Re: PIX 506E VPN Cant Ping

Try 3 things:

1) Make sure the VPN Client has IPsec over UDP/NAT-T enabled; it's there by default, but someone could have removed the check there.

2) Are you sure you are trying to RDP to 172.16.1.3 or 172.16.1.15 (FIFTEEN) and not 172.16.1.51? Because 172.16.1.51 is not in your split tunnel ACL.

3) If you do 'route print' on the Windows box after the VPN connection, do you see 172.16.1.3/.15 directed through the VPN tunnel?

Regards

Farrukh

New Member

Re: PIX 506E VPN Cant Ping

Yes, done (1).

(2) - it is 172.16.1.15, not .51.

(3) - yes, they are directed through the tunnel.

Re: PIX 506E VPN Cant Ping

Does it still not work? Does the VPN Client tell you that Transparent Tunneling is active, on the Status tab?

Regards

Farrukh
