Cisco VPN Client to PIX 506E -> they can see me, I can't see them
I have successfully established a VPN connection to the PIX. I get properly authenticated using MS IAS with the VPN. If I ping, browse, whatever, no packets seem to come back through the VPN link. The guys in the office (at the other side of the VPN) can see me and even access the shares on my PC. I can see packets coming through the link... so they can see me, but I cannot see them. Has anyone an idea what that could be? Let me quote some parts of the config :)
Please note that I obfuscated the real-life IP addresses; they are picked randomly and are not actually used in our case... they are used to explain the config only.
The office network behind the PIX is multihomed (2 NICs).
The actual office PCs are in the 111.192.168.x network
and the servers in 18.104.22.168/255.255.255.240.
There are also some servers belonging to the following
Ah, and by the way, the VPN users are using 111.192.169.x
access-list 101 permit ip 22.214.171.124 255.255.255.0 126.96.36.199 255.255.255.0
ip address outside 188.8.131.52 255.255.255.252
ip address inside 184.108.40.206 255.255.255.240
ip local pool ippool 220.127.116.11-18.104.22.168
Not always a good idea to use nat 0 except with your VPN traffic. This can be causing some confusion on the PIX. Use nat (inside) 1 instead to specify what traffic is allowed to NAT. Make sure you do a clear xlate if these are removed.
Your Q: !-- is there a route missing for the VPN traffic? --!
Route on the PIX, no. Route on your server, maybe. Is there a router on the inside of the PIX (22.214.171.124)? What device is this? This subnet isn't located on the PIX, so how does the PIX get to 126.96.36.199 (unless there is another interface that's not shown)? From what's shown, it would go out the default route to 188.8.131.52 located on the outside interface. Can you even ping 192.168.169.0 from the PIX? I am assuming that this is the subnet you're trying to access from the clients.
Test it to a non-dual-homed PC if you can. Stick your laptop or another PC on the local LAN that has only a single NIC. This way we can do a process of elimination and track down where the problem might lie.
Now you do say you're connected, which is good. Check on your client after you ping to see if you're getting encrypted IPsec packets and decrypted IPsec packets. You can also do a "show crypto ipsec sa" on the PIX to see if the PIX is encrypting and decrypting your connection. You'll have to search for your specific IP address if you have multiple SAs on the PIX. Sometimes it will show old ones, so make sure you go all the way through the list.
You said they can see your PC and ping it? What address are they trying to access it from? The pool address or your public address? Check encrypts/decrypts as well when they are doing this. These steps will help eliminate where the problem lies.