Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Pinging Through a VPN

I am trying to setup VPN on my PIX 515e and I believe I am almost there but not quite.

I currently can connect to the PIX with a VPN client on the outside but I can't ping a PC that is on the inside.

Inside: 10.0.0.1

Outside: 10.0.1.1

I created an ACL test:

access-l test ext permit ip any 10.0.0.1 255.255.255.0

access-l test ext permit ip 10.0.0.1 255.255.255.0 any

and applied this to a group and created a user that inherited from this group.

I also created a PAT:

global (outside) 1 10.0.1.1

nat (inside) 1 10.0.0.0 255.255.255.0

And I made an exception for the VPN:

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0

nat (inside) 0 access-list nonat

I am not sure if this is right, I have been basically piecing together stuff all over that I have read. Thanks for any help and I will post more if needed.

12 REPLIES
Green

Re: Pinging Through a VPN

Could you post your whole config?

New Member

Re: Pinging Through a VPN

: Saved

:

PIX Version 7.0(4)

!

hostname MTBFirewall

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

ip address 10.0.1.1 255.255.255.0

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.0.0.1 255.255.255.0

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet5

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list nonat extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list test extended permit ip any 10.0.0.0 255.255.255.0

access-list test extended permit ip 10.0.0.0 255.255.255.0 any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool vpnpool 10.0.0.10-10.0.0.100

no failover

asdm image flash:/asdm

no asdm history enable

arp timeout 14400

global (outside) 1 10.0.1.1

nat (inside) 0 access-list nonat

nat (inside) 1 10.0.0.0 255.255.255.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

group-policy Administrator internal

group-policy vpncert internal

group-policy vpncert attributes

vpn-idle-timeout 30

username reedd password CTC5SyxxMxM0xKeg encrypted privilege 15

username reedd attributes

vpn-group-policy Administrator

http server enable

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group vpncert type ipsec-ra

tunnel-group vpncert general-attributes

address-pool vpnpool

default-group-policy vpncert

tunnel-group vpncert ipsec-attributes

pre-shared-key *

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:adf3011e30aba333b6e3a7fecaac04b7

: end

Green

Re: Pinging Through a VPN

Firstly, your vpn client pool should not be the same subnet as your inside. Also, your nat exemption acl is backwards. Change your vpn pool and go from there...

ip local pool vpnpool 192.168.1.1-192.168.1.100

access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

New Member

Re: Pinging Through a VPN

Thanks for the help! I guess I need some education but I thought you want the client on the same subnet as the inside as to act like they are on that LAN!!

So I basically will have 3 different subnets??

Green

Re: Pinging Through a VPN

Yes. It will be like they are on your inside subnet but you don't want the subnet to be the same.

New Member

Re: Pinging Through a VPN

Ok did that but I still am unable to ping the inside PC from the outside one.

Could you possibly give more info for me please,

thanks a lot.

New Member

Re: Pinging Through a VPN

Thanks for the help! I guess I need some education but I thought you want the client on the same subnet as the inside as to act like they are on that LAN!!

So I basically will have 3 different subnets??

Green

Re: Pinging Through a VPN

Try adding...

isakmp nat-traversal

New Member

Re: Pinging Through a VPN

Alright I setup everything as instructed but I still can't ping from the outside to the inside.

I can ping from the inside to the outside, so I think it might be some ACL error or NAT error possibly.

Thanks again!

Green

Re: Pinging Through a VPN

Post a "show run sysopt". Make sure you have sysopt connection permit-ipsec. Also, post the new config.

New Member

Re: Pinging Through a VPN

SYSOPT:

MTBFirewall(config)# sh run sysopt

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

no sysopt uauth allow-http-cache

sysopt connection permit-ipsec

MTBFirewall(config)#

CONFIG:

MTBFirewall(config)# sh run

: Saved

:

PIX Version 7.0(4)

!

hostname MTBFirewall

domain-name default.domain.invalid

enable password xxxx

names

!

interface Ethernet0

nameif outside

security-level 0

ip address 10.1.1.1 255.255.255.0

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.0.0.1 255.255.255.0

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet5

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0

access-list test extended permit ip any 10.0.0.0 255.255.255.0

access-list test extended permit ip 10.0.0.0 255.255.255.0 any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool vpnpool 10.0.3.1-10.0.3.100

no failover

asdm image flash:/asdm

no asdm history enable

arp timeout 14400

global (outside) 1 10.0.1.1

nat (inside) 1 10.0.0.0 255.255.255.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

group-policy Administrator internal

group-policy vpncert internal

group-policy vpncert attributes

vpn-idle-timeout 30

username reedd password encrypted privilege 15

username reedd attributes

vpn-group-policy Administrator

http server enable

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp nat-traversal 20

tunnel-group vpncert type ipsec-ra

tunnel-group vpncert general-attributes

address-pool vpnpool

default-group-policy vpncert

tunnel-group vpncert ipsec-attributes

pre-shared-key *

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:xxx

: end

MTBFirewall(config)#

Re: Pinging Through a VPN

When you modified the ACL you most likely lost this line:

nat (inside) 0 access-list nonat

Just add it again and it should be fine.

120
Views
0
Helpful
12
Replies