11-09-2007 12:42 AM - edited 02-21-2020 01:46 AM
I have a problem with a PIX 501 that allows you to establish a VPN session to a remote network (using the Cisco VPN client software) but does not permit you to ping any devices on the remote network. This problem only occurs with the PIX. I have similar environments not running PIX firewalls that do not have this problem. If I replace the PIX with a non Cisco firewall, the problem goes away or if I create a site-to-site tunnel, I can then access the remote network.
11-09-2007 05:45 AM
Post your config or add "isakmp nat-traversal".
11-13-2007 05:11 PM
Thanks for the suggestion. I added "isakmp nat-traversal" but that did not help. Here is the config:
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.0 Head_Office
access-list inside_outbound_nat0_acl permit ip any 192.168.0.100 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 10.0.10.0 255.255.255.0 Head_Office 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.100 255.255.255.252
access-list outside_cryptomap_dyn_40 permit ip any 192.168.0.100 255.255.255.252
access-list outside_cryptomap_20 permit ip 10.0.10.0 255.255.255.0 Head_Office 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-Remote-Pool 192.168.0.100-192.168.0.103
pdm location Head_Office 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location Head_Office 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.10.0 255.255.255.0 inside
http Head_Office 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup icare address-pool VPN-Remote-Pool
vpngroup icare dns-server 10.0.10.254
vpngroup icare idle-time 1800
vpngroup icare password ********
vpngroup itsupport address-pool VPN-Remote-Pool
vpngroup itsupport dns-server 10.0.10.254
vpngroup itsupport idle-time 1800
vpngroup itsupport password ********
telnet timeout 5
ssh timeout 5
management-access outside
console timeout 20
dhcpd address 10.0.10.100-10.0.10.110 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
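When a remote-access client connects but cannot reach the inside network, the usual first checks on a PIX 6.3 are whether the client address pool is exempted from NAT (the `nat (inside) 0 access-list`), whether the dynamic crypto-map ACL matches the pool, and whether `isakmp nat-traversal` and `sysopt connection permit-ipsec` are present. The following script is an added example, not code from the thread or from Cisco; it parses an excerpt of the config posted above (values copied unchanged, with the `vpngroup`/pool lines included) and reports those checks. It also runs the same checks against a constructed variant whose pool has been widened past the /30 in the ACLs, to show the mismatch the script is meant to catch. It relies only on the standard library (`ipaddress.subnet_of` needs Python 3.7 or later); the function and variable names are mine.

```python
import ipaddress
import re

# Excerpt of the PIX 6.3 config from the thread (constructed test input; values unchanged).
PIX_CONFIG = """\
name 10.0.0.0 Head_Office
access-list inside_outbound_nat0_acl permit ip any 192.168.0.100 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 10.0.10.0 255.255.255.0 Head_Office 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.100 255.255.255.252
access-list outside_cryptomap_dyn_40 permit ip any 192.168.0.100 255.255.255.252
ip address inside 10.0.10.254 255.255.255.0
ip local pool VPN-Remote-Pool 192.168.0.100-192.168.0.103
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
isakmp nat-traversal 20
vpngroup icare address-pool VPN-Remote-Pool
vpngroup itsupport address-pool VPN-Remote-Pool
"""

# Constructed variant: pool grown to 11 addresses, but the ACLs still only cover a /30.
WIDENED_POOL_CONFIG = PIX_CONFIG.replace("192.168.0.100-192.168.0.103",
                                         "192.168.0.100-192.168.0.110")


def parse_names(cfg):
    """Map 'name <ip> <label>' entries so labels can be resolved in ACLs."""
    return {m.group(2): m.group(1) for m in re.finditer(r"^name (\S+) (\S+)", cfg, re.M)}


def to_network(addr, mask, names):
    """Turn 'addr mask' (addr may be a name label) into an ip_network."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)


def parse_endpoint(token, names):
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return to_network(addr, mask, names)


def parse_acls(cfg, names):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    pat = re.compile(r"^access-list (\S+) permit ip (any|\S+ \S+) (any|\S+ \S+)", re.M)
    for m in pat.finditer(cfg):
        name, src, dst = m.groups()
        acls.setdefault(name, []).append((parse_endpoint(src, names), parse_endpoint(dst, names)))
    return acls


def parse_pools(cfg):
    """Return {pool_name: [CIDR blocks covering the pool range]}."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M):
        first, last = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
        pools[m.group(1)] = list(ipaddress.summarize_address_range(first, last))
    return pools


def covered(pool_blocks, entries, inside_net):
    """True if every block of the pool is matched, from the inside subnet, by some ACL entry."""
    return all(
        any(inside_net.subnet_of(src) and block.subnet_of(dst) for src, dst in entries)
        for block in pool_blocks
    )


def audit(cfg):
    """Run the remote-access reachability checks and return the findings as a dict."""
    names = parse_names(cfg)
    acls = parse_acls(cfg, names)
    pools = parse_pools(cfg)
    m = re.search(r"^ip address inside (\S+) (\S+)", cfg, re.M)
    inside_net = to_network(m.group(1), m.group(2), names)

    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    nat0_entries = acls.get(m.group(1), []) if m else []
    dyn_entries = []
    for m in re.finditer(r"^crypto dynamic-map \S+ \d+ match address (\S+)", cfg, re.M):
        dyn_entries.extend(acls.get(m.group(1), []))

    findings = {}
    for group, pool_name in re.findall(r"^vpngroup (\S+) address-pool (\S+)", cfg, re.M):
        blocks = pools[pool_name]
        findings[group] = {
            "nat0_exempts_pool": covered(blocks, nat0_entries, inside_net),
            "dynamic_map_matches_pool": covered(blocks, dyn_entries, inside_net),
        }
    findings["nat_traversal"] = re.search(r"^isakmp nat-traversal", cfg, re.M) is not None
    findings["permit_ipsec_bypasses_acl"] = (
        re.search(r"^sysopt connection permit-ipsec", cfg, re.M) is not None)
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", PIX_CONFIG), ("widened pool", WIDENED_POOL_CONFIG)):
        print(label, audit(cfg))
```

On the config as posted, every check passes for both `vpngroup`s, which narrows the search: the NAT exemption and crypto ACLs are consistent with the 192.168.0.100/30 pool, so the cause lies elsewhere (the script does not look at host-side firewalls, the return route on inside hosts, or the client's own settings). On the widened variant, `nat0_exempts_pool` drops to False because 192.168.0.104/30 is no longer inside the /30 the ACL names, which is exactly the silent failure that follows when a pool is enlarged without updating the ACLs.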