Cisco Support Community

PIX 515E VPN configuration Problem

I am configuring a PIX 515E Firewall/VPN behind an ADSL router (NAT on the ADSL router, not the PIX). Using the attached configuration, the Cisco VPN 4.0.3(D) client connects and has an IP address assigned but can't access any server on the inside subnet; if I ping the remote user from the inside server, everything works fine. Please advise.

Many thanks

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password AAAAA.BBBBBB encrypted
passwd AAAAAAAA.BBBBBB encrypted
hostname PIX-Firewall
domain-name CUSTOMER.local
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.XXX.3 CSG_Server
name 192.168.XXX.2 Metaframe_Srvr
name 192.168.XXX.1 PDC
name 192.168.XXX.254 ISA_Firewall
access-list outside_access_in permit udp any eq 4500 any
access-list outside_access_in permit udp any any eq isakmp
access-list outside_access_in permit tcp any any eq 500
access-list outside_access_in permit tcp any any eq 51
access-list outside_access_in permit udp any any eq 51
access-list outside_access_in permit udp any any eq 50
access-list outside_access_in permit tcp any any eq 50
access-list outside_access_in remark https for CSG Server
access-list outside_access_in permit tcp any host CSG_Server eq https
access-list outside_access_in remark TCP port 80 for CSG Server
access-list outside_access_in permit tcp any host CSG_Server eq www
access-list outside_access_in remark TCP Port 444 for CSG Server
access-list outside_access_in permit tcp any host CSG_Server eq 444
access-list outside_access_in remark TCP-ICA Port 1494
access-list outside_access_in permit tcp any host CSG_Server eq citrix-ica
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 192.168.YYY.2 255.255.255.0
ip address inside 192.168.XXX.250 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_clients 192.168.XXX.60-192.168.XXX.90
ip local pool VPN_clients_2 192.168.YYY.30-192.168.YYY.200
pdm location ISA_Firewall 255.255.255.255 inside
pdm location CSG_Server 255.255.255.255 inside
pdm location PDC 255.255.255.255 inside
pdm location Metaframe_Srvr 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.XXX.0 255.255.255.0 outside
pdm location 192.168.XXX.0 255.255.255.128 outside
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) CSG_Server CSG_Server netmask 255.255.255.255 0 0
static (inside,outside) Metaframe_Srvr Metaframe_Srvr netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.YYY.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http ISA_Firewall 255.255.255.255 inside
http PDC 255.255.255.255 inside
http Metaframe_Srvr 255.255.255.255 inside
http CSG_Server 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup CUSTOMER address-pool VPN_clients
vpngroup CUSTOMER dns-server PDC ISA_Firewall
vpngroup CUSTOMER idle-time 1800
vpngroup CUSTOMER password ********
telnet PDC 255.255.255.255 inside
telnet Metaframe_Srvr 255.255.255.255 inside
telnet CSG_Server 255.255.255.255 inside
telnet ISA_Firewall 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
vpdn enable inside
terminal width 80
Cryptochecksum: aaaaaaaaaaaaaaaaaa
: end

1 REPLY

Re: PIX 515E VPN configuration Problem

Hi,

If your router is doing NAT, then you need to inform the PIX of this; the function you need is called NAT-T and can be enabled on your PIX with the following command:

isakmp nat-traversal 20

regards,

Rowan

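As an added example, not part of the thread and not Cisco tooling: a small Python lint over a constructed excerpt of the posted configuration. It flags the missing `isakmp nat-traversal` that Rowan's reply supplies (assuming, as the poster states, that the PIX sits behind a NAT router), the access-list entries that put IP protocols 50/51 and TCP 500 where TCP/UDP ports belong, the source-port match on 4500, and the default SNMP community, then emits the corrected lines. The 192.168.10.x and 192.168.1.x addresses are stand-ins for the masked XXX/YYY octets; nothing here is the real customer configuration.

```python
"""Lint and patch the PIX 6.3 remote-access VPN config from the post.

Added example (not Cisco's tooling).  Assumes the PIX sits behind a NAT
router, as the poster states, so NAT-T is required.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the posted config.  The post masks the third octet
# as XXX/YYY; 10 and 1 are stand-ins for this example, not the real values.
SAMPLE_CONFIG = """\
PIX Version 6.3(1)
access-list outside_access_in permit udp any eq 4500 any
access-list outside_access_in permit udp any any eq isakmp
access-list outside_access_in permit tcp any any eq 500
access-list outside_access_in permit tcp any any eq 51
access-list outside_access_in permit udp any any eq 51
access-list outside_access_in permit udp any any eq 50
access-list outside_access_in permit tcp any any eq 50
access-list outside_access_in permit tcp any host CSG_Server eq https
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.10.250 255.255.255.0
ip local pool VPN_clients 192.168.10.60-192.168.10.90
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
snmp-server community public
sysopt connection permit-ipsec
crypto map outside_map interface outside
isakmp enable outside
vpngroup CUSTOMER address-pool VPN_clients
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "error" | "warning" | "info"
    line: str
    message: str


# ESP (50) and AH (51) are IP protocol numbers.  In PIX ACL syntax they go in
# the protocol field ("permit esp ..."), never after "eq" as a TCP/UDP port.
IP_PROTO_AS_PORT = {"50": "esp", "51": "ah"}

# TCP/UDP entry: access-list NAME permit tcp|udp SRC [eq P] DST [eq P]
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>tcp|udp) "
    r"(?P<src>any|host \S+|\d+\.\d+\.\d+\.\d+ \S+)(?: eq (?P<sport>\S+))? "
    r"(?P<dst>any|host \S+|\d+\.\d+\.\d+\.\d+ \S+)(?: eq (?P<dport>\S+))?$"
)


def lint_acl(line: str) -> list[Finding]:
    """Findings for one TCP/UDP access-list entry (empty if it looks sane)."""
    m = ACL_RE.match(line)
    if not m:
        return []
    proto, sport, dport = m["proto"], m["sport"], m["dport"]
    out = []
    for port in (sport, dport):
        if port in IP_PROTO_AS_PORT:
            out.append(Finding("error", line,
                f"'eq {port}' is {proto.upper()} port {port}; IP protocol {port} "
                f"must be written 'permit {IP_PROTO_AS_PORT[port]} ...'"))
    if proto == "tcp" and dport in ("500", "isakmp"):
        out.append(Finding("error", line, "ISAKMP is UDP 500, not TCP"))
    if sport == "4500" and dport is None:
        out.append(Finding("warning", line,
            "matches source port 4500; NAT-T is addressed to destination port 4500"))
    return out


def fix_acl(line: str) -> str:
    """Corrected form of a flagged ACL entry, or the line unchanged."""
    m = ACL_RE.match(line)
    if not m:
        return line
    name, proto, src, dst = m["name"], m["proto"], m["src"], m["dst"]
    sport, dport = m["sport"], m["dport"]
    port = dport or sport
    if port in IP_PROTO_AS_PORT:                 # tcp/udp eq 50|51 -> esp|ah
        return f"access-list {name} permit {IP_PROTO_AS_PORT[port]} {src} {dst}"
    if proto == "tcp" and dport in ("500", "isakmp"):
        return f"access-list {name} permit udp {src} {dst} eq isakmp"
    if sport == "4500" and dport is None:        # source-port match -> destination
        return f"access-list {name} permit udp {src} {dst} eq 4500"
    return line


def _lines(text: str) -> list[str]:
    return [" ".join(l.split()) for l in text.splitlines() if l.strip()]


def lint_config(text: str) -> list[Finding]:
    """Run every check over a whole 'show run' and return the findings."""
    lines = _lines(text)
    findings = [f for l in lines for f in lint_acl(l)]
    if not any(l.startswith("isakmp nat-traversal") for l in lines):
        findings.append(Finding("error", "isakmp nat-traversal (absent)",
            "PIX is assumed to be behind a NAT router but NAT-T is off; add "
            "'isakmp nat-traversal 20' so IKE and ESP ride in UDP 4500, which "
            "the router's NAT can track"))
    if "snmp-server community public" in lines:
        findings.append(Finding("warning", "snmp-server community public",
            "default SNMP community string; change it or remove SNMP"))
    if "sysopt connection permit-ipsec" in lines:
        findings.append(Finding("info", "sysopt connection permit-ipsec",
            "decrypted VPN traffic bypasses the outside ACL, so the entries "
            "above do not gate what VPN clients can reach inside"))
    return findings


def fixed_config(text: str) -> str:
    """Rewrite flagged ACL entries (dropping duplicates that collapse into one
    line) and enable NAT-T right after 'isakmp enable outside'."""
    lines = _lines(text)
    has_natt = any(l.startswith("isakmp nat-traversal") for l in lines)
    out: list[str] = []
    for line in lines:
        fixed = fix_acl(line)
        if fixed not in out:          # 'tcp eq 50' and 'udp eq 50' both become esp
            out.append(fixed)
        if line == "isakmp enable outside" and not has_natt:
            out.append("isakmp nat-traversal 20")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in lint_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.line}\n    {f.message}")
    print("\n--- corrected config ---")
    print(fixed_config(SAMPLE_CONFIG))
```

Whether the to-the-box ESP/ISAKMP entries are needed at all in `outside_access_in` is a separate question; the script only corrects their syntax. Re-running `lint_config` on the output of `fixed_config` leaves no errors, only the SNMP warning and the `sysopt` note.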