Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX IPSec VPN Can't Reach Internal Hosts

I've been working on this one for three days now, searched CCO, google, books, etc., with no luck so I'm throwing this out there. With an Cisco 3.6 VPN client I can connect to a PIX 515 but I cannot ping nor reach any internal hosts. I set up a PPTP tunnel as a test and I could connect and ping through that one but not the IPSEC. I checked many configs on CCO and I can't see what I'm missing. I also checked the bug list and tried a few versions of clients. Any help is appreciated. The relevant parts of the config are below.

Cheers,

D

access-list compiled

access-list dmz_outbound_nat0_acl permit ip host DNSBOX any

access-list dmz_outbound_nat0_acl permit ip host WEBBOX02 any

access-list dmz_inbound_nat0_acl permit ip DMZ_Net 255.255.255.240 Corp_Net 255.255.255.0

access-list inside_access_in permit tcp Corp_Net 255.255.255.0 any eq www

access-list inside_access_in permit tcp Corp_Net 255.255.255.0 any eq https

access-list inside_access_in permit udp Corp_Net 255.255.255.0 any eq domain

access-list inside_access_in permit tcp host EXCHANGE host DNSBOX eq smtp

access-list inside_access_in permit tcp Corp_Net 255.255.255.0 host DNSBOX eq domain

access-list inside_access_in permit icmp Corp_Net 255.255.255.0 any

access-list inside_access_in permit udp host ATLDCSNS any eq ntp

access-list inside_access_in permit tcp Corp_Net 255.255.255.0 any eq ftp

access-list inside_access_in permit tcp Corp_Net 255.255.255.0 any eq ftp-data

access-list inside_access_in permit tcp Corp_Net 255.255.255.0 any eq 6081

access-list inside_access_in permit tcp Corp_Net 255.255.255.0 host ROUTER eq telnet

access-list inside_access_in permit tcp Corp_Net 255.255.255.0 any eq 801

access-list inside_access_in permit tcp Corp_Net 255.255.255.0 any eq citrix-ica

access-list inside_access_in permit tcp Test_Net 255.255.255.0 any eq www

access-list inside_access_in permit tcp Test_Net 255.255.255.0 any eq https

access-list inside_access_in permit icmp Test_Net 255.255.255.0 any

access-list dmz_access_in permit udp DMZ_Net 255.255.255.240 any eq domain

access-list dmz_access_in permit tcp host DNSBOX host EXCHANGE eq smtp

access-list dmz_access_in permit tcp DMZ_Net 255.255.255.240 any eq www

access-list dmz_access_in permit tcp host DNSBOX any eq smtp

access-list dmz_access_in permit tcp host WEBBOX any eq www

access-list dmz_access_in permit icmp any any

access-list outside_access_in permit udp any host DNSBOX eq domain

access-list outside_access_in permit tcp any host DNSBOX eq smtp

access-list outside_access_in permit tcp any DMZ_Net 255.255.255.240 eq echo

access-list outside_access_in permit tcp any host WEBBOX eq 7880

access-list outside_access_in permit tcp any host WEBBOX eq https

access-list outside_access_in permit tcp any host WEBBOX eq www

access-list nonat permit ip Corp_Net 255.255.255.0 10.2.4.0 255.255.255.0

access-list outside_nat0_inbound permit ip any any

ip address outside 66.65.99.66 255.255.255.248

ip address inside 10.2.3.2 255.255.255.0

ip address dmz 66.65.99.98 255.255.255.240

ip local pool VPNPOOL 10.2.4.1-10.2.4.254

global (outside) 10 interface

nat (outside) 0 access-list outside_nat0_inbound outside

nat (inside) 0 access-list nonat

nat (inside) 0 EXCHANGE 255.255.255.255 dns 0 0

nat (inside) 10 0.0.0.0 0.0.0.0 dns 0 0

nat (dmz) 0 access-list dmz_outbound_nat0_acl

nat (dmz) 0 access-list dmz_inbound_nat0_acl outside

nat (dmz) 0 DMZ_Net 255.255.255.240 dns 0 0

static (inside,dmz) EXCHANGE EXCHANGE dns netmask 255.255.255.255 0 0

static (dmz,outside) WEBBOX WEBBOX dns netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 ROUTER00 1

route inside Test_Net 255.255.255.0 atldcsintrt 1

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

sysopt noproxyarp outside

sysopt noproxyarp inside

sysopt route dnat

crypto ipsec transform-set vpnset esp-des esp-md5-hmac

crypto dynamic-map vpnmap 10 set transform-set vpnset

crypto map vpnmap 10 ipsec-isakmp dynamic vpnmap

crypto map vpnmap client configuration address initiate

crypto map vpnmap client configuration address respond

crypto map vpnmap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup MYVPN address-pool VPNPOOL

vpngroup MYVPN dns-server NS00

vpngroup MYVPN wins-server NS00

vpngroup MYVPN default-domain mydomain.com

vpngroup MYVPN split-tunnel nonat

vpngroup MYVPN idle-time 1800

vpngroup MYVPN password ********

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe 40

vpdn group 1 client configuration address local VPNPOOL

vpdn group 1 client configuration dns NS00

vpdn group 1 client configuration wins NS00

vpdn group 1 pptp echo 60

vpdn group 1 client authentication local

vpdn username compvpn password *********

vpdn enable outside

  • Other Security Subjects
3 REPLIES
Cisco Employee

Re: PIX IPSec VPN Can't Reach Internal Hosts

Considering your PPTP config uses the same IP pool as your IPSec config, and your PPTP works, then that says you have the "nat 0" stuff set up correctly.

Your crypto config looks OK, can't see anything obviously wrong with it. Kep in mind that the tunnel is built on UDP port 500 (ISAKMP) packets, but then all data is sent on IP protocol 50 (ESP) packets, so it's possible that ESP is being filtered out somewhere, this would still allow you to build a tunnel successfully, you just couldn't ping anything over it.

After you establish a connection, do a "sho cry ipsec sa" on the PIX and look for the tunnel for your PC (find the tunnel with the IP address out of the pool that your connection received). Look at the Packets Encaps and the Packets Decaps counters. Also double-click on the padlock icon in your task bar. When you ping something, does the Packets Encrypted counter on your PC go up? Does the Packets Decaps counter on the PIX go up (indicating the PIX received your packet)? Does the Packets Encaps counter on the PIX go up (indicating the host responded and the PIX has encrypted the response and sent it to your PC)? Does the Packets REceived counter on your PC go up?

You should be able to check these counters, see what increments and what doesn't, and figure out where the problem lies.

New Member

Re: PIX IPSec VPN Can't Reach Internal Hosts

I am having the exact same problem. However, I have a couple of things I would like to add:

I've experienced this problem on Windows 2000 and Windows XP frequently.

On my Windows XP machine, I was able to ping internal resources through the VPN tunnel only once. After I restarted my PC, I lost that capability. Could this have something to do with the IPSEC Agent in Windows XP? I saw some posts suggesting that all Windows IPSEC services be disabled when running the VPN Client (I am using 3.6.2 btw).

On Windows 2000 PCs, the problem may be fixed with restarting the router on the VPN client's side.

New Member

Re: PIX IPSec VPN Can't Reach Internal Hosts

Hi

To the best of my knowledge, 3.6 doesn't work very well at all, 3.6.3 is the one you want. Also, bear in mind that if your client is behind any kind of router or firewall that performs NAT or PAT, then although it may connect successfully, it won't work at all as the IPSEC packets will be disguarded. The VPN client installation process should ask about if it can disable the w2k IPSEC service, cos it won't work otherwise.

HTH

Kev

317
Views
0
Helpful
3
Replies