Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Pix VPN/Client acl question/problem

Hey all,

I got something that I can't quite figure out...

Got a Pix setup to do VPN, 6.2(2). Inside is 192.168.10.x, VPN pool is 192.168.11.x. I can get the client to authenticate no prob, Inside machines can ping and communicate with the client with no prob. Client cannot ping, map or do anything inside without me adding a permit statement for 192.168.11.x to 192.168.10.x which is applied to the outside interface. Why do I need this statement ? Is there any way around this ? I think it is very un-secure to have to permit something like that on the outside interface, poses a huge security problem if you ask me. Below is a sanitized config.

Thanks,

Brian

Pix(config)# wr t

Building configuration...

: Saved

:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxx encrypted

passwd xxxxxxxxx encrypted

hostname Pix

domain-name xxx.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list outside permit icmp any any echo-reply

access-list outside permit tcp any any eq pcanywhere-data

access-list outside permit udp any any eq pcanywhere-status

access-list outside permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 192.168.10.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 192.168.11.1-192.168.11.254

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 192.168.10.0 255.255.255.0 0 0

static (inside,outside) tcp interface pcanywhere-data 192.168.10.2 pcanywhere-data netmask 255.255.255.255 0 0

static (inside,outside) udp interface pcanywhere-status 192.168.10.2 pcanywhere-status netmask 255.255.255.255 0 0

access-group outside in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup xxxxx address-pool ippool

vpngroup xxxxxx dns-server 192.168.10.9

vpngroup xxxxx wins-server 192.168.10.9

vpngroup xxxxx default-domain bns.com

vpngroup xxxxx idle-time 1800

vpngroup xxxxx password ********

telnet timeout 5

ssh x.x.x.x x.x.x.x outside

ssh x.x.x.x x.x.x.x inside

ssh timeout 5

dhcpd address 192.168.10.50-192.168.10.100 inside

dhcpd dns xxx.xxx.xxx.xxx

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain xxx.com

dhcpd enable inside

terminal width 80

Cryptochecksum:133ccfbbecbe4ba44e6657280422c44b

: end

[OK]

Pix(config)#

1 REPLY
New Member

Re: Pix VPN/Client acl question/problem

I figured it out. I missed "sysopt connection permit-ipsec". Which essentially tells the ipsec tunnel to disregard acl's.

Hopefully this will help someone else as well.

-Brian

79
Views
0
Helpful
1
Replies
CreatePlease to create content