PIX VPN, Connect made, but can't access Inside Network
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
I will appreciate any help that can be offered. I seem to have a symptom of a PIX VPN problem with many solutions, that is; I can connect and establish a SA, but cannot access the network on the other side of the PIX. Ive tried almost everything Ive been able to learn here, and come up empty.
Heres my situation; I have a network of one core router and 14 spokes. Each spoke router services another network. All are private networks in the 192.168.xxx.yyy range. All routers at the spoke have a default gateway that points back to the hub. The hub has a default gateway pointing to the PIX that's located on its subnet.The PIX connects to a border router that is Telco equipment and its configuration is unknown. The Telco provided the address range of A.B.C.224 255.255.255.248. The PIX outside interface has an IP of A.B.C.230 Ive PATed A.B.C.226 and NATed A.B.C.227-A.B.C.229, but you can see that in the config below.
The PIX is used to provide internet service to approximately 100 users. This all works fine. Now my new task has been to get (for now) three users access to the private network (so the 192.168.0.0) from their homes using VPN encryption of broadband internet access. The VPN client workstations are Laptops running Win XP.
OK, What Ive accomplished so far is to establish an IPSEC tunnel from a client using Cisco VPN Client 3.6.3. My PIX is configured with a VAC, 3DES keys, and Ver 6.2.2 of the PIX Firewall software. I have configured XAUTH (Radius) and am using a Win2K Server to provide RADIUS authentication and using the transform set of ESP-3DES ESP-MD5-HMAC. This is all working as well. The SA gets established and the connection is good. An IP address is assigned from the pool. There is a static route in the core router of IP ROUTE 192.168.133.24 255.255.255.248 192.168.128.5 (that last IP is the PIX Inside interface and the subnetted route is the address pool). There is also a route in the PIX of ROUTE 192.168.0.0 255.255.0.0 192.168.128.2 1 (the last route is the core router).
OK, so heres whats happening. I connect to my ISP and bring up the VPN Dialer. I connect to the address A.B.C.230 and get a prompt for the RADIUS authentication. I reply and get XAUTH granted. The SA is established and everything is looking great. I try to ping a server on the inside and the pings timeout. On the PIX, with DEBIG CRYPTO IPSEC and ISAKMP running I get the following error to the pings:
IPSEC<ipsec_cipher_handler>: ERR: bad pkt 192.168.133.24 -> 192.168.128.22
This error occurs for each ping.
Does anyone know where Ive gone wrong. I still have some hair, please help me save the rest
Configuration has been sanitized.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *********** encrypted
passwd *********** encrypted
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
name 192.168.128.24 WebSense
name 192.168.128.21 Backup
name 192.168.128.0 OSHQ
name 192.168.128.15 Radius
access-list outside_cryptomap_dyn_20 permit ip any 192.168.133.24 255.255.255.248
access-list VPN permit ip 192.168.133.24 255.255.255.248 192.168.0.0 255.255.0.0
pager lines 40
logging monitor emergencies
logging buffered critical
logging trap critical
logging host inside Radius
interface ethernet0 auto
interface ethernet1 auto
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside A.B.C.230 255.255.255.248
ip address inside 192.168.128.5 255.255.255.0
ip verify reverse-path interface outside
ip audit name Pol1 attack action alarm drop reset
ip audit name Pol2 attack action alarm
ip audit name Pol3 info action alarm drop reset
ip audit name Pol4 info action alarm
ip audit interface outside Pol3
ip audit interface outside Pol1
ip audit interface inside Pol4
ip audit interface inside Pol2
ip audit info action alarm
ip audit attack action alarm
ip local pool Test 192.168.128.80-192.168.128.89
ip local pool Access_OSHQ 192.168.133.24-192.168.133.31
Re: PIX VPN, Connect made, but can't access Inside Network
Found my own answer. Don't put your group address pool within the inside range of IP addresses. I moved the pool to 192.168.127.1-192.168.127.254 255.255.128.0. Made the same changes to the access-list and that did the trick. Of course I put a route in the core router for the x.x.127.x back to the PIX.
Re: PIX VPN, Connect made, but can't access Inside Network
We have just gone through a similar excercise. We are setting up IPSec VPN groups with XAuth. We had previously established aaa services over TACACS+ with the Cisco Secure ACS3.2. We found that after XAuth, the user permissions had to be set inside of the ACS to allow (authorize) particular VPN traffic.
The challenge is you can not rely on your PIX logs and debugs to determine this variable. Check the logs on the ACS box and see what you find.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...