Community Member

pix501 vpn connect but can't get anywhere

This is how I am set up: dsl >> linksys wireless router >> pix 501. The wireless also connects to a cisco 2924 >> 3com router >> T1 line. The T1 line is used for a secure website that we access. I have the pix set up; I can connect to the vpn and get an ip, but I can only ping the outside interface of the pix, nothing else. I want to be able to rdp into some machines on the lan but I can't see them. From the cli I can ping the 3com router (10.29.30.238), but not any machines on the lan. The dsl's inside (192.168.50.1) connects to the outside of the linksys router (192.168.50.2); the lan interface of the linksys (10.29.30.102) connects to the outside of the pix (10.29.30.103); the inside of the pix is 10.29.31.1, and vpn clients get an ip of 10.29.31.50-59.

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.29.31.0 255.255.255.0 any
pager lines 24
logging on
logging console notifications
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.29.30.103 255.255.255.0
ip address inside 10.29.31.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Test 10.29.31.50-10.29.31.59
pdm location 10.29.30.0 255.255.255.0 outside
pdm location 10.29.31.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.0 outside
pdm location 10.29.30.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 10.29.30.102 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.29.31.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.29.31.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local Test
vpdn group PPTP-VPDN-GROUP client configuration dns isp dns ips
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username user1 password *********
vpdn enable outside
vpdn enable inside
dhcpd address 10.29.31.2-10.29.31.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxx
: end
[OK]


14 REPLIES
Green

Re: pix501 vpn connect but can't get anywhere

vpn client pool should be a completely different subnet. Also may want to add isakmp nat-t.

Community Member

Re: pix501 vpn connect but can't get anywhere

Ok, I changed the vpn pool to a different subnet and entered the command isakmp nat-t, but I am still not able to get anywhere. I have tried pinging the outside interface from the inside and vice versa but nothing happens. Am I missing a route or something? Here is the new config, and my routes.

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit ip 10.29.31.0 255.255.255.0 any
pager lines 24
logging on
logging console notifications
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.29.30.103 255.255.255.0
ip address inside 10.29.31.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Test 192.168.5.1-192.168.5.10
pdm location 10.29.30.0 255.255.255.0 outside
pdm location 10.29.31.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.0 outside
pdm location 192.168.5.0 255.255.255.0 inside
pdm location 10.29.31.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.29.30.102 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.29.31.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.29.31.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local Toyota
vpdn group PPTP-VPDN-GROUP client configuration dns 166.102.165.13 166.102.165.11
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username user1 password *********
vpdn enable outside
vpdn enable inside
dhcpd address 10.29.31.2-10.29.31.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:cfb56defb17d09c9d6978ad3dbd487cc
: end
[OK]

outside 0.0.0.0 0.0.0.0 10.29.30.102 1 OTHER static
outside 10.29.30.0 255.255.255.0 10.29.30.103 1 CONNECT static
inside 10.29.31.0 255.255.255.0 10.29.31.1 1 CONNECT static

Bronze

Re: pix501 vpn connect but can't get anywhere

You didn't exclude the traffic to the VPN Client from the NAT-process.

You need to add the following commands to your configuration:

access-list nonat permit ip 10.29.31.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list nonat

Please rate if the post helps!

Regards,

Michael

Community Member

Re: pix501 vpn connect but can't get anywhere

I made the change but still nothing. I can ping the outside interface when connected to the vpn, but nothing else. The next hop is 10.29.30.102 but I can't ping it or any machines connected out there. I can't find out what I am missing. Here is my updated config. Thanks again.

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 10.29.31.0 255.255.255.0 192.168.5.0 255.255.255.0
pager lines 24
logging on
logging console notifications
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.29.30.103 255.255.255.0
ip address inside 10.29.31.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Test 192.168.5.1-192.168.5.10
pdm location 10.29.30.0 255.255.255.0 outside
pdm location 10.29.31.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.0 outside
pdm location 192.168.5.0 255.255.255.0 inside
pdm location 10.29.31.0 255.255.255.0 outside
pdm location 63.90.86.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 10.29.30.102 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.29.31.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.29.31.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local Test
vpdn group PPTP-VPDN-GROUP client configuration dns isp ips
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username user1 password *********
vpdn enable outside
vpdn enable inside
dhcpd address 10.29.31.2-10.29.31.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:7761d42aff797e6b57275368b3201df5
: end
[OK]

Bronze

Re: pix501 vpn connect but can't get anywhere

The configuration is now missing the command "nat (inside) 1 0.0.0.0 0.0.0.0"; your NAT config should look like this:

access-list nonat permit ip 10.29.31.0 255.255.255.0 192.168.5.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

I also advise you to insert the command 'management-access inside', which allows you to ping/communicate with the inside interface of your Pix.

You can test your VPN by pinging the address of your VPN Client, the inside of your Pix and everything on the inside of the Pix (a host on your internal network).
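The three NAT problems raised so far in this thread (a VPN pool carved out of the inside subnet, no nat 0 exemption for inside-to-pool traffic, and a dropped nat (inside) 1 rule) can all be caught by reading the config rather than by pinging. The script below is an added example by the editor, not code from the thread or from Cisco: it parses the handful of PIX 6.3 commands that matter and reports those three findings, and it also flags two exposure issues visible in the posted config that nobody commented on (telnet and http management allowed from 0.0.0.0 on the outside interface, and the default SNMP community "public"). Both embedded configs are constructed cut-downs of the ones posted above.

```python
"""Static checks for a PIX 6.3-style config (editor's example, not from the thread)."""
import ipaddress
import re

# Constructed: cut-down version of the second posted config (pool moved to
# 192.168.5.x, nat (inside) 1 present, but no nat 0 exemption yet).
SAMPLE_CONFIG = """\
ip address outside 10.29.30.103 255.255.255.0
ip address inside 10.29.31.1 255.255.255.0
ip local pool Test 192.168.5.1-192.168.5.10
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
http 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 outside
snmp-server community public
"""

# Constructed: same config with the NAT fix from the replies applied and
# management access limited to the inside network.
FIXED_CONFIG = """\
ip address outside 10.29.30.103 255.255.255.0
ip address inside 10.29.31.1 255.255.255.0
access-list nonat permit ip 10.29.31.0 255.255.255.0 192.168.5.0 255.255.255.0
ip local pool Test 192.168.5.1-192.168.5.10
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
http 10.29.31.0 255.255.255.0 inside
telnet 10.29.31.0 255.255.255.0 inside
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Pull out only the statements the checks need."""
    cfg = {"ifaces": {}, "pools": {}, "acls": {}, "nat0": None,
           "nat_dyn": [], "open_mgmt": [], "snmp": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            cfg["ifaces"][m.group(1)] = _net(m.group(2), m.group(3))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m.group(1), []).append(
                (_net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            cfg["nat0"] = m.group(1)            # NAT exemption ACL name
        elif re.match(r"nat \(inside\) [1-9]\d* ", line):
            cfg["nat_dyn"].append(line)         # dynamic NAT/PAT rule
        elif m := re.match(r"(telnet|http) 0\.0\.0\.0 0\.0\.0\.0 outside$", line):
            cfg["open_mgmt"].append(m.group(1))
        elif m := re.match(r"snmp-server community (\S+)$", line):
            cfg["snmp"].append(m.group(1))
    return cfg


def audit(config):
    """Return a list of human-readable findings; empty list means clean."""
    cfg = parse(config)
    findings = []
    inside = cfg["ifaces"].get("inside")
    for name, (lo, hi) in cfg["pools"].items():
        # First reply in the thread: the pool must not live inside the inside subnet.
        if inside and (lo in inside or hi in inside):
            findings.append(f"pool {name} overlaps inside subnet {inside}")
        # Michael's reply: inside -> pool traffic must be exempted from NAT.
        exempt = any(inside and inside.subnet_of(src) and lo in dst and hi in dst
                     for src, dst in cfg["acls"].get(cfg["nat0"], []))
        if not exempt:
            findings.append(f"no NAT exemption (nat 0) for inside -> pool {name}")
    # Follow-up reply: the dynamic rule was dropped when nat 0 was added.
    if not cfg["nat_dyn"]:
        findings.append("no dynamic NAT rule (nat (inside) 1 ...) for inside -> outside")
    for proto in cfg["open_mgmt"]:
        findings.append(f"{proto} management open to 0.0.0.0/0 on outside")
    for community in cfg["snmp"]:
        if community in ("public", "private"):
            findings.append(f"default SNMP community '{community}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or ["clean"])
```

Running it prints four findings for the posted config and "clean" for the fixed one; swapping the pool back to 10.29.31.50-10.29.31.59 adds the overlap finding. The exemption check deliberately requires the ACL's destination to cover the whole pool range, since an exemption that covers only part of the pool fails intermittently depending on which address a client draws.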

Community Member

Re: pix501 vpn connect but can't get anywhere

Ok, I changed the config but still nothing. From the pix I can ping my vpn ip from the outside interface; when connected I can't ping the inside interface of the pix. The machines that I need to rdp to are on the 10.29.30.X subnet. Is this not possible to do?

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 10.29.31.0 255.255.255.0 192.168.5.0 255.255.255.0
pager lines 24
logging on
logging console notifications
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.29.30.103 255.255.255.0
ip address inside 10.29.31.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Test 192.168.5.1-192.168.5.10
pdm location 10.29.30.0 255.255.255.0 outside
pdm location 10.29.31.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.0 outside
pdm location 192.168.5.0 255.255.255.0 inside
pdm location 10.29.31.0 255.255.255.0 outside
pdm location 63.90.86.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.29.30.102 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.29.31.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.29.31.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local Test
vpdn group PPTP-VPDN-GROUP client configuration dns isp ips
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username user1 password *********
vpdn enable outside
vpdn enable inside
dhcpd address 10.29.31.2-10.29.31.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:d2ca3f7ab198f452bf342debd6675cde
: end
[OK]

Bronze

Re: pix501 vpn connect but can't get anywhere

The machines you want to RDP to are on the outside of the Pix; you can't get to them when you have a VPN Client connection with the Pix. You can only contact machines on the 10.29.31.X network.

Community Member

Re: pix501 vpn connect but can't get anywhere

If the machine that I rdp into is on the inside of the pix, will that machine still be able to access stuff on the 10.29.30.x network? We have a server that is on that network. If I set up routes on the pix, will it be able to access it or not? Thanks again for all your help.

Bronze (accepted solution)

Re: pix501 vpn connect but can't get anywhere

Yes, if you RDP to a server on the inside of the pix, you can access a server on the outside of the pix (in the 10.29.30.x network).

There are a couple of requirements for this:

- The server you first RDP to needs to have a default route to the pix (or at least a route to the 10.29.30.x network via the pix).

- The server on the outside of the pix has to have a route back to the Pix. (It needs a route for 10.29.31.x pointing to the outside interface of the pix.) This can be done with 'route add' in a DOS prompt.

Community Member

Re: pix501 vpn connect but can't get anywhere

Doesn't the machine inside the pix have a default route to 10.29.30.x via the default route in the pix (route outside 0.0.0.0 0.0.0.0 10.29.30.102), so all I should have to do is put the default route in on the machine on the outside? Does it make sense that I can ping some machines but not all from the outside interface on the pix while logged into the pix on the 10.29.30.x subnet? One last question: our secured website is on the other side of the 10.29.30.238 router, so would I just have to put a default route in there also, pointing traffic to 10.29.31.x to the outside interface of the pix, just like the rdp machine? Thanks again.

Bronze

Re: pix501 vpn connect but can't get anywhere

Doesn't the machine inside the pix have a default route to 10.29.30.x via the default route in the pix (route outside 0.0.0.0 0.0.0.0 10.29.30.102), so all I should have to do is put the default route in on the machine on the outside?

That is correct!

Does it make sense that I can ping some machines but not all from the outside interface on the pix while logged into the pix on the 10.29.30.x subnet?

Yes, some machines block icmp or have an active firewall which doesn't allow ping.

One last question: our secured website is on the other side of the 10.29.30.238 router, so would I just have to put a default route in there also, pointing traffic to 10.29.31.x to the outside interface of the pix, just like the rdp machine?

That should do it :)

Thanks again

No problem!

Community Member

Re: pix501 vpn connect but can't get anywhere

Perfect, I am going to try this all tonight when I can get to people's machines and mess with the router. Thanks again.

Community Member

Re: pix501 vpn connect but can't get anywhere

If I just put a static route in the 10.29.30.238 router, which is everyone's default gateway outside of the pix, wouldn't the machines and printers work fine to the 10.29.31.x subnet?

Bronze

Re: pix501 vpn connect but can't get anywhere

The default gateway should indeed have a route for network 10.29.31.x pointing to the outside of the pix.

But you should remember that the Pix is a natting firewall, so it should actually know how to find the hosts behind the pix, just because they are natted.

I think that you should look up some information about how NAT and static routes really work; it could really help you solve your problem!
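The last two replies make two different points about return traffic, and a small routing model shows how they fit together. The script below is an added example by the editor, not code from the thread or from Cisco. It models the routing tables of a server on the 10.29.30.x side and of the 10.29.30.238 router, then traces where the server's reply packet goes. With the posted config (nat (inside) 1 plus global (outside) 1 interface), the server only ever sees 10.29.30.103, a directly connected address, so the reply reaches the pix with no extra route, which is what the final reply is getting at. The accepted solution's 'route add' is what is needed only if the server sees the real 10.29.31.x source, i.e. if inside-to-server traffic were exempted from NAT; the trace then shows the reply leaving via the router's default route unless either the server or the router has a 10.29.31.0/24 route pointing at the pix. The server address 10.29.30.50, the inside host 10.29.31.10 and the router's T1 next hop 198.51.100.1 are constructed placeholders.

```python
"""Trace the return path of a reply from the 10.29.30.x side back to the pix (editor's example)."""
import ipaddress

IPv4 = ipaddress.IPv4Address
Net = ipaddress.ip_network

PIX_OUTSIDE = IPv4("10.29.30.103")   # pix outside interface, from the posted config
ROUTER = IPv4("10.29.30.238")        # the 3com router, default gateway on that LAN
SERVER = IPv4("10.29.30.50")         # constructed: a server the VPN user wants to reach
INSIDE_HOST = IPv4("10.29.31.10")    # constructed: the RDP target behind the pix
T1_UPLINK = IPv4("198.51.100.1")     # constructed placeholder for the router's T1 next hop

# Routing tables as (network, next_hop) pairs; next_hop None means directly connected.
SERVER_TABLE = [(Net("10.29.30.0/24"), None), (Net("0.0.0.0/0"), ROUTER)]
ROUTER_TABLE_BEFORE = [(Net("10.29.30.0/24"), None), (Net("0.0.0.0/0"), T1_UPLINK)]
# The static route the thread ends on: 10.29.31.x via the pix outside interface.
ROUTER_TABLE_AFTER = ROUTER_TABLE_BEFORE + [(Net("10.29.31.0/24"), PIX_OUTSIDE)]


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None if no route."""
    best = None
    for net, nh in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def trace_reply(tables, start, dst, max_hops=8):
    """Follow next hops from `start` toward `dst`. Stops when the packet reaches the
    pix outside interface, hits a node whose table has no route, leaves the modelled
    network, or exceeds max_hops. Returns the list of hops (last entry tells why)."""
    hops = [start]
    node = start
    for _ in range(max_hops):
        if node == PIX_OUTSIDE:
            return hops
        table = tables.get(node)
        if table is None:
            return hops + ["left modelled network"]
        route = lookup(table, dst)
        if route is None:
            return hops + ["no route"]
        net, nh = route
        node = dst if nh is None else nh   # connected: deliver directly
        hops.append(node)
    return hops + ["loop"]


def build_tables(router_table):
    return {SERVER: SERVER_TABLE, ROUTER: router_table}


def reply_reaches_pix(tables, start, dst):
    return trace_reply(tables, start, dst)[-1] == PIX_OUTSIDE


def natted_reply_ok(router_table=ROUTER_TABLE_BEFORE):
    """Posted config: PAT to the interface, so the server replies to 10.29.30.103."""
    return reply_reaches_pix(build_tables(router_table), SERVER, PIX_OUTSIDE)


def exempt_reply_ok(router_table):
    """Hypothetical nat 0 exemption: the server replies to the real 10.29.31.x address."""
    return reply_reaches_pix(build_tables(router_table), SERVER, INSIDE_HOST)


if __name__ == "__main__":
    print("natted reply:", trace_reply(build_tables(ROUTER_TABLE_BEFORE), SERVER, PIX_OUTSIDE))
    print("exempt, no route:", trace_reply(build_tables(ROUTER_TABLE_BEFORE), SERVER, INSIDE_HOST))
    print("exempt, router fixed:", trace_reply(build_tables(ROUTER_TABLE_AFTER), SERVER, INSIDE_HOST))
```

The same helper answers the question about individual hosts: adding the 10.29.31.0/24 route to SERVER_TABLE instead of the router's table makes that one server's reply go straight to the pix, while fixing the router covers every host that uses it as default gateway.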
