PIX515 VPN - connected - but cannot access internal network

darrenchew (Level 1)

G'day,

I am using a PIX-515R and the Secure VPN Client 3.5.2. I am able to successfully authenticate and establish a connection however I am unable to ping any host on LAN/DMZ/WWW when connected.

ipconfig /all reveals that the IP address on my NIC has not changed, and I understand that it is supposed to be replaced with the VPN IP address, and other IP addressing information specified by the vpngroup command.

Clicking on the padlock in the system tray under general, it appears that the VPN Client has successfully obtained an IP address from the VPN clients pool, however under the statistics tab I can see no secured routes to the internal network. I see 2 entries:

1) 0.0.0.0, 0.0.0.0

2) 203.47.xxx.200, 255.255.255.255

This is consistent with the information provided by the route print command.

Does anyone know what I am doing wrong? Any gotchas?

Here's some of the config from the firewall:

access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (dmz) 0 access-list nonat
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set TSET_VPNCLIENT esp-3des esp-md5-hmac
crypto dynamic-map dyna 1 set transform-set TSET_VPNCLIENT
crypto map vpnclient 1 ipsec-isakmp dynamic dyna
crypto map vpnclient client authentication RADIUS
crypto map vpnclient interface outside
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup vicscouts address-pool vpnclnt_pool
vpngroup vicscouts dns-server 192.168.1.1 192.168.1.2
vpngroup vicscouts wins-server 10.1.22.1
vpngroup vicscouts default-domain vicscouts.asn.au
vpngroup vicscouts idle-time 1800
vpngroup vicscouts password ********

Many thanks in advance,

1 Reply

paqiu (Level 1)

Hi,

The routes you got in your VPN client are correct. Because you are not using the "vpngroup split-tunnel" command, you cannot browse the internet when you are connected to the VPN.

The VPN client IP address will not change in "ipconfig /all"; it only shows up in the VPN client status window.

Is your client PC sitting behind PAT equipment (ADSL router), or using a dial-up connection and getting a public IP address directly? Because "IPSEC over PAT" to a PIX is not supported at this moment.

One more thing, please do not use IP addresses in your IP pool that overlap with your inside network. Otherwise, you will not be able to pass any traffic due to the routing issue.

Your inside network is using 10.0.0.0 and 192.168.1.0.

Please change the pool to 192.168.100.0 and also change the no-nat access-list to bypass the VPN traffic.

Best Regards,
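As an added example (not code from either poster), the following Python script applies the two rules from the reply to the nonat access-list posted in the question: the client pool must not overlap an inside network, and inside-to-pool traffic must be exempted from NAT by the nat 0 ACL. The original config never shows the "ip local pool" line, so the 10.1.100.0/24 pool is inferred from the third nonat entry and the corrected ACL lines are an assumption.

```python
import ipaddress
import re

# Constructed input: the nonat ACL exactly as posted in the question.
ORIGINAL_NONAT = """\
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
"""
# Constructed (assumption): the same ACL with two lines added for a 192.168.100.0/24 pool.
FIXED_NONAT = ORIGINAL_NONAT + """\
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
"""
INSIDE_NETS = ("10.0.0.0/8", "192.168.1.0/24")  # the inside networks named in the reply

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_nonat(config, acl_name="nonat"):
    """Return (src, dst) network pairs from the 'permit ip' lines of the named ACL."""
    pairs = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            pairs.append((src, dst))
    return pairs

def audit_pool(config, pool_cidr, inside_cidrs=INSIDE_NETS):
    """Apply the reply's two rules to a client pool; return a list of problem strings."""
    pool = ipaddress.ip_network(pool_cidr)
    nonat = parse_nonat(config)
    problems = []
    for cidr in inside_cidrs:
        net = ipaddress.ip_network(cidr)
        # Rule 1: the pool must not overlap an inside network (the "routing issue").
        if pool.overlaps(net):
            problems.append(f"pool {pool} overlaps inside network {net}")
        # Rule 2: inside -> pool traffic must match the nat 0 ACL; otherwise
        # 'nat (inside) 1' translates it and replies never return through the tunnel.
        if not any(net.subnet_of(src) and pool.subnet_of(dst) for src, dst in nonat):
            problems.append(f"nonat does not exempt {net} -> {pool}")
    return problems

if __name__ == "__main__":
    print(audit_pool(ORIGINAL_NONAT, "10.1.100.0/24"))   # overlap with 10.0.0.0/8
    print(audit_pool(FIXED_NONAT, "192.168.100.0/24"))   # []
```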