New Member

Remote Access VPN + gateway through pix = Deny inbound (No xlate) [HELP]

I am trying to set up my first VPN.

I want to make a remote access VPN where remote clients on the road can VPN into a Pix and remote gateway through the PIX out to the Internet.

remote PC <-> VPN through Internet->PIX<-Pix Lan and access outside Internet access <->

My PIX configuration below allows remote access clients using Windows 2000 and the 2000 VPN software in Win 2000 to remotely connect up to my PIX. The remote VPN client sees everything on the inside of my PIX Lan. The remote VPN client however can't remote gateway out of my pix to the Internet.

When they try, I get logs showing:

106011: Deny inbound (No xlate) tcp src outside:192.168.1.1/2286 dst outside:207.46.104.20/80

Can somebody show me what I need to do so that a remote access client can VPN into my PIX and then have the ability to get out to the Internet as if they were directly on a PC on my PIX Lan?

Thank you in advance

Tom Jones

Below is my current PIX configuration:

********************************
NOTES:
PIX-501 Cisco PIX Firewall Version 6.1(1)
* IP information 10.10.10.x = Outside Internet real IP addresses
* IP information 192.168.77.x = Pix inside LAN
* IP information 192.168.1.x = what remote-access clients get when they connect
* I am using only local authentication at this time
*
********************************

PIX# show config
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable xxxxxxxxxxxxxxxx xxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname PIXTEST
domain-name pixtest.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit tcp any host 10.10.10.83 eq www
access-list acl_out permit icmp any any
access-list acl_out permit udp any host 10.10.10.82 eq tftp
access-list acl_vpn permit ip any any
access-list 101 permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered informational
logging trap debugging
logging history debugging
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.94 255.255.255.248
ip address inside 192.168.77.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.1.1-192.168.1.254
pdm history enable
arp timeout 14401
global (outside) 1 interface
nat (inside) 0 access-list 101
! - - Note I have tried changing nat (inside) 1
nat (inside) 1 192.168.77.0 255.255.255.0 75 75
static (inside,outside) 10.10.10.83 192.168.77.245 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.10.82 192.168.77.254 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.93 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server disable
http 192.168.77.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local bigpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000-all address-pool bigpool
vpngroup vpn3000-all dns-server 192.168.77.245
vpngroup vpn3000-all default-domain pixtest.com
vpngroup vpn3000-all idle-time 1800
vpngroup vpn3000-all password ********
telnet 192.168.77.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local bigpool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username remoteuser password remotepassword
vpdn enable outside
dhcpd address 192.168.77.10-192.168.77.20 inside
dhcpd dns 192.168.77.245
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain pixtest.com
dhcpd enable inside
terminal width 80
Cryptochecksum:85eec5ada264eb9f0bd39215324f09ea
PIX#

2 REPLIES
Cisco Employee

Re: Remote Access VPN + gateway through pix = Deny inbound (No x

Hi,

This is not possible with the Pix. PIX will never send a packet out of the same interface from where it received it.

You can enable Split Tunneling for the group connecting using Cisco VPN Client and this will allow the users to access the lan behind the Pix and also access the internet.

Regards,

Arul
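As an added illustration of the split tunneling Arul suggests (example configuration written for this thread, not taken from the original posts or from Cisco documentation), using the networks already present in Tom's posted config: the split-tunnel access list names only the inside LAN, so the Cisco VPN Client sends that traffic through the tunnel and routes everything else, Internet traffic included, directly out its own local interface. The PIX then never has to send a client's packet back out the same outside interface it arrived on, which is exactly the path the 106011 "Deny inbound (No xlate)" message was refusing. The access-list name split_tunnel is an assumption; vpngroup vpn3000-all and the address ranges come from the posted config.

```cisco
! Added example, not part of the original thread.
! Assumes the ACL name split_tunnel; vpn3000-all, 192.168.77.0/24 (inside LAN)
! and 192.168.1.0/24 (client pool bigpool) are the values from the posted config.
!
! Only traffic between the inside LAN and the client pool is tunneled.
! The list is written from the protected network toward the VPN pool,
! which is the direction the vpngroup split-tunnel command expects.
access-list split_tunnel permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! Hand the list to the group; the Cisco VPN Client installs it as its
! tunnel policy at connect time, so everything not matched goes out the
! client's own Internet connection instead of through the PIX.
vpngroup vpn3000-all split-tunnel split_tunnel
```

The existing nat (inside) 0 access-list 101 line already exempts LAN-to-pool traffic from translation, so it stays unchanged. This policy is pushed only to clients that connect with the vpngroup (the Cisco VPN Client over IPsec); the Windows 2000 built-in PPTP client configured under vpdn group 1 receives no such policy from the PIX, and its equivalent is a client-side routing setting. Note also what split tunneling changes from a risk standpoint: while connected, the remote PC is reachable from the Internet and from the inside LAN at the same time, so the client's own host firewall and patch level become part of the LAN's perimeter.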

New Member

Re: Remote Access VPN + gateway through pix = Deny inbound (No x

Errrrr... What a big setback for me...... re:

"...PIX will never send a packet out of the same interface from where it received it..."

Does anybody know if a Cisco 2600 class router with NAT enabled will allow a remote access VPN connection where the remote VPN user may gateway out to the Internet through the IOS router (and follow other routes in the 2600)?

I think I may have made a small $$$ mistake thinking the Cisco PIX would handle my VPN needs.

errr Tom Jones
