Troubleshooting VPN Remote Access on PIX as PPPoE client
Hello, my customer has a PIX 506E set up to terminate remote access VPN sessions and is also set up as a PPPoE client for an ADSL network. I am able to establish a VPN session and receive an IP address from the client pool. At this point, I start a ping from my remote client to an address inside the PIX. When running a "debug icmp trace" on the PIX, I can see the echo-requests originating from my client, but the echo-replies do not make it back to my client address. Instead, they are being sent to a 67.x.x.x address that I suspect is the PPPoE server.
I am at a loss on how to get the VPN traffic moving in both directions through the tunnel.
Here's the PIX config:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list outside_cryptomap_dyn_20 permit ip 192.168.252.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 192.168.253.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit icmp any any echo-reply
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1492
mtu inside 1492
ip address outside pppoe setroute
ip address inside 192.168.253.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool i-pool 192.168.252.1-192.168.252.254
Re: Troubleshooting VPN Remote Access on PIX as PPPoE client
One thing I noticed is that you have applied an access-list to your outside interface which permits traffic from 192.168.x.x - not sure if you want to do that. Also, to make the config a bit clearer, you should have 2 ACLs (one for defining VPN network parameters and one for the interface access alone... I also tend to create one for NAT as well if needed.)
Lastly, I assume that the clients are all set up to route traffic to 192.168.253.254. This would be a big problem if the default route is set to another network device, since the PIX cannot send it back properly to the VPN client if it never receives the packet. All in all, it appears that the source of your problem may be with the client network's ability to recognize the 192.168.252.0/24 subnet.
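As an added illustration (not from either poster), here is how the reply's suggestion of one ACL per job could look in PIX 6.3 syntax, using the subnets from the posted config. The ACL names, the dynamic-map name outside_dyn_map, and the assumption that a NAT exemption and an outside access-group are the pieces missing from the truncated config are mine; the rest of the crypto and isakmp configuration is left unchanged and not shown.

```cisco
! Replace the single outside_cryptomap_dyn_20 ACL with three ACLs, each with one job.
!
! 1. Interesting traffic for the dynamic crypto map: inside LAN <-> VPN client pool.
!    Written from the inside network's point of view; the PIX matches the reverse direction itself.
access-list vpn_traffic permit ip 192.168.253.0 255.255.255.0 192.168.252.0 255.255.255.0
!
! 2. NAT exemption (assumed missing): traffic to the client pool must not be translated
!    to the PPPoE address, or the replies leave via the default route instead of the tunnel.
access-list nonat permit ip 192.168.253.0 255.255.255.0 192.168.252.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! 3. Interface ACL for the outside interface: only what must arrive unencrypted from the
!    Internet. Keeping echo-reply here only matters for pings sourced from the PIX itself.
access-list outside_in permit icmp any any echo-reply
access-group outside_in in interface outside
!
! Let decrypted IPsec traffic bypass the outside interface ACL (PIX 6.x behaviour).
sysopt connection permit-ipsec
!
! Bind the interesting-traffic ACL to the existing dynamic map entry (name assumed).
crypto dynamic-map outside_dyn_map 20 match address vpn_traffic
```

After applying this, "show xlate" should show no translation for 192.168.252.x destinations, and "debug icmp trace" should show the echo-reply going back to the client pool address rather than to the 67.x.x.x peer.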