Unable to access the remote Host

Below is my client's PIX configuration. The problem here is: whenever he uses the Cisco VPN dialer, he is able to connect to the VPN, but unable to access any host on the remote location. But with the same VPN dialer and the same VPN .pcf file, when he is using a broadband connection which doesn't route through this PIX (or is not behind the PIX), it works fine. One more thing I noticed is that only when I give a static NAT is he able to access the PC on the remote end, and not through a global NAT, when the PC is behind the PIX.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxx encrypted
enable password xxx encrypted
passwd ta.qizy4R//ChqQH encrypted
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 110 permit ip any any
access-list 120 permit icmp any any
access-list 120 permit esp any any
logging console warnings
logging monitor warnings
logging buffered notifications
logging trap debugging
logging queue 0
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.x 255.255.255.240
ip address inside 192.168.0.1 255.255.0.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool homeuser_vpn 192.168.1.1-192.168.1.254
pdm location 192.168.0.80 255.255.255.255 inside
pdm location 192.168.0.207 255.255.255.255 inside
pdm location 0.0.0.0 0.0.0.0 outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.66
nat (inside) 0 access-list 123nonat
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
static (inside,outside) x.x.x.70 192.168.3.1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.76 192.168.3.2 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.77 192.168.3.3 netmask 255.255.255.255 0 0
access-group 120 in interface outside
access-group 110 in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
ntp server x.x.x.x source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.207 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.197 255.255.255.255 inside
telnet 192.168.0.80 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username admin password xxxx encrypted privilege 15
username admin1 password xxx encrypted privilege 2
terminal width 80
Cryptochecksum:xxx
: end
123#

2 ACCEPTED SOLUTIONS

Accepted Solutions

Re: Unable to access the remote Host

Anand,

I would double check to make sure the N-NAT has something like:-

"access-list 123nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0"

And enable NAT-T - as it could be his home device does not understand/support IPSEC PassThru:-

"isakmp nat-traversal 20"

And add:-

"access-list 120 permit udp any any eq 4500"

HTH.

Green

Re: Unable to access the remote Host

Like others have said, nat-traversal must be enabled on the remote vpn device to support ipsec w/ pat. If not you must have a static nat for the inside vpn client inside the pix.

21 REPLIES

Re: Unable to access the remote Host

Thanks for the reply, but this option doesn't work for me. Can you give me any other suggestions?

Re: Unable to access the remote Host

which option no-nat, NAT-T or both?

Re: Unable to access the remote Host

I tried both the options together & individually also. I still face the same issue.

Re: Unable to access the remote Host

Can you post the full config please? Sanitized - remove passwords, external IP addresses etc.

Re: Unable to access the remote Host

Find the exact configuration of the firewall attached.

Re: Unable to access the remote Host

Your split-tunnel ACL is very confusing - and could be made simpler, I would try:-

access-list VPN_split_tunnnel permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

vpngroup remotestaff split-tunnel VPN_split_tunnnel

You also need to make sure that any layer 3 devices know where the Remote VPN IP subnet is, so a static route pointing back to firewall will be required - if you don't already have it.

HTH.

Re: Unable to access the remote Host

Actually the user sitting behind this firewall will connect to the remote office VPN concentrator and then he should access the remote host, which is not happening. So I don't think the configuration present in this firewall, related to the one which you highlighted, will help. Correct me if I am wrong.

Re: Unable to access the remote Host

Sorry I am confused - the person that cannot access the remote host, is not using the VPN configuration in this posting?

He is actually sitting behind the firewall (which is the config posted here) and trying to access a remote VPN device, and the remote network?

Re: Unable to access the remote Host

All users are behind this firewall; anyone accessing the internet has to hit this firewall and then go out. So the user sitting behind this firewall has to access a remote host, so he connects to the remote peer with the VPN dialer (the remote peer is nothing but the VPN concentrator). He is unable to access the remote host LAN IP only when he is behind this firewall; otherwise he is able to access it when he is not routing through this firewall.

Re: Unable to access the remote Host

What are the debugs from this firewall and the remote device when the user connects?

This sounds like the issue is actually at the other end.

Re: Unable to access the remote Host

The same .pcf file works when he is out of the office, i.e. if he is connecting from home it works, but not when he is in the office, even though I have given any-any access to the internet. But remember, he is able to work when a static NAT is given to his PC.

In debugging I am not finding anything relevant.

Re: Unable to access the remote Host

Is NAT-T enabled at the remote end?

Re: Unable to access the remote Host

I have no idea about the remote end device, but other users are able to access it from different locations; this happens only at this location and with the firewall configuration which I have pasted.

Re: Unable to access the remote Host

Hey,

Thanks, it worked when I enabled NAT-Traversal on the remote end firewall device. But I still can't understand why it was able to allow it only when the user had a static NAT configured and not with dynamic NAT. Anyhow, thanks once again.

Re: Unable to access the remote Host

Well after recommending that you enable NAT-T so many times in this thread, you really need to read the RFC:-

http://www.faqs.org/rfcs/rfc3947.html

Re: Unable to access the remote Host

Thanks for the documentation you provided. The reason I kept threading was because it only happened to this client and not to others, even though NAT-T was not enabled on the remote VPN device. Finally I was able to find some related documents on the internet, and your document made it clearer to me.
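The behaviour the thread turns on (static NAT works, dynamic PAT fails, enabling NAT-T on the remote end fixes it) in a toy port-translation model, covering both the accepted answer and the OP's remaining "why" question above. This is an added illustration, not Cisco code or anything posted in this thread; the PixNat and Packet classes, the peer address 203.0.113.1 and the static x.x.x.99 are constructed assumptions.

```python
# Toy model of why an IPsec client behind this PIX works with a static NAT or
# NAT-T but not with dynamic PAT. Added illustration; classes are assumptions.
from dataclasses import dataclass, replace
from typing import Optional

ESP, UDP = 50, 17      # IP protocol numbers
NAT_T_PORT = 4500      # RFC 3947/3948: ESP carried inside UDP/4500

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # ESP has no transport ports
    dport: Optional[int] = None

class PixNat:
    """Port-based PAT ('global (outside) 1' + 'nat (inside) 1') plus 1:1 statics."""
    def __init__(self, global_ip):
        self.global_ip = global_ip
        self.statics = {}      # private -> public (static (inside,outside) pub priv)
        self.xlate = {}        # (proto, src, sport) -> translated source port
        self.next_port = 1024

    def add_static(self, public, private):
        self.statics[private] = public

    def translate(self, pkt):
        if pkt.src in self.statics:          # 1:1 NAT rewrites only the address
            return replace(pkt, src=self.statics[pkt.src])
        if pkt.sport is None:                # raw ESP: no port to key an xlate on
            return None                      # so dynamic PAT cannot carry it
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.xlate:
            self.xlate[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=self.global_ip, sport=self.xlate[key])

def nat_t(pkt):
    """Wrap ESP in UDP/4500 as NAT-T does, giving PAT ports to translate."""
    return replace(pkt, proto=UDP, sport=NAT_T_PORT, dport=NAT_T_PORT)

def demo():
    pix = PixNat("x.x.x.66")                                 # global from the config
    esp = Packet(ESP, "192.168.0.80", "203.0.113.1")         # constructed VPN peer
    result = {"pat_esp": pix.translate(esp),                 # None: PAT fails
              "pat_natt": pix.translate(nat_t(esp))}         # UDP/4500 translates
    pix.add_static("x.x.x.99", "192.168.0.80")               # constructed static
    result["static_esp"] = pix.translate(esp)                # 1:1 NAT: ESP passes
    return result
```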
