05-10-2008 06:26 AM - edited 03-09-2019 08:41 PM
Below is my client's PIX configuration. The problem here is: whenever he uses a Cisco VPN dialer, he is able to connect to the VPN, but unable to access any host at the remote location; but with the same VPN dialer and the same VPN PCF file, when he is using a broadband connection which doesn't route through this PIX (or is not behind the PIX), it works fine. One more thing I noticed is that only when I give a static NAT is it able to access the PC at the remote end, and not through a GLOBAL NAT, when the PC is behind the PIX.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxx encrypted
enable password xxx encrypted
passwd ta.qizy4R//ChqQH encrypted
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 110 permit ip any any
access-list 120 permit icmp any any
access-list 120 permit esp any any
logging console warnings
logging monitor warnings
logging buffered notifications
logging trap debugging
logging queue 0
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.x 255.255.255.240
ip address inside 192.168.0.1 255.255.0.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool homeuser_vpn 192.168.1.1-192.168.1.254
pdm location 192.168.0.80 255.255.255.255 inside
pdm location 192.168.0.207 255.255.255.255 inside
pdm location 0.0.0.0 0.0.0.0 outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.66
nat (inside) 0 access-list 123nonat
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
static (inside,outside) x.x.x.70 192.168.3.1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.76 192.168.3.2 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.77 192.168.3.3 netmask 255.255.255.255 0 0
access-group 120 in interface outside
access-group 110 in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
ntp server x.x.x.x source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.207 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.197 255.255.255.255 inside
telnet 192.168.0.80 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username admin password xxxx encrypted privilege 15
username admin1 password xxx encrypted privilege 2
terminal width 80
Cryptochecksum:xxx
: end
123#
05-12-2008 12:43 AM
Anand,
I would double check to make sure the N-NAT has something like:-
"access-list 123nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0"
And enable NAT-T - as it could be his home device does not understand/support IPSEC PassThru:-
"isakmp nat-traversal 20"
And add:-
"access-list 120 permit udp any any eq 4500"
HTH.
05-15-2008 08:59 AM
Like others have said, nat-traversal must be enabled on the remote vpn device to support ipsec w/ pat. If not you must have a static nat for the inside vpn client inside the pix.
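The two replies above boil down to a handful of checks against the posted config: is the ACL named in `nat (inside) 0` actually defined, does the outside ACL let ESP and NAT-T (UDP/4500) back in, and is the VPN client 1:1 translated by a `static` or hidden behind the PAT `global`, where ESP has no port for the PIX to track. The script below is an added example, not code from the thread or from Cisco: it parses the relevant lines of a PIX 6.x running-config and reports those findings for a given inside host, plus the management exposure visible in the config (`http`/`ssh` from `0.0.0.0` on outside). The sample config is a constructed excerpt of the one posted above; the function names and the "client IP" argument are my own.

```python
import re

# Constructed sample: the NAT, ACL and management lines from the PIX 6.3
# config posted above (the rest of the config does not affect these checks).
SAMPLE_CONFIG = """\
access-list 110 permit ip any any
access-list 120 permit icmp any any
access-list 120 permit esp any any
global (outside) 1 x.x.x.66
nat (inside) 0 access-list 123nonat
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
static (inside,outside) x.x.x.70 192.168.3.1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.76 192.168.3.2 netmask 255.255.255.255 0 0
access-group 120 in interface outside
access-group 110 in interface inside
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
"""


def parse_config(text):
    """Index the NAT, ACL and management lines of a PIX 6.x config."""
    cfg = {"acls": {}, "nat0_acl": None, "statics": {},
           "outside_acl": None, "mgmt_from_any_outside": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"access-list (\S+) (permit|deny) (\S+)\s*(.*)", line)):
            # ACL name -> list of (action, protocol, remainder of the line)
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif (m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line)):
            cfg["nat0_acl"] = m[1]
        elif (m := re.match(r"static \(\S+,\S+\) (\S+) (\S+) netmask", line)):
            cfg["statics"][m[2]] = m[1]  # real (inside) address -> mapped address
        elif (m := re.match(r"access-group (\S+) in interface outside", line)):
            cfg["outside_acl"] = m[1]
        elif (m := re.match(r"(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 outside", line)):
            cfg["mgmt_from_any_outside"].append(m[1])
    return cfg


def acl_permits(entries, proto, port=None):
    """True if some permit entry covers proto (and port, when one is given).

    'ip' matches every protocol; an entry without 'eq' matches every port.
    Source/destination addresses are not evaluated: this is a coarse check.
    """
    for action, p, rest in entries:
        if action != "permit" or p not in (proto, "ip"):
            continue
        if port is None or "eq" not in rest or f"eq {port}" in rest:
            return True
    return False


def audit(text, client_ip):
    """Return the findings a reviewer of this thread would raise for one inside host."""
    cfg = parse_config(text)
    findings = []
    # 1. nat 0 names an ACL; if that ACL is never defined, nothing is exempted from NAT.
    if cfg["nat0_acl"] and cfg["nat0_acl"] not in cfg["acls"]:
        findings.append(f"nat 0 references ACL {cfg['nat0_acl']} which is not defined")
    # 2. The outside ACL must let ESP and NAT-T (UDP/4500) in.
    outside = cfg["acls"].get(cfg["outside_acl"], [])
    if not acl_permits(outside, "esp"):
        findings.append("outside ACL does not permit esp")
    if not acl_permits(outside, "udp", 4500):
        findings.append("outside ACL does not permit udp/4500 (NAT-T)")
    # 3. Without a static the client leaves via PAT; ESP carries no port to PAT on.
    if client_ip not in cfg["statics"]:
        findings.append(f"{client_ip} has no static and leaves via PAT; "
                        "ESP cannot be port-translated without NAT-T")
    # 4. Management exposure visible in the posted config.
    for svc in cfg["mgmt_from_any_outside"]:
        findings.append(f"{svc} management is open from any address on outside")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, "192.168.0.80"):
        print("-", line)
```

Run against the constructed excerpt for a host with no `static` (here 192.168.0.80), the audit reports the undefined `123nonat` ACL, the missing UDP/4500 permit, the PAT-only translation and the two open management services; for 192.168.3.1, which has a `static`, the PAT finding disappears. Appending the two lines the first reply suggests (the `123nonat` ACL and the UDP/4500 permit) clears the first two findings.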
05-12-2008 06:35 PM
Thanks for the reply, but this option doesn't work for me. Can you give me any other suggestions?
05-13-2008 12:30 AM
Which option: no-NAT, NAT-T or both?
05-13-2008 05:04 AM
I tried both the options, together and individually. I still face the same issue.
05-13-2008 06:16 AM
Can you post the full config please? Sanitized: remove passwords, external IP addresses, etc.
05-13-2008 03:56 PM
05-14-2008 12:25 AM
Your split-tunnel ACL is very confusing and could be made simpler. I would try:-
access-list VPN_split_tunnel permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
vpngroup remotestaff split-tunnel VPN_split_tunnel
You also need to make sure that any layer 3 devices know where the remote VPN IP subnet is, so a static route pointing back to the firewall will be required, if you don't already have it.
HTH.
05-14-2008 05:06 AM
Actually the user sitting behind this firewall will connect to the remote office VPN concentrator and then he should access the remote host, which is not happening. So I don't think the configuration present in this firewall, related to the one you highlighted, will help. Correct me if I am wrong.
05-14-2008 05:18 AM
Sorry, I am confused. The person that cannot access the remote host is not using the VPN configuration in this posting?
He is actually sitting behind the firewall (whose config is posted here) and trying to access a remote VPN device, and the remote network?
05-14-2008 05:53 PM
All users are behind this firewall; anyone accessing the internet has to hit this firewall and then go out. So the user sitting behind this firewall has to access a remote host, so he connects to the remote peer with the VPN dialer (the remote peer is nothing but the VPN concentrator). He is unable to access the remote host's LAN IP only when he is behind this firewall; otherwise he is able to access it when he is not routing through this firewall.
05-15-2008 12:46 AM
What are the debugs from this firewall and the remote device when the user connects?
This sounds like the issue is actually at the other end.