11-16-2007 07:52 AM - edited 03-09-2019 07:24 PM
I have configured an IPSec remote access VPN connection and I'm successfully able to establish the tunnel, but I cannot get to any of my LAN internal
resources. I'm able to ping the PIX's internal interface (192.168.10.1) and even telnet to it from the VPN client. Once logged into the PIX I'm able to ping all
192.168.10.0 /24 internal resources from the inside interface, but it won't work from the VPN client (192.168.20.0 /24).
Here's the scenario:
INTERNET---->1800SERIES--->PIX515e-->LAN(192.168.50.0 /24)
1800 SERIES 201.190.x.9 /30
PIX515e 201.190.x.10 /30
Below is a cleaned-up running-config, mostly the VPN statements, for ease of reading....
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password T5Gug97KpLnrmPci encrypted
passwd NHrPq0iSfkVBUBUb encrypted
hostname PIX515e
domain-name tecmant.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
!!! ACL for split tunneling
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
!!! ACL for interesting traffic
access-list 102 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 102 permit icmp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 echo
access-list 102 permit icmp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 201.190.X.10 255.255.255.252
ip address inside 192.168.10.1 255.255.255.0
ip address DMZ 172.16.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
!!! Pool of addresses to be assigned to Remote clients
ip local pool VPNPOOL 192.168.20.0-192.168.20.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 192.168.10.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 201.190.X.9 1
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.254 255.255.255.255 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
!!! Let decrypted IPsec traffic bypass the interface ACLs
sysopt connection permit-ipsec
!!! IKE phase 2 negotiation
crypto ipsec transform-set TECMANT-VPN esp-3des esp-sha-hmac
crypto dynamic-map VPN-MAP 10 set transform-set TECMANT-VPN
crypto map STATIC-VPN-MAP 10 ipsec-isakmp dynamic VPN-MAP
crypto map STATIC-VPN-MAP interface outside
!!! Enable ISAKMP on the outside interface
isakmp enable outside
isakmp identity address
!!! IKE phase 1 (ISAKMP) policy
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!!! VPN group policies
vpngroup VPN-TECMANT address-pool VPNPOOL
vpngroup VPN-TECMANT dns-server 192.168.10.2
vpngroup VPN-TECMANT split-tunnel 101
vpngroup VPN-TECMANT idle-time 1800
vpngroup VPN-TECMANT password ********
telnet timeout 5
ssh 192.168.10.1 255.255.255.255 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
!!! DHCP server enable for internal clients
dhcpd address 192.168.10.10-192.168.10.99 inside
dhcpd dns 200.91.75.5 196.40.31.66
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:8c64136e5261c33e7c9f19d288e40deb
: end
11-16-2007 09:14 AM
You need NAT 0 configuration to bypass NAT for vpn clients.
nat (inside) 0 access-list 110
access-list 110 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
This should solve your IP Reachability issue from the VPN Clients.
Also, I am curious to know why you have this statement in the configuration.
nat (outside) 1 192.168.10.0 255.255.255.0 0 0
Regards,
Arul
* Please rate helpful posts *
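To show why the nat 0 exemption matters, here is an added example (not part of the thread, not Cisco code): a small Python model of how a PIX 6.3 picks a translation for a flow leaving the inside interface. It parses only the nat and access-list lines, applies the rule that a nat 0 access-list exemption is evaluated before the numbered nat statements, and reports what happens to a reply from a LAN host to a VPN client. The config snippets are constructed from the posted lines; the 192.168.10.50 host, the 192.168.20.5 client and 8.8.8.8 are placeholder addresses.

```python
"""Model of PIX 6.3 NAT selection for traffic leaving the inside interface.

Added example for this thread; it is not the PIX implementation.  It parses
the nat / access-list lines of a config and decides whether a flow is NAT
exempt (nat 0 access-list match) or gets PATed to the outside interface.
Without the exemption, the LAN host's reply to the VPN client is translated
before the crypto map sees it, so it no longer matches the tunnel's proxy
identities and leaves the outside interface in the clear.
"""
import ipaddress
import re

# Constructed excerpt of the original posted config (no exemption).
CONFIG_BEFORE = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# Same excerpt plus the fix suggested in the answer above.
CONFIG_AFTER = CONFIG_BEFORE + """
access-list 110 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list 110
"""

# PIX 6.3 ACLs use subnet masks (not wildcard masks) after each address.
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
# nat (ifname) id access-list NAME   or   nat (ifname) id LOCAL MASK ...
NAT_RE = re.compile(
    r"nat\s+\((\S+)\)\s+(\d+)\s+(?:access-list\s+(\S+)|(\S+)\s+(\S+))")


def net(addr, mask):
    """Build a network from a PIX address/subnet-mask pair (0.0.0.0 0.0.0.0 = any)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return (acls, nats): ACL name -> entries, and nat statements in config order."""
    acls = {}   # name -> [(action, proto, src_net, dst_net), ...]
    nats = []   # [(ifname, nat_id, acl_name_or_None, local_net_or_None), ...]
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, proto, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (action, proto, net(src, smask), net(dst, dmask)))
            continue
        m = NAT_RE.match(line)
        if m:
            ifname, nat_id, acl_name, local, lmask = m.groups()
            nats.append((ifname, int(nat_id), acl_name,
                         net(local, lmask) if local else None))
    return acls, nats


def nat_decision(acls, nats, ifname, src, dst):
    """Classify a flow entering the PIX on ifname as exempt / identity / pat / no-nat."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption (nat 0 access-list) is checked before every numbered nat.
    for nif, nat_id, acl_name, _ in nats:
        if nif == ifname and nat_id == 0 and acl_name:
            for action, _proto, snet, dnet in acls.get(acl_name, []):
                if action == "permit" and src in snet and dst in dnet:
                    return "exempt"          # real source address is kept
    # 2. nat 0 without an ACL is identity NAT for the listed local network.
    for nif, nat_id, acl_name, local in nats:
        if nif == ifname and nat_id == 0 and local is not None and src in local:
            return "identity"
    # 3. Numbered nat statements, first match in config order, paired with global N.
    for nif, nat_id, _acl_name, local in nats:
        if nif == ifname and nat_id != 0 and local is not None and src in local:
            return f"pat:global-{nat_id}"   # source rewritten to the global pool
    return "no-nat"


def reachable_from_vpn(config_text, lan_host, vpn_client):
    """True if a reply from lan_host to vpn_client keeps its real source (tunnel can carry it)."""
    acls, nats = parse_config(config_text)
    return nat_decision(acls, nats, "inside", lan_host, vpn_client) in ("exempt", "identity")


if __name__ == "__main__":
    for label, cfg in (("before fix", CONFIG_BEFORE), ("after fix", CONFIG_AFTER)):
        acls, nats = parse_config(cfg)
        print(label, "LAN->VPN client:",
              nat_decision(acls, nats, "inside", "192.168.10.50", "192.168.20.5"),
              "| LAN->Internet:",
              nat_decision(acls, nats, "inside", "192.168.10.50", "8.8.8.8"))
```

Running it shows the LAN-to-client flow as `pat:global-1` before the fix and `exempt` after it, while LAN-to-Internet traffic is still PATed in both cases; that is the behaviour the answer's two lines are meant to produce, and the same check can be run against the split-tunnel and interesting-traffic ACLs to confirm all three agree on the 192.168.10.0/24 to 192.168.20.0/24 pair.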
11-16-2007 04:47 PM
Thx a bunch!! Working just fine....
BTW...
about the nat (outside) 1 192.168.10.0 255.255.255.0 0 0 statement... that's a typo.. I forgot to exclude that from the running-config I posted...
11-18-2007 08:08 AM
Thanks for the update and rating.
Regards,
Arul