Re: VPN Client 3.5 Not Able to Access LAN !!!

tauseef · ‎06-09-2003

Hi,

I have a Pix 515 which is Connected to a branch office Pix and the PIX to PIX VPN is working fine without any Errors / Issues.

I am now Configuring a Client 3.5 VPN to Get Connected to access the LAN.

The Client Can Log into the PIX , and Get an IP address from the Local IP Pool.

But the Client is NOT ABLE TO PING any IP address on the LAN.

Any Clues where I could be Wrong .....

sh conf

: Saved

:

PIX Version 6.1(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password ***

passwd *** encrypted

hostname moti-firewall

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 110 permit ip 128.0.2.0 255.255.255.0 129.0.2.0 255.255.255.0

access-list 110 permit ip 128.0.2.0 255.255.255.0 130.0.2.0 255.255.255.0

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside X.X.X.178 255.255.255.240

ip address inside 128.0.2.100 255.255.0.0

ip address dmz 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

ip local pool mypool 130.0.2.1-130.0.2.50

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address dmz 0.0.0.0

pdm history enable

arp timeout 14400

global (outside) 1 X.X.X.179

nat (inside) 0 access-list 110

nat (inside) 1 128.0.2.0 255.255.255.0 0 0

nat (inside) 1 128.0.0.0 255.255.0.0 0 0

nat (inside) 1 128.0.0.0 255.0.0.0 0 0

static (inside,outside) X.X.X.180 128.0.2.5 netmask 255.255.255.255 0 0

conduit permit icmp any any

conduit permit tcp host X.X.X.180 eq smtp any

conduit permit tcp host X.X.X.180 eq domain any

conduit permit tcp host X.X.X.180 eq www any

route outside 0.0.0.0 0.0.0.0 X.X.X.177 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map transam 1 ipsec-isakmp

crypto map transam 1 match address 110

crypto map transam 1 set peer Y.Y.Y.106

crypto map transam 1 set transform-set myset

crypto map transam 20 ipsec-isakmp dynamic dynmap

crypto map transam interface outside

isakmp enable outside

isakmp key ******** address Y.Y.Y.106 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup motiuae address-pool mypool

vpngroup motiuae dns-server 128.0.2.7

vpngroup motiuae wins-server 128.0.2.7

vpngroup motiuae idle-time 1800

vpngroup motiuae password ********

telnet 128.0.0.0 255.255.0.0 inside

telnet 128.0.0.0 255.255.0.0 dmz

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:18ae397f9b63fb97f3dad62897604ee4

moti-firewall#

Thanx in Advance.

Tauseef

gfullage · ‎06-09-2003

You've told the PIX that the traffic to encrypt and send over the L2L tunnel matches access-list 110. ACL 110 has traffic from your local subnet going to the VPN pool of addresses for the clients (2nd line). When a client connects and pings, their ping packet will reach the internal host and be replied to. When the reply hits the PIX, it'll go through the crypto map entries starting from the top down. The first crypto map section is the L2L tunnel (transam 1) which tells the PIX to send this traffic over it, therefore the reply gets sent over the L2L tunnel rather than sent back to the client.

You need to separate your L2L ACL and your NAT 0 ACL, so do this:

> access-list 100 permit ip 128.0.2.0 255.255.255.0 129.0.2.0 255.255.255.0

> crypto map transam 1 match address 100

This will leave your nat 0 ACL intact, but change your L2L crypto map ACL to only specify the L2L traffic, rather than the client traffic also.

tauseef · ‎06-10-2003

Hi ,

Thanx for the Input , but Alas its ending up the same result.

The VPN Client 3.5 Gets Authenticated , Gets An IP Address , But does not ping any Workstation /Server within the LAN .

The Updated Config is as follows :-