VPN client to PIX.......Cannot access inside hosts
I have a Cisco PIX 515 running 6.1(4) acting as a VPN server. Tunnel comes up fine, VPN client (3.5) receives an IP address from the pool. After that I cannot access any machines from the client to the inside network.
I ran a packet analyzer on the inside and saw ping packets hitting the inside servers from the client, and these servers are sending these packets back. I also ran an ICMP trace on the inside interface of the PIX and saw returning ICMP packets. Somehow these packets are blocked by the PIX.
IPSEC and ISAKMP debugs show decrypted packets and the VPN client shows encrypted packets. Somehow packets are not getting encrypted and are not coming back to the VPN client.
Here is a copy of my configuration
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password A2J7TJNJsnIJJ74R encrypted
passwd A2J7TJNJsnIJJ74R encrypted
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list 100 permit tcp any host xxx.xxx.67.124 eq 32970
access-list 100 permit tcp any host xxx.xxx.67.123 eq 32970
access-list 100 permit tcp any host xxx.xxx.67.123 eq sqlnet
access-list 100 permit tcp any host xxx.xxx.67.122 eq 32970
access-list 100 permit tcp any host xxx.xxx.67.122 eq www
access-list 100 permit tcp any host xxx.xxx.67.122 eq 5905
access-list 100 permit tcp any host xxx.xxx.67.124 eq www
access-list 111 permit ip 172.20.20.0 255.255.255.0 172.20.10.0 255.255.255.0
access-list 200 permit ip 172.20.10.0 255.255.255.0 172.20.0.0 255.255.0.0
Re: VPN client to PIX.......Cannot access inside hosts
I could not find a route inside command in the PIX configuration provided by you. Considering that you are using a 515, I am assuming that your network is reasonably large and there is probably a router behind the PIX (on the inside). If that indeed is true, inserting the missing route commands to the inside networks might solve your problem.
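The reply above points at a missing route command for the inside networks. The script below is an added example (not code from the thread or from Cisco) that audits a PIX 6.x configuration for exactly that: every network named in a permit-ip access-list is checked against the directly connected interface networks, the static route commands and the VPN address pool, and anything left over is a candidate for a missing route. The sample configuration reuses the two access-lists posted above; the ip address inside line and the ip local pool line are assumptions, since the posted excerpt does not show them.

```python
import ipaddress
import re

# Constructed sample config: the two permit-ip access-lists from the thread,
# plus ASSUMED "ip address inside" and "ip local pool" lines that the posted
# excerpt does not show. Replace these with the real values before use.
SAMPLE_CONFIG = """\
nameif ethernet1 inside security100
ip address inside 172.20.10.1 255.255.255.0
ip local pool vpnpool 172.20.20.1-172.20.20.254
access-list 111 permit ip 172.20.20.0 255.255.255.0 172.20.10.0 255.255.255.0
access-list 200 permit ip 172.20.10.0 255.255.255.0 172.20.0.0 255.255.0.0
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
ADDR_RE = re.compile(r"^ip address \S+ (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)$")
ROUTE_RE = re.compile(r"^route \S+ (\S+) (\S+) ")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def covering_net(first, last):
    """Smallest prefix that contains the whole first-last pool range."""
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for plen in range(32, -1, -1):
        n = ipaddress.ip_network(f"{first}/{plen}", strict=False)
        if last in n:
            return n

def unrouted_acl_networks(config):
    """Networks named in permit-ip ACLs that are neither directly connected,
    covered by a static route, nor part of a VPN pool: each one is a
    candidate for a missing 'route inside' (or similar) command."""
    known, referenced = [], []
    for line in config.splitlines():
        line = line.strip()
        if m := ADDR_RE.match(line):      # directly connected interface net
            known.append(net(*m.groups()))
        elif m := ROUTE_RE.match(line):   # static route destination
            known.append(net(*m.groups()))
        elif m := POOL_RE.match(line):    # VPN client pool, reached via tunnel
            known.append(covering_net(*m.groups()))
        elif m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            referenced += [(name, net(sa, sm)), (name, net(da, dm))]
    return sorted({(name, str(n)) for name, n in referenced
                   if not any(n.subnet_of(k) for k in known)})

if __name__ == "__main__":
    for name, n in unrouted_acl_networks(SAMPLE_CONFIG):
        print(f"access-list {name} references {n} but the PIX has no route to it")
```

On the sample this flags 172.20.0.0/16 from access-list 200, and the finding disappears once a route inside for that network is added to the configuration.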