Re: VPN OK! Ping OK! Inside access out NOT!

Snwstrm69 · ‎03-17-2006

Hi!

I have a Cisco PIX 501 firewall that I have problems setting up. No hosts on the inside can access the outside in any way. My old firewall didn't allow VPN and strangely enough I can get this to work on the new firewall. The firewall can ping and answer pings, but not the hosts. I have tried to configure the access-list according to instructions on the net but to no avail. Can anyone help?

The configuration after resetting and restoring basic information:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname pixfirewall

domain-name goldpen.se

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 62.x.x.x.x.255.192

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 x.x.x.x.x.x.190 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd dns 194.22.190.10

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:xxxx

spremkumar · ‎03-17-2006

Hi

can you confirm the kinda VPN you are trying to establish with this PIX firewall ? Is it simple RAVPN clients forming the VPN connectivity with this PIX or is it a point to point VPN connectivity with this pix ?

also the link which you have followed to configure up the same and the configuration with which the VPN and ping is sucessfull..

regds

jackko · ‎03-17-2006

just wondering if the outbound internet issue only occurs after the vpn configuration or not.

according to the posted config, it's pretty straight forward and it shouldn't have any issue for inside host to browse the internet.

assuming the issue only occurs after the vpn configuration, please post the config with the vpn configuration instead.

froggy3132000 · ‎03-17-2006

I am just taking a guess that your inside hosts are trying to VPN outbound. If this is the case you need to add this to your config:

isakmp traversal 20

If not please elaborate.

veruscorp · ‎03-18-2006

Hard to determine without a complete list of access lists and nat exemption statements from VPN configs.

Snwstrm69 · ‎03-19-2006

Thanks everybody for the replies and your effort! It is greatly appreciated.

As requested I will elaborate. This is the configuration after a clean restart after which I have set up the basics. The hosts on the inside cannot get contact with the outside. As I mentioned the firewall can ping the world and vice versa.

My goals are primarily to get the firewall to work as one. I have a few servers I want to protect and make visible on the outside. Obviously these rules are not implemented yet.

Secondly I would like to make it possible to access the inside via VPN from home. It sounds like point to point, but I am unsure of any flavour differences? In some mysterious way I have gotten the VPN to work in previous attempts. Outside hosts have been able to log onto and access the inside. But for now that is not the problem. I think I can get it working again.

The outbound issue does occur independent of the VPN configuration or not. A VPN client connected could not connect with the outside.

This is the complete configuration as of now, and the inside hosts are unable to access the Internet.

One thought I have had is that the unit is faulty in some way? Should I send it in return?

veruscorp · ‎03-20-2006

Before throwing the firewall out, what are the basics for the hosts? You do not have icmp enabled. Enable it from any to any for troubleshooting. Then, make sure the hosts can ping the firewall and cand can ping the router in front of the firewall. Make sure the workstations have a proper gateway of 192.168.1.1 /24. Make sure the workstations have proper DNS servers configured. Maybe they can access the Internet.