wr net from SOHO PIX to Central site

SteveGodfrey (Level 1)

PIX501-----internet-----PIX525

6.3 VPN 6.2

I'm unable to successfully copy the running config from the 501 via the EZ-VPN link to a TFTP server on the core network.

The client PCs on the SOHO network can access the internal networks (RFC1918), and they can also perform TFTP transfers to the central TFTP server.

Incidentally, the syslogs aren't being received on the central network and the NTP isn't syncing to the core NTP server either. In short, the 501 has no connectivity to the internal networks, with little indication as to why.

The ACL on the 525 is permitting all traffic from the 501 VPN IP address. I've set up captures on the 525, and on the outside I'm seeing the IPSec packets, but I'm seeing nothing on the inside interface.

Here's the output I see on the 501:

TFTP write 'YCHILF00F01.cfg' at 10.x.x.x on interface 0

Timed out attempting to connect

[FAILED]

111001: Begin configuration: console writing to tftp

111004: console end configuration: FAILED

111008: User 'enable_15' executed the 'write net' command.

Not much help!

Here's the relevant 501 config:

PIX Version 6.3(1)

access-list outside permit icmp any any

access-list outside permit ip any any

access-list permitall permit ip any any

ip address outside dhcp setroute

ip address inside x.x.x.1 255.255.255.0

ip verify reverse-path interface inside

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group outside in interface outside

access-group permitall in interface inside

management-access outside

vpnclient server 193.35.234.2

vpnclient mode client-mode

vpnclient vpngroup ????? password ********

vpnclient username ????? password ********

vpnclient enable

Thanks in advance

Steve

7 Replies

SteveGodfrey (Level 1)

Here's some more relevant info.

I've searched the syslogs from the 525 for additional information, and here's what I found.

So why aren't the TFTP and syslogs going through the VPN? The 82.32 address is the outside of the 501; the VPN-assigned address is in the 10.x.x.x network.

305005: No translation group found for udp src outside:82.32.x.x/12345 dst inside:10.25.x.x/69

305005: No translation group found for udp src outside:82.32.x.x/514 dst inside:10.25.x.x/514

305005: No translation group found for udp src

Steve,

What does your NAT config on the 525 look like? Assuming you are doing some sort of NAT 0 ACL, try adding the 82.32.X.X address to this ACL and see if that doesn't solve the translation issues. Let me know if this is not clear.

Scott

Here's the NAT config from the 525:

But given that I'm seeing the packets arrive on the outside interface of the 525 unencrypted, this means the 501 isn't sending them down the VPN pipe.

access-list acl-nonat permit ip any 10.28.0.0 255.255.252.0

access-list acl-nonat permit ip any 10.29.0.0 255.255.0.0

nat (inside) 0 access-list acl-nonat

Here's the vpngroup config too:

vpngroup YC-Hillfields address-pool YC-pool

vpngroup YC-Hillfields split-tunnel YC-SPLIT

ip local pool YC-pool 10.29.4.x

access-list YC-VPN-SPLIT permit ip 192.0.0.0 255.0.0.0 10.29.0.0 255.255.0.0

access-list YC-VPN-SPLIT permit ip 10.0.0.0 255.0.0.0 10.29.0.0 255.255.0.0

Hmmm, I doubt that the packets are arriving on your 525 from the remote PIX unencrypted, since they are destined for an RFC 1918 address range. I feel sure that if this were the case, one of the routers across the path would have dropped these packets. I think you are seeing the results after the decryption occurs.

Try adding this to your nonat ACL:

access-list acl-nonat permit ip any 82.32.X.X 255.255.255.255

Scott
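An added illustration, not part of the thread, of why the 305005 messages appear and why the extra acl-nonat line suggested above clears them. The 82.32.x.x, 10.29.4.x and 10.25.x.x addresses are masked in the posts, so the values below are constructed stand-ins, and the check models PIX 6.x nat 0 access-list evaluation as the replies describe it (ACL matched from the inside host's point of view for inbound traffic).

```python
import ipaddress

# Constructed stand-ins for the addresses the thread masks as 82.32.x.x,
# 10.29.4.x and 10.25.x.x; they are not the real values.
PIX501_OUTSIDE = "82.32.1.2"    # 501's DHCP-assigned outside address
PIX501_POOL    = "10.29.4.7"    # address the 525 hands out from YC-pool
CENTRAL_TFTP   = "10.25.1.10"   # central TFTP / syslog host

# nat (inside) 0 access-list acl-nonat, as posted for the 525
ACL_BEFORE = """
access-list acl-nonat permit ip any 10.28.0.0 255.255.252.0
access-list acl-nonat permit ip any 10.29.0.0 255.255.0.0
"""
# The same list with the suggested host entry appended (constructed address)
ACL_AFTER = ACL_BEFORE + "access-list acl-nonat permit ip any 82.32.1.2 255.255.255.255\n"

def parse_nonat(text):
    """Parse 'access-list NAME permit ip SRC DST' lines into (src, dst)
    network pairs. PIX 6.x masks are ordinary subnet masks, not wildcards;
    'any' means 0.0.0.0/0 and 'host A' means A/32."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[:1] != ["access-list"] or toks[2:4] != ["permit", "ip"]:
            continue
        nets, rest = [], toks[4:]
        while rest and len(nets) < 2:
            if rest[0] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0")); rest = rest[1:]
            elif rest[0] == "host":
                nets.append(ipaddress.ip_network(rest[1] + "/32")); rest = rest[2:]
            else:
                nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False))
                rest = rest[2:]
        entries.append((nets[0], nets[1]))
    return entries

def inbound_has_xlate(acl_text, outside_src, inside_dst):
    """For a packet that arrives on the outside (after decryption) the PIX
    needs a translation for the inside host. With nat 0 access-list the ACL
    is evaluated from the inside host's side: src = inside host, dst = the
    outside address. No match is what syslog 305005 reports."""
    s = ipaddress.ip_address(inside_dst)
    d = ipaddress.ip_address(outside_src)
    return any(s in src_net and d in dst_net for src_net, dst_net in parse_nonat(acl_text))

if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(label, "pool client ->", inbound_has_xlate(acl, PIX501_POOL, CENTRAL_TFTP),
              "| 501 itself ->", inbound_has_xlate(acl, PIX501_OUTSIDE, CENTRAL_TFTP))
```

The pool-addressed client PCs match the 10.29.0.0/16 entry, which is why their TFTP works, while traffic the 501 sources from its own outside address matches nothing until the host entry is added.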

I'm going mad... of course the packets aren't arriving unencrypted! My brain has turned to mush :-(

OK, I've added that line to the ACL and I'm getting hits on it. The wr net, syslogs etc. from the 501 still aren't working though, and I'm not getting any info in the 525 syslog....

So it would seem as if the packets are now getting through the 525.

Can you suggest anything else to try to find out where the fault lies?

Thanks

The fun continues :-)

I'm seeing this on the 501 when trying a ping from the main network. Surely if the VPN is configured properly I don't need any statics?

106011: Deny inbound (No xlate) icmp src outside:10.20.20.3 dst outside:10.29.4.7 (type 8, code 0)

Not exactly... what does your NAT config look like on the 501 now?

Scott
