Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

wr net from SOHO PIX to Cntral site

PIX501-----internet-----PIX525

6.3 VPN 6.2

I'm unable to sucessfully copy the running config from the 501 via the EZ-Vpn link to a tftp server on the core network.

The client PC's on the SOHO network can access the internal netowrks (RFC1918), they can also perform TFTP transfer to the central TFTP server.

Incidentally the syslogs are being received on the central network and the NTP isn't syncing to the core NTP server either. In short the 501 has no connectivity to the internal netowrks - with little indication as to why.

The ACL on the 525 is permiting all traffic from the 501 VPN IP address, I've setup captures on the 525 and on the outside I'm seeing the IPSec packets but I'm seeing nothing on the inside interface.

Here's the output I see on the 501

TFTP write 'YCHILF00F01.cfg' at 10.x.x.x on interface 0

Timed out attempting to connect

[FAILED]

111001: Begin configuration: console writing to tftp

111004: console end configuration: FAILED

111008: User 'enable_15' executed the 'write net' command.

Not much help!

Here's the relevant 501 config

PIX Version 6.3(1)

access-list outside permit icmp any any

access-list outside permit ip any any

access-list permitall permit ip any any

ip address outside dhcp setroute

ip address inside x.x.x.1 255.255.255.0

ip verify reverse-path interface inside

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group outside in interface outside

access-group permitall in interface inside

management-access outside

vpnclient server 193.35.234.2

vpnclient mode client-mode

vpnclient vpngroup ????? password ********

vpnclient username ????? password ********

vpnclient enable

Thanks in advance

Steve

7 REPLIES
New Member

Re: wr net from SOHO PIX to Cntral site

Here's some more relevant info.

I've searched the syslogs from the 525 for additional information and here's what I found.

So why aren't the tftp and syslogs going through the VPN? The 82.32 address is the outside 501, the VPN assigned address is in the 10.x.x.x network.

305005: No translation group found for udp src outside:82.32.x.x/12345 dst inside:10.25.x.x/69

305005: No translation group found for udp src outside:82.32.x.x/514 dst inside:10.25.x.x/514

305005: No translation group found for udp src

Re: wr net from SOHO PIX to Cntral site

Steve,

What does your NAT config on the 525 look like? Assuming you are doing some sort of NAT 0 ACL, try adding the 82.32.X.X address to this ACL and see if that doesn't solve the translation issues. Let me know if this is not clear.

Scott

New Member

Re: wr net from SOHO PIX to Cntral site

Here's the NAT config from the 525.

But given I'm seeing the packets arrive on the outside interface of the 525 unencrypted this means the 501 isn't sending them down the VPN pipe.

access-list acl-nonat permit ip any 10.28.0.0 255.255.252.0

access-list acl-nonat permit ip any 10.29.0.0 255.255.0.0

nat (inside) 0 access-list acl-nonat

Here's the VPNGroup config too

vpngroup YC-Hillfields address-pool YC-pool

vpngroup YC-Hillfields split-tunnel YC-SPLIT

ip local pool YC-pool 10.29.4.x

access-list YC-VPN-SPLIT permit ip 192.0.0.0 255.0.0.0 10.29.0.0 255.255.0.0

access-list YC-VPN-SPLIT permit ip 10.0.0.0 255.0.0.0 10.29.0.0 255.255.0.0

Re: wr net from SOHO PIX to Cntral site

Hmmm, doubt that the packets are arriving on your 525 from the remote PIX unencrypted since they are destined for a RFC 1918 address range. I feel sure if this was the case, one of the routers across the path would have dropped these packets. I think you are seeing the results after the decryption occurs.

Try adding this to your nonat ACL:

access-list acl-nonat permit ip any 82.32.X.X 255.255.255.255

Scott

New Member

Re: wr net from SOHO PIX to Cntral site

I'm going mad...of course the packes aren't arriving unencrypted! My brain has turned to mush :-(

OK I've added that line to the ACL and I'm getting hits on it. The wr net, syslogs etc from the 501 still aren't working though and I'm not getting any info on the 525 syslog....

So it would seem as if the packes are now getting through the 525.

Can you suggest anything else to try to find ot where the fault lies?

Thanks

New Member

Re: wr net from SOHO PIX to Cntral site

The fun continues :-)

I'm seeing this on the 501 when trying a ping from the main network, surely if the VPN is configured properly I don't need any statics?

106011: Deny inbound (No xlate) icmp src outside:10.20.20.3 dst outside:10.29.4.7 (type 8, code 0)

Re: wr net from SOHO PIX to Cntral site

Not exactly...what does your NAT config look like on the 501 now?

Scott

299
Views
0
Helpful
7
Replies
CreatePlease to create content