Cisco Support Community

Cisco 515E PIX Firewall VPN Problem

Hello everybody,

I have a problem with my VPN connection. I can connect to my company via VPN, but I cannot reach resources such as local computers and servers, especially the domain controller. When I connect with the VPN, I am able to get my VPN IPs, DNS and WINS information. But when I ping some server, it times out. I checked the NAT configuration and IP routes but I couldn't see any error. The logs say: " Built inbound UDP connection 1026765 for outside:192.168.5.1/58072 (192.168.5.1/58072) to inside: DN50/53 (DN50/53)". But UDP ports are allowed in my PIX.

You can find my NAT configuration below.

nat-control

global (outside) 1 1.2.3.5 (real IP)

global (outside) 2 1.2.3.4 (real IP)

nat (outside) 2 192.168.5.0 255.255.255.0

nat (outside) 2 172.25.0.0 255.255.0.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 192.168.0.48 255.255.255.248

nat (inside) 1 0.0.0.0 0.0.0.0

Does anyone have an idea how to resolve my problem?

Thanks,

Serdar Karahanoglu

2 REPLIES

Re: Cisco 515E PIX Firewall VPN Problem

Hi,

Is your network setup something like this?

--------

Then check on the L3 switch whether it has the correct route for the VPN IP pool (pointing towards the PIX internal interface).

Also, check the contents of the ACL inside_nat0_outbound to see whether the IP addresses and subnet masks are correct.


Re: Cisco 515E PIX Firewall VPN Problem

Hi,

Actually, I am changing my topology right now. Here is my new topology:

New!!

--------

If you forget about ISA, my VPN clients can reach the PIX and obey the policy, getting their IPs (192.168.5.X) and DNS. And I have a NAT for the VPNs to reach the internal network.

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0

Another one: access-list 80 standard permit 192.168.5.0 255.255.255.0

I think they are correct. Do you have any idea about it?
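Editor's added example (not code from any poster in this thread or from Cisco): an offline check of which inside hosts the quoted inside_nat0_outbound entry exempts from NAT when talking to the 192.168.5.0/24 VPN pool. The function names are hypothetical and the host addresses are constructed sample values; substitute the real server addresses.

```python
import ipaddress

# ACL line quoted in the thread; the hosts tested below are constructed values.
CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
"""

def _take_net(tokens):
    """Consume one PIX address spec (any | host A | A MASK) from a token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Otherwise: an address followed by its subnet mask
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)

def parse_acl(config, name):
    """Return [(action, src_net, dst_net)] for 'extended permit|deny ip' entries."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if t[:3] != ["access-list", name, "extended"] or len(t) < 6 or t[4] != "ip":
            continue
        rest = t[5:]
        entries.append((t[3], _take_net(rest), _take_net(rest)))
    return entries

def is_nat_exempt(entries, src, dst):
    """First matching entry wins; no match is an implicit deny (not exempt)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

if __name__ == "__main__":
    acl = parse_acl(CONFIG, "inside_nat0_outbound")
    vpn_client = "192.168.5.10"                      # constructed pool address
    for host in ("192.168.0.50", "192.168.1.10"):    # constructed inside hosts
        # Hosts the ACL does not match are handled by the numbered
        # nat (inside) rules from the first post instead of nat 0.
        state = "exempt" if is_nat_exempt(acl, host, vpn_client) else "NOT exempt"
        print(f"{host} -> {vpn_client}: {state}")
```

A server that prints NOT exempt sits outside 192.168.0.0/24, so its replies to VPN clients are translated by the dynamic NAT rules rather than bypassing NAT.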
