Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
xbw
Community Member

I have a very very hard problem,Please help me!

I can connect to the PIX and the VPN client PC can receive the settings from the PIX firewall, however I am unable to see and ping the local LAN.

Network Diagram

vpn client-----(Internet)------pix---168.x.x.x

Below is the config, am I missing a route or an access-list?

All help gratefully appreciated.

: Saved

:

PIX Version 7.0(4)12

!

hostname pixfirewall

!

interface Ethernet0

nameif outside

security-level 0

ip address 218.87.6.77 255.255.255.192 standby 218.87.6.76

!

interface Ethernet1

nameif inside

security-level 100

ip address 168.50.6.150 255.255.255.0 standby 168.50.6.151

!

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip 168.50.6.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list outside_cryptomap_dyn_20 extended permit ip 168.50.6.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.0

access-list Outside_access_in extended permit icmp any any

access-list splittunnel standard permit 168.50.6.0 255.255.255.0

ip local pool hpcisco 10.10.10.1-10.10.10.10 mask 255.255.255.0

failover

icmp permit any outside

icmp permit any inside

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 168.50.6.0 255.255.255.0

access-group Outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 218.87.6.65 1

group-policy hpcisco internal

group-policy hpcisco attributes

vpn-idle-timeout 20

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittunnel

http server enable

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp nat-traversal 20

tunnel-group hpcisco type ipsec-ra

tunnel-group hpcisco general-attributes

address-pool hpcisco

default-group-policy hpcisco

tunnel-group hpcisco ipsec-attributes

pre-shared-key *

!

Cryptochecksum:xxx

: end

4 REPLIES
Community Member

Re: I have a very very hard problem,Please help me!

hi there i can solve ur problem.u have not assigned the

vpn-address-assign local

this command is required to tell that the vpn clients will be assigned addresess locally. plus pls check in ur policy map with the command

sh run policy-map global_policy

whether u have enabled inspection for icmp.

pls also check with this command

sh sysopt

it should show u

sysopt connection permit-ipsec

thsi has to be there for avoiding the crypto acl check on the outside for the vpn clients .

tell whether this has helped u . waiting for ur reply.

regards

sebastan

xbw
Community Member

Re: I have a very very hard problem,Please help me!

1、 I haven't enabled inspection for icmp

Result of the command: "sh run policy-map global_policy"

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

2、Result of the command: "show run syso"

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

no sysopt uauth allow-http-cache

sysopt connection permit-ipsec

3、I don't understand vpn-address-assign local

Result of the command: "show running-config all vpn-addr-assign"

vpn-addr-assign aaa

vpn-addr-assign dhcp

vpn-addr-assign local

xbw
Community Member

Re: I have a very very hard problem,Please help me!

Can you still help me,thanks.

Community Member

Re: I have a very very hard problem,Please help me!

You've probably solved this already by now, but version 7 needs an access list permiting inside traffic out.

eaccess-list inside_out permit ip any any

access-group inside_out in interface inside

Cheers Tony

119
Views
10
Helpful
4
Replies
CreatePlease to create content