Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX 506e- No VPN Access to Inside Network

I'm new to the PIX and used the PDM Startup Wizard and VPN Wizard to configure my PIX 506e. I have very simple needs: my inside network connects to the ISP via PPPoE and want to be able to VPN from any outside IP address and access any address on my inside network (via various protocols including ssh).

The basic configuration works fine for all outbound traffic, but there's something wrong with the VPN configuration.

When I use my Cisco VPN client (v.4.9.01) I can authenticate and make the IPSec connection, but can't see any clients on the inside network (I tested with ping and by attempting to access a web page hosted on a client). The remote client's IP address is from the vpnlocal pool that I configured in the Wizard. I didn't think I'd need ACLs to allow specific traffic over the VPN, but I'm stumped as to why I can make the VPN connection successfully, but can't do anything with it.

Attached is the configuration for the PIX. Also attached is the log from the remote Cisco VPN client attempting to make the VPN connection.

Any help will be most appreciated!

Thanks,

Tim

8 REPLIES
Green

Re: PIX 506e- No VPN Access to Inside Network

Always use a different subnet for your vpn client pool, not the same as inside subnet.

Add "isakmp nat-traversal" for clients behind nat/pat.

Your nat exemption acl is not correct. Should be something like...

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0

New Member

Re: PIX 506e- No VPN Access to Inside Network

Thanks for the reply. I've made the suggested changes, but still have the same behavior-- I can make a remote connection, but can't access any clients on the inside network.

Attached is an updated configuration file.

Thanks for your help,

Tim

New Member

Re: PIX 506e- No VPN Access to Inside Network

I've resolved my problem, I think, by reconfiguring the subnet mask setting on the firewall to 255.255.0.0 (in addition to assigning vpn pool IP addresses out of the 192.168.2.0 range and enabling nat-traversal).

The only oddity I've noticed is that I can VPN and access devices on the internal network from a couple of locations, but one site using a Linksys WR54G allows the VPN connection, but still can't see devices on the inside network.

Any suggestions here would be great, and thanks for your other advice!

Green

Re: PIX 506e- No VPN Access to Inside Network

Hmm, not sure why changing mask on the inside interface would make that work. Could you post the current config?

New Member

Re: PIX 506e- No VPN Access to Inside Network

I'm not sure either. I'm thinking that it may have been that the one client on the inside network had a static IP (192.168.1.10) with a subnet mask of 255.255.0.0.

The updated config is attached.

--Tim

Green

Re: PIX 506e- No VPN Access to Inside Network

the issue with changing the inside mask to /16 is that now the vpn client subnet is a part of that 192.168.0.0/16, which it shouldn't be. But you say it's working?

New Member

Re: PIX 506e- No VPN Access to Inside Network

Yep, it works fine from two different sites, though not from the one behind a WR54G router for some reason.

Is there a resource for a relative network "noob" like me to find a good explanation for the IP notation you used (192.168.0.0/16)? I often see this on the Cisco site and in Cisco literature where the IP address is followed by a slash (/) and a number. I think that the number after the four octet IP refers to subnetting info, but am not sure.

Thanks for the help, and if you're not tired of me yet, I plan to post a question to this forum on setting a static translation and ACLs to allow Web traffic through the firewall. :-)

--Tim

Green

Re: PIX 506e- No VPN Access to Inside Network

Yes, this refers to the mask. An ip address has 4 octets, 8 bits each. So for example...

/8 = 255.0.0.0

/16 = 255.255.0.0

/24 = 255.255.255.0

270
Views
6
Helpful
8
Replies