New Member

PIX 6.3(5) VPN not routing

OK, this one has me puzzled. It has been a while since I configured a PIX for Client VPN access, so I don't know what I am missing. I have done quite a few ASA setups, no problem, but this PIX one has me stumped.

Internal network 192.168.1.0/24, VPN pool 192.168.10.0/24.

NoNat ACL 192.168.1.0/24 192.168.10.0/24

nat (inside) 0 access-list NoNat

VPN ACL 192.168.1.0/24 192.168.10.0/24

vpngroup group split-tunnel VPN

I am connecting OK, authenticating against RADIUS, and the route tab on the client shows 192.168.1.0/24, but I can't ping nor remote desktop to anything behind the PIX. I ran debug icmp trace and did not see any traffic either.

The show cry ips sa shows me encrypted and decrypted traffic though; the client only shows encrypted. The client is version 5.0.03.0560, PIX OS is 6.3(5).

I should note I tried this from both an XP machine and a Macbook. Same results.

3 REPLIES

Re: PIX 6.3(5) VPN not routing

Make sure ANY other device that does handle the routing on the network knows the 192.168.10.0/24 network is handled by the PIX.

HTH

New Member

Re: PIX 6.3(5) VPN not routing

That's not a problem, the default gateway for everything is the PIX. Further troubleshooting has led me to the show crypto map command to verify that the dynamic ACL is working, and I found something interesting. The ACL for no nat does not appear.

access-list dynacl18; 1 elements

access-list dynacl18 line 1 permit ip any host 192.168.10.1 (hitcnt=172)

I am not seeing

access-list dynacl17; 1 elements

access-list dynacl17 line 1 permit ip host (outside IP) host 192.168.10.1

as per the example found here

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml

I am seeing full traffic though, and this is what is puzzling me; it seems as if the client is blocking the traffic.

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.10.1/255.255.255.255/0/0)

current_peer: :4203

dynamic allocated peer ip: 192.168.10.1

PERMIT, flags={}

#pkts encaps: 123, #pkts encrypt: 123, #pkts digest 123

#pkts decaps: 123, #pkts decrypt: 123, #pkts verify 123

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

Client packets: Encrypted 123, Decrypted 0

New Member

Re: PIX 6.3(5) VPN not routing

I found the problem, I had mistakenly thought Nat Traversal was enabled, I found it wasn't, that was the problem.
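Added example, not part of the thread or Cisco's documentation: a Python script that applies the cross-check this thread arrives at. It compares the PIX 'show crypto ipsec sa' counters with the client's encrypted/decrypted counts, flags the "PIX decaps and encaps but client decrypts nothing" pattern, and checks a running config for the PIX 6.3 'isakmp nat-traversal' line. The SA output and config fragment are constructed samples modelled on the posts above; the config check assumes the PIX 6.x command syntax.

```python
import re

# Constructed sample, modelled on the 'show crypto ipsec sa' excerpt and the
# client packet counters posted in the thread (not copied from a live device).
PIX_SA_OUTPUT = """\
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.1/255.255.255.255/0/0)
dynamic allocated peer ip: 192.168.10.1
#pkts encaps: 123, #pkts encrypt: 123, #pkts digest 123
#pkts decaps: 123, #pkts decrypt: 123, #pkts verify 123
#send errors 0, #recv errors 0
"""
CLIENT_STATS = {"encrypted": 123, "decrypted": 0}  # client's statistics tab

# Constructed PIX 6.3 config fragment; note there is no 'isakmp nat-traversal'.
PIX_CONFIG = """\
isakmp enable outside
isakmp identity address
vpngroup group split-tunnel VPN
"""

def parse_counters(sa_output):
    """Pull every '#pkts <name>[:] <n>' counter out of crypto SA output."""
    counters = {}
    for name, value in re.findall(r"#pkts ([a-z. ]+?):?\s+(\d+)", sa_output):
        counters[name.strip()] = int(value)
    return counters

def nat_traversal_enabled(config):
    """True when the PIX 6.3 'isakmp nat-traversal' line is in the config."""
    return re.search(r"^isakmp nat-traversal\b", config, re.MULTILINE) is not None

def diagnose(pix_counters, client_stats, config):
    """Classify the tunnel from both ends' counters and the ISAKMP config.
    'return_path_dropped' is the pattern in this thread: the PIX decapsulates
    the client's packets and encapsulates replies, yet the client decrypts
    nothing, so the ESP replies die between PIX and client. The second tuple
    element reports whether NAT-T is on, since a NAT device in that path
    dropping ESP is the usual cause and NAT-T the usual fix."""
    pix_in, pix_out = pix_counters.get("decaps", 0), pix_counters.get("encaps", 0)
    if client_stats["encrypted"] == 0 and pix_in == 0:
        return ("no_traffic", None)
    if pix_in == 0:
        return ("client_not_sending", None)
    if pix_out > 0 and client_stats["decrypted"] == 0:
        return ("return_path_dropped", nat_traversal_enabled(config))
    return ("healthy", nat_traversal_enabled(config))

if __name__ == "__main__":
    print(diagnose(parse_counters(PIX_SA_OUTPUT), CLIENT_STATS, PIX_CONFIG))
```

Run against the constructed data it reports ('return_path_dropped', False), i.e. the symptom from the second post together with the missing NAT-T line the third post identifies.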
