We have a Cisco PIX 515 with software 7.1(2). It accepts Cisco VPN Client connections without any problem, but no routing is performed towards the internal networks directly connected to the PIX. For instance, my PC is assigned IP address 172.16.2.57, and then the internal Windows server 172.16.0.12 does not answer ping or RDP attempts. The most irritating thing is that these attempts are registered in syslog, but always terminated with "SYN Timeout", as follows:
2009-01-06 23:23:01 Local4.Info 126.96.36.199 %PIX-6-302013: Built inbound TCP connection 3315917 for outside:172.16.2.57/1283 (172.16.2.57/1283) to inside:ALAI2/3389 (ALAI2/3389)
2009-01-06 23:23:31 Local4.Info 188.8.131.52 %PIX-6-302014: Teardown TCP connection 3315917 for outside:172.16.2.57/1283 to inside:ALAI2/3389 duration 0:00:30 bytes 0 SYN Timeout
We tried to enable and disable "nat-control", "same-security-traffic permit inter-interface" and "same-security-traffic permit intra-interface" but results are the same: the VPN connection completes successfully but remote clients cannot reach the internal servers.
I'm attaching the relevant configuration so the problem can be fully understood:
! outside interface address (the same address is used as the PAT address for nat id 12 below)
ip address xx.yy.zz.tt 255.255.255.240
! inside interface address
ip address 172.16.0.1 255.255.255.0
! NAT exemption: inside LAN <-> VPN client pool (172.16.2.56/29)
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.2.56 255.255.255.248
! crypto ACL for the dynamic crypto map: inside LAN <-> VPN client pool
access-list outside_cryptomap_dyn_20 extended permit ip 172.16.0.0 255.255.255.0 172.16.2.56 255.255.255.248
! split-tunnel list pushed to the clients: only the inside LAN goes through the tunnel
access-list VPN_client_group_splitTunnelAcl standard permit 172.16.0.0 255.255.255.0
! address pool assigned to VPN clients
ip local pool pool_vpn_clientes 172.16.2.57-172.16.2.62 mask 255.255.255.248
! PAT to the outside address for nat id 12
global (outside) 12 xx.yy.zz.tt
! nat 0 with an ACL = NAT exemption for the traffic matched by inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
! only 172.16.0.12 is translated to the outside address (nat id 12)
nat (inside) 12 172.16.0.12 255.255.255.255
! two group policies; only VPN_client_group carries the split-tunnel list
group-policy VPN_clientes internal
group-policy VPN_clientes attributes
default-domain value xxyyzz.net
group-policy VPN_client_group internal
group-policy VPN_client_group attributes
split-tunnel-network-list value VPN_client_group_splitTunnelAcl
default-domain value xxyyzz.local
I'm not attaching any cryptographic algorithm details because the VPN completes successfully, as I said at the beginning. Besides, routing tables are not relevant in my opinion, because the unreachable hosts are directly connected to the internal LAN of the PIX 515.
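As an added example (not part of the original post, and not Cisco code), here is a small Python parser for the %PIX-6-302013 / %PIX-6-302014 message pair quoted above. It correlates each "Built" message with its "Teardown" by connection ID and flags entries torn down with reason "SYN Timeout" and zero bytes. That combination is the useful diagnostic in the post: 302013 shows the SYN passed the ACL and translation lookups and a connection entry was created, while a "SYN Timeout" teardown shows no SYN/ACK came back within the SYN timer (30 s by default), so the three-way handshake never completed. The sample log is constructed: the first two lines are the ones from the post, the other two (connection 3315920, reason "TCP FINs") are invented to show what a completed session looks like.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample: the two lines quoted in the post plus two invented lines
# (connection 3315920) showing a session that completed normally.
SAMPLE_LOG = """\
2009-01-06 23:23:01 Local4.Info 126.96.36.199 %PIX-6-302013: Built inbound TCP connection 3315917 for outside:172.16.2.57/1283 (172.16.2.57/1283) to inside:ALAI2/3389 (ALAI2/3389)
2009-01-06 23:23:31 Local4.Info 188.8.131.52 %PIX-6-302014: Teardown TCP connection 3315917 for outside:172.16.2.57/1283 to inside:ALAI2/3389 duration 0:00:30 bytes 0 SYN Timeout
2009-01-06 23:24:05 Local4.Info 126.96.36.199 %PIX-6-302013: Built inbound TCP connection 3315920 for outside:172.16.2.57/1290 (172.16.2.57/1290) to inside:ALAI2/3389 (ALAI2/3389)
2009-01-06 23:31:12 Local4.Info 126.96.36.199 %PIX-6-302014: Teardown TCP connection 3315920 for outside:172.16.2.57/1290 to inside:ALAI2/3389 duration 0:07:07 bytes 48213 TCP FINs
"""

BUILT_RE = re.compile(
    r"%PIX-6-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[^/]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<dst_if>\w+):(?P<dst>[^/]+)/(?P<dport>\d+) \([^)]*\)"
)
TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<conn_id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[^/]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst>[^/]+)/(?P<dport>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<byte_count>\d+) (?P<reason>.+)$"
)


@dataclass
class Conn:
    conn_id: str
    src: str
    sport: int
    dst: str
    dport: int
    built: bool = False
    duration_s: Optional[int] = None
    byte_count: Optional[int] = None
    reason: Optional[str] = None

    @property
    def handshake_failed(self) -> bool:
        # 302013 means the SYN passed the ACL and translation lookups and a
        # connection entry was created; a 302014 with reason "SYN Timeout" and
        # zero bytes means no SYN/ACK came back before the SYN timer expired
        # (30 s by default), i.e. the three-way handshake never completed.
        return self.reason == "SYN Timeout" and self.byte_count == 0


def parse_pix_tcp_log(text: str) -> Dict[str, Conn]:
    """Correlate 302013/302014 messages by connection ID."""
    conns: Dict[str, Conn] = {}
    for line in text.splitlines():
        m = BUILT_RE.search(line) or TEARDOWN_RE.search(line)
        if not m:
            continue  # ignore anything that is not a TCP build/teardown message
        conn = conns.setdefault(
            m["conn_id"],
            Conn(m["conn_id"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])),
        )
        if m.re is BUILT_RE:
            conn.built = True
        else:
            conn.duration_s = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            conn.byte_count = int(m["byte_count"])
            conn.reason = m["reason"].strip()
    return conns


def half_open_summary(conns: Dict[str, Conn]) -> Dict[Tuple[str, str, int], int]:
    """Count handshake failures per (source, destination, port) so a systematic
    problem (every flow to one host failing) stands out from a single retry."""
    summary: Dict[Tuple[str, str, int], int] = {}
    for c in conns.values():
        if c.handshake_failed:
            key = (c.src, c.dst, c.dport)
            summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    conns = parse_pix_tcp_log(SAMPLE_LOG)
    for (src, dst, dport), n in half_open_summary(conns).items():
        print(f"{src} -> {dst}:{dport}: {n} SYN timeout(s), no SYN/ACK seen")
```

Run it against a syslog export (or pipe in `show logging` output) and the summary separates flows that never got a SYN/ACK from flows that carried data and closed normally; a consistent zero-byte "SYN Timeout" count against one inside host means the PIX forwarded the SYN but nothing returned from that host, which is a question about the return path rather than about the ACL or the tunnel.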