04-26-2006 01:59 AM
The remote VPN client can't access any hosts internal to the PIX (inside), but the remote VPN client can connect with the PIX. Please help me. Thanks, I am in trouble.
internal (inside) PIX (outside) ----- (internet) ----- remote VPN client.
: Saved
:
PIX Version 7.0(4)12
!
hostname pixfirewall
domain-name default.domain.invalid
enable password xxxx
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 218.87.x.x.x.255.192 standby 218.x.x.76
!
interface Ethernet1
nameif inside
security-level 100
ip address 168.50.x.x.255.255.0 standby 168.x.x.151
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd xxxx
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.240
access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.240
access-list Outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool hpcisco 10.10.10.1-10.10.10.10 mask 255.255.255.0
failover
monitor-interface outside
monitor-interface inside
icmp permit any outside
icmp permit any inside
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 168.50.6.0 255.255.255.0
access-group Outside_access_in in interface outside
route outside 0.0.0.0 0.x.x.x.87.6.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username xxx password xxx
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group hpcisco type ipsec-ra
tunnel-group hpcisco general-attributes
address-pool hpcisco
tunnel-group hpcisco ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
04-26-2006 02:31 AM
Verify your configuration with the following document:
The thing to note here is:
The sysopt connection permit-ipsec command must be configured to permit all inbound IPSec authenticated cipher sessions. In PIX 7.0, the sysopt commands do not show up in the running configuration. In order to verify if the sysopt connection permit-ipsec command is enabled, execute the show running-config sysopt command.
All of the above and more is explained in the document.
Hope this helps and let me know if you need further help. Please rate post if it helps as it may also help others too.
Jay
04-26-2006 02:43 AM
My configuration differs from the one you gave (URL), because I
selected without split-tunnel.
show running-config sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
sysopt connection permit-ipsec
04-27-2006 08:23 AM
I need further help.
04-27-2006 06:44 PM
Can you try accessing the internal PCs and post the output of:
show crypto ipsec sa
show crypto isakmp sa
04-28-2006 02:07 AM
show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 218.87.6.78
Type : user Role : responder
Rekey : no State : AM_ACTIVE
show crypto ipsec sa
interface: outside
Crypto map tag: hpcisco, seq num: 20, local addr: 218.87.6.76
access-list 100 permit ip any 10.10.10.0 255.255.255.0
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
current_peer: 218.x.x.78, username: xxxx
dynamic allocated peer ip: 10.10.10.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 218.87.6.76, remote crypto endpt.: 218.87.6.78
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 887012D2
inbound esp sas:
spi: 0x78BDCBC4 (2025704388)
transform: esp-3des esp-sha-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 2, crypto-map: hpcisco
sa timing: remaining key lifetime (sec): 28021
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x887012D2 (2289046226)
transform: esp-3des esp-sha-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 2, crypto-map: hpcisco
sa timing: remaining key lifetime (sec): 28020
IV size: 8 bytes
replay detection support: Y
pixinternet(config)#
04-28-2006 02:09 AM
Why are they "0"?
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
04-28-2006 05:21 AM
Result of the command: "show cry ipsec sa"
interface: outside
Crypto map tag: hpcisco, seq num: 20, local addr: 218.87.6.76
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
current_peer: 218.64.54.96, username: hpcisco
dynamic allocated peer ip: 10.10.10.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 169, #pkts decrypt: 169, #pkts verify: 169
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 218.87.6.76, remote crypto endpt.: 218.64.54.96
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 8F1148AE
inbound esp sas:
spi: 0x9528BCDE (2502474974)
transform: esp-3des esp-sha-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 2, crypto-map: hpcisco
sa timing: remaining key lifetime (sec): 27884
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x8F1148AE (2400274606)
transform: esp-3des esp-sha-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 2, crypto-map: hpcisco
sa timing: remaining key lifetime (sec): 27884
IV size: 8 bytes
replay detection support: Y
04-29-2006 03:06 PM
Are you sure the devices behind the PIX know the way back to the pool allocated for the remote clients ..? Your PIX is decrypting packets but it is not sending packets back ..
04-29-2006 11:46 PM
I met the same question. Can you help? Thank you in advance.
04-30-2006 03:56 PM
Please try adding this entry:
crypto dynamic-map outside_dyn_map 20 set reverse-route
Also .. please make sure routing from your network towards the IP pool allocated for remote VPN clients is set correctly .. If you do a traceroute from your systems on the inside network to the IP pool for remote clients .. the packets should at least reach the inside interface of the PIX. If this is not happening then you probably have a routing issue here.
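The counter pattern discussed above (decaps rising while encaps stays at 0) can be checked mechanically. The script below is an added example, not code from any poster in this thread; it parses the relevant lines of "show crypto ipsec sa" output and maps the counter pattern to the diagnosis the thread arrives at. The two sample outputs are constructed from the counters quoted earlier in the thread, trimmed to the lines the parser uses.

```python
import re

# Constructed sample: condensed from the first "show crypto ipsec sa" posted
# in the thread, taken before any traffic was sent through the tunnel.
SAMPLE_BEFORE = """\
interface: outside
Crypto map tag: hpcisco, seq num: 20, local addr: 218.87.6.76
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

# Constructed sample: condensed from the second output, after the client
# tried to reach inside hosts (169 packets decrypted, none encrypted back).
SAMPLE_AFTER = """\
interface: outside
Crypto map tag: hpcisco, seq num: 20, local addr: 218.87.6.76
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 169, #pkts decrypt: 169, #pkts verify: 169
#send errors: 0, #recv errors: 0
"""

# Only the counters needed for the one-way-traffic check are extracted.
COUNTER_RE = re.compile(r"#(pkts (?:encaps|decaps)|send errors|recv errors): (\d+)")


def parse_counters(output: str) -> dict:
    """Return encaps/decaps/send_errors/recv_errors from a show crypto ipsec sa dump."""
    counters = {}
    for match in COUNTER_RE.finditer(output):
        name = match.group(1).replace("pkts ", "").replace(" ", "_")
        counters[name] = int(match.group(2))
    return counters


def diagnose(counters: dict) -> str:
    """Map the counter pattern to the likely fault, following the thread's reasoning."""
    encaps = counters.get("encaps", 0)
    decaps = counters.get("decaps", 0)
    if counters.get("send_errors", 0) or counters.get("recv_errors", 0):
        return "errors: send/recv errors are non-zero, inspect the SA before reading counters"
    if encaps == 0 and decaps == 0:
        return "no traffic: nothing has crossed the tunnel yet, generate traffic from the client and re-check"
    if encaps == 0 and decaps > 0:
        return "one-way: PIX decrypts client packets but sends none back; check inside routing to the pool and the nat 0 exemption"
    return "bidirectional: tunnel is passing traffic in both directions"


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, "->", diagnose(parse_counters(sample)))
```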
04-30-2006 11:44 PM
Wow, I have no ideas, so I downgraded my PIX flash from pix704.bin to pix633.bin; now it works correctly.
So I suggest you should roll back your flash to 633.