591 Views, 7 Helpful, 11 Replies

Remote VPN client can't access any internal (PIX inside) hosts.

xbw (Level 1)

The remote VPN client can't access any internal (PIX inside) hosts, but the remote VPN client can connect with the PIX. Please help me. Thanks, I am in trouble.

internal (inside) PIX (outside)-----(internet)-----remote VPN client.

: Saved
:
PIX Version 7.0(4)12
!
hostname pixfirewall
domain-name default.domain.invalid
enable password xxxx
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 218.87.x.x.x.255.192 standby 218.x.x.76
!
interface Ethernet1
nameif inside
security-level 100
ip address 168.50.x.x.255.255.0 standby 168.x.x.151
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd xxxx
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.240
access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.240
access-list Outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool hpcisco 10.10.10.1-10.10.10.10 mask 255.255.255.0
failover
monitor-interface outside
monitor-interface inside
icmp permit any outside
icmp permit any inside
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 168.50.6.0 255.255.255.0
access-group Outside_access_in in interface outside
route outside 0.0.0.0 0.x.x.x.87.6.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username xxx password xxx
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group hpcisco type ipsec-ra
tunnel-group hpcisco general-attributes
address-pool hpcisco
tunnel-group hpcisco ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:xxx
: end

11 Replies

jmia (Level 7)

Verify your configuration with the following document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

The thing to note here is:

The sysopt connection permit-ipsec command must be configured to permit all inbound IPSec authenticated cipher sessions. In PIX 7.0, the sysopt commands do not show up in the running configuration. In order to verify if the sysopt connection permit-ipsec command is enabled, execute the show running-config sysopt command.

All of the above and more is explained on the document.

Hope this helps and let me know if you need further help. Please rate post if it helps as it may also help others too.

Jay

My configuration differs from the one you gave (the URL), because I selected no split-tunnel.

show running-config sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
sysopt connection permit-ipsec

I need further help.

Can you try accessing the internal PCs and post the output of:

show crypto ipsec sa

show crypto isakmp sa

show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 218.87.6.78
Type : user Role : responder
Rekey : no State : AM_ACTIVE

show crypto ipsec sa
interface: outside
Crypto map tag: hpcisco, seq num: 20, local addr: 218.87.6.76
access-list 100 permit ip any 10.10.10.0 255.255.255.0
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
current_peer: 218.x.x.78, username: xxxx
dynamic allocated peer ip: 10.10.10.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 218.87.6.76, remote crypto endpt.: 218.87.6.78
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 887012D2
inbound esp sas:
spi: 0x78BDCBC4 (2025704388)
transform: esp-3des esp-sha-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 2, crypto-map: hpcisco
sa timing: remaining key lifetime (sec): 28021
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x887012D2 (2289046226)
transform: esp-3des esp-sha-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 2, crypto-map: hpcisco
sa timing: remaining key lifetime (sec): 28020
IV size: 8 bytes
replay detection support: Y
pixinternet(config)#

Why are they "0"?
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0

Result of the command: "show cry ipsec sa"
interface: outside
Crypto map tag: hpcisco, seq num: 20, local addr: 218.87.6.76
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
current_peer: 218.64.54.96, username: hpcisco
dynamic allocated peer ip: 10.10.10.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 169, #pkts decrypt: 169, #pkts verify: 169
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 218.87.6.76, remote crypto endpt.: 218.64.54.96
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 8F1148AE
inbound esp sas:
spi: 0x9528BCDE (2502474974)
transform: esp-3des esp-sha-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 2, crypto-map: hpcisco
sa timing: remaining key lifetime (sec): 27884
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x8F1148AE (2400274606)
transform: esp-3des esp-sha-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 2, crypto-map: hpcisco
sa timing: remaining key lifetime (sec): 27884
IV size: 8 bytes
replay detection support: Y

Are you sure the devices behind the PIX know the way back to the pool allocated for the remote clients? Your PIX is decrypting packets but it is not sending packets back.

I met the same question, can you help? Thank you in advance.

Please try adding this entry:

crypto dynamic-map outside_dyn_map 20 set reverse-route

Also, please make sure routing from your network towards the IP pool allocated for remote VPN clients is set correctly. If you do a traceroute from your systems on the inside network to the IP pool for remote clients, the packets should at least reach the inside interface of the PIX. If this is not happening then you probably have a routing issue here.
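The diagnosis in the two replies above (decaps climbing while encaps stays at zero means the PIX decrypts the client's packets but never sends a reply back into the tunnel, so the return path from the inside network to the pool is what to check) can be automated. The script below is an added example, not code from the thread or from Cisco: it parses the #pkts counters out of a show crypto ipsec sa dump, classifies the traffic pattern, and checks that every address in the ip local pool is covered by the nat 0 exemption ACL so replies are not NATed. The sample text is the counter section copied from the second output posted above; the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample input: the counter section of the second
# "show crypto ipsec sa" posted in this thread (decrypting, never encrypting).
SAMPLE_SA = """\
interface: outside
    Crypto map tag: hpcisco, seq num: 20, local addr: 218.87.6.76
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
      dynamic allocated peer ip: 10.10.10.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 169, #pkts decrypt: 169, #pkts verify: 169
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
"""

# Only the single-word counters matter here; "not compressed" etc. are skipped.
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")


def parse_sa_counters(text):
    """Return {'encaps': n, 'decaps': n, ...} from a show crypto ipsec sa dump."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    missing = {"encaps", "decaps"} - counters.keys()
    if missing:
        raise ValueError(f"counters not found in output: {sorted(missing)}")
    return counters


def diagnose(counters):
    """Classify the SA by which direction carries traffic."""
    encaps, decaps = counters["encaps"], counters["decaps"]
    if encaps == 0 and decaps == 0:
        # Nothing has entered the tunnel yet: generate traffic from the client first.
        return "idle"
    if decaps > 0 and encaps == 0:
        # Client packets are decrypted but no reply is ever encrypted: the inside
        # hosts cannot reach the pool (missing route) or the reply is being NATed.
        return "no-return-path"
    if encaps > 0 and decaps == 0:
        # Replies leave, nothing arrives: client side (selectors, NAT-T) to check.
        return "no-client-traffic"
    return "bidirectional"


def pool_in_exemption(pool_start, pool_end, acl_destination):
    """True if every address the PIX can hand out is matched by the nat 0 ACL.

    acl_destination is in PIX syntax, e.g. "10.10.10.0 255.255.255.240".
    """
    net = ipaddress.ip_network(acl_destination.replace(" ", "/"), strict=False)
    start = int(ipaddress.ip_address(pool_start))
    end = int(ipaddress.ip_address(pool_end))
    return all(ipaddress.ip_address(addr) in net for addr in range(start, end + 1))


if __name__ == "__main__":
    counters = parse_sa_counters(SAMPLE_SA)
    print("counters:", counters)
    print("verdict:", diagnose(counters))
    # Values from the posted config: pool 10.10.10.1-10.10.10.10, nat 0 ACL /28.
    print("pool exempted from NAT:",
          pool_in_exemption("10.10.10.1", "10.10.10.10", "10.10.10.0 255.255.255.240"))
```

For the posted output the verdict is "no-return-path" while the pool check passes, which narrows the problem to routing on the inside network rather than the NAT exemption: the inside hosts (or their gateway) need a route for the pool pointing at the PIX inside interface, which is exactly what the traceroute test above verifies.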

Wow, I have no ideas, so I downgraded my PIX flash from pix704.bin to pix633.bin, and now it works correctly.

So I suggest you should roll back your flash to 633.