Remote VPN issue

vinoth.kumar · ‎08-28-2009

I have a remote site and i need to access the network through remote VPN and i made the configuration and remote VPN is connected but not able to ping the internal host including PIX inside IP

PIX OS : 8X.0.X.X

PIX IS : 192.168.170.1

config :

interface Ethernet0

nameif outside

security-level 0

ip address XX.8X.XX.XX 255.255.255.224

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.170.1 255.255.255.0

!

interface Ethernet2

description STATE Failover Interface

speed 100

duplex full

!

interface Ethernet3

shutdown

no nameif

no security-level

no ip address

ftp mode passive

dns server-group DefaultDNS

domain-name LYCASWE

access-list 101 extended permit ip any 192.168.170.248 255.255.255.248

access-list 110 extended permit ip 192.168.170.0 255.255.255.0 10.195.0.0 255.25

5.0.0

access-list VPN-MAR extended permit ip 192.168.170.0 255.255.255.0 10.195.0.0 25

5.255.0.0

pager lines 24

logging console debugging

mtu outside 1500

mtu inside 1500

ip local pool RemoteVPNpool 192.168.170.250-192.168.170.254

failover

failover polltime unit 3 holdtime 9

failover link STATE Ethernet2

failover interface ip STATE 172.16.35.1 255.255.255.0 standby 172.16.35.2

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 110

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 XX.8X.XX.XX 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set VPN_OFFICE-set esp-3des esp-sha-hmac

crypto ipsec transform-set RVPN esp-des esp-md5-hmac

crypto ipsec transform-set RVPN1 esp-3des esp-md5-hmac

crypto dynamic-map DYN-map 1 set transform-set RVPN RVPN1

crypto map Sweden-map 11 match address VPN-MAR

crypto map Sweden-map 11 set peer xx7.xx8.1xx.xx

crypto map Sweden-map 11 set transform-set VPN_OFFICE-set

crypto map Sweden-map 20 ipsec-isakmp dynamic DYN-map

crypto map Sweden-map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 13

authentication pre-share

encryption 3des

hash md5

group 1

lifetime 86400

crypto isakmp policy 14

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 28800

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 10.0.0.0 255.0.0.0 inside

ssh timeout 10

console timeout 0

management-access inside

service-policy global_policy global

group-policy RAswe internal

group-policy RAswe attributes

user-authentication enable

username admin password XXXXXXXX encrypted

tunnel-group xx7.xx8.1xx.xx type ipsec-l2l

tunnel-group xx7.xx8.1xx.xx ipsec-attributes

pre-shared-key

tunnel-group RAswe type ipsec-ra

tunnel-group RAswe general-attributes

address-pool RemoteVPNpool

default-group-policy RAswe

tunnel-group RAswe ipsec-attributes

pre-shared-key

andrew.prince · ‎08-28-2009

1) Use a seperate IP Subnet for remote VPN connections

2) You need to add the VPN subnet to your no-nat rule, acl 110

3) You will not be able to ping the inside IP of the PIX - this is normal and by design.

4) If you want to access the remote site over the IPSEC tunnel you need to enable same security traffic.

HTH>