xbw
New Member

vpn client can't access to internal pix/asa

I am using pix 7.0 and vpn client 4.8 .

I can connect with the pix outside (208.87.60.177), but the vpn client can't see the subnet of the pix inside (168.x.x.0). VPN client can't access the internal subnet. Please help me, thanks!

1. Network Diagram

vpn client-----(Internet)------pix---168.x.x.x

2. CONFIGURATION

pixfirewall(config)# show run

: Saved

:

PIX Version 7.0(4)12

!

interface Ethernet0

nameif outside

security-level 0

ip address isp_addr 255.255.255.192 standby isp_addr

!

interface Ethernet1

nameif inside

security-level 100

ip address 168.x.x.x.255.255.0 standby 168.50.6.151

!

access-list inside_nat0_outbound extended permit ip any 172.16.16.0 255.255.255.0

access-list outside_cryptomap_dyn_20 extended permit ip any 172.16.16.0 255.255.255.0

ip local pool hpcisco 172.16.16.1-172.16.16.254 mask 255.255.255.0

failover

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 168.x.x.x.255.255.0

route outside 0.0.0.0 0.0.0.0 isp 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption 3des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

tunnel-group hpcisco type ipsec-ra

tunnel-group hpcisco general-attributes

address-pool hpcisco

tunnel-group hpcisco ipsec-attributes

pre-shared-key *
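The replies that follow circle around the same three configuration points: the NAT-exemption ACL behind `nat (inside) 0`, the dynamic crypto-map ACL, and whether the client pool is reachable from the inside. The script below is an added example (not part of this thread and not a Cisco tool) that parses a PIX 7.x running-config in the form posted above and tests those points mechanically. The embedded config is a constructed copy of the one posted; the masked inside network is filled in as 168.50.6.0/24, an assumption taken from the standby address, and the "broken" variant is made up to show a check failing.

```python
"""Check the remote-access VPN pieces of a PIX 7.x running-config.

Added example, not from the thread or from Cisco: it parses a config in the
form posted above and tests that the ACL behind `nat (inside) 0` exempts
traffic to the client pool from NAT, that the dynamic crypto-map ACL covers
the pool, that `sysopt connection permit-ipsec` is present, and that the
pool does not overlap the inside network.
"""
import ipaddress
import re

# Constructed sample: the thread's config with the masked inside network
# filled in as 168.50.6.0/24 (an assumption based on the standby address).
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip any 172.16.16.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 172.16.16.0 255.255.255.0
ip local pool hpcisco 172.16.16.1-172.16.16.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 168.50.6.0 255.255.255.0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
sysopt connection permit-ipsec
tunnel-group hpcisco general-attributes
 address-pool hpcisco
"""

# Same config with the NAT-exemption ACL pointing at the wrong /24: the kind
# of slip that leaves the tunnel up but the inside unreachable.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    "inside_nat0_outbound extended permit ip any 172.16.16.0",
    "inside_nat0_outbound extended permit ip any 172.16.17.0",
)


def _operand(tokens):
    """Consume one ACL address operand (any | host A | A MASK); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'extended permit ip' lines."""
    acls = {}
    for m in re.finditer(r"^access-list (\S+) extended permit ip (.+)$", config, re.M):
        src, rest = _operand(m.group(2).split())
        dst, _ = _operand(rest)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                            ipaddress.ip_address(m.group(3)))
    return pools


def acl_covers_pool(entries, pool):
    """True if one entry's destination network contains the whole pool range."""
    first, last = pool
    return any(first in dst and last in dst for _src, dst in entries)


def check_vpn_client_config(config):
    """Run the checks; returns {check_name: bool} with True meaning 'looks right'."""
    acls, pools, results = parse_acls(config), parse_pools(config), {}
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    nat0_entries = acls.get(m.group(1), []) if m else []
    crypto_acls = [acls.get(n, []) for n in
                   re.findall(r"^crypto dynamic-map \S+ \d+ match address (\S+)", config, re.M)]
    m = re.search(r"^nat \(inside\) 1 (\S+) (\S+)", config, re.M)
    inside_net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False) if m else None
    for name, pool in pools.items():
        results[f"nat0_exempts_{name}"] = acl_covers_pool(nat0_entries, pool)
        results[f"crypto_acl_covers_{name}"] = any(acl_covers_pool(e, pool) for e in crypto_acls)
        results[f"{name}_outside_inside_net"] = (
            inside_net is None or not (pool[0] in inside_net or pool[1] in inside_net))
    results["sysopt_permit_ipsec"] = bool(
        re.search(r"^sysopt connection permit-ipsec", config, re.M))
    return results


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label)
        for check, ok in check_vpn_client_config(cfg).items():
            print(f"  {'OK ' if ok else 'BAD'} {check}")
```

Run against the posted config every check passes, which is consistent with the later replies moving on to routing rather than the firewall rules; the broken variant shows how a single wrong octet in the `nat 0` ACL is caught.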

10 REPLIES

Re: vpn client can't access to internal pix/asa

Have you enabled NAT traversal? If you are behind a device doing NAT then you need to enable this feature:

isakmp nat-traversal 30

xbw
New Member

Re: vpn client can't access to internal pix/asa

Many thanks, I have added this command, but the situation is the same.

isakmp nat-traversal 30

Re: vpn client can't access to internal pix/asa

Can you post the output of

show running-config sysopt

xbw
New Member

Re: vpn client can't access to internal pix/asa

Thanks. Result of the command "show running-config sysopt":

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

no sysopt uauth allow-http-cache

sysopt connection permit-ipsec

Re: vpn client can't access to internal pix/asa

Can you please add the following access list and apply it to the internal interface:

access-list Inside_out extended permit ip any 172.16.16.0 255.255.255.0

access-group Inside_out in interface Inside

xbw
New Member

Re: vpn client can't access to internal pix/asa

I have added the access-list, but show access-list indicates hitcnt=0, as follows. Thanks!

access-list Inside_out; 1 elements

access-list Inside_out line 1 extended permit ip any 172.16.16.0 255.255.255.0 (hitcnt=0)

New Member

Re: vpn client can't access to internal pix/asa

Does your inside router know what to do with 172.16.16.0? You may have to add a static route to it:

ip route 172.16.16.0 255.255.255.0 168.x.x.x (where 168.x.x.x is the inside address of the pix).

xbw
New Member

Re: vpn client can't access to internal pix/asa

I have tried, but it doesn't work.

New Member

Re: vpn client can't access to internal pix/asa

Hi, can you change your access-list configuration to something like:

access-list outside_cryptomap_dyn_20 extended permit ip 168.50.x.x 255.255.255.0 172.16.16.0 255.255.255.0

gopikrish

Cisco Employee

Re: vpn client can't access to internal pix/asa

Hello,

I hope that the problem is solved by now. In case it is not, could you please paste the complete configuration, probably as an attachment.

There could be many possibilities for the VPN client not communicating. With 7.0 I have limited experience; however, conceptually it is not very different from 6.x.

Please paste the complete configuration.

Connect with the VPN client.

Ping something on the inside.

Check the encryption, decryption status on the Client.

Check the sh cry ipsec sa output and note the decryption counter. If you see something there, that means you received what the client had sent.

Then check if you (the PIX) are encrypting something.

Vikas
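The counter check Vikas describes (decrypt counter rising means the PIX received the client's packets; encrypt counter staying at zero means nothing is going back) is easy to automate over the output of `show crypto ipsec sa`. The script below is an added example, not part of his reply and not a Cisco tool: it pulls the `#pkts encaps` / `#pkts decaps` counters per peer and maps the pattern to the direction that is failing. The sample output is constructed to mirror the PIX 7 layout; 208.87.60.177 is the outside address from the thread, while the peer 203.0.113.10 and the counter values are made up to show the one-way case this thread describes.

```python
"""Interpret `show crypto ipsec sa` counters to localise a one-way VPN fault.

Added example (not from the thread or from Cisco). A rising decaps counter
with encaps stuck at zero means the PIX receives the client's traffic but
never sends anything back, which points at the inside path (routing for the
pool, NAT exemption) rather than at the tunnel itself.
"""
import re

# Constructed sample in the PIX 7 `show crypto ipsec sa` layout. The outside
# address 208.87.60.177 is from the thread; the peer and counters are made up.
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 208.87.60.177

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.16.1/255.255.255.255/0/0)
      current_peer: 203.0.113.10
      dynamic allocated peer ip: 172.16.16.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
      #pkts compressed: 0, #pkts decompressed: 0
      #send errors: 0, #recv errors: 0
"""


def parse_sa_counters(output):
    """Return one {'peer', 'encaps', 'decaps'} record per crypto-map SA block."""
    records = []
    # Each SA starts with its own "Crypto map tag:" line; split there.
    for block in re.split(r"\n(?=\s*Crypto map tag:)", output):
        peer = re.search(r"current_peer: (\S+)", block)
        encaps = re.search(r"#pkts encaps: (\d+)", block)
        decaps = re.search(r"#pkts decaps: (\d+)", block)
        if peer and encaps and decaps:
            records.append({
                "peer": peer.group(1).rstrip(","),
                "encaps": int(encaps.group(1)),
                "decaps": int(decaps.group(1)),
            })
    return records


def diagnose(record):
    """Map the encaps/decaps pattern to the direction that is failing."""
    if record["decaps"] == 0 and record["encaps"] == 0:
        return ("no traffic in either direction: client packets are not reaching "
                "the PIX (check tunnel state, NAT traversal, client routes)")
    if record["encaps"] == 0:
        return ("one-way: PIX decrypts client traffic but encrypts nothing back; "
                "replies are not returning to the pool (check inside routing for "
                "172.16.16.0/24 and the nat 0 exemption)")
    if record["decaps"] == 0:
        return ("one-way: PIX sends to the client but receives nothing; suspect the "
                "client-side path or an intervening NAT device")
    return ("both directions flowing through the PIX; look beyond the firewall "
            "(host firewall, server default route)")


def diagnose_all(output):
    """Return {peer: diagnosis} for every SA found in the command output."""
    return {r["peer"]: diagnose(r) for r in parse_sa_counters(output)}


if __name__ == "__main__":
    for peer, verdict in diagnose_all(SAMPLE_SA_OUTPUT).items():
        print(f"{peer}: {verdict}")
```

In the thread's situation (tunnel up, client sees nothing inside, `hitcnt=0` on the inside ACL) the expected pattern is exactly the sample's: decaps climbing with every ping, encaps at zero, which is why the replies turn to the return path (the inside router's route for the pool and the `nat 0` exemption) rather than to IKE.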
