Cisco Systems vpngroup to pix515 (repost 2)

Posted by dspnyc on June 21, 2006, 3:58 pm
I apologize in advance for re-posting the same question. I'm only
trying to solve an issue.

environment:
pix 515, running 6.3.3

issue:
* I'm trying to make IPSEC/PPTP connections into the pix.
* client can connect, receives an address from "ip local pool vpn"
* once connected, client cannot reach anything on 192.168.10.0/24

recent changes:
* created specific ACLs for nonat, crypto & split tunnel. Same problem
persists.

thank you for any/all comments.

sanitized conf is below.
-----------------------------------------------------------------------
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security20
nameif ethernet3 dmz security20
nameif ethernet4 e4 security0
nameif ethernet5 e5 security0
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol domain 53
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list soc2800 permit ip host 216.74.163.199 host 65.197.254.5
access-list soc2800 permit ip host 216.74.163.199 63.108.175.0 255.255.255.0
access-list inside permit ip 192.168.0.0 255.255.0.0 host 192.168.12.1
access-list inside permit ip 192.168.0.0 255.255.0.0 host 192.168.12.2
access-list inside permit udp 192.168.0.0 255.255.0.0 host 216.74.163.194 eq ntp
access-list inside permit udp 192.168.0.0 255.255.0.0 host 216.74.163.195 eq ntp
access-list inside permit icmp any any echo
access-list inside permit icmp any any unreachable
access-list inside permit icmp any any source-quench
access-list inside permit icmp any any time-exceeded
access-list inside remark ###### allow ftp to ftp.lim.com
access-list inside permit tcp 192.168.10.0 255.255.255.0 host 12.43.226.2 eq ftp
access-list inside permit tcp host 192.168.10.80 any eq www
access-list inside permit tcp host 192.168.10.80 any eq ftp
access-list inside permit tcp host 192.168.10.80 any eq https
access-list inside permit tcp host 192.168.10.80 any eq ssh
access-list inside permit tcp host 192.168.10.80 any eq smtp
access-list inside permit ip 10.0.0.0 255.255.0.0 host 192.168.12.1
access-list inside permit ip 10.0.0.0 255.255.0.0 host 192.168.12.2
access-list inside permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list inside permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside permit tcp host 192.168.10.80 any eq telnet
access-list inside permit tcp host 192.168.10.157 any eq https
access-list inside permit tcp host 192.168.10.156 any eq smtp
access-list inside permit tcp host 192.168.10.156 any eq https
access-list inside permit udp host 192.168.10.156 any eq ntp
access-list inside permit udp host 192.168.10.157 any eq ntp
access-list inside permit udp host 192.168.10.157 any eq domain
access-list inside permit udp host 192.168.10.156 any eq domain
access-list inside permit tcp host 192.168.10.157 any eq domain
access-list inside permit tcp host 192.168.10.156 any eq domain
access-list inside permit tcp host 192.168.10.199 any eq domain
access-list inside permit udp host 192.168.10.199 any eq domain
access-list inside permit tcp host 192.168.10.197 any eq domain
access-list inside permit udp host 192.168.10.197 any eq domain
access-list inside permit tcp 192.168.10.0 255.255.255.0 209.132.177.0 255.255.255.0 eq www
access-list inside permit tcp 192.168.10.0 255.255.255.0 209.132.177.0 255.255.255.0 eq https
access-list inside permit tcp 192.168.0.0 255.255.0.0 host 208.173.140.54 eq smtp
access-list inside permit tcp host 192.168.10.199 host 192.88.69.69 eq ftp
access-list inside permit tcp host 192.168.10.197 host 192.88.69.69 eq ftp
access-list inside permit tcp host 192.168.10.185 any eq smtp
access-list inside remark ##### allow all machines out to futuresource.com and xml.marketcenter.com on 4004
access-list inside permit tcp 192.168.10.0 255.255.255.0 any eq 4004
access-list inside remark ###### allow specific machines out
access-list inside permit tcp host 192.168.10.185 any eq www
access-list inside permit tcp host 192.168.10.185 any eq https
access-list inside permit tcp host 192.168.10.200 any eq www
access-list inside permit tcp host 192.168.10.201 any eq www
access-list inside permit tcp host 192.168.10.200 any eq https
access-list inside permit tcp host 192.168.10.201 any eq https
access-list inside permit tcp host 192.168.10.200 any eq ftp
access-list inside permit tcp host 192.168.10.201 any eq ftp
access-list inside remark ###### LAN --> border network
access-list inside permit tcp 192.168.10.0 255.255.255.0 216.74.163.192 255.255.255.224 eq telnet
access-list inside remark #### allow VPN local pool ips
access-list inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any time-exceeded
access-list outside permit tcp any host 216.74.163.204 eq https
access-list outside permit tcp any host 216.74.163.204 eq www
access-list outside permit tcp any host 216.74.163.209 eq www
access-list outside permit tcp any host 216.74.163.209 eq https
access-list outside permit tcp any host 216.74.163.205 eq www
access-list outside permit tcp any host 216.74.163.205 eq https
access-list outside permit tcp any host 216.74.163.203 eq www
access-list outside permit tcp any host 216.74.163.203 eq https
access-list outside permit tcp any host 216.74.163.201 eq www
access-list outside permit tcp any host 216.74.163.201 eq https
access-list outside permit tcp any host 216.74.146.250 eq www
access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq ssh
access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq 10000
access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq 8888
access-list outside permit esp host 12.146.1.11 host 216.74.146.244
access-list outside permit esp host 12.146.1.11 host 216.74.146.245
access-list outside permit tcp any host 216.74.163.202 eq 24
access-list outside permit tcp any host 216.74.146.244 eq ssh
access-list outside permit tcp any host 216.74.146.245 eq ssh
access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list outside remark ##### deny below added per SOC incident 19319363
access-list outside deny tcp any host 67.85.186.115
access-list dmz permit udp 216.74.146.240 255.255.255.240 host 216.74.163.194 eq ntp
access-list dmz permit udp 216.74.146.240 255.255.255.240 host 216.74.163.195 eq ntp
access-list dmz permit icmp any any echo
access-list dmz permit icmp any any unreachable
access-list dmz permit icmp any any time-exceeded
access-list dmz permit tcp host 216.74.146.250 host 24.213.162.100 eq smtp
access-list dmz permit tcp host 216.74.146.250 any eq domain
access-list dmz permit udp host 216.74.146.250 any eq domain
access-list dmz permit tcp host 216.74.146.250 any eq ssh
access-list dmz permit udp host 216.74.146.244 host 12.146.1.11 eq isakmp
access-list dmz permit udp host 216.74.146.245 host 12.146.1.11 eq isakmp
access-list dmz permit esp host 216.74.146.245 host 12.146.1.11
access-list dmz permit esp host 216.74.146.244 host 12.146.1.11
access-list dmz permit tcp host 216.74.146.245 host 192.168.10.57 eq 2036
access-list dmz permit tcp host 216.74.146.244 host 192.168.10.57 eq 2036
access-list dmz permit tcp host 216.74.146.244 host 192.168.10.57 eq ssh
access-list dmz permit tcp host 216.74.146.245 host 192.168.10.57 eq ssh
access-list dmz permit tcp host 216.74.146.245 host 192.168.10.55 eq 2036
access-list dmz permit tcp host 216.74.146.244 host 192.168.10.55 eq 2036
access-list dmz permit tcp host 216.74.146.244 host 192.168.10.55 eq ssh
access-list dmz permit tcp host 216.74.146.245 host 192.168.10.55 eq ssh
access-list 628broadway permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list exovpn permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging standby
logging trap debugging
logging history informational
logging facility 23
logging device-id hostname
logging host outside x.x.x.x
logging host inside x.x.x.x
no logging message 302015
no logging message 302014
no logging message 302013
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu failover 1500
mtu dmz 1500
mtu e4 1500
mtu e5 1500
ip address outside x.x.x.x 255.255.255.224
ip address inside 192.168.12.1 255.255.255.0
ip address failover 192.168.14.1 255.255.255.252
ip address dmz x.x.x.x 255.255.255.240
no ip address e4
no ip address e5
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 172.16.1.1-172.16.1.100
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside x.x.x.x
failover ip address inside 192.168.12.2
failover ip address failover 192.168.14.2
failover ip address dmz x.x.x.x
no failover ip address e4
no failover ip address e5
failover link failover
no pdm history enable
arp outside 216.74.163.193 0000.0c07.ac00 alias
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
nat (inside) 1 192.168.12.0 255.255.255.0 0 0
nat (inside) 1 192.168.13.0 255.255.255.0 0 0
nat (inside) 1 192.168.20.0 255.255.255.0 0 0
nat (inside) 1 192.168.21.0 255.255.255.0 0 0
nat (inside) 1 192.168.22.0 255.255.255.0 0 0
nat (inside) 1 192.168.23.0 255.255.255.0 0 0
static (inside,outside) tcp 216.74.163.205 www 192.168.10.99 8022 netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.74.163.205 https 192.168.10.99 8021 netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.74.163.201 www 192.168.10.99 8002 netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.74.163.201 https 192.168.10.99 8001 netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.74.163.203 www 192.168.10.99 9002 netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.74.163.203 https 192.168.10.99 9001 netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.74.163.204 www 192.168.10.99 8032 netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.74.163.204 https 192.168.10.99 8031 netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.74.163.202 24 192.168.10.156 24 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
static (inside,dmz) 192.168.11.0 192.168.11.0 netmask 255.255.255.0 0 0
static (inside,dmz) 192.168.12.0 192.168.12.0 netmask 255.255.255.0 0 0
static (inside,dmz) 192.168.13.0 192.168.13.0 netmask 255.255.255.0 0 0
static (dmz,outside) 216.74.146.240 216.74.146.240 netmask 255.255.255.240 0 0
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
router ospf 100
network 192.168.12.0 255.255.255.0 area 0
log-adj-changes
redistribute static subnets
route outside 0.0.0.0 0.0.0.0 216.74.163.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.10.156 LehMePo23HHHee timeout 10
aaa-server TACACS+ (inside) host 192.168.10.157 LehMePo23HHHee timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.10.201 1p2o3i4u!!! timeout 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa accounting include telnet inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa accounting include tcp/22 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa accounting include tcp/22 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa accounting include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
no snmp-server location
no snmp-server contact
snmp-server community
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set kiodex esp-3des esp-md5-hmac
crypto ipsec transform-set riptech esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set kiodex
crypto map outside 1 ipsec-isakmp
crypto map outside 1 match address 628broadway
crypto map outside 1 set peer 24.213.162.102
crypto map outside 1 set transform-set kiodex
crypto map outside 10 ipsec-isakmp
crypto map outside 10 match address soc2800
crypto map outside 10 set peer 65.201.134.9
crypto map outside 10 set transform-set riptech
crypto map outside 20 ipsec-isakmp dynamic dynmap
crypto map outside client authentication RADIUS
crypto map outside interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup exovpn address-pool vpn
vpngroup exovpn dns-server 192.168.10.156 192.168.10.157
vpngroup exovpn wins-server 192.168.10.200
vpngroup exovpn default-domain kdx.int
vpngroup exovpn split-tunnel exovpn
vpngroup exovpn idle-time 900
vpngroup exovpn password ********
telnet timeout 10
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 10
console timeout 0
vpdn group exo-pptp accept dialin pptp
vpdn group exo-pptp ppp authentication mschap
vpdn group exo-pptp ppp encryption mppe auto
vpdn group exo-pptp client configuration address local vpn
vpdn group exo-pptp client configuration dns 192.168.10.156 192.168.10.157
vpdn group exo-pptp client configuration wins 192.168.10.200 10.0.0.10
vpdn group exo-pptp client authentication aaa RADIUS
vpdn group exo-pptp pptp echo 60
vpdn enable outside
terminal width 80


Posted by dspnyc on June 26, 2006, 4:47 pm
Please, I really need another set of eyes to look at this.

david



Posted by dspnyc on June 28, 2006, 6:00 pm
Well, after taking some more time & looking through my config, I've
solved the issue myself.

I know you've all been on the edge of your seats, following this
mystery - so here's the answer:

added this to the ACL handling split-tunneling:

access-list exovpn line 1 permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list exovpn line 2 permit ip 192.168.11.0 255.255.255.0 172.16.1.0 255.255.255.0

and suddenly I can get to stuff when I VPN in. Magic!

;-)


> > access-list inside permit tcp host 192.168.10.80 any eq ftp
> > access-list inside permit tcp host 192.168.10.80 any eq https
> > access-list inside permit tcp host 192.168.10.80 any eq ssh
> > access-list inside permit tcp host 192.168.10.80 any eq smtp
> > access-list inside permit ip 10.0.0.0 255.255.0.0 host 192.168.12.1
> > access-list inside permit ip 10.0.0.0 255.255.0.0 host 192.168.12.2
> > access-list inside permit ip 192.168.0.0 255.255.0.0 10.0.0.0
> > 255.255.0.0
> > access-list inside permit ip 192.168.0.0 255.255.0.0 192.168.0.0
> > 255.255.0.0
> > access-list inside permit tcp host 192.168.10.80 any eq telnet
> > access-list inside permit tcp host 192.168.10.157 any eq https
> > access-list inside permit tcp host 192.168.10.156 any eq smtp
> > access-list inside permit tcp host 192.168.10.156 any eq https
> > access-list inside permit udp host 192.168.10.156 any eq ntp
> > access-list inside permit udp host 192.168.10.157 any eq ntp
> > access-list inside permit udp host 192.168.10.157 any eq domain
> > access-list inside permit udp host 192.168.10.156 any eq domain
> > access-list inside permit tcp host 192.168.10.157 any eq domain
> > access-list inside permit tcp host 192.168.10.156 any eq domain
> > access-list inside permit tcp host 192.168.10.199 any eq domain
> > access-list inside permit udp host 192.168.10.199 any eq domain
> > access-list inside permit tcp host 192.168.10.197 any eq domain
> > access-list inside permit udp host 192.168.10.197 any eq domain
> > access-list inside permit tcp 192.168.10.0 255.255.255.0 209.132.177.0
> > 255.255.255.0 eq www
> > access-list inside permit tcp 192.168.10.0 255.255.255.0 209.132.177.0
> > 255.255.255.0 eq https
> > access-list inside permit tcp 192.168.0.0 255.255.0.0 host
> > 208.173.140.54 eq smtp
> > access-list inside permit tcp host 192.168.10.199 host 192.88.69.69 eq
> > ftp
> > access-list inside permit tcp host 192.168.10.197 host 192.88.69.69 eq
> > ftp
> > access-list inside permit tcp host 192.168.10.185 any eq smtp
> > access-list inside remark ##### allow all machines out to
> > futuresource.com and xml.marketcenter.com on 4004
> > access-list inside permit tcp 192.168.10.0 255.255.255.0 any eq 4004
> > access-list inside remark ###### allow specific machines out
> > access-list inside permit tcp host 192.168.10.185 any eq www
> > access-list inside permit tcp host 192.168.10.185 any eq https
> > access-list inside permit tcp host 192.168.10.200 any eq www
> > access-list inside permit tcp host 192.168.10.201 any eq www
> > access-list inside permit tcp host 192.168.10.200 any eq https
> > access-list inside permit tcp host 192.168.10.201 any eq https
> > access-list inside permit tcp host 192.168.10.200 any eq ftp
> > access-list inside permit tcp host 192.168.10.201 any eq ftp
> > access-list inside remark ###### LAN --> border network
> > access-list inside permit tcp 192.168.10.0 255.255.255.0 216.74.163.192
> > 255.255.255.224 eq telnet
> > access-list inside remark #### allw VPN local pool ips
> > access-list inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0
> > 255.255.255.0
> > access-list outside permit icmp any any echo-reply
> > access-list outside permit icmp any any unreachable
> > access-list outside permit icmp any any time-exceeded
> > access-list outside permit tcp any host 216.74.163.204 eq https
> > access-list outside permit tcp any host 216.74.163.204 eq www
> > access-list outside permit tcp any host 216.74.163.209 eq www
> > access-list outside permit tcp any host 216.74.163.209 eq https
> > access-list outside permit tcp any host 216.74.163.205 eq www
> > access-list outside permit tcp any host 216.74.163.205 eq https
> > access-list outside permit tcp any host 216.74.163.203 eq www
> > access-list outside permit tcp any host 216.74.163.203 eq https
> > access-list outside permit tcp any host 216.74.163.201 eq www
> > access-list outside permit tcp any host 216.74.163.201 eq https
> > access-list outside permit tcp any host 216.74.146.250 eq www
> > access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq
> > ssh
> > access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq
> > 10000
> > access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq
> > 8888
> > access-list outside permit esp host 12.146.1.11 host 216.74.146.244
> > access-list outside permit esp host 12.146.1.11 host 216.74.146.245
> > access-list outside permit tcp any host 216.74.163.202 eq 24
> > access-list outside permit tcp any host 216.74.146.244 eq ssh
> > access-list outside permit tcp any host 216.74.146.245 eq ssh
> > access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.10.0
> > 255.255.255.0
> > access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.11.0
> > 255.255.255.0
> > access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.12.0
> > 255.255.255.0
> > access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.13.0
> > 255.255.255.0
> > access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.20.0
> > 255.255.255.0
> > access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.21.0
> > 255.255.255.0
> > access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.22.0
> > 255.255.255.0
> > access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.23.0
> > 255.255.255.0
> > access-list outside remark ##### deny below added per SOC incident
> > 19319363
> > access-list outside deny tcp any host 67.85.186.115
> > access-list dmz permit udp 216.74.146.240 255.255.255.240 host
> > 216.74.163.194 eq ntp
> > access-list dmz permit udp 216.74.146.240 255.255.255.240 host
> > 216.74.163.195 eq ntp
> > access-list dmz permit icmp any any echo
> > access-list dmz permit icmp any any unreachable
> > access-list dmz permit icmp any any time-exceeded
> > access-list dmz permit tcp host 216.74.146.250 host 24.213.162.100 eq
> > smtp
> > access-list dmz permit tcp host 216.74.146.250 any eq domain
> > access-list dmz permit udp host 216.74.146.250 any eq domain
> > access-list dmz permit tcp host 216.74.146.250 any eq ssh
> > access-list dmz permit udp host 216.74.146.244 host 12.146.1.11 eq
> > isakmp
> > access-list dmz permit udp host 216.74.146.245 host 12.146.1.11 eq
> > isakmp
> > access-list dmz permit esp host 216.74.146.245 host 12.146.1.11
> > access-list dmz permit esp host 216.74.146.244 host 12.146.1.11
> > access-list dmz permit tcp host 216.74.146.245 host 192.168.10.57 eq
> > 2036
> > access-list dmz permit tcp host 216.74.146.244 host 192.168.10.57 eq
> > 2036
> > access-list dmz permit tcp host 216.74.146.244 host 192.168.10.57 eq
> > ssh
> > access-list dmz permit tcp host 216.74.146.245 host 192.168.10.57 eq
> > ssh
> > access-list dmz permit tcp host 216.74.146.245 host 192.168.10.55 eq
> > 2036
> > access-list dmz permit tcp host 216.74.146.244 host 192.168.10.55 eq
> > 2036
> > access-list dmz permit tcp host 216.74.146.244 host 192.168.10.55 eq
> > ssh
> > access-list dmz permit tcp host 216.74.146.245 host 192.168.10.55 eq
> > ssh
> > access-list 628broadway permit ip 192.168.0.0 255.255.0.0 10.0.0.0
> > 255.255.0.0
> > access-list exovpn permit ip 172.16.1.0 255.255.255.0 192.168.0.0
> > 255.255.0.0
> > access-list nonat permit ip 192.168.0.0 255.255.0.0 10.0.0.0
> > 255.255.0.0
> > access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.1.0
> > 255.255.255.0
> > pager lines 24
> > logging on
> > logging timestamp
> > logging standby
> > logging trap debugging
> > logging history informational
> > logging facility 23
> > logging device-id hostname
> > logging host outside x.x.x.x
> > logging host inside x.x.x.x
> > no logging message 302015
> > no logging message 302014
> > no logging message 302013
> > icmp permit any inside
> > mtu outside 1500
> > mtu inside 1500
> > mtu failover 1500
> > mtu dmz 1500
> > mtu e4 1500
> > mtu e5 1500
> > ip address outside x.x.x.x 255.255.255.224
> > ip address inside 192.168.12.1 255.255.255.0
> > ip address failover 192.168.14.1 255.255.255.252
> > ip address dmz x.x.x.x 255.255.255.240
> > no ip address e4
> > no ip address e5
> > ip audit info action alarm
> > ip audit attack action alarm
> > ip local pool vpn 172.16.1.1-172.16.1.100
> > failover
> > failover timeout 0:00:00
> > failover poll 15
> > failover ip address outside x.x.x.x
> > failover ip address inside 192.168.12.2
> > failover ip address failover 192.168.14.2
> > failover ip address dmz x.x.x.x
> > no failover ip address e4
> > no failover ip address e5
> > failover link failover
> > no pdm history enable
> > arp outside 216.74.163.193 0000.0c07.ac00 alias
> > arp timeout 14400
> > global (outside) 1 interface
> > nat (inside) 0 access-list nonat
> > nat (inside) 1 192.168.10.0 255.255.255.0 0 0
> > nat (inside) 1 192.168.11.0 255.255.255.0 0 0
> > nat (inside) 1 192.168.12.0 255.255.255.0 0 0
> > nat (inside) 1 192.168.13.0 255.255.255.0 0 0
> > nat (inside) 1 192.168.20.0 255.255.255.0 0 0
> > nat (inside) 1 192.168.21.0 255.255.255.0 0 0
> > nat (inside) 1 192.168.22.0 255.255.255.0 0 0
> > nat (inside) 1 192.168.23.0 255.255.255.0 0 0
> > static (inside,outside) tcp 216.74.163.205 www 192.168.10.99 8022
> > netmask 255.255.255.255 0 0
> > static (inside,outside) tcp 216.74.163.205 https 192.168.10.99 8021
> > netmask 255.255.255.255 0 0
> > static (inside,outside) tcp 216.74.163.201 www 192.168.10.99 8002
> > netmask 255.255.255.255 0 0
> > static (inside,outside) tcp 216.74.163.201 https 192.168.10.99 8001
> > netmask 255.255.255.255 0 0
> > static (inside,outside) tcp 216.74.163.203 www 192.168.10.99 9002
> > netmask 255.255.255.255 0 0
> > static (inside,outside) tcp 216.74.163.203 https 192.168.10.99 9001
> > netmask 255.255.255.255 0 0
> > static (inside,outside) tcp 216.74.163.204 www 192.168.10.99 8032
> > netmask 255.255.255.255 0 0
> > static (inside,outside) tcp 216.74.163.204 https 192.168.10.99 8031
> > netmask 255.255.255.255 0 0
> > static (inside,outside) tcp 216.74.163.202 24 192.168.10.156 24 netmask
> > 255.255.255.255 0 0
> > static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
> >
> > static (inside,dmz) 192.168.11.0 192.168.11.0 netmask 255.255.255.0 0 0
> >
> > static (inside,dmz) 192.168.12.0 192.168.12.0 netmask 255.255.255.0 0 0
> >
> > static (inside,dmz) 192.168.13.0 192.168.13.0 netmask 255.255.255.0 0 0
> >
> > static (dmz,outside) 216.74.146.240 216.74.146.240 netmask
> > 255.255.255.240 0 0
> > access-group outside in interface outside
> > access-group inside in interface inside
> > access-group dmz in interface dmz
> > router ospf 100
> > network 192.168.12.0 255.255.255.0 area 0
> > log-adj-changes
> > redistribute static subnets
> > route outside 0.0.0.0 0.0.0.0 216.74.163.193 1
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
> > 1:00:00
> > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server TACACS+ (inside) host 192.168.10.156 LehMePo23HHHee timeout
> > 10
> > aaa-server TACACS+ (inside) host 192.168.10.157 LehMePo23HHHee timeout
> > 10
> > aaa-server RADIUS protocol radius
> > aaa-server RADIUS (inside) host 192.168.10.201 1p2o3i4u!!! timeout 10
> > aaa-server LOCAL protocol local
> > aaa authentication telnet console TACACS+
> > aaa authentication ssh console TACACS+
> > aaa accounting include telnet inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
> > TACACS+
> > aaa accounting include tcp/22 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
> > TACACS+
> > aaa accounting include tcp/22 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
> > TACACS+
> > aaa accounting include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
> > TACACS+
> > no snmp-server location
> > no snmp-server contact
> > snmp-server community
> > snmp-server enable traps
> > floodguard enable
> > sysopt connection permit-ipsec
> > sysopt connection permit-pptp
> > crypto ipsec transform-set kiodex esp-3des esp-md5-hmac
> > crypto ipsec transform-set riptech esp-3des esp-md5-hmac
> > crypto dynamic-map dynmap 10 set transform-set kiodex
> > crypto map outside 1 ipsec-isakmp
> > crypto map outside 1 match address 628broadway
> > crypto map outside 1 set peer 24.213.162.102
> > crypto map outside 1 set transform-set kiodex
> > crypto map outside 10 ipsec-isakmp
> > crypto map outside 10 match address soc2800
> > crypto map outside 10 set peer 65.201.134.9
> > crypto map outside 10 set transform-set riptech
> > crypto map outside 20 ipsec-isakmp dynamic dynmap
> > crypto map outside client authentication RADIUS
> > crypto map outside interface outside
> > isakmp enable outside
> > isakmp key ******** address x.x.x.x netmask 255.255.255.255
> > isakmp key ******** address x.x.x.x netmask 255.255.255.255
> > isakmp identity address
> > isakmp policy 10 authentication pre-share
> > isakmp policy 10 encryption 3des
> > isakmp policy 10 hash md5
> > isakmp policy 10 group 2
> > isakmp policy 10 lifetime 86400
> > vpngroup exovpn address-pool vpn
> > vpngroup exovpn dns-server 192.168.10.156 192.168.10.157
> > vpngroup exovpn wins-server 192.168.10.200
> > vpngroup exovpn default-domain kdx.int
> > vpngroup exovpn split-tunnel exovpn
> > vpngroup exovpn idle-time 900
> > vpngroup exovpn password ********
> > telnet timeout 10
> > ssh 192.168.10.0 255.255.255.0 inside
> > ssh timeout 10
> > console timeout 0
> > vpdn group exo-pptp accept dialin pptp
> > vpdn group exo-pptp ppp authentication mschap
> > vpdn group exo-pptp ppp encryption mppe auto
> > vpdn group exo-pptp client configuration address local vpn
> > vpdn group exo-pptp client configuration dns 192.168.10.156
> > 192.168.10.157
> > vpdn group exo-pptp client configuration wins 192.168.10.200 10.0.0.10
> > vpdn group exo-pptp client authentication aaa RADIUS
> > vpdn group exo-pptp pptp echo 60
> > vpdn enable outside
> > terminal width 80
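
The fix dspnyc reports in the follow-up (the split-tunnel ACL needs the inside networks as source and the client pool as destination, not the other way round) can be checked mechanically against a config. The following is an added example, not code from the thread or from Cisco: it assumes the PIX 6.x behaviour that the source network of each ACE in the split-tunnel ACL is what the client receives as a protected network, parses constructed excerpts of the poster's config, and flags any ACE whose source is the pool itself. `covering_network`, `split_tunnel_audit` and `client_tunnels` are hypothetical helper names.

```python
import ipaddress
import re
# Constructed excerpts of the poster's PIX 6.3 config: the original split-tunnel
# ACL (source and destination reversed) and the version with the two ACEs from
# the follow-up inserted as lines 1 and 2. Only the lines the check needs appear.
BROKEN = """
ip local pool vpn 172.16.1.1-172.16.1.100
access-list exovpn permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.0.0
vpngroup exovpn split-tunnel exovpn
"""
FIXED = """
ip local pool vpn 172.16.1.1-172.16.1.100
access-list exovpn permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list exovpn permit ip 192.168.11.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list exovpn permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.0.0
vpngroup exovpn split-tunnel exovpn
"""
ACE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def covering_network(first, last):
    """Smallest prefix containing a pool range such as 172.16.1.1-172.16.1.100."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()
    return net

def split_tunnel_audit(config):
    """Assumed PIX 6.x behaviour: the *source* network of each ACE in the
    split-tunnel ACL is sent to the client as a protected network, and the
    destination must cover the client pool. An ACE whose source is the pool
    itself is reversed and protects nothing the client needs to reach."""
    pool, acl_name, aces = None, None, {}
    for line in config.strip().splitlines():
        words = line.split()
        if words[:3] == ["ip", "local", "pool"]:
            pool = covering_network(*words[4].split("-"))
        elif words[0] == "vpngroup" and words[2:3] == ["split-tunnel"]:
            acl_name = words[3]
        elif m := ACE.match(line):
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}")  # dotted masks are accepted
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}")
            aces.setdefault(m[1], []).append((src, dst))
    protected, reversed_aces = [], []
    for src, dst in aces.get(acl_name, []):
        if src.overlaps(pool) or not pool.subnet_of(dst):
            reversed_aces.append(f"{src} -> {dst}")
        else:
            protected.append(src)
    return {"pool": pool, "protected": protected, "reversed": reversed_aces}

def client_tunnels(audit, destination):
    """True if a connected client would send traffic for 'destination' into the tunnel."""
    ip = ipaddress.ip_address(destination)
    return any(ip in net for net in audit["protected"])
```

Running the audit on BROKEN yields no protected networks (the only ACE is flagged as reversed), while FIXED yields 192.168.10.0/24 and 192.168.11.0/24, so a client now tunnels traffic for 192.168.10.156 but still not for 192.168.12.1.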

