Can connect to PIX 501 with VPN client and ping internal addresses but some limitations

Scenario: Internet---x.x.x.x---ADSL--192.168.1.1 --- 192.168.1.2--(e)-PIX-(i)--10.0.0.1 (10.0.0.0/24)

I have to use the ADSL with NAT (and not bridge) as the provider does not support PPPoE, only PPPoA. I can connect with Cisco VPN client 4.0.3(C). I can ping/telnet to any address on the 10.0.0.0 network. What I can't do is map a drive to any of the other XP hosts on the 10.0.0.0 network. I also get the following occurring within the log: "No route to 10.1.2.255 from 10.1.2.1"

Main parts of the config are posted below.

Questions:

  1. Why the error "No route to 10.1.2.255 from 10.1.2.1"?

  2. Are the following required in order to get to the 10.0.0.0 network once connected via VPN using pool 10.1.2.0/24? (I tried lots to get things to work and am not sure if this is required or not, but main functionality is finally working.)

     access-list outside_crypto permit ip any 10.1.2.0 255.255.255.0
     crypto dynamic-map dynmap 10 match address outside_crypto

  3. Any glaring problems/things that should be changed/removed?

  4. Above is the main requirement. I also have an issue getting "no translation group found" when trying to connect via PuTTY to 10.0.0.35 (Dune) using an SSH tunnel on port 443. The ADSL modem has NAT/PAT set to forward to 10.0.0.35 (Dune): incoming 443, outgoing 443.

     I have tried various options and currently have:

     access-list outside_access_in permit ip any host Dune
     static (inside,outside) tcp interface https Dune https netmask 255.255.255.255 0 0

     What do I need to do for this to work/remove the "no translation group found" issue? (I don't have immediate access now, so may post a separate query on this if there's no "simple" answer.)

Thanks, Mark

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name localdomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.35 Dune
access-list outside_access_in permit ip 10.1.2.0 255.255.255.0 interface inside log
access-list outside_access_in permit ip any host Dune
access-list outside_access_in permit tcp any interface outside eq https
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list outside_crypto permit ip any 10.1.2.0 255.255.255.0
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip local pool ippool 10.1.2.1-10.1.2.254 mask 255.255.255.0
pdm location Dune 255.255.255.255 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 10.1.2.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface https Dune https netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
management-access inside
telnet 10.1.2.0 255.255.255.0 inside
http 10.1.2.0 255.255.255.0 inside
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 match address outside_crypto
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 10.0.0.1
vpngroup vpn3000 wins-server 10.0.0.1
vpngroup vpn3000 default-domain localdomain.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.201-10.0.0.232 inside
dhcpd dns 192.168.1.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
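The questions in the post turn on three decisions the PIX makes for each flow: whether outside_access_in permits it, whether nat (inside) 0 access-list 101 exempts the inside-side traffic from NAT, and whether the static port redirect on the outside interface applies. The Python script below is an added example, not Mark's configuration or any Cisco code: a simplified first-match model of those three checks, evaluated against constructed sample flows (a VPN client at 10.1.2.1 reaching Dune and a second inside host 10.0.0.50, and an Internet host 203.0.113.7 hitting port 443 on the PIX outside address). Interface addresses, the Dune name entry and the access-list lines are taken from the posted config; the model ignores connection state, the sysopt connection permit-ipsec bypass of the interface ACL for decrypted IPsec traffic, and the ADSL modem in front of the PIX.

```python
import ipaddress

# Values taken from the posted config: interface addresses, the "name" entry
# and the symbolic port names that appear in its access-lists.
INTERFACES = {"inside": "10.0.0.1", "outside": "192.168.1.2"}
NAMES = {"Dune": "10.0.0.35"}
PORTS = {"https": 443, "telnet": 23}


def _parse_addr(tokens, i):
    """Parse one PIX address spec at tokens[i]: any | host X | interface IF | net mask.
    Returns (ip_network, index of the next token)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(NAMES.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    if t == "interface":  # the PIX's own address on that interface, not the subnet behind it
        return ipaddress.ip_network(INTERFACES[tokens[i + 1]] + "/32"), i + 2
    net = NAMES.get(t, t)
    return ipaddress.ip_network(f"{net}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' (a subset of PIX 6.3 syntax);
    trailing keywords such as 'log' are ignored."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        port = PORTS[p] if p in PORTS else int(p)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def acl_decision(acl, proto, src, dst, dport=None):
    """First matching entry wins; an ACL with no match denies (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"


def nat_exempt(acl, src, dst):
    """'nat (inside) 0 access-list 101': an inside->outside flow matching the ACL keeps
    its real addresses instead of being PATed to the outside interface address."""
    return acl_decision(acl, "ip", src, dst) == "permit"


def static_redirect(dst, dport):
    """'static (inside,outside) tcp interface https Dune https': inbound TCP to the
    outside interface address on 443 is translated to Dune:443. Anything else has no
    static entry here; an inbound connection with no translation at all is the
    condition the PIX reports as 'no translation group found'."""
    if dst == INTERFACES["outside"] and dport == PORTS["https"]:
        return (NAMES["Dune"], PORTS["https"])
    return None


# The access-lists as posted, in their original syntax.
OUTSIDE_ACCESS_IN = [parse_ace(l) for l in (
    "permit ip 10.1.2.0 255.255.255.0 interface inside log",
    "permit ip any host Dune",
    "permit tcp any interface outside eq https",
)]
ACL_101 = [parse_ace("permit ip 10.0.0.0 255.255.255.0 10.1.2.0 255.255.255.0")]

if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.7 is a documentation address standing in for an Internet host.
    flows = [
        ("tcp", "10.1.2.1", "10.0.0.35", 445),       # VPN client -> Dune, SMB
        ("tcp", "10.1.2.1", "10.0.0.50", 445),       # VPN client -> another inside XP host
        ("tcp", "10.1.2.1", "10.0.0.1", 23),         # VPN client -> PIX inside address
        ("tcp", "203.0.113.7", "192.168.1.2", 443),  # Internet -> PIX outside, HTTPS
        ("tcp", "203.0.113.7", "192.168.1.2", 22),   # Internet -> PIX outside, SSH
    ]
    for proto, src, dst, dport in flows:
        print(f"{src}->{dst}:{dport} acl={acl_decision(OUTSIDE_ACCESS_IN, proto, src, dst, dport)}"
              f" nat0_return={nat_exempt(ACL_101, dst, src)}"
              f" static={static_redirect(dst, dport)}")
```

Running it shows the difference between the two VPN flows: both are covered by the nat 0 exemption on 10.0.0.0/24, but only the one to Dune (or to the PIX's own inside address) is permitted by outside_access_in, which only matters when the IPsec bypass in sysopt connection permit-ipsec is not in effect. The inbound 443 flow matches both the ACL and the static redirect, while 22 matches neither.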

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.