Cisco 515 VPN Traffic can not ping internal hosts

I am trying to get clients running Cisco VPN software to connect to my internal network. Currently the clients can connect and authenticate OK but can't see anything on the inside network.

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Gn7cdoayw6QM/xoG encrypted
passwd Gn7cdoayw6QM/xoG encrypted
hostname PIX515e
domain-name rockeagle
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 168.24.225.12 Relabserver
name 168.24.225.19 Steve
name 168.24.225.21 Tina
name 168.24.225.20 Tandberg
name 168.24.224.0 Rockeagle
name 168.24.225.11 Userfiles
name 168.24.225.18 Cory
access-list outside_access_in remark FTP access to Userfiles
access-list outside_access_in permit tcp any host Userfiles eq ftp
access-list outside_access_in remark Full TCP access to Tandberg
access-list outside_access_in permit tcp any host Tandberg
access-list outside_access_in remark Full TCP access to Tandberg for h323
access-list outside_access_in permit tcp any host Tandberg eq h323
access-list outside_access_in remark Full UDP access to Tandberg
access-list outside_access_in remark
access-list outside_access_in permit udp any host Tandberg
access-list outside_access_in remark Full http access to Userfiles
access-list outside_access_in permit tcp any host Userfiles eq www
access-list outside_access_in remark Full ftp access to Relabserver
access-list outside_access_in permit tcp any host Relabserver eq ftp
access-list outside_access_in remark WWW access to Relabserver
access-list outside_access_in remark
access-list outside_access_in permit tcp any host Relabserver eq www
access-list outside_access_in remark Allow tcp traffic to Tandberg for range 5555 to 5599
access-list outside_access_in remark
access-list outside_access_in permit tcp any host Tandberg range 5555 5599
access-list outside_access_in remark Allow tcp traffic to Tandberg for range 3230 to 3235
access-list outside_access_in remark
access-list outside_access_in permit tcp any host Tandberg range 3230 3235
access-list outside_access_in remark Allow udp traffic to Tandberg for range 2325 to 2387
access-list outside_access_in remark
access-list outside_access_in permit udp any host Tandberg range 2325 2387
access-list outside_access_in remark Allow udp traffic to Tandberg for range 3220 to 3247
access-list outside_access_in remark
access-list outside_access_in permit udp any host Tandberg range 3220 3247
access-list outside_access_in remark FTP access to Tina
access-list outside_access_in permit tcp any host Tina eq ftp
access-list outside_access_in remark PPTP for VPN to RELABSERVER
access-list outside_access_in permit tcp any host Relabserver eq pptp
access-list outside_access_in remark GRE for VPN on RELABSERVER
access-list outside_access_in permit tcp any host Relabserver eq 47
access-list outside_access_in remark PCAnywhere access to Userfiles
access-list outside_access_in permit tcp any host Userfiles eq pcanywhere-data
access-list outside_access_in permit esp any any
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp any eq pptp host Relabserver
access-list inside_outbound_nat0_acl permit ip any 168.24.224.240 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 168.24.224.240 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 168.24.192.141 255.255.255.248
ip address inside 168.24.224.1 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN Cory
ip local pool Steve Steve
ip local pool VPNAdd 168.24.224.245-168.24.224.249
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 168.24.192.142
failover ip address inside 168.24.224.2
pdm location Rockeagle 255.255.254.0 inside
pdm location Userfiles 255.255.255.255 inside
pdm location Relabserver 255.255.255.255 inside
pdm location Cory 255.255.255.255 inside
pdm location Steve 255.255.255.255 inside
pdm location Tina 255.255.255.255 inside
pdm location 168.24.225.0 255.255.255.0 inside
pdm location Tandberg 255.255.255.255 inside
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 72.152.146.187 255.255.255.255 outside
pdm location 128.192.83.0 255.255.255.0 outside
pdm location 168.24.224.240 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,outside) Relabserver Relabserver netmask 255.255.255.255 0 0
static (inside,outside) Rockeagle Rockeagle netmask 255.255.254.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 168.24.192.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 132.163.4.101 source outside
http server enable
http 72.152.146.187 255.255.255.255 outside
http 128.192.83.0 255.255.255.0 outside
http Rockeagle 255.255.254.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community rockeagle
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup state address-pool VPNAdd
vpngroup state dns-server Userfiles 128.192.110.221
vpngroup state wins-server Userfiles 128.192.1.31
vpngroup state default-domain rockeagle
vpngroup state idle-time 1800
vpngroup state password ********
telnet 72.152.146.186 255.255.255.255 outside
telnet Rockeagle 255.255.254.0 inside
telnet timeout 5
ssh 72.152.146.186 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
vpdn username a password *********
vpdn username b password *********
vpdn enable outside
dhcprelay server Userfiles inside
dhcprelay enable outside
terminal width 80
Cryptochecksum:1e38b95a71ebb4117009e37fdb1495e8
: end
Reply to
cpritcha

You should upgrade, there are known security problems in 6.3(1),

6.3(3), and 6.3(5). You can get a free upgrade at least as far as 6.3(4) even if you do not have a support contract.

For the purpose of debugging this problem, we can ignore that ACL since you have sysopt connection permit-ipsec in effect.

Okay, those are appropriate for the case where the VPN clients will have IPs in the range 168.24.224.240 -> .255

And there we hit the problem. In order for your nat0 and dyn_20 to work, your VPN clients have to have IPs in the 168.24.224 range, but that's the same range you have for your inside IPs. That isn't going to work: when the outgoing packets for those clients hit the inside interface, the PIX would see that they are destined to part of the inside interface IP range and would drop the packets.

You do not use those two pools.

You do not have pptp or l2tp defined so you might as well get rid of the latter two of those.

It is unusual these days to use 3DES with MD5: there are known collision attacks on MD5 that reduce its theoretical security.

As per above, 3DES + MD5 is unusual these days. If you are at 6.3(1) and you can use 3DES, your license also allows you to use AES (note: use group 5 for AES). You could put AES-128/SHA and 3DES/SHA as higher priority (lower policy numbers) than your 3DES/MD5, and thereby get the increased security for systems that support it while not affecting connections to any devices that don't support those two.

As discussed above, your VPN address pool must not be part of the same IP range as your inside interface. Use one of the private IP ranges.

You designate an external dns server, but your default domain is "rockeagle" instead of a qualified domain name. Will the external dns server know how to resolve "rockeagle" as a top-level domain?

That can complicate matters: in order to use management-access properly, you need a distinct tunnel with a different transport-mode. I don't know if the VPN client is able to negotiate those tunnels automatically.

Reply to
Walter Roberson
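
An added check, not part of the thread or of any Cisco tool, that makes the pool-overlap point above concrete: it parses the relevant lines of the posted PIX 6.3 config (embedded as a constructed excerpt) and reports when the VPN address pool falls inside the inside-interface subnet or is not covered by the nat0 and crypto ACLs. The "fixed" config below assumes a hypothetical private pool of 192.168.50.0/24, chosen only for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the relevant lines from the posted PIX 6.3(1) config.
PIX_CONFIG = """
ip address inside 168.24.224.1 255.255.254.0
ip local pool VPNAdd 168.24.224.245-168.24.224.249
access-list inside_outbound_nat0_acl permit ip any 168.24.224.240 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 168.24.224.240 255.255.255.240
vpngroup state address-pool VPNAdd
"""

# Hypothetical corrected excerpt: the pool moved to a private range (assumed
# 192.168.50.0/24) and both ACLs updated to match the new pool.
FIXED_CONFIG = """
ip address inside 168.24.224.1 255.255.254.0
ip local pool VPNAdd 192.168.50.1-192.168.50.254
access-list inside_outbound_nat0_acl permit ip any 192.168.50.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.50.0 255.255.255.0
vpngroup state address-pool VPNAdd
"""

def parse_inside_subnet(cfg):
    """Return the inside interface network from 'ip address inside A M'."""
    m = re.search(r"^ip address inside (\S+) (\S+)$", cfg, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)

def parse_pools(cfg):
    """Map pool name -> (first, last) address from 'ip local pool N A-B'."""
    return {name: (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            for name, lo, hi in re.findall(r"^ip local pool (\S+) (\S+)-(\S+)$", cfg, re.M)}

def parse_acl_dst(cfg, acl_name):
    """Destination networks of 'permit ip <src> <dst> <mask>' entries in one ACL."""
    pat = rf"^access-list {re.escape(acl_name)} permit ip \S+ (\S+) (\S+)$"
    return [ipaddress.ip_network(f"{dst}/{mask}", strict=False)
            for dst, mask in re.findall(pat, cfg, re.M)]

def check_pool(cfg, pool_name):
    """Return a list of findings; an empty list means the pool looks sane."""
    inside = parse_inside_subnet(cfg)
    lo, hi = parse_pools(cfg)[pool_name]
    findings = []
    if lo in inside or hi in inside:
        findings.append(f"pool {pool_name} overlaps inside subnet {inside}")
    for acl in ("inside_outbound_nat0_acl", "outside_cryptomap_dyn_20"):
        if not any(lo in net and hi in net for net in parse_acl_dst(cfg, acl)):
            findings.append(f"{acl} does not cover pool {pool_name}")
    if not (lo.is_private and hi.is_private):
        findings.append(f"pool {pool_name} is not in an RFC 1918 range")
    return findings
```

Running `check_pool(PIX_CONFIG, "VPNAdd")` flags the overlap with 168.24.224.0/23, while the same check on `FIXED_CONFIG` returns no findings.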

Thanks for the info. I don't know very much about pix firewalls and don't have a budget to hire a Cisco expert. What commands would you suggest to fix my problems.

Reply to
cpritcha
