cisco client 4.6 connects, but cannot ping resources

i'm at a loss. I'm a beginner at cisco ios and pix. I can connect with cisco 4.6 client, but i cannot ping any inside or outside ips, i can only ping my own ip address. curious thing is that it assigns my pc an ip in the vpn pool, but it also shows that my default gateway is the same ip as my client machine. here is the config:

PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password nUM2QN9DebHxc1Gp encrypted passwd nUM2QN9DebHxc1Gp encrypted hostname pix-breck domain-name mycompany.local clock timezone CST -6 clock summer-time CDT recurring fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list mycompany_splitTunnelAcl permit ip any any access-list inside_outbound_nat0_acl permit ip any 192.168.13.0

255.255.255.224 access-list outside_cryptomap_dyn_20 permit tcp any 192.168.13.0 255.255.255.224 access-list 200 permit icmp any any pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside xxx.xxx.xxx.xxx 255.255.254.0 ip address inside 192.168.0.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool vpnpool 192.168.13.5-192.168.13.25 pdm location 192.168.0.0 255.255.255.0 inside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 192.168.0.0 255.255.0.0 0 0 rip outside default version 2 route inside 192.168.13.0 255.255.255.0 192.168.0.1 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 192.168.0.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside isakmp enable outside isakmp nat-traversal 20 isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 vpngroup mycompany address-pool vpnpool vpngroup mycompany dns-server 192.168.0.10 vpngroup mycompany wins-server 192.168.0.10 vpngroup mycompany default-domain mycompany.local vpngroup mycompany split-tunnel mycompany_splitTunnelAcl vpngroup mycompany idle-time 1800 vpngroup mycompany password ********** telnet 192.168.0.10 255.255.255.255 inside telnet timeout 5 ssh timeout 5 console timeout 15 dhcpd address 192.168.0.100-192.168.0.100 inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside terminal width 80 banner exec Unauthorized access will be prosecuted! Cryptochecksum:b613c16b963d63cd28dbfc6a1a3a5c23

any ideas? I am suspect at this: !-- static (inside,outside) 192.168.13.0 192.168.13.0 netmask

255.255.255.0 0 0
Reply to
Sevinfooter
Loading thread data ...

Your split tunnel list is mucked. You have a permit IP any any in there.

Reply to
Brian V

hit send before I was done. In addition to the split tunnel, your routing and NAT is messed up.

The split tunnel ACL should read: access-list mycompany_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any

paste this in: no access-list mycompany_splitTunnelAcl permit ip any any access-list mycompany_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any

NAT, nope, shouldn't be there. paste this in: clear xlate no static (inside,outside) 192.168.13.0 192.168.13.0 netmask 255.255.255.0 0

0 clear xlate access-list nonat permit ip any 192.168.13.0 255.255.255.0 nat (inside) 0 access-list nonat

The routing...192.168.13.X is not inside, it's your VPN. You need to remove it. no route inside 192.168.13.0 255.255.255.0 192.168.0.1 1

That should take care of it.

-Brian

Reply to
Brian V

Thank you very much! I was very confused.

Reply to
Sevinfooter

Sounds like a NAT problem, since you have ISAKMP NAT-T in your Config.

This is you crypto-domain and the same should go into a NAT 0 statement

See - No nat 0 here ! Add this command: nat (inside) 0 access-list inside_outbound_nat0_acl

I see one more potential problem here You run RIP !! and you have static route with the same IP as your VPN pool. Is might NOT cause any problems, but it might. I recommend you use a subnet for you VPN pool that is free within your perimeters. fx 172.16.0.1-.172.16.0.31 but check your routetable first. and all routers !

It doesnt make sense to do tunnelsplit on ip any any !! remove that line : no vpngroup mycompany split-tunnel mycompany_splitTunnelAcl

or change it to: access-list mycompany_splitTunnelAcl permit ip (IP OF YOUR INSIDE LANs + MASK; 192.168.0.0 255.255.255.0 ) any vpngroup mycompany split-tunnel mycompany_splitTunnelAcl

Please note that you have difference between your NAT-1 startement and you Inside IP.

Also please be aware that tunnelsplits are considered a security flaw.

Hell no !

Also verify that your CCVPN client have the Transparent tunneling on UDP enabled. Verify in the client that the secured routes are correct (tunnelsplit), and the encrypted and deccrytped packets are somewhat ok and increasing during a ping fx

HTH Martin

Reply to
Martin Bilgrav

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.