Cisco Pix 510 - VPN problems

Hi,

I'm new to the Cisco Pix and firewall.

I have made a VPN configuration and can connect to the Pix through VPN. I can't see the server on the LAN side.

The LAN DHCP pool is : 10.5.75.100 - 10.5.75.131 The VPN Pool is : 10.5.75.150 - 10.5.75.160

The server on the LAN side isn't using DHCP. It's IP address is :

10.5.75.10

What must I change to make it work? (Please post the commands with the required options that have to be used.) Thanks.

Here is the configuration as it is now :

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx/ encrypted
passwd xxxxxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.5.75.10 Server
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.5.75.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool RTS 10.5.75.150-10.5.75.160
pdm location 10.5.75.0 255.255.255.0 inside
pdm location 10.5.75.128 255.255.255.192 outside
pdm location 10.5.75.0 255.255.255.255 inside
pdm location Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.5.75.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local RTS
vpdn group PPTP-VPDN-GROUP client configuration dns 193.162.153.164 194.239.134.83
vpdn group PPTP-VPDN-GROUP client configuration wins Server
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxxxxxxxxxx password ********
vpdn username xxxxxxx password ********
vpdn enable outside
dhcpd address 10.5.75.100-10.5.75.131 inside
dhcpd dns 193.162.153.164 194.239.134.83
dhcpd wins Server
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain RTS
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Reply to
proximo

Thanks for the quick and accurate reply, Walter - it works just as it should after making the changes.

Does it mean that the following line can be deleted? :

crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

Reply to
proximo

In article , proximo wrote:
:I have made a VPN configuration and can connect to the Pix through VPN.
:I can't see the server on the LAN side.

:The LAN DHCP pool is : 10.5.75.100 - 10.5.75.131
:The VPN Pool is : 10.5.75.150 - 10.5.75.160

The VPN pool must be "outside" relative to the inside interface. You will have to change the VPN pool range to not be in 10.5.75/24.

:PIX Version 6.3(4)
:ip address outside dhcp setroute
:ip address inside 10.5.75.1 255.255.255.0
:ip local pool RTS 10.5.75.150-10.5.75.160

ip local pool RTS 10.255.75.128-10.255.75.159

Note: as well as moving to a different range, I realigned the range to fit into a subnet to make other commands easier.

:global (outside) 1 interface
:nat (inside) 1 0.0.0.0 0.0.0.0 0 0

:sysopt connection permit-pptp
:crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
:crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

In PIX 6.x, L2TP is the only protocol that can use mode transport, but you are using PPTP.

All other types of packets using IPSec transport mode will be discarded by the PIX Firewall.

:crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
:crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
:crypto map outside_map interface outside

:vpdn group PPTP-VPDN-GROUP accept dialin pptp
:vpdn group PPTP-VPDN-GROUP client configuration address local RTS

access-list pptp_nonat_acl permit ip host Server 10.255.75.128 255.255.255.224

nat (inside) 0 access-list pptp_nonat_acl

Reply to
Walter Roberson
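The reply above makes two changes that are easy to get wrong by hand: the PPTP address pool has to sit outside the inside interface's subnet, and the LAN host needs a `nat (inside) 0` exemption whose access-list covers the whole pool (which is why the pool was realigned to a /27). The script below is an added example, not code from the thread or from Cisco: it lints a PIX 6.x config excerpt for exactly those conditions. The `BEFORE` and `AFTER` excerpts are constructed from the lines quoted in this thread, and the function names (`parse`, `pool_subnet`, `lint`) are my own. It only understands the handful of commands it needs and assumes `name` lines precede the access-lists that use them, as they do in a PIX running-config.

```python
"""Lint a PIX 6.x config excerpt for the two problems discussed in this thread:
a VPN address pool that overlaps the inside interface subnet, and a missing
nat (inside) 0 exemption from the LAN host to that pool.  Added example; the
helper names are hypothetical, not PIX or Cisco API names."""
import ipaddress
import re

# Constructed excerpt of the poster's original config (only the lines that matter).
BEFORE = """\
name 10.5.75.10 Server
ip address inside 10.5.75.1 255.255.255.0
ip local pool RTS 10.5.75.150-10.5.75.160
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# The same excerpt with the changes from the reply applied.
AFTER = """\
name 10.5.75.10 Server
ip address inside 10.5.75.1 255.255.255.0
ip local pool RTS 10.255.75.128-10.255.75.159
access-list pptp_nonat_acl permit ip host Server 10.255.75.128 255.255.255.224
nat (inside) 0 access-list pptp_nonat_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""


def _net(tokens, names):
    """Consume one ACL address spec (host X | any | net mask), resolving 'name' aliases."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        h = tokens.pop(0)
        return ipaddress.ip_network(names.get(h, h) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{names.get(t, t)}/{mask}", strict=False)


def parse(config):
    """Pull out names, inside subnet, local pools, permit-ip ACL entries and nat 0 ACLs."""
    cfg = {"names": {}, "inside": None, "pools": {}, "acls": {}, "nat0": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"name (\S+) (\S+)", line):
            cfg["names"][m[2]] = m[1]
        elif m := re.fullmatch(r"ip address inside (\S+) (\S+)", line):
            cfg["inside"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.fullmatch(r"ip local pool (\S+) (\S+)-(\S+)", line):
            cfg["pools"][m[1]] = (m[2], m[3])
        elif m := re.fullmatch(r"access-list (\S+) permit ip (.+)", line):
            toks = m[2].split()
            src, dst = _net(toks, cfg["names"]), _net(toks, cfg["names"])
            cfg["acls"].setdefault(m[1], []).append((src, dst))
        elif m := re.fullmatch(r"nat \(inside\) 0 access-list (\S+)", line):
            cfg["nat0"].add(m[1])
    return cfg


def pool_subnet(lo, hi):
    """Return the single aligned prefix covering lo..hi as a string, or None if the
    range does not fit one prefix (then no single 'net mask' ACL entry describes it)."""
    nets = list(ipaddress.summarize_address_range(ipaddress.ip_address(lo),
                                                  ipaddress.ip_address(hi)))
    return str(nets[0]) if len(nets) == 1 else None


def lint(config, lan_host="Server"):
    """Return a list of findings; an empty list means the pool and exemption look right."""
    cfg = parse(config)
    host = ipaddress.ip_address(cfg["names"].get(lan_host, lan_host))
    exempt = [e for acl in cfg["nat0"] for e in cfg["acls"].get(acl, [])]
    findings = []
    for name, (lo, hi) in cfg["pools"].items():
        first, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if cfg["inside"] and (first in cfg["inside"] or last in cfg["inside"]):
            findings.append(f"pool {name} {lo}-{hi} overlaps inside subnet {cfg['inside']}")
        if pool_subnet(lo, hi) is None:
            findings.append(f"pool {name} {lo}-{hi} is not a single aligned subnet")
        if not any(host in s and first in d and last in d for s, d in exempt):
            findings.append(f"no nat (inside) 0 exemption from {lan_host} to pool {name}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, lint(cfg) or "OK")
```

Run as-is it reports three findings for the original excerpt (overlap with 10.5.75.0/24, the 11-address range 150-160 not being one prefix, and no NAT exemption) and nothing for the corrected one. The alignment check is there because `access-list ... permit ip host Server 10.255.75.128 255.255.255.224` can only express a pool that is exactly one prefix; Walter's realignment to .128-.159 (a /27) is what makes that single line sufficient.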

In article , proximo wrote:
:Does it mean that the following line can be deleted? :
::crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

Yes, and I recommend deleting it to avoid confusion and possible packet drops.

Reply to
Walter Roberson

Thanks again for your help!!!

Reply to
proximo

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.