Client-Server VPN not able to see Inside network

My client can connect to the VPN just fine with MS's connection. They
are unable though to see any inside resource. Nor can they ping
anything inside. I am recieveing a IP in the pool and can ping the
gateway that is given to me.
Odd thing is when I do a tracert on a inside IP address the second
address is the gateway and then it goes out to the internet.
Here is my config can anyone take a look and see where I've set
something wrong at.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password Hvup11B1njUIaHN3 encrypted
passwd Hvup11B1njUIaHN3 encrypted
hostname cerberus
domain-name mycompany.com
clock timezone EST -5
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.43.244.18 time.nist.gov
access-list acl-out permit tcp any any eq ftp-data
access-list acl-out permit tcp any any eq ftp
access-list acl-out permit icmp any 1x.x.x.0 255.255.255.0
access-list acl-out permit tcp any eq ssh interface inside
access-list acl-out permit tcp interface outside eq ssh any eq ssh
access-list acl-out permit tcp any host x.x.x.x0 eq www
access-list acl-out permit tcp any host x.x.x.x6 eq 3389
access-list acl-out permit tcp any host x.x.x.x7 eq www
access-list acl-out permit tcp any host x.x.x.x5 eq smtp
access-list acl-out permit tcp any host x.x.x.x0 eq 3389
access-list acl-out permit tcp any host x.x.x.x0 eq pop3
access-list acl-out permit tcp any host x.x.x.x0 eq imap4
access-list acl-out permit icmp any x.x.x.0 255.255.255.0 echo-reply
access-list acl-out permit udp host x.x.x.x9 host x.x.x.x7 eq snmp
access-list acl-out permit tcp any host x.x.x.x7 eq www
access-list acl-in permit ip host 192.168.128.2 any
access-list acl-in permit ip host 192.168.128.3 any
access-list acl-in permit ip host 192.168.128.10 any
access-list acl-in permit ip host 192.168.128.16 any
access-list acl-in permit ip host 192.168.128.25 any
access-list acl-in permit ip host 192.168.128.27 any
access-list acl-in permit ip host 192.168.128.36 any
access-list acl-in permit ip host 192.168.128.74 any
access-list 101 permit ip 192.168.128.0 255.255.255.0 10.99.99.0
255.255.255.0
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.128.16
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.x2 255.255.255.0
ip address inside 192.168.128.22 255.255.255.0
ip address dmz 172.16.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.99.99.1-10.99.99.254
pdm location 192.168.128.3 255.255.255.255 inside
pdm location 192.168.128.11 255.255.255.255 inside
pdm location 192.168.128.15 255.255.255.255 inside
pdm location 192.168.128.20 255.255.255.255 inside
pdm location 192.168.128.25 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
nat (inside) 0 access-list 101
nat (inside) 1 192.168.128.0 255.255.255.0 0 0
static (inside,outside) x.x.x.x6 192.168.128.20 netmask 255.255.255.255
0 0
static (inside,outside) x.x.x.x7 192.168.128.11 netmask 255.255.255.255
0 0
static (inside,outside) x.x.x.x0 192.168.128.3 netmask 255.255.255.255
0 0
static (inside,outside) x.x.x.x5 192.168.128.25 netmask 255.255.255.255
0 0
static (inside,outside) x.x.x.x1 192.168.128.11 netmask 255.255.255.255
0 0
static (inside,outside) x.x.x.x7 192.168.128.31 netmask 255.255.255.255
0 0
access-group acl-out in interface outside
access-group acl-in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp authentication-key 1 md5 ********
ntp authenticate
ntp trusted-key 1
ntp server time.nist.gov source outside prefer
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup hsvpn address-pool vpnpool
vpngroup hsvpn dns-server 192.168.128.3
vpngroup hsvpn wins-server 192.168.128.1
vpngroup hsvpn default-domain mycompany.com
vpngroup hsvpn idle-time 1800
vpngroup hsvpn password ********
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local vpnpool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username hsvpn password *********
vpdn enable outside
terminal width 80
Cryptochecksum:18674da1476e626ff236c501d1d3f7ca
: end
Reply to
Shane Rogers
Loading thread data ...
Upgrading to 6.3(4) or 6.3(5) would be better. 6.3(4) fixes some security problems, and 6.3(5) has a number of bug fixes.
That line is not needed, as you have the ftp fixup turned on.
You usually want to restrict the icmp that are allowed inward, as some of them (e.g., icmp redirect) can be used to attack security. You need icmp unreachable and icmp time-exceeded, and icmp echo-reply is convenient. Everything else should be looked at closely.
That line is not useful. You cannot connect from "outside" to any other interface, not unless you have a "management" tunnel set up, which you do not have.
That line is not useful. Any traffic from outside that has a source address of your interface IP address is going to be a forged packet or a packet that routing has gone out and been routed back to the PIX; PIX 6 will always drop packets that go out and are routed back to the PIX.
We cannot be sure based upon what you have posted, but that line would appear to be redundant considering the earlier icmp line.
You permit new connections (on port 3389) in to this IP, but you do not permit new connections out from this IP, not even DNS resolution. This situation is possible, but unusual and should be re-checked.
These too are permitted incoming connections but not outgoing, which should be rechecked.
But you have a bigger problem here: it is not valid to static two different IPs to the same IP. You probably want to do static port forwarding for at least one of these.
This too is allowed incoming traffic but not outgoing. But again there are other problems, as you appear to be static'ing the same outside address, x.x.x.x7, to two different inside addresses, 192.168.128.11 and 192.168.128.31 .
There are reasons to prefer identity hostname when using dynamic maps, if the connecting hosts might change public IPs while a tunnel is active (e.g., they get a different DHCP address during the middle of a connection.)
That is not invalid, but I think you will find that in practice real DES MD5 hosts are going to use Group 1 and seldom Group 2. It would be very uncommon to encounter a host or device that refused Group 1 for DES MD5. Your Group 1 entry has the lower policy number, and therefor has higher priority than your Group 2 entry, so the arrangement you have now is NOT "Use Group 2 (more secure) if the other end supports it, and otherwise use Group 1 (less secure)". Reverse the group numbers on the entries if that was the policy you intended.
You have three types of VPN tunnel configured, and if you were using a sufficiently new Windows (XP SP2), or had specifically downloaded the updated MS VPN software for W2K, then your user's "MS's connection" might use either the IPSec dynamic connection or the PPTP; older MS software would not have the IPSec option.
If it is PPTP that you are using, then you should be aware that there have been a couple of different people reporting within the last couple of months that they are seeing PPTP in which the source IP address was the public IP of the connecting system, rather than the IP address that had been allocated by the pool. I note that you have syslog to an inside host and that you are already logging at 'debug' level: have a look through the logs and see whether you are getting some rejected packets with a 192.168.128/24 destination and a public source instead of the expected 10.99.99/24 source.
I have not seen any solutions yet to this PPTP issue. I know that a lot of people have PPTP set up to their PIX, so it has to be a fairly subtle problem. Hmmm, if I recall correctly, those posters were using the Cisco VPN client, but as we don't know what the problem was, it might or might not be the same as you are encountering... check those logs.
Reply to
Walter Roberson
This was done not by me. Basically its websites that are located on one inside webserver. How might I change that to allow both those address in on port 80 to the same internal IP then?
This was setup for a box on the inside of the network to monitor the PIX itself and the router on the the outside of the network. As well as allow someone to SSH to that box if needed. Thats what I was told anyway.
This access-list acl-out permit tcp any host x.x.x.25 eq 3389 is the outside address that someone will Terminal into it then has a static to static (inside,outside) x.x.x.25 192.168.128.25 netmask 255.255.255.255 0 0 and access-list acl-in permit ip host 192.168.128.25 any lets all back out.
Might not be right though. I admit that.
My logging server is gone. (had to realocate it for something else) so I need to setup logs somewhere else or I need to just turn logging on locally. Which I need to remember how to do.
Not sure my client is upto date 100%. I know its WinXP with SP2.
Reply to
Shane Rogers
You cannot do that with PIX 6 (and probably not with PIX 7 either.) You would need to translate them to different ports on the same server and have your web server listen on both ports. Or put up two different web servers on different internal IPs. Or change the DNS for the web servers to both have the same IP and rely upon the Host: header to differentiate between them (if so then pay a bit of attention to which site will be reached if there is no Host: header such as from a very old web client or from a telnet session from some admin trying to figure out what sites the users are going to.)
You do not need to "let all back out": the PIX automatically creates appropriate holes in the rules for return traffic. Permitting outward access from a host should only be used if the host needs to initiate connections to outside, such as to a DNS server or to send outgoing email (SMTP). Also, if you happen to have incoming UDP connections where there might not be traffic on the connection for more than 2 minutes, then you either need to raise the udp timeout or else you need to permit the return traffic outwards explicitly, as by default the PIX closes the automatic loophole for return UDP traffic after 2 minutes of inactivity in the flow.
logging buffered debug
then show log
but this tends to fill up and get overwritten quickly, so unless you have very low volume, it is a lot easier to debug with a syslog server.
Reply to
Walter Roberson
Things here seem to be working fine, but I can change it. I'll look at changing the IP address on the DNS server for the website. In the mean time how would I route the differnt port on the same IP inside?
With my Configuration what do I need to change then? If you want to talk off list so you can see the IP's we can. I don't have any issues with anything right now, but I'm willing to make it work the way its suppossed to.
I'll see if I can get some logs.
Reply to
Shane Rogers

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.