Client-Server VPN not able to see Inside network

My client can connect to the VPN just fine with MS's connection. They are unable, though, to see any inside resource, nor can they ping anything inside. I am receiving an IP in the pool and can ping the gateway that is given to me.

Odd thing is, when I do a tracert on an inside IP address, the second address is the gateway and then it goes out to the internet.

Here is my config; can anyone take a look and see where I've set something wrong?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password Hvup11B1njUIaHN3 encrypted
passwd Hvup11B1njUIaHN3 encrypted
hostname cerberus
domain-name mycompany.com
clock timezone EST -5
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.43.244.18 time.nist.gov
access-list acl-out permit tcp any any eq ftp-data
access-list acl-out permit tcp any any eq ftp
access-list acl-out permit icmp any 1x.x.x.0 255.255.255.0
access-list acl-out permit tcp any eq ssh interface inside
access-list acl-out permit tcp interface outside eq ssh any eq ssh
access-list acl-out permit tcp any host x.x.x.x0 eq www
access-list acl-out permit tcp any host x.x.x.x6 eq 3389
access-list acl-out permit tcp any host x.x.x.x7 eq www
access-list acl-out permit tcp any host x.x.x.x5 eq smtp
access-list acl-out permit tcp any host x.x.x.x0 eq 3389
access-list acl-out permit tcp any host x.x.x.x0 eq pop3
access-list acl-out permit tcp any host x.x.x.x0 eq imap4
access-list acl-out permit icmp any x.x.x.0 255.255.255.0 echo-reply
access-list acl-out permit udp host x.x.x.x9 host x.x.x.x7 eq snmp
access-list acl-out permit tcp any host x.x.x.x7 eq www
access-list acl-in permit ip host 192.168.128.2 any
access-list acl-in permit ip host 192.168.128.3 any
access-list acl-in permit ip host 192.168.128.10 any
access-list acl-in permit ip host 192.168.128.16 any
access-list acl-in permit ip host 192.168.128.25 any
access-list acl-in permit ip host 192.168.128.27 any
access-list acl-in permit ip host 192.168.128.36 any
access-list acl-in permit ip host 192.168.128.74 any
access-list 101 permit ip 192.168.128.0 255.255.255.0 10.99.99.0 255.255.255.0
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.128.16
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.x2 255.255.255.0
ip address inside 192.168.128.22 255.255.255.0
ip address dmz 172.16.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.99.99.1-10.99.99.254
pdm location 192.168.128.3 255.255.255.255 inside
pdm location 192.168.128.11 255.255.255.255 inside
pdm location 192.168.128.15 255.255.255.255 inside
pdm location 192.168.128.20 255.255.255.255 inside
pdm location 192.168.128.25 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
nat (inside) 0 access-list 101
nat (inside) 1 192.168.128.0 255.255.255.0 0 0
static (inside,outside) x.x.x.x6 192.168.128.20 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x7 192.168.128.11 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x0 192.168.128.3 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x5 192.168.128.25 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x1 192.168.128.11 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x7 192.168.128.31 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
access-group acl-in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp authentication-key 1 md5 ********
ntp authenticate
ntp trusted-key 1
ntp server time.nist.gov source outside prefer
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup hsvpn address-pool vpnpool
vpngroup hsvpn dns-server 192.168.128.3
vpngroup hsvpn wins-server 192.168.128.1
vpngroup hsvpn default-domain mycompany.com
vpngroup hsvpn idle-time 1800
vpngroup hsvpn password ********
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local vpnpool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username hsvpn password *********
vpdn enable outside
terminal width 80
Cryptochecksum:18674da1476e626ff236c501d1d3f7ca
: end
-- Shane Rogers

Upgrading to 6.3(4) or 6.3(5) would be better. 6.3(4) fixes some security problems, and 6.3(5) has a number of bug fixes.

That line is not needed, as you have the ftp fixup turned on.

You usually want to restrict the icmp that are allowed inward, as some of them (e.g., icmp redirect) can be used to attack security. You need icmp unreachable and icmp time-exceeded, and icmp echo-reply is convenient. Everything else should be looked at closely.

That line is not useful. You cannot connect from "outside" to any other interface, not unless you have a "management" tunnel set up, which you do not have.

That line is not useful. Any traffic from outside that has a source address of your interface IP address is going to be a forged packet or a packet that routing has gone out and been routed back to the PIX; PIX 6 will always drop packets that go out and are routed back to the PIX.

We cannot be sure based upon what you have posted, but that line would appear to be redundant considering the earlier icmp line.

You permit new connections (on port 3389) in to this IP, but you do not permit new connections out from this IP, not even DNS resolution. This situation is possible, but unusual and should be re-checked.

These too are permitted incoming connections but not outgoing, which should be rechecked.

But you have a bigger problem here: it is not valid to static two different IPs to the same IP. You probably want to do static port forwarding for at least one of these.

This too is allowed incoming traffic but not outgoing. But again there are other problems, as you appear to be static'ing the same outside address, x.x.x.x7, to two different inside addresses, 192.168.128.11 and 192.168.128.31.

There are reasons to prefer identity hostname when using dynamic maps, if the connecting hosts might change public IPs while a tunnel is active (e.g., they get a different DHCP address during the middle of a connection.)

That is not invalid, but I think you will find that in practice real DES MD5 hosts are going to use Group 1 and seldom Group 2. It would be very uncommon to encounter a host or device that refused Group 1 for DES MD5. Your Group 1 entry has the lower policy number, and therefore has higher priority than your Group 2 entry, so the arrangement you have now is NOT "Use Group 2 (more secure) if the other end supports it, and otherwise use Group 1 (less secure)". Reverse the group numbers on the entries if that was the policy you intended.

You have three types of VPN tunnel configured, and if you were using a sufficiently new Windows (XP SP2), or had specifically downloaded the updated MS VPN software for W2K, then your user's "MS's connection" might use either the IPSec dynamic connection or the PPTP; older MS software would not have the IPSec option.

If it is PPTP that you are using, then you should be aware that there have been a couple of different people reporting within the last couple of months that they are seeing PPTP in which the source IP address was the public IP of the connecting system, rather than the IP address that had been allocated by the pool. I note that you have syslog to an inside host and that you are already logging at 'debug' level: have a look through the logs and see whether you are getting some rejected packets with a 192.168.128/24 destination and a public source instead of the expected 10.99.99/24 source.

I have not seen any solutions yet to this PPTP issue. I know that a lot of people have PPTP set up to their PIX, so it has to be a fairly subtle problem. Hmmm, if I recall correctly, those posters were using the Cisco VPN client, but as we don't know what the problem was, it might or might not be the same as you are encountering... check those logs.

-- Walter Roberson
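The reply above raises four things that can be checked mechanically in the posted config: an outside address static'd to two inside hosts, an inside host given two one-to-one outside addresses, hosts that are permitted inbound but have no outbound entry, and ISAKMP policies ordered so the weaker DH group is tried first. The script below is an added example written for this thread, not code from either poster or from Cisco. Its SAMPLE_CONFIG is constructed from the posted static, access-list and isakmp lines, with the obfuscated x.x.x.x addresses replaced by 203.0.113.x documentation addresses (an assumption, chosen so the script runs offline).

```python
"""Lint a PIX 6.x config for the problems raised in the thread. Added example;
the SAMPLE_CONFIG below is constructed from the posted lines with the outside
addresses replaced by 203.0.113.x documentation addresses (assumed values)."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
access-list acl-out permit tcp any host 203.0.113.10 eq www
access-list acl-out permit tcp any host 203.0.113.16 eq 3389
access-list acl-out permit tcp any host 203.0.113.17 eq www
access-list acl-out permit tcp any host 203.0.113.15 eq smtp
access-list acl-in permit ip host 192.168.128.3 any
access-list acl-in permit ip host 192.168.128.25 any
static (inside,outside) 203.0.113.16 192.168.128.20 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.17 192.168.128.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.10 192.168.128.3 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.15 192.168.128.25 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 192.168.128.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.17 192.168.128.31 netmask 255.255.255.255 0 0
isakmp policy 10 group 1
isakmp policy 20 group 2
"""

ACL_RE = re.compile(r"^access-list (?P<name>\S+) permit (?P<proto>\S+) (?P<rest>.*)$")


def parse_static(line):
    """(proto, global_ip, global_port, local_ip, local_port) for a one-to-one
    static (proto and ports None) or a PIX 6.2+ port static, else None."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "static" or "netmask" not in tok:
        return None
    body = tok[2:tok.index("netmask")]
    if body[0] in ("tcp", "udp") and len(body) == 5:
        return (body[0], body[1], body[2], body[3], body[4])
    if len(body) == 2:
        return (None, body[0], None, body[1], None)
    return None


def find_static_conflicts(config):
    """Return ({outside_ip: [inside_ips]}, {inside_ip: [outside_ips]}).
    Port statics are keyed on address plus protocol and port, so the same
    outside address forwarded on two different ports is not reported."""
    by_global, by_local = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        s = parse_static(line.strip())
        if s is None:
            continue
        proto, gip, gport, lip, _ = s
        by_global[(gip, proto, gport)].add(lip)
        if proto is None:
            by_local[lip].add(gip)
    dup_global = {k[0]: sorted(v) for k, v in by_global.items() if len(v) > 1}
    dup_local = {k: sorted(v) for k, v in by_local.items() if len(v) > 1}
    return dup_global, dup_local


def inbound_without_outbound(config, outside_acl="acl-out", inside_acl="acl-in"):
    """Inside hosts reached by a 'host X' permit on the outside ACL (X mapped
    back through its one-to-one static) that have no source permit on the
    inside ACL. A review item, not a fault: the PIX opens return traffic by
    itself, so an outbound permit matters only if the host initiates flows."""
    global_to_local = {}
    for line in config.splitlines():
        s = parse_static(line.strip())
        if s and s[0] is None:
            global_to_local.setdefault(s[1], s[3])
    inbound, outbound = set(), set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group("rest").split()
        if m.group("name") == outside_acl and "host" in tokens:
            idx = len(tokens) - 1 - tokens[::-1].index("host")  # destination host
            inbound.add(global_to_local.get(tokens[idx + 1], tokens[idx + 1]))
        elif m.group("name") == inside_acl and tokens[:1] == ["host"]:
            outbound.add(tokens[1])
    return sorted(inbound - outbound)


def isakmp_policy_order(config):
    """[(priority, dh_group)] in evaluation order, lowest number first."""
    groups = {}
    for line in config.splitlines():
        m = re.match(r"isakmp policy (\d+) group (\d+)", line.strip())
        if m:
            groups[int(m.group(1))] = int(m.group(2))
    return sorted(groups.items())


def weaker_group_preferred(config):
    """True when a stronger DH group sits behind a weaker one, so a peer that
    accepts both ends up negotiating the weaker group."""
    order = isakmp_policy_order(config)
    return any(later > earlier for (_, earlier), (_, later) in zip(order, order[1:]))


if __name__ == "__main__":
    dup_global, dup_local = find_static_conflicts(SAMPLE_CONFIG)
    for gip, lips in dup_global.items():
        print(f"outside {gip} is static'd to several inside hosts: {lips}")
    for lip, gips in dup_local.items():
        print(f"inside {lip} has several one-to-one outside addresses: {gips}")
    print("inbound permit, no outbound permit:", inbound_without_outbound(SAMPLE_CONFIG))
    print("weaker DH group preferred:", weaker_group_preferred(SAMPLE_CONFIG))
```

Run it against `write terminal` output saved to a file by reading the file in place of SAMPLE_CONFIG. The port-static form the parser also understands is the PIX 6.2+ syntax `static (inside,outside) tcp <outside_ip> <port> <inside_ip> <port> netmask 255.255.255.255 0 0`, which is how one outside address can front two inside hosts on different ports without tripping the duplicate check.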

This was done not by me. Basically, it's websites that are located on one inside webserver. How might I change that to allow both those addresses in on port 80 to the same internal IP, then?

This was set up for a box on the inside of the network to monitor the PIX itself and the router on the outside of the network, as well as allow someone to SSH to that box if needed. That's what I was told, anyway.

This access-list acl-out permit tcp any host x.x.x.25 eq 3389 is the outside address that someone will Terminal into; it then has a static, static (inside,outside) x.x.x.25 192.168.128.25 netmask 255.255.255.255 0 0, and access-list acl-in permit ip host 192.168.128.25 any lets all back out.

Might not be right though. I admit that.

My logging server is gone (had to relocate it for something else), so I need to set up logs somewhere else or I need to just turn logging on locally, which I need to remember how to do.

Not sure my client is up to date 100%. I know it's WinXP with SP2.

-- Shane Rogers

You cannot do that with PIX 6 (and probably not with PIX 7 either.) You would need to translate them to different ports on the same server and have your web server listen on both ports. Or put up two different web servers on different internal IPs. Or change the DNS for the web servers to both have the same IP and rely upon the Host: header to differentiate between them (if so then pay a bit of attention to which site will be reached if there is no Host: header such as from a very old web client or from a telnet session from some admin trying to figure out what sites the users are going to.)

You do not need to "let all back out": the PIX automatically creates appropriate holes in the rules for return traffic. Permitting outward access from a host should only be used if the host needs to initiate connections to outside, such as to a DNS server or to send outgoing email (SMTP). Also, if you happen to have incoming UDP connections where there might not be traffic on the connection for more than 2 minutes, then you either need to raise the udp timeout or else you need to permit the return traffic outwards explicitly, as by default the PIX closes the automatic loophole for return UDP traffic after 2 minutes of inactivity in the flow.

logging buffered debug

then show log

but this tends to fill up and get overwritten quickly, so unless you have very low volume, it is a lot easier to debug with a syslog server.

-- Walter Roberson
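Walter's first reply said what to look for in the logs (rejected packets with a 192.168.128/24 destination and a public source instead of the expected 10.99.99/24 source), and the reply above says how to get at them locally with logging buffered and show log. The script below is an added example, not from either poster, that does that search over pasted show log output. The sample lines are constructed after the shape of PIX syslog message 106023 (Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"); they are not from the poster's box, and the regex is kept loose since spacing varies slightly between releases. The inside network and pool come from the posted config; the RFC 1918 split is an addition so a stray DMZ or pool-adjacent source is reported differently from a genuinely public one.

```python
"""Find denied packets heading for the inside network whose source is not a
VPN pool address. Added example; SAMPLE_LOG is constructed, not captured."""
import ipaddress
import re

INSIDE_NET = ipaddress.ip_network("192.168.128.0/24")  # ip address inside (posted config)
VPN_POOL = ipaddress.ip_network("10.99.99.0/24")       # ip local pool vpnpool
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Loose match for message 106023; the port suffix is absent on icmp entries.
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/\d+)?"
)

# Constructed sample: one pool-sourced deny (expected), two public-sourced
# denies toward an inside host (the symptom), one deny not aimed inside,
# one DMZ-sourced deny, and an unrelated connection-built message.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:10.99.99.7/1041 dst inside:192.168.128.3/445 by access-group "acl-out"
%PIX-4-106023: Deny icmp src outside:203.0.113.77 dst inside:192.168.128.3 (type 8, code 0) by access-group "acl-out"
%PIX-4-106023: Deny tcp src outside:203.0.113.77/1060 dst inside:192.168.128.3/139 by access-group "acl-out"
%PIX-4-106023: Deny udp src outside:198.51.100.9/53 dst outside:203.0.113.2/33434 by access-group "acl-out"
%PIX-4-106023: Deny tcp src dmz:172.16.10.5/2020 dst inside:192.168.128.16/514 by access-group "acl-dmz"
%PIX-6-302013: Built inbound TCP connection 1234 for outside:10.99.99.7/1042 (10.99.99.7/1042) to inside:192.168.128.3/80 (192.168.128.3/80)
"""


def suspicious_denies(log_text):
    """Denied flows aimed at INSIDE_NET whose source is outside VPN_POOL.
    Each hit is (src, dst, proto, src_is_rfc1918)."""
    hits = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
        if dst in INSIDE_NET and src not in VPN_POOL:
            private = any(src in net for net in RFC1918)
            hits.append((str(src), str(dst), m.group("proto"), private))
    return hits


def sources_by_count(hits):
    """Offending source addresses, most frequent first."""
    counts = {}
    for src, _, _, _ in hits:
        counts[src] = counts.get(src, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    found = suspicious_denies(SAMPLE_LOG)
    for src, dst, proto, private in found:
        kind = "private (not pool)" if private else "public"
        print(f"{proto:5} {src:>15} -> {dst:<15} source is {kind}")
    print("by source:", sources_by_count(found))
```

A public source that repeatedly shows up against inside destinations while a PPTP user is connected is the pattern the first reply describes; a pool-sourced deny, by contrast, points at the ACL rather than at the tunnel, since sysopt connection permit-pptp should let pool traffic through.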

Things here seem to be working fine, but I can change it. I'll look at changing the IP address on the DNS server for the website. In the meantime, how would I route the different port on the same IP inside?

With my configuration, what do I need to change then? If you want to talk off list so you can see the IPs, we can. I don't have any issues with anything right now, but I'm willing to make it work the way it's supposed to.

I'll see if I can get some logs.

-- Shane Rogers

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.