Dynamic VPN to Pix515, still shooting in the dark!

I have a frustrating problem that I just can't figure out. When a client connects to our terminal server (or any server or desktop) with a Cisco VPN client, the connection drops. This happens between 30 seconds and 5 minutes after the connection has been made.

But the VPN connection stays up and I can ping the inside of the Pix, but not the address of the "disconnected" unit. After a while I can connect/ping again.

This never happens with the Pix to Pix or the Sonicwall to Pix connections. Everything works fine with the static VPNs.

If someone could have mercy on me and take a look at my config (addresses, passwords etc. changed) and perhaps spot something I haven't. Don't pay too much attention to the ACLs, I'm aware of certain security issues there.

There is a connection between the DMZ and the inside LAN at the moment, could this be the root of the problem?

asdm image flash:/asdm
asdm location 0.0.0.0 255.255.255.0 outside
asdm location 0.0.0.0 0.0.0.0 outside
no asdm history enable
: Saved
:
PIX Version 7.2(1)19
!
hostname hhfw01
domain-name hatt9
enable password K4avLhVsdlfkjwPTE encrypted
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 pppoe client vpdn group hatt9
 ip address pppoe setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.41.1 255.255.255.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 97
 ip address 191.248.161.17 255.255.255.240
!
passwd 2KFQnbNIdI.WWWOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name hatt
same-security-traffic permit inter-interface
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit tcp 0.0.0.0 255.255.255.0 interface outside
access-list inside_access_out extended permit tcp any interface DMZ inactive
access-list inside_access_out extended permit icmp any any echo-reply inactive
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp interface DMZ any inactive
access-list inside_access_in extended permit udp interface DMZ any inactive
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface DMZ inactive
access-list outside_access_in extended permit ip any interface DMZ inactive
access-list outside_access_in extended permit icmp any interface DMZ echo-reply
access-list hh_splitTunnelAcl standard permit 192.168.41.0 255.255.255.0
access-list outside_cryptomap extended permit ip any 192.168.41.160 255.255.255.224
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp any any
access-list dmz_access_in extended permit icmp any any echo-reply
access-list dmz_access_out extended permit ip any interface outside
access-list dmz_access_out extended permit tcp any any
access-list dmz_access_out extended permit udp any any
access-list inbound extended permit tcp any any eq www
access-list inbound extended permit tcp any any eq ftp
access-list inbound extended permit tcp any any eq smtp
access-list inbound extended permit udp any eq 3283 any eq 3283
access-list inbound extended permit tcp any any eq https
access-list outside_20_cryptomap extended permit ip 192.168.41.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.41.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.41.0 255.255.255.0 192.168.41.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.41.0 255.255.255.0 host 191.248.161.26
access-list inside_nat0_outbound extended permit ip 192.168.41.0 255.255.255.0 host 191.248.161.28
access-list inside_nat0_outbound extended permit ip 192.168.41.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.41.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list hat_splitTunnelAcl standard permit 192.168.41.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip any 192.168.41.160 255.255.255.224
access-list outside_40_cryptomap extended permit ip 192.168.41.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_60_cryptomap extended permit ip 192.168.41.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpnclients 192.168.41.170-192.168.41.180 mask 255.255.255.0
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0 outside
static (inside,outside) tcp interface www 192.168.41.2 www netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.41.22 8080 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.41.3 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.41.3 https netmask 255.255.255.255
static (DMZ,outside) 191.248.161.26 191.248.161.26 netmask 255.255.255.255
static (DMZ,outside) 191.248.161.28 191.248.161.28 netmask 255.255.255.255
static (inside,DMZ) 191.248.161.26 191.248.161.26 netmask 255.255.255.255
static (inside,DMZ) 191.248.161.28 191.248.161.28 netmask 255.255.255.255
static (DMZ,inside) 191.248.161.28 191.248.161.28 netmask 255.255.255.255
static (DMZ,inside) 191.248.161.26 191.248.161.26 netmask 255.255.255.255
access-group inbound in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group dmz_access_in in interface DMZ
access-group dmz_access_out out interface DMZ
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.41.3
 timeout 5
 key master
no eou allow clientless
group-policy hat internal
group-policy hat attributes
 dns-server value 192.168.41.3
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value yourvpn_splitTunnelAcl
 default-domain value hatt9
group-policy hh internal
group-policy hh attributes
 dns-server value 192.168.41.3
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value hh_splitTunnelAcl
 default-domain value hatt9
username admin password FOGca/gfTrozRbXj encrypted privilege 0
username admin attributes
 vpn-group-policy DfltGrpPolicy
username user password xz/qJ7PGUI/hUZ6i encrypted privilege 0
username user attributes
 vpn-group-policy DfltGrpPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.41.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 62.92.99.140
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set peer 213.161.229.42
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set peer 213.184.221.144
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 80 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 28800
crypto isakmp nat-traversal 20
tunnel-group 61.92.99.141 type ipsec-l2l
tunnel-group 61.92.99.141 ipsec-attributes
 pre-shared-key *
tunnel-group hat type ipsec-ra
tunnel-group hat general-attributes
 address-pool vpnclients
 authentication-server-group RADIUS
 default-group-policy hat
tunnel-group hat ipsec-attributes
 pre-shared-key *
tunnel-group 211.161.229.42 type ipsec-l2l
tunnel-group 211.161.229.42 ipsec-attributes
 pre-shared-key *
tunnel-group 212.184.221.143 type ipsec-l2l
tunnel-group 212.184.221.143 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
management-access inside
vpdn group hatt9 request dialout pppoe
vpdn group hatt9 localname snipped-for-privacy@online.net
vpdn group hatt9 ppp authentication pap
vpdn username snipped-for-privacy@online.net password *********
dhcpd dns 192.168.41.3
dhcpd ping_timeout 750
dhcpd auto_config outside vpnclient-wins-override
dhcpd update dns
!
dhcpd address 192.168.41.200-192.168.41.249 inside
dhcpd dns 192.168.41.3 interface inside
dhcpd domain hatt9 interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
bg
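A few things in a posted config like this are worth checking mechanically before staring at it by hand: whether the remote-access pool is carved out of the inside interface's own subnet (the firewall then has to answer ARP for those addresses on the inside LAN), whether every pool address is covered by the nat 0 exemption list, and whether names the config refers to actually exist. The script below is an added example, not something from the original post or from Cisco; it parses only the statement forms present in the excerpt, which is built from the posted config, and goes a little beyond the question by also cross-checking split-tunnel list names and crypto map peers against the defined access-lists and tunnel-groups. The mismatches it reports on this excerpt (the undefined `yourvpn_splitTunnelAcl` list and peers with no matching tunnel-group) may just be side effects of the scrubbing the poster mentions, so treat them as questions to ask, not as findings.

```python
import ipaddress

# Constructed excerpt of the posted PIX 7.2 configuration (names and addresses
# were already scrubbed by the poster), one statement per line so it can be parsed.
CONFIG = """\
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.41.1 255.255.255.0
access-list hh_splitTunnelAcl standard permit 192.168.41.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.41.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.41.0 255.255.255.0 192.168.41.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.41.0 255.255.255.0 host 191.248.161.26
access-list hat_splitTunnelAcl standard permit 192.168.41.0 255.255.255.0
ip local pool vpnclients 192.168.41.170-192.168.41.180 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy hat attributes
 split-tunnel-network-list value yourvpn_splitTunnelAcl
group-policy hh attributes
 split-tunnel-network-list value hh_splitTunnelAcl
crypto map outside_map 20 set peer 62.92.99.140
crypto map outside_map 40 set peer 213.161.229.42
crypto map outside_map 60 set peer 213.184.221.144
tunnel-group 61.92.99.141 type ipsec-l2l
tunnel-group hat type ipsec-ra
tunnel-group 211.161.229.42 type ipsec-l2l
tunnel-group 212.184.221.143 type ipsec-l2l
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_addr(tokens, i):
    """Parse one ACL address at tokens[i]; return (network or None for 'any', next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return _net(tokens[i + 1], "255.255.255.255"), i + 2
    return _net(tokens[i], tokens[i + 1]), i + 2


def parse_pix(text):
    """Pull the statements the checks below need out of a PIX-style config."""
    cfg = {"inside": None, "pools": {}, "acls": {}, "nat0_acl": None,
           "split_refs": [], "peers": [], "tunnel_groups": set()}
    ctx = None  # ("if", nameif) or ("gp", group-policy name) for sub-commands
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            ctx = None
        elif t[0] == "nameif":
            ctx = ("if", t[1])
        elif t[:2] == ["ip", "address"] and ctx == ("if", "inside") and len(t) == 4:
            cfg["inside"] = _net(t[2], t[3])
        elif t[0] == "access-list":
            entries = cfg["acls"].setdefault(t[1], [])   # name is defined even if no entry parses
            if t[2] == "standard" and t[3] == "permit":
                entries.append(_net(t[4], t[5]))
            elif t[2] == "extended" and t[3:5] == ["permit", "ip"]:
                _, i = _acl_addr(t, 5)          # skip the source
                dst, _ = _acl_addr(t, i)        # destination side is what nat 0 exempts
                if dst is not None:
                    entries.append(dst)
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "nat" and t[1] == "(inside)" and t[2] == "0":
            cfg["nat0_acl"] = t[4]
        elif t[0] == "group-policy" and t[-1] == "attributes":
            ctx = ("gp", t[1])
        elif t[0] == "split-tunnel-network-list" and ctx and ctx[0] == "gp":
            cfg["split_refs"].append((ctx[1], t[2]))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            cfg["peers"].append(t[6])
        elif t[0] == "tunnel-group" and t[2] == "type":
            cfg["tunnel_groups"].add(t[1])
    return cfg


def pool_inside_lan(cfg):
    """Names of address pools carved out of the inside interface's own subnet."""
    lan = cfg["inside"]
    return [n for n, (lo, hi) in cfg["pools"].items() if lo in lan or hi in lan]


def pool_addresses_not_nat_exempt(cfg):
    """Pool addresses no destination in the nat 0 ACL covers (inside hosts would NAT them)."""
    exempt = cfg["acls"].get(cfg["nat0_acl"], [])
    missing = []
    for lo, hi in cfg["pools"].values():
        for n in range(int(lo), int(hi) + 1):
            ip = ipaddress.ip_address(n)
            if not any(ip in net for net in exempt):
                missing.append(str(ip))
    return missing


def dangling_references(cfg):
    """Names the config refers to but never defines."""
    problems = []
    for policy, acl in cfg["split_refs"]:
        if acl not in cfg["acls"]:
            problems.append(f"group-policy {policy}: split-tunnel list {acl} is not defined")
    for peer in cfg["peers"]:
        if peer not in cfg["tunnel_groups"]:
            problems.append(f"crypto map peer {peer}: no tunnel-group with that name")
    return problems


if __name__ == "__main__":
    cfg = parse_pix(CONFIG)
    print("inside subnet:", cfg["inside"])
    print("pools inside the LAN subnet:", pool_inside_lan(cfg))
    print("pool addresses not exempt from NAT:", pool_addresses_not_nat_exempt(cfg))
    for p in dangling_references(cfg):
        print("dangling:", p)
```

Run it as-is to see the checks against the excerpt, or paste a full `show running-config` into CONFIG; statements the parser does not recognise are ignored, so the three checks stay meaningful on a larger config.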
