PIX 501 blocking inside to out arp requests

Hello.

I've got a Cisco PIX 501 that I like to use as my border firewall/router for my home. However, I have found one situation where I have to swap the 501 for a dumb Linksys router/NAT device.

I work from home as a software consultant, and one of the clients I work for has a VPN concentrator that I cannot connect to with my PIX inline.

I think I have narrowed it down to the VPN Adapter that is created when I connect to their concentrator.

Ethernet adapter Cisco Systems VPN Adapter:

   Connection-specific DNS Suffix  . : XXXX.XXX
   Description . . . . . . . . . . . : Cisco Systems VPN Adapter
   Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.1.10

There is no 'Default Gateway'. With the PIX inline I cannot connect to their server 192.168.15.2, etc. With the Linksys inline everything seems to work fine.

I have tried to contact their network admin to resolve the issue, but they have been very unresponsive. Is there any setting I can change on my PIX?

I'm guessing (as I'm no network guru) that the Linksys router is allowing ARP requests to traverse the device, and the PIX is blocking them since there is no pre-defined route, or maybe this guess is way off, I don't really know.

Any help would greatly be appreciated.

-Tyler

Reply to Tyler

Probably not.

Do you have the PIX configured to let IPsec packets through?

sysopt connection permit-ipsec

I'm assuming you are already doing NAT-T on your VPN setup since you say the Linksys one works.

Yes, this guess is way off.

Reply to Doug McIntyre

I did not have this statement in my config.

However, other sites that I VPN to worked fine, all "seem" to be configured using IPSec over UDP (NAT / PAT) in the Cisco VPN Client I'm using to connect to the client through my PIX / Linksys router.

I have added the statement to my PIX, but I haven't had a chance to test it yet as the PIX is currently not hooked up. I'll give it a test later today when I disconnect from the client I'm working with.

Thanks

Reply to Tyler

I have put the PIX back in place and added:

sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp

One at a time, testing each separately, none of them made any difference to the connection. I am still unable to ping the address at the other end of the tunnel, as I can when I have my Linksys router in place.

Here is my entire config:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xx
passwd xx
hostname pix
domain-name xxxxxx
clock timezone EST -5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list inbound permit tcp any any eq ssh
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq smtp
access-list inbound permit tcp any any eq domain
access-list inbound permit udp any any eq domain
access-list inbound permit tcp host x.x.x.x any eq www
access-list inbound permit tcp host x.x.x.x any eq 1984
access-list inbound permit tcp host x.x.x.x any eq 1984
access-list outbound permit tcp host 192.168.1.7 any eq smtp
access-list outbound deny tcp any any eq smtp
access-list outbound permit ip any any
pager lines 255
logging on
logging timestamp
logging standby
logging monitor alerts
logging trap informational
logging history debugging
logging facility 19
logging host inside 192.168.1.5
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface ssh 192.168.1.7 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.7 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 192.168.1.7 domain netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.168.1.7 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.7 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1984 192.168.1.7 1984 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
ntp server x.x.x.x source outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection timewait
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
isakmp enable inside
isakmp nat-traversal 3600
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
username XX xx
terminal width 80

Reply to Tyler

Tyler wrote:

Is the DNS server 192.168.1.10 in your network or across the VPN? This could be the problem. Can you connect using IP addresses only?

Regards

Marko

Reply to Marko Uusitalo
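Added example, not code from the thread or from Cisco: a small Python checker that reads a PIX 6.3 config in the form Tyler posted and reports the items the replies asked about in one pass, so the same questions can be answered from the config file instead of by swapping hardware. It checks for `sysopt connection permit-ipsec` and `isakmp nat-traversal`, evaluates the `outbound` access list (first match, implicit deny, as the PIX does) for IKE on UDP/500, NAT-T on UDP/4500 and ESP from an inside host, and flags a VPN-pushed DNS server or VPN subnet that overlaps the inside LAN, which is Marko's question. The embedded config is a constructed subset of Tyler's posted lines with the same values; `203.0.113.1` is a placeholder for the client's concentrator, and the VPN adapter values (DNS 192.168.1.10, subnet 192.168.16.0/27) come from the ipconfig output in the first post.

```python
"""Check a PIX 6.3 config for IPsec VPN-client pass-through settings.

Added example, not part of the thread. Reports the sysopt/isakmp lines,
whether the outbound ACL lets IKE (UDP/500), NAT-T (UDP/4500) and ESP out,
and whether the VPN-pushed DNS server or subnet overlaps the inside LAN.
"""
import ipaddress
import re

# Constructed sample: the subset of Tyler's posted config these checks read.
SAMPLE_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outbound permit tcp host 192.168.1.7 any eq smtp
access-list outbound deny tcp any any eq smtp
access-list outbound permit ip any any
ip address inside 192.168.1.1 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group outbound in interface inside
sysopt connection permit-ipsec
isakmp enable inside
isakmp nat-traversal 3600
"""

# Placeholder address for the client's VPN concentrator (documentation range).
CONCENTRATOR = "203.0.113.1"

# Port keywords PIX 6.3 accepts in ACLs, as far as this sample needs them.
PORT_NAMES = {"ssh": 22, "smtp": 25, "domain": 53, "www": 80}


def parse_lines(config):
    """Return non-empty, non-comment config lines with whitespace trimmed."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def inside_network(lines):
    """Network of the 'ip address inside A.B.C.D MASK' statement, or None."""
    for ln in lines:
        m = re.match(r"ip address inside (\S+) (\S+)$", ln)
        if m:
            return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return None


def _address(tokens, i):
    """Consume one ACL address spec (any | host X | X MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines, name):
    """Entries of access-list NAME as (action, proto, src, dst, dst_port)."""
    entries = []
    for ln in lines:
        t = ln.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        src, i = _address(t, 4)
        dst, i = _address(t, i)
        port = None
        if i + 1 < len(t) and t[i] == "eq":
            port = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
        entries.append((t[2], t[3], src, dst, port))
    return entries


def acl_permits(entries, proto, src_ip, dst_ip, dst_port=None):
    """First-match evaluation as the PIX does it, with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, eproto, src, dst, port in entries:
        if eproto not in ("ip", proto):
            continue
        if s not in src or d not in dst:
            continue
        if port is not None and port != dst_port:
            continue
        return action == "permit"
    return False


def check_vpn_passthrough(config, vpn_dns=None, vpn_subnet=None):
    """Return {check_name: True if fine, False if it needs a look}."""
    lines = parse_lines(config)
    inside = inside_network(lines)
    acl = parse_acl(lines, "outbound")
    src = str(inside[1])  # any inside host; no per-host IKE/ESP rule exists here
    findings = {
        "sysopt_permit_ipsec": "sysopt connection permit-ipsec" in lines,
        "isakmp_nat_traversal": any(ln.startswith("isakmp nat-traversal") for ln in lines),
        "outbound_udp_500": acl_permits(acl, "udp", src, CONCENTRATOR, 500),
        "outbound_udp_4500": acl_permits(acl, "udp", src, CONCENTRATOR, 4500),
        "outbound_esp": acl_permits(acl, "esp", src, CONCENTRATOR),
    }
    if vpn_dns is not None:
        # A pushed DNS server inside the home LAN range is ambiguous for the
        # client's routing table: the LAN's connected route and the tunnel both claim it.
        findings["vpn_dns_outside_inside_lan"] = ipaddress.ip_address(vpn_dns) not in inside
    if vpn_subnet is not None:
        findings["vpn_subnet_disjoint_from_inside_lan"] = \
            not ipaddress.ip_network(vpn_subnet, strict=False).overlaps(inside)
    return findings


if __name__ == "__main__":
    # VPN adapter values taken from the ipconfig output in the first post.
    results = check_vpn_passthrough(SAMPLE_CONFIG, vpn_dns="192.168.1.10",
                                    vpn_subnet="192.168.16.0/27")
    for name, ok in results.items():
        print(f"{'OK  ' if ok else 'LOOK'} {name}")
```

On Tyler's posted config every ACL check passes, because `access-list outbound permit ip any any` is the last entry and nothing before it matches UDP or ESP; the one item the script marks for a look is the pushed DNS server 192.168.1.10, which falls inside the home LAN 192.168.1.0/24. The `sysopt connection permit-ipsec` check is included because the thread discusses it, but note that this command exempts traffic of IPsec tunnels terminating on the PIX itself from interface ACLs; for a VPN client passing through the PIX to an outside concentrator, the outbound ACL and the NAT/NAT-T handling are what decide whether the packets get out.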
