Hi all of you,
I know this question has been posted in the past, I've read them all/most of them :-). I've been searching the groups and the Cisco site for days but can't figure this one out, so if someone could help that would be great, because I'm going nuts over this PIX...
This is the setup:

comp with cisco vpn client ---- internet ---- pix 501 ---- 172.16.1.0/24 net
VPN client is version 4.6, PIX is version 6.3(4).
The PIX has a public IP (it's at our colocation) and is directly connected to a router.
I am able to connect to the PIX with the VPN client, but when I ping a machine in the 172.16.1.x net it fails. The Internet connection is still up and running when connected to the VPN (because of the split-tunnel).
When I turn on ICMP trace debugging I see the packets coming from the comp and returning from the machine in the 172.16.1 range, but the replies don't seem to go 'back into the tunnel'. As you can see below, the local IP pool is excluded from NAT.
I've debugged all I can think of, but it seems like some kind of routing issue where the PIX drops the echo replies coming from 172.16.1.10 to 192.168.1.100.

Does anybody have any ideas? Is there something missing in the config? I've set up a lot of 836/837's with VPN, but you don't need to create a specific route there ...
Thanks for your help
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside [PUBLIC IP] 255.255.255.0
ip address inside 172.16.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool 192.168.100.100-192.168.100.200
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 [PUBLIC ROUTER] 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 100 set transform-set myset
crypto map newmap 200 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 200 authentication pre-share
isakmp policy 200 encryption 3des
isakmp policy 200 hash md5
isakmp policy 200 group 2
isakmp policy 200 lifetime 86400
vpngroup test address-pool mypool
vpngroup test default-domain test-domain
vpngroup test split-tunnel 100
vpngroup test idle-time 1800
vpngroup test password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d7bfa50e8e18401ba0b1720a3ca3411d
: end
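The post hinges on three pieces of the configuration working together: the `ip local pool` the VPN client draws its address from, the `nat (inside) 0 access-list` exemption that must cover LAN-to-client traffic so the echo replies are not translated, and the `vpngroup ... split-tunnel` ACL that tells the client which networks to send through the tunnel. The following checker is an added example written for this page; it is not the poster's code and not a Cisco tool. It parses just those PIX 6.3 commands from an excerpt of the posted configuration (embedded below as constructed sample input) and answers, for a given LAN host and client address, whether the reply flow would bypass NAT, whether the client address is actually in the pool, and whether the LAN host falls under the split-tunnel ACL. The `parse_config` / `nat_exempt` / `in_pool` / `split_tunnel_covers` / `uncovered_pool_addresses` names and the simplified `permit ip src mask dst mask` ACE format it understands are assumptions of this example.

```python
"""Sanity-check PIX 6.3 VPN-client NAT exemption and split-tunnel coverage.

Added example for this thread (not the poster's code, not a Cisco tool).
Only the commands that decide whether LAN <-> VPN-client traffic bypasses
NAT are parsed; everything else in the configuration is ignored.
"""
import ipaddress
import re

# Constructed excerpt of the posted configuration: just the lines the check needs.
SAMPLE_CONFIG = """
access-list 100 permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
ip address inside 172.16.1.2 255.255.255.0
ip local pool mypool 192.168.100.100-192.168.100.200
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
vpngroup test address-pool mypool
vpngroup test split-tunnel 100
"""

# Assumed, simplified grammar: one ACE form ("permit ip src mask dst mask").
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) ([^-\s]+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
VPNGROUP_RE = re.compile(r"^vpngroup (\S+) (address-pool|split-tunnel) (\S+)$")
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)$")


def parse_config(text):
    """Return a dict with ACLs, pools, nat 0 bindings, vpngroups and inside net."""
    cfg = {"acls": {}, "pools": {}, "nat0": {}, "vpngroups": {}, "inside": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            # ipaddress accepts "network/dotted-mask" directly.
            cfg["acls"].setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := POOL_RE.match(line):
            name, lo, hi = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif m := NAT0_RE.match(line):
            iface, acl = m.groups()
            cfg["nat0"][iface] = acl          # nat (iface) 0 access-list <acl>
        elif m := VPNGROUP_RE.match(line):
            group, key, value = m.groups()
            cfg["vpngroups"].setdefault(group, {})[key] = value
        elif m := INSIDE_RE.match(line):
            cfg["inside"] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
    return cfg


def nat_exempt(cfg, lan_ip, client_ip, iface="inside"):
    """True if the LAN-host -> client flow (e.g. an echo reply) matches nat 0."""
    aces = cfg["acls"].get(cfg["nat0"].get(iface), [])
    lan, client = ipaddress.ip_address(lan_ip), ipaddress.ip_address(client_ip)
    return any(lan in src and client in dst for src, dst in aces)


def in_pool(cfg, group, ip):
    """True if ip lies inside the address pool bound to the vpngroup."""
    pool = cfg["vpngroups"].get(group, {}).get("address-pool")
    if pool not in cfg["pools"]:
        return False
    lo, hi = cfg["pools"][pool]
    return lo <= ipaddress.ip_address(ip) <= hi


def split_tunnel_covers(cfg, group, lan_ip):
    """True if the split-tunnel ACL would send traffic for lan_ip into the tunnel."""
    acl = cfg["vpngroups"].get(group, {}).get("split-tunnel")
    return any(ipaddress.ip_address(lan_ip) in src for src, _ in cfg["acls"].get(acl, []))


def uncovered_pool_addresses(cfg, group, iface="inside"):
    """Pool addresses for which inside-LAN -> client traffic would NOT be NAT-exempt."""
    pool = cfg["vpngroups"][group]["address-pool"]
    lo, hi = cfg["pools"][pool]
    aces = cfg["acls"].get(cfg["nat0"].get(iface), [])
    missing, addr = [], lo
    while addr <= hi:
        if not any(cfg["inside"].subnet_of(src) and addr in dst for src, dst in aces):
            missing.append(str(addr))
        addr += 1
    return missing


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("pool addresses without NAT exemption:",
          uncovered_pool_addresses(cfg, "test") or "none")
    # A pool address, and an address outside the pool for contrast.
    for client in ("192.168.100.100", "192.168.1.100"):
        print(f"{client}: in pool={in_pool(cfg, 'test', client)} "
              f"172.16.1.10->{client} nat-exempt={nat_exempt(cfg, '172.16.1.10', client)}")
    print("split-tunnel covers 172.16.1.10:", split_tunnel_covers(cfg, "test", "172.16.1.10"))
```

Run it against a fuller configuration by pasting the relevant lines into `SAMPLE_CONFIG` or reading a file; any address printed under "pool addresses without NAT exemption" would have its replies translated by `nat (inside) 1` instead of going back through the tunnel, which is the symptom to rule out first before looking at routing on the inside host.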