PIX 501 not sending data into IPsec tunnel? (can't find solution in groups)

Hi all of you,

I know this question has been posted in the past; I've read all/most of them :-). I've been searching the groups and the Cisco site for days but can't figure this one out, so if someone could help, that would be great, because I'm going nuts over this PIX...

This is the setup

comp with Cisco VPN client <--> internet <--> PIX 501 <--> 172.16.1.0/24 net

VPN client is version 4.6, PIX is version 6.3(4)

The PIX has a public IP (it's in our colocation) and is directly connected to a router.

I am able to connect to the PIX with the VPN client, but when I ping a machine in the 172.16.1.x net it fails. The internet connection is still up and running when connected to the VPN (because of the split tunnel).

When I turn on ICMP trace debugging I see the packets coming from the comp and returning from the machine in the 172.16.1 range, but the replies don't seem to go 'back into the tunnel'. As you can see below, the local IP pool is excluded from NAT.

I've debugged all I can think of, but it seems like some kind of routing issue where the PIX drops the echo replies coming from 172.16.1.10 to 192.168.1.100.

Does anybody have any ideas? Is there something missing in the config? I've set up a lot of 836/837s with VPN, but you don't need to create a specific route there...

Thanks for your help

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
: ACL 100 is referenced twice below: by "nat (inside) 0" and by "vpngroup test split-tunnel"
access-list 100 permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside [PUBLIC IP] 255.255.255.0
ip address inside 172.16.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool 192.168.100.100-192.168.100.200
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 100
: nat id 1 has no matching "global (outside) 1" in this config
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 [PUBLIC ROUTER] 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 100 set transform-set myset
crypto map newmap 200 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 200 authentication pre-share
isakmp policy 200 encryption 3des
isakmp policy 200 hash md5
isakmp policy 200 group 2
isakmp policy 200 lifetime 86400
vpngroup test address-pool mypool
vpngroup test default-domain test-domain
vpngroup test split-tunnel 100
vpngroup test idle-time 1800
vpngroup test password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d7bfa50e8e18401ba0b1720a3ca3411d
: end
Reply to
lowlife123

Never use the same ACL for two different purposes. Here you are using it for nat 0 access-list and also for split-tunnel.

Reply to
Walter Roberson

Thanks for your reply. I've created a new access list:

access-list 100 permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpnsplit permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 100
vpngroup test split-tunnel vpnsplit

but it makes no difference; still no data. Is the access list itself good? A misconfigured access list could be a logical explanation.

I also tried:

access-list vpnsplit permit ip 172.16.1.0 255.255.255.0 any

but that made no difference; can't ping the host, can't connect to the host.

Have you got any other tips?

Reply to
lowlife123

Cisco doc on pinging through the PIX (not sure if your case would be considered "through"): "Handling ICMP Pings with the PIX Firewall"


Reply to
Merv

"lowlife123" wrote in message news: snipped-for-privacy@g43g2000cwa.googlegroups.com...

Where is your global 1?

Add the command: isakmp nat-t. This enables clients behind NAT to pass traffic. I believe this to be your problem.

Does your SHOW VER list the 3DES license?

Reply to
Martin Bilgrav

Thanks for your reply; the ping isn't the only thing that doesn't work. A 'simple' telnet doesn't work either. I've tried the stuff listed in the Cisco document you gave me, but that doesn't help. Just as a temp. solution I've created a static link between the Cisco device behind the NAT I want to reach and ACL-ed that one. That works fine, so it is some kind of networking problem.

The other thing is I've enabled 'sysopt connection permit-ipsec', which (correct me if I'm wrong :-) means that no ACLs are applied to the traffic going into the tunnel.

I'm going really nuts over this PIX....

Reply to
lowlife123

Sorry, made a typo/missed some words (need more sleep :-)

"Just as a temp. solution I've created a static link between the Cisco device behind the NAT I want to reach and ACL-ed that one. That works fine, so it is some kind of networking problem."

should be

"Just as a temp. solution I've created a static link between the Cisco device behind the PIX and the outside interface of the PIX and ACL-ed that one. That works fine, so it is NOT some kind of networking problem."

Reply to
lowlife123

Thanks for your reply.

I've tried both your suggestions but no luck. Isn't NAT traversal used to pass IPsec packets over a NAT connection? The PIX doesn't NAT the packets coming from the local net (hence the 'nat (inside) 0...' line), so this shouldn't have any effect, should it?

I also tried another suggestion I got in the mail: selecting an IP pool within the local net instead of a completely different range, but no luck either.

3DES encryption is there:

VPN-DES: Enabled
VPN-3DES-AES: Enabled

I've configured a lot of Cisco (VPN) devices, but this one is really starting to drive me nuts; how difficult can it be to set up a VPN connection with a PIX? :'(

I hope someone else has some more suggestions.

Reply to
lowlife123

Hi everybody, I got the PIX working and wanted to share the answer with you.

I'm pretty sure the answer is that the PIX by default blocks the VPN traffic on the outside interface (at least my PIX does), and creating an access-list which permits the traffic between the local net and the IP pool solved the problem.

Below is a working config where 172.16.1.0 255.255.255.0 is the local net behind the PIX and 192.168.100.10-192.168.100.20 is the VPN pool. This example works with Cisco VPN client 4.x from WinXP to the PIX. I am able to ping a device behind the PIX (just make sure this device has the PIX as default gateway, because the packets will originate from a 192.168.100 address and thus it needs to send the replies to its default router, OR use an IP pool from the same subnet) and I am able to telnet to this specific Cisco device behind the PIX :-)

Note: this is just a basic setup; you would want to create more security with trimmed-down access-lists, extra authentication, etc.

Reply to
lowlife123
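The config the final post refers to is not reproduced on this page, so here is a worked PIX 6.3 configuration that follows the thread's conclusions: one ACL per purpose (the nat 0 exemption and the split-tunnel list kept separate, as Walter Roberson advises above), an explicit outside access-list between the client pool and the inside net as in the final post, and the global for nat id 1 that Martin Bilgrav asked about. This is an added example written for this page, not lowlife123's config. The names vpnpool, nonat, vpnsplit, outside_in, vpnmap and the bracketed placeholders are assumptions; the pool and net addresses are the thread's. The isakmp nat-traversal line is the PIX 6.3 spelling of the NAT-T suggestion above and is optional if no client sits behind a NAT device.

```cisco
: PIX 6.3(4) remote-access IPsec example. Added for this page; not the thread's own config.
: Placeholders: [PUBLIC IP], [PUBLIC ROUTER], [GROUP PASSWORD].
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside [PUBLIC IP] 255.255.255.0
ip address inside 172.16.1.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 [PUBLIC ROUTER] 1
: Pool handed to VPN clients. Inside hosts must route 192.168.100.0/24 back to
: 172.16.1.2 (simplest: the PIX is their default gateway), otherwise replies never
: reach the tunnel even though the PIX decrypted the request.
ip local pool vpnpool 192.168.100.10-192.168.100.20
: Three separate ACLs, one per purpose. Never point nat 0 and split-tunnel at the same list.
: 1. Inside-to-pool traffic is exempt from NAT so it is encrypted with its real source.
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
: 2. Pushed to the client: only 172.16.1.0/24 goes into the tunnel, everything else
:    stays on the client's normal internet path (split tunnelling).
access-list vpnsplit permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
: 3. What VPN clients may reach on the inside. Keep it to the pool and the inside net;
:    tighten to specific hosts/ports once the tunnel is proven to work.
access-list outside_in permit ip 192.168.100.0 255.255.255.0 172.16.1.0 255.255.255.0
access-group outside_in in interface outside
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
: nat id 1 does nothing without a matching global; PAT general inside traffic to the outside address.
global (outside) 1 interface
: Decrypted IPsec traffic is allowed through without an interface ACL check.
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
: NAT-T with a 20-second keepalive, for clients behind a home router or hotel NAT.
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup test address-pool vpnpool
vpngroup test default-domain test-domain
vpngroup test split-tunnel vpnsplit
vpngroup test idle-time 1800
vpngroup test password [GROUP PASSWORD]
```

To check it rather than guess: after a client connects, `show crypto ipsec sa` should show both the encaps and decaps counters rising while you ping an inside host; if only decaps rises, the request is arriving but the reply is not coming back to the PIX (default-gateway problem on the host). `show access-list outside_in` shows hit counts per line, `show nat` and `show xlate` confirm that pool traffic is not being translated, and `debug icmp trace` shows each echo and reply with its interfaces, as in the original post. Note that 3DES needs the VPN-3DES-AES feature to show as Enabled in `show version`, which the thread already confirmed.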

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.