PIX 506e VPN issue - cannot ping internal network

Hi All,

I'm having an issue with remote connecting to my network using PPTP. The VPN connection authenticated fine, however I cannot ping any of the machines on the internal network.

Myself and the other network guys have gone through the config, and can't find out why this is, and I was really hoping someone would be able to help me. The guy who configured the PIX has done a runner to Australia, so we're a bit up a creek here!!

The relevant config is copied below -

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XX encrypted
passwd XX encrypted
hostname X
domain-name XX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name X mail_outside
name 192.168.1.9 srvroom
name 192.168.1.8 inbound_SMTP
name 192.116.106.242 ARCPHC
name 172.168.0.0 HQ
name X LondonPIX
name 192.168.1.11 DC
name 192.168.1.1 mailserv
name 192.168.1.3 notes
name 192.168.1.4 fileserv
object-group service DNS tcp-udp
  description DNS
  port-object eq domain
object-group service LANGlobal tcp
  group-object DNS
  port-object eq ftp
  port-object eq pop3
  port-object eq domain
  port-object eq www
  port-object eq https
object-group service test udp
  group-object DNS
  port-object eq dnsix
  port-object eq nameserver
  port-object eq domain
access-list outside_access_in remark Allow Mail delivery
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in remark Allow X ARC HQ Connectivity
access-list outside_access_in permit ip HQ 255.255.252.0 any
access-list outside_access_in permit tcp any eq smtp host mail_outside eq smtp
access-list outside_access_in remark Allow IPsec Traffic
access-list outside_access_in permit udp host ARCPHC host X eq isakmp
access-list outside_access_in remark Allow IPsec Traffic
access-list outside_access_in permit ah host ARCPHC host X
access-list outside_access_in remark Allow IPsec Traffic
access-list outside_access_in permit esp host ARCPHC host X
access-list outside_access_in permit tcp any object-group LANGlobal X 255.255.255.0 object-group LANGlobal
access-list outside_access_in remark Web Access
access-list outside_access_in permit tcp any host X eq www
access-list outside_access_in permit icmp HQ 255.255.0.0 X 255.255.255.0
access-list outside_access_in deny udp any eq 1434 any
access-list outside_access_in remark Allow ICMP
access-list outside_access_in permit icmp any any
access-list outside_access_in deny tcp any any
access-list outside_access_in remark Block everything to come in.
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 HQ 255.255.0.0
access-list inside_access_in deny udp any eq 1434 any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0
pager lines 24
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside X 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool 192.168.1.200-192.168.1.210
pdm location mail_outside 255.255.255.255 outside
pdm location 192.168.1.192 255.255.255.224 outside
pdm location srvroom 255.255.255.255 inside
pdm location inbound_SMTP 255.255.255.255 inside
pdm location notes 255.255.255.255 inside
pdm location HQ 255.255.252.0 outside
pdm location LondonPIX 255.255.255.255 outside
pdm location ARCPHC 255.255.255.255 outside
pdm location LondonPIX 255.255.255.255 inside
pdm location HQ 255.255.0.0 outside
pdm location mailserv 255.255.255.255 inside
pdm location DC 255.255.255.255 inside
pdm location fileserv 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.7 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) mail_outside inbound_SMTP netmask 255.255.255.255 0 0
static (inside,outside) X fileserv netmask 255.255.255.255 0 0
static (inside,outside) X notes netmask 255.255.255.255 0 0
static (inside,outside) X 192.168.1.7 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 62.189.104.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http srvroom 255.255.255.255 inside
http notes 255.255.255.255 inside
http mailserv 255.255.255.255 inside
http DC 255.255.255.255 inside
http fileserv 255.255.255.255 inside
http 192.168.1.7 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set X
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer ARCPHC
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address ARCPHC netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet srvroom 255.255.255.255 inside
telnet mailserv 255.255.255.255 inside
telnet fileserv 255.255.255.255 inside
telnet 192.168.1.7 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 10
vpdn group HQ1 accept dialin pptp
vpdn group HQ1 ppp authentication mschap
vpdn group HQ1 ppp encryption mppe 40
vpdn group HQ1 client configuration address local vpn_pool
vpdn group HQ1 client configuration dns DC
vpdn group HQ1 client configuration wins mailserv
vpdn group HQ1 pptp echo 60
vpdn group HQ1 client authentication local
vpdn username HQ1 password *********
vpdn username HQ2 password *********
vpdn username HQ3 password *********
vpdn username HQ4 password *********
vpdn username HQ5 password *********
vpdn enable outside
dhcprelay server DC inside
dhcprelay enable outside
dhcprelay setroute outside
: end
[OK]

Would really appreciate if someone could point me in the right direction...cheers..

K
Reply to
kammy_boy186

In article , wrote:
:I'm having an issue with remote connecting to my network using PPTP.
:The VPN connection authenticated fine, however I cannot ping any of the
:machines on the internal network.

:PIX Version 6.3(1)

6.3(1) has a number of known security problems. I recommend that you look on cisco's site under the keywords PIX Security Advisories for information on free updates.

:name X mail_outside

:name X LondonPIX

You cannot use two 'name' statements with the same IP address.

:access-list outside_access_in permit tcp any any eq smtp

:access-list outside_access_in permit tcp any eq smtp host mail_outside eq smtp

That line is redundant:

The first line I quoted permits smtp from anywhere outside to anywhere inside, so the later line that is more selective about smtp will never match since matches go top down.

Also, remote SMTP clients (and servers) will almost never use the smtp port (25) as their -source- port for SMTP transactions.

:access-list outside_access_in remark Allow IPsec Traffic
:access-list outside_access_in remark Allow IPsec Traffic
:access-list outside_access_in remark Allow IPsec Traffic

Duplicate remark statements will sometimes be thrown away.

:access-list outside_access_in permit tcp any object-group LANGlobal X 255.255.255.0 object-group LANGlobal

:access-list outside_access_in permit tcp any host X eq www

In what you posted, you treat X both as a host and as a subnet base address. That would be wrong unless the two X's are really different things.

:access-list outside_access_in permit icmp any any

:access-list outside_access_in deny tcp any any

That's redundant -- when you get to the end of the list, anything not permitted will be denied.

:access-list inside_access_in permit ip any any
:access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 HQ 255.255.0.0

Until PIX 7.0, the PIX doesn't handle anything other than IP, so all the lines after the first are redundant since icmp and so on are subsets of ip.

:access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0

:name 172.168.0.0 HQ

:access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0

You want a VPN that covers traffic to large chunks of AOL ??

NetRange:   172.128.0.0 - 172.191.255.255
NetName:    AOL-172BLK
NetHandle:  NET-172-128-0-0-1
TechHandle: AOL-NOC-ARIN
TechName:   America Online, Inc.

Are you sure you don't mean 172.16.0.0 instead of 172.168.0.0 ??

:ip address outside X 255.255.255.240

If that is the same X that appeared in some of your ACL entries, then you need to recode the ACL entries to use the keyword 'interface outside' instead of 'host X'.

:ip address inside 192.168.1.5 255.255.255.0

:ip local pool vpn_pool 192.168.1.200-192.168.1.210

:vpdn group HQ1 accept dialin pptp

:vpdn group HQ1 client configuration address local vpn_pool

Classic mistake. The pool you allocate for any incoming VPN must be of addresses that are "outside" relative to your inside interface. IPSec, PPTP and so on only work on traffic that crosses the PIX, but when you allocate a PPTP IP that is within the range covered by the inside interface, then when any host on the inside goes to send packets to the PPTP host, the PIX looks at the packet, sees that the "route" to the destination is back through the inside interface, and promptly discards the packet.

Try:

ip local pool vpn_pool 192.168.2.200-192.168.2.210

By the way: did you want your PPTP users to be able to access the IPSec tunnel to HQ?

Reply to
Walter Roberson
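The checks in the reply above, mechanised as a small linter. This is an added example, not code from the thread or from Cisco: it parses the plain any / host / addr-mask forms of the posted access-list entries (object-group entries are skipped), resolves `name` aliases, and reports entries that an earlier entry in the same list fully covers (the PIX evaluates an ACL top-down and stops at the first match, and `ip` includes tcp, udp and icmp), two `name` entries for one address, a `name` that is not RFC 1918 space, and a VPN pool that falls inside the inside interface's subnet. The sample config is constructed from the posted lines; the poster's X placeholders are replaced with the documentation address 203.0.113.10 (an assumption) so that the lines parse.

```python
"""PIX 6.3 config linter: dead ACL entries, duplicate names, pool-in-LAN.
Added example for this thread; not the poster's or Cisco's code."""
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed from the posted config.  The poster's 'X' placeholders are
# replaced by the documentation address 203.0.113.10 (assumption) so the lines
# parse; mail_outside and LondonPIX both get it, as both were 'X' in the post.
SAMPLE = """
name 203.0.113.10 mail_outside
name 172.168.0.0 HQ
name 203.0.113.10 LondonPIX
name 192.168.1.8 inbound_SMTP
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit ip HQ 255.255.252.0 any
access-list outside_access_in permit tcp any eq smtp host mail_outside eq smtp
access-list outside_access_in permit icmp any any
access-list outside_access_in deny tcp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 HQ 255.255.0.0
ip address inside 192.168.1.5 255.255.255.0
ip local pool vpn_pool 192.168.1.200-192.168.1.210
"""


def _addr(tok, i, names):
    """Consume one address spec at tok[i]: (network, next index), or None if unsupported."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(names.get(tok[i + 1], tok[i + 1])), i + 2
    if tok[i] == "object-group":          # not modelled here
        return None
    addr = names.get(tok[i], tok[i])      # resolve a 'name' alias, else literal
    return ipaddress.ip_network(f"{addr}/{tok[i + 1]}", strict=False), i + 2


def _port(tok, i):
    """Optional 'eq PORT' at tok[i]; returns (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return tok[i + 1], i + 2
    return None, i


def parse_ace(tok, names):
    """(action, proto, src, sport, dst, dport) for one permit/deny line, or None."""
    action, proto = tok[2], tok[3]
    if proto == "object-group":
        return None
    src = _addr(tok, 4, names)
    if src is None:
        return None
    sport, i = _port(tok, src[1])
    dst = _addr(tok, i, names)
    if dst is None:
        return None
    dport, _ = _port(tok, dst[1])
    return action, proto, src[0], sport, dst[0], dport


def parse(text):
    """Collect name aliases, per-ACL entries, local pools and the inside subnet."""
    names, acls, pools, inside = {}, defaultdict(list), [], None
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "name":
            names[tok[2]] = tok[1]
        elif tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            ace = parse_ace(tok, names)
            if ace:
                acls[tok[1]].append((raw, ace))
        elif tok[:3] == ["ip", "address", "inside"]:
            inside = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            pools.append((tok[3], ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return names, acls, pools, inside


def covers(a, b):
    """True when earlier ACE a matches every packet later ACE b would match."""
    _, pa, sa, spa, da, dpa = a
    _, pb, sb, spb, db, dpb = b
    return (pa in ("ip", pb) and sb.subnet_of(sa) and db.subnet_of(da)
            and spa in (None, spb) and dpa in (None, dpb))


def shadowed(acl):
    """[(earlier line, dead later line, same action?)]: first match wins on the PIX."""
    out = []
    for j, (raw_b, b) in enumerate(acl):
        for raw_a, a in acl[:j]:
            if covers(a, b):
                out.append((raw_a, raw_b, a[0] == b[0]))
                break
    return out


def report(text):
    names, acls, pools, inside = parse(text)
    by_ip = defaultdict(list)
    for n, ip in names.items():
        by_ip[ip].append(n)
    return {
        "duplicate_names": {ip: ns for ip, ns in by_ip.items() if len(ns) > 1},
        "non_rfc1918_names": sorted(n for n, ip in names.items()
                                    if not any(ipaddress.ip_address(ip) in r for r in RFC1918)),
        "shadowed": {k: shadowed(v) for k, v in acls.items() if shadowed(v)},
        "pool_inside_lan": [p for p, lo, hi in pools if inside and (lo in inside or hi in inside)],
    }


if __name__ == "__main__":
    for key, finding in report(SAMPLE).items():
        print(f"{key}: {finding}")
```

A shadowed entry with the same action is merely dead weight; one with a different action is a policy bug, since the earlier line decides before the later one is reached. Pasting the rest of the posted config into SAMPLE (with the X placeholders filled in) runs the same checks over the whole access-list set.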

Many thanks Walter.

I created a new VPN IP pool 192.168.2.200 - 192.168.2.210 and tried again but it didn't work, so I added 192.168.2.0/24 as an Outside Network on the PIX and then created a rule allowing 192.168.2.0/24 [outside] to 192.168.1.0/24 [inside], but I am still having the same problem :(

Obviously, 192.168.2.0/24 is not really an outside address, but I'm assuming the PIX classes VPN connections as such and there needs to be a way it can communicate with the internal network?

Any pointers?

K
Reply to
kammy_boy186

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.