I have a PIX 515E with OS 6.3(4). I have three networks (outside, dmz, inside). I connect with a VPN client (4.x) and I can ping and connect to the inside networks (dmz, inside) without any problem.
But when I try to ping or access any outside network, I have this entry in my logs:
No route to from .
I am kinda at a loss, and I am afraid that I can't make it work that VPN clients can connect to the outside. Is there any way to make it work?
Here is my conf from my PIX. Any kind of help would be appreciated.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 bcc security50
enable password XXXXXX encrypted
passwd XXXXXX encrypted
hostname pfw
domain-name tequila.co.jp
clock timezone JST 9
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name ftp
name 192.168.5.10 asterix
name 192.168.5.0 Servers
name 192.168.12.0 IT_Group
name 192.168.7.0 Printers
name 192.168.5.220 testlinuxbox
access-list inside_access_in remark from asterix to a server in poland
access-list inside_access_in deny tcp host asterix host \
 eq www log 1 interval 1
access-list inside_access_in remark from asterix to a server in poland
access-list inside_access_in deny tcp host asterix host \
 eq www log 1 interval 1
access-list inside_access_in remark from spybot to outside world
access-list inside_access_in deny tcp any eq 3107 any log 1 interval 1
access-list inside_access_in remark connections to samba outbound
access-list inside_access_in deny tcp any any eq 445 log 1 interval 1
access-list inside_access_in remark allow all IP traffic from LAN to WAN
access-list inside_access_in permit ip any any log interval 1
access-list bcc_access_in remark allow all IP traffic from BCC to WAN/LAN
access-list bcc_access_in permit ip any any log interval 1
access-list bcc_access_in remark allow printing from BCC range
access-list bcc_access_in permit tcp 172.16.0.0 255.255.0.0 Printers\
 255.255.255.0
access-list bcc_access_in remark domain to ramen
access-list bcc_access_in permit udp 172.16.88.0 255.255.255.0 host\
 192.168.5.15 eq domain log
access-list bcc_access_in remark domain to soba
access-list bcc_access_in permit udp 172.16.88.0 255.255.255.0 host\
 192.168.5.11 eq domain
access-list bcc_access_in remark allow BCC range to HTTP on testlinux box
access-list bcc_access_in permit tcp 172.16.88.0 255.255.255.0 host\
 testlinuxbox eq www
access-list outside_access_in remark allow ICMP back packages
access-list outside_access_in permit icmp any any log interval 1
access-list outside_access_in permit tcp any host ftp eq 3389
access-list outside_access_in permit tcp any interface outside eq 37337
access-list outside_access_in permit tcp any interface outside eq 10000
access-list inside_outbound_nat0_acl remark tbwa vpn to inside
access-list inside_outbound_nat0_acl permit ip any 192.168.226.0 255.255.255.0
access-list inside_outbound_nat0_acl remark vpn to inside
access-list inside_outbound_nat0_acl permit ip any 192.168.225.0 255.255.255.0
access-list bcc_outbound_nat0_acl remark vpn to bcc
access-list bcc_outbound_nat0_acl permit ip any 192.168.225.0 255.255.255.0
access-list bcc_outbound_nat0_acl remark tbwa vpn to bcc
access-list bcc_outbound_nat0_acl permit ip any 192.168.226.0 255.255.255.0
access-list outside_cryptomap_dyn_4 remark tequila vpn
access-list outside_cryptomap_dyn_4 permit ip any 192.168.225.0 255.255.255.0
access-list outside_cryptomap_dyn_4 remark tbwa vpn
access-list outside_cryptomap_dyn_4 permit ip any 192.168.226.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging facility 23
icmp permit host 192.168.12.6 inside
icmp permit host 192.168.12.200 inside
mtu outside 1500
mtu inside 1500
mtu bcc 1500
ip address outside 255.255.255.224
ip address inside 192.168.1.5 255.255.0.0
ip address bcc 172.16.15.13 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Tequila 192.168.225.2-192.168.225.250
ip local pool Tbwa 192.168.226.2-192.168.226.250
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address bcc
pdm location 192.168.1.0 255.255.255.0 inside
pdm location IT_Group 255.255.255.0 inside
pdm location ftp 255.255.255.255 outside
pdm location 192.168.12.6 255.255.255.255 inside
pdm location 255.255.255.255 outside
pdm location asterix 255.255.255.255 inside
pdm location 255.255.255.255 outside
pdm location Servers 255.255.255.0 inside
pdm location 192.168.12.200 255.255.255.255 inside
pdm location 192.168.5.15 255.255.255.255 inside
pdm location 192.16.5.50 255.255.255.255 inside
pdm location 172.16.88.222 255.255.255.255 bcc
pdm location 172.16.88.220 255.255.255.255 bcc
pdm location 172.16.88.0 255.255.255.0 bcc
pdm location 192.168.5.11 255.255.255.255 inside
pdm location 192.168.12.14 255.255.255.255 inside
pdm location Printers 255.255.255.0 inside
pdm location testlinuxbox 255.255.255.255 inside
pdm location 255.255.255.255 bcc
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 10 interface
global (bcc) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 192.168.0.0 255.255.0.0 0 0
nat (bcc) 0 access-list bcc_outbound_nat0_acl
nat (bcc) 10 172.16.0.0 255.255.0.0 0 0
static (inside,outside) tcp interface 37337 testlinuxbox ssh netmask\
 255.255.255.255 0 0
static (inside,outside) tcp interface 10000 testlinuxbox www netmask\
 255.255.255.255 0 0
static (inside,bcc) Printers Printers netmask 255.255.255.0 0 0
static (inside,bcc) 192.168.5.15 192.168.5.15 netmask 255.255.255.255 0 0
static (inside,bcc) 192.168.5.11 192.168.5.11 netmask 255.255.255.255 0 0
static (bcc,outside) ftp 172.16.88.220 netmask 255.255.255.255 0 0
static (inside,bcc) testlinuxbox testlinuxbox netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group bcc_access_in in interface bcc
rip inside passive version 2
rip inside default version 2
rip bcc passive version 2
rip bcc default version 2
route outside 0.0.0.0 0.0.0.0 211.14.136.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
ntp server 192.168.5.15 source inside prefer
http server enable
http 192.168.1.0 255.255.255.0 inside
http IT_Group 255.255.255.0 inside
snmp-server host inside 192.168.12.14
snmp-server location tokyo
no snmp-server contact
snmp-server community pixfwteq
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 4 match address outside_cryptomap_dyn_4
crypto dynamic-map outside_dyn_map 4 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 4 set security-association lifetime seconds\
 36000 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 255.255.255.255 no-xauth
isakmp nat-traversal 50
isakmp log 500
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 5000
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 10000
vpngroup ATest address-pool TestA
vpngroup ATes
vpngroup ATest password ********
vpngroup BTest address-pool Tbwa
vpngroup BTest dns-server 192.168.5.15 192.168.5.11
vpngroup BTest default-domain tokyo.tbwa.jp
vpngroup BTest idle-time 1800
vpngroup BTest password ********
telnet timeout 5
ssh 192.168.12.6 255.255.255.255 inside
ssh 192.168.12.200 255.255.255.255 inside
ssh timeout 5
management-access outside
console timeout 0
vpdn username foo password ********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcprelay server 192.168.5.15 outside
terminal width 80
Cryptochecksum:f26168e296f9e3881d921d5617e2bd14