PIX advice needed

I am able to VPN into my PIX from the Internet - I get an address from the local pool. But when I try to PING anything on the inside I get timeouts... I have tried different address pools - even one on the same subnet as the inside interface; also tried split tunnel on & off - all results are the same... Can anyone spot the problem & advise? TIA, Ned

***********
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 ether2 security90
names
access-list 102 permit ip 172.29.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 172.29.0.0 255.255.0.0 172.22.0.0 255.255.0.0
access-list 102 permit ip 172.29.0.0 255.255.0.0 172.30.0.0 255.255.0.0
access-list 102 permit ip 172.30.0.0 255.255.0.0 172.29.0.0 255.255.0.0
access-list 112 permit tcp any any eq www
access-list 112 permit icmp any any
access-list 112 permit tcp host 172.2.0.1 host 77.92.238.229 eq 3389
access-list 112 permit tcp host 172.22.0.1 host 77.92.238.229 eq 3389
access-list 112 permit ip any any
ip address outside 77.92.238.226 255.255.255.248
ip address inside 172.29.11.254 255.255.0.0
no ip address ether2
ip audit info action alarm
ip audit attack action alarm
ip local pool LAN1vpn 192.168.2.1-192.168.2.100
ip local pool mypool1 172.22.0.1-172.22.0.6
ip local pool mypool2 172.29.11.1-172.29.11.6
pdm history enable
arp timeout 14400
global (outside) 1 77.92.238.227
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 77.92.238.229 172.29.11.250 netmask 255.255.255.255 0 0
access-group 112 in interface outside
route outside 0.0.0.0 0.0.0.0 77.92.152.1 1
route inside 172.30.0.0 255.255.0.0 172.29.11.253 1
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set trns1 esp-3des esp-sha-hmac
crypto ipsec transform-set trmset1 esp-3des esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup user5 address-pool LAN1vpn
vpngroup user5 idle-time 600
vpngroup user5 password ********
vpngroup user6 address-pool mypool1
vpngroup user6 split-tunnel 102
vpngroup user6 idle-time 600
vpngroup user6 password ********
vpngroup user7 address-pool mypool2
vpngroup user7 split-tunnel 102
vpngroup user7 idle-time 600
vpngroup user7 password ********
console timeout 0
dhcpd address 172.29.50.1-172.29.50.200 inside
dhcpd dns 162.23.132.10 162.23.132.11
dhcpd lease 3000
dhcpd ping_timeout 1000
dhcpd enable inside
*******************
pixfirewall(config)#
32: ICMP echo-request from outside:172.29.11.1 to 172.29.11.254 ID=1280 seq=2304 length=40
33: ICMP echo-request from outside:172.29.11.1 to 172.29.11.254 ID=1280 seq=2560 length=40
34: ICMP echo-request from outside:172.29.11.1 to 172.29.11.254 ID=1280 seq=2816 length=40
***********************
Reply to
Ned

You must ensure that your traffic is part of your nat (0) access-list.

Adding the following line should help:

access-list 102 permit ip 172.29.11.0 255.255.255.0 172.29.11.0 255.255.255.0

Reply to
mcaissie

I have added that to my NAT 0 access list but still can't get through to the inside LAN. Interestingly, when I have my VPN established, and I try to PING the inside ip address 172.29.11.254 the debug shows...

pixfirewall(config)#
1040: ICMP echo-request from outside:172.29.11.1 to 172.29.11.254
1041: ICMP echo-request from outside:172.29.11.1 to 172.29.11.254 ID=1280 seq=87
1042: ICMP echo-request from outside:172.29.11.1 to 172.29.11.254 ID=1280 seq=89
ICMP echo-request from outside:172.29.11.1 to 172.29.11.254 ...

When I try to PING the address 172.29.11.253 (a router down in the LAN) the debug shows the echo reply attempts but I still don't see the replies on my VPN client...

pixfirewall(config)#
1032: ICMP echo-request from outside:172.29.11.1 to 172.29.11.253
1033: ICMP echo-reply from inside:172.29.11.253 to 172.29.11.1 ID=1280 seq=7424
1034: ICMP echo-request from outside:172.29.11.1 to 172.29.11.253 ID=1280 seq=76
1035: ICMP echo-reply from inside:172.29.11.253 to 172.29.11.1 ID=1280 seq=7680

Maybe there is a problem with my access-list...

access-list 102 permit ip 172.29.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 172.29.0.0 255.255.0.0 172.22.0.0 255.255.0.0
access-list 102 permit ip 172.29.0.0 255.255.0.0 172.30.0.0 255.255.0.0
access-list 102 permit ip 172.30.0.0 255.255.0.0 172.29.0.0 255.255.0.0
access-list 102 permit ip 172.29.0.0 255.255.0.0 172.29.0.0 255.255.0.0
access-list acl_in permit ip any any
access-group acl_in in interface inside

Thanks for your interest...

Reply to
Ned

I'm not sure if it's a good idea to assign addresses from the "inside" network to the VPN clients. IMO, they should get addresses in a sub-net that's not assigned to any PIX interface. But the "nat 0" ACL is an important point.

Regards

fw

Reply to
Frank Winkler

I have two different VPN pool address subnets. The first one gives addresses 172.22.x.x; this was included in my original access list... but it still didn't work. (I added another pool to use the same subnet as the inside after seeing it as an example on the Cisco website.)

access-list 102 permit ip 172.29.0.0 255.255.0.0 172.22.0.0 255.255.0.0

Do I also need the "reverse access list" permit 172.22.0.0 to 172.29.0.0??? Thanks
Reply to
Ned
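Added illustration (not code from this thread, from Cisco, or from the PIX itself): a small Python model of the two points raised above, mcaissie's that inside-to-client traffic must be covered by the nat 0 exemption ACL, and Frank's that the client pool should not sit inside a network already assigned to a PIX interface. It parses ACL 102 as posted (with the suggested extra entry), evaluates it first-match with an implicit deny, and does a longest-prefix route lookup over the posted routes to see which interface a reply to each pool address would leave on. Labelled assumptions: the nat 0 ACL is matched with the inside host as source and the exemption covers both directions of the flow (so no reversed entry is needed for it); the egress interface is chosen by routing before the outside interface's crypto map sees the packet; 172.29.11.253 stands in for the inside host because that is the router the thread pings; one representative address is taken from each pool.

```python
import ipaddress

# Constructed from the configuration posted in the thread: the nat 0 exemption
# ACL 102 including the entry mcaissie suggested adding (last line).
NAT0_ACL = """
access-list 102 permit ip 172.29.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 172.29.0.0 255.255.0.0 172.22.0.0 255.255.0.0
access-list 102 permit ip 172.29.0.0 255.255.0.0 172.30.0.0 255.255.0.0
access-list 102 permit ip 172.30.0.0 255.255.0.0 172.29.0.0 255.255.0.0
access-list 102 permit ip 172.29.11.0 255.255.255.0 172.29.11.0 255.255.255.0
"""

# Routing table constructed from the posted config: the two connected networks
# (from the 'ip address' lines) plus the two 'route' statements.
ROUTES = [
    ("inside",  "172.29.0.0/16",    None),             # connected
    ("outside", "77.92.238.224/29", None),             # connected
    ("inside",  "172.30.0.0/16",    "172.29.11.253"),  # route inside ...
    ("outside", "0.0.0.0/0",        "77.92.152.1"),    # route outside ...
]

# One representative client address from each 'ip local pool' in the config.
POOLS = {"LAN1vpn": "192.168.2.1", "mypool1": "172.22.0.1", "mypool2": "172.29.11.1"}


def parse_acl(text):
    """Parse 'access-list NAME permit|deny ip SRC MASK DST MASK' lines.
    PIX 6.x ACLs use subnet masks (255.255.0.0), not IOS wildcard masks."""
    entries = []
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) != 8 or p[0] != "access-list" or p[3] != "ip":
            continue  # only plain 'ip' network entries are modelled here
        src = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
        dst = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
        entries.append((p[2], src, dst))
    return entries


def acl_permits(entries, src_ip, dst_ip):
    """First-match evaluation with an implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"
    return False


def nat0_exempt(entries, inside_host, client_ip):
    """Simplified model (assumption, not PIX code) of 'nat (inside) 0
    access-list': the ACL is written from the inside interface's viewpoint
    (source = inside host, destination = VPN client) and the exemption applies
    to both directions of the flow, so no reversed entry is needed."""
    return acl_permits(entries, inside_host, client_ip)


def egress_interface(routes, dst_ip):
    """Longest-prefix-match lookup: the interface a reply to dst_ip leaves on.
    Assumption: routing happens before the outside crypto map can encrypt."""
    d = ipaddress.ip_address(dst_ip)
    best = None
    for iface, net, _next_hop in routes:
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[1].prefixlen):
            best = (iface, n)
    return best[0] if best else None


def audit_pools(acl_text=NAT0_ACL, routes=ROUTES, inside_host="172.29.11.253"):
    """Per pool: is inside<->client traffic exempt from NAT, and which interface
    would the inside host's reply be routed to? Replies routed to 'inside'
    never reach the tunnel terminated on 'outside'."""
    entries = parse_acl(acl_text)
    report = {}
    for name, client in POOLS.items():
        report[name] = {
            "nat0_exempt": nat0_exempt(entries, inside_host, client),
            "reply_egress": egress_interface(routes, client),
        }
    return report


if __name__ == "__main__":
    for name, r in audit_pools().items():
        flag = "" if r["reply_egress"] == "outside" else "  <- pool overlaps inside network"
        print(f"{name:8} nat0_exempt={r['nat0_exempt']!s:5} reply via {r['reply_egress']}{flag}")
```

Running it shows that with the extra entry all three pools pass the exemption check, but the reply to a mypool2 address is routed to the inside interface because 172.29.11.0/24 is covered by the connected 172.29.0.0/16, which is the symptom in the debug above (echo-reply seen from inside, nothing arriving at the client). Dropping the last ACL line reproduces the original state, where mypool2 was not exempt at all.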
