PIX VPN can't access internal network

Hi

I have a bit of a problem that I hope someone will help me with.

I can connect with the VPN client through my second ISP line at work, but not from home.

When I connect I can't access the internal network (no ping etc.).

This is my config:

: Saved
: Written by enable_15 at 22:44:36.762 UTC Fri Aug 4 2006
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password *************** encrypted
passwd *************** encrypted
hostname pixfirewall
domain-name inet.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.31.6 INET06
name 10.0.16.1 DLOG-ITDR01
name 10.0.16.2 DLOG-ITDR02
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any eq 3397
access-list outside_access_in permit ip 10.0.25.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip any 10.0.25.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 10.0.25.0 255.255.255.0
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.0.31.200 255.255.240.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool-1 10.0.25.1-10.0.25.10
pdm location DLOG-ITDR01 255.255.255.255 inside
pdm location INET06 255.255.255.255 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
pdm location 10.0.25.0 255.255.255.0 outside
pdm location DLOG-ITDR02 255.255.255.255 inside
pdm location DLOG-ITDR02 255.255.255.255 outside
pdm location 10.0.0.0 255.255.0.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.0.16.0 255.255.240.0 0 0
static (inside,outside) tcp interface www INET06 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 DLOG-ITDR01 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3397 DLOG-ITDR02 3397 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 outside
http DLOG-ITDR01 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp keepalive 20 30
isakmp nat-traversal 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Medarbejder-VPN address-pool ippool-1
vpngroup Medarbejder-VPN dns-server 10.0.31.1
vpngroup Medarbejder-VPN default-domain inet.local
vpngroup Medarbejder-VPN idle-time 1800
vpngroup Medarbejder-VPN password ***************
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:***************
: end

Thanks

Bjarne

Reply to
Bjarne

No NAT problems, since you already have ISAKMP NAT-T.

You need to reverse these two ACLs (above).

HTH
Martin

Reply to
Martin Bilgrav


Sorry about that - what I just wrote is not correct... I mistakenly looked at the wrong lines... Your ACL and config look just fine...

You do not have the "sysopt connection permit-ipsec" command. Also: you are using RIP - verify that the pool you have used is routed the right way. Verify that your VPN client is set for UDP encapsulation of IPsec (transparent tunneling), and that when connected you use UDP/4500 on the Status tab.

Getting late...

HTH
Martin

Reply to
Martin Bilgrav
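A small checker for the points Martin raises (the missing "sysopt connection permit-ipsec", and whether the nat 0 and dynamic-map ACLs actually cover the client pool), added here as an example and not part of the thread. It parses a constructed PIX 6.3-style fragment modelled on Bjarne's posted config; the function names are my own, and the RIP/routing point is not something a static config check can verify.

```python
import ipaddress
import re

# Constructed PIX 6.3-style fragment modelled on the thread's config (not the poster's full config).
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip any 10.0.25.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 10.0.25.0 255.255.255.0
ip local pool ippool-1 10.0.25.1-10.0.25.10
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
vpngroup Medarbejder-VPN address-pool ippool-1
"""

def _take(tokens):
    """Consume one ACL address spec: 'any' or 'network mask'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def acl_destinations(cfg, name):
    """Destination networks of every 'permit ip' entry in the named access-list."""
    nets = []
    for line in cfg.splitlines():
        t = line.split()
        if t[:4] == ["access-list", name, "permit", "ip"]:
            _src, rest = _take(t[4:])
            nets.append(_take(rest)[0])
    return nets

def check_vpn_config(cfg):
    """Return a list of findings; an empty list means the client-VPN plumbing checks out."""
    findings = []
    # Without this, decrypted client traffic is still subject to the outside interface ACL.
    if not re.search(r"^sysopt connection permit-ipsec$", cfg, re.M):
        findings.append("missing 'sysopt connection permit-ipsec'")
    pool = re.search(r"^vpngroup \S+ address-pool (\S+)$", cfg, re.M).group(1)
    lo, hi = re.search(rf"^ip local pool {re.escape(pool)} (\S+)-(\S+)$", cfg, re.M).groups()
    lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)$", cfg, re.M).group(1)
    dyn = re.search(r"^crypto dynamic-map \S+ \d+ match address (\S+)$", cfg, re.M).group(1)
    # Both ACLs must contain the whole pool, or return traffic is NATed / never matched into the tunnel.
    for label, acl in (("nat 0", nat0), ("dynamic-map", dyn)):
        if not any(lo in n and hi in n for n in acl_destinations(cfg, acl)):
            findings.append(f"{label} ACL {acl} does not cover pool {lo}-{hi}")
    return findings

if __name__ == "__main__":
    for finding in check_vpn_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the fragment it reports only the missing sysopt line, which matches Martin's diagnosis; appending that line clears it.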

Thanks a lot.

It seems to work :-)

Mart>

Reply to
Bjarne
