PIX VPN Client connects but not traffic passes through

I have a client with a PIX 501, version 6.3(4). For some reason that I've not been able to figure out, the VPN client that I've created for them will connect, but traffic will not pass through the PIX. The client is set to use group and user authentication, but it immediately connects without prompting for user authentication, which is also strange. Any advice is greatly appreciated. The config is posted below. The VPN client in question is the one listed as "magellan" and the internal IP that I ideally would like to connect to is 192.168.100.79, but I can't get to any IP; not even the internal IP of the PIX. All help is greatly appreciated.

PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname pix
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside-outside permit tcp any interface outside eq pcanywhere-data
access-list inside-outside permit udp any interface outside eq pcanywhere-status
access-list inside-outside permit tcp any interface outside eq https
access-list inside-outside permit tcp any host 192.168.100.42 eq 5800
access-list inside-outside permit tcp any host 192.168.100.42 eq 5900
access-list inside-outside permit tcp any host 192.168.100.59 eq 5801
access-list inside-outside permit tcp any host 192.168.100.59 eq 5901
access-list inside-outside permit tcp any host 192.168.100.61 eq 5802
access-list inside-outside permit tcp any host 192.168.100.61 eq 5902
access-list inside-outside permit tcp any host 192.168.100.62 eq 5803
access-list inside-outside permit tcp any host 192.168.100.62 eq 5903
access-list inside-outside permit tcp any host 192.168.100.63 eq 5804
access-list inside-outside permit tcp any host 192.168.100.63 eq 5904
access-list inside-outside permit tcp any host 192.168.100.161 eq 5805
access-list inside-outside permit tcp any host 192.168.100.161 eq 5905
access-list inside-outside permit tcp any host 192.168.100.64 eq 5806
access-list inside-outside permit tcp any host 192.168.100.64 eq 5906
access-list inside-outside permit tcp any host 192.168.100.65 eq 5807
access-list inside-outside permit tcp any host 192.168.100.65 eq 5907
access-list inside-outside permit tcp any interface outside eq 4125
access-list inside-outside permit tcp any interface outside eq 3389
access-list mri permit ip host 192.168.100.76 host 172.16.4.8
access-list mri permit ip host 192.168.100.76 host 172.16.4.10
access-list mri permit ip host 192.168.100.79 host 172.16.4.8
access-list mri permit ip host 192.168.100.79 host 172.16.4.10
access-list mri permit ip host 192.168.100.80 host 172.16.4.8
access-list mri permit ip host 192.168.100.80 host 172.16.4.10
access-list 100 permit ip host 192.168.100.76 host 172.16.4.10
access-list 100 permit ip host 192.168.100.76 host 172.16.4.8
access-list 100 permit ip host 192.168.100.79 host 172.16.4.10
access-list 100 permit ip host 192.168.100.79 host 172.16.4.8
access-list 100 permit ip host 192.168.100.80 host 172.16.4.10
access-list 100 permit ip host 192.168.100.80 host 172.16.4.8
access-list GEMED permit ip host xx.xx.xx.xx xx.xx.xx.xx 255.255.0.0
access-list GEMED permit ip host xx.xx.xx.xx xx.xx.xx.xx 255.255.0.0
access-list (inside,outside) permit tcp any host 192.168.100.79 eq 5731
access-list (inside,outside) permit udp any host 192.168.100.79 eq 5732
pager lines 120
logging on
logging console alerts
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 209.161.xx.xx 255.255.255.252
ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclients 192.168.200.1-192.168.200.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list mri
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.100.11 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.100.11 https netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 192.168.100.31 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pcanywhere-data 192.168.100.31 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5800 192.168.100.42 5800 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5900 192.168.100.42 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5801 192.168.100.59 5801 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5901 192.168.100.59 5901 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5802 192.168.100.61 5802 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5902 192.168.100.61 5902 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5803 192.168.100.62 5803 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5903 192.168.100.62 5903 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5804 192.168.100.63 5804 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5904 192.168.100.63 5904 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5805 192.168.100.161 5805 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5905 192.168.100.161 5905 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5806 192.168.100.64 5806 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5906 192.168.100.64 5906 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5807 192.168.100.65 5807 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5907 192.168.100.65 5907 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5731 192.168.100.79 5731 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5732 192.168.100.79 5732 netmask 255.255.255.255 0 0
static (inside,outside) 10.77.xx.xx 192.168.100.76 netmask 255.255.255.255 0 0
static (inside,outside) 10.77.xx.xx 192.168.100.77 netmask 255.255.255.255 0 0
static (inside,outside) 142.179.xx.xx 192.168.100.79 netmask 255.255.255.255 0 0
access-group inside-outside in interface outside
route outside 0.0.0.0 0.0.0.0 209.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 209.xx.xx.xx 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set AAADES esp-3des esp-md5-hmac
crypto dynamic-map dyn20 20 set transform-set AAADES
crypto map shmem 10 ipsec-isakmp
crypto map shmem 10 match address GEMED
crypto map shmem 10 set peer xx.xx.xx.xx
crypto map shmem 10 set transform-set AAADES
crypto map shmem 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map shmem 15 ipsec-isakmp
crypto map shmem 15 match address mri
crypto map shmem 15 set peer xx.xx.xx.xx
crypto map shmem 15 set transform-set AAADES
crypto map shmem 20 ipsec-isakmp dynamic dyn20
crypto map shmem interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 3
isakmp client configuration address-pool local vpnclients outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup ortho-tech address-pool vpnclients
vpngroup ortho-tech dns-server 209.xx.xx.xx 209.xx.xx.xx
vpngroup ortho-tech idle-time 1800
vpngroup ortho-tech password ********
vpngroup magellan-group address-pool vpnclients
vpngroup magellan-group dns-server 209.xx.xx.xx 209.xx.xx.xx
vpngroup magellan-group idle-time 1800
vpngroup magellan-group password ********
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh xx.xx.xx.xx 255.255.255.255 inside
ssh timeout 60
console timeout 0
username support password xxxxxxxxxxxxxxxxxx encrypted privilege 2
username magellan password xxxxxxxxxxxxxxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:6b3e1c6136fff01a48f2d8ccfea4ac8f
: end
Reply to
rambur

Try:

isakmp nat-traversal 20


Reply to
Jyri Korhonen

Doesn't seem to make a difference. Still can't connect to anything on the other side of the PIX; can't even ping the private (inside) address of the PIX with the VPN client connected.

Reply to
rambur

You can only ever ping the interface "closest" to you; since you are connecting to the outside interface, you would be able to ping the outside interface (if the VPN allowed it), but not the remote inside interface.

There is an exception to this: if you specifically declare that a VPN connection is for management access, then you can ping it. This requires a separate VPN.


Reply to
Walter Roberson


You re-use the access-list "mri" there. You used it for nat 0 access-list, and you used it for crypto map match address. Never reuse an access-list: the PIX manipulates access-lists internally and if you use an access-list twice, the internal manipulation for one use will cause problems with the other use.

Your address-pool for magellan is 'vpnclients', which is 192.168.200.* . That range is outside your internal IP range, which is good -- a lot of people make the mistake of using an internal range, which leads to routing and proxy-arp problems, which you have avoided. However, your nat 0 access-list is only for 172.16.4.x so the traffic to 192.168.200.* will -not- be exempt from NAT. Your 'nat'/'global' statements are going to kick in and PAT the internal 192.168.100.x source IPs to the interface IP; your special static PAT for 192.168.100.79 may also come into play, but that PAT's to the external IP as well. And it isn't until *after* NAT processing that the VPN comes in to play.

Thus, in order to have a chance of reaching 192.168.100.79, you will have to address the interface IP, and it'd only work for those two particular ports (and not for ping.)

Recommended solution: copy the current contents of the 'mri' ACL into a new access list for use with nat (inside) 0 access-list . Add lines to that new ACL that exempt 192.168.100.* to 192.168.200.* from NAT.

Addendum: you may wish to make cleaner access-lists by using a few object-group's. For example, your mri ACL runs through all combinations of three different sources and two different destinations; if you had an object-group that listed the three sources, and another object group that listed the three destinations, then the entire access-list would simplify down to a single statement, e.g.,

access-list mri permit ip object-group mriInternalTargets object-group mriRemoteSources

Reply to
Walter Roberson
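The following is an added example, not part of the thread and not Cisco code: a small Python model of the two points in the reply above, the NAT-before-crypto order for an inside host answering a VPN client, and the object-group rewrite of the mri ACL. It parses PIX-style "permit ip" ACL lines (host, any, network/mask and object-group forms) and checks whether a flow matches the nat 0 exemption list. The proposed ACL name "nonat", the 192.0.2.1 stand-in for the redacted outside interface address, and the omission of the per-host static entries are assumptions of the example; the mri entries and the object-group names are taken from the thread.

```python
import ipaddress

# Constructed sample data: the "mri" ACL lines quoted in the thread, which the
# config uses both as the nat 0 exemption list and as a crypto-map match address.
MRI_ACL = """
access-list mri permit ip host 192.168.100.76 host 172.16.4.8
access-list mri permit ip host 192.168.100.76 host 172.16.4.10
access-list mri permit ip host 192.168.100.79 host 172.16.4.8
access-list mri permit ip host 192.168.100.79 host 172.16.4.10
access-list mri permit ip host 192.168.100.80 host 172.16.4.8
access-list mri permit ip host 192.168.100.80 host 172.16.4.10
"""

# Proposed replacement for the nat 0 ACL (hypothetical name "nonat"): a copy of
# the mri entries plus one line exempting inside -> VPN client pool traffic.
NONAT_ACL = MRI_ACL.replace("access-list mri", "access-list nonat") + (
    "access-list nonat permit ip 192.168.100.0 255.255.255.0 "
    "192.168.200.0 255.255.255.0\n"
)

# The object-group rewrite of mri suggested in the reply, using its group names.
OBJECT_GROUP_CONFIG = """
object-group network mriInternalTargets
 network-object host 192.168.100.76
 network-object host 192.168.100.79
 network-object host 192.168.100.80
object-group network mriRemoteSources
 network-object host 172.16.4.8
 network-object host 172.16.4.10
access-list mri permit ip object-group mriInternalTargets object-group mriRemoteSources
"""

OUTSIDE_IF = "192.0.2.1"  # constructed stand-in for the redacted outside interface IP


def parse_address(tokens, i):
    """Consume one PIX address spec (host X | any | NET MASK) at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # PIX access-lists use subnet masks, not wildcard masks
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def resolve(tokens, i, groups):
    """Like parse_address, but expands 'object-group NAME' into its members."""
    if tokens[i] == "object-group":
        return list(groups[tokens[i + 1]]), i + 2
    net, j = parse_address(tokens, i)
    return [net], j


def parse_config(text):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries,
    with object-groups expanded into every source/destination combination."""
    groups, acls, current = {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "object-group" and t[1] == "network":
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            current.append(parse_address(t, 1)[0])
        elif t[0] == "access-list" and t[2] == "permit" and t[3] == "ip":
            srcs, i = resolve(t, 4, groups)
            dsts, _ = resolve(t, i, groups)
            acls.setdefault(t[1], []).extend((s, d) for s in srcs for d in dsts)
    return acls


def acl_matches(entries, src, dst):
    """True if the src/dst pair is permitted by any expanded ACL entry."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in entries)


def translate(nat0_entries, src, dst):
    """Simplified model of the inside->outside NAT step on this PIX: a flow that
    matches the nat 0 ACL keeps its real source; anything else is PATed to the
    outside interface by 'nat (inside) 1' / 'global (outside) 1 interface'.
    Per-host static entries are left out of the model. The crypto map is only
    consulted after this step, so it sees the translated source address."""
    if acl_matches(nat0_entries, src, dst):
        return src
    return OUTSIDE_IF


def demonstrate():
    mri = parse_config(MRI_ACL)["mri"]
    nonat = parse_config(NONAT_ACL)["nonat"]
    expanded = parse_config(OBJECT_GROUP_CONFIG)["mri"]
    inside_host, vpn_client, remote_site = "192.168.100.79", "192.168.200.5", "172.16.4.8"
    return {
        # with the original nat 0 ACL, the reply to the VPN client is PATed away
        "mri_reply_source": translate(mri, inside_host, vpn_client),
        # with the new ACL, the reply keeps its real inside address
        "nonat_reply_source": translate(nonat, inside_host, vpn_client),
        # the site-to-site exemption copied from mri still applies
        "site_to_site_source": translate(nonat, inside_host, remote_site),
        # the single object-group line expands to exactly the six mri entries
        "object_group_equivalent": set(expanded) == set(mri),
        "expanded_entry_count": len(expanded),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Running it shows the reply from 192.168.100.79 to the client leaving with the interface address under the existing mri list and with its real address under the nonat list, while the object-group form of mri yields the same six host pairs as the hand-written version.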

This doesn't appear to make any difference. Even with this in the PIX, I still cannot pass traffic through it when connected with the VPN client; can't even ping the private (inside) address on the PIX.

Reply to
rambur
