PIX506E VPN/ACL Config Help

I would recommend upgrading to 6.3(4) [which you can do for free even if you have no support contract], or 6.3(5) if you have a support contract.

Some suggestions:

1) Switch to SHA instead of MD5. Or if you prefer, add another transform set for 3DES/SHA and list that first on the 'set transform-set' line. To accompany that, create an isakmp policy with a higher priority (lower policy number) for 3DES SHA.

2) Add the command isakmp nat-traversal 20

3) As you have 3DES and 6.3, your license also permits you to use AES. I suggest adding at least AES-128/SHA as an even higher priority than 3DES/SHA .

I don't see any obvious problems with your configuration, but in some cases the nat-traversal can allow connections to work that would not otherwise function.

Hi,

Thanks for the reply Walter.

I've not updated the firmware yet as I'm doing this remotely so I'll look into that tomorrow when I'm at work.

However I did make the config changes as you suggested without any further luck. I can establish the connection without any issues, I just can't access any of the services within the 192.168.30.0/24 subnet.

This is the current config if anyone has any other suggestions?

Building configuration... : Saved : PIX Version 6.3(3) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password *************** encrypted passwd *************** encrypted hostname pixfirewall domain-name mycompany fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list mycompany_splitTunnelAcl permit ip 192.168.30.0

255.255.255.0 any access-list inside_outbound_nat0_acl permit ip 192.168.30.0 255.255.255.0 192.168.100.0 255.255.255.0 access-list outside_cryptomap_dyn_20 permit ip any 192.168.100.0 255.255.255.0 pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside x.x.x.x 255.255.255.0 pppoe ip address inside 192.168.30.15 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool mycompanyVPNpool 192.168.100.100-192.168.100.150 pdm history enable arp timeout 14400 nat (inside) 0 access-list inside_outbound_nat0_acl timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local http server enable http 192.168.30.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map client authentication LOCAL crypto map outside_map interface outside isakmp enable outside isakmp nat-traversal 20 isakmp policy 20 authentication pre-share isakmp policy 20 encryption aes isakmp policy 20 hash sha isakmp policy 20 group 5 isakmp policy 20 lifetime 86400 vpngroup mycompany address-pool mycompanyVPNpool vpngroup mycompany dns-server 192.168.30.2 vpngroup mycompany wins-server 192.168.30.2 vpngroup mycompany split-tunnel mycompany_splitTunnelAcl vpngroup mycompany idle-time 1800 vpngroup mycompany password ******** telnet timeout 5 ssh timeout 5 console timeout 0 vpdn group mycompany request dialout pppoe vpdn group mycompany localname mycompanymelb vpdn group mycompany ppp authentication pap vpdn username mycompanymelb password ********* username ******** password ************** encrypted privilege 15 terminal width 80 Cryptochecksum:897255bc85569c33d24027b1ea34414e : end [OK]

I'd suggest that it is time to look at the syslog messages. (I notice you have not enabled logging.)

Do the devices on your inside network know how to get to the

192.168.100.0/24 network? Probably not--in which case they use the default gateway, which is not what you want to happen.

Add a static route on your default gateway like (if a Cisco router):

ip route 192.168.100.0 255.255.255.0 192.168.30.15

tippenring. Thank you!!!!!!!!!

I didn't even think about the fact that the PCs are using a different gateway (x.x.30.10) and that it had no routes to point x.x.100.x/24 traffic to x.x.30.15

You're officially my hero for this afternoon :D

Ok. Why can't I establish multiple VPN connections, I was connected and went to connect a seperate PC and it bumped me off.

Anyone know off the top of there head before I go researching the issue?

Your description sounds like you're using vpn client software. Typically when a router is doing PAT, only one VPN client can be connected through that router at a time.

If that's the case, stop using the client software. Your Pix will handle the tunnel to the remote site for you.

I agree that that is what the problem sounds like.

However, the OP's configuration includes isakmp nat-traversal 20 so as long as the VPN client is new enough (one of the 3.x series, I don't remember which) then the PAT will be detected and the PIX will encapsulate packets so as to avoid the problem.