VPN Client does not ping the network

Hi All,

I am a PIX VPN newbie with an ACL problem.

We have a tunnel to another site but we want to have VPN clients connecting at the same time.

Clients can connect and get an ip but cannot ping the internal 10 network, not even the gateway or connect to a tcp port.

I've been told that it's an ACL, but what and where do I do that?

PIX Version 6.3(1)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.1.1.11 IBMRouter
name 10.1.1.4 AS400
access-list pixtosw permit ip 10.1.1.0 255.255.255.0 172.17.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 12.24.177.248 255.255.255.224
ip address inside 10.1.1.100 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNCL 10.1.15.30-10.1.15.49
pdm location 10.1.1.200 255.255.255.255 inside
pdm location 10.1.1.0 255.255.255.0 inside
pdm location 172.17.0.0 255.255.0.0 outside
pdm location AS400 255.255.255.255 inside
pdm location IBMRouter 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list pixtosw
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 12.24.177.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.1.1.200 \
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer 12.2.174.3
crypto map tosonicwall 20 set transform-set strongsha
crypto map tosonicwall interface outside
isakmp enable outside
isakmp key ******** address 12.2.174.3 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet 10.1.1.200 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group VPN accept dialin pptp
vpdn group VPN ppp authentication mschap
vpdn group VPN ppp encryption mppe 128 required
vpdn group VPN client configuration address local VPNCL
vpdn group VPN client configuration dns 10.1.1.17
vpdn group VPN client configuration wins 10.1.1.17
vpdn group VPN pptp echo 300
vpdn group VPN client authentication local
vpdn username VPNClient password ********
vpdn enable outside
dhcpd address 10.1.1.101-10.1.2.100 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

Thanks Jan

Reply to
jdb

In article , jdb wrote:
:I am a PIX VPN newbie with an ACL problem.

:PIX Version 6.3(1)

You should update as soon as practical: there are a number of known security problems. Even if you do not have a support contract, you are entitled to a free update to 6.3(4)110; search Cisco's site for "pix security advisories" for more details.

:interface ethernet0 10full
:interface ethernet1 10full

Hmmm, what model is that? It can't be a 501 as you cannot set the inside interface to 10full on a 501. You only show 2 interfaces, and you have them set to only 10 Mb/s, so it seems unlikely to me that you have a high-end PIX. A 506 perhaps?

There really isn't a meaningful industry standard for 10full -- yes, they did get around to standardizing it finally, but it isn't widely implemented. Unless you have a Good Reason, you should probably configure the interfaces as 'auto'.

:access-list pixtosw permit ip 10.1.1.0 255.255.255.0 172.17.0.0 255.255.0.0

:nat (inside) 0 access-list pixtosw

:crypto map tosonicwall 20 match address pixtosw

In PIX 6.3(1), you cannot use the same access list name for nat 0 access-list as you use for crypto map match address. This is considered a bug, but with the PIX it is a good practice not to use any one access-list for multiple purposes to avoid such bugs and to avoid the situations where such conflicts are considered "features" instead of bugs...

I did not dig into your configuration to address the difficulty you reported; check to see if it still happens when you use two different ACLs for the two functions.

Reply to
Walter Roberson
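An added example, not code from the thread or from Cisco: a small Python check that reads PIX 6.x configuration lines and reports any access-list name that is used both for `nat (inside) 0 access-list` and for `crypto map ... match address`, which is the double use Walter describes. It also flags an `ip local pool` whose addresses fall inside one of the firewall's own interface subnets; that second check goes beyond what the thread discusses, but it is worth running on this configuration, since the pool 10.1.15.30-10.1.15.49 lies within the inside network 10.1.0.0/16 defined by `ip address inside 10.1.1.100 255.255.0.0`. The sample input below is a constructed excerpt of the relevant lines from the posted config; the function names and regexes are this example's own.

```python
"""Static checks over PIX 6.x configuration text (added example, not the thread's code)."""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample: only the lines from the posted config that these checks read.
SAMPLE_CONFIG = """
access-list pixtosw permit ip 10.1.1.0 255.255.255.0 172.17.0.0 255.255.0.0
ip address outside 12.24.177.248 255.255.255.224
ip address inside 10.1.1.100 255.255.0.0
ip local pool VPNCL 10.1.15.30-10.1.15.49
nat (inside) 0 access-list pixtosw
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
"""

# Hypothetical patterns written for this example; they cover the PIX 6.x forms shown above.
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")


def shared_acls(config: str) -> Set[str]:
    """Return ACL names used both as a nat 0 exemption list and as a crypto map match list.

    One ACL per purpose is the safe practice; on 6.3(1) the double use is known to misbehave.
    """
    nat0: Set[str] = set()
    crypto: Set[str] = set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT0_RE.match(line):
            nat0.add(m.group(1))
        elif m := CRYPTO_MATCH_RE.match(line):
            crypto.add(m.group(1))
    return nat0 & crypto


def pool_overlaps(config: str) -> Dict[str, List[str]]:
    """Map each 'ip local pool' name to the interface subnets its endpoints fall inside.

    A client pool carved out of a directly connected subnet makes hosts on that subnet
    ARP for the client address instead of sending replies back to the firewall.
    """
    subnets: Dict[str, ipaddress.IPv4Network] = {}
    pools: Dict[str, tuple] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := IP_ADDR_RE.match(line):
            ifname, addr, mask = m.groups()
            # strict=False keeps the host bits of the interface address from raising.
            subnets[ifname] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))

    result: Dict[str, List[str]] = {}
    for name, (first, last) in pools.items():
        hits = [ifname for ifname, net in subnets.items() if first in net or last in net]
        if hits:
            result[name] = hits
    return result


if __name__ == "__main__":
    for acl in sorted(shared_acls(SAMPLE_CONFIG)):
        print(f"ACL {acl!r} is used for both nat 0 and crypto map match; split it into two lists")
    for pool, ifaces in pool_overlaps(SAMPLE_CONFIG).items():
        print(f"pool {pool!r} overlaps the subnet of interface(s): {', '.join(ifaces)}")
```

Run against the posted config, the first check reports `pixtosw` and the second reports that `VPNCL` overlaps the `inside` subnet. Both functions take the configuration as a string, so a `show running-config` capture can be read from a file and passed in unchanged.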

Thanks Walter,

I upgraded the old 506 to v6.34 and set interfaces to auto. Could you show me an example of the ACL in my case? Or would this work?

access-list Nat_acl permit ip any 10.1.15.0 255.255.255.0

Is the NAT0 not going to be a problem?

Reply to
jdb
