VPN Client does not ping the network

Hi All,

I am a PIX VPN newbie with an ACL problem.

We have a tunnel to another site, but we want to have VPN clients connecting at the same time.

Clients can connect and get an IP, but cannot ping the internal 10 network, not even the gateway, or connect to a TCP port.

I've been told that it's an ACL, but what is it and where do I do that?

PIX Version 6.3(1)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name IBMRouter
name AS400
access-list pixtosw permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNCL
pdm location inside
pdm location inside
pdm location outside
pdm location AS400 inside
pdm location IBMRouter inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list pixtosw
nat (inside) 1 0 0
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside \
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer
crypto map tosonicwall 20 set transform-set strongsha
crypto map tosonicwall interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group VPN accept dialin pptp
vpdn group VPN ppp authentication mschap
vpdn group VPN ppp encryption mppe 128 required
vpdn group VPN client configuration address local VPNCL
vpdn group VPN client configuration dns
vpdn group VPN client configuration wins
vpdn group VPN pptp echo 300
vpdn group VPN client authentication local
vpdn username VPNClient password ********
vpdn enable outside
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

Thanks Jan


In article , jdb wrote:
:I am a PIX VPN newbie with an ACL problem.

:PIX Version 6.3(1)

You should update as soon as practical: there are a number of known security problems. Even if you do not have a support contract, you are entitled to a free update to 6.3(4)110; search cisco's site for "pix security advisories" for more details.

:interface ethernet0 10full :interface ethernet1 10full

Hmmm, what model is that? It can't be a 501 as you cannot set the inside interface to 10full on a 501. You only show 2 interfaces, and you have them set to only 10 Mb/s, so it seems unlikely to me that you have a high-end PIX. A 506 perhaps?

There really isn't a meaningful industry standard for 10full -- yes, they did get around to standardizing it finally, but it isn't widely implemented. Unless you have a Good Reason, you should probably configure the interfaces as 'auto'.

:access-list pixtosw permit ip

:nat (inside) 0 access-list pixtosw

:crypto map tosonicwall 20 match address pixtosw

In PIX 6.3(1), you cannot use the same access list name for nat 0 access-list as you use for crypto map match address. This is considered a bug, but with the PIX it is a good practice not to use any one access-list for multiple purposes to avoid such bugs and to avoid the situations where such conflicts are considered "features" instead of bugs...

I did not dig into your configuration to address the difficulty you reported; check to see if it still happens when you use two different ACLs for the two functions.

Walter Roberson
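The following is an added illustration of Walter's advice, not configuration posted by anyone in the thread. It keeps the names from Jan's config (pixtosw, tosonicwall, strongsha, VPNCL) but splits the single ACL into two: one used only by `nat (inside) 0`, one used only by the crypto map. Every address in it is an assumed placeholder, because the posted config has them stripped: 10.1.0.0/24 stands for the inside LAN, 192.168.50.0/24 for the LAN behind the SonicWall, 10.1.99.0/24 for the PPTP client pool, and 203.0.113.2 for the SonicWall's outside address.

```cisco
! Added example, not from the thread. All addresses below are assumed:
!   10.1.0.0/24      inside LAN behind the PIX
!   192.168.50.0/24  LAN behind the SonicWall peer
!   10.1.99.0/24     addresses handed to PPTP clients from pool VPNCL
!   203.0.113.2      SonicWall outside address (crypto peer)

! ACL #1: NAT exemption only. Lists every destination that must reach
! inside hosts untranslated: the site-to-site LAN AND the client pool.
access-list nonat permit ip 10.1.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.1.99.0 255.255.255.0

! ACL #2: crypto "interesting traffic" only. Just the site-to-site pair;
! the dial-in client pool does not belong in the IPsec tunnel to the peer.
access-list pixtosw permit ip 10.1.0.0 255.255.255.0 192.168.50.0 255.255.255.0

! nat 0 gets its own ACL; ordinary internet traffic still uses PAT via id 1.
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
global (outside) 1 interface

! The crypto map references the crypto-only ACL.
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer 203.0.113.2
crypto map tosonicwall 20 set transform-set strongsha
crypto map tosonicwall interface outside

! Client pool, on a subnet distinct from the inside LAN (assumed range).
ip local pool VPNCL 10.1.99.1-10.1.99.50
vpdn group VPN client configuration address local VPNCL
```

Two things to check after applying something like this. First, keep the nat 0 ACL narrow: whatever it matches bypasses the `nat (inside) 1 0 0` / `global (outside) 1 interface` PAT entirely, so a catch-all entry would send ordinary internet traffic out untranslated. Second, inside hosts must have a route back to the client pool subnet via the PIX; if the PIX is their default gateway that is already true. `show access-list` (hit counts on both ACLs) and `show xlate` (no translation entries for inside-to-pool traffic) are the quickest way to confirm the split is doing what you expect.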

Thanks Walter,

I upgraded the old 506 to v6.34 and set interfaces to auto. Could you show me an example of the ACL in my case? or would this work?

access-list Nat_acl permit ip any

Is the NAT0 not going to be a problem?
