1. Home
  2. Cisco Systems
  3. vpn client to pix not working

vpn client to pix not working

Hi all,

Got a config posted below. I am trying to set up remote vpn client to connect to my lan via the pix. I got the config so it can connect and pull the 172 address from the pool and shows it is connected but I cannot ping or connect to anything on the 10. network. I can't even ping the inside interface of the pix this is a 506E so it wouldn't be anything to do with licensing and I am using ciscos client v4.0.4 which according to cisco will work with AES-128. Any suggestions I am stumped thanks.

PIX Version 6.3(4) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password H5/7IulqGXhpEm2J encrypted passwd H5/7IulqGXhpEm2J encrypted hostname pix domain-name rhi fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list outside_cryptomap_20 permit ip 10.2.1.0 255.255.255.0

192.168.1.0 255.255.255.0 access-list outside_cryptomap_20 permit ip 10.2.1.0 255.255.255.0 172.16.1.0 255.255.255.0 pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside 28.40.88.11 255.255.255.240 ip address inside 10.2.1.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool cvpn 172.16.1.1-172.16.1.5 no pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list outside_cryptomap_20 nat (inside) 1 0.0.0.0 0.0.0.0 0 0 route outside 0.0.0.0 0.0.0.0 28.40.88.11 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set esp-aes-128-md5 esp-aes esp-md5-hmac crypto ipsec transform-set esp-aes-128-sha esp-aes esp-sha-hmac crypto dynamic-map vpnmerge 10 set transform-set esp-aes-128-sha crypto map outside_map 20 ipsec-isakmp crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer 6.1.10.5 crypto map outside_map 20 set transform-set esp-aes-128-md5 crypto map outside_map 30 ipsec-isakmp dynamic vpnmerge crypto map outside_map interface outside isakmp enable outside isakmp key ******** address 6.1.10.5 netmask 255.255.255.255 isakmp identity address isakmp policy 20 authentication pre-share isakmp policy 20 encryption aes isakmp policy 20 hash md5 isakmp policy 20 group 5 isakmp policy 20 lifetime 86400 isakmp policy 25 authentication pre-share isakmp policy 25 encryption aes isakmp policy 25 hash sha isakmp policy 25 group 2 isakmp policy 25 lifetime 86400 vpngroup merge address-pool cvpn vpngroup merge dns-server 64.28.40.226 4.2.2.1 vpngroup merge wins-server 192.168.1.31 vpngroup merge default-domain pac.rhi.com vpngroup merge idle-time 1800 vpngroup merge password ******** telnet timeout 5 ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 inside ssh timeout 5 management-access inside console timeout 0 dhcpd address 10.2.1.50-10.2.1.100 inside dhcpd dns 64.28.40.226 4.2.2.1 dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd enable inside terminal width 80 Cryptochecksum:76c54154c87acb8038249f400882c5d9
Reply to
jspr
Loading thread data ...

You may need an acl permit icmp any any and apply it to interfaces to be able to ping the pix

however:

these acl-s state that,

the traffic going to the vpn should not be NATed, this is good.

i assume this is for the vpn client,

and these are for a site-to-site vpn tunnel with a peer having address

6.1.10.5. if i'm right, and you have both a tunnel and the vpn client, then because of this:

the traffic originating from the 10/8 network, going to the 172.16/16 network will go to 6.1.10.5, because it has higher precedence, and will not go to the vpn client, because of the lowes precedence.

So i'm thinking that you're expecting the traffic from the internal network to go to the vpn client's 172.16... address, but instead it goes towards 6.1.10.5.

I may be incorrect though :)

regards Adam

A: No. Q: Should I include quotations after my reply?

Reply to
Adam KOSA

Adam thanks for the reply, I put the policy setting on the dynamic map isakmp to 10 and still getting the same thing connect but no ping or anything any other suggestions? Thanks

Reply to
jspr

i'd ping something behind the pix, and while doing this, try to debug icmp traffic and see if the request gets through, and what happens with the reply.

regards Adam

A: No. Q: Should I include quotations after my reply?

Reply to
Adam KOSA

Adam thanks for the input, got it working the problem was that I had one ACL for the site to site vpn client and nat 0. I created a nonat acl for the traffic from the client and the site to site and included that in the nat 0 and then had a sep. one for the site to site and that was included in the crypto map statement.

thanks for the help

Reply to
jspr

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.