VPN PLEASE HELP!

Ok, I need some help pretty quickly. I got a new PIX firewall and can't get the damn VPN working properly. I'm sure it's something dumb, but I can't figure it out. I am able to connect to the VPN and authenticate just fine, but am unable to communicate with any of the systems behind the PIX. In fact, after checking the logs, when I try to browse to any internal site or connect to any system behind it, I don't see anything in the logs, almost like the client side is messed up. Below is my config, and below that are the routes given to the client once they connect. Please help me!?!? =) Thanks in advance.

: Saved
PIX Version 7.0(4)
!
hostname pix0-bw
domain-name nexdlevel.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 63.x.x.200 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 101 extended permit icmp 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 102 standard permit 172.16.1.0 255.255.255.0
access-list 102 standard permit 172.16.2.0 255.255.255.0
access-list inbound extended permit ip any any
access-list inbound extended permit tcp any any
access-list inbound extended permit udp any any
pager lines 24
logging enable
logging console alerts
logging trap debugging
logging facility 23
logging host inside 172.16.1.3
mtu outside 1500
mtu inside 1500
ip local pool bigpool 172.16.2.1-172.16.2.254
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 63.x.x.199 172.16.1.3 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 63.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn3000-all internal
group-policy vpn3000-all attributes
 wins-server value 172.16.1.3
 dns-server value 172.16.1.3
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 102
 default-domain value iyd.com
username jtrooney password 0Iv9/eZsaVXuicgH encrypted
username jtrooney attributes
 vpn-group-policy vpn3000-all
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 address-pool (outside) bigpool
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group vpn3000-all type ipsec-ra
tunnel-group vpn3000-all general-attributes
 address-pool bigpool
 default-group-policy vpn3000-all
tunnel-group vpn3000-all ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 63.x.x.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:0730349c6a31ede02cace6e9306701b6
: end

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1  192.168.10.234     30
     63.85.86.200  255.255.255.255     192.168.10.1  192.168.10.234      1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
       172.16.0.0      255.255.0.0       172.16.2.1      172.16.2.1     10
       172.16.1.0    255.255.255.0       172.16.2.1      172.16.2.1      1
       172.16.2.0    255.255.255.0       172.16.2.1      172.16.2.1      1
       172.16.2.1  255.255.255.255        127.0.0.1       127.0.0.1     10
   172.16.255.255  255.255.255.255       172.16.2.1      172.16.2.1     10
     192.168.10.0    255.255.255.0   192.168.10.234  192.168.10.234     30
   192.168.10.234  255.255.255.255        127.0.0.1       127.0.0.1     30
   192.168.10.255  255.255.255.255   192.168.10.234  192.168.10.234     30
        224.0.0.0        240.0.0.0       172.16.2.1      172.16.2.1     10
        224.0.0.0        240.0.0.0   192.168.10.234  192.168.10.234     30
  255.255.255.255  255.255.255.255       172.16.2.1      172.16.2.1      1
  255.255.255.255  255.255.255.255   192.168.10.234  192.168.10.234      1
Default Gateway:      192.168.10.1
===========================================================================
Persistent Routes:
  None

Reply to
jtrooney

Hi,

I had a similar problem once and what worked for me was adding this:

isakmp nat-traversal 20

NAT-traversal is what was specifically added to take care of those issues and allow all the IPsec traffic to be handled properly via UDP behind NAT.

Hope this helps,

PP

Reply to
PacoPepe

Looks like I'm getting closer... after running the isakmp nat-traversal I can see the traffic getting to the PIX now. This is what I get now:

Aug 21 21:44:57 172.16.1.1 %PIX-6-609001: Built local-host outside:172.16.2.1
Aug 21 21:44:57 172.16.1.1 %PIX-3-305005: No translation group found for tcp src outside:172.16.2.1/4768 dst inside:172.16.1.3/22

Any thoughts?

BTW Thanks!!! =)

> Hi,

Reply to
jtrooney

Hello,

Use static mapping.

> Looks like I'm getting closer... after running the isakmp

Reply to
asr

This is happening due to NAT issues. You must place a NAT statement:

nat (inside) 0 access-list no-nat
access-list no-nat permit ip x.x.x.x x.x.x.x any

If using the PDM, go to the NAT section, click the button that says NAT exemptions, and enter the subnets for the local and remote sides of the tunnels.

Reply to
Chad Mahoney

Not quite; if you do that, all traffic will break. You've got the right idea though; he does need to add a nonat statement. There are a couple of different ways to do it.

access-list nonat permit ip
nat (inside) 0 access-list nonat

or

access-list nonat permit ip any
nat (inside) 0 access-list nonat

Reply to
Brian V
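Putting the two fixes from this thread together, as an added example that is not any poster's config: a PIX 7.0 fragment that enables NAT-T (PacoPepe's suggestion) and adds the NAT exemption that Chad Mahoney and Brian V are describing, written out for the addressing in the original post (inside 172.16.1.0/24, VPN pool bigpool 172.16.2.0/24). The list name nonat is assumed; note that the posted config already defines access-list 101 with exactly the inside-to-pool entries a NAT exemption needs but nothing references it, so `nat (inside) 0 access-list 101` would achieve the same thing.

```cisco
! Added example, not the original poster's config. Assumes the addressing
! shown in the thread: inside 172.16.1.0/24, ip local pool bigpool 172.16.2.0/24.

! 1. NAT-T (PacoPepe's fix). The client sits behind 192.168.10.1, so ESP
!    has to ride inside UDP/4500 to survive the NAT in front of it.
!    (PIX 7.0 syntax; the keepalive interval is in seconds.)
isakmp nat-traversal 20

! 2. NAT exemption. The posted config has
!      global (outside) 1 interface
!      nat (inside) 1 0.0.0.0 0.0.0.0
!    so every inside host is PATed to the outside address, and the reply
!    to a pool address has no translation: that is the %PIX-3-305005
!    "No translation group found" in the log. nat 0 with an access-list
!    exempts only the inside <-> pool traffic from translation and leaves
!    ordinary Internet traffic under the existing PAT.
!    Keep the destination specific: a nat 0 list with destination "any"
!    exempts all inside traffic, so hosts would reach the Internet with
!    untranslated 172.16.1.x sources, which is why "all traffic will break".
access-list nonat extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Checks after applying (show commands, no config change):
!   show crypto isakmp sa        - phase 1 up, NAT-T detected
!   show crypto ipsec sa         - encaps/decaps counters both moving
!   show access-list nonat       - hit count increases when the client connects inside
!   show xlate                   - no xlate built for 172.16.2.x <-> 172.16.1.x
```

Two things in the posted config that this fix does not touch and that a reviewer would flag: `access-list inbound extended permit ip any any` is applied inbound on the outside interface, so the static for 172.16.1.3 is reachable on every port, and `telnet 0.0.0.0 0.0.0.0 outside` allows cleartext management from anywhere on the Internet. The IKE and IPsec proposals (DES, MD5, DH group 1 or 2) were already weak at the time; 3DES or AES with SHA were available on PIX 7.0 with the appropriate license.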

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.