really weird PIX 501 problem

    Hi all,
    I am at my wits' end with this problem; hopefully someone can help. Here is the situation:
    I am in my office. We have a PIX 501 (version 6.3(5)) being used as a firewall, router, etc., connected to a DSL line with a static IP. We are trying to connect to the VPN at our parent company. Everyone connects to the VPN just fine, but only the first person who connects can actually work. What happens is that we get a remote IP from the VPN server, but after that nothing. The first person who connected can ping the servers on the internal host network and work with the program that we use (via the VPN), but no one else can. All the IP ranges are different, so that is not the problem. Someone HELP ME PLEASE!!!!!
    We are trying to connect to a Quality Bytes Server Express (???) Linux-based firewall using the Windows XP Pro PPTP VPN client. Site-to-site would be the obvious fix, but is not possible at this time. Essentially, my question is: is this a problem on my end or their end, and how do I resolve it? CONFIG ATTACHED: all sensitive info replaced with ******

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ********* encrypted
    passwd ********* encrypted
    hostname *******
    domain-name *******
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.16.0 lan
    name 192.168.16.2 server
    access-list vpn1_splitTunnelAcl permit ip lan 255.255.255.0 any
    access-list inside_outbound_nat0_acl permit ip lan 255.255.255.0 192.168.16.80 255.255.255.240
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.16.80 255.255.255.240
    access-list outside_cryptomap_dyn_40 permit ip any 192.168.16.80 255.255.255.240
    access-list vpn2_splitTunnelAcl permit ip lan 255.255.255.0 any
    access-list outside_cryptomap_dyn_60 permit ip any 192.168.16.80 255.255.255.240
    access-list vpn3_splitTunnelAcl permit ip lan 255.255.255.0 any
    access-list outside_cryptomap_dyn_80 permit ip any 192.168.16.80 255.255.255.240
    access-list vpn4_splitTunnelAcl permit ip lan 255.255.255.0 any
    access-list outside_cryptomap_dyn_100 permit ip any 192.168.16.80 255.255.255.240
    access-list outside_cryptomap_dyn_120 permit ip any 192.168.16.80 255.255.255.240
    access-list vpn5_splitTunnelAcl permit ip lan 255.255.255.0 any
    access-list outside_cryptomap_dyn_140 permit ip any 192.168.16.80 255.255.255.240
    access-list kedem_splitTunnelAcl permit ip lan 255.255.255.0 any
    access-list outside_cryptomap_dyn_160 permit ip any 192.168.16.80 255.255.255.240
    access-list inbound permit tcp any any eq 475
    access-list inbound permit udp any any eq 475
    access-list outside_access_in permit tcp any any eq 3389
    access-list outside_access_in permit gre any any
    access-list outside_access_in permit tcp any any eq https
    access-list outside_access_in permit tcp any any eq www
    access-list inside_access_in permit gre any any
    access-list inside_access_in permit tcp any any
    access-list inside_access_in permit udp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 192.168.16.254 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pool1 192.168.16.81-192.168.16.91
    pdm location 192.117.155.160 255.255.255.255 outside
    pdm location 192.114.80.31 255.255.255.255 outside
    pdm location server 255.255.255.255 inside
    pdm location 192.114.80.0 255.255.255.128 outside
    pdm location 0.0.0.0 255.255.255.255 inside
    pdm location 0.0.0.0 255.255.255.255 outside
    pdm location 192.168.0.51 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp ********* 3389 server 3389 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http ********** 255.255.255.255 outside
    http ********** 255.255.255.255 outside
    http 0.0.0.0 255.255.255.255 outside
    http 0.0.0.0 0.0.0.0 inside
    http 192.168.0.51 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
    crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
    crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
    crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 140 match address outside_cryptomap_dyn_140
    crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 160 match address outside_cryptomap_dyn_160
    crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup vpn1 address-pool pool1
    vpngroup vpn1 split-tunnel vpn1_splitTunnelAcl
    vpngroup vpn1 idle-time 1800
    vpngroup vpn1 password ********
    vpngroup vpn2 address-pool pool1
    vpngroup vpn2 split-tunnel vpn2_splitTunnelAcl
    vpngroup vpn2 idle-time 1800
    vpngroup vpn2 password ********
    vpngroup vpn3 address-pool pool1
    vpngroup vpn3 split-tunnel vpn3_splitTunnelAcl
    vpngroup vpn3 idle-time 1800
    vpngroup vpn3 password ********
    vpngroup vpn4 address-pool pool1
    vpngroup vpn4 split-tunnel vpn4_splitTunnelAcl
    vpngroup vpn4 idle-time 1800
    vpngroup vpn4 password ********
    vpngroup vpn5 address-pool pool1
    vpngroup vpn5 split-tunnel vpn5_splitTunnelAcl
    vpngroup vpn5 idle-time 1800
    vpngroup vpn5 password ********
    vpngroup kedem address-pool pool1
    vpngroup kedem split-tunnel kedem_splitTunnelAcl
    vpngroup kedem idle-time 1800
    vpngroup kedem password ********
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh *********** 255.255.255.128 outside
    ssh timeout 5
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname ********
    vpdn group pppoe_group ppp authentication pap
    vpdn username ********* password *********
    dhcpd address 192.168.16.50-192.168.16.80 inside
    dhcpd dns 192.116.202.222
    dhcpd lease 3600
    dhcpd ping_timeout 750
    username ************ encrypted privilege 15
    terminal width 80
    Cryptochecksum:********************
    : end
    [OK]
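Added example, not part of the post above and not a Cisco tool: a small static reviewer for a PIX 6.x config dump of the kind pasted above. The checks are this editor's own assumptions about what a reviewer looks at when several PPTP clients sit behind one PAT address, plus the management-plane and IKE settings visible in the posted config (PDM/HTTP on the outside interface, the default SNMP community, telnet from any inside address, RDP published to any source, MD5/3DES in IKE phase 1). The sample config is a constructed excerpt of the posted one with the masked public address replaced by a TEST-NET placeholder; the script reports what the config says, it does not claim to diagnose the poster's problem.

```python
"""Static review of a Cisco PIX 6.x config dump. Added example, not Cisco tooling
and not part of the forum post: the checks are this reviewer's own."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the relevant lines of the config posted above, with the
# masked public address on the static replaced by a TEST-NET placeholder.
SAMPLE_CONFIG = """\
fixup protocol pptp 1723
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit gre any any
global (outside) 10 interface
static (inside,outside) tcp 203.0.113.10 3389 server 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
http server enable
http 0.0.0.0 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 inside
snmp-server community public
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
telnet 0.0.0.0 0.0.0.0 inside
: end
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium", "low" or "info"
    check: str     # stable identifier of the check that fired
    detail: str


def parse_config(text: str) -> list[str]:
    """Stripped, non-empty config lines; ': end'-style markers are dropped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(":")]


def matching(lines: list[str], pattern: str) -> list[str]:
    rx = re.compile(pattern)
    return [ln for ln in lines if rx.search(ln)]


def acls_bound_to(lines: list[str], iface: str) -> set[str]:
    """Names of ACLs applied inbound on the given interface."""
    names = set()
    for ln in lines:
        m = re.match(r"^access-group (\S+) in interface (\S+)$", ln)
        if m and m.group(2) == iface:
            names.add(m.group(1))
    return names


def pptp_pat_checks(lines: list[str]) -> list[Finding]:
    """GRE (IP protocol 47) has no port field, so PAT cannot tell two clients'
    GRE flows to the same PPTP server apart by port. The PIX PPTP fixup inspects
    the TCP/1723 control channel and tracks each tunnel by PPTP call ID, which
    is what lets more than one PPTP client share a single PAT address."""
    out: list[Finding] = []
    pat = matching(lines, r"^global \(\S+\) \d+ interface$")
    fixup = matching(lines, r"^fixup protocol pptp 1723$")
    if pat and not fixup:
        out.append(Finding("high", "pptp-fixup-missing",
                           "PAT to the interface address without 'fixup protocol pptp 1723': "
                           "only one PPTP tunnel per server can be translated"))
    elif pat and fixup:
        out.append(Finding("info", "pptp-fixup-present",
                           "PPTP fixup is on; the firewall can PAT several tunnels to one server"))
    for name in acls_bound_to(lines, "outside"):
        if matching(lines, rf"^access-list {re.escape(name)} permit gre any any$"):
            out.append(Finding("low", "gre-any-inbound",
                               "'permit gre any any' inbound on outside is broader than outbound "
                               "PPTP needs; the fixup opens return GRE for tracked tunnels itself"))
        if matching(lines, rf"^access-list {re.escape(name)} permit tcp any any eq 3389$"):
            out.append(Finding("high", "rdp-exposed",
                               "TCP/3389 permitted from any source on outside"))
    return out


def exposure_checks(lines: list[str]) -> list[Finding]:
    """Management-plane and IKE settings a reviewer would flag."""
    out: list[Finding] = []
    for ln in matching(lines, r"^http \S+ \S+ outside$"):
        out.append(Finding("high", "pdm-from-outside",
                           f"HTTP/PDM management permitted on the outside interface: '{ln}'"))
    if matching(lines, r"^snmp-server community (public|private)$"):
        out.append(Finding("high", "snmp-default-community",
                           "SNMP answers to a default community string"))
    if matching(lines, r"^telnet 0\.0\.0\.0 0\.0\.0\.0 \S+$"):
        out.append(Finding("medium", "telnet-any",
                           "cleartext telnet management allowed from any address"))
    if matching(lines, r"^isakmp policy \d+ hash md5$"):
        out.append(Finding("medium", "ike-md5", "IKE phase 1 uses MD5"))
    if matching(lines, r"^isakmp policy \d+ encryption (des|3des)$"):
        out.append(Finding("medium", "ike-legacy-cipher", "IKE phase 1 uses DES/3DES"))
    return out


def review(text: str) -> list[Finding]:
    lines = parse_config(text)
    return pptp_pat_checks(lines) + exposure_checks(lines)


if __name__ == "__main__":
    for f in review(SAMPLE_CONFIG):
        print(f"[{f.severity:<6}] {f.check}: {f.detail}")
```

Run it against a full `write terminal` dump with the secrets still masked, as in the post; the regexes anchor on whole lines, so the masked fields do not matter. Against the sample the PPTP check only reports that the fixup is present; removing the `fixup protocol pptp 1723` line flips it to the high-severity "one tunnel per server" finding, which is the configuration state a reviewer would want ruled out first when only the first client through a PAT address works.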