cisco PIX vpn connectivity woes

  • #1
    cisco PIX vpn connectivity woes

    I'm pretty new to the PIX world. I'm trying to learn a few things using various tutorials I've found on the net.

    I have a PIX 501 that I'm trying to use as a VPN endpoint. I have a WinXP machine running VPN Client 4.0.

    Here's the setup:

    (internet)-----[cisco 831]-----[pix 501]-----(internal network)

    I can connect to the PIX and am assigned an IP address, but beyond this nothing happens.

    I cannot look inside the internal network, and I cannot pass through the VPN to connect to the outside world either (browsing, etc.).

    Here's my PIX configuration. Maybe someone can find something in here that will help.

    I read someplace about something to do with a "split scope." While I wasn't really able to understand fully what that means, I gathered it had something to do with the PIX dealing with two separate networks. Is there some specific command that I need to implement? Also, can someone give me the layperson's explanation of what this "split scope" does, if it is the source of the problem?

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxx encrypted
    passwd xxxxxxxxxxx encrypted
    hostname phobos
    domain-name solhome
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 101 permit ip 192.168.100.240 255.255.255.240 10.10.100.8 255.255.255.252
    access-list 101 permit ip 10.10.100.0 255.255.255.248 10.10.10.8 255.255.255.252
    access-list 102 permit ip 192.168.100.240 255.255.255.240 10.10.100.8 255.255.255.252
    access-list 102 permit ip 10.10.100.0 255.255.255.248 10.10.10.8 255.255.255.252
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 10.10.100.3 255.255.255.248
    ip address inside 192.168.100.242 255.255.255.240
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 10.10.100.9-10.10.100.14
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 102
    nat (inside) 1 192.168.100.240 255.255.255.240 0 0
    conduit permit ip host 10.10.100.9 any
    conduit permit ip host 10.10.100.10 any
    route inside 0.0.0.0 0.0.0.0 192.168.100.241 1
    route outside 0.0.0.0 0.0.0.0 10.10.100.1 255
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set trmset esp-aes-256 esp-sha-hmac
    crypto dynamic-map map2 10 set transform-set trmset
    crypto map map1 10 ipsec-isakmp dynamic map2
    crypto map map1 interface outside
    isakmp enable outside
    isakmp identity address
    isakmp client configuration address-pool local vpnpool outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpnclients address-pool vpnpool
    vpngroup vpnclients dns-server 192.168.100.252
    vpngroup vpnclients wins-server 192.168.100.253
    vpngroup vpnclients default-domain solhome
    vpngroup vpnclients split-tunnel 101
    vpngroup vpnclients idle-time 1800
    vpngroup vpnclients password ********
    telnet timeout 5
    ssh 10.10.100.6 255.255.255.255 outside
    ssh 192.168.100.254 255.255.255.255 inside
    ssh 192.168.100.253 255.255.255.255 inside
    ssh 192.168.100.252 255.255.255.255 inside
    ssh 192.168.100.243 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    terminal width 80

  • #2
    Re: cisco PIX vpn connectivity woes

    Hi there,

    Sorry so long to get back to you on this. How is this going? Anything new?

    I believe you are talking about a "split tunnel".

    With a "regular" VPN client, when you connect to a VPN server (your PIX), you are ONLY connected to that VPN's Internal network. What this means for most people is that when they connect to their VPN, they can no longer browse the Internet.

    Well, most people want to both be able to connect to the Internet AND browse the internal LAN (even though it is a security risk). To be able to connect to both, you need to enable a "split tunnel".

    Let's say that you were connecting to a VPN server with a Windows workstation (endpoint). To enable a split tunnel, UNCHECK "use default gateway on remote network" on the properties for the VPN client. I attached a graphic so you can see what it looks like...

    Now, in your case, the PIX is the VPN endpoint. For that, I would refer to Cisco's PIX tech config page, where they have over 100 PIX configuration examples. Here is one that is a working Router to PIX VPN configuration. That should be a good example for you.

    I hope that helps.

    Please let us know how things are going.
    Last edited by daviddavis; 31st July 2007, 11:08.
    David Davis - Petri Forums Moderator & Video Training Author
    Train Signal - The Global Leader in IT Video Training
    TrainSignalTraining.com - Free IT Training Products
    Personal Websites: HappyRouter.com & VMwareVideos.com



    • #3
      Re: cisco PIX vpn connectivity woes

      Thanks for the response!

      I all but gave up on this thread.

      The link to the examples is also great.

      Unfortunately, I'm having the same problem. After your explanation, I understand split-scope much better. I've also come to the realization that I'm not going to need split-scope.

      All I really want to do is access my internal network when I'm away from home to maintain the network and remotely troubleshoot any problems that come up.

      Unfortunately, I am not able to do much right now. I can connect to the PIX without any issue, but I can't browse the internal network after the tunnel is established.

      Any and all help will be greatly appreciated.

      Thanks again.



      • #4
        Re: cisco PIX vpn connectivity woes

        Hi there,

        I was confused when you said that you have a PC with the VPN client.

        Are you trying to use the PC to connect to the PIX to create an encrypted tunnel over the Internet? Or are you trying to use the PIX to create an encrypted tunnel, over the Internet, to the router?

        Let's say that you have a PC connected to the inside port of the PIX. The PIX is connecting to the router over the Internet (site-to-site VPN). You don't need the VPN client on the PC.

        To configure this, I would seriously consider copying your config off the router and the PIX. Then take this config (Router to PIX VPN configuration) and use it as an example, substituting your own IP addresses on both the router and the PIX.

        See how it goes. If you are still having trouble with that config, then please repost both the router and PIX configs here and I will try to troubleshoot them with you.

        If we can get your configs to almost match the sample config, then it should just be a matter of replacing IP addresses. Once you have a working config, then you can back it up, and begin to add more features (like accepting VPN clients over the Internet), one feature at a time.

        I hope that helps!

        Thanks,
        David Davis - Petri Forums Moderator & Video Training Author



        • #5
          Re: cisco PIX vpn connectivity woes

          Thanks for the follow-up.

          I'm sorry I was ambiguous about what I was trying to do.

          You had it right the first time, though. I am trying to connect a PC to my PIX 501 to create an encrypted tunnel over the Internet.

          I'll alter the layout a bit:

          PC-------(internet)-------cisco 831------pix 501-------(internal network)

          I'm using Cisco VPN Client v4.8.

          I've altered my configuration a bit, following a little bit of two examples.

          I can connect successfully to the PIX, but beyond that, I can't do much. I can't ping/connect to anything on the internal network.

          I'll post that shortly, as well as the error the VPN client software shows when I successfully connect.

          Thanks again.

          PIX Version 6.3(5)
          interface ethernet0 auto
          interface ethernet1 100full
          nameif ethernet0 outside security0
          nameif ethernet1 inside security100
          enable password xxxx encrypted
          passwd xxxx encrypted
          hostname phobos
          domain-name solhome.com
          fixup protocol dns maximum-length 512
          fixup protocol ftp 21
          fixup protocol h323 h225 1720
          fixup protocol h323 ras 1718-1719
          fixup protocol http 80
          fixup protocol rsh 514
          fixup protocol rtsp 554
          fixup protocol sip 5060
          fixup protocol sip udp 5060
          fixup protocol skinny 2000
          fixup protocol smtp 25
          fixup protocol sqlnet 1521
          fixup protocol tftp 69
          names
          access-list 101 permit ip 192.168.100.240 255.255.255.240 192.168.101.0 255.255.255.0
          access-list 102 permit ip 192.168.100.240 255.255.255.240 192.168.101.0 255.255.255.0
          pager lines 24
          mtu outside 1500
          mtu inside 1500
          ip address outside 10.10.100.3 255.255.255.248
          ip address inside 192.168.100.242 255.255.255.240
          ip audit info action alarm
          ip audit attack action alarm
          ip local pool vpnclients 192.168.101.1-192.168.101.254
          pdm history enable
          arp timeout 14400
          nat (inside) 0 access-list 101
          route outside 0.0.0.0 0.0.0.0 10.10.100.1 1
          timeout xlate 3:00:00
          timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
          timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
          timeout sip-disconnect 0:02:00 sip-invite 0:03:00
          timeout uauth 0:05:00 absolute
          aaa-server TACACS+ protocol tacacs+
          aaa-server TACACS+ max-failed-attempts 3
          aaa-server TACACS+ deadtime 10
          aaa-server RADIUS protocol radius
          aaa-server RADIUS max-failed-attempts 3
          aaa-server RADIUS deadtime 10
          aaa-server LOCAL protocol local
          no snmp-server location
          no snmp-server contact
          snmp-server community public
          no snmp-server enable traps
          floodguard enable
          sysopt connection permit-ipsec
          crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
          crypto dynamic-map map2 10 set transform-set trmset1
          crypto map map1 10 ipsec-isakmp dynamic map2
          crypto map map1 interface outside
          isakmp enable outside
          isakmp identity address
          isakmp client configuration address-pool local vpnclients outside
          isakmp nat-traversal 10
          isakmp policy 10 authentication pre-share
          isakmp policy 10 encryption aes-256
          isakmp policy 10 hash sha
          isakmp policy 10 group 2
          isakmp policy 10 lifetime 86400
          vpngroup vpnclients address-pool vpnclients
          vpngroup vpnclients dns-server 192.168.100.254 192.168.100.253
          vpngroup vpnclients default-domain solhome.com
          vpngroup vpnclients split-tunnel 101
          vpngroup vpnclients idle-time 1800
          vpngroup vpnclients password ********
          telnet timeout 5
          ssh timeout 5
          console timeout 0
          terminal width 80
          Cryptochecksum:f8816237ff68eac7c8481512fa8aadaa
          : end
          Last edited by xyyz; 23rd August 2007, 12:36. Reason: including config



          • #6
            Re: cisco PIX vpn connectivity woes

            Hi there,

            I don't really see any obvious error in your config.

            I compared it to this config
            http://www.cisco.com/en/US/products/...801e71c0.shtml

            which seems to mirror your config almost exactly.

             The only difference I see is that they use different ACLs for the split-tunnel statement and the NAT statement; however, the ACL would be exactly the same, so I don't see why that would matter.

            So, once connected to the VPN can you ping the following, by IP number (not name)?
            ping 10.10.100.3
            ping 192.168.100.242

            if you are trying to ping an internal client device, does it have, say, the windows firewall on and blocking inbound ping?

            Let me know

            Thanks!
            David Davis - Petri Forums Moderator & Video Training Author



            • #7
              Re: cisco PIX vpn connectivity woes

               Thank you again for the response. I apologize for taking so long in my reply.

               Unfortunately, I'm away on a project until the end of October, so I have very limited access to the network.

               I really do want to resolve this issue.

               Here's one thing I noticed before I left. I was able to get some access through the network, but with only one IP address. I was able to ping and access the web-based menu on my print server, which is 192.168.100.248 (I think it's .248, but it could be .249 or .250). I found this really strange.

               I noticed an error in the VPN client logs. While I don't remember the exact error, it had something to do with not being able to add a network or netmask. I'll see if I can find the error in a follow-up post.



              • #8
                Re: cisco PIX vpn connectivity woes

                Hi,

                 Try adding a "route inside" command to the PIX config for the PC's IP range, pointing at the internal network.

                 I've come across similar things before when setting up site-to-site VPNs with PIXes; they do sometimes get confused with the routes...

                 I have only had a real quick look over the config; I will have another look tomorrow...

                Cheers

                Jonathan
                MCSA/MCSE 2000
                MCSA/MCSE 2003
                CCNA

                I love pies.

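The replies above point at three things a practitioner checks by hand in a PIX 6.3 remote-access config: that the split-tunnel ACL (post #2) and the `nat (inside) 0 access-list` exemption (post #6) both name every address in the client pool, that the pool does not collide with a directly connected subnet, and that the routing table is sane (post #8). The script below, written for this page as an added example rather than code from Cisco or from either poster, automates those checks. The two config excerpts embedded in it are copied from the first and second configs posted in this thread; the finding codes, rule names and messages are the script's own. Against the first config it reports that the pool 10.10.100.9-.14 is only partly covered by the /30 in ACLs 101 and 102, and that there are two default routes; against the second config it reports nothing, which is consistent with post #6.

```python
"""Sanity checks for the VPN-client commands in a PIX 6.3 config (added example).
Parses only the commands the thread discusses: ip address, ip local pool,
access-list, nat 0 access-list, route, sysopt, vpngroup.  Standard library only."""
import ipaddress

# Excerpt of the first config posted (copied from post #1 of this thread).
CONFIG_POST1 = """\
ip address outside 10.10.100.3 255.255.255.248
ip address inside 192.168.100.242 255.255.255.240
access-list 101 permit ip 192.168.100.240 255.255.255.240 10.10.100.8 255.255.255.252
access-list 101 permit ip 10.10.100.0 255.255.255.248 10.10.10.8 255.255.255.252
access-list 102 permit ip 192.168.100.240 255.255.255.240 10.10.100.8 255.255.255.252
access-list 102 permit ip 10.10.100.0 255.255.255.248 10.10.10.8 255.255.255.252
ip local pool vpnpool 10.10.100.9-10.10.100.14
nat (inside) 0 access-list 102
route inside 0.0.0.0 0.0.0.0 192.168.100.241 1
route outside 0.0.0.0 0.0.0.0 10.10.100.1 255
sysopt connection permit-ipsec
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients split-tunnel 101
"""

# Excerpt of the revised config (copied from post #5 of this thread).
CONFIG_POST5 = """\
ip address outside 10.10.100.3 255.255.255.248
ip address inside 192.168.100.242 255.255.255.240
access-list 101 permit ip 192.168.100.240 255.255.255.240 192.168.101.0 255.255.255.0
ip local pool vpnclients 192.168.101.1-192.168.101.254
nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 10.10.100.1 1
sysopt connection permit-ipsec
vpngroup vpnclients address-pool vpnclients
vpngroup vpnclients split-tunnel 101
"""


def _addr_spec(toks, i):
    """Parse one ACL address spec at toks[i]: 'any', 'host A', or 'A MASK'.
    PIX 6.x ACLs take ordinary subnet masks, not IOS wildcard masks."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse_pix(text):
    """Collect the VPN-relevant commands from a 'write terminal' dump."""
    cfg = {"interfaces": {}, "pools": {}, "acls": {}, "nat0": None,
           "routes": [], "vpngroups": {}, "sysopt_permit_ipsec": False}
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[:2] == ["ip", "address"] and len(toks) >= 5:
            cfg["interfaces"][toks[2]] = ipaddress.ip_interface(f"{toks[3]}/{toks[4]}")
        elif toks[:3] == ["ip", "local", "pool"] and len(toks) >= 5:
            lo, hi = toks[4].split("-")
            cfg["pools"][toks[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif toks[0] == "access-list" and toks[2:4] == ["permit", "ip"]:
            src, i = _addr_spec(toks, 4)
            dst, _ = _addr_spec(toks, i)
            cfg["acls"].setdefault(toks[1], []).append((src, dst))
        elif toks[0] == "nat" and toks[2:4] == ["0", "access-list"]:
            cfg["nat0"] = toks[4]                      # ACL name used for NAT exemption
        elif toks[0] == "route" and len(toks) >= 5:
            metric = int(toks[5]) if len(toks) > 5 else 1
            net = ipaddress.ip_network(f"{toks[2]}/{toks[3]}", strict=False)
            cfg["routes"].append((toks[1], net, toks[4], metric))
        elif toks[0] == "vpngroup" and len(toks) >= 4:
            cfg["vpngroups"].setdefault(toks[1], {})[toks[2]] = toks[3:]
        elif toks == ["sysopt", "connection", "permit-ipsec"]:
            cfg["sysopt_permit_ipsec"] = True
    return cfg


def _uncovered(hosts, acl):
    """Pool addresses that no ACL entry names as a destination."""
    return [h for h in hosts if not any(h in dst for _, dst in acl)]


def check_vpn(cfg):
    """Return (code, message) findings; an empty list means no obvious fault."""
    out = []
    if not cfg["sysopt_permit_ipsec"]:
        out.append(("no-sysopt", "missing 'sysopt connection permit-ipsec': decrypted client traffic hits the outside ACL/conduits"))
    for gname, g in cfg["vpngroups"].items():
        pool = g.get("address-pool", [None])[0]
        if pool not in cfg["pools"]:
            out.append(("no-pool", f"vpngroup {gname}: address-pool {pool!r} is not defined"))
            continue
        lo, hi = cfg["pools"][pool]
        hosts = [ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1)]
        for ifname, iface in cfg["interfaces"].items():   # pool must be a distinct subnet
            if any(h in iface.network for h in hosts):
                out.append(("pool-overlap", f"pool {pool} overlaps the {ifname} subnet {iface.network}"))
        if cfg["nat0"] is None:
            out.append(("no-nat0", "no 'nat (inside) 0 access-list': replies to clients are PATed instead of entering the tunnel"))
        else:
            gap = _uncovered(hosts, cfg["acls"].get(cfg["nat0"], []))
            if gap:
                out.append(("nat0-gap", f"nat 0 ACL {cfg['nat0']} does not exempt {gap[0]}-{gap[-1]} ({len(gap)} of {len(hosts)} pool addresses)"))
        split = g.get("split-tunnel")
        if split:
            gap = _uncovered(hosts, cfg["acls"].get(split[0], []))
            if gap:
                out.append(("split-gap", f"split-tunnel ACL {split[0]} does not list {gap[0]}-{gap[-1]} as destination; those clients get no secured route"))
            if cfg["nat0"] and cfg["nat0"] != split[0] and \
                    set(cfg["acls"].get(cfg["nat0"], [])) != set(cfg["acls"].get(split[0], [])):
                out.append(("acl-mismatch", f"nat 0 ACL {cfg['nat0']} and split-tunnel ACL {split[0]} differ"))
    defaults = [r for r in cfg["routes"] if r[1].prefixlen == 0]
    if len(defaults) > 1:
        out.append(("multi-default", "more than one default route: " +
                    ", ".join(f"{ifn} via {gw} metric {m}" for ifn, _, gw, m in defaults)))
    return out


if __name__ == "__main__":
    for label, text in (("post #1", CONFIG_POST1), ("post #5", CONFIG_POST5)):
        print(label, check_vpn(parse_pix(text)) or "no findings")
```

Run it as-is to see both reports, or feed it a full `write terminal` dump via `parse_pix()`. The checks are deliberately static: they cannot see the Cisco 831 in front of the PIX, so a pool drawn from a subnet the 831 has no route for (the first config's 10.10.100.8/29 sits next to, not inside, the PIX outside subnet) is something to verify on the router, not something this script can prove.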