Cisco PIX VPN Client connects but no Traffic

  • Cisco PIX VPN Client connects but no Traffic

    Hi,
    I have a problem with a Cisco PIX firewall 506E version 6.3.
    We have a Cisco PIX firewall version 6.3 at our center office and users in different locations make connections to this PIX. This is a VPN over IPsec connection. They use Cisco VPN Client 5.0.02. After connecting to the PIX they log in to the Windows Exchange 2003 server with MS Outlook and access their e-mails.
    One of the users works in a customer's office once a day. From this location he connects to the PIX with his laptop and gets an IP from the PIX, but after that he can't connect to the server with MS Outlook and is also unable to ping any network resource. After about 15 minutes the connection is lost.
    This laptop can connect from other locations; there is no problem.

    Below is the configuration of my PIX 506E and the customer's PIX as well. So any change/recommendation to my config or the customer's PIX will be highly appreciated.

    ------------------------------------MY PIX 506E-----------------------------------------

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname 12345
    domain-name company.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 112 permit icmp any any
    access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 101 permit tcp any host 212.*.*.* eq www
    access-list 101 permit tcp any host 212.*.*.* eq telnet
    access-list 101 permit tcp any host 212.*.*.* eq smtp
    access-list 101 permit tcp any host 212.*.*.* eq pop3
    access-list 101 permit tcp host 212.*.*.* host 212.*.*.*
    access-list 101 permit tcp host 212.*.*.* host 212.*.*.*
    access-list 101 permit tcp host 212.*.*.* host 212.*.*.*
    access-list 101 permit tcp host 212.*.*.* host 212.*.*.*
    access-list 101 permit tcp host 212.*.*.* host 212.*.*.*
    access-list olayan_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 212.*.*.* 255.*.*.*
    ip address inside 192.168.*.* 255.*.*.*
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 192.168.2.1-192.168.2.20
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list 103
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 212.*.*.* 192.168.*.* netmask 255.255.*.* 0 0
    access-group 101 in interface outside
    route outside 0.0.0.0 0.0.0.0 212.*.*.* 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
    crypto dynamic-map map2 10 set transform-set vpnset
    crypto map map1 10 ipsec-isakmp dynamic map2
    crypto map map1 interface outside
    isakmp enable outside
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup abcd address-pool vpnpool
    vpngroup abcd dns-server 192.*.*.* 212.*.*.*
    vpngroup abcd default-domain odecoyanbu.com
    vpngroup abcd split-tunnel vpdy
    vpngroup abcd idle-time 1800
    vpngroup abcd password ********
    vpngroup olayan address-pool vpnpool
    vpngroup olayan dns-server 192.168.*.* 212.*.*.*
    vpngroup olayan default-domain odecoyanbu.com
    vpngroup olayan split-tunnel olayan_splitTunnelAcl
    vpngroup olayan idle-time 1800
    vpngroup olayan password ********
    console timeout 0
    vpdn username *** password *********
    vpdn username *** password *********
    vpdn enable outside
    username ***** password ***********
    terminal width 80
    Cryptochecksum:12b9ad520c0c5197f54dbed41a61d8f8
    : end


    ------------------------------Customer PIX CONFIG-------------------------------
    Building configuration...
    : Saved
    :
    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    interface ethernet3 100full
    interface ethernet4 100full
    interface ethernet5 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security10
    nameif ethernet3 intf3 security6
    nameif ethernet4 intf4 security8
    nameif ethernet5 intf5 security10
    enable password PmNe1e0C3tJdCLe8 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname ******
    domain-name *****.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 110 permit ip any any
    access-list outside permit udp any host 212.*.*.* eq pcanywhere-status
    access-list outside permit tcp any host 212.*.*.* eq pcanywhere-data
    access-list outside permit ip any any
    access-list outside permit icmp any any
    access-list outside permit esp host 81.*.*.* host 212.*.*.*
    access-list outside permit gre host 81.*.*.* host 212.*.*.*
    access-list outside permit tcp host 194.*.*.* host 212.*.*.*
    access-list outside permit tcp host 194.*.*.* host 212.*.*.* eq ssh
    access-list outside permit tcp host 194.*.*.* host 212.*.*.* eq https
    access-list outside permit esp host 81.*.*.* host 212.*.*.*
    access-list outside permit gre host 81.*.*.* host 212.*.*.*
    access-list outside permit icmp any host 212.*.*.*
    access-list inside permit icmp any any
    access-list 112 permit udp any host 212.*.*.* eq pcanywhere-status
    access-list 112 permit tcp any host 212.*.*.* eq pcanywhere-data
    access-list 112 permit icmp any any
    access-list 112 permit ip any host 212.*.*.*
    access-list 112 permit ip any host 212.*.*.*
    access-list 112 permit tcp any host 212.*.*.* eq https
    access-list 112 permit ip 212.*.*.* 255.255.255.0 host 212.*.*.*
    access-list 112 permit ip any host 212.*.*.*
    access-list 112 permit tcp any host 212.*.*.* eq 5900
    access-list 112 permit esp host 81.*.*.* host 212.*.*.*
    access-list 112 permit gre host 81.*.*.* host 212.*.*.*
    access-list 112 permit tcp host 194.*.*.* host 212.*.*.*
    access-list 112 permit tcp host 194.*.*.* host 212.*.*.* eq ssh
    access-list 112 permit tcp host 194.*.*.* host 212.*.*.* eq https
    access-list 112 permit esp host 81.*.*.* host *.*.*
    access-list 112 permit gre host 81.*.*.* host 212.*.*.*
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu intf3 1500
    mtu intf4 1500
    mtu intf5 1500
    ip address outside 212.*.*.* 255.*.*.*
    ip address inside 10.*.*.* 255.255.255.0
    ip address dmz 212.*.*.* 255.*.*.*
    ip address intf3 192.*.*.* 255.255.255.0
    no ip address intf4
    no ip address intf5
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address dmz
    no failover ip address intf3
    no failover ip address intf4
    no failover ip address intf5
    pdm location 10.10.0.0 255.255.0.0 inside
    pdm location 192.*.*.* 255.255.255.0 inside
    pdm location 10.*.*.* 255.255.0.0 dmz
    pdm location 81.*.*.* 255.255.255.255 outside
    pdm location 81.*.*.* 255.255.255.255 outside
    pdm location 194.*.*.* 255.255.255.255 outside
    pdm location 212.*.*.* 255.255.255.255 outside
    pdm location 212.*.*.* 255.255.255.255 dmz
    pdm location 192.*.*.* 255.255.255.0 intf3
    pdm location 10.*.*.* 255.255.255.255 inside
    pdm location 10.*.*.* 255.255.255.255 inside
    pdm location 10.*.*.* 255.255.255.255 inside
    pdm location 10.*.*.* 255.255.255.255 inside
    pdm location 10.*.*.* 255.255.0.0 intf3
    pdm location 212.*.*.* 255.255.255.0 outside
    pdm location 212.*.*.* 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 10.*.*.* 255.255.255.0 0 0
    nat (dmz) 0 access-list 110
    nat (intf3) 1 192.*.*.* 255.255.255.0 0 0
    static (inside,outside) 212.*.*.* 10.*.*.* netmask 255.255.255.255 0 0
    static (inside,outside) 212.*.*.* 10.*.*.* netmask 255.255.255.255 0 0
    static (inside,outside) 212.*.*.* 10.*.*.* netmask 255.255.255.255 0 0
    static (inside,outside) 212.*.*.* 10.*.*.* netmask 255.255.255.255 0 0
    access-group 112 in interface outside
    route outside 0.0.0.0 0.0.0.0 212.76.86.17 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 192.*.*.* 255.255.255.0 inside
    http 10.*.*.* 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    console timeout 0
    terminal width 80
    Cryptochecksum:901f0b54c1f049238758dace4d2b9b95
    : end
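
A consistency check over the VPN-related lines of the central PIX config above, added here as an example and not part of the original post or of any Cisco tooling. It assumes only PIX 6.3 syntax for `access-list ... permit ip`, `ip local pool`, `nat (inside) 0 access-list` and `vpngroup`, and ignores every other line (including the redacted `212.*.*.*` entries). The sample input is constructed from the unredacted lines of the posted config. For each vpngroup it verifies that the named split-tunnel ACL and address pool exist, that the whole pool range is covered by the nat 0 exemption ACL (traffic back to the client must bypass PAT), that the networks the split-tunnel ACL tells the client to tunnel are also NAT-exempt, and that the pool does not overlap the inside network. On the posted config it reports that group `abcd` references a split-tunnel ACL `vpdy` that is never defined; the `olayan` group checks clean.

```python
import ipaddress

# Constructed sample input: the unredacted VPN-related lines from the central
# PIX 6.3 config posted in the thread (ACLs, pool, nat 0 exemption, vpngroups).
SAMPLE_CONFIG = """\
access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list olayan_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
ip local pool vpnpool 192.168.2.1-192.168.2.20
nat (inside) 0 access-list 103
vpngroup abcd address-pool vpnpool
vpngroup abcd split-tunnel vpdy
vpngroup olayan address-pool vpnpool
vpngroup olayan split-tunnel olayan_splitTunnelAcl
"""


def _endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pix(text):
    """Extract 'permit ip' ACL entries, local pools, the nat 0 ACL and vpngroup settings."""
    acls, pools, groups, nat0_acl = {}, {}, {}, None
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 6 and p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            src, rest = _endpoint(p[4:])
            dst, _ = _endpoint(rest)
            acls.setdefault(p[1], []).append((src, dst))
        elif p[:3] == ["ip", "local", "pool"] and len(p) == 5:
            first, last = p[4].split("-")
            pools[p[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif p[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0_acl = p[4]
        elif p[0:1] == ["vpngroup"] and len(p) == 4 and p[2] in ("address-pool", "split-tunnel"):
            groups.setdefault(p[1], {})[p[2]] = p[3]
    return acls, pools, nat0_acl, groups


def _covered(net, nets):
    """True if net lies entirely inside one of nets."""
    return any(net.subnet_of(n) for n in nets)


def check_config(text):
    """Return a list of findings; an empty list means every vpngroup reference is consistent."""
    acls, pools, nat0_acl, groups = parse_pix(text)
    exempt = acls.get(nat0_acl, [])  # (src, dst) pairs that bypass NAT
    findings = []
    for name, g in sorted(groups.items()):
        st, pool = g.get("split-tunnel"), g.get("address-pool")
        if st and st not in acls:
            findings.append(f"vpngroup {name}: split-tunnel ACL '{st}' is not defined")
        if pool and pool not in pools:
            findings.append(f"vpngroup {name}: address-pool '{pool}' is not defined")
            continue
        if not pool:
            continue
        first, last = pools[pool]
        pool_nets = list(ipaddress.summarize_address_range(first, last))
        # Inside -> every pool address must be NAT-exempt, or replies to the
        # client get translated by PAT and never enter the tunnel.
        if not all(_covered(n, [dst for _, dst in exempt]) for n in pool_nets):
            findings.append(f"vpngroup {name}: pool '{pool}' {first}-{last} "
                            f"is not covered by nat 0 ACL '{nat0_acl}'")
        # Networks the split-tunnel ACL sends through the tunnel must also be exempt.
        for src, _ in acls.get(st, []):
            if src.prefixlen and not _covered(src, [s for s, _ in exempt]):
                findings.append(f"vpngroup {name}: split-tunnel network {src} "
                                f"is not in nat 0 ACL '{nat0_acl}'")
        # A pool overlapping the protected inside network gives the client ambiguous routes.
        for src, _ in exempt:
            if any(n.overlaps(src) for n in pool_nets):
                findings.append(f"vpngroup {name}: pool '{pool}' overlaps inside network {src}")
    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG) or ["no findings"]:
        print(f)
```

Run it against a full `show run` dump rather than the sample; the parser skips lines it does not understand, so the redacted `static`, `global` and interface ACL lines do not matter to these checks.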

  • #2
    Re: Cisco PIX VPN Client connects but no Traffic

    The problem looks like there is no tunnel between the PIXes; there is no LAN-to-LAN crypto map. See if this document helps; otherwise I will help you with the commands.

    http://www.cisco.com/en/US/partner/p...80094761.shtml
    Last edited by jburk; 27th July 2009, 21:02.
    Cisco CCNA, CCDA, CCVP, Advanced Wireless Design Specialist, CCIP (in progress)



    • #3
      Re: Cisco PIX VPN Client connects but no Traffic

      Dear JBURK,

      Good day!

      I appreciate your concern to help me out. I tried to open the link, but the document is not available at the Cisco web site, as it has been transferred or removed. Please re-paste the correct link again.

      Well, I am not that expert that I may comment strongly, but what I got from your message is that you want me to configure a site-to-site VPN through Cisco firewalls.
      If it is so, then I would love to update you that I don't want to create a permanent VPN with that customer. I just want my user to connect to the Cisco PIX at the central office using the VPN Client.

      I hope you got my requirement.
      Waiting for your spontaneous reply.
      Thanks



      • #4
        Re: Cisco PIX VPN Client connects but no Traffic

        Which client VPN belongs to your customer, abcd or olayan?
        Cisco CCNA, CCDA, CCVP, Advanced Wireless Design Specialist, CCIP (in progress)



        • #5
          Re: Cisco PIX VPN Client connects but no Traffic

          VPN Client belongs to OLAYAN VPNGroup
