Cisco PIX 501 VPN NATing

brady711
I've been searching for days for the solution to this problem. A lot of people seem to have the problem, but no one has posted a solution, i.e., exact commands to solve the problem.

I have a Cisco PIX 501 and am trying to create a VPN that would allow employees to remote in from home. Employees can remote in using Windows but cannot access any LAN resources. The problem seems to be that I am not writing the NAT correctly from the remote IP pool to the LAN IP pool. Each pool has a different internal scheme and different subnets.

Here's the "sh run":

Result of firewall command: "sh run"

: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
hostname GMP-Hawaii
domain-name ciscopix.com
clock timezone HST -10
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list inside_outbound_nat0_acl permit ip 192.9.200.0 255.255.255.0 192.9.210.0 255.255.255.224
access-list outside_access_in deny ip any any
access-list inside permit udp any any eq domain
access-list inside permit tcp any any eq www
access-list inside permit tcp any any eq https
access-list inside permit tcp any any eq smtp
access-list inside permit tcp any any eq pop3
access-list inside permit tcp any any eq domain
access-list inside permit tcp any any eq 465
access-list inside permit tcp any any eq 995
access-list inside permit tcp any any eq ftp
access-list inside permit tcp any any eq 3389
access-list inside permit tcp any any eq aol
access-list inside deny ip any any
pager lines 24
logging on
logging timestamp
icmp permit host 205.172.3.14 outside
icmp permit 192.9.200.0 255.255.255.0 outside
icmp permit 192.9.200.0 255.255.255.0 inside
icmp permit host 192.9.200.2 inside
mtu outside 1500
mtu inside 1500
ip address outside 64.129.12.246 255.255.255.0
ip address inside 192.9.200.28 255.255.255.0
ip verify reverse-path interface outside
ip audit name Attach attack action alarm drop reset
ip audit interface outside Attach
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote 192.9.210.1-192.9.210.25 mask 255.255.255.0
pdm location 205.172.3.14 255.255.255.255 outside
pdm location 192.9.210.0 255.255.255.224 outside
pdm location 192.9.200.222 255.255.255.255 outside
pdm location 64.129.12.246 255.255.255.255 outside
pdm location 192.9.200.222 255.255.255.255 inside
pdm location 64.129.0.0 255.255.255.0 inside
pdm location 64.129.0.0 255.255.0.0 inside
pdm location 64.129.0.0 255.255.255.255 inside
pdm location 192.9.200.0 255.255.255.0 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.9.200.222 3389 netmask 255.255.255.255 0 0
static (inside,outside) 64.129.0.0 64.129.0.0 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 64.129.12.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.9.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local Remote
vpdn group PPTP-VPDN-GROUP client configuration dns 216.136.95.2 64.132.94.250
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxxxxxx password *********
vpdn username xxx password *********
vpdn enable outside
vpdn enable inside
username xxxxxxxx password xxxxxxxxxx encrypted privilege 2
vpnclient server 64.129.12.246
vpnclient mode client-mode
vpnclient vpngroup xxxxxx password ********
vpnclient username xxxxxx password ********
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

The line in question is "access-list inside_outbound_nat0_acl permit ip 192.9.200.0 255.255.255.0 192.9.210.0 255.255.255.224", where 192.9.210.0 255.255.255.224 is the VPN pool and 192.9.200.0 255.255.255.0 is the LAN pool.

Any help on this would save me. I've called a Cisco expert in on this but to no avail.
Thanks.

    You'll stand a much better chance of getting an informed response if you'll repost this as a "Question", not as a "Discussion". The Discussions forum is more opinion-oriented, while the Questions forum is more about solutions to technical problems. While there are TR members who hang out in both groups, there are many who frequent only the Questions forum.

    brady711

    I'll post as a question.

    jfo9661

    How are the users trying to access resources? Windows shares, etc.?
    Can a remote user ping across the VPN to the internal network?
    Assuming they can ping, are they using corporate computers?
    My experience is as follows: most of the time, the failure to access resources over VPN is the result of trying to use "names".
    If they can ping across the tunnel and want to use mapped drives, etc., which are mapped by name, then you must change your DNS settings in "vpdn group PPTP-VPDN-GROUP client configuration dns 216.136.95.2 64.132.94.250".
    I see your ACL and nat 0 in place.
    Please post back if you still need assistance.
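The two things this thread keeps circling (whether the nat 0 exemption actually covers the whole VPN pool, and whether the DNS servers handed to PPTP clients can resolve LAN names) are easy to check mechanically. The script below is an added example, my own code and not from the thread or from Cisco: it parses the relevant lines of a PIX 6.3 "sh run" and reports the usual reasons PPTP clients can connect but not reach LAN hosts. The sample lines are copied from the post above; the "broken" variant, which narrows the exemption mask to /28 so the pool is only partly covered, is constructed to show the partial-coverage case. The finding codes are names I made up for this example.

```python
"""Check a PIX 6.3 'sh run' for the usual PPTP-to-LAN reachability mistakes.

Added example, not code from the thread. It looks at: the nat 0 exemption ACL
(does it cover the LAN as source and every pool address as destination?),
'sysopt connection permit-pptp' (otherwise decapsulated PPTP traffic is subject
to the outside interface ACL), and the DNS servers pushed to PPTP clients (if
they are not on the LAN, internal names will not resolve, as the reply above notes).
"""
import ipaddress
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (code, human-readable explanation); codes are this example's own

# Constructed sample: only the lines from the posted config that matter here.
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.9.200.0 255.255.255.0 192.9.210.0 255.255.255.224
ip address inside 192.9.200.28 255.255.255.0
ip local pool Remote 192.9.210.1-192.9.210.25 mask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-pptp
vpdn group PPTP-VPDN-GROUP client configuration address local Remote
vpdn group PPTP-VPDN-GROUP client configuration dns 216.136.95.2 64.132.94.250
"""

# Constructed variant: a /28 exemption covers 192.9.210.0-.15, but the pool runs to .25.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("192.9.210.0 255.255.255.224", "192.9.210.0 255.255.255.240")


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from PIX 'address mask' notation, tolerating host bits."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_config(text: str) -> List[Finding]:
    lines = [line.strip() for line in text.splitlines()]
    findings: List[Finding] = []

    lan = pool_start = pool_end = None
    for line in lines:
        m = re.match(r"ip address inside (\S+) (\S+)$", line)
        if m:
            lan = _net(m.group(1), m.group(2))
        m = re.match(r"ip local pool \S+ (\S+)-(\S+)", line)
        if m:
            pool_start = ipaddress.ip_address(m.group(1))
            pool_end = ipaddress.ip_address(m.group(2))
    if lan is None or pool_start is None:
        findings.append(("INCOMPLETE", "need 'ip address inside' and 'ip local pool' lines to evaluate"))
        return findings

    # NAT exemption: 'nat (inside) 0 access-list NAME' and that ACL's permit entries.
    nat0_acl = None
    for line in lines:
        m = re.match(r"nat \(inside\) 0 access-list (\S+)", line)
        if m:
            nat0_acl = m.group(1)
    if nat0_acl is None:
        findings.append(("NAT0_MISSING",
                         "no 'nat (inside) 0 access-list': LAN-to-pool traffic falls into the nat 1 / global rule"))
    else:
        exempt = False
        for line in lines:
            m = re.match(rf"access-list {re.escape(nat0_acl)} permit ip (\S+) (\S+) (\S+) (\S+)$", line)
            if not m:
                continue
            src = _net(m.group(1), m.group(2))
            dst = _net(m.group(3), m.group(4))
            # One entry must cover the whole LAN as source and both ends of the pool as destination.
            if lan.subnet_of(src) and pool_start in dst and pool_end in dst:
                exempt = True
        if not exempt:
            findings.append(("NAT0_POOL_NOT_EXEMPT",
                             f"ACL {nat0_acl} does not exempt {lan} -> {pool_start}-{pool_end} from translation"))

    if "sysopt connection permit-pptp" not in lines:
        findings.append(("NO_PERMIT_PPTP",
                         "'sysopt connection permit-pptp' absent: decapsulated PPTP traffic is checked by the outside ACL"))

    for line in lines:
        m = re.match(r"vpdn group \S+ client configuration dns (.+)$", line)
        if m:
            off_lan = [s for s in m.group(1).split() if ipaddress.ip_address(s) not in lan]
            if off_lan:
                findings.append(("CLIENT_DNS_OFF_LAN",
                                 f"PPTP clients get DNS {', '.join(off_lan)}, not a LAN resolver; internal names will not resolve"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted config", SAMPLE_CONFIG), ("narrowed /28 exemption", BROKEN_CONFIG)):
        print(f"== {name}")
        for code, msg in check_config(cfg):
            print(f"  {code}: {msg}")
```

Run against the posted lines it reports only the DNS problem, which matches what the reply above suggests; the narrowed variant additionally flags the pool as not fully exempted. The checker deliberately tests both ends of the pool against the ACL destination, because an exemption mask that is one bit too narrow covers the first few clients and silently drops the rest.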

    roppong

    Hi Brady

    Did you get a solution to this issue?
