Cisco PIX 501 Remote VPN Problem

brady711
I've been searching for days for the solution to this problem. A lot of people seem to have the problem, but no one has posted a solution, i.e., exact commands to solve the problem.

I have a Cisco PIX 501 and am trying to create a VPN that would allow employees to remote in from home. Employees can remote in using Windows but cannot access any LAN resources. The problem seems to be that I am not writing the NAT correctly from the remote IP pool to the LAN IP pool. Each pool has a different internal scheme and different subnets.

Here's the "sh run":

Result of firewall command: "sh run"

: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
hostname GMP-Hawaii
domain-name ciscopix.com
clock timezone HST -10
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list inside_outbound_nat0_acl permit ip 192.9.200.0 255.255.255.0 192.9.210.0 255.255.255.224
access-list outside_access_in deny ip any any
access-list inside permit udp any any eq domain
access-list inside permit tcp any any eq www
access-list inside permit tcp any any eq https
access-list inside permit tcp any any eq smtp
access-list inside permit tcp any any eq pop3
access-list inside permit tcp any any eq domain
access-list inside permit tcp any any eq 465
access-list inside permit tcp any any eq 995
access-list inside permit tcp any any eq ftp
access-list inside permit tcp any any eq 3389
access-list inside permit tcp any any eq aol
access-list inside deny ip any any
pager lines 24
logging on
logging timestamp
icmp permit host 205.172.3.14 outside
icmp permit 192.9.200.0 255.255.255.0 outside
icmp permit 192.9.200.0 255.255.255.0 inside
icmp permit host 192.9.200.2 inside
mtu outside 1500
mtu inside 1500
ip address outside 64.129.12.246 255.255.255.0
ip address inside 192.9.200.28 255.255.255.0
ip verify reverse-path interface outside
ip audit name Attach attack action alarm drop reset
ip audit interface outside Attach
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote 192.9.210.1-192.9.210.25 mask 255.255.255.0
pdm location 205.172.3.14 255.255.255.255 outside
pdm location 192.9.210.0 255.255.255.224 outside
pdm location 192.9.200.222 255.255.255.255 outside
pdm location 64.129.12.246 255.255.255.255 outside
pdm location 192.9.200.222 255.255.255.255 inside
pdm location 64.129.0.0 255.255.255.0 inside
pdm location 64.129.0.0 255.255.0.0 inside
pdm location 64.129.0.0 255.255.255.255 inside
pdm location 192.9.200.0 255.255.255.0 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.9.200.222 3389 netmask 255.255.255.255 0 0
static (inside,outside) 64.129.0.0 64.129.0.0 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 64.129.12.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.9.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local Remote
vpdn group PPTP-VPDN-GROUP client configuration dns 216.136.95.2 64.132.94.250
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxxxxxx password *********
vpdn username xxx password *********
vpdn enable outside
vpdn enable inside
username xxxxxxxx password xxxxxxxxxx encrypted privilege 2
vpnclient server 64.129.12.246
vpnclient mode client-mode
vpnclient vpngroup xxxxxx password ********
vpnclient username xxxxxx password ********
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

The line in question is "access-list inside_outbound_nat0_acl permit ip 192.9.200.0 255.255.255.0 192.9.210.0 255.255.255.224", where 192.9.210.0 255.255.255.224 is the VPN pool and 192.9.200.0 255.255.255.0 is the LAN pool.

Any help on this would save me. I've called a Cisco expert in on this but to no avail.
Thanks.
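The question turns on whether the nat 0 exemption ACL actually covers every address the PPTP pool can hand out toward the inside subnet. The following audit script is an added example and is not part of the original post or of Cisco's tooling; it parses the relevant lines from the posted "sh run" (embedded below as a constructed sample), breaks the pool range into the CIDR blocks it spans, and reports whether an exemption entry covers inside -> pool, whether the pool collides with the inside subnet, and whether the pool's declared mask is wider than the exemption destination. The pool name "Remote" and the line patterns are taken from the configuration above; the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the NAT- and pool-related lines from the "sh run" posted above.
SAMPLE_CONFIG = """\
ip address inside 192.9.200.28 255.255.255.0
ip local pool Remote 192.9.210.1-192.9.210.25 mask 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.9.200.0 255.255.255.0 192.9.210.0 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")


def net(addr, mask):
    """Build a network from PIX 'address netmask' notation (dotted masks accepted)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Pull out the inside subnet, local pools, ACL entries and the nat 0 binding."""
    cfg = {"inside": None, "pools": {}, "acls": {}, "nat0_acl": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := INSIDE_RE.match(line):
            cfg["inside"] = net(*m.groups())
        elif m := POOL_RE.match(line):
            name, first, last, mask = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(first), ipaddress.ip_address(last), mask)
        elif m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            cfg["acls"].setdefault(name, []).append((net(s, sm), net(d, dm)))
        elif m := NAT0_RE.match(line):
            cfg["nat0_acl"] = m.group(1)
    return cfg


def audit_nat_exemption(text, pool_name="Remote"):
    """Check that every address the VPN pool can hand out is exempted from NAT
    toward the inside subnet, and report the mismatches a reviewer would look at."""
    cfg = parse_config(text)
    result = {"exempted": False, "pool_overlaps_inside": False,
              "pool_mask_wider_than_acl": False, "problems": []}
    inside = cfg["inside"]
    if inside is None or pool_name not in cfg["pools"]:
        result["problems"].append("missing inside address or pool definition")
        return result
    first, last, pool_mask = cfg["pools"][pool_name]
    # The pool is a range, so break it into the CIDR blocks it actually spans.
    pool_blocks = list(ipaddress.summarize_address_range(first, last))
    if any(b.overlaps(inside) for b in pool_blocks):
        result["pool_overlaps_inside"] = True
        result["problems"].append("VPN pool overlaps the inside subnet; return routing to clients is ambiguous")
    if cfg["nat0_acl"] is None:
        result["problems"].append("no 'nat (inside) 0 access-list' line; VPN traffic falls through to nat 1 and is translated")
        return result
    entries = cfg["acls"].get(cfg["nat0_acl"], [])
    # nat 0 (exemption) is consulted before nat 1 and applies in both directions,
    # so one entry covering inside -> every pool block is sufficient.
    for src, dst in entries:
        if inside.subnet_of(src) and all(b.subnet_of(dst) for b in pool_blocks):
            result["exempted"] = True
            # Informational: the pool's own mask describes a larger block than the ACL exempts.
            if not net(str(first), pool_mask).subnet_of(dst):
                result["pool_mask_wider_than_acl"] = True
            break
    if not result["exempted"]:
        result["problems"].append(
            f"ACL {cfg['nat0_acl']} does not exempt {inside} -> {first}-{last}; "
            "those packets will be translated by nat 1")
    return result


if __name__ == "__main__":
    for key, value in audit_nat_exemption(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the posted lines, the exemption check passes (the /27 destination covers .1 through .25) and the only finding is that the pool's mask 255.255.255.0 describes a wider block than the ACL's 255.255.255.224, which is worth noting but is not itself a mismatch for the addresses handed out. Narrowing the ACL destination to 255.255.255.240 in the sample makes the check fail, because .16 through .25 would then fall through to nat 1.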
    george.rabidin

    I have the same problem. I've been able to make the VPN connection, but hereafter I cannot ping or connect to my inside LAN.

    I think, but I've not been able to correct the problem, that it's caused by the following 2 lines in your configuration:

    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    Try to change
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    into
    nat (inside) 1 192.9.200.0 255.255.255.0 0 0

    I think the PIX is trying to NAT your VPN pool into the outside address before it's NATting the VPN pool into an inside address. And outside to inside is not permitted.

    As stated before, I've not been able to correct my problem, but I will inform you if my problem is solved due to this change.
