Questions

VPN connects but no access to the LAN.

Tags:
+
0 Votes
Locked

VPN connects but no access to the LAN.

dryflies
I have a pix 506e configured with inside as 192.168.1.0/24 I want to configure an ipsec vpn to use 192.168.1.192 and up and have assigned that pool to the vpn. DHCP is not provided by the Pix but by a win2k3 dhcp server. locally everything works fine. when I connect using the cisco VPN client I connect fine, everything says I am connected, but I have no access to internal LAN resources.
the ipsec pool is delivering an ip of 192.168.1.192/26 which to me seems to say that I am no allowed to view resources below 192 in the 192.168.1.* ip space. Any suggestions?
  • +
    0 Votes
    jpeoples

    If you're connecting to the PIX using the Cisco client then you really don't have the option to use an internal server for DHCP. The "Pool" must be a seperate subnet from the internal. Use the [nat] command to control nating from the pool to the internal network and [vpnpool] to control the options assigned to your clients. Hope that steers you in the right direction. If you need more help let me know.

    +
    0 Votes

    ok,

    dryflies

    so i should set my pool to be in the 192.168.2.0/26 network and then set up nat to map that set of addresses to 192.168.1.192-254? that actually sounds reasonable. I'll give it a try

    on another network I have a /24 network and the pool is a range within that /24 and it works. the only difference I can see is the hardware. one is a 515e and the other is a 506e. that is why it was so confusing.

    Thanks!

    +
    0 Votes
    jpeoples

    All the PIX's use pretty much the same IOS. Your /24 & /26 were probably both using .0 for broadcast so you may have just gotten lucky.

    You should review your IP addressing tutorials. IP uses the first and last address of a subnet for broadcast traffic. Basically it's how machines advertise their presence to the network. If you are using an address of Z.Y.X.193/26 your broadcast addresses are .192 & .255. The same address (Z.Y.X.193) with a /24 mask uses .0 & .255 as broadcasts. A machine looking for traffic on .0 will not hear or respond to traffic found on .192 and vice versa. You can't overlap addresses between subnets and all machines within a subnet have to use the same net mask.

    The action of attaching to the PIX with the Cisco client is your DHCP. All clients are issued an address when they attach. The PIX will handle the routing of the traffic from the clients to your secure interface dynamically. You just need to authorize it to pass through. The [vpnpool] command I told you about will allow you to give the clients the information you would normally hand out as DHCP options.

    Let me know if you have any more problems.

    +
    0 Votes
    dryflies

    I have a fairly good knowledge of the OSI model. What I have trouble with is the cryptic terminology and language in the IOS.

    here is my config with some changes to protect the guilty.

    Result of firewall command: "show running config"

    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password QrrAFH/qLpPIurMi encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname sapix
    domain-name changed.for.security
    clock timezone GAMT -9
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_cryptomap_dyn_20 permit ip any 192.168.2.192 255.255.255.224
    access-list outside_access_in deny tcp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 192.168.2.192-192.168.2.208
    pdm location 10.10.11.117 255.255.255.255 outside
    pdm location 192.168.1.192 255.255.255.192 outside
    pdm location 192.168.2.192 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (outside,inside) 192.168.1.192 192.168.2.192 netmask 255.255.255.255 0 0
    static (outside,inside) 192.168.1.231 10.10.11.117 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.10.11.117 255.255.255.255 outside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map inside_dyn_map 20 match address inside_cryptomap_dyn_20
    crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
    crypto map inside_map interface inside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup hortcrops address-pool vpnpool
    vpngroup hortcrops dns-server 192.168.1.5
    vpngroup hortcrops wins-server 192.168.1.5
    vpngroup hortcrops default-domain changed.for.security.edu
    vpngroup hortcrops idle-time 1800
    vpngroup hortcrops password ********
    vpngroup mygroup address-pool vpnpool
    vpngroup mygroup dns-server 192.168.1.5
    vpngroup mygroup wins-server 192.168.1.5
    vpngroup mygroup default-domain changed.for.security.edu
    vpngroup mygroup idle-time 1800
    vpngroup mygroup password ********
    telnet timeout 5
    ssh 10.10.11.117 255.255.255.255 outside
    ssh timeout 5
    console timeout 30
    dhcpd dns 192.168.1.4 10.10.10.223
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain changed.for.security.edu
    dhcpd auto_config outside
    username lovedayt password lJe4UrSXzrzmUBZH encrypted privilege 15
    username jlee password FeNEm9MQlHrBRw6H encrypted privilege 15
    username kshellie password YcQuTm/eVd30RGv4 encrypted privilege 15
    terminal width 80
    Cryptochecksum:c1ede2f296b8ed38de38f1be620e8271
    : end

    thanks!

    +
    0 Votes
    sgt_shultz

    could this be that one where you need to check the box that says 'use gateway on remote lan?'

  • +
    0 Votes
    jpeoples

    If you're connecting to the PIX using the Cisco client then you really don't have the option to use an internal server for DHCP. The "Pool" must be a seperate subnet from the internal. Use the [nat] command to control nating from the pool to the internal network and [vpnpool] to control the options assigned to your clients. Hope that steers you in the right direction. If you need more help let me know.

    +
    0 Votes

    ok,

    dryflies

    so i should set my pool to be in the 192.168.2.0/26 network and then set up nat to map that set of addresses to 192.168.1.192-254? that actually sounds reasonable. I'll give it a try

    on another network I have a /24 network and the pool is a range within that /24 and it works. the only difference I can see is the hardware. one is a 515e and the other is a 506e. that is why it was so confusing.

    Thanks!

    +
    0 Votes
    jpeoples

    All the PIX's use pretty much the same IOS. Your /24 & /26 were probably both using .0 for broadcast so you may have just gotten lucky.

    You should review your IP addressing tutorials. IP uses the first and last address of a subnet for broadcast traffic. Basically it's how machines advertise their presence to the network. If you are using an address of Z.Y.X.193/26 your broadcast addresses are .192 & .255. The same address (Z.Y.X.193) with a /24 mask uses .0 & .255 as broadcasts. A machine looking for traffic on .0 will not hear or respond to traffic found on .192 and vice versa. You can't overlap addresses between subnets and all machines within a subnet have to use the same net mask.

    The action of attaching to the PIX with the Cisco client is your DHCP. All clients are issued an address when they attach. The PIX will handle the routing of the traffic from the clients to your secure interface dynamically. You just need to authorize it to pass through. The [vpnpool] command I told you about will allow you to give the clients the information you would normally hand out as DHCP options.

    Let me know if you have any more problems.

    +
    0 Votes
    dryflies

    I have a fairly good knowledge of the OSI model. What I have trouble with is the cryptic terminology and language in the IOS.

    here is my config with some changes to protect the guilty.

    Result of firewall command: "show running config"

    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password QrrAFH/qLpPIurMi encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname sapix
    domain-name changed.for.security
    clock timezone GAMT -9
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_cryptomap_dyn_20 permit ip any 192.168.2.192 255.255.255.224
    access-list outside_access_in deny tcp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 192.168.2.192-192.168.2.208
    pdm location 10.10.11.117 255.255.255.255 outside
    pdm location 192.168.1.192 255.255.255.192 outside
    pdm location 192.168.2.192 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (outside,inside) 192.168.1.192 192.168.2.192 netmask 255.255.255.255 0 0
    static (outside,inside) 192.168.1.231 10.10.11.117 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.10.11.117 255.255.255.255 outside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map inside_dyn_map 20 match address inside_cryptomap_dyn_20
    crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
    crypto map inside_map interface inside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup hortcrops address-pool vpnpool
    vpngroup hortcrops dns-server 192.168.1.5
    vpngroup hortcrops wins-server 192.168.1.5
    vpngroup hortcrops default-domain changed.for.security.edu
    vpngroup hortcrops idle-time 1800
    vpngroup hortcrops password ********
    vpngroup mygroup address-pool vpnpool
    vpngroup mygroup dns-server 192.168.1.5
    vpngroup mygroup wins-server 192.168.1.5
    vpngroup mygroup default-domain changed.for.security.edu
    vpngroup mygroup idle-time 1800
    vpngroup mygroup password ********
    telnet timeout 5
    ssh 10.10.11.117 255.255.255.255 outside
    ssh timeout 5
    console timeout 30
    dhcpd dns 192.168.1.4 10.10.10.223
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain changed.for.security.edu
    dhcpd auto_config outside
    username lovedayt password lJe4UrSXzrzmUBZH encrypted privilege 15
    username jlee password FeNEm9MQlHrBRw6H encrypted privilege 15
    username kshellie password YcQuTm/eVd30RGv4 encrypted privilege 15
    terminal width 80
    Cryptochecksum:c1ede2f296b8ed38de38f1be620e8271
    : end

    thanks!

    +
    0 Votes
    sgt_shultz

    could this be that one where you need to check the box that says 'use gateway on remote lan?'