Re: OT: VPN woes

From: john matijevic (john.matijevic@gmail.com)
Date: Tue May 10 2005 - 08:27:52 GMT-3


Hello Mark,
Please post full configs of client and server side with IP addresses not
#####. Also place debug crypto isakmp and debug crypto ipsec on the client,
and post output from that as well.
Sincerely,
John

On 5/10/05, Mark Rushby <mark@tisolutions.biz> wrote:
>
> Hi all
>
> Sorry for the off topic.
>
> I'm having problems with a Pix 506 and a client to site vpn. There is a
> working site to site vpn which is fine. The vpn client connects ok but
> is unable to ping or connect to any internal device. Any advice would
> be much appreciated. Please find config below.
>
> TIA
>
> Mark
>
> PIX Version 6.3(1)
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password ghnuIzhxZqWTi3u8 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname W5-pix
> domain-name w5online.co.uk
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
>
> access-list remote_access_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
> access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 TIS-net 255.255.0.0
> access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
> access-list outside_cryptomap_dyn_20 permit ip any 172.16.1.0 255.255.255.0
> access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 TIS-net 255.255.0.0
> pager lines 24
> logging standby
> mtu outside 1500
> mtu inside 1500
> ip address outside ############### 255.255.255.240
> ip address inside 192.168.1.254 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool remote_access 172.16.1.0-172.16.1.254
>
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) ############# Mailsweeper netmask 255.255.255.255 0 0
> static (inside,outside) ############# Exchange netmask 255.255.255.255 0 0
> static (inside,outside) ############# IBM_Exhibit_Int netmask 255.255.255.255 0 0
> conduit permit tcp host ############# eq smtp any
> conduit permit icmp any any
> conduit permit tcp host ############# eq www any
> conduit permit tcp host ############# object-group IBM_EXHIBIT_Ports object-group IBM_Exhibit
> outbound 1 permit 192.168.1.0 255.255.255.0 80 tcp
> outbound 1 permit 192.168.1.0 255.255.255.0 443 tcp
> outbound 1 permit 192.168.1.0 255.255.255.0 21 tcp
> outbound 1 permit 192.168.1.0 255.255.255.0 20 tcp
> outbound 1 permit 192.168.1.0 255.255.255.0 53 tcp
> outbound 1 permit Mailsweeper 255.255.255.255 25 tcp
> outbound 1 deny 0.0.0.0 0.0.0.0 0 tcp
> outbound 1 permit IBM_Exhibit_Int 255.255.255.255 10000 tcp
> outbound 1 permit IBM_Exhibit_Int 255.255.255.255 10149 tcp
> apply (inside) 1 outgoing_src
> route outside 0.0.0.0 0.0.0.0 ############# 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> aaa authentication enable console LOCAL
> aaa authentication ssh console LOCAL
> aaa authentication telnet console LOCAL
>
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
> crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
> crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
> crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
> crypto dynamic-map outside_dyn_map 20 match address
> outside_cryptomap_dyn_20
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
> crypto map outside_map 20 ipsec-isakmp
> crypto map outside_map 20 match address outside_cryptomap_20
> crypto map outside_map 20 set peer 62.253.227.65
> crypto map outside_map 20 set transform-set ESP-3DES-MD5
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map client authentication LOCAL
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp enable inside
> isakmp key ******** address ############# netmask 255.255.255.255 no-xauth no-config-mode
> isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
> isakmp identity address
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> vpngroup remote_access address-pool remote_access
> vpngroup remote_access dns-server 192.168.1.72
> vpngroup remote_access default-domain w5online.co.uk
> vpngroup remote_access split-tunnel remote_access_splitTunnelAcl
> vpngroup remote_access idle-time 1800
> vpngroup remote_access password ********
>
> terminal width 80
> banner motd THIS DEVICE IS PART OF A
> banner motd ------------------------
> banner motd PRIVATE NETWORK
> banner motd ---------------
> banner motd ************************************************
> banner motd * Unauthorised access or use of this equipment *
> banner motd * is prohibited and constitutes an offence *
> banner motd * under the Computer Misuse Act 1990. *
> banner motd * If you are not authorised to use this *
> banner motd * system, terminate this session now. *
> banner motd ************************************************
> Cryptochecksum:c06f17b20812050730e517a90fb1c839
> : end
> W5-pix#
>
> ___________________________________________________________
> This email is confidential, may be legally privileged and is for the
> intended recipient only. Access, disclosure, copying, distribution or
> reliance on any information it contains is prohibited and may be a
> criminal
> offence. Please delete if received in error and email confirmation to
> sender.
> This email has been swept by MIMEsweeper for the presence of computer
> viruses.
> ____________________________________________________________
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

--
John Matijevic, CCIE #13254
U.S. Installation Group
Senior Network Engineer
954-969-7160 ext. 1147 (office)
305-321-6232 (cell)
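Neither poster's code: the script below is an added example that runs a mechanical consistency check over the parts of the quoted PIX 6.3 config that client-to-site reachability depends on, the kind of pass worth doing before reading debug output. It reads the address pool, the `nat (inside) 0` exemption ACL, `sysopt connection permit-ipsec` and the vpngroup's split-tunnel ACL, and reports any pool block that would still be translated or any missing bypass. The embedded config is a constructed excerpt of the lines Mark posted (masked addresses left out); PIX `name` aliases such as `TIS-net` are left unresolved because the `name` table is not on the page; all function names are the example's own, and `IPv4Network.subnet_of` needs Python 3.7 or later. On the posted lines all three checks pass.

```python
"""Consistency checks for a PIX 6.x client-to-site VPN config (added example)."""
import ipaddress
import re

# Constructed excerpt: the lines of the config quoted in the thread that the
# checks below read, with the poster's masked (#####) addresses left out.
PIX_CONFIG = """\
ip local pool remote_access 172.16.1.0-172.16.1.254
access-list remote_access_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 TIS-net 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
vpngroup remote_access address-pool remote_access
vpngroup remote_access split-tunnel remote_access_splitTunnelAcl
"""

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")


def _endpoint(tokens, i):
    """Parse one ACL endpoint at tokens[i]; returns (value, tokens consumed).
    value is 'any', an IPv4Network, or an unresolved PIX 'name' alias (e.g. TIS-net)."""
    if tokens[i] == "any":
        return "any", 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), 2
    try:
        return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), 2
    except ValueError:
        return tokens[i], 2  # named object: its mask token is still consumed


def parse_acls(cfg):
    """Map ACL name -> list of (action, protocol, src, dst)."""
    acls = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, action, proto, rest = m.groups()
            tokens = rest.split()
            src, used = _endpoint(tokens, 0)
            dst, _ = _endpoint(tokens, used)
            acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def parse_pools(cfg):
    """Map pool name -> list of CIDR blocks covering its first-last range."""
    pools = {}
    for line in cfg.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            name, first, last = m.groups()
            pools[name] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return pools


def parse_vpngroups(cfg):
    """Map vpngroup name -> {attribute: value}."""
    groups = {}
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "vpngroup":
            groups.setdefault(parts[1], {})[parts[2]] = " ".join(parts[3:])
    return groups


def nat0_acl_name(cfg, interface="inside"):
    """Name of the NAT-exemption ACL bound with 'nat (<interface>) 0', or None."""
    m = re.search(rf"^nat \({interface}\) 0 access-list (\S+)$", cfg, re.MULTILINE)
    return m.group(1) if m else None


def _covers(entry, net):
    if entry == "any":
        return True
    return isinstance(entry, ipaddress.IPv4Network) and net.subnet_of(entry)


def check_client_reachability(cfg, group):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    acls, pools, groups = parse_acls(cfg), parse_pools(cfg), parse_vpngroups(cfg)
    attrs = groups.get(group, {})
    pool_nets = pools.get(attrs.get("address-pool"), [])
    if not pool_nets:
        findings.append(f"vpngroup {group}: no resolvable address-pool")
    # 1. Decrypted client traffic must bypass conduits / interface ACLs.
    if "sysopt connection permit-ipsec" not in (l.strip() for l in cfg.splitlines()):
        findings.append("sysopt connection permit-ipsec is missing")
    # 2. Inside -> pool traffic must be exempted from NAT by the nat 0 ACL.
    nat0 = acls.get(nat0_acl_name(cfg), [])
    uncovered = [str(n) for n in pool_nets
                 if not any(a == "permit" and _covers(dst, n) for a, _, _, dst in nat0)]
    if uncovered:
        findings.append(f"pool blocks not exempted from NAT: {', '.join(uncovered)}")
    # 3. If split tunnelling is on, its ACL must permit at least one inside network.
    split = attrs.get("split-tunnel")
    if split and not any(a == "permit" for a, _, _, _ in acls.get(split, [])):
        findings.append(f"split-tunnel ACL {split} permits nothing")
    return findings


if __name__ == "__main__":
    print(check_client_reachability(PIX_CONFIG, "remote_access") or "all checks pass")
```

Run it against a fuller config dump (the checker ignores lines it does not recognise) to see the NAT finding appear the moment the `172.16.1.0 255.255.255.0` entry is removed from `inside_outbound_nat0_acl`; a pool written as a range is summarised into CIDR blocks first so a partial exemption is reported block by block rather than missed.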


This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:57 GMT-3