[VPN] PIX 501 VPN problem

Siddhartha Jain losttoy2000 at yahoo.co.uk
Fri Feb 6 00:54:22 EST 2004


For MS Networking to work over an IPsec tunnel you need
to enable NetBIOS over TCP/IP on your remote clients,
set up a WINS server and point your remote VPN clients
to this WINS server.

"Internet is not available" is ambiguous. Do you mean
your inside users cannot access the internet, or that the
remote VPN client cannot access the internet once it
has established a VPN tunnel with the PIX? In the case of
the latter, that is the expected behaviour. Once a remote
client is connected to the VPN box, all traffic
originating from the remote client goes to the PIX
box. For the remote client to talk to the VPN tunnel
and access the internet, both at the same time, you
need to configure split tunneling (this has to be supported
by the VPN client and the PIX).

HTH,

Siddhartha

--- "rob \"i\"" <rob.i at iname.com> wrote:
> I just spent 8 hours without a break trying to get
> the VPN setup working, re-configuring the VPN from
> scratch three times. I found that the PDM is really
> dumb when it comes to VPN settings. The wizard will
> not properly edit the current settings.
> 
> The Cisco documentation is not helpful, and is not
> very logical in order, and offers few good examples.
> I've been reading Cisco docs for days now.
> 
> So, I've got the firewall working just fine. The
> Cisco VPN client will connect, too. However, while I
> can ping LAN equipment, I cannot do anything with
> Microsoft services (such as doing a "net view") or
> browsing the Internet with IE.
> 
> From the LAN itself, everything works great. That
> is, standard LAN clients work just fine.
> 
> I spent a lot of time trying to figure out why the
> VPN wasn't working, and I even tried to add rules
> to allow traffic, though that didn't work because,
> according to the PDM, there are two "VPNpool01"
> pools.
> 
> I finally re-ran the VPN wizard again, which added
> some additional commands. The results were the same.
> The VPN connects, TCP/IP works, but I can't browse
> Microsoft networking and the Internet is not
> available.
> 
> I am looking at the PDM, and it shows three implicit
> rules for the IPsec rules.
> 
> The config is becoming a mess and I don't know what
> to change now to get it all to work.
> 
> If someone could take a look at my config, I would
> *really* appreciate it. If the problem can't be
> resolved, then I'll have to give up on this.
> 
> If anyone could offer some insights, I would be 
> eternally grateful!!
> 
> 
> -- Rob --
> 
> 
> 
> ------------------ show running-config ------------------
> 
> : Saved
> :
> PIX Version 6.3(1)
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password xxxxx/xxxxxxxxxx encrypted
> passwd xxxxx/xxxxxxxxxx encrypted
> hostname tollbooth
> domain-name mydomain.com
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> no fixup protocol sqlnet 1521
> names
> access-list from-outside-coming-in permit ip 192.168.100.0 255.255.255.0 any
> access-list from-outside-coming-in permit icmp any any echo-reply
> access-list from-outside-coming-in permit icmp any any unreachable
> access-list from-outside-coming-in permit icmp any any time-exceeded
> access-list from-outside-coming-in deny tcp any any eq 135
> access-list from-outside-coming-in deny udp any any eq netbios-ns
> access-list from-outside-coming-in deny udp any any eq netbios-dgm
> access-list from-outside-coming-in deny tcp any any eq netbios-ssn
> access-list from-outside-coming-in deny tcp any any eq 445
> access-list from-outside-coming-in permit tcp any interface outside eq smtp
> access-list from-outside-coming-in permit tcp any interface outside eq www
> access-list from-inside-going-out permit ip 192.168.100.0 255.255.255.0 any
> access-list from-inside-going-out deny tcp any any eq 135
> access-list from-inside-going-out deny udp any any eq netbios-ns
> access-list from-inside-going-out deny udp any any eq netbios-dgm
> access-list from-inside-going-out deny tcp any any eq netbios-ssn
> access-list from-inside-going-out deny tcp any any eq 445
> access-list from-inside-going-out permit ip any any
> access-list outside_cryptomap_dyn_20 permit ip any 192.168.100.0 255.255.255.0
> access-list inside_cryptomap_dyn_20 permit ip any 192.168.100.0 255.255.255.0
> access-list inside_outbound_nat0_acl permit ip any 192.168.100.0 255.255.255.0
> access-list outside_cryptomap_dyn_40 permit ip any 192.168.100.0 255.255.255.0
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> ip address outside xxx.yyy.182.137 255.255.255.0
> ip address inside 192.168.1.251 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool VPNpool01 192.168.100.1-192.168.100.254
> pdm location 192.168.1.0 255.255.255.255 inside
> pdm location 192.168.100.0 255.255.255.0 outside
> pdm location 192.168.1.0 255.255.255.0 inside
> pdm location 192.168.1.2 255.255.255.255 inside
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
> static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0
> access-group from-outside-coming-in in interface outside
> access-group from-inside-going-out in interface inside
> route outside 0.0.0.0 0.0.0.0 xxx.yyy.182.114 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> http server enable
> http 192.168.1.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
> crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
> crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
> crypto map inside_map interface inside
> isakmp enable outside
> isakmp nat-traversal 20
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> vpngroup PIXvpn01 address-pool VPNpool01
> vpngroup PIXvpn01 dns-server xxx.yyy.161.5 xxx.yyy.162.5
> vpngroup PIXvpn01 wins-server 192.168.1.2 192.168.1.2
> vpngroup PIXvpn01 default-domain mydomain.com
> vpngroup PIXvpn01 idle-time 1800
> vpngroup PIXvpn01 password ********
> telnet 192.168.1.0 255.255.255.0 inside
> telnet timeout 5
> ssh 192.168.1.0 255.255.255.0 inside
> ssh timeout 5
> management-access inside
> 
=== message truncated === 
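Editor's worked example for the split-tunneling advice in the reply above. This is an added configuration fragment, not a line from Rob's posted running-config or from Cisco's documentation. It assumes the inside LAN 192.168.1.0/24, the client pool 192.168.100.0/24 and the group name PIXvpn01 exactly as they appear in the posted config; the ACL name split_tunnel_acl is an invented name for this example.

```text
! Added example, not from the original post. Assumes inside LAN 192.168.1.0/24,
! client pool 192.168.100.0/24 and vpngroup PIXvpn01 from the posted config.
! The ACL name split_tunnel_acl is an invented name for this example.

! 1. Split-tunnel list. Source = the network the clients should reach through
!    the tunnel, destination = the client pool. Anything not matched here leaves
!    through the client's own Internet connection instead of the tunnel.
access-list split_tunnel_acl permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

! 2. Push the list to the remote-access group. Without this line the Cisco VPN
!    Client tunnels all traffic, and PIX 6.3 will not send decrypted client
!    traffic back out the outside interface it arrived on, so the client has
!    no Internet access while the tunnel is up.
vpngroup PIXvpn01 split-tunnel split_tunnel_acl

! 3. NAT exemption for LAN-to-client traffic. The posted "permit ip any ..."
!    form works; naming the LAN as the source limits the exemption to the
!    traffic that actually needs it.
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl

! 4. Name resolution for Microsoft networking: WINS and a default domain are
!    pushed to the client (already present in the posted config; repeated so
!    the group definition reads as one unit). NetBIOS over TCP/IP must still
!    be enabled on the client's VPN adapter for "net view" by name to work.
vpngroup PIXvpn01 wins-server 192.168.1.2
vpngroup PIXvpn01 default-domain mydomain.com

! 5. Checks on the PIX after a client connects:
!    show isakmp sa                     ! one entry per connected client
!    show crypto ipsec sa               ! encaps/decaps counters rising for 192.168.100.x
!    show access-list split_tunnel_acl  ! hitcnt should increment as LAN traffic flows
```

Two points a practitioner should keep in mind with this. First, `sysopt connection permit-ipsec` in the posted config means decrypted client traffic bypasses the `from-outside-coming-in` ACL entirely, so the tcp/135, NetBIOS and tcp/445 denies on the outside interface do not apply to VPN users; if the pool needs restricting, do it with the crypto ACL or with a narrower split-tunnel list rather than relying on that ACL. Second, split tunneling by design puts the remote host on the Internet and the LAN at the same time, so keep the split-tunnel list to the subnets the clients genuinely need. To separate name resolution from SMB reachability when testing from the client, try `net view` against the server's IP address first and then against its name; the first failing points at the tunnel or NAT exemption, the second at WINS or NetBIOS over TCP/IP on the client.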