 |  Question by Kim posted 19 Sep 2007 | Cisco Pix 506e VPN problem | I get a problem when I use cisco VPN client ver. 5.0.00.0340 to use VPN connect to 506e after the client problem show it's connected, but can not view ,ping the internal network...please kind give me a hand, MANY thanks !!! config here~ PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix506e
no fixup protocol dns
no fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69 names name 192.168.1.5 http
access-list inside_access_in permit ip any any
access-list inside_access_in permit gre any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit tcp any host 10.0.3.248 eq www
access-list inside_access_in permit tcp any host 10.0.3.249 eq telnet
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
access-list incisiveit_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging on
logging history informational
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.0.3.249 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm ip local pool vpnrange 192.168.2.2-192.168.2.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list incisiveit_splitTunnelAcl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.3.248 http netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.3.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set esp-3des-md5
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 192.168.2.0
crypto map newmap 10 set transform-set esp-3des-md5
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup (other idle-time 1800
vpngroup (vpn3000) idle-time 1800
vpngroup vpn3000 address-pool vpnrange
vpngroup vpn3000 dns-server 10.0.3.2
vpngroup vpn3000 default-domain incisivemedia.com
vpngroup vpn3000 split-tunnel incisiveit_splitTunnelAcl
vpngroup vpn3000 idle-time 7200
vpngroup vpn3000 password ********
telnet 10.0.3.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:60e3637f01e22ab055c76ba201ad2104
: end
[OK]
|  |  Answer by Dmitri Abaimov posted 19 Sep 2007 | Dear Kim,
I am sorry, I can't provide a definitive answer. My guess would be that your access lists are not setup properly but after I guessed, I would hand it over to a Cisco specialist to pick the config apart and find the problem. We are only able to cover questions related to passive network infrastructure here, which is the specialty of this helpdesk and this site's in general.
That said though, I would submit this question into the Cisco newsgroup. With the amount of CCNEs hanging out there you have better chance at finding the answer.
Considering it's a PIX issue, you might also try the specialized networking firewall group here
Sincerely,
Dmitri Abaimov, RCDD
|  Click here to see the expert's profile |
|