Cisco Pix 506e VPN problem

Cabling-Design.com FREE cabling and networking Helpdesk
Question by Kim posted 19 Sep 2007
I get a problem when I use Cisco VPN Client ver. 5.0.00.0340 to connect by VPN to a 506e.
After the client shows it is connected, I cannot view or ping the internal network... please kindly give me a hand, MANY thanks!!!
Config here:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix506e
no fixup protocol dns
no fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 192.168.1.5 http
access-list inside_access_in permit ip any any
access-list inside_access_in permit gre any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit tcp any host 10.0.3.248 eq www
access-list inside_access_in permit tcp any host 10.0.3.249 eq telnet
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
access-list incisiveit_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging on
logging history informational
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.0.3.249 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnrange 192.168.2.2-192.168.2.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list incisiveit_splitTunnelAcl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.3.248 http netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.3.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set esp-3des-md5
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 192.168.2.0
crypto map newmap 10 set transform-set esp-3des-md5
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup (other idle-time 1800
vpngroup (vpn3000) idle-time 1800
vpngroup vpn3000 address-pool vpnrange
vpngroup vpn3000 dns-server 10.0.3.2
vpngroup vpn3000 default-domain incisivemedia.com
vpngroup vpn3000 split-tunnel incisiveit_splitTunnelAcl
vpngroup vpn3000 idle-time 7200
vpngroup vpn3000 password ********
telnet 10.0.3.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:60e3637f01e22ab055c76ba201ad2104
: end
[OK]
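As an added example (not part of Kim's post or Dmitri's reply), here is a small Python checker that reads a PIX 6.3 configuration and flags the remote-access VPN conditions an engineer would verify first when a client reports "connected, but cannot reach the inside network": whether sysopt connection permit-ipsec is set, whether the address pool named by the vpngroup exists, whether the nat (inside) 0 identity ACL covers that pool, and whether any static crypto map entry's match ACL also covers the pool (a static entry matching the same traffic competes with the dynamic map entry that serves the clients). The embedded sample is a constructed excerpt of the configuration above, limited to the lines the checks read; the check names, messages and helper functions are this example's own, and the findings are things to verify, not a diagnosis.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 configuration posted in the question;
# only the lines the checks below look at are kept.
SAMPLE_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnrange 192.168.2.2-192.168.2.50
access-list incisiveit_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list incisiveit_splitTunnelAcl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 192.168.2.0
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
vpngroup vpn3000 address-pool vpnrange
vpngroup vpn3000 split-tunnel incisiveit_splitTunnelAcl
"""


def _parse_addr(tokens, i):
    """Consume one PIX address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_pools(lines):
    """Map 'ip local pool' names to (first, last) addresses."""
    pools = {}
    for line in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def parse_acls(lines):
    """Map ACL names to entries of (action, protocol, src_net, dst_net); ports are ignored."""
    acls = {}
    for line in lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        try:
            src, i = _parse_addr(tokens, 4)
            dst, _ = _parse_addr(tokens, i)
        except (ValueError, IndexError):
            continue  # remark lines or forms this toy parser does not handle
        acls.setdefault(tokens[1], []).append((tokens[2], tokens[3], src, dst))
    return acls


def _acl_covers(entries, lo, hi):
    """True if some permit entry's destination contains the whole lo-hi range."""
    return any(action == "permit" and lo in dst and hi in dst
               for action, _proto, _src, dst in entries)


def check_remote_access_vpn(config_text):
    """Return a list of findings (strings) worth verifying for the client VPN setup."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    pools = parse_pools(lines)
    acls = parse_acls(lines)
    findings = []

    if "sysopt connection permit-ipsec" not in lines:
        findings.append("sysopt connection permit-ipsec is not set; decrypted client "
                        "traffic is subject to the outside interface ACL")

    pool_refs = []
    for ln in lines:
        m = re.match(r"vpngroup \S+ address-pool (\S+)$", ln)
        if m:
            pool_refs.append(m.group(1))
    if not pool_refs:
        findings.append("no vpngroup references an address-pool")
        return findings

    nat0 = None
    for ln in lines:
        m = re.match(r"nat \(inside\) 0 access-list (\S+)$", ln)
        if m:
            nat0 = m.group(1)

    for pool in pool_refs:
        if pool not in pools:
            findings.append(f"vpngroup address-pool {pool} has no matching ip local pool")
            continue
        lo, hi = pools[pool]
        if nat0 is None:
            findings.append("no nat (inside) 0 access-list; inside-to-client traffic "
                            f"for pool {pool} falls under the nat 1 rule")
        elif not _acl_covers(acls.get(nat0, []), lo, hi):
            findings.append(f"nat (inside) 0 access-list {nat0} does not cover "
                            f"pool {pool} ({lo}-{hi})")
        for ln in lines:
            m = re.match(r"crypto map (\S+) (\d+) match address (\S+)$", ln)
            if m and _acl_covers(acls.get(m.group(3), []), lo, hi):
                findings.append(f"static crypto map {m.group(1)} {m.group(2)} matches "
                                f"address {m.group(3)}, which covers pool {pool}; it "
                                "competes with the dynamic map entry for client traffic")
    return findings


if __name__ == "__main__":
    for finding in check_remote_access_vpn(SAMPLE_CONFIG) or ["no findings"]:
        print("-", finding)
```

Run against the excerpt, the checker reports only the static crypto map entry 10 whose match ACL 110 covers the client pool; the sysopt, pool and nat 0 checks pass. Feed it the full configuration from the post and it produces the same result, since the parser skips lines it does not understand.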
 Answer by Dmitri Abaimov posted 19 Sep 2007
Dear Kim,

I am sorry, I can't provide a definitive answer. My guess would be that your access lists are not set up properly, but after I guessed, I would hand it over to a Cisco specialist to pick the config apart and find the problem. We are only able to cover questions related to passive network infrastructure here, which is the specialty of this helpdesk and this site in general.

That said, though, I would submit this question to the Cisco newsgroup. With the amount of CCNEs hanging out there, you have a better chance of finding the answer.

Considering it's a PIX issue, you might also try the specialized networking firewall group here.

Sincerely,
Dmitri Abaimov, RCDD
