From: paulscullion on
I have a PIX 506e running in our office to allow remote users to
connect using the Cisco software VPN client. Users need to be able to
see machines in the office and in the ideal world have internet access
through this VPN (though that is not vital). What is odd is that if a
user connects in remotely and I am in the office, I can ping their
machine fine, however they cannot ping back the other way. A remote
user directly on the internet can connect in fine and pings can go
either way, however a remote user on a nat'd connection (using
192.168.0.XX) can establish the vpn connection, but can't ping or
connect to anything in the office. (though, again I can still see them
from within the office)

Below are the relevant bits from the config. I can only assume it is
something to do with them being nat'd. Any thoughts?

office runs on 192.168.50.xx, but has one machine running on
192.168.0.110, which it would be nice to get to if possible.

cheers

Paul

access-list NO-NAT permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list FromREMOTE permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list FromREMOTE permit ip 192.168.1.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list FromREMOTE permit ip host 192.168.0.110 192.168.50.0 255.255.255.0

nat (inside) 0 access-list NO-NAT
nat (inside) 1 192.168.50.0 255.255.255.0 0 0
ip local pool VPN 192.168.51.1-192.168.51.20

vpngroup ***** address-pool VPN
vpngroup ***** dns-server 212.135.1.36
vpngroup ***** split-tunnel FromREMOTE
vpngroup ***** idle-time 1800
vpngroup ***** password ********

From: Martin Bilgrav on

"paulscullion" <paulscullion(a)ntlworld.com> wrote in message
news:1146043639.053944.159730(a)t31g2000cwb.googlegroups.com...
> I have a PIX 506e running in our office to allow remote users to
> connect using the Cisco software VPN client. Users need to be able to
> see machines in the office and in the ideal world have internet access
> through this VPN (though that is not vital). What is odd is that if a
> user connects in remotely and I am in the office, I can ping their
> machine fine, however they cannot ping back the other way. A remote
> user directly on the internet can connect in fine and pings can go
> either way, however a remote user on a nat'd connection (using
> 192.168.0.XX) can establish the vpn connection, but can't ping or
> connect to anything in the office. (though, again I can still see them
> from within the office)
>
> Below are the relevant bits from the config. I can only assume it is
> something to do with them being nat'd. Any thoughts?
>
> office runs on 192.168.50.xx, but has one machine running on
> 192.168.0.110, which it would be nice to get to if possible.
>
> cheers
>
> Paul
>
> access-list NO-NAT permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
> access-list FromREMOTE permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
> access-list FromREMOTE permit ip 192.168.1.0 255.255.255.0 192.168.51.0 255.255.255.0
> access-list FromREMOTE permit ip host 192.168.0.110 192.168.50.0 255.255.255.0
>

You use the FromREMOTE ACL for tunnel split.... don't.
Besides, it contains bogus entries, and the statement also should be in the nonat ACL.
Get rid of it for starters and maybe set up a proxy server that the clients
can use for internet access via the Cisco Client VPN.

> nat (inside) 0 access-list NO-NAT
> nat (inside) 1 192.168.50.0 255.255.255.0 0 0
> ip local pool VPN 192.168.51.1-192.168.51.20
>
> vpngroup ***** address-pool VPN
> vpngroup ***** dns-server 212.135.1.36
> vpngroup ***** split-tunnel FromREMOTE
> vpngroup ***** idle-time 1800
> vpngroup ***** password ********

You have not posted half your VPN config, but from what you say, you need to
add the PIXOS 6.3 command:
isakmp nat-t
to your config.

HTH
Martin Bilgrav




From: paulscullion on
Sorry didn't put the rest of the conf in. It is below. nat-t was in
there.

sysopt connection permit-ipsec
crypto ipsec transform-set REMOTE esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set REMOTE
crypto map remote_map 20 ipsec-isakmp dynamic dynmap
crypto map remote_map interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local VPN outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 68400

I took the split-tunnel command and when VPN'd in, the remote user now
gets the IP address of 192.168.51.1 and a gateway of 192.168.51.1.
Surely this means that the remote user's machine does not know a route
out if the address it is trying to get to is outside of its own
subnet? With split-tunneling on, the remote machine doesn't get a
gateway at all.

I can live without having internet access through this - a nicety
rather than a requirement.

Many thanks for your help

Paul

From: Martin Bilgrav on

"paulscullion" <paulscullion(a)ntlworld.com> wrote in message
> I took the split-tunnel command and when VPN'd in, the remote user now
> gets the IP address of 192.168.51.1 and a gateway of 192.168.51.1.
> Surely this means that the remote user's machine does not know a route
> out if the address it is trying to get to is outside of its own
> subnet? With split-tunneling on, the remote machine doesn't get a
> gateway at all.
>
> I can live without having internet access through this - a nicety
> rather than a requirement.

I have this running several places, so the feature does work ...

Try:

Have ONLY these lines in your VPN ACLs:
access-list NO-NAT permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list FromREMOTE permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0


Remove this: isakmp client configuration address-pool local VPN outside
( no isakmp client configuration address-pool local VPN outside )
Add this: vpngroup ***** default-domain "YOURDOMAIN.COM"
Execute this: (config)# clear crypto ipsec sa

Check the VPN client: 'Modify' - [Transport] - check "Allow Local LAN
Access".
Connect the client.
Verify in the VPN client, by hotkey Ctrl+S, under [Route Details] - "Secured
Routes", what's in there (should read 192.168.50.0 255.255.255.0 in the right
panel and empty in the left panel).

What version of the VPN Client do you use?

HTH
Martin
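As an added example (not part of the thread, and not Cisco's tooling), the script below cross-checks a PIX 6.x configuration for the two ACL mistakes Martin points out: split-tunnel entries whose destination does not cover the VPN address pool, and split-tunnel entries that have no matching exemption in the nat 0 ACL, so inside-to-pool traffic would be NATed instead of going down the tunnel. It only understands the "permit ip" form of access-list, the masked vpngroup name is replaced by the placeholder GROUPNAME, and the two embedded configs are Paul's posted ACLs (wrapped lines rejoined) and the trimmed version Martin recommends.

```python
"""Consistency check for PIX 6.x split-tunnel and nat 0 (NO-NAT) ACLs.

Added example, not from the thread. Parses access-list, nat, ip local pool
and vpngroup lines and reports split-tunnel entries that either do not cover
the VPN pool or have no matching nat 0 exemption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _addr(tokens):
    """Consume one PIX address spec ('host A', 'any' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse(config):
    """Return (acls, nonat_acl_name, split_acl_name, pool) from PIX config text.

    pool is a (first, last) address tuple for the pool named by
    'vpngroup ... address-pool', or None if it is not defined.
    """
    acls, pools = {}, {}
    nonat = split = pool_name = None
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = _addr(t[4:])
            dst, _ = _addr(rest)
            acls.setdefault(t[1], []).append(Ace(src, dst))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nonat = t[4]
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[:1] == ["vpngroup"] and len(t) >= 4:
            if t[2] == "split-tunnel":
                split = t[3]
            elif t[2] == "address-pool":
                pool_name = t[3]
    return acls, nonat, split, pools.get(pool_name)


def audit(config):
    """Return a list of findings; an empty list means the ACLs are consistent."""
    acls, nonat, split, pool = parse(config)
    if split is None:
        return []  # no split tunnelling configured: nothing to cross-check
    if pool is None:
        return ["no 'ip local pool' matches the vpngroup address-pool"]
    first, last = pool
    findings = []
    for ace in acls.get(split, []):
        # The split-tunnel destination must contain the whole client pool.
        if not (first in ace.dst and last in ace.dst):
            findings.append(f"{split}: {ace.src} -> {ace.dst} does not cover the VPN pool {first}-{last}")
        # Every secured route must also be exempted from NAT by some nat 0 entry.
        exempt = any(ace.src.subnet_of(n.src) and ace.dst.subnet_of(n.dst)
                     for n in acls.get(nonat, []))
        if not exempt:
            findings.append(f"{split}: {ace.src} -> {ace.dst} has no matching entry in nat 0 ACL {nonat}")
    return findings


# Constructed from the thread: Paul's posted ACLs with wrapped lines rejoined.
# GROUPNAME stands in for the masked vpngroup name.
POSTED = """\
access-list NO-NAT permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list FromREMOTE permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list FromREMOTE permit ip 192.168.1.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list FromREMOTE permit ip host 192.168.0.110 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
nat (inside) 1 192.168.50.0 255.255.255.0 0 0
ip local pool VPN 192.168.51.1-192.168.51.20
vpngroup GROUPNAME address-pool VPN
vpngroup GROUPNAME split-tunnel FromREMOTE
"""

# The trimmed ACLs Martin recommends, with the same pool and vpngroup lines.
TRIMMED = """\
access-list NO-NAT permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list FromREMOTE permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
nat (inside) 1 192.168.50.0 255.255.255.0 0 0
ip local pool VPN 192.168.51.1-192.168.51.20
vpngroup GROUPNAME address-pool VPN
vpngroup GROUPNAME split-tunnel FromREMOTE
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("trimmed", TRIMMED)):
        problems = audit(cfg)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run against the posted config it flags the 192.168.1.0/24 entry (no nat 0 exemption) and the host 192.168.0.110 entry (wrong destination and no exemption); the trimmed config produces no findings. Reaching 192.168.0.110 from clients that themselves sit on 192.168.0.x would need a different approach entirely, since the client's own LAN route wins.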


