Question : Cisco VPN Client cannot access anything in the internal network
Hello all,
I am able to establish a VPN connection with my PIX 501 firewall; however, I cannot access anything on the LAN. Here is a sample of my running config.
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password NuLKvvWGg.x9HEKO encrypted
passwd NuLKvvWGg.x9HEKO encrypted
hostname 3di-HQ-Gateway
domain-name 3ditech.com
clock timezone gmt 4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list solomon5_splitTunnelAcl permit ip 10.0.0.0 255.255.240.0 any
access-list outside_cryptomap_dyn_20 permit ip any 10.0.5.0 255.255.255.0
access-list inbound permit icmp any any echo
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any traceroute
access-list inbound permit tcp any host 63.88.80.94
access-list inbound permit tcp any host 66.36.209.99
access-list inbound deny ip any any
access-list outbound permit ip any any
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.240.0 10.0.5.0 255.255.255.0
access-list WEB_TRAFFIC permit tcp any host 192.168.0.94 eq www
access-list solomon5_splitTunnelAcl_1 permit ip 10.0.10.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.5.1 255.255.255.0
ip address DMZ 172.16.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool 3Ditech 10.0.10.200-10.0.10.250 mask 255.255.255.0
ip local pool VPN-Pool 10.0.5.100-10.0.5.200 mask 255.255.255.0
ip local pool Outside_VPN_Pool 10.0.6.3-10.0.6.254 mask 255.255.255.0
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 10.0.1.0 255.255.255.0 inside
pdm location 10.0.2.0 255.255.255.0 inside
pdm location 10.0.3.0 255.255.255.0 inside
pdm location 10.0.4.0 255.255.255.0 inside
pdm location 10.0.10.0 255.255.255.0 inside
pdm location 10.0.0.0 255.255.240.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.0.10.10 255.255.255.255 inside
pdm location 10.0.10.0 255.255.255.255 inside
pdm location 172.16.0.94 255.255.255.255 DMZ
pdm location 10.0.5.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.0.0.0 255.255.240.0 0 0
nat (DMZ) 1 172.16.0.0 255.255.255.0 0 0
static (DMZ,outside) 192.168.0.94 172.16.0.94 netmask 255.255.255.255 0 0
static (DMZ,inside) 10.0.5.94 172.16.0.94 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route inside 10.0.1.0 255.255.255.0 10.0.5.2 1
route inside 10.0.2.0 255.255.255.0 10.0.5.2 1
route inside 10.0.3.0 255.255.255.0 10.0.5.2 1
route inside 10.0.4.0 255.255.255.0 10.0.5.2 1
route inside 10.0.10.0 255.255.255.0 10.0.5.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server 3Ditech protocol radius
aaa-server 3Ditech max-failed-attempts 3
aaa-server 3Ditech deadtime 10
aaa-server 3Ditech (inside) host 10.0.10.10 cisco123 timeout 10
aaa authentication enable console 3Ditech LOCAL
aaa authentication ssh console 3Ditech LOCAL
aaa authentication telnet console 3Ditech
ntp server 192.5.41.40 source outside
http server enable
http 10.0.10.0 255.255.255.0 inside
http 0.0.0.0 255.255.255.255 inside
http 10.0.0.0 255.0.0.0 inside
http 10.0.10.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication 3Ditech
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup solomon5 address-pool VPN-Pool
vpngroup solomon5 dns-server 10.0.10.10 198.6.1.1
vpngroup solomon5 wins-server 10.0.10.10
vpngroup solomon5 default-domain 3ditech.com
vpngroup solomon5 split-tunnel solomon5_splitTunnelAcl
vpngroup solomon5 idle-time 1800
vpngroup solomon5 password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 71.248.125.40
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 71.248.125.40
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
console timeout 0
username Aundre password XjMpq1IzMpxavwzr encrypted privilege 15
terminal width 80
Cryptochecksum:2c8e99b39cdb600dc3ca3fae4afcb561
: end.
Here is also a screenshot of my computer's TCP/IP settings.
Any help is greatly appreciated.
Answer : Cisco VPN Client cannot access anything in the internal network
And you should also make sure that on 10.0.5.2 a route back to 10.0.6.0 is configured; otherwise your authentication requests cannot reach the client.
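As an added example, not part of the original question or answer: a PIX 6.3 fragment showing what the answer's advice looks like against the posted config. The config defines an `Outside_VPN_Pool` in 10.0.6.0/24 but assigns `VPN-Pool` (10.0.5.100-200) to the `solomon5` group, and those addresses lie inside the inside interface's own 10.0.5.0/24 network; Cisco's usual recommendation for client pools is a dedicated subnet that does not overlap any inside network. The fragment moves the group to the 10.0.6.0/24 pool, updates the NAT-exemption and dynamic-crypto-map ACLs to match, and adds the return route the answer describes on 10.0.5.2, written in IOS syntax on the assumption that 10.0.5.2 is an IOS router (the page does not say what device it is). Lines beginning with `!` are annotations for the reader, not commands to paste.

```text
! Added example, not from the original post. PIX 6.3 syntax; an existing
! access-list entry is changed by removing it and re-adding it.

! 1. Put the solomon5 group on the pool that does not overlap the inside
!    interface network (inside is 10.0.5.1/24; Outside_VPN_Pool is 10.0.6.3-254).
vpngroup solomon5 address-pool Outside_VPN_Pool

! 2. NAT exemption: LAN (10.0.0.0/20) <-> VPN clients (10.0.6.0/24) must not be
!    translated. The existing "nat (inside) 0 access-list inside_outbound_nat0_acl"
!    line picks up the changed ACL.
no access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.240.0 10.0.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.240.0 10.0.6.0 255.255.255.0

! 3. Dynamic crypto map match ACL: point it at the new pool as well.
no access-list outside_cryptomap_dyn_20 permit ip any 10.0.5.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.0.6.0 255.255.255.0

! 4. Translations built under the old rules are stale; flush them and save.
clear xlate
write memory

! 5. On the inside router 10.0.5.2 (assumed IOS): the 10.0.1.0-10.0.4.0 and
!    10.0.10.0 networks behind it need a path back to the PIX for the client pool,
!    otherwise replies (including RADIUS traffic from 10.0.10.10) never return.
ip route 10.0.6.0 255.255.255.0 10.0.5.1

! 6. Verify on the PIX while a client is connected.
show crypto isakmp sa
show crypto ipsec sa
```

In `show crypto ipsec sa`, compare the `#pkts decaps` and `#pkts encaps` counters for the client's SA: decaps rising while encaps stay at zero means the client's traffic arrives and is decrypted but nothing is coming back to be encrypted, which points at exactly the return-path problem the answer describes rather than at the tunnel itself. Two further caveats a practitioner would note about the config as posted: management access is permitted from any address on both interfaces (`telnet 0.0.0.0 0.0.0.0` and `ssh 0.0.0.0 0.0.0.0` on inside and outside) and the SNMP community is `public`; and the RADIUS shared secret (`cisco123`) plus the encrypted enable and user password hashes appear in the post, so those should be rotated after posting.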