I have configured a PIX 315 to allow VPN connections and authenticate users through Active Directory. Users can authenticate, but cannot go anywhere once they are connected. They are receiving an IP address from the IP pool on the PIX, which is part of the 192.168.169.0 network.
The local area network has two VLANs: 192.168.169.0 and 192.168.170.0. Users cannot get to any devices on either network.
Any help you can provide would be MOST APPRECIATED!
access-list INET_IN permit icmp any any echo-reply
access-list INET_IN permit icmp any any time-exceeded
access-list INET_IN permit tcp any host x.x.x.x eq www
access-list INET_IN permit tcp any host x.x.x.x eq https
access-list INET_IN permit tcp any host x.x.x.x eq ftp
access-list INET_IN permit tcp host x.x.x.x host x.x.x.x eq 3389
access-list INET_IN deny tcp any host x.x.x.x eq 41794
access-list INET_IN deny tcp any host x.x.x.x eq 41795
access-list INET_IN permit tcp any host x.x.x.x eq h323
access-list INET_IN permit tcp any host x.x.x.x eq 3230
access-list INET_IN permit tcp any host x.x.x.x eq 3231
access-list INET_IN permit tcp any host x.x.x.x eq 3232
access-list INET_IN permit tcp any host x.x.x.x eq 3233
access-list INET_IN permit tcp any host x.x.x.x eq 3234
access-list INET_IN permit tcp any host x.x.x.x eq 3235
access-list INET_IN permit udp any host x.x.x.x eq 3235
access-list INET_IN permit udp any host x.x.x.x eq 3236
access-list INET_IN permit udp any host x.x.x.x eq 3237
access-list INET_IN permit udp any host x.x.x.x eq 3238
access-list INET_IN permit udp any host x.x.x.x eq 3239
access-list INET_IN permit udp any host x.x.x.x eq 3240
access-list INET_IN permit udp any host x.x.x.x eq 3241
access-list INET_IN permit udp any host x.x.x.x eq 3242
access-list INET_IN permit udp any host x.x.x.x eq 3243
access-list INET_IN permit udp any host x.x.x.x eq 3244
access-list INET_IN permit udp any host x.x.x.x eq 3245
access-list INET_IN permit udp any host x.x.x.x eq 3246
access-list INET_IN permit udp any host x.x.x.x eq 3247
access-list INET_IN permit udp any host x.x.x.x eq 3248
access-list INET_IN permit udp any host x.x.x.x eq 3249
access-list INET_IN permit udp any host x.x.x.x eq 3250
access-list INET_IN permit udp any host x.x.x.x eq 3251
access-list INET_IN permit udp any host x.x.x.x eq 3252
access-list INET_IN permit udp any host x.x.x.x eq 3253
access-list INET_IN permit udp any host x.x.x.x eq 3254
access-list INET_IN permit udp any host x.x.x.x eq 3255
access-list INET_IN permit udp any host x.x.x.x eq 3256
access-list INET_IN permit udp any host x.x.x.x eq 3257
access-list INET_IN permit udp any host x.x.x.x eq 3258
access-list inside_outbound_nat0_acl permit ip any 192.168.169.208 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.169.208 255.255.255.240
access-list 101 permit ip 192.168.169.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list 101 permit ip 192.168.170.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list 101 permit ip 192.168.168.0 255.255.255.0 192.168.169.0 255.255.255.0
access-list 101 permit ip 192.168.168.0 255.255.255.0 192.168.170.0 255.255.255.0
access-list split_tunnel_acl permit ip any any
ip address outside x.x.x.18 255.255.255.248
ip address inside 192.168.169.22 255.255.255.0
ip local pool VPN 192.168.169.210-192.168.169.219 mask 255.255.255.0
global (outside) 1 x.x.x.19
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list 101 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x LAB1-Server netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.169.210 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x Polycom_VS4000 dns netmask 255.255.255.255 0 0
access-group INET_IN in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.17 1
route inside 192.168.0.0 255.255.0.0 192.168.169.21 1
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host LAB2-Server <shared pw> timeout 5
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_MD5
crypto dynamic-map dynmap 10 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool VPN
vpngroup vpn3000 dns-server LAB2-Server
vpngroup vpn3000 wins-server LAB1-Server
vpngroup vpn3000 default-domain <domain-name>
vpngroup vpn3000 split-tunnel split_tunnel_acl
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
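As an added example (not part of the post or of any Cisco tooling), a small checker that parses the address-related lines from a PIX config like the one above and reports where the VPN address pool overlaps an interface subnet or a static NAT entry. These overlaps are the first things a reviewer would confirm when pool clients authenticate but cannot reach the LAN; the sample config embedded below is constructed from the lines in the post.

```python
import ipaddress
import re

# Constructed sample: the address-related lines from the posted PIX config.
PIX_CONFIG = """\
ip address inside 192.168.169.22 255.255.255.0
ip local pool VPN 192.168.169.210-192.168.169.219 mask 255.255.255.0
static (inside,outside) x.x.x.x LAB1-Server netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.169.210 netmask 255.255.255.255 0 0
route inside 192.168.0.0 255.255.0.0 192.168.169.21 1
"""


def parse_pix(config):
    """Collect interface subnets, local pools and static NAT local addresses."""
    ifaces, pools, statics = {}, {}, []
    for line in config.splitlines():
        m = re.match(r"ip address (\S+) (\S+) (\S+)", line)
        if m:  # ipaddress accepts the dotted-netmask form; strict=False masks host bits
            ifaces[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            continue
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            continue
        m = re.match(r"static \((\S+),(\S+)\) \S+ (\S+) ", line)
        if m:  # group 3 is the local (real) address or name being translated
            statics.append((m.group(1), m.group(3)))
    return ifaces, pools, statics


def pool_findings(config):
    """Return human-readable findings about pool/subnet and pool/static overlaps.

    A pool that sits inside an interface subnet relies on the PIX answering
    ARP for those addresses, and a static that also claims a pool address
    gives that address two conflicting roles; both deserve a check before
    looking at ACLs or NAT exemption.
    """
    ifaces, pools, statics = parse_pix(config)
    findings = []
    for name, (start, end) in pools.items():
        for ifname, net in ifaces.items():
            if start in net or end in net:
                findings.append(f"pool {name} overlaps {ifname} subnet {net}")
        for ifname, local in statics:
            try:
                addr = ipaddress.ip_address(local)
            except ValueError:
                continue  # a hostname such as LAB1-Server, not a literal address
            if start <= addr <= end:
                findings.append(f"static for {local} ({ifname}) lies inside pool {name}")
    return findings
```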