speedingwolf
IS-IT--Management
Greetings all,
I'm trying to VPN into the corpnet using the Cisco Client version 4.x. I can establish a tunnel; however, I can't seem to access any inside machine. Please shed some light. Here is the config. I have a feeling it is an access-list issue or an outbound restriction. Thanks
PIX Version 6.1(4)
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
Notes: access-list 102 is outbound
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq 1494
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq nntp
access-list 102 permit tcp host 192.168.100.130 any eq domain
access-list 102 permit udp host 192.168.100.130 any eq domain
access-list 102 permit tcp host 192.168.100.130 any eq telnet
access-list 102 permit tcp host 192.168.100.250 any eq telnet
access-list 102 permit gre any any
access-list 102 permit tcp any any eq 1723
access-list 102 permit tcp any any eq 990
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any range 8880 8910
access-list 102 permit tcp any any eq 5900
access-list 102 permit tcp any any eq 5800
access-list 102 permit tcp host 192.168.100.172 any eq domain
access-list 102 permit udp host 192.168.100.172 any eq domain
access-list 102 permit tcp host 192.168.100.172 any eq telnet
access-list 102 permit udp any host 192.168.100.106 eq domain
access-list 102 permit tcp any host 192.168.100.106 eq domain
access-list 102 permit tcp host 192.168.100.131 any
access-list 102 permit ip host 192.168.100.118 any
access-list 103 permit ip 192.168.103.0 255.255.255.0 192.168.100.0 255.255.255.0
interface ethernet0 10baset
interface ethernet1 100basetx
interface ethernet2 100basetx
mtu outside 1500
mtu dmz 1500
mtu inside 1500
ip address outside x.x.x.x
ip address dmz 192.168.1.2 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name attackout info action alarm
ip audit name attackin info action alarm
ip audit interface outside attackout
ip audit interface inside attackin
ip audit info action alarm
ip audit attack action alarm
ip local pool IPPOOL 192.168.103.200-192.168.103.210
global (outside) 1 x.x.x.x-x.x.x.x
global (outside) 1 x.x.x.x
nat (inside) 0 access-list 103
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
nat (inside) 1 192.168.200.0 255.255.255.0 0 0
access-group 101 in interface outside
access-group 102 in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
route inside 192.168.103.0 255.255.255.0 192.168.100.1 1
route inside 192.168.200.0 255.255.255.0 192.168.100.210 1
snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
sysopt route dnat
crypto ipsec transform-set SET esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set SET
crypto map MAP 10 ipsec-isakmp dynamic dynmap
crypto map MAP client configuration address initiate
crypto map MAP client configuration address respond
crypto map MAP interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local IPPOOL outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup IVPN address-pool IPPOOL
vpngroup VPN dns-server 192.168.100.172
vpngroup VPN default-domain password
vpngroup VPN split-tunnel 103
vpngroup VPN idle-time 1800
vpngroup VPN password ********
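Added example (editor's note, not part of the original post): a small evaluator for the PIX 6.x access-list semantics the poster suspects. Two things in the posted config are worth testing before anything else. First, access-list 102 is applied "in" on the inside interface, and PIX 6.x keeps no ICMP state, so while TCP/UDP sessions started by the VPN client come back through the connection table, a ping reply from an inside host to a 192.168.103.x client is evaluated against ACL 102 and hits the implicit deny; an `echo-reply` permit line (my suggestion, not in the post) fixes that test case. Second, the address pool is attached to `vpngroup IVPN` while every other attribute is under `vpngroup VPN`, which looks like a typo worth checking against the group name in the client profile. The ACL subset and the vpngroup lines below are copied from the post; the evaluator models only first-match permit/deny with the implicit deny, and the host/client addresses are constructed from the pool and inside ranges in the post.

```python
# Added example (not from the original post): evaluate PIX 6.x ACL semantics
# against the poster's inside ACL and check vpngroup attribute consistency.
# All sample inputs are constructed from lines in the post.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# PIX port keywords that appear in the posted config
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "ftp": 21, "nntp": 119,
              "domain": 53, "telnet": 23}

# Constructed subset of the poster's access-list 102 (applied "in" on inside)
ACL_102 = """
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp host 192.168.100.130 any eq telnet
access-list 102 permit tcp host 192.168.100.172 any eq domain
access-list 102 permit udp host 192.168.100.172 any eq domain
access-list 102 permit gre any any
access-list 102 permit ip host 192.168.100.118 any
"""

# Constructed copy of the vpngroup lines from the post
VPNGROUP_LINES = """
vpngroup IVPN address-pool IPPOOL
vpngroup VPN dns-server 192.168.100.172
vpngroup VPN default-domain password
vpngroup VPN split-tunnel 103
vpngroup VPN idle-time 1800
vpngroup VPN password ********
"""

@dataclass
class Rule:
    action: str
    proto: str
    src: object
    dst: object
    ports: Optional[Tuple[int, int]]   # destination port range for tcp/udp; None = any
    icmp_type: Optional[str]           # e.g. "echo-reply"; None = any type
    text: str

def _endpoint(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text, acl_id):
    """Parse the 'access-list <id> permit|deny <proto> <src> <dst> [eq P|range A B|icmp-type]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", acl_id]:
            continue
        action, proto = t[2], t[3]
        src, rest = _endpoint(t[4:])
        dst, rest = _endpoint(rest)
        ports, icmp_type = None, None
        if proto in ("tcp", "udp") and rest[:1] == ["eq"]:
            p = PORT_NAMES.get(rest[1]) or int(rest[1])
            ports = (p, p)
        elif proto in ("tcp", "udp") and rest[:1] == ["range"]:
            ports = (int(rest[1]), int(rest[2]))
        elif proto == "icmp" and rest:
            icmp_type = rest[0]
        rules.append(Rule(action, proto, src, dst, ports, icmp_type, line.strip()))
    return rules

def lookup(rules, proto, src, dst, dst_port=None, icmp_type=None):
    """First-match evaluation; None means the PIX implicit deny at the end of the list."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.proto not in ("ip", proto) or s not in r.src or d not in r.dst:
            continue
        if r.ports and (dst_port is None or not r.ports[0] <= dst_port <= r.ports[1]):
            continue
        if r.icmp_type and r.icmp_type != icmp_type:
            continue
        return r
    return None

def ping_reply_permitted(acl_text, inside_host, vpn_client):
    """PIX 6.x has no ICMP connection state, so an echo-reply from an inside host
    to a VPN client is checked against the inside interface's inbound ACL."""
    rules = parse_acl(acl_text, "102")
    return lookup(rules, "icmp", inside_host, vpn_client, icmp_type="echo-reply") is not None

def vpngroup_gaps(text, required=("address-pool", "password")):
    """Attributes each vpngroup lacks; a group split across two names shows up here."""
    seen = {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] == ["vpngroup"] and len(t) >= 3:
            seen.setdefault(t[1], set()).add(t[2])
    return {g: sorted(set(required) - attrs) for g, attrs in seen.items()}

if __name__ == "__main__":
    host, client = "192.168.100.172", "192.168.103.201"   # constructed addresses
    print("ping reply, posted ACL:", ping_reply_permitted(ACL_102, host, client))
    fixed = ACL_102 + "access-list 102 permit icmp any 192.168.103.0 255.255.255.0 echo-reply\n"
    print("ping reply, with echo-reply line:", ping_reply_permitted(fixed, host, client))
    print("vpngroup gaps:", vpngroup_gaps(VPNGROUP_LINES))
```

Two more caveats a reviewer would raise against the posted config, outside what the script checks: `route inside 192.168.103.0 255.255.255.0 192.168.100.1` points the VPN pool back at the PIX's own inside address, whereas return traffic for the pool needs to leave via the outside interface where `crypto map MAP` is applied (the default route already covers that), so that route is worth removing while troubleshooting; and the ISAKMP/IPsec policy is DES with MD5 and a wildcard pre-shared key (`address 0.0.0.0 netmask 0.0.0.0`), which is the weakest combination 6.1 offers and should be moved to 3DES/SHA once the connectivity problem is solved.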