
VPN routing issue

Mar 22, 2002
29
US
I have a PIX 515. I have used the wizard in the ASDM to configure VPN access. The VPN client connects and authenticates; however, there is no internal or external routing. Here is my current config. Thanks in advance.

PIX Version 8.0(2)
!
hostname pix
domain-name protectedvehicles.local
enable password SiMRN9isDr6SJA.Y encrypted
names
name 199.72.176.49 Mail description Mail
name 204.116.77.211 Mail_T1 description Mail T1
name 192.168.100.1 SBS1 description Small Bus Server
name 192.168.100.9 SIPX description Inside SIPX
name 204.116.77.212 SIPX_OUTSIDE description Outside SIPX server
name 192.168.100.5 SRV2 description Server 2
name 192.168.100.0 Inside description PVI LAN
name 192.168.120.0 WiFi_LAN description Wireless Network
name 207.59.183.222 Outside_fast description Outside World
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address Outside_fast 255.255.255.252
ospf cost 10
!
interface Ethernet0.200
vlan 200
nameif Outside204
security-level 0
ip address 204.116.77.210 255.255.255.248
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.100.254 255.255.252.0
ospf cost 10
!
interface Ethernet1.1
description Wireless Lan gateway
vlan 20
nameif Wifi_LAN
security-level 40
ip address 192.168.120.1 255.255.255.0
ospf cost 10
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server SRV2
domain-name protectedvehicles.local
same-security-traffic permit inter-interface
object-group service VNC
service-object tcp eq 65000
access-list Outside204_access_in extended permit tcp any host Mail_T1 eq smtp
access-list outside_access_in extended permit tcp any host Mail
access-list vpnclient_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip Inside 255.255.252.0 192.168.110.0 255.255.255.192
access-list PVIVPN_splitTunnelAcl standard permit Inside 255.255.252.0
access-list PVIVPN_splitTunnelAcl_1 standard permit Inside 255.255.252.0
access-list PVIMSVPN_splitTunnelAcl standard permit Inside 255.255.252.0
access-list dfltRAGroup_splitTunnelAcl standard permit Inside 255.255.252.0
access-list PVIVPN_splitTunnelAcl_2 standard permit Inside 255.255.252.0
access-list PVIVPN_splitTunnelAcl_3 standard permit any
pager lines 24
mtu outside 1500
mtu Outside204 1500
mtu inside 1500
mtu Wifi_LAN 1500
ip local pool ippool 192.168.110.10-192.168.110.60 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (inside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (Wifi_LAN) 101 0.0.0.0 0.0.0.0
static (Outside204,inside) SRV2 Mail_T1 netmask 255.255.255.255
static (outside,outside) SRV2 Mail netmask 255.255.255.255
static (inside,Outside204) Mail_T1 SRV2 netmask 255.255.255.255
static (inside,outside) Mail SRV2 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group Outside204_access_in in interface Outside204
route outside 0.0.0.0 0.0.0.0 207.59.183.221 1
route Outside204 0.0.0.0 0.0.0.0 204.116.77.209 2
route outside 64.104.200.112 255.255.255.255 207.59.183.221 1
route inside 192.168.69.0 255.255.255.0 192.168.100.100 1
route outside 192.168.116.0 255.255.255.128 207.59.183.221 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server PVI protocol radius
aaa-server PVI host SRV2
timeout 5
key Pvi1360TruxtunAvenue
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.120.10-192.168.120.99 Wifi_LAN
dhcpd dns 206.74.254.2 206.116.57.2 interface Wifi_LAN
dhcpd ping_timeout 750 interface Wifi_LAN
dhcpd enable Wifi_LAN
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
banner value You are accessing a private network owned by
banner value Protected Vehicles, Inc.
banner value All unauthorized access is expressly forbidden.
banner value You are accessing a private network owned by
banner value Protected Vehicles, Inc.
banner value All unauthorized access is expressly forbidden
wins-server value 192.168.100.5
dns-server value 192.168.100.5
ipsec-udp enable
split-tunnel-network-list value PVIVPN_splitTunnelAcl_3
default-domain value protectedvehicles.local
split-dns value protectedvehicles.local
address-pools value ippool
group-policy PVIVPN internal
group-policy PVIVPN attributes
wins-server value 192.168.100.5 192.168.100.5
dns-server value 192.168.100.5 192.168.100.5
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PVIVPN_splitTunnelAcl_3
default-domain value protectedvehicles.local
group-policy Inside internal
group-policy Inside attributes
wins-server value 192.168.100.5
dns-server value 192.168.100.5
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelall
split-tunnel-network-list value vpnclient_splitTunnelAcl
default-domain value protectedvehicles.local
client-firewall none
username Jack password xSmr6DZpICCbQuE4 encrypted privilege 0
username Jack attributes
vpn-group-policy DfltGrpPolicy
username Rich password gDp8Ng9LXnBVQa9p encrypted
username Rich attributes
vpn-group-policy DfltGrpPolicy
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
address-pool ippool
authorization-server-group LOCAL
dhcp-server 192.168.100.254
authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group Inside type remote-access
tunnel-group Inside general-attributes
address-pool ippool
default-group-policy Inside
dhcp-server 192.168.100.254
tunnel-group Inside ipsec-attributes
pre-shared-key *
tunnel-group PVIVPN type remote-access
tunnel-group PVIVPN general-attributes
address-pool ippool
default-group-policy PVIVPN
dhcp-server 192.168.100.254
tunnel-group PVIVPN ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:ff36a3f4b96fe4358c6d15d662ad2c84
: end
asdm image flash:/asdm-603.bin
asdm location SBS1 255.255.255.255 inside
asdm location SRV2 255.255.255.255 inside
asdm location SIPX 255.255.255.255 inside
asdm location Mail 255.255.255.255 inside
asdm location Mail_T1 255.255.255.255 inside
asdm location SIPX_OUTSIDE 255.255.255.255 inside
no asdm history enable
 
There is so much going on here that it is really difficult to read. I suggest you go back to a saved config before you tried any VPN config and try it again. I don't use the wizard much and prefer the CLI. Here are the guides for each.


Read through it a few times (especially the CLI) and understand what each step is doing. That way you'll be able to spot errors when they come up. Be sure to enable the logging

logging enable
logging timestamp
logging buffered debugging
logging history debugging
logging buffer-size 40960

To see what's going on with the VPN, check these commands:
show crypto isakmp sa
show crypto ipsec sa
show access-list
show logging


My only suggestion is to make the VPN pool a different subnet than the internal network. I have had it work sometimes and not work others. Plus it allows you to better control traffic if you choose to limit the VPN users' access.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thank you. I cleaned up my configuration. I believe I left a NAT statement out, but I am not sure.
My VPN client will connect and authenticate. However, I get the following from the client log:

23 11:27:05.528 07/30/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a865ff, Netmask: ffffffff, Interface: c0a86e0a, Gateway: c0a86e0a.

24 11:29:51.590 07/30/08 Sev=Warning/2 IKE/0xE300008C
Split-DNS requires Split Tunneling and a primary DNS server

25 11:29:52.137 07/30/08 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 192.168.101.255
Netmask 255.255.255.255
Gateway 192.168.200.10
Interface 192.168.200.10

26 11:29:52.137 07/30/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a865ff, Netmask: ffffffff, Interface: c0a8c80a, Gateway: c0a8c80a.

Below is my current running config:

PIX Version 8.0(2)
!
hostname pix
domain-name protectedvehicles.local
enable password SiMRN9isDr6SJA.Y encrypted
names
name 199.72.176.49 Mail description Mail
name 204.116.77.211 Mail_T1 description Mail T1
name 192.168.100.1 SBS1 description Small Bus Server
name 192.168.100.9 SIPX description Inside SIPX
name 204.116.77.212 SIPX_OUTSIDE description Outside SIPX server
name 192.168.100.5 SRV2 description Server 2
name 192.168.100.0 Inside description PVI LAN
name 192.168.120.0 WiFi_LAN description Wireless Network
name 207.59.183.222 Outside_fast description Outside World
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address Outside_fast 255.255.255.252
ospf cost 10
!
interface Ethernet0.200
vlan 200
nameif Outside204
security-level 0
ip address 204.116.77.210 255.255.255.248
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.100.254 255.255.252.0
ospf cost 10
!
interface Ethernet1.1
description Wireless Lan gateway
vlan 20
nameif Wifi_LAN
security-level 40
ip address 192.168.120.1 255.255.255.0
ospf cost 10
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server SRV2
domain-name protectedvehicles.local
same-security-traffic permit inter-interface
object-group service VNC
service-object tcp eq 65000
object-group service VUZE tcp
port-object eq 46201
access-list Outside204_access_in extended permit tcp any host Mail_T1 eq smtp
access-list outside_access_in extended permit tcp any host Mail
access-list outside_access_in extended permit tcp any any
access-list dfltRAGroup_splitTunnelAcl standard permit Inside 255.255.252.0
access-list PVIVPN_splitTunnelAcl_3 standard permit any
pager lines 24
mtu outside 1500
mtu Outside204 1500
mtu inside 1500
mtu Wifi_LAN 1500
ip local pool vpnpool 192.168.200.10-192.168.200.19 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (inside) 1 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (Wifi_LAN) 101 0.0.0.0 0.0.0.0
static (Outside204,inside) SRV2 Mail_T1 netmask 255.255.255.255
static (outside,outside) SRV2 Mail netmask 255.255.255.255
static (inside,Outside204) Mail_T1 SRV2 netmask 255.255.255.255
static (inside,outside) Mail SRV2 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group Outside204_access_in in interface Outside204
route outside 0.0.0.0 0.0.0.0 207.59.183.221 1
route Outside204 0.0.0.0 0.0.0.0 204.116.77.209 2
route outside 64.104.200.112 255.255.255.255 207.59.183.221 1
route inside 192.168.69.0 255.255.255.0 192.168.100.100 1
route outside 192.168.116.0 255.255.255.128 207.59.183.221 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server PVI protocol radius
aaa-server PVI host SRV2
timeout 5
key
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.120.10-192.168.120.99 Wifi_LAN
dhcpd dns 206.74.254.2 206.116.57.2 interface Wifi_LAN
dhcpd ping_timeout 750 interface Wifi_LAN
dhcpd enable Wifi_LAN
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
banner value You are accessing a private network owned by
banner value Protected Vehicles, Inc.
banner value All unauthorized access is expressly forbidden.
banner value You are accessing a private network owned by
banner value Protected Vehicles, Inc.
banner value All unauthorized access is expressly forbidden
wins-server value 192.168.100.5
dns-server value 192.168.100.5
ipsec-udp enable
split-tunnel-network-list value PVIVPN_splitTunnelAcl_3
default-domain value protectedvehicles.local
split-dns value protectedvehicles.local
address-pools value vpnpool
group-policy Inside internal
group-policy Inside attributes
wins-server value 192.168.100.5 192.168.100.5
dns-server value 192.168.100.5 192.168.100.5
vpn-tunnel-protocol IPSec
default-domain value protectedvehicles.local
address-pools value vpnpool
username Jack password xSmr6DZpICCbQuE4 encrypted privilege 0
username Jack attributes
vpn-group-policy DfltGrpPolicy
username Rich password gDp8Ng9LXnBVQa9p encrypted
username Rich attributes
vpn-group-policy DfltGrpPolicy
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
address-pool vpnpool
authorization-server-group LOCAL
dhcp-server 192.168.100.254
authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group Inside type remote-access
tunnel-group Inside general-attributes
address-pool vpnpool
default-group-policy Inside
dhcp-server 192.168.100.254
tunnel-group Inside ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:74c966be0ae96e7ddc5741725f5a7243
: end
asdm image flash:/asdm-603.bin
asdm location SBS1 255.255.255.255 inside
asdm location SRV2 255.255.255.255 inside
asdm location SIPX 255.255.255.255 inside
asdm location Mail 255.255.255.255 inside
asdm location Mail_T1 255.255.255.255 inside
asdm location SIPX_OUTSIDE 255.255.255.255 inside
no asdm history enable
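The client log entries above, decoded as an added example (this is not part of the original post and not Cisco tooling). The CM module logs addresses as eight big-endian hex digits, so `c0a865ff` is 192.168.101.255, the same destination the CVPND entry prints in dotted form, and the Interface/Gateway fields carry the client's own tunnel address: 192.168.110.10 in the first entry and 192.168.200.10 later, which fall inside the two `ip local pool` ranges posted in this thread. The sample lines are copied from the post; the field names, function names and pool bounds passed to `clients_in_pool` are this script's own.

```python
"""Parse Cisco VPN Client log lines and decode their hex IPv4 fields.

Added example, not from the thread and not Cisco code. SAMPLE_LOG is copied
from the post above; the entry layout and helper names are this script's own.
"""
import ipaddress
import re

SAMPLE_LOG = """\
23 11:27:05.528 07/30/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a865ff, Netmask: ffffffff, Interface: c0a86e0a, Gateway: c0a86e0a.

24 11:29:51.590 07/30/08 Sev=Warning/2 IKE/0xE300008C
Split-DNS requires Split Tunneling and a primary DNS server

25 11:29:52.137 07/30/08 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 192.168.101.255
Netmask 255.255.255.255
Gateway 192.168.200.10
Interface 192.168.200.10

26 11:29:52.137 07/30/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a865ff, Netmask: ffffffff, Interface: c0a8c80a, Gateway: c0a8c80a.
"""

# "<seq> <time> <date> Sev=<name>/<level> <module>/0x<code>"
HEADER = re.compile(r"^(\d+) (\S+) (\S+) Sev=(\w+)/(\d) (\w+)/0x([0-9A-Fa-f]+)$")
# CM module: "Network: c0a865ff, Netmask: ffffffff, ..." (hex, big-endian)
HEXFIELD = re.compile(r"(Network|Netmask|Interface|Gateway): ([0-9a-f]{8})")
# CVPND module: one "Destination 192.168.101.255" style field per line
TEXTFIELD = re.compile(r"^(Destination|Netmask|Gateway|Interface) (\d+\.\d+\.\d+\.\d+)$")


def hex_ip(h):
    """'c0a8c80a' -> IPv4Address('192.168.200.10'); the hex is the address in network byte order."""
    return ipaddress.IPv4Address(int(h, 16))


def parse_log(text):
    """Group log lines into entries; addresses in 'fields' are IPv4Address objects."""
    entries = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            entries.append({"seq": int(m[1]), "time": m[2], "date": m[3], "sev": m[4],
                            "level": int(m[5]), "module": m[6], "code": m[7], "fields": {}})
        elif entries:
            fields = entries[-1]["fields"]
            for name, h in HEXFIELD.findall(line):
                fields[name.lower()] = hex_ip(h)
            if m := TEXTFIELD.match(line):
                key = "network" if m[1] == "Destination" else m[1].lower()
                fields[key] = ipaddress.IPv4Address(m[2])
    return entries


def failed_routes(entries):
    """(destination, client address) as strings for every entry that reports a route."""
    return [(str(e["fields"]["network"]), str(e["fields"]["interface"]))
            for e in entries if "network" in e["fields"] and "interface" in e["fields"]]


def clients_in_pool(entries, first, last):
    """Sequence numbers of entries whose client (Interface) address lies in [first, last]."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [e["seq"] for e in entries
            if "interface" in e["fields"] and lo <= e["fields"]["interface"] <= hi]
```

Run `failed_routes(parse_log(SAMPLE_LOG))` to see that every failure is for the single host route 192.168.101.255/32, and `clients_in_pool(...)` with the bounds of `ippool` (192.168.110.10-60) and then `vpnpool` (192.168.200.10-19) to see which pool each connection attempt drew its address from.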
 
OK, it's still confusing. Are you trying to VPN from the inside out?
"crypto map inside_map interface inside"
Do you want IPSEC or PPTP? (IPSEC is the better choice.)

Get everything working that you want before you add the VPN. Then start small and add features once you have a running VPN. Start with barebones - no split tunnel, no local LAN access, nothing. Once that is up and functional then add the features.




Brent
Systems Engineer / Consultant
CCNP, CCSP
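An added example, not from the thread and not Cisco tooling: a small Python checker for the class of mistakes Brent points at (crypto map and ISAKMP bound to inside rather than outside, a VPN pool overlapping a LAN subnet, no `nat (inside) 0` exemption for the pool) plus the exposure issues visible in the posted configs (ssh/http from any source on outside, `permit tcp any any` inbound, DES/MD5 transforms, NAT-T disabled). SAMPLE_CONFIG is a trimmed copy of the second posted config with the sub-command indentation restored; the check codes, messages and parsing limits (dotted-quad addresses only, `name` aliases not resolved, only the `src mask dst mask` ACL form read for the exemption) are this script's own assumptions.

```python
"""Static checks for a PIX/ASA 8.0 remote-access IPsec config (added example, not
Cisco tooling or thread code). SAMPLE_CONFIG is a trimmed, re-indented copy of the
second config posted above; check codes, messages and parsing limits are this script's own."""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 207.59.183.222 255.255.255.252
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.100.254 255.255.252.0
access-list outside_access_in extended permit tcp any any
ip local pool vpnpool 192.168.200.10-192.168.200.19 mask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map inside_map interface inside
crypto isakmp enable inside
no crypto isakmp nat-traversal
"""
WEAK = ("encryption des", "hash md5", "esp-des", "esp-md5-hmac")

def net(addr, mask):
    """ip_network from PIX 'addr mask' tokens (dotted-quad only; 'name' aliases not resolved)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(text):
    """Return (interfaces by nameif, pools as (first, last) addresses, config lines)."""
    ifaces, pools, cur = {}, {}, None
    lines = text.splitlines()
    for line in lines:
        s = line.strip()
        if s.startswith("interface "):
            cur = {}
        elif cur is not None and s.startswith("nameif "):
            cur["name"] = s.split()[1]
            ifaces[cur["name"]] = cur
        elif cur is not None and s.startswith("security-level "):
            cur["level"] = int(s.split()[1])
        elif cur is not None and s.startswith("ip address "):
            cur["net"] = net(s.split()[2], s.split()[3])
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", s):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif not line.startswith(" "):
            cur = None  # any other top-level command ends the interface block
    return ifaces, pools, lines

def check_config(text):
    """Return a list of (code, message) findings for a PIX config text."""
    ifaces, pools, lines = parse(text)
    outside = {n for n, i in ifaces.items() if i.get("level") == 0}
    inside = {n: i["net"] for n, i in ifaces.items() if i.get("level") == 100 and "net" in i}
    out = []
    # Remote-access clients arrive on outside: crypto map and ISAKMP must be bound there.
    for code, pat in (("CRYPTO_MAP_IFACE", r"crypto map \S+ interface (\S+)"), ("ISAKMP_IFACE", r"crypto isakmp enable (\S+)")):
        bound = {m[1] for l in lines if (m := re.match(pat, l))}
        if not bound & outside:
            out.append((code, f"bound to {sorted(bound)}, not to an outside interface"))
    # A pool carved out of a LAN subnet depends on proxy-ARP and is unreliable; use a separate subnet.
    for pname, (first, last) in pools.items():
        for iname, inet in inside.items():
            if first <= inet.broadcast_address and last >= inet.network_address:
                out.append(("POOL_OVERLAP", f"pool {pname} overlaps {iname} {inet}"))
    # Dynamic NAT on inside needs a 'nat (inside) 0' exemption covering the pool,
    # otherwise LAN replies to VPN clients are PAT'd to the outside address and the session fails.
    for iname in inside:
        if not any(re.match(rf"nat \({iname}\) [1-9]", l) for l in lines):
            continue
        nat0 = [m[1] for l in lines if (m := re.match(rf"nat \({iname}\) 0 access-list (\S+)", l))]
        if not nat0:
            out.append(("NO_NAT_EXEMPT", f"dynamic NAT on {iname} without 'nat ({iname}) 0 access-list'"))
            continue
        acl = rf"access-list {nat0[0]} extended permit ip \S+ \S+ (\S+) (\S+)"  # src mask dst mask form only
        exempt = [net(m[1], m[2]) for l in lines if (m := re.match(acl, l))]
        for pname, (first, last) in pools.items():
            if not any(first in e and last in e for e in exempt):
                out.append(("NAT_EXEMPT_GAP", f"{nat0[0]} does not exempt pool {pname}"))
    # Management and ACL exposure on outside-facing interfaces.
    applied = {m[1]: m[2] for l in lines if (m := re.match(r"access-group (\S+) in interface (\S+)", l))}
    for l in lines:
        if (m := re.match(r"(ssh|http|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", l)) and m[2] in outside:
            out.append(("MGMT_EXPOSED", f"{m[1]} open to any source on {m[2]}"))
        if (m := re.match(r"access-list (\S+) extended permit (\S+) any any$", l)) and applied.get(m[1]) in outside:
            out.append(("ACL_ANY_ANY", f"{m[1]} permits {m[2]} any any inbound on {applied[m[1]]}"))
    # Algorithm and NAT-T hygiene.
    weak = sorted({w for l in lines for w in WEAK if w in l})
    if weak:
        out.append(("WEAK_CRYPTO", "uses " + ", ".join(weak)))
    if any(l.strip() == "no crypto isakmp nat-traversal" for l in lines):
        out.append(("NAT_T_OFF", "NAT-T disabled; clients behind NAT must rely on ipsec-udp/TCP encapsulation"))
    return out
```

Run `check_config(SAMPLE_CONFIG)` to list the findings for the posted config, or paste a `show running-config` capture into `check_config` to run the same checks on a live box; the NAT exemption check only understands the `access-list X extended permit ip <src> <mask> <dst> <mask>` form, so entries written with `host` or `any` need extending if you rely on them.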
 