Question : PIX VPN Question
Ok here's my issue.
I have a 501 PIX and I can connect to VPN fine; once connected, though, I cannot ping or access anything.
I see this issue here at work only. I can access everything fine at home. Any ideas why? The network I am VPNing into is 192.168.8.x.
Is there something on our work PIX (which is a 515E) that I need to change? Here is the config on the work PIX:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
enable password RCKl7uz0B0c5dSMd encrypted
passwd RCKl7uz0B0c5dSMd encrypted
hostname Firewall
domain-name
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name x.x.x.x WebServer
name x.x.x.x FTPServer
name x.x.x.x MailServer
object-group service FTP tcp
  port-object eq ftp
  port-object eq ftp-data
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any interface outside object-group FTP
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 10.10.31.0 255.255.255.128
access-list inside_outbound_nat0_acl permit ip any host FTPServer
access-list outside_cryptomap_dyn_40 permit ip any 10.10.31.0 255.255.255.128
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 10.10.11.15 255.255.0.0
ip address dmz 10.254.1.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 10.10.31.30-10.10.31.79
pdm location 10.10.11.1 255.255.255.255 inside
pdm location WebServer 255.255.255.255 inside
pdm location MailServer 255.255.255.255 inside
pdm location FTPServer 255.255.255.255 dmz
pdm location 10.30.0.0 255.255.0.0 inside
pdm location 10.40.0.0 255.255.0.0 inside
pdm location 10.50.0.0 255.255.0.0 inside
pdm location 10.10.0.0 255.255.0.0 outside
pdm location 10.10.11.192 255.255.255.192 outside
pdm location FTPServer 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www WebServer www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https WebServer https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp MailServer smtp netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface ftp FTPServer ftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.30.0.0 255.255.0.0 10.10.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.0.0 255.255.0.0 outside
http 10.10.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn-group address-pool vpn-pool
vpngroup vpn-group dns-server 10.10.11.3
vpngroup vpn-group wins-server 10.10.11.2 10.10.11.5
vpngroup vpn-group default-domain
vpngroup vpn-group idle-time 1800
vpngroup vpn-group password
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:41f5cf6e1693bc5993bb50f9126e6e8d
: end
Firewall#
Thanks
Answer : PIX VPN Question
If clear xlate did not fix your problem, then reboot the PIX. If that does not fix it, then upgrade and reboot again.
If that does not fix it, do you have another external IP address that you can use for a static NAT?