Cisco PIX VPN config

Tags:
Cabling
Cisco PIX
Routers
Switches
VPN
VPN configuration
Hi, I'm trying to configure a Cisco PIX 501 firewall to accept inbound VPN client connections and route secured traffic to a subnet behind this PIX. I've managed to configure the PIX to accept the VPN client connections, but I can't get the traffic to route correctly to the subnet that is behind the PIX. This may be easier if I can show you a Visio diagram of my test network. To try and explain how things are configured: I have a border router which is attached to the PIX, the PIX is then attached to a 3548 L3 switch and then there is another 2912 switch attached to the 3548. The host I'm trying to connect to hangs off of the 2912 switch. The host has an IP of 172.31.3.100/24 and the internal interface of the PIX has an IP of 10.250.10.1. When I'm connected to the VPN using the Cisco VPN client, I can ping the inside interface of the PIX, but it just times out when I try pinging 172.31.3.100. The VPN config on the PIX is configured for split tunnelling. I know I'm not explaining this particularly well, but please let me know if you need more information. I'm quite happy to share the configs of the PIX and switches, so you can see what is going on. I also have a Visio of the network layout, which might make it easier to understand; I just didn't want to make this post the longest post in the world by pasting in all the configs. I can email the configs if necessary, unless anyone knows a way I can share them on this site? Please help, as I'm trying to learn more about this stuff but I'm struggling a bit here. Many thanks in advance. Kind Regards, Greg.

Answer Wiki

The internal interface of the PIX and the destination IP address do not appear to be on the same network. If you are using VLANs then your PIX must be able to understand VLANs (I am not sure the 501 does) or your L3 switch must be able to route between VLANs and you would need to add some type of route statement to the PIX. If you're not using VLANs then you need to change the IP address of either the destination host or the internal interface of the PIX.

That's my $.02

HTH
Gary

Discuss This Question: 7  Replies

  • GregNottage
    Thanks Gary ;-) I am using VLANs on the switches but they appear to be just VLAN1. There are different subnets and the PIX is in the 10.250.10.0/24 range which is different from the host I'm trying to connect to whilst on the VPN. I'm pretty sure that the 3548 has a Layer 3 image on it, so I guess it will be on that switch that I need to set up some routing? Here's the config from that switch:
    ---------------------------------------
    disw1.zen#sh run
    Building configuration...

    Current configuration : 3360 bytes
    !
    ! Last configuration change at 10:03:51 UTC Fri Nov 3 2006
    ! NVRAM config last updated at 10:03:53 UTC Fri Nov 3 2006
    !
    version 12.1
    no service single-slot-reload-enable
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname disw1.zen
    !
    no logging console
    enable secret 5 $1$PUrq$VeR4PhzcaSo8gLyi85NBK/
    !
    clock summer-time GMT recurring
    ip subnet-zero
    ip routing
    ip name-server 1.1.1.1
    !
    !
    spanning-tree extend system-id
    !
    !
    interface FastEthernet0/1
     no ip address
    !
    interface FastEthernet0/2
     no ip address
    !
    interface FastEthernet0/3
     no ip address
    !
    interface FastEthernet0/4
     no ip address
    !
    interface FastEthernet0/5
     no ip address
    !
    interface FastEthernet0/6
     no ip address
    !
    interface FastEthernet0/7
     no ip address
    !
    interface FastEthernet0/8
     no ip address
    !
    interface FastEthernet0/9
     no ip address
    !
    interface FastEthernet0/10
     no ip address
    !
    interface FastEthernet0/11
     no ip address
    !
    interface FastEthernet0/12
     no ip address
    !
    interface FastEthernet0/13
     no ip address
    !
    interface FastEthernet0/14
     no ip address
    !
    interface FastEthernet0/15
     no ip address
    !
    interface FastEthernet0/16
     no ip address
    !
    interface FastEthernet0/17
     no ip address
    !
    interface FastEthernet0/18
     no ip address
    !
    interface FastEthernet0/19
     no ip address
    !
    interface FastEthernet0/20
     no ip address
    !
    interface FastEthernet0/21
     no ip address
    !
    interface FastEthernet0/22
     no ip address
    !
    interface FastEthernet0/23
     no ip address
    !
    interface FastEthernet0/24
     no ip address
    !
    interface FastEthernet0/25
     no ip address
    !
    interface FastEthernet0/26
     no ip address
    !
    interface FastEthernet0/27
     no ip address
    !
    interface FastEthernet0/28
     no ip address
    !
    interface FastEthernet0/29
     no ip address
    !
    interface FastEthernet0/30
     no ip address
    !
    interface FastEthernet0/31
     no ip address
    !
    interface FastEthernet0/32
     no ip address
    !
    interface FastEthernet0/33
     no ip address
    !
    interface FastEthernet0/34
     no ip address
    !
    interface FastEthernet0/35
     no ip address
    !
    interface FastEthernet0/36
     no ip address
    !
    interface FastEthernet0/37
     no ip address
    !
    interface FastEthernet0/38
     no ip address
    !
    interface FastEthernet0/39
     no ip address
    !
    interface FastEthernet0/40
     no ip address
    !
    interface FastEthernet0/41
     no ip address
    !
    interface FastEthernet0/42
     no ip address
    !
    interface FastEthernet0/43
     no ip address
    !
    interface FastEthernet0/44
     no ip address
    !
    interface FastEthernet0/45
     no ip address
    !
    interface FastEthernet0/46
     description Link to pix.zen Inside
     no switchport
     ip address 10.250.10.2 255.255.255.0
    !
    interface FastEthernet0/47
     no ip address
    !
    interface FastEthernet0/48
     description Link to labsw1.zen
     switchport trunk encapsulation isl
     switchport mode access
     no ip address
     duplex full
     speed 100
    !
    interface GigabitEthernet0/1
     no ip address
    !
    interface GigabitEthernet0/2
     no ip address
    !
    interface Vlan1
     ip address 172.31.3.1 255.255.255.0
    !
    interface Vlan60
     no ip address
    !
    ip default-gateway 10.250.10.1
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.250.10.1
    no ip http server
    !
    !
    !
    line con 0
    line vty 0
     exec-timeout 0 0
     password 7 06371E3B561F5A4B1C19434A
     login
    line vty 1 4
     password 7 0237154111575C7355405858
     login
    line vty 5 15
     login
    !
    ntp authenticate
    ntp clock-period 17180211
    ntp server 1.1.1.1
    ntp server 82.68.126.114
    ntp server 81.187.65.110
    end
    -------------------------------------
    Thanks, Greg.
    0 points
  • Ghigbee
    Can anyone else on the 10. subnet (in the LAN) ping the address you are trying to reach?
    0 points
  • Astronomer
    Greg: Does your pix have a route statement telling it the 172.31.3.x network is behind 10.259.10.2? Try pinging the server from the pix to verify reachability. rt
    15 points
  • Delebute2004
    On your PIX config you should have an IP Pool for the vpn clients that is not on the same subnet that the internal or LAN side of the PIX is on. Once that is setup you then need to setup an access list to allow access from the ip pool address to work with the LAN side. Let me know if this helps or you need more info. David
    0 points
  • GregNottage
    Thanks guys ;-) I must admit I'm a total newbie when it comes to this stuff, which is one of the reasons for setting up this testlab ;-) Most of the config has been pieced together from bits I've found on the net or using the PIX Device Manager web-based tool. Therefore, I'm not sure what I need to change on the access lists, so if you could spell it out for me in a "PIX for dummies" style that would really help me. I thought it might be easiest if I just post my PIX running config, then hopefully you might be able to tell me what I need to change. So here goes:
    ------------------------------------------------
    pix01.zen# sh run
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password EvmHn2BdSFlpYtqI encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pix01.zen
    domain-name vmceuro.com
    clock summer-time GMT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 102 permit ip 10.250.10.0 255.255.255.0 192.168.253.0 255.255.255.0
    access-list 102 permit ip 172.31.3.0 255.255.255.0 192.168.253.0 255.255.255.0
    access-list zentl_splitTunnelAcl permit ip 172.31.3.0 255.255.255.0 any
    access-list zentl_splitTunnelAcl permit ip 10.250.10.0 255.255.255.0 any
    access-list outside_nat0_inbound permit ip any any
    access-list outside_access_in permit tcp host 1.1.1.1 host 3.3.3.3 eq 3389
    access-list outside_access_in permit tcp host 2.2.2.2 host 3.3.3.3 eq 3389
    access-list outside_access_in deny ip any any
    pager lines 24
    logging on
    logging monitor debugging
    icmp permit host 2.2.2.2 outside
    icmp permit host 1.1.1.1 outside
    mtu outside 1500
    mtu inside 1500
    ip address outside 3.3.3.3 255.255.255.248
    ip address inside 10.250.10.1 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm drop
    ip local pool ZENTLPool1 192.168.253.1-192.168.253.254
    pdm location 172.31.3.0 255.255.255.0 inside
    pdm location 172.31.3.100 255.255.255.255 inside
    pdm location 1.1.1.1 255.255.255.255 outside
    pdm location 2.2.2.2 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (outside) 0 access-list outside_nat0_inbound outside
    nat (inside) 0 access-list 102
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface smtp 172.31.3.100 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ftp 172.31.3.100 ftp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3389 172.31.3.100 3389 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 3.3.3.4 1
    route inside 172.31.3.0 255.255.255.0 172.31.3.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    ntp server 172.31.3.1 source inside
    http server enable
    http 172.31.3.100 255.255.255.255 inside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
    crypto dynamic-map map2 10 set transform-set trmset1
    crypto map map1 10 ipsec-isakmp dynamic map2
    crypto map map1 interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup zentl address-pool ZENTLPool1
    vpngroup zentl dns-server 4.4.4.4
    vpngroup zentl split-tunnel zentl_splitTunnelAcl
    vpngroup zentl pfs
    vpngroup zentl idle-time 1800
    vpngroup zentl password ********
    telnet timeout 1
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    management-access inside
    console timeout 0
    dhcpd address 10.250.10.100-10.250.10.131 inside
    dhcpd dns 4.4.4.4 5.5.5.5
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username user password encrypted privilege 15
    terminal width 80
    Cryptochecksum:2cec3b596d9d543d4aa7d9bf88b62814
    : end
    ------------------------------------------------
    Thanks, Greg.
    0 points
  • Astronomer
    Greg: Take a look at your route statements. Here is your internal route:
    route inside 172.31.3.0 255.255.255.0 172.31.3.1 1
    Note that it uses a gateway address on the destination network instead of an address on a network it's directly connected to. On my pix the corresponding configuration is:
    interface Ethernet1
     nameif inside
     security-level 100
     ip address xxx.yyy.208.65 255.255.255.192
    route inside 172.16.1.0 255.255.255.0 xxx.yyy.208.126 1
    The 208.126 interface on the router is hooked to the same switch as the 208.65 interface on the pix. Incidentally, I suggest when you post configurations containing passwords or public addresses, change the encrypted code and first two bytes of the IPs to something else so you don't give a head start to a cracker. Let me know if you need more detailed information. rt
    15 points
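The route check Astronomer describes above, written out as a small config linter, is an added example and not code from this thread or from Cisco. It parses the `ip address` and `route` statements of a PIX 6.x-style running config and flags any static route whose next hop does not fall inside the subnet of the interface the route names; it also checks that the `nat (inside) 0` exemption ACL covers traffic between the VPN client pool and a given inside host, which is the other thing the replies ask about. The embedded config is a constructed excerpt of the lines Greg posted; the function names are the example's own.

```python
import ipaddress
import re

# Constructed excerpt of the PIX config posted in the thread, reduced to the
# statements this checker reads. Not a complete or loadable running config.
PIX_CONFIG = """
ip address outside 3.3.3.3 255.255.255.248
ip address inside 10.250.10.1 255.255.255.0
ip local pool ZENTLPool1 192.168.253.1-192.168.253.254
access-list 102 permit ip 10.250.10.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list 102 permit ip 172.31.3.0 255.255.255.0 192.168.253.0 255.255.255.0
nat (inside) 0 access-list 102
route outside 0.0.0.0 0.0.0.0 3.3.3.4 1
route inside 172.31.3.0 255.255.255.0 172.31.3.1 1
"""


def parse_interfaces(config):
    """Map interface name -> directly connected network, from 'ip address <if> <ip> <mask>'."""
    ifaces = {}
    for m in re.finditer(r"^ip address (\S+) (\S+) (\S+)$", config, re.M):
        name, addr, mask = m.groups()
        ifaces[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ifaces


def parse_routes(config):
    """Parse 'route <if> <net> <mask> <gateway> [metric]' statements."""
    routes = []
    pattern = r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$"
    for m in re.finditer(pattern, config, re.M):
        name, net, mask, gw, metric = m.groups()
        routes.append({
            "interface": name,
            "network": ipaddress.ip_network(f"{net}/{mask}", strict=False),
            "gateway": ipaddress.ip_address(gw),
            "metric": int(metric) if metric else 1,
        })
    return routes


def check_routes(config):
    """Return (destination, reason) for every route whose gateway is not on
    the connected subnet of the interface the route names. A gateway that the
    firewall cannot ARP for on that interface will never forward traffic."""
    ifaces = parse_interfaces(config)
    findings = []
    for r in parse_routes(config):
        connected = ifaces.get(r["interface"])
        if connected is None:
            findings.append((str(r["network"]), f"unknown interface {r['interface']}"))
        elif r["gateway"] not in connected:
            findings.append((str(r["network"]),
                             f"gateway {r['gateway']} is not on {r['interface']} "
                             f"subnet {connected}"))
    return findings


def parse_pool(config):
    """Return (name, first, last) from 'ip local pool <name> <first>-<last>'."""
    m = re.search(r"^ip local pool (\S+) (\S+)-(\S+)$", config, re.M)
    name, first, last = m.groups()
    return name, ipaddress.ip_address(first), ipaddress.ip_address(last)


def nat0_covers(config, host):
    """True if the ACL bound by 'nat (inside) 0' exempts traffic between
    `host` (an inside address) and the whole VPN client pool from NAT."""
    acl = re.search(r"^nat \(inside\) 0 access-list (\S+)$", config, re.M).group(1)
    _, first, last = parse_pool(config)
    host = ipaddress.ip_address(host)
    ace = rf"^access-list {re.escape(acl)} permit ip (\S+) (\S+) (\S+) (\S+)$"
    for m in re.finditer(ace, config, re.M):
        src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        if host in src and first in dst and last in dst:
            return True
    return False


if __name__ == "__main__":
    for dest, reason in check_routes(PIX_CONFIG):
        print(f"route to {dest}: {reason}")
    print("nat 0 exempts 172.31.3.100 <-> VPN pool:",
          nat0_covers(PIX_CONFIG, "172.31.3.100"))
```

Run against the excerpt, the checker reports the `route inside 172.31.3.0 255.255.255.0 172.31.3.1 1` statement, because 172.31.3.1 lies on the destination network rather than on the inside interface's 10.250.10.0/24, while the NAT exemption for 172.31.3.100 passes. In the switch config Greg posted, the 3548's address on the link to the PIX is 10.250.10.2 (FastEthernet0/46), which is the sort of directly connected next hop this check expects; the tool only points at the inconsistency and leaves the routing decision to the administrator.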
