From: ziikell101 on 26 Jun 2010 06:36

Hi, support question here. I have a Cisco PIX 501 that won't let a VPNC connection past. It will allow the client to authenticate with an end-point, but won't actually pass the packets. I know this is the problem point, because I swapped the PIX out for an off-the-shelf Asus router and it worked without a hitch. Below are the version, the configuration and the client VPNC configuration. I wonder if someone would kindly run their eyes over it and point out any VPN-related mistakes:

SH VERSION
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Thu 04-Aug-05 21:40 by morlee
pixie up 2 mins 35 secs
Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
0: ethernet0: address is 000e.847c.7e6d, irq 9
1: ethernet1: address is 000e.847c.7e6e, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 50
Throughput: Unlimited
IKE peers: 10
This PIX has a Restricted (R) license.
SH RUNNING
# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password REMOVED encrypted
passwd REMOVED encrypted
hostname REMOVED
domain-name REMOVED.co.uk
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out2in deny ip 192.168.0.0 255.255.0.0 any
access-list out2in deny ip 172.16.0.0 255.240.0.0 any
access-list out2in deny ip 10.0.0.0 255.0.0.0 any
access-list out2in deny ip 127.0.0.0 255.0.0.0 any
access-list out2in permit icmp any any echo-reply
access-list out2in permit icmp any any unreachable
access-list out2in permit icmp any any time-exceeded
pager lines 24
logging on
logging timestamp
logging console emergencies
logging monitor debugging
logging buffered debugging
logging history debugging
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.90.90.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name attack_policy attack action alarm drop reset
ip audit name info_policy info action alarm
ip audit interface outside info_policy
ip audit interface outside attack_policy
ip audit info action alarm
ip audit attack action alarm drop
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.90.90.0 255.255.255.0 0 0
access-group out2in in interface outside
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 217.127.2.161 source outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment chain 1 outside
telnet timeout 60
ssh 10.90.90.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.90.90.100-10.90.90.200 inside
dhcpd dns 10.90.80.1 4.2.2.3
dhcpd lease 28800
dhcpd ping_timeout 750
dhcpd domain blah.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

VPNC CLIENT PROFILE
# cat /etc/vpnc/tt.conf
IPSec gateway 62.12.12.12 # changed for obvious reasons
IPSec ID VTL-VPN
IPSec secret yadayadayada # changed for obvious reasons
IKE Authmode psk
Xauth username b-jones # changed for obvious reasons
#Xauth password
Domain ourad # changed for obvious reasons
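The symptom in the post (IKE on UDP 500 completes, but no traffic crosses the tunnel) is the classic signature of ESP (IP protocol 50) failing behind port-based PAT, which is what `global (outside) 1 interface` configures: ESP has no ports, so the translator has nothing to rewrite. The following audit script is an added example, not code from the original post or from Cisco; it assumes that this is the cause, that PIX 6.3's `fixup protocol esp-ike` or the client-side `NAT Traversal Mode natt` line in vpnc.conf (ESP wrapped in UDP 4500) are the two candidate fixes, and it works on constructed excerpts of the posted config and profile.

```python
"""Audit a PIX 6.3 `sh run` and a vpnc profile for the "IKE completes but
no traffic flows" ESP-passthrough problem.  Added example, not code from
the original post.  Assumptions (not stated on the page):
  - the PIX is only a NAT device in the path, not the IPsec peer;
  - ESP (IP protocol 50) behind interface PAT is the cause; PIX 6.3 can
    carry one such tunnel when `fixup protocol esp-ike` is configured;
  - the client-side alternative is NAT-T (ESP in UDP 4500), selected in
    vpnc.conf with `NAT Traversal Mode natt`, which PAT handles as UDP.
"""
import re

# Constructed sample: the lines of the posted `sh run` that matter here.
SAMPLE_PIX_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol sip udp 5060
access-list out2in deny ip 10.0.0.0 255.0.0.0 any
access-list out2in permit icmp any any echo-reply
ip address outside dhcp setroute
global (outside) 1 interface
nat (inside) 1 10.90.90.0 255.255.255.0 0 0
access-group out2in in interface outside
"""

# Constructed sample: the posted vpnc profile (secrets replaced).
SAMPLE_VPNC_PROFILE = """\
IPSec gateway 62.12.12.12
IPSec ID VTL-VPN
IPSec secret yadayadayada
IKE Authmode psk
Xauth username b-jones
"""

# vpnc modes that wrap ESP in UDP so a port-based translator can carry it.
NATT_MODES = ("natt", "force-natt", "cisco-udp")


def pix_version(config):
    """(major, minor) from the `PIX Version x.y(z)` line, or None."""
    m = re.search(r"^PIX Version (\d+)\.(\d+)", config, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None


def fixups(config):
    """Set of protocol names enabled with `fixup protocol <name> ...`."""
    return set(re.findall(r"^fixup protocol (\S+)", config, re.M))


def uses_interface_pat(config):
    """True when the outside global pool is the interface address (PAT)."""
    return re.search(r"^global \(outside\) \d+ interface\s*$", config, re.M) is not None


def vpnc_natt_mode(profile):
    """Value of `NAT Traversal Mode` in the vpnc profile, or None if unset."""
    m = re.search(r"^NAT Traversal Mode\s+(\S+)", profile, re.M)
    return m.group(1) if m else None


def audit(config, profile):
    """Return a list of findings; an empty list means no passthrough problem found."""
    findings = []
    if (uses_interface_pat(config) and "esp-ike" not in fixups(config)
            and vpnc_natt_mode(profile) not in NATT_MODES):
        findings.append(
            "ESP cannot be PAT-translated: 'global (outside) 1 interface' is in use, "
            "'fixup protocol esp-ike' is absent and vpnc does not request NAT-T")
    ver = pix_version(config)
    if ver is not None and ver < (6, 3):
        findings.append("PIX %d.%d predates fixup protocol esp-ike; "
                        "NAT-T on the client is the only option" % ver)
    return findings


def remediations():
    """Two independent fixes; either one is enough (assumed, see module docstring)."""
    return {
        "pix": "fixup protocol esp-ike",          # hypothetical fix, PIX side
        "vpnc": "NAT Traversal Mode natt",        # hypothetical fix, client side
    }


if __name__ == "__main__":
    for f in audit(SAMPLE_PIX_CONFIG, SAMPLE_VPNC_PROFILE):
        print("FINDING:", f)
    for side, line in remediations().items():
        print("candidate fix (%s): %s" % (side, line))
```

Run it against the full `sh run` and `tt.conf` rather than the excerpts to confirm nothing else is masking the result. Prefer the vpnc-side fix where the concentrator accepts NAT-T: the `esp-ike` fixup is, as far as I know (an assumption worth checking against the 6.3 command reference), meant for a single ESP tunnel through the PIX and is not usable when the PIX is itself an IKE peer, whereas UDP-encapsulated ESP is just another UDP flow to the translator and scales to many clients.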