04-07-2008, 07:15 PM   #1
qwaven
Registered User
 
Join Date: Nov 2007
Posts: 7
OS: OSX


PIX 515 Remote Access VPN Connectivity

Hello,

I am running a PIX 515 and I am having trouble getting the remote access VPN to work properly.

I can connect to the PIX from an external source but...

Problems:

1. I notice the gateway or routes assigned to the VPN client do not exist. How can I set this or make it work properly?

2. I am unable to browse any internal network, and the only way I can access the internet is with Split-Tunneling enabled, which is not what I want as it just uses the remote client's internet.


What I want the VPN to do:

Allow VPN users full access to all internal network resources and have the VPN remote access client make use of the firewall's internet as opposed to its own.

Below I have posted my configuration for the PIX and the routes that I see on the client side.

I will also note I am using OBSD SSH as a test for access from the VPN. Normally, without the VPN, access works fine.

PIX CONFIGURATION:

Code:
:
PIX Version 7.2(1) 
!
hostname firewall
domain-name firewall.com
enable password hjhVds8qp9x?q9hg4876 encrypted
names
!
interface Ethernet0
 nameif OUTSIDE
 security-level 0
 pppoe client vpdn group internet
 ip address pppoe setroute 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.35.2 255.255.255.0 
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 76henbdgr7,376oNARE encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
dns server-group DefaultDNS
 domain-name firewall.com
access-list OUTSIDE_access_in remark SSH TO OBSD STARTED
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq www log notifications 
access-list VPN_splitTunnelAcl standard permit 192.168.35.0 255.255.255.0 
access-list VPN_splitTunnelAcl standard permit 10.200.50.0 255.255.255.0 
access-list VPN_splitTunnelAcl standard permit 10.200.51.0 255.255.255.0 
access-list VPN_splitTunnelAcl standard permit 10.200.52.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.35.0 255.255.255.0 10.200.53.0 255.255.255.224 
access-list inside_nat0_outbound extended permit ip 10.200.50.0 255.255.255.0 10.200.53.0 255.255.255.224 
access-list inside_nat0_outbound extended permit ip 10.200.51.0 255.255.255.0 10.200.53.0 255.255.255.224 
access-list inside_nat0_outbound extended permit ip 10.200.52.0 255.255.255.0 10.200.53.0 255.255.255.224 
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu inside 1500
ip local pool VPNPOOL 10.200.53.10-10.200.53.20 mask 255.255.255.0
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (OUTSIDE) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,OUTSIDE) tcp interface www 192.168.35.1 ssh netmask 255.255.255.255 
access-group OUTSIDE_access_in in interface OUTSIDE
route inside 10.200.50.0 255.255.255.0 192.168.35.1 1
route inside 10.200.51.0 255.255.255.0 192.168.35.1 1
route inside 10.200.52.0 255.255.255.0 192.168.35.1 1
route inside 172.16.25.0 255.255.255.0 192.168.35.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPN internal
group-policy VPN attributes
 dns-server value 199.35.32.11
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
username user1 password HwKK8FJf7kptiidf87 encrypted privilege 0
username user1 attributes
 vpn-group-policy VPN
http server enable
http 192.168.35.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map OUTSIDE_dyn_map 20 set pfs 
crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 20 set reverse-route
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
 address-pool VPNPOOL
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key ****
vpn-sessiondb max-session-limit 2
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group internet request dialout pppoe
vpdn group internet localname ***************
vpdn group internet ppp authentication pap
vpdn username ************ password ********* 
dhcpd address 192.168.35.3-192.168.35.254 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:42c5fd53f3fa15czze43933h0aucc9743
: end

VPN CLIENT INFO

Code:
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.200.53.1    10.200.53.10	  1
      10.200.53.0    255.255.255.0     10.200.53.10    10.200.53.10	  20
     10.200.53.10  255.255.255.255        127.0.0.1       127.0.0.1	  20
   10.255.255.255  255.255.255.255     10.200.53.10    10.200.53.10	  20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1	  1
      172.16.25.0    255.255.255.0     172.16.25.30    172.16.25.30	  20
      172.16.25.0    255.255.255.0      10.200.53.1    10.200.53.10	  20
      172.16.25.2  255.255.255.255     172.16.25.30    172.16.25.30	  1
     172.16.25.30  255.255.255.255        127.0.0.1       127.0.0.1	  20
   172.16.255.255  255.255.255.255     172.16.25.30    172.16.25.30	  20
   199.10.20.12  255.255.255.255      172.16.25.2    172.16.25.30	  1
        224.0.0.0        240.0.0.0     10.200.53.10    10.200.53.10	  20
        224.0.0.0        240.0.0.0     172.16.25.30    172.16.25.30	  20
  255.255.255.255  255.255.255.255     10.200.53.10               2	  1
  255.255.255.255  255.255.255.255     10.200.53.10    10.200.53.10	  1
  255.255.255.255  255.255.255.255     172.16.25.30    172.16.25.30	  1
Default Gateway:       10.200.53.1
===========================================================================

Code:
        Connection-specific DNS Suffix  . : 
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.200.53.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.200.53.1
        DNS Servers . . . . . . . . . . . : 199.35.32.11

I would prefer to be able to use the GUI/web access but I can also input CLI if needed.

Anyway, your help would be greatly appreciated. :)

Thanks!

Last edited by qwaven : 04-07-2008 at 07:24 PM.
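As an added example (not the poster's config and not from this thread): a small Python audit that reads the relevant lines of the posted PIX 7.2 config and checks the four things a full-tunnel remote-access setup that u-turns client internet traffic through the firewall depends on. The excerpt is constructed from the post; the `FIXED_CONFIG` lines, the NAT id reused there and the /27 pool mask are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the PIX 7.2 config in the post above (only the lines the audit reads)
PIX_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.35.0 255.255.255.0 10.200.53.0 255.255.255.224
ip local pool VPNPOOL 10.200.53.10-10.200.53.20 mask 255.255.255.0
global (OUTSIDE) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
group-policy VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
"""

def covers(nets, lo, hi):
    """True if some (network, mask) pair contains both ends of the address pool."""
    return any(lo in ip_network(f"{n}/{m}", strict=False) and hi in ip_network(f"{n}/{m}", strict=False)
               for n, m in nets)

def audit_full_tunnel(cfg, outside="OUTSIDE"):
    """Findings that keep VPN clients from reaching inside hosts or u-turning to the internet."""
    findings = []
    first, last = re.search(r"^ip local pool \S+ (\S+)-(\S+) ", cfg, re.M).groups()
    lo, hi = ip_address(first), ip_address(last)
    # 1. Full tunnel means split-tunnel-policy tunnelall; tunnelspecified only tunnels the listed networks
    policy = re.search(r"^ split-tunnel-policy (\S+)", cfg, re.M)
    if policy and policy.group(1) != "tunnelall":
        findings.append(f"split-tunnel-policy is {policy.group(1)}; full tunneling needs tunnelall")
    # 2. Inside-to-client traffic must bypass NAT: the whole pool must sit in a nat0 ACL destination
    acl = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    dests = re.findall(rf"^access-list {acl.group(1)} extended permit ip \S+ \S+ (\S+) (\S+)", cfg, re.M) if acl else []
    if not covers(dests, lo, hi):
        findings.append(f"pool {lo}-{hi} is not fully NAT-exempt from inside")
    # 3. Client internet traffic enters and leaves the outside interface; PIX 7.x denies that by default
    if "same-security-traffic permit intra-interface" not in cfg:
        findings.append("missing 'same-security-traffic permit intra-interface'; clients cannot u-turn to the internet")
    # 4. With nat-control, u-turned client traffic also needs a NAT rule on the outside interface
    if not covers(re.findall(rf"^nat \({outside}\) \d+ (\S+) (\S+)", cfg, re.M), lo, hi):
        findings.append(f"no 'nat ({outside}) <id> <pool>' rule covering {lo}-{hi}; u-turned traffic is dropped")
    return findings

# Assumed fix: reuse the NAT id of the existing global and the /27 the nat0 ACL already uses
FIXED_CONFIG = (PIX_CONFIG.replace("tunnelspecified", "tunnelall")
                + "same-security-traffic permit intra-interface\n"
                + "nat (OUTSIDE) 101 10.200.53.0 255.255.255.224\n")

if __name__ == "__main__":
    for f in audit_full_tunnel(PIX_CONFIG):
        print("posted config:", f)
    print("fixed config:", audit_full_tunnel(FIXED_CONFIG))  # []
```

Run against the posted excerpt it reports three findings (split-tunnel policy, intra-interface permit, outside NAT for the pool) and none against the assumed fix.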