#1 (permalink)
Registered User
Join Date: Nov 2007
Posts: 7
OS: OSX
Hello,
I am running a PIX 515 and I am having trouble getting the remote access VPN to work properly. I can connect to the PIX from an external source but...

Problems:
1. I notice the gateway or routes assigned to the VPN client do not exist. How can I set this or make it work properly?
2. I am unable to browse any internal network, and the only way I can access the internet is with Split-Tunneling enabled, which is not what I want as it just uses the remote client's internet.

What I want the VPN to do: allow VPN users full access to all internal network resources and have the VPN remote access client make use of the firewall's internet as opposed to its own.

Below I have posted my configuration for the PIX and the routes that I see on the client side. I will also note I am using OBSD SSH as a test for access from the VPN. Normally, without the VPN, access works fine.

PIX CONFIGURATION:
Code:
: PIX Version 7.2(1)
!
hostname firewall
domain-name firewall.com
enable password hjhVds8qp9x?q9hg4876 encrypted
names
!
interface Ethernet0
 nameif OUTSIDE
 security-level 0
 pppoe client vpdn group internet
 ip address pppoe setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.35.2 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 76henbdgr7,376oNARE encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
dns server-group DefaultDNS
 domain-name firewall.com
access-list OUTSIDE_access_in remark SSH TO OBSD STARTED
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq www log notifications
access-list VPN_splitTunnelAcl standard permit 192.168.35.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 10.200.50.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 10.200.51.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 10.200.52.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.35.0 255.255.255.0 10.200.53.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.200.50.0 255.255.255.0 10.200.53.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.200.51.0 255.255.255.0 10.200.53.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.200.52.0 255.255.255.0 10.200.53.0 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu inside 1500
ip local pool VPNPOOL 10.200.53.10-10.200.53.20 mask 255.255.255.0
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (OUTSIDE) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,OUTSIDE) tcp interface www 192.168.35.1 ssh netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
route inside 10.200.50.0 255.255.255.0 192.168.35.1 1
route inside 10.200.51.0 255.255.255.0 192.168.35.1 1
route inside 10.200.52.0 255.255.255.0 192.168.35.1 1
route inside 172.16.25.0 255.255.255.0 192.168.35.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPN internal
group-policy VPN attributes
 dns-server value 199.35.32.11
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
username user1 password HwKK8FJf7kptiidf87 encrypted privilege 0
username user1 attributes
 vpn-group-policy VPN
http server enable
http 192.168.35.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map OUTSIDE_dyn_map 20 set pfs
crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 20 set reverse-route
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
 address-pool VPNPOOL
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key ****
vpn-sessiondb max-session-limit 2
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group internet request dialout pppoe
vpdn group internet localname ***************
vpdn group internet ppp authentication pap
vpdn username ************ password *********
dhcpd address 192.168.35.3-192.168.35.254 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:42c5fd53f3fa15czze43933h0aucc9743
: end

VPN CLIENT INFO
Code:
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.200.53.1 10.200.53.10 1
10.200.53.0 255.255.255.0 10.200.53.10 10.200.53.10 20
10.200.53.10 255.255.255.255 127.0.0.1 127.0.0.1 20
10.255.255.255 255.255.255.255 10.200.53.10 10.200.53.10 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.25.0 255.255.255.0 172.16.25.30 172.16.25.30 20
172.16.25.0 255.255.255.0 10.200.53.1 10.200.53.10 20
172.16.25.2 255.255.255.255 172.16.25.30 172.16.25.30 1
172.16.25.30 255.255.255.255 127.0.0.1 127.0.0.1 20
172.16.255.255 255.255.255.255 172.16.25.30 172.16.25.30 20
199.10.20.12 255.255.255.255 172.16.25.2 172.16.25.30 1
224.0.0.0 240.0.0.0 10.200.53.10 10.200.53.10 20
224.0.0.0 240.0.0.0 172.16.25.30 172.16.25.30 20
255.255.255.255 255.255.255.255 10.200.53.10 2 1
255.255.255.255 255.255.255.255 10.200.53.10 10.200.53.10 1
255.255.255.255 255.255.255.255 172.16.25.30 172.16.25.30 1
Default Gateway: 10.200.53.1
===========================================================================
Code:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.200.53.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.200.53.1
DNS Servers . . . . . . . . . . . : 199.35.32.11
Anyway, your help would be greatly appreciated. :) Thanks!
Last edited by qwaven : 04-07-2008 at 07:24 PM.
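An added configuration audit, written for this thread and not part of the original post or of any Cisco tooling: it pulls the remote-access VPN pieces out of a constructed excerpt of the posted PIX 7.2 config and reports the three things that stand between it and the full-tunnel behaviour the poster wants. The checks assume PIX 7.x rules I am stating here rather than quoting from the thread: a NAT-exemption entry must cover the whole client pool, `tunnelspecified` with no network list tunnels nothing, and sending client internet traffic back out the same OUTSIDE interface (hairpinning) requires `same-security-traffic permit intra-interface` plus a `nat (OUTSIDE)` entry for the pool; the `corrected` helper applies exactly those assumed changes.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 7.2 configuration posted in the thread (only the
# lines the checks below look at); the rest of the running config is omitted.
PIX_CONFIG = """
ip local pool VPNPOOL 10.200.53.10-10.200.53.20 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.35.0 255.255.255.0 10.200.53.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.200.50.0 255.255.255.0 10.200.53.0 255.255.255.224
global (OUTSIDE) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
group-policy VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
"""

def audit_ra_vpn(config):
    """Return a list of findings about the remote-access VPN parts of a PIX 7.x config."""
    findings = []
    pool = re.search(r"ip local pool \S+ (\S+)-(\S+) mask", config)
    lo, hi = ipaddress.ip_address(pool.group(1)), ipaddress.ip_address(pool.group(2))
    # 1. Each NAT-exemption (nat 0) entry names the client pool as its destination;
    #    its mask must cover every pool address or some clients get NATed and lose access.
    for net, mask in re.findall(r"nat0_outbound extended permit ip \S+ \S+ (\S+) (\S+)", config):
        dst = ipaddress.ip_network(f"{net}/{mask}")
        if lo not in dst or hi not in dst:
            findings.append(f"nat0 exemption {dst} does not cover pool {lo}-{hi}")
    # 2. 'tunnelspecified' only tunnels networks in the named list; with the list set
    #    to none nothing is sent through the tunnel. A full tunnel wants 'tunnelall'.
    policy = re.search(r"split-tunnel-policy (\S+)", config)
    netlist = re.search(r"split-tunnel-network-list (\S+)", config)
    if policy and policy.group(1) == "tunnelspecified" and (netlist is None or netlist.group(1) == "none"):
        findings.append("split-tunnel-policy tunnelspecified with no network list")
    # 3. For clients to use the firewall's internet their traffic must enter and leave
    #    the OUTSIDE interface (hairpinning); PIX 7.x permits that only with the
    #    same-security-traffic command, and the pool needs its own NAT entry on OUTSIDE.
    if "same-security-traffic permit intra-interface" not in config:
        findings.append("missing 'same-security-traffic permit intra-interface'")
    if re.search(r"^nat \(OUTSIDE\) \d+ ", config, re.M) is None:
        findings.append("no nat (OUTSIDE) entry for the VPN pool")
    return findings

def corrected(config):
    """Apply the three changes the audit points at (assumed fix, not taken from the thread)."""
    fixed = config.replace("split-tunnel-policy tunnelspecified", "split-tunnel-policy tunnelall")
    return fixed + "same-security-traffic permit intra-interface\nnat (OUTSIDE) 101 10.200.53.0 255.255.255.0\n"
```

Running `audit_ra_vpn(PIX_CONFIG)` lists three findings for the posted config; the nat0 entries pass because 10.200.53.10-20 sits inside 10.200.53.0/27, and `audit_ra_vpn(corrected(PIX_CONFIG))` returns an empty list.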
#3 (permalink)
Registered User
Join Date: Nov 2007
Posts: 7
OS: OSX
Re: PIX 515 Remote Access VPN Connectivity
Hi thanks for replying.
I am not sure what you mean by "If you have 'Use Default Gateway On Remote Network' unchecked"; I see no option. Surely there is a way I can get the VPN to provide all necessary information rather than a HOSTS file. I don't want to have to rely on that should I not be connecting from the same PC or something. Please let me know :) Thanks
#4 (permalink)
Registered User
Re: PIX 515 Remote Access VPN Connectivity
Actually, in your case you need to make sure the Gateway Box is checked. Also, make sure that you are using DHCP and the computer is registered in the server DNS after the connection is established.
http://www.ithelpp.com/freesupport/vpn_gateway.htm
#5 (permalink)
Registered User
Join Date: Nov 2007
Posts: 7
OS: OSX
Re: PIX 515 Remote Access VPN Connectivity
Hi,
I'm using Cisco VPN, not Windows. Also, isn't there a way I can set up the PIX to not require an internal DNS server? Surely there is a way to specify the gateway, etc.? Is there any step-by-step guide relevant to my situation? Anyway, please let me know. Thanks