In your config below, the VPN client is being assigned an address that is on
a different subnet than the inside interface of the PIX, and there is no sign
of a router on that subnet (no default inside route to a router).

BTW, you may want to get rid of the conduit permit any any!

Chris

"Anh Lam" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Can someone in this group help me with this problem?
>
> I am trying to set up VPN connections for remote users (people
> who use laptops on the road or people who are on their
> own corporate network) to connect to my home network using
> IPSec.  I am using a PIX515-UR Firewall at my home network.
> The external IP address (outside) of the PIX is 66.61.46.240
> while the internal IP address (inside) of the PIX is 172.16.1.254.
>
> On the PIX, I also set up an IP pool so that the PIX will assign
> IP addresses to remote clients when they connect to my home
> network.  This IP pool has an IP range of 172.16.2.1-172.16.2.254.
>
> On the client side, everyone is running Cisco VPN client
> software version 3.0.6.rel2-k9 which I downloaded from the Cisco
> website.  The clients are running either WinNT 4.0 workstation,
> or Win2k Professional or RedHat Linux 7.1 with kernel 2.4.10.
>
> When a client attempts to make a VPN connection to the PIX
> (66.61.46.240), the connection is successful and the client is
> also assigned an IP address of 172.16.2.1.  So what is the problem,
> you ask?  Well, even though the client is successfully authenticated
> to my home network, he/she can NOT ping any of the devices in the
> 172.16.1.0/24 network.  From the client, I can see the packet gets
> encrypted before sending out but nothing comes back (the counter
> of packets decrypted on the client is zero).  Rebooting the PIX
> several times did not resolve the situation either.
>
> At this point, I decided to replace the PIX515 with a PIX520
> with the exact configuration.  With the PIX520, everything WORKS.
> Client can access devices on the 172.16.1.0/24 network.
> I am running the same PIX IOS code on both the 515 and 520.  Am
> I missing something in the PIX515?  I thought since I am running the
> Un-Restricted (UR) license, VPN is supported.  Below is the
> configuration of the PIX515.  Please help.
>
> Thanks.
> Anh
>
> ciscopix#sh ver
>
> Cisco PIX Firewall Version 6.1(1)
> Cisco PIX Device Manager Version 1.0(2)
>
> Compiled on Tue 11-Sep-01 07:45 by morlee
>
> ciscopix up 9 hours 37 mins
>
> Hardware:   PIX-515, 96 MB RAM, CPU Pentium 200 MHz
> Flash i28F640J5 @ 0x300, 16MB
> BIOS Flash AT29C257 @ 0xfffd8000, 32KB
>
> 0: ethernet0: address is 0050.54ff.7a24, irq 10
> 1: ethernet1: address is 0050.54ff.7a25, irq 7
> 2: ethernet2: address is 00aa.00bc.ba87, irq 11
>
> Licensed Features:
> Failover:       Enabled
> VPN-DES:        Enabled
> VPN-3DES:       Disabled
> Maximum Interfaces:     6
> Cut-through Proxy:      Enabled
> Guards:         Enabled
> Websense:       Enabled
> Inside Hosts:   Unlimited
> Throughput:     Unlimited
> ISAKMP peers:   Unlimited
>
> ciscopix# wr t
> Building configuration...
> : Saved
> :
> PIX Version 6.1(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security99
> enable password xxxxxxx encrypted
> passwd xxxxxxxxx encrypted
> hostname ciscopix
> domain-name micronet.com
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> no names
> access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
> access-list 101 permit ip host 66.61.46.240 172.16.2.0 255.255.255.0
> access-list 80 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
> pager lines 24
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 100full shutdown
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> ip address outside 66.61.46.240 255.255.248.0
> ip address inside 172.16.1.254 255.255.255.0
> ip address dmz 127.0.0.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool ippool 172.16.2.1-172.16.2.254
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
> failover ip address dmz 0.0.0.0
> pdm location 164.109.0.0 255.255.0.0 outside
> pdm location 172.16.1.0 255.255.255.0 inside
> pdm history enable
> arp timeout 14400
> nat (inside) 0 access-list 101
> conduit permit ip any any
> route outside 0.0.0.0 0.0.0.0 66.61.40.1 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> http 172.16.1.0 255.255.255.0 inside
> http 172.16.1.0 255.255.255.0 dmz
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> no sysopt route dnat
> auth-prompt prompt prompt
> crypto ipsec transform-set myset esp-des esp-md5-hmac
> crypto dynamic-map dynmap 10 set transform-set myset
> crypto map mymap 10 ipsec-isakmp dynamic dynmap
> crypto map mymap interface outside
> isakmp enable outside
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption des
> isakmp policy 20 hash md5
> isakmp policy 20 group 1
> isakmp policy 20 lifetime 86400
> vpngroup vpn3000 address-pool ippool
> vpngroup vpn3000 dns-server 24.28.192.64
> vpngroup vpn3000 default-domain micronet.com
> vpngroup vpn3000 split-tunnel 80
> vpngroup vpn3000 idle-time 18000
> vpngroup vpn3000 password ********
> telnet 172.16.1.0 255.255.255.0 inside
> telnet timeout 5
> ssh 206.173.0.0 255.255.0.0 outside
> ssh 172.16.1.0 255.255.255.0 dmz
> ssh timeout 5
> terminal width 80
> Cryptochecksum:3def8b1379394ad2a3ef1b3909576fea
> : end
> [OK]
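The two points in the reply (a client pool that is not on the inside subnet, and the `conduit permit ip any any`) can be checked mechanically against the posted config. The script below is an added example, not code from the thread or from Cisco: it parses only the statement forms that appear in the quoted configuration (ACL entries using the `host` keyword are skipped), the `PIX_CONFIG` excerpt is reconstructed from the post, and the `FIXED_CONFIG` variant, with the pool carved out of 172.16.1.0/24 and the conduit removed, is a constructed illustration of what a clean run looks like, not a fix that was tested on the poster's PIX.

```python
"""Lint a PIX 6.x text config for the two problems raised in the reply:
a VPN client pool that is not on the inside subnet, and a wide-open conduit.
Added example, not Cisco code or a real PIX tool."""
import ipaddress
import re

# Excerpt constructed from the configuration quoted in the thread.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
ip address outside 66.61.46.240 255.255.248.0
ip address inside 172.16.1.254 255.255.255.0
ip local pool ippool 172.16.2.1-172.16.2.254
nat (inside) 0 access-list 101
conduit permit ip any any
route outside 0.0.0.0 0.0.0.0 66.61.40.1 1
"""

# Constructed variant (hypothetical, not from the thread): pool carved out of
# the inside subnet, nat 0 exemption narrowed to that range, conduit removed.
FIXED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.1.192 255.255.255.192
ip address outside 66.61.46.240 255.255.248.0
ip address inside 172.16.1.254 255.255.255.0
ip local pool ippool 172.16.1.200-172.16.1.250
nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 66.61.40.1 1
"""


def net(addr, mask):
    """Build a network from PIX 'address mask' notation (0.0.0.0 0.0.0.0 is the default route)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(text):
    """Extract only the statements the checks need; everything else is ignored
    (including ACL entries with the 'host' keyword, which this toy parser skips)."""
    cfg = {"interfaces": {}, "pools": {}, "routes": [], "acls": {}, "nat0": {}, "conduits": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip address (\S+) (\S+) (\S+)", line):
            name, addr, mask = m.groups()
            cfg["interfaces"][name] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif m := re.fullmatch(r"ip local pool (\S+) (\S+)-(\S+)", line):
            name, first, last = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := re.fullmatch(r"route (\S+) (\S+) (\S+) (\S+)(?: \d+)?", line):
            iface, addr, mask, gw = m.groups()
            cfg["routes"].append((iface, net(addr, mask), ipaddress.ip_address(gw)))
        elif m := re.fullmatch(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            name, s, sm, d, dm = m.groups()
            cfg["acls"].setdefault(name, []).append((net(s, sm), net(d, dm)))
        elif m := re.fullmatch(r"nat \((\S+)\) 0 access-list (\S+)", line):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif line.startswith("conduit "):
            cfg["conduits"].append(line)
    return cfg


def lint(cfg, inside="inside"):
    """Return (severity, message) findings; an empty list means the checks pass."""
    findings = []
    inside_if = cfg["interfaces"][inside]
    inside_net = inside_if.network
    exempt = cfg["acls"].get(cfg["nat0"].get(inside), [])

    for name, (first, last) in cfg["pools"].items():
        # 1. Pool off the inside subnet: replies from inside hosts need a route
        #    back to the pool. A pool inside the subnet needs no host-side route.
        if not (first in inside_net and last in inside_net):
            msg = (f"pool {name} ({first}-{last}) is not within {inside_net}; inside hosts "
                   f"need a route for it via {inside_if.ip}")
            if not any(r[0] == inside for r in cfg["routes"]):
                msg += " and no 'route inside' points at a router that could carry it"
            findings.append(("high", msg))
        # 2. The nat 0 exemption must cover inside -> every pool address,
        #    otherwise replies to VPN clients get translated on the way out.
        pool_nets = ipaddress.summarize_address_range(first, last)
        if not all(any(inside_net.subnet_of(s) and p.subnet_of(d) for s, d in exempt)
                   for p in pool_nets):
            findings.append(("medium", f"nat 0 access-list does not exempt {inside_net} -> pool {name}"))

    # 3. The reply's other point: a conduit permitting everything from outside.
    for c in cfg["conduits"]:
        if re.fullmatch(r"conduit permit (ip|tcp|udp) any any", c):
            findings.append(("critical", f"'{c}' lets any outside host reach any inside host; remove it"))
    return findings


def severities(text):
    """Sorted severities of the findings for a config text."""
    return sorted(sev for sev, _ in lint(parse_pix(text)))


if __name__ == "__main__":
    for label, text in (("as posted", PIX_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"== {label} ==")
        for sev, msg in lint(parse_pix(text)) or [("ok", "no findings")]:
            print(f"[{sev}] {msg}")
```

Run it as-is and the posted config yields a high finding for the pool and a critical one for the conduit; the constructed variant yields none. Dropping the `nat (inside) 0` line from either config produces the medium finding, which is the third thing worth checking on a PIX that terminates VPN clients, even though it is not the fault the thread is about.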




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=23738&t=23695