VPN Terminates at the PIX. The problem ended up being that a few internal
hosts did not have their gateway set up...also...the mail server was a Team
Internet ( appliance )...and it refused to see any other gateway other than
itself...hmmm.
Anyway....we are providing a workaround for the remote user to get his
mail....but after adding a gateway ip and static route to the novell
server...it works. And the adtran TSU had no gateway also...

Thanks for your input though..

Cheers
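The resolution above comes down to the return path: the PIX delivers the VPN client's packet (192.168.2.x) onto the 192.168.1.0/24 segment, but a host with no default gateway, or with a gateway pointing at itself, has nowhere to send the reply. The following added example (not part of the original thread, and not Cisco or Team Internet code) models the hosts named in the post with the gateway settings the poster described, and also checks whether a flow matches the `nat (inside) 0 access-list 101` exemption from the quoted config. The VPN client address 192.168.2.5 and the per-host gateway values are constructed assumptions for illustration; it does not model the PIX's own inside interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Dict


@dataclass
class Host:
    """A LAN host as seen from the routing point of view (constructed model)."""
    name: str
    ip: str
    mask: str
    gateway: Optional[str]  # None = no default gateway configured at all

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.ip}/{self.mask}", strict=False)


def can_reply(host: Host, peer_ip: str) -> Tuple[bool, str]:
    """Decide whether `host` can route a reply back to `peer_ip`.

    Assumes the forward path already works (the PIX has put the VPN client's
    packet on the inside segment); the only question is the return route.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer in host.network:
        return True, "peer is on-link, no gateway needed"
    if host.gateway is None:
        return False, "no default gateway: off-subnet reply is dropped"
    gw = ipaddress.ip_address(host.gateway)
    if gw == ipaddress.ip_address(host.ip):
        return False, "gateway is the host itself: off-subnet reply goes nowhere"
    if gw not in host.network:
        return False, "gateway is not on-link: host cannot ARP for it"
    return True, f"reply forwarded via {host.gateway}"


# access-list 101 from the quoted config: permit ip 192.168.1.0/24 192.168.2.0/24
NAT0_ACL = (ipaddress.ip_network("192.168.1.0/24"),
            ipaddress.ip_network("192.168.2.0/24"))


def nat_exempt(host_ip: str, client_ip: str, acl=NAT0_ACL) -> bool:
    """True if the inside->client flow matches the nat 0 ACL, i.e. it is left
    untranslated and can be matched by the crypto map instead of being PAT'd
    to the global address (the point raised in Albert's reply)."""
    src, dst = acl
    return (ipaddress.ip_address(host_ip) in src
            and ipaddress.ip_address(client_ip) in dst)


PIX_INSIDE = "192.168.1.1"

# Hosts from the post; gateway settings are the ones the poster described
# (constructed to match the reported symptoms).
LAN_HOSTS = [
    Host("Server", "192.168.1.180", "255.255.255.0", PIX_INSIDE),
    Host("LAN Station", "192.168.1.10", "255.255.255.0", PIX_INSIDE),
    Host("Mail Server (appliance)", "192.168.1.2", "255.255.255.0", "192.168.1.2"),
    Host("CSU/DSU", "192.168.1.3", "255.255.255.0", None),
]


def reachability_report(vpn_client_ip: str, hosts=LAN_HOSTS) -> Dict[str, Tuple[bool, str]]:
    """For each host, report whether a ping from the VPN client gets answered.

    A host is reachable only if its traffic is NAT-exempt AND it can route
    the reply; the reason string says which condition failed.
    """
    report = {}
    for h in hosts:
        if not nat_exempt(h.ip, vpn_client_ip):
            report[h.name] = (False, "flow not in nat 0 ACL: reply is translated, not encrypted")
            continue
        report[h.name] = can_reply(h, vpn_client_ip)
    return report


if __name__ == "__main__":
    for name, (ok, why) in reachability_report("192.168.2.5").items():
        print(f"{'OK  ' if ok else 'FAIL'} {name:26s} {why}")
```

Running it reproduces the split the poster saw: the server and LAN station answer, while the mail appliance (gateway set to itself) and the CSU/DSU (no gateway) fail on the return path even though the nat 0 exemption and the crypto ACL are correct for all four. Setting a real gateway on the appliance and the TSU, or a static route for 192.168.2.0/24 via 192.168.1.1, is the change that flips them to OK.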
"Albert Lu" wrote in message news:[EMAIL PROTECTED]...
> Hi,
>
> You mentioned that you were doing static nat on the router, this could
> affect it if the vpn client terminates on the router. The ip addresses that
> you have statics for are translated to the global IP address, and don't go
> through your vpn, since the access-list in your crypto map doesn't identify
> it as traffic needing to be encrypted.
>
> Albert
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Dain Deutschman
> Sent: Saturday, February 08, 2003 3:49 AM
> To: [EMAIL PROTECTED]
> Subject: VPN Partial Connectivity [7:62639]
>
>
> Hi,
>
> When connecting a vpn via VPN Client 3.x I am able to ping only certain
> addresses...
> 192.168.1.180 Server
> 192.168.1.10 LAN Station
>
> But Not Others...
> 192.168.1.1 Inside Interface Of PIX
> 192.168.1.2 Mail Server
> 192.168.1.3 CSU/DSU management address
>
> I have a vpn setup as follows:
>
> Vpn Client--INTERNET--1721Router--PIX--LAN
>
> *The 1721 router is doing static nat to the outside interface of the pix.
> The vpn terminates at the pix.
>
> *I'm using vpngroup to assign ip info to the client.
>
> * The LAN ip scheme is 192.168.1.0/24 where the first 9 addresses are left
> out of the local dhcp pool
>
> *The vpn client is getting assigned from local-pool range 192.168.2.1-50
>
> *I have a route on the pix "route inside 192.168.2.0 255.255.255.0
> 192.168.1.1
>
> *The inside interface of the pix is 192.168.1.1
>
> Here is my config...
>
> PIX(config)# wr t
> Building configuration...
> : Saved
> :
> PIX Version 6.2(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password encrypted
> passwd encrypted
> hostname PIX
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> pager lines 24
> interface ethernet0 10baset
> interface ethernet1 10baset
> mtu outside 1500
> mtu inside 1500
> ip address outside 172.16.2.2 255.255.255.240
> ip address inside 192.168.1.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool NEWMEX 192.168.2.1-192.168.2.50
> pdm history enable
> arp timeout 14400
> global (outside) 1 172.16.2.3
> nat (inside) 0 access-list 101
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> conduit permit icmp any any echo-reply
> conduit permit icmp any any echo
> route outside 0.0.0.0 0.0.0.0 172.16.2.1 1
> route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> no sysopt route dnat
> crypto ipsec transform-set myset esp-3des esp-sha-hmac
> crypto dynamic-map dynmap 10 set transform-set myset
> crypto map mymap 1 ipsec-isakmp dynamic dynmap
> crypto map mymap interface outside
> isakmp enable outside
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash sha
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> vpngroup vpn address-pool NEWMEX
> vpngroup vpn dns-server x.x.x.y x.x.x.z
> vpngroup vpn default-domain domain.com
> vpngroup vpn split-tunnel 101
> vpngroup vpn idle-time 1800
> vpngroup vpn password
> telnet timeout 5
> ssh timeout 5
> dhcpd address 192.168.1.10-192.168.1.42 inside
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd enable inside
> terminal width 80
> Cryptochecksum:a71ebfc24ae
>
> Any ideas?? I'm sort of stumped at this point. Thanks!
>
> --
> Dain Deutschman
> CCNP, CSS-1, CCNA, MCP, CNA
> Data Communications Manager

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62773&t=62639