PIX Firewall not passing traffic

Doug_85
Regular Advisor

Clients (Cisco VPN software) are able to establish a connection to the PIX (501 Version 6.3), but no traffic is passing from the client to the LAN behind the PIX or vice versa.

Parts of the running-config are listed below:

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.240

ip local pool RemoteWorkers 192.168.2.1-192.168.2.10

global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp identity address
isakmp nat-traversal 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup TBCRemote address-pool RemoteWorkers
vpngroup TBCRemote dns-server 192.168.1.10 206.165.131.12
vpngroup TBCRemote wins-server 192.168.1.10
vpngroup TBCRemote default-domain corp.theboutetcompany.com
vpngroup TBCRemote idle-time 1800
vpngroup TBCRemote password ***********

Using the debug packet command, I can see encrypted packets are getting from the client to the PIX.

The Cisco client VPN software has a section for route details it receives from the PIX, but it does not seem to receive any routing information.

The LAN behind the PIX is 192.168.1.0 while the VPN clients get IPs on the 192.168.2.0 network.

The problem seems to be routing traffic from one network to the other…

Any suggestions,

Do
6 REPLIES
Jay Mia
Occasional Visitor

Re: PIX Firewall not passing traffic

Doug,

You need to take out the following from your pix config:

> isakmp enable inside

Let me know if this helps.

Jay Mia
Network Security Engineer.
Doug_85
Regular Advisor

Re: PIX Firewall not passing traffic

Jay,

I will go ahead and try your solution out this morning. I'll let you know if it solves my problem.

Thanks,
Doug
Doug_85
Regular Advisor

Re: PIX Firewall not passing traffic

Jay,

I took the line out, but it is still displaying the same symptoms.

Show route displays the following:

outside 0.0.0.0 0.0.0.0 24.237.0.1 1 DHCP static
outside 24.237.0.0 255.255.240.0 24.237.13.196 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static

I have added no routing information to the running config, is that the problem?

The Cisco VPN client software shows it is sending out its keep alive packets, but the client is not receiving anything.

Thanks,
D
Chip Barnett
Occasional Contributor

Re: PIX Firewall not passing traffic

Doug, what is the default gateway for the LAN behind the PIX? If it is not the PIX and there is a router or switch acting as the gateway there will need to be a route added for the VPN network (192.168.2.0) pointing to the PIX inside address.
Doug_85
Regular Advisor

Re: PIX Firewall not passing traffic

Jay,

The default gateway is 192.168.1.1.

Thanks,
Doug
Doug_85
Regular Advisor

Re: PIX Firewall not passing traffic

Jay,

Clarifications:

The RemoteWorkers ip pool has been modified to look like:

ip local pool RemoteWorkers 192.168.2.17-192.168.2.26 mask 255.255.255.240

All clients behind the PIX use a default gateway of 192.168.1.1 (the PIX inside address). The VPN client gets its own IP as the default gateway? This seems incorrect, but how do you change it?

Example from VPN client after a VPN connection established:

IP Address. . . . . . . . . . . . : 192.168.2.17
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 192.168.2.17

When viewing the Statistics (Tunnel Details tab):

Bytes
Received: 0
Sent: Always growing

Packets
Encrypted: Always growing
Decrypted: 0
Discarded: Always growing
Bypassed: 0

Transport
Transparent Tunneling: Inactive

I hope this helps clarify what is going on.

Thanks,
Doug
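A consistency check for the configuration quoted in this thread, added here as an example and not part of any post: it verifies that every address in the ip local pool falls inside the destination networks of the nat 0 exemption ACL and the dynamic crypto map ACL (192.168.2.0 255.255.255.240 covers .0-.15, so the revised pool .17-.26 is outside both). The config text is the thread's own lines reassembled; the function names are this example's.

```python
import ipaddress
import re

# Constructed sample: the pool and ACL lines quoted in this thread, with the
# revised pool line from the last reply.
PIX_CONFIG = """
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.240
ip local pool RemoteWorkers 192.168.2.17-192.168.2.26 mask 255.255.255.240
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
"""

def parse_pool(config):
    """Addresses handed out by 'ip local pool' (first-last, inclusive)."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    first, last = (int(ipaddress.IPv4Address(a)) for a in m.groups())
    return [ipaddress.IPv4Address(i) for i in range(first, last + 1)]

def parse_acl_destinations(config, acl_name):
    """Destination networks of the 'permit ip' entries of one ACL. PIX 6.x
    writes dotted netmasks, so the last two tokens are network and mask."""
    nets = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:4] == ["access-list", acl_name, "permit", "ip"]:
            nets.append(ipaddress.IPv4Network(f"{tokens[-2]}/{tokens[-1]}"))
    return nets

def uncovered_pool_addresses(config, acl_name):
    """Pool addresses that no destination entry of the ACL covers."""
    nets = parse_acl_destinations(config, acl_name)
    return [str(a) for a in parse_pool(config) if not any(a in n for n in nets)]

def check_vpn_config(config):
    """Map each ACL the config ties to the tunnel (nat 0 exemption and the
    dynamic crypto map's match address) to the pool addresses it misses."""
    acl_names = re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    acl_names += re.findall(r"^crypto dynamic-map \S+ \d+ match address (\S+)", config, re.M)
    return {name: uncovered_pool_addresses(config, name) for name in acl_names}

if __name__ == "__main__":
    for acl, missing in check_vpn_config(PIX_CONFIG).items():
        status = "OK" if not missing else f"misses {missing[0]}-{missing[-1]}"
        print(f"{acl}: {status}")
```

Inside-to-pool traffic for an address the nat 0 ACL does not cover is translated to the outside interface by the nat 1 rule instead of being exempted, which matches a client that encrypts and sends but never decrypts anything.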