Firewall Wizards mailing list archives
(no subject)
From: "Spearman, William CONT (FISC YOKO)" <William_W_Spearman () yoko fisc navy mil>
Date: Fri, 8 Jul 2005 08:15:04 +0900
Wizards,

Sorry about the last post. Here it is (I hope) in plain text: (Thanks again Paul!)

I have a laptop running the subject VPN Client. I have a PIX 515E running in stateful failover mode with a VAC. I attempted to replace the VAC with a VAC+, and not having a brain in my head on a late Saturday night, I just pulled open the PIX and switched the cards. The remote access users then began to call.

I've been working on this problem for a week and am at my wits' end. I do keep good notes, and so reconfigured the VPN with exactly the same command set I had used originally with no success.

Here is a copy of the (sanitized) relevant portions of the PIX configuration:

ip address outside 12.34.56.78 255.255.255.X
ip address inside 34.45.56.67 255.255.255.X

#Note: The IP networks for access-list "split" and access-list "nonat_inside" are the same
access-list split permit ip 192.168.XX.0 255.255.255.0 192.168.X1.0 255.255.255.0
access-list nonat_inside permit ip 192.168.XX.0 255.255.255.0 192.168.X1.0 255.255.255.0

Note: Local pool "vpnpool1" includes addresses from the same subnet as configured in the access-lists above
ip local pool vpnpool1 192.168.X1.X-192.168.X1.X

nat (inside) 0 access-list nonat_inside

route outside 0.0.0.0 0.0.0.0 12.34.56.79 1
Many routing statements .......
route inside 192.168.X1.X 255.255.X.X 34.45.56.68 1
More Routing Statements .........

sysopt connection permit-ipsec
crypto ipsec transform-set standard esp-3des esp-md5-hmac
crypto dynamic-map clientvpn 10 set transform-set standard
crypto map map1 10 ipsec-isakmp dynamic clientvpn
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 5000
vpngroup GroupName address-pool vpnpool1
vpngroup GroupName dns-server domain-controller
vpngroup GroupName wins-server domain-controller
vpngroup GroupName default-domain domain.name
vpngroup GroupName split-tunnel split
vpngroup GroupName idle-time 1800
vpngroup GroupName password ********
username someuser password somepassword encrypted privilege 2

I get good ISAKMP packet trades, good DPD packets, actually a good connection to the VPN from the remote (as seen in the debug crypto ipsec and isakmp output on the PIX). All indications from the client log are that everything is copasetic. Then I look at the syslog output and see:

%PIX-6-302013: Built inbound TCP connection 3062304 for outside:192.168.X1.X/2728 (192.168.X1.X/2728) to inside:192.168.X2.X/22 (192.168.X2.X/22)
Jul 8 08:08:57 172.16.1.1 Jul 08 2005 08:08:57 boukap : %PIX-3-106011: Deny inbound (No xlate) tcp src outside:192.168.X2.X/22 dst outside:192.168.X1.X/2728

The first packet is the SYN, the second says "no xlate tcp src outside dst outside"??? The first IP is the internal address and the second is the VPN Client address. It looks like the VPN is initialized, but the packets from the client are being sent OUTSIDE the pipe! AAAHHHHH!

What am I missing here? Thoughts, suggestions, more info required?

Arigato Gozaimasu

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
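The pair of syslog lines quoted in the post (a 302013 "Built inbound TCP connection" followed by a 106011 "Deny inbound (No xlate)" for the reply packet, with both endpoints now classified on the outside interface) is a pattern worth pulling out of a PIX log automatically when troubleshooting this kind of VPN problem. The script below is an added example, not part of the original post or any Cisco tool: it parses those two message formats, correlates each deny with the connection it is a reply to, and reports when the server side of the flow was seen on a different interface at build time than at reply time. The IP addresses and the log lines in SAMPLE_LINES are constructed placeholders modelled on the post's sanitized output.

```python
"""
Correlate Cisco PIX syslog 302013 (connection built) and 106011 (deny, no xlate)
messages to find return traffic dropped for a connection the firewall itself
built moments earlier. Message layouts follow the two lines quoted in the post;
the addresses below are constructed placeholders, not real hosts.
"""
import re
from typing import Dict, List, Tuple

# "%PIX-6-302013: Built inbound TCP connection <id> for <if>:<ip>/<port> (<ip>/<port>)
#  to <if>:<ip>/<port> (<ip>/<port>)"
BUILT_RE = re.compile(
    r"%PIX-6-302013: Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection "
    r"(?P<conn_id>\d+) for (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\([\d.]+/\d+\) to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\)"
)
# "%PIX-3-106011: Deny inbound (No xlate) tcp src <if>:<ip>/<port> dst <if>:<ip>/<port>"
DENY_RE = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

FlowKey = Tuple[str, str, str, str]  # (src_ip, src_port, dst_ip, dst_port)

# Constructed sample log, shaped like the post's output (192.168.11.5 plays the
# VPN client from the pool, 192.168.12.9 the internal SSH server).
SAMPLE_LINES = [
    "%PIX-6-302013: Built inbound TCP connection 3062304 for outside:192.168.11.5/2728 "
    "(192.168.11.5/2728) to inside:192.168.12.9/22 (192.168.12.9/22)",
    "Jul  8 08:08:57 172.16.1.1 Jul 08 2005 08:08:57 pixhost : %PIX-3-106011: Deny inbound "
    "(No xlate) tcp src outside:192.168.12.9/22 dst outside:192.168.11.5/2728",
    # A deny with no matching built connection: reported nowhere, it is just noise here.
    "%PIX-3-106011: Deny inbound (No xlate) tcp src outside:10.9.9.9/80 dst outside:10.8.8.8/4000",
]


def correlate(lines: List[str]) -> List[dict]:
    """Return one finding per 106011 deny that is the reply leg of a 302013 connection."""
    built: Dict[FlowKey, dict] = {}
    findings: List[dict] = []
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            d = m.groupdict()
            built[(d["src_ip"], d["src_port"], d["dst_ip"], d["dst_port"])] = d
            continue
        m = DENY_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        # The denied packet is the reply, so its source is the original destination.
        reverse_key = (d["dst_ip"], d["dst_port"], d["src_ip"], d["src_port"])
        orig = built.get(reverse_key)
        if orig is None:
            continue
        findings.append({
            "conn_id": orig["conn_id"],
            "client": f'{orig["src_ip"]}/{orig["src_port"]}',
            "server": f'{orig["dst_ip"]}/{orig["dst_port"]}',
            "server_if_on_build": orig["dst_if"],   # where the PIX placed the server at SYN time
            "server_if_on_reply": d["src_if"],      # where it placed the server's reply
            "same_interface": d["src_if"] == d["dst_if"],
        })
    return findings


def describe(finding: dict) -> str:
    """Human-readable one-liner for a finding."""
    msg = (f'conn {finding["conn_id"]}: reply from {finding["server"]} to '
           f'{finding["client"]} denied; server was on "{finding["server_if_on_build"]}" '
           f'when built but on "{finding["server_if_on_reply"]}" when it replied')
    if finding["same_interface"]:
        msg += " (both endpoints now on the same interface: check routes/xlate for the VPN pool)"
    return msg


if __name__ == "__main__":
    for f in correlate(SAMPLE_LINES):
        print(describe(f))
```

Feed it a real `show logging` capture or syslog file one line at a time; a finding whose `server_if_on_build` and `server_if_on_reply` differ is the fingerprint of the symptom in the post, and the interface named in `server_if_on_reply` is the one whose routing and NAT treatment of the pool subnet to review first.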
Current thread:
- (no subject) Spearman, William CONT (FISC YOKO) (Jul 07)
- RE: (no subject) Ben Nagy (Jul 08)