Cisco PIX help

BDillon21
Regular Member
Posts: 197
Joined: Mon Mar 19, 2001 12:00 am


Post by BDillon21 »

Hello all,

I have a Cisco PIX 501 firewall with 3DES set up at a location that I VPN to via Cisco VPN Client 3.5.1.
I can connect to the site just fine, even remotely control desktops via pcAnywhere, but what I can't do is use the Internet from the VPN client machine.
First, let me tell you about my skill level... basically I have none. I've never been to a Cisco class, never read a Cisco book, nothing. I have somehow managed to set up a site-to-site VPN and a site-to-VPN-client VPN fairly easily. I have been using the PDM (integrated web server) interface from day one. At this point I don't care to learn the CLI interface at all. I sometimes support this thing over the phone (the PIX is about 1.5 hours away from me now) and have found that the PDM is hands down the easiest way to walk someone through troubleshooting. Anyway, the reason I bring this up is so you all will understand I'm trying my best to make this work. So just keep in mind when you give advice that I'm still a newbie :(

With that said, here is a screenshot of my error log:
[screenshot of the PIX error log]

It looks like the damn thing is not letting my DNS requests through. The 10.0.0.0 IP pool is my VPN pool and the other IPs you see are my external DNS servers (there are no internal servers on this network). It's boggling my mind because I used the VPN wizard to set this up. One would figure it would automatically configure the thing to allow that sort of traffic (and yes, I did give the IPs of the DNS servers when it asked for them).

Anyone have any ideas? I can post more info or screenshots if needed.

Thanks in advance.
Addict
Posts: 390
Joined: Wed Jan 21, 2004 10:37 pm
Location: Ohio

Post by Addict »

Sorry for the late reply. Can you post up a config? Make sure you smudge out the password part. Even though it's "encrypted", it can still be cracked. ;)

File->Show Running Config in New Window
Copy & paste that
BDillon21
Regular Member
Posts: 197
Joined: Mon Mar 19, 2001 12:00 am

Post by BDillon21 »

Sorry it took so long. Here is a copy of my config:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable (deleted for security reasons)
passwd (deleted for security reasons)
hostname cuid
domain-name ciscopix.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 172.16.2.0 ESP_Tunnel
access-list inside_outbound_nat0_acl permit ip any 10.0.0.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 172.16.58.0 255.255.255.0 ESP_Tunnel 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip any 10.0.0.0 255.255.255.224
access-list outside_access_in permit ip 10.0.0.0 255.255.255.224 any
access-list outside_cryptomap_50 permit ip 172.16.58.0 255.255.255.0 ESP_Tunnel 255.255.255.0
access-list inside_access_in permit ip 172.16.58.0 255.255.255.0 ESP_Tunnel 255.255.255.0
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging trap warnings
logging host (outside ip deleted for security)
interface ethernet0 10baset
interface ethernet1 10full
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside (ip deleted for security) 255.255.255.0
ip address inside 172.16.58.251 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool oifcu_pool 10.0.0.1-10.0.0.25
pdm location 172.16.58.0 255.255.255.0 inside
pdm location (ip deleted for security) 255.255.255.0 outside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location 10.0.0.0 255.0.0.0 outside
pdm location ESP_Tunnel 255.255.255.0 outside
pdm location (ip deleted for security) 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 (ip deleted for security) 1
route outside 10.0.0.0 255.255.255.0 64.65.143.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http (ip deleted for security) 255.255.255.0 outside
http 10.0.0.0 255.255.255.0 outside
http 172.16.58.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set fireesp esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 50 ipsec-isakmp
crypto map outside_map 50 match address outside_cryptomap_50
crypto map outside_map 50 set peer (ip deleted for security)
crypto map outside_map 50 set transform-set fireesp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map oimainmap 10 ipsec-isakmp
isakmp enable outside
isakmp key ******** address (IP deleted)
netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 60 60
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 1
isakmp policy 50 lifetime 1000
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption 3des
isakmp policy 70 hash md5
isakmp policy 70 group 1
isakmp policy 70 lifetime 86400
vpngroup oifcu address-pool oifcu_pool
vpngroup oifcu dns-server (DNS IPs deleted)
vpngroup oifcu split-tunnel outside_cryptomap_dyn_10
vpngroup oifcu idle-time 1800
vpngroup oifcu password ********
telnet 10.0.0.0 255.0.0.0 outside
telnet 10.0.0.0 255.255.255.0 outside
telnet 172.16.58.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 outside
ssh 10.0.0.0 255.0.0.0 outside
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local oifcu_pool
vpdn group PPTP-VPDN-GROUP client configuration dns (VPN DNS IPs deleted)
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username brendan password ********
vpdn enable outside
dhcpd address 172.16.58.30-172.16.58.40 inside
dhcpd dns (DHCP DNS IPs deleted)
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

Any ideas?
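An added example, not part of the thread or of any Cisco tool: a small linter for a PIX 6.x running-config that checks the one setting most likely to produce exactly this symptom, plus a few weak settings visible in the posted config. The point it tests: `vpngroup ... split-tunnel` names an ACL whose *source* addresses are what the PIX hands the client as the networks to tunnel. The PDM wizard's dynamic crypto-map ACL is `permit ip any <pool>`, and reusing it as the split-tunnel list (as the config above does) sends the client `any`, so every packet, DNS included, is tunnelled to the PIX and would have to be sent back out the outside interface, which a PIX running 6.x will not do (hairpinning on one interface only arrived with `same-security-traffic permit intra-interface` in 7.0). A split-tunnel ACL with the inside LAN as source, e.g. `access-list split permit ip 172.16.58.0 255.255.255.0 10.0.0.0 255.255.255.224` with `vpngroup oifcu split-tunnel split`, is the usual fix. The config text inside the script is a constructed excerpt modelled on the posted one, not the poster's full config, and the function names are this example's own.

```python
"""Lint a PIX 6.x running-config (added example; not a Cisco tool).

Checks:
  * split-tunnel ACLs whose source is 'any' (client tunnels everything,
    so DNS/Internet from the VPN client never leaves the PIX on 6.x)
  * a handful of weak or exposed settings seen in real-world configs
"""
import re

# Constructed excerpt modelled on the config posted in the thread.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_dyn_10 permit ip any 10.0.0.0 255.255.255.224
access-list inside_split permit ip 172.16.58.0 255.255.255.0 10.0.0.0 255.255.255.224
snmp-server community public
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
isakmp policy 50 encryption 3des
isakmp policy 50 group 1
vpngroup oifcu address-pool oifcu_pool
vpngroup oifcu split-tunnel outside_cryptomap_dyn_10
telnet 10.0.0.0 255.0.0.0 outside
vpdn group PPTP-VPDN-GROUP ppp authentication pap
"""

ANY = ("0.0.0.0", "0.0.0.0")


def _addr(tokens, i):
    """Parse one ACL address term starting at tokens[i].

    Returns ((address, mask), index_of_next_token)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "255.255.255.255"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acls(config):
    """Map ACL name -> list of (src, dst) for 'permit ip' entries only."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue
        src, i = _addr(t, 4)
        if i >= len(t):          # malformed entry, no destination term
            continue
        dst, _ = _addr(t, i)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def split_tunnel_findings(config):
    """Flag vpngroups whose split-tunnel ACL has 'any' as source."""
    acls = parse_acls(config)
    findings = []
    for line in config.splitlines():
        t = line.split()
        if len(t) == 4 and t[0] == "vpngroup" and t[2] == "split-tunnel":
            group, acl = t[1], t[3]
            if any(src == ANY for src, _ in acls.get(acl, [])):
                findings.append(
                    f"vpngroup {group}: split-tunnel ACL {acl} has source "
                    f"'any'; client will tunnel all traffic (no split tunnel)"
                )
    return findings


# (pattern, reason) pairs; patterns are anchored to one config line.
WEAK_PATTERNS = [
    (re.compile(r"^snmp-server community (public|private)$"),
     "default SNMP community string"),
    (re.compile(r"^crypto ipsec transform-set \S+ .*\besp-des\b"),
     "single-DES IPsec transform-set"),
    (re.compile(r"^isakmp policy \d+ group 1$"),
     "Diffie-Hellman group 1 (768-bit)"),
    (re.compile(r"^(telnet|http|ssh) \S+ \S+ outside$"),
     "management access permitted from the outside interface"),
    (re.compile(r"^vpdn group \S+ ppp authentication pap$"),
     "PPTP PAP authentication (cleartext password)"),
]


def weak_settings(config):
    """Return (line, reason) for every config line matching a weak pattern."""
    hits = []
    for line in config.splitlines():
        for pat, reason in WEAK_PATTERNS:
            if pat.search(line):
                hits.append((line, reason))
    return hits


if __name__ == "__main__":
    for f in split_tunnel_findings(SAMPLE_CONFIG):
        print("SPLIT-TUNNEL:", f)
    for line, reason in weak_settings(SAMPLE_CONFIG):
        print(f"WEAK: {reason}: {line}")
```

Run it against your own `show running-config` output (with secrets removed) by replacing `SAMPLE_CONFIG`; the ACL parser only understands `permit ip` entries, which is all the split-tunnel check needs.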
DaFonTe

Post by DaFonTe »

You already have what you need to do this, it should already work:

access-list outside_cryptomap_dyn_10 permit ip any 10.0.0.0 255.255.255.224

vpngroup oifcu split-tunnel outside_cryptomap_dyn_10