
Cisco Pix 501 Config Hell..p!

  • 17-10-2007 9:40pm
    #1
    Registered Users Posts: 358 ✭✭


    Folks,

    I simply need to config a Pix 501 to allow remote VPN connections with split tunnelling enabled so that the remote workers can still access their local LAN.

    The problem is although I can create the VPN connection, I cannot ping remote machines and therefore cannot remote desktop to these machines. When I make a slight change to the config, I might be able to access the remote network, but not the local network. I really haven't a clue what I am doing and I am going around in circles! I can use the PDM and the terminal. I tried the VPN wizard in the PDM and that is what I am working from.

    I'm sure I am missing something simple..

    Please help me :o
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list LVPN_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.192
    access-list outside_cryptomap_dyn_20 permit ip any 10.1.1.0 255.255.255.192
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPNPOOL 10.1.1.1-10.1.1.50
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list LVPN_splitTunnelAcl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup LVPN address-pool VPNPOOL
    vpngroup LVPN dns-server 10.0.0.20
    vpngroup LVPN wins-server 10.0.0.20
    vpngroup LVPN split-tunnel LVPN_splitTunnelAcl
    vpngroup LVPN idle-time 1800
    vpngroup LVPN password ********
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    


Comments

  • Registered Users Posts: 8,813 ✭✭✭BaconZombie


    Is your external host name really .CISCOPIX.COM?


  • Registered Users Posts: 358 ✭✭Philbert


    BOFH_139 wrote: »
    Is your external host name really .CISCOPIX.COM?
    It's not, but I didn't think that would make a difference?


  • Registered Users Posts: 8,813 ✭✭✭BaconZombie


    Philbert wrote: »
    It's not, but I didn't think that would make a difference?

    That's the first thing you should change. Do you have a DNS name or are you just using an IP?


  • Registered Users Posts: 4,148 ✭✭✭_CreeD_


    First up, split tunneling is a very bad idea if they are internet connected. You degrade your perimeter security to that of their PC rather than that nice corporate class firewall you're relying on. If you wouldn't trust their software firewall to guard your network then don't let them split-tunnel.
    Don't worry about the hostname or domain, you should be using the IP on your clients anyway (having a DNS name registered, besides being unnecessary, is a security liability; the less info. you give away about your internet gateway the better).
    You may have excluded these deliberately but I don't see any explicit routes defined. Your outside interface is taking its default gateway from DHCP, as is easiest, so if you haven't already you need to define static routes to your internal subnets (for example you have a WINS at 10.0.0.20). If you use an internal router make sure it has a route to 10.1.1.0/24 through your PIX.
    Also enable your VPN clients to bypass your Outside access-list ("sysopt connection permit-ipsec"). If you don't then, besides anything else, the system will block any return ICMP traffic. You can define explicit access rules that could include remote access and safe ICMP return messages, but with your experience level (no offense) that would be a bad idea.
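The three points above (split tunnelling, routes to the internal servers the VPN group hands out, and sysopt connection permit-ipsec) can be checked mechanically against a PIX 6.3 running-config. The following is an added example written for this thread, not code from the poster or from Cisco: a small Python lint that parses the statements the posted config contains, reports each finding, and also lists access-lists that are defined but never referenced (the config above has one). The "fixed" variant, the internal router at 192.168.1.254 and the 10.0.0.0/24 route it adds are constructed assumptions for illustration only.

```python
"""Audit a PIX 6.3 config for the points raised in the thread (added example)."""
import ipaddress

# Lines taken from the config posted in the thread, trimmed to the
# statements this audit looks at.
POSTED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list LVPN_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 10.1.1.0 255.255.255.192
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip local pool VPNPOOL 10.1.1.1-10.1.1.50
nat (inside) 0 access-list LVPN_splitTunnelAcl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
vpngroup LVPN address-pool VPNPOOL
vpngroup LVPN dns-server 10.0.0.20
vpngroup LVPN wins-server 10.0.0.20
vpngroup LVPN split-tunnel LVPN_splitTunnelAcl
"""

# Constructed variant (assumption, not from the thread): split tunnelling
# removed and a static route to 10.0.0.0/24 via a hypothetical internal
# router at 192.168.1.254 added.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "vpngroup LVPN split-tunnel LVPN_splitTunnelAcl\n", ""
) + "route inside 10.0.0.0 255.255.255.0 192.168.1.254 1\n"


def parse_pix(text):
    """Extract the statements the audit needs into plain Python structures."""
    cfg = {"connected": [], "routes": [], "servers": [], "acls": set(),
           "acl_refs": set(), "split_tunnel": [], "permit_ipsec": False}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        # ip address <if> <addr> <mask>: a directly connected subnet
        # (ip address <if> dhcp ... carries no subnet, so it is skipped)
        if tok[:2] == ["ip", "address"] and len(tok) >= 5 and tok[3] != "dhcp":
            cfg["connected"].append(ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False))
        # route <if> <net> <mask> <gateway> [metric]: a static route
        elif tok[0] == "route" and len(tok) >= 5:
            cfg["routes"].append(ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False))
        # vpngroup <name> dns-server|wins-server <addr>, vpngroup <name> split-tunnel <acl>
        elif tok[0] == "vpngroup" and len(tok) >= 4:
            if tok[2] in ("dns-server", "wins-server"):
                cfg["servers"].append((tok[1], tok[2], ipaddress.ip_address(tok[3])))
            elif tok[2] == "split-tunnel":
                cfg["split_tunnel"].append((tok[1], tok[3]))
                cfg["acl_refs"].add(tok[3])
        elif tok[0] == "access-list" and len(tok) >= 2:
            cfg["acls"].add(tok[1])
        # nat (<if>) 0 access-list <acl> references an ACL
        elif tok[0] == "nat" and "access-list" in tok:
            cfg["acl_refs"].add(tok[tok.index("access-list") + 1])
        # crypto dynamic-map <name> <seq> match address <acl> references an ACL
        elif tok[0] == "crypto" and tok[-3:-1] == ["match", "address"]:
            cfg["acl_refs"].add(tok[-1])
        elif tok == ["sysopt", "connection", "permit-ipsec"]:
            cfg["permit_ipsec"] = True
    return cfg


def audit(text):
    """Return a list of human-readable findings for the given config text."""
    cfg = parse_pix(text)
    findings = []
    for group, acl in cfg["split_tunnel"]:
        findings.append(f"split-tunnel: vpngroup {group} uses ACL {acl}; "
                        "the client PC's own LAN becomes part of your perimeter")
    if not cfg["permit_ipsec"]:
        findings.append("missing: sysopt connection permit-ipsec "
                        "(decrypted VPN traffic is subject to the outside access-list)")
    for group, kind, addr in cfg["servers"]:
        # The server must sit on a connected subnet or be covered by a static route.
        reachable = any(addr in net for net in cfg["connected"] + cfg["routes"])
        if not reachable:
            findings.append(f"no-route: {kind} {addr} for vpngroup {group} is not on a "
                            "connected subnet and has no static route")
    for acl in sorted(cfg["acls"] - cfg["acl_refs"]):
        findings.append(f"unused: access-list {acl} is defined but never referenced")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(text):
            print(" ", finding)
```

Run against the posted config it flags the split tunnel, the DNS/WINS server at 10.0.0.20 with no route and the unreferenced inside_outbound_nat0_acl, and confirms sysopt connection permit-ipsec is already present; against the constructed "fixed" variant the split-tunnel and no-route findings disappear. It only reads the statements shown, so an interface that gets its addressing from DHCP is treated as contributing no subnet.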


  • Registered Users Posts: 358 ✭✭Philbert


    Creed,

    Most of what you are telling me makes sense, especially the bit about my experience level :).

    However, to actually put that into the configuration of the Pix is simply beyond me, and I don't have the time to learn.

    Which is why I have hired a freelance cisco guy to do it for me :D

    Cheers for your input.

