Allowed VPN Local Access Trouble
Hi, I have a problem accessing resources on my local LAN 10.100.200.x/24 in my office. When I connect with my Cisco VPN Client it is assigned an address from 10.10.1.0/24; I have access to VNC, ICMP and shared folders only on the 10.100.200.0/24 network, but I don't have full access to the other networks that are reachable from my local LAN (172.25.100.0/24, 10.102.45.0/24 and 10.102.15.0/24), and I don't have internet either. My configuration on the Cisco PIX 515 is:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 NET-IN security90
enable password vqjYph25oj.XmTB8 encrypted
passwd YSRcoQvm412BFvu2 encrypted
hostname pixbbp
domain-name bbp.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 deny ip host 10.100.200.15 host 10.150.150.3
access-list 100 permit ip 10.100.200.0 255.255.255.0 10.150.150.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.254.0 10.150.150.0 255.255.255.0
access-list 130 permit ip 10.100.200.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 130 permit ip 192.168.0.0 255.255.254.0 192.168.200.0 255.255.255.0
access-list 110 permit ip 10.100.200.0 255.255.255.0 10.0.8.0 255.255.255.0
access-list 110 permit ip 192.168.0.0 255.255.254.0 10.0.8.0 255.255.255.0
access-list 110 permit ip 192.168.0.0 255.255.254.0 192.168.100.0 255.255.252.0
access-list 110 permit ip 192.168.0.0 255.255.254.0 192.168.104.0 255.255.255.0
access-list 110 permit ip 192.168.0.0 255.255.254.0 192.168.10.0 255.255.255.0
access-list 120 permit ip 10.100.200.0 255.255.255.0 10.150.151.0 255.255.255.0
access-list 120 permit ip 192.168.0.0 255.255.254.0 10.150.151.0 255.255.255.0
access-list 150 permit ip 10.100.200.0 255.255.255.0 192.168.48.0 255.255.240.0
access-list 150 permit ip 192.168.0.0 255.255.254.0 192.168.48.0 255.255.240.0
access-list entrante permit icmp any any
access-list entrante permit tcp any host 200.45.137.3
access-list entrante permit udp any host 200.45.137.3
access-list entrante permit tcp any host 200.45.137.8 eq www
access-list entrante permit tcp any host 200.45.137.17 eq ftp
access-list entrante permit udp host 200.13.185.172 host 200.45.137.8 eq snmp
access-list entrante permit tcp host 200.13.185.172 host 200.45.137.8 eq 5666
access-list entrante permit ip any host 200.45.137.11
access-list entrante permit tcp any host 200.45.137.9 eq www
access-list BBP_splitTunnelAcl remark VPN client BBP_splitTunnelAcl
access-list BBP_splitTunnelAcl permit 10.100.200.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.10.1.0 255.255.255.0
access-list outside_cryptomap_dyn_80 permit ip any 10.10.1.0 255.255.255.0
access-list Local_LAN_Access remark VPN client Local_LAN_Access
access-list Local_LAN_Access permit host 0.0.0.0
pager lines 24
logging on
logging facility 23
icmp permit any echo-reply outside
icmp permit 10.100.200.0 255.255.255.0 outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu AMNETIN 1500
ip address outside 200.45.137.7 255.255.255.224
ip address inside 10.100.200.100 255.255.255.0
ip address NET-IN 192.168.0.1 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
ip local pool BBP 10.10.1.1-10.10.1.254
pdm location 10.100.200.142 255.255.255.255 inside
pdm location 10.30.30.0 255.255.255.224 outside
pdm location 10.100.200.111 255.255.255.255 inside
pdm location 10.100.200.17 255.255.255.255 inside
pdm location 10.100.200.31 255.255.255.255 inside
pdm location 10.100.200.50 255.255.255.255 inside
pdm location 10.100.200.51 255.255.255.255 inside
pdm location 10.100.200.80 255.255.255.255 inside
pdm location 10.100.200.90 255.255.255.255 inside
pdm location 10.100.200.163 255.255.255.255 inside
pdm location 10.0.8.0 255.255.255.0 outside
pdm location 10.150.150.3 255.255.255.255 outside
pdm location 10.150.150.0 255.255.255.0 outside
pdm location 10.150.151.0 255.255.255.0 outside
pdm location 192.168.10.0 255.255.255.0 outside
pdm location 192.168.48.0 255.255.240.0 outside
pdm location 192.168.100.0 255.255.252.0 outside
pdm location 192.168.104.0 255.255.255.0 outside
pdm location 192.168.200.0 255.255.255.0 outside
pdm location 200.13.185.172 255.255.255.255 outside
pdm location 200.45.144.3 255.255.255.255 outside
pdm location 200.45.144.5 255.255.255.255 outside
pdm location 10.103.15.0 255.255.255.0 outside
pdm location 10.103.45.0 255.255.255.0 outside
pdm location 172.21.253.0 255.255.255.0 outside
pdm location 172.21.254.0 255.255.255.0 outside
pdm location 172.21.255.0 255.255.255.0 outside
pdm history enable
arp timeout 600
global (outside) 1 200.45.137.14
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 200.45.137.3 10.100.200.51 netmask 255.255.255.255 0 0
static (inside,outside) 200.45.137.10 10.100.200.50 netmask 255.255.255.255 0 0
static (inside,outside) 200.45.137.2 10.100.200.17 netmask 255.255.255.255 0 0
static (inside,outside) 200.45.137.8 10.100.200.31 netmask 255.255.255.255 0 0
static (inside,outside) 200.45.137.17 10.100.200.80 netmask 255.255.255.255 0 0
static (inside,outside) 200.45.137.11 10.100.200.163 netmask 255.255.255.255 0 0
static (inside,outside) 200.45.137.9 10.100.200.90 netmask 255.255.255.255 0 0
access-group entrante in interface outside
route outside 0.0.0.0 0.0.0.0 200.45.137.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.100.200.142 255.255.255.255 inside
http 10.100.200.111 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community nwtgurcv
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 100
crypto map newmap 20 set peer 200.45.155.178
crypto map newmap 20 set transform-set myset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer 200.45.128.17
crypto map newmap 30 set transform-set myset
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 match address 110
crypto map newmap 40 set peer 200.45.153.135
crypto map newmap 40 set transform-set myset
crypto map newmap 50 ipsec-isakmp
crypto map newmap 50 match address 150
crypto map newmap 50 set peer 200.45.154.2
crypto map newmap 50 set transform-set myset
crypto map newmap 60 ipsec-isakmp
crypto map newmap 60 match address 120
crypto map newmap 60 set peer 200.45.129.14
crypto map newmap 60 set transform-set myset
crypto map newmap 70 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap client authentication LOCAL
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 200.45.128.17 netmask 255.255.255.255
isakmp key ******** address 200.45.153.135 netmask 255.255.255.255
isakmp key ******** address 200.45.154.2 netmask 255.255.255.255
isakmp key ******** address 200.45.129.14 netmask 255.255.255.255
isakmp key ******** address 200.45.156.210 netmask 255.255.255.255
isakmp key ******** address 200.45.155.178 netmask 255.255.255.255
isakmp client configuration address-pool local BBP outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup BBP address-pool BBP
vpngroup BBP dns-server 10.100.200.30 200.45.137.4
vpngroup BBP wins-server 10.100.200.31
vpngroup BBP default-domain bbp.net
vpngroup BBP split-tunnel BBP_splitTunnelAcl
vpngroup BBP idle-time 1800
vpngroup BBP password ********
telnet 10.100.200.0 255.255.255.0 inside
telnet timeout 5
ssh 200.45.144.3 255.255.255.255 outside
ssh 200.45.144.5 255.255.255.255 outside
ssh timeout 60
console timeout 0
username jdakota password DD7swrpRwoLhqa1h encrypted privilege 15
username r.tretat password 6dxYt.HACC.RsGRC encrypted privilege 2
terminal width 80
Cryptochecksum:23a16fa4bc9ba1c30415ee36f531b547
: end
My Cisco VPN Client shows the following error:
Cisco Systems VPN Client Version 4.8.02.0010
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1 07:09:10.843 10/26/08 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 10.0.0.1
Interface 10.10.1.6
2 07:09:10.843 10/26/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: a0a0106, Gateway: a000001.
3 07:16:06.828 10/26/08 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:507)
I await your help, my friends. Thank you!!!!
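An added diagnostic script, not part of the original post and not Cisco's tooling, that reads the relevant lines of the configuration quoted above and, for each network the poster wants to reach, reports whether the vpngroup's split-tunnel ACL sends it into the tunnel and whether the nat 0 exemption ACL covers traffic between it and the client address pool. The config excerpt and the list of wanted networks are constructed from the post; the function names are mine. On this config it shows that only 10.100.200.0/24 appears in BBP_splitTunnelAcl, so the client installs a tunnel route only for that network and sends 172.25.100.0/24, 10.102.45.0/24 and 10.102.15.0/24 out its local interface instead, while the nat 0 entry with source "any" already exempts everything.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 configuration quoted in the post: only the
# lines this check needs. A real audit would read the full "show run" output.
PIX_CONFIG = """\
access-list BBP_splitTunnelAcl remark VPN client BBP_splitTunnelAcl
access-list BBP_splitTunnelAcl permit 10.100.200.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.10.1.0 255.255.255.0
access-list outside_cryptomap_dyn_80 permit ip any 10.10.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
ip local pool BBP 10.10.1.1-10.10.1.254
vpngroup BBP address-pool BBP
vpngroup BBP split-tunnel BBP_splitTunnelAcl
"""

# Networks the poster says are reachable from the office LAN but not over the VPN.
WANTED = ["10.100.200.0/24", "172.25.100.0/24", "10.102.45.0/24", "10.102.15.0/24"]

ANY = ipaddress.ip_network("0.0.0.0/0")
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def _net(addr, mask):
    """Turn a PIX 'address mask' pair (dotted mask) into an ipaddress network."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _take_net(tokens):
    """Consume one address spec ('any', 'host A' or 'A MASK') from the token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return _net(tokens[1], "255.255.255.255"), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]


def parse_acl(config, name):
    """Return the permit entries of access-list NAME as (src, dst) network pairs.

    PIX 6.3 split-tunnel ACLs use the standard form 'permit NET MASK' (one
    network per line); other ACLs use the extended form
    'permit PROTO SRC MASK DST MASK' with 'any' or 'host A' allowed on either
    side. Standard entries are returned with src = any so both forms compare
    alike; remark and deny lines are ignored, as are trailing port qualifiers.
    """
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] != ["access-list", name, "permit"]:
            continue
        rest = tokens[3:]
        if rest[0] in PROTOCOLS:
            src, rest = _take_net(rest[1:])
            dst, _ = _take_net(rest)
            entries.append((src, dst))
        else:
            entries.append((ANY, _net(rest[0], rest[1])))
    return entries


def _setting(config, pattern):
    """Return group 1 of the first line matching PATTERN, or None if absent."""
    m = re.search(pattern, config, re.MULTILINE)
    return m.group(1) if m else None


def pool_range(config, pool):
    """Return (first, last) addresses of 'ip local pool NAME FIRST-LAST'."""
    m = re.search(rf"^ip local pool {re.escape(pool)} ([^-\s]+)-(\S+)", config, re.MULTILINE)
    if m is None:
        raise ValueError(f"address pool {pool!r} not found")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def audit(config, group, wanted):
    """For each wanted network report whether GROUP's split-tunnel ACL routes it
    into the tunnel and whether the nat 0 exemption covers traffic between it
    and the group's client address pool."""
    split_acl = _setting(config, rf"^vpngroup {re.escape(group)} split-tunnel (\S+)")
    pool = _setting(config, rf"^vpngroup {re.escape(group)} address-pool (\S+)")
    nat0_acl = _setting(config, r"^nat \(inside\) 0 access-list (\S+)")
    if pool is None:
        raise ValueError(f"vpngroup {group!r} has no address-pool")
    first, last = pool_range(config, pool)
    # No split-tunnel ACL means the client tunnels everything.
    tunneled = [dst for _, dst in parse_acl(config, split_acl)] if split_acl else [ANY]
    exempt = parse_acl(config, nat0_acl) if nat0_acl else []
    report = {}
    for cidr in wanted:
        net = ipaddress.ip_network(cidr)
        report[cidr] = {
            "split_tunnel": any(net.subnet_of(t) for t in tunneled),
            "nat0": any(net.subnet_of(src) and first in dst and last in dst
                        for src, dst in exempt),
        }
    return report


if __name__ == "__main__":
    for cidr, r in audit(PIX_CONFIG, "BBP", WANTED).items():
        verdict = "ok" if r["split_tunnel"] and r["nat0"] else "not reachable over VPN"
        print(f"{cidr:17} split-tunnel={r['split_tunnel']!s:5} nat0={r['nat0']!s:5} {verdict}")
```

Adding a network to the split-tunnel ACL only makes the client route it into the tunnel; the PIX still needs its own path to that network, and on PIX 6.3 traffic arriving from a VPN client on the outside interface cannot be turned around and sent out the same interface towards a site-to-site peer, so networks behind the other crypto map peers need a different design than a split-tunnel entry alone.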