SSH Sentinel through pix 506 to Zyxel

sgozio
Level 1

Hi all,

I have one PIX 506e. On the inside LAN there is one PC client, and on this client there is SSH Sentinel VPN Client software to connect this PC to a remote LAN protected by a Zyxel router/firewall.

When I activate the Sentinel software, the VPN tunnel goes ON but the traffic doesn't work; for example, it is not possible to ping any host.

If I remove the PIX 506 and connect the PC directly to the router, the VPN tunnel goes ON and every host on the remote LAN responds to ping. Zyxel support suggests verifying port 500 and port 68.

The Cisco PIX log says:

305006: portmap translation creation failed for protocol 50 src inside:192.168.2.169 dst outside:88.xx.123.zz

24 Replies

sgozio
Level 1

This is configuration on my PIX:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX
domain-name intranet.luceat.it
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any echo-reply
access-list nonat permit ip any 10.0.1.0 255.255.255.0
access-list nonat permit ip any 10.0.2.0 255.255.255.0
access-list nonat permit ip any 10.0.3.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.xx 255.255.255.248
ip address inside 192.168.2.101 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Networking 10.0.1.1-10.0.1.10
ip local pool Mobile 10.0.2.1-10.0.2.10
ip local pool Comm 10.0.3.1-10.0.3.10
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 10.0.1.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.zz 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set TRSET esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set TRSET
crypto map VPN 10 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup Networking address-pool ONE
vpngroup Networking dns-server 192.168.2.1
vpngroup Networking wins-server 192.168.2.1
vpngroup Networking default-domain intranet
vpngroup Networking idle-time 1800
vpngroup Networking password ZZZZZZZZZZZZZZZZZZZ
vpngroup Mobile address-pool TWO
vpngroup Mobile dns-server 192.168.2.2
vpngroup Mobile wins-server 192.168.2.2
vpngroup Mobile default-domain intranet
vpngroup Mobile idle-time 1800
vpngroup Mobile password XXXXXXXXXXXXXXXXXX
vpngroup Comm address-pool THREE
vpngroup Comm dns-server 192.168.2.2
vpngroup Comm wins-server 192.168.2.2
vpngroup Comm default-domain intranet
vpngroup Comm idle-time 1800
vpngroup Comm password WWWWWWWWWWW
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80

Any idea or solution is welcome.

Thanks in advance to all.

Ensure the vpn client and remote endpoint support nat-traversal. If they do not, you must disable nat-t on your pix and enable fixup protocol esp-ike. This would allow for 1 connection and 1 connection only.

no isakmp nat-traversal

fixup protocol esp-ike

Thank you for the answer.

The command no isakmp nat-traversal works,

while the command PIX(config)# fixup protocol esp-ike returns this:

PAT for ESP cannot be enabled since ISAKMP is enabled. Please correct your configuration and re-issue the command!

Sorry, that is because of "isakmp enable outside". It appears you have existing vpn's terminating on the pix. no isakmp nat-traversal may have an ill effect on them as well. Fixup protocol esp-ike will also impact these connections. Did you check into NAT-T?

Thank you for your patience and support...

I tried the command no isakmp nat-traversal; after this I tried the connection with the Zyxel Remote Security Client, but the problem is the same...

Yes, you would have to remove the isakmp command on the outside interface, then add the fixup protocol esp-ike command, but this would then break your remote vpn connections terminating on your pix. Hope that makes sense. If any of your remote vpn users are using nat-t then removing the nat-traversal command would break those connections.

Perhaps now I have understood:

1) Remove: isakmp enable outside command

2) Add: fixup protocol esp-ike command

3) Add: isakmp enable outside

Is that right now?

Yes, but having "fixup protocol esp-ike" will only allow for 1 connection and you will no longer be able to terminate vpn's on your firewall.

Dear acomiskey, thank you very much for your responses.

I'm Luigi, the owner of the PIX 506e.

I don't want to lose my VPN connections because I need them.

But I need to resolve the problem with the connection to the Zyxel firewall.

Is "fixup protocol esp-ike" the only way I have to connect to the Zyxel firewall, or is there another way?

Is it not possible to change the configuration of my 506 in order to have both (VPN clients connected and the connection with the Zyxel)?

I can confirm that the Zyxel firewall supports IPsec NAT-Traversal (it's a P662H).

Is nat-t enabled on the client software?

OK, there is no such option on the ZyWALL VPN client.

So I think that it's already active (if the firewall has the option, the official VPN client has to have it implicitly).

I want to add some new information.

Other companies with a Cisco firewall can connect to these Zyxel firewalls with the same program and the same settings.

Is the PIX 506e different from other PIXes?

No, other than the version of the PIX IOS, they are not different.

Sorry, I'm not familiar with these vpn clients, which are you using exactly, ssh sentinel or zywall client?

If the devices were doing nat-t, the pix would not be complaining about protocol 50 (esp).

You could rule out nat-t as being the problem. Do you have any more public ip addresses available? You could NAT a client to one of these addresses so you were not using PAT, therefore not needing nat-t.

OK. I'm using both SSH Sentinel and the ZyWALL client (with 2 different PCs).

P.S. I've checked and they support NAT-T.

Yes, I have more public IPs. Would NATting a client mean that I have to put the client between the Cisco firewall and my ADSL router?

I can't have PCs outside the firewall for security reasons.

Can you please explain?

You can create a static nat or a one-to-one mapping like this.

static (inside,outside) <global_ip> <local_ip> netmask 255.255.255.255

ex.

static (inside,outside) 64.1.1.1 192.168.1.10 netmask 255.255.255.255

therefore the client (192.168.1.10) will be translated to 64.1.1.1; this is not PAT/overloading, which requires NAT-T.
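The NAT-T, esp-ike and static NAT advice from this thread in one runnable model, as an added example written for this page (Python; not code from the thread, from Cisco, or from any of the posters). It parses a 305006 line of the form the PIX logged, then simulates, in a deliberately simplified way, how a PIX doing "global (outside) 1 interface" PAT handles ESP from two inside hosts under each option: raw ESP through PAT, ESP-in-UDP/4500 after NAT-T, "fixup protocol esp-ike", and a one-to-one "static". The addresses 203.0.113.x and 88.0.123.1, the two inside hosts and the log line are constructed; the rule that esp-ike pins ESP to a single host's IKE xlate is the thread's own "1 connection only" statement modelled literally, not a claim about PIX internals. One caveat the thread skirts around: "isakmp nat-traversal 20" on the PIX only affects tunnels that terminate on the PIX itself; whether a client behind it sends udp/4500 or raw ESP is negotiated between the client and the Zyxel, and the PIX only sees the result.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ESP, UDP, TCP = 50, 17, 6          # IP protocol numbers
IKE_PORT, NAT_T_PORT = 500, 4500   # IKE, and ESP-in-UDP once NAT-T is negotiated

# %PIX-3-305006 in the form quoted in the thread.
LOG_305006 = re.compile(
    r"305006: portmap translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+) dst (?P<dif>\w+):(?P<dst>[\d.]+)"
)
# Constructed sample line (addresses are made up for this example).
CONSTRUCTED_LOG = ("305006: portmap translation creation failed for protocol 50 "
                   "src inside:192.168.2.169 dst outside:88.0.123.1")


def parse_305006(line: str) -> Optional[dict]:
    """Extract protocol, source and destination from a 305006 syslog line."""
    m = LOG_305006.search(line)
    if not m:
        return None
    return {"proto": int(m["proto"]), "src": m["src"], "dst": m["dst"]}


class XlateError(Exception):
    """Raised where the PIX would refuse the translation (305006 for raw ESP)."""


@dataclass
class PixNat:
    """Simplified xlate logic: 'global (outside) 1 interface' (PAT), optional
    'static (inside,outside)' one-to-one entries, optional 'fixup protocol esp-ike'."""
    outside_ip: str
    statics: Dict[str, str] = field(default_factory=dict)   # inside host -> global IP
    esp_ike_fixup: bool = False
    esp_owner: Optional[str] = None                        # sole host allowed ESP under esp-ike
    pat: Dict[Tuple[int, str, int], str] = field(default_factory=dict)

    def translate(self, proto: int, src: str, dst: str, sport: int = 0) -> Tuple[str, str]:
        # One-to-one static NAT needs no ports, so any protocol passes.
        if src in self.statics:
            return self.statics[src], "static"
        # Interface PAT keys each xlate on (proto, host, port); TCP/UDP have one.
        if proto in (TCP, UDP):
            self.pat[(proto, src, sport)] = self.outside_ip
            return self.outside_ip, "pat"
        if proto == ESP:
            if not self.esp_ike_fixup:
                # ESP carries an SPI, not a port: nothing for PAT to multiplex on.
                raise XlateError(f"305006: portmap translation creation failed for "
                                 f"protocol 50 src inside:{src} dst outside:{dst}")
            # esp-ike (as modelled here): ESP is tied to the host's IKE (udp/500)
            # xlate, and only one inside host at a time may hold it.
            if (UDP, src, IKE_PORT) not in self.pat:
                raise XlateError(f"esp-ike: no IKE xlate for {src}")
            if self.esp_owner not in (None, src):
                raise XlateError(f"esp-ike: slot already held by {self.esp_owner}")
            self.esp_owner = src
            return self.outside_ip, "esp-ike"
        raise XlateError(f"no portmap for protocol {proto} from {src}")


def scenario(nat: PixNat, hosts, nat_t: bool) -> Dict[str, str]:
    """Each host does IKE (udp/500), then ESP, or ESP-in-UDP/4500 when NAT-T is on."""
    outcome = {}
    peer = "88.0.123.1"                       # constructed stand-in for the Zyxel
    for h in hosts:
        nat.translate(UDP, h, peer, IKE_PORT)  # phase 1 always fits through PAT
        try:
            if nat_t:
                _, how = nat.translate(UDP, h, peer, NAT_T_PORT)
            else:
                _, how = nat.translate(ESP, h, peer)
            outcome[h] = how
        except XlateError as e:
            outcome[h] = "FAIL " + str(e).split(":")[0]
    return outcome


def run_all() -> Dict[str, Dict[str, str]]:
    """The thread's failing case and its three candidate fixes, two inside hosts each."""
    hosts = ["192.168.2.169", "192.168.2.170"]
    pub = "203.0.113.2"                       # constructed stand-in for the PIX outside IP
    return {
        "pat_raw_esp":   scenario(PixNat(pub), hosts, nat_t=False),
        "pat_nat_t":     scenario(PixNat(pub), hosts, nat_t=True),
        "esp_ike_fixup": scenario(PixNat(pub, esp_ike_fixup=True), hosts, nat_t=False),
        "static":        scenario(PixNat(pub, statics={hosts[0]: "203.0.113.3"}), hosts, nat_t=False),
    }


if __name__ == "__main__":
    print(parse_305006(CONSTRUCTED_LOG))
    for name, result in run_all().items():
        print(f"{name:14s} {result}")
```

Running it shows the four outcomes side by side: raw ESP through PAT fails with 305006 for every host (the original post); ESP-in-UDP/4500 passes because PAT has a port to key on again (why a working NAT-T negotiation would have made the log entry disappear); esp-ike lets exactly one host through and refuses the second; and a static one-to-one entry lets only the statically mapped host through while everyone else still hits 305006. When triaging this on a real PIX, the parse_305006 output tells you which inside host and which peer are trying raw ESP, which is the host that needs the static.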
