06-15-2007 06:52 AM - edited 03-11-2019 03:31 AM
I have a cisco VPN client connecting to my PIX, it's getting an IP address from the PIX, and I see debug messages indicating that it has connected. However, I cannot seem to do anything on the VPN network - can't ping, can't "net view", can't http to the web server that's on my server network. I will post my firewall configs.
My network is:
client - switch - PIX - switch - PIX - switch - server
I'm using 2 PIX to simulate a firewalled remote site as well as the VPN.
Here's my VPN Client ipconfig output after connection:
Ethernet adapter Local Area Connection:
Connection-specific...:
IP Address...: 192.168.3.13
Subnet Mask...:255.255.255.0
Default Gateway...:192.168.3.254
(this is the cisco vpn client below)
Ethernet adapter Local Area Connection 2:
Connection-specific...:
IP Address... : 192.168.2.101
Subnet Mask...:255.255.255.0
Default Gateway...:192.168.2.101
06-15-2007 06:53 AM
Client side PIX config:
-----------------------
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname pixfirewall1
domain-name my-turn.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any
access-list outside permit tcp any any
access-list outside permit udp any any
access-list outside permit ip any any
pager lines 40
icmp deny host 200.1.1.2 outside
icmp deny host 200.1.1.1 outside
mtu outside 1500
mtu inside 1500
ip address outside 200.1.1.1 255.255.255.0
ip address inside 192.168.3.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.3.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username administrator password xxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxx
: end
06-15-2007 06:54 AM
Server Side PIX Config:
------------------------
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname pixfirewall2
domain-name my-turn.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit tcp any host 200.1.1.2 eq www
access-list 102 permit tcp any host 200.1.1.2 eq www
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit udp 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging buffered errors
logging trap notifications
mtu outside 1500
mtu inside 1500
ip address outside 200.1.1.2 255.255.255.0
ip address inside 192.168.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool internetpool 200.1.1.101-200.1.1.120
ip local pool test 192.168.2.101-192.168.2.199
pdm location 192.168.2.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.2.1 www netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool test
vpngroup vpn3000 default-domain MyTurnTest.local
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 10
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username administrator password xxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxx
: end
06-15-2007 08:52 AM
Hi
On your server side pix add the following
pix(config t)# isakmp nat-traversal
The problem is client side pix is doing PAT and this will break the IPSEC.
Alternatively you could exempt your client from being natted on the client pix.
HTH
Jon
06-15-2007 10:37 AM
Thanks Jon, that worked great. I'm moving on to my next phase, which is to get it working with IPSec/TCP on tcp port 80. This is how I'm hoping to scoot through the firewalls that most of my outlying offices are behind. I've found the setting on the client, now I have to figure out the settings on the firewall. Any help?
Thanks,
JP
06-18-2007 11:59 AM
Thanks Jon,
I had to leave for the night and I thought this was working yesterday, but now I've changed a few things and I'm wondering if you have any thoughts on this. Again, I am connecting, I am seeing the isakmp approvals and I'm getting an IP address from the VPN pool.
Problems:
1) I'm getting a default gateway equal to my own vpn address - is this correct?
2) I'm unable to get a web page from the web server on the 192.168.2.0 network, I can't ping the web server from the vpn client, I can't telnet to 192.168.2.254 from the vpn client. Any idea why? Is it a routing problem?
Thanks, I'm still reading up.
JP
06-18-2007 12:04 PM
1. Yes
2. The vpn client pool should never be the same subnet as any other network inside the pix.
06-19-2007 04:12 AM
OK, thanks - I changed the pool to be:
ip local pool bettertest 192.168.4.101-192.168.4.199
and my vpngroup address-pool statement:
vpngroup vpn3000 address-pool bettertest
and I removed the vpngroup vpn3000 address-pool test and ip local pool test statements.
I'm assuming there's a route I need to add now, I'll take any suggestions anyone has on that.
Thanks,
JP
06-19-2007 04:41 AM
Did you change your nonat acl to reflect the change in your vpn pool?
Just noticed your nonat acl is backwards anyway, it should be...
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
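A small checker for the two pitfalls this thread works through (a client pool that overlaps an inside subnet, and a nonat ACL written with source and destination the wrong way round). This is an added example, not Jon's or Cisco's code; the three sample configs are constructed from the fragments posted above and the pool/ACL rules are assumed to be the only ones in play.

```python
import ipaddress

# Constructed samples from the server-side PIX fragments in the thread; the pool
# and nonat lines are the parts that changed during troubleshooting.
BASE = """ip address outside 200.1.1.2 255.255.255.0
ip address inside 192.168.2.254 255.255.255.0
vpngroup vpn3000 address-pool {pool}
"""
ORIGINAL = BASE.format(pool="test") + """ip local pool test 192.168.2.101-192.168.2.199
access-list nonat permit ip 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
POOL_MOVED = BASE.format(pool="bettertest") + """ip local pool bettertest 192.168.4.101-192.168.4.199
access-list nonat permit ip 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
FIXED = BASE.format(pool="bettertest") + """ip local pool bettertest 192.168.4.101-192.168.4.199
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
"""

def parse(cfg):
    """Pull interface subnets, address pools, nonat ACEs and vpngroup pool bindings."""
    ifaces, pools, nonat, groups = {}, {}, [], {}
    for line in cfg.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"]:
            ifaces[t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:4] == ["access-list", "nonat", "permit", "ip"]:
            nonat.append((ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False),
                          ipaddress.ip_network(f"{t[6]}/{t[7]}", strict=False)))
        elif t[:1] == ["vpngroup"] and t[2:3] == ["address-pool"]:
            groups[t[1]] = t[3]
    return ifaces, pools, nonat, groups

def check(cfg):
    """Return findings; an empty list means both rules from the thread are satisfied."""
    ifaces, pools, nonat, groups = parse(cfg)
    inside, findings = ifaces["inside"], []
    for grp, name in groups.items():
        lo, hi = pools[name]
        # Rule 1: the client pool must not overlap any subnet the PIX is connected to.
        for ifname, net in ifaces.items():
            if lo <= net.broadcast_address and hi >= net.network_address:
                findings.append(f"pool {name} ({grp}) overlaps {ifname} subnet {net}")
        # Rule 2: a nonat ACE must read inside-subnet -> pool, source first.
        if not any(src == inside and lo in dst and hi in dst for src, dst in nonat):
            findings.append(f"no nonat ACE exempts {inside} -> pool {name} from NAT")
    return findings
```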
06-19-2007 04:46 AM
Thanks!
I have to reapply some of the config I listed, because I didn't write mem yesterday. I'll make the change you suggested.
JP
06-19-2007 05:10 AM
That got me exactly where I wanted to be - I can now ping the web server and load pages from it. Thanks!
Now I'm going to try to do it with port 80 from the VPN client, I'll update this when I know if that's working.
06-19-2007 05:27 AM
OK,
I changed the client to use IPSec/TCP using port 80. There is a static route on the server PIX, designed to allow access to the web server, and I think it's going to have to go away for now.
If there is a static:
static (inside,outside) tcp interface 80 192.168.2.1 80 netmask 255.255.255.255 0 0
then the vpn client initiates TCP but loops while "Contacting the security gateway at 200.1.1.2".
This makes sense, because the port 80 tcp traffic is being routed to the web server, which is not a security gateway.
If there is no static, then the vpn client cannot initiate a tcp session. It stalls at "Initiating TCP to 200.1.1.2".
I don't understand why it can't initiate tcp?
So more reading.
Thanks,
JP
06-19-2007 06:38 AM
OK,
I can reliably get IPSec/UDP to work now that I've learned a little bit about how this all works. What I want to do now is set up the PIX to accept IPSec/TCP connections on port 80. If I get that working, I can then take a little breather. I'm seeing that you can do it easily on a concentrator, but I haven't found the PIX 506e commands for it yet (running PIX Version 6.3(5)).
Thanks for your help!
JP
06-19-2007 06:45 AM
Version 6 does not support ipsec over tcp. You need version 7.