06-27-2007 06:20 AM - edited 03-11-2019 03:36 AM
Hi,
I finally got the vpn working between a PIX and Netscreen. Client can hit the Citrix web server on port 80 on the remote side just fine. Can ping the web server, too.
However, when I actually try to launch the citrix.ica.asp file via a web browser, I get an error message that the remote citrix server is not responding. However when we test it from another remote site through a vpn tunnel, it works just fine.
I've applied sysopt permit ipsec.
When I clear the counters (clear ipsec sa counters) and run traffic through the tunnel, I don't see any errors on sh ipsec sa for that peer.
Any other hints?
Thanks,
Jeff
06-28-2007 10:04 AM
Follow up: I was able to resolve the issue by adding a permit ip host w.x.y.z host a.b.c.d to the acl applied to the dmz interface.
However, I thought that since I had applied the sysopt permit ipsec, that I wouldn't have to change any acl, anywhere??? =/
Any thoughts?
-Jeff
Here's the current dmz acl:
PIX# sh ru | g dmzholes
access-list dmzholes permit ip host A.B.C.50 host M.N.O.36
access-list dmzholes permit tcp A.B.C.0 255.255.255.0 any eq www
access-list dmzholes permit udp A.B.C.0 255.255.255.0 any eq domain
access-list dmzholes permit tcp A.B.C.0 255.255.255.0 any eq domain
access-list dmzholes permit tcp A.B.C.0 255.255.255.0 any eq 123
access-list dmzholes permit tcp A.B.C.0 255.255.255.0 any eq ftp
access-list dmzholes permit tcp A.B.C.0 255.255.255.0 any eq ssh
access-list dmzholes permit tcp A.B.C.0 255.255.255.0 any eq https
access-list dmzholes permit tcp any host W.X.Y.11 eq smtp
access-list dmzholes permit ip host A.B.C.5 host W.X.Y.49
access-list dmzholes permit tcp host A.B.C.5 host W.X.Y.11 eq 7205
access-list dmzholes permit tcp host A.B.C.5 host W.X.Y.7 eq https
access-list dmzholes permit tcp host A.B.C.5 host W.X.Y.7 eq citrix-ica
access-list dmzholes permit ip host A.B.C.5 host W.X.Y.50
access-list dmzholes permit ip host A.B.C.10 host W.X.Y.50
access-list dmzholes permit ip host A.B.C.5 host W.X.Y.10
access-list dmzholes permit tcp host A.B.C.5 host W.X.Y.7 eq 3389
access-list dmzholes permit icmp any any echo
access-list dmzholes permit icmp any any echo-reply
access-list dmzholes permit icmp any any source-quench
access-list dmzholes permit icmp any any unreachable
access-list dmzholes permit icmp any any time-exceeded
access-list dmzholes permit tcp any host W.X.Y.11 eq pop3
access-group dmzholes in interface dmz
06-28-2007 10:19 AM
If the traffic were originating from the dmz and the acl is applied into dmz interface, which it appears to be, then yes this traffic will need to be allowed.
Sysopt conn permit ipsec will allow ipsec encapsulated packets to bypass interface acls, but the traffic from a dmz host into the dmz interface is not yet part of the tunnel. Make sense?
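To make the point above concrete, here is a small model of how a PIX evaluates an interface ACL against a packet, written as an added example for this thread (it is not code from the thread or from Cisco). It parses a handful of the `dmzholes` entries shown above, with the masked A.B.C / W.X.Y / M.N.O addresses replaced by constructed RFC 5737 placeholders, and checks the three flows from the original post: the web hit on port 80, the ping, and the ICA launch on TCP 1494 (citrix-ica). The bypass granted by `sysopt connection permit-ipsec` is modelled as applying only to packets that have just been decrypted from a tunnel, which is why a clear-text packet from a DMZ host entering the dmz interface still has to pass the dmz ACL. The "no ACL applied" case is modelled as permitted, matching the inside-to-outside (higher to lower security) default discussed later in the thread; that simplification is an assumption of the model.

```python
"""Toy model of PIX interface-ACL evaluation around a site-to-site IPsec tunnel.
Added example, not from the thread. Addresses are constructed RFC 5737
placeholders standing in for the masked A.B.C / W.X.Y / M.N.O values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service keywords the PIX accepts after "eq", mapped to port numbers (IANA).
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ftp": 21, "ssh": 22,
              "smtp": 25, "pop3": 110, "citrix-ica": 1494}


@dataclass
class Flow:
    proto: str                        # "ip", "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None       # destination port for tcp/udp
    icmp_type: Optional[str] = None   # e.g. "echo" for icmp


def _parse_addr(tokens, i):
    """Parse 'any' | 'host X' | 'NET MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists take a normal subnet mask (not an IOS-style wildcard mask).
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse one 'access-list NAME permit|deny PROTO SRC DST [eq PORT|ICMP-TYPE]' line."""
    t = line.split()
    assert t[0] == "access-list", line
    name, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    rule = {"name": name, "action": action, "proto": proto, "src": src, "dst": dst,
            "dport": None, "icmp_type": None}
    rest = t[i:]
    if proto in ("tcp", "udp") and len(rest) >= 2 and rest[0] == "eq":
        rule["dport"] = PORT_NAMES.get(rest[1]) or int(rest[1])
    elif proto == "icmp" and rest:
        rule["icmp_type"] = rest[0]
    return rule


def ace_matches(rule, flow):
    """'ip' entries match any protocol; otherwise protocol, addresses and port/type must agree."""
    if rule["proto"] != "ip" and rule["proto"] != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in rule["src"]:
        return False
    if ipaddress.ip_address(flow.dst) not in rule["dst"]:
        return False
    if rule["dport"] is not None and rule["dport"] != flow.dport:
        return False
    if rule["icmp_type"] is not None and rule["icmp_type"] != flow.icmp_type:
        return False
    return True


def acl_permits(acl_lines, flow):
    """First matching entry wins; an implicit deny sits at the end, as on the PIX."""
    for line in acl_lines:
        rule = parse_ace(line)
        if ace_matches(rule, flow):
            return rule["action"] == "permit"
    return False


def inbound_permitted(interface, flow, acls, *, sysopt_permit_ipsec=True,
                      decrypted_from_tunnel=False):
    """Does a packet arriving on `interface` get past that interface's ACL?

    sysopt connection permit-ipsec exempts only traffic that has just been
    decrypted from an IPsec tunnel. A DMZ host's clear-text packet entering the
    dmz interface is not tunnel traffic yet, so the dmz ACL applies to it.
    An interface with no access-group is modelled as permitting the packet
    (assumption: traffic is heading to a lower-security interface).
    """
    if decrypted_from_tunnel and sysopt_permit_ipsec:
        return True
    if interface not in acls:
        return True
    return acl_permits(acls[interface], flow)


# Constructed subset of the thread's "dmzholes" ACL with placeholder addresses:
#   A.B.C.0/24 -> 192.0.2.0/24 (dmz), W.X.Y.* -> 198.51.100.*, M.N.O.36 -> 203.0.113.36
DMZHOLES_BEFORE = [
    "access-list dmzholes permit tcp 192.0.2.0 255.255.255.0 any eq www",
    "access-list dmzholes permit udp 192.0.2.0 255.255.255.0 any eq domain",
    "access-list dmzholes permit tcp host 192.0.2.5 host 198.51.100.7 eq citrix-ica",
    "access-list dmzholes permit icmp any any echo",
    "access-list dmzholes permit icmp any any echo-reply",
]
# The fix from the follow-up post: a host-to-host permit between Citrix client and server.
DMZHOLES_AFTER = ["access-list dmzholes permit ip host 192.0.2.50 host 203.0.113.36"] + DMZHOLES_BEFORE

CLIENT, CITRIX = "192.0.2.50", "203.0.113.36"   # constructed DMZ client and remote Citrix server
WEB = Flow("tcp", CLIENT, CITRIX, dport=80)
PING = Flow("icmp", CLIENT, CITRIX, icmp_type="echo")
ICA = Flow("tcp", CLIENT, CITRIX, dport=1494)


def symptom_table(acl):
    """Evaluate the three flows from the original post against a given dmz ACL."""
    acls = {"dmz": acl}
    return {name: inbound_permitted("dmz", f, acls)
            for name, f in (("web", WEB), ("ping", PING), ("ica", ICA))}


if __name__ == "__main__":
    print("before:", symptom_table(DMZHOLES_BEFORE))   # web and ping pass, ica is dropped
    print("after: ", symptom_table(DMZHOLES_AFTER))    # all three pass
    # The same ICA packet arriving decrypted on outside is exempt via sysopt:
    print(inbound_permitted("outside", ICA, {"outside": []}, decrypted_from_tunnel=True))
```

The "before" table reproduces the symptom exactly: port 80 and ICMP echo are covered by the subnet-wide entries, but nothing in the dmz ACL permits the client's ICA session to the remote server, so the PIX drops it before encryption is ever considered and `sh ipsec sa` shows no errors. The host-to-host `permit ip` entry, evaluated first, lets all three through.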
06-28-2007 10:28 AM
Nope.
Why have I not had to do that on any of the other vpns I've set up? Were they all on the inside interface which allowed everything out by default?
06-28-2007 10:32 AM
"Were they all on the inside interface which allowed everything out by default?"
-They were your VPNs.. I can't answer that :)
06-28-2007 10:37 AM
Yeah, they've all been on the inside interface.
Does that explain why I haven't had to change ACLs though? That either the inside interface didn't have an ACL applied, or that since it was going from the inside (sec lvl: 100) to a vpn, it didn't worry about the ACL.
06-28-2007 10:39 AM
Most likely it is because you did not have an acl applied into the inside interface. Therefore any traffic initiated from the inside would obviously be allowed over the tunnel.
06-28-2007 10:45 AM
So I can expect that if I implement aggressive egress filtering at a site that's using a site-site vpn, then I may "break" the vpn until I modify the egress ACL?
06-28-2007 10:57 AM
Yes, if you create an ingress acl on an interface, except for the interface where the vpn is terminating, you will have to allow the traffic as you did above.
Note: I assume by egress, you mean out of the remote network, not out of an interface.
06-28-2007 12:16 PM
Correct assumption re egress.
Just for clarification, "except for the interface where the vpn is terminating" means (in most if not all cases) the outside interface, as that is where all of my crypto maps get applied as well as my isakmp statements.
Is there a case where it wouldn't be applied to the outside interface?
06-28-2007 12:20 PM
You could apply it to another interface, but I just thought it was important to add that as adding an acl into the outside interface would not do anything as sysopt conn permit ipsec will allow that traffic. So I just wanted to be as particular as possible that's all.