07-09-2007 12:47 PM - edited 03-11-2019 03:42 AM
I have a client who has a PIX 501 in his office. He has a server at a co-location facility, which also has a PIX. When the client wants to access his server, he creates a Cisco client VPN connection (not a PIX to PIX VPN). However, once the VPN is up, he can't access the server. If any other router is put in place of his local office PIX, he can then create the client VPN and access his server using RDP with no problem.
Does anyone have any idea how he can access his server at the co-location facility without removing his office PIX?
Tony
07-09-2007 12:49 PM
Does he have any access to the remote network when the pix is in place? Or is it specifically rdp?
07-09-2007 12:58 PM
>>Does he have any access to the remote network when the pix is in place?
No, he has no access. We tried to ping the server and do a tracert. Nothing. If the client removes his local PIX and installs a simple router like Linksys, everything works fine.
07-09-2007 01:59 PM
Any chance of getting the config from the remote pix? Seems more like a nat-traversal issue than a blocking issue on the local pix.
07-09-2007 02:28 PM
>>Any chance of getting the config from the remote pix?
No, but I have the local PIX from where the RDP connection is attempting to be made. Outside and inside IPs have been changed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.25.0 VPNclient
name 1.1.1.10 web_ftp-outside
name 192.168.23.6 web_ftp-inside
name 1.1.1.115 email_RDP-outside
name 192.168.23.5 email_RDP-inside
access-list 101 permit icmp any any
access-list 101 remark VPN Access Policy
access-list 101 permit ip VPNclient 255.255.255.0 192.168.23.0 255.255.255.0
access-list 101 permit tcp any host email_RDP-outside eq smtp
access-list 101 permit tcp any host email_RDP-outside eq pop3
access-list 101 permit tcp any host email_RDP-outside eq 3389
access-list 101 permit tcp any host web_ftp-outside eq ftp-data
access-list 101 permit tcp any host web_ftp-outside eq ftp
access-list 101 permit tcp any host web_ftp-outside eq www
access-list 101 permit tcp any host web_ftp-outside eq https
access-list outside_cryptomap_dyn_30 permit ip any VPNclient 255.255.255.0
access-list sasco_splitTunnelAcl permit ip 192.168.23.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.23.0 255.255.255.0 VPNclient 255.255.255.0
pager lines 24
ip address outside 1.1.1.20 255.255.255.248
ip address inside 192.168.23.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool sascoVPNpool 192.168.25.51-192.168.25.60 mask 255.255.255.0
pdm location email_RDP-outside 255.255.255.255 outside
pdm location web_ftp-inside 255.255.255.255 inside
pdm location email_RDP-inside 255.255.255.255 inside
pdm location VPNclient 255.255.255.0 outside
pdm location web_ftp-outside 255.255.255.255 outside
pdm history enable
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) email_RDP-outside email_RDP-inside netmask 255.255.255.255 0 0
static (inside,outside) web_ftp-outside web_ftp-inside netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.17 1
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
auth-prompt prompt Enter login authorization
auth-prompt accept Thank you. Access granted.
auth-prompt reject Either get it right or stop trying to hack your way in.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 30 match address outside_cryptomap_dyn_30
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup sasco address-pool sascoVPNpool
vpngroup sasco dns-server email_RDP-inside 65.32.1.70
vpngroup sasco wins-server email_RDP-inside
vpngroup sasco default-domain sasco.local
vpngroup sasco split-tunnel sasco_splitTunnelAcl
vpngroup sasco split-dns sasco.local sasco.lcl
07-09-2007 04:19 PM
Where is the tunnel connection to? Your 501? Have your friend enable logging on his PIX if he hasn't already:
logging buffered 6
logging on
Have him try to connect and get a sh log from the PIX.
07-10-2007 03:59 AM
The remote end point for the Cisco client to PIX VPN is the remote PIX not the local. The local PIX is in a passive role here. There is no PIX to PIX VPN. The owner of the remote PIX will not allow a PIX to PIX VPN.
I will get the log and post it late Tuesday.
Thank you for your help.
07-10-2007 05:17 AM
Check that the remote pix has "isakmp nat-traversal" in the config.
07-11-2007 02:51 AM
Don't think "isakmp nat-traversal" is relevant here since the tunnel is not terminating on the remote PIX.
You could also have him do a capture:
07-11-2007 04:35 AM
JBDanford2002, I think you are mistaken.
From a few posts above-
"The remote end point for the Cisco client to PIX VPN is the remote PIX not the local."
07-12-2007 08:06 AM
>>I think you are mistaken
That is always a possibility. Mistaken about what? The client VPN end point?
07-12-2007 08:08 AM
TXLombardi, I was referring to JBDanford2002's comment above.
He said your vpn client was not terminating on the remote pix.
07-12-2007 03:39 PM
Ah, ok. I re-read the first post. I think you are possibly right acomiskey. The option would be to enable "fixup protocol esp-ike". The downer is that you won't be able to terminate any VPNs on your PIX. NAT-T is definitely the way to go. Definitely take a look at the logs to see if you are dropping on IP 50.
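An added example, not written by any poster in this thread, that checks a PIX 6.x config excerpt for the points raised above: whether the box terminates its own VPNs (which rules out "fixup protocol esp-ike"), whether esp-ike is present, and whether an access-group on the inside interface could block the client's IKE/NAT-T traffic on its way out. SAMPLE_CONFIG is a constructed excerpt of the config posted earlier; the decision of which lines matter is an assumption of this example.

```python
import re

# Constructed excerpt of the local PIX config posted in this thread.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol http 80
access-list 101 permit icmp any any
access-group 101 in interface outside
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
"""


def analyze_pix_config(config: str) -> dict:
    """Report what matters for an IPsec client passing *through* this PIX."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Local nat-traversal only affects tunnels this PIX terminates itself.
    has_natt = any(re.match(r"isakmp nat-traversal(\s+\d+)?$", l) for l in lines)
    has_esp_ike = any(l == "fixup protocol esp-ike" for l in lines)
    # A crypto map bound to an interface means this PIX terminates VPNs.
    terminates_vpn = any(re.match(r"crypto map \S+ interface \S+$", l) for l in lines)
    # An access-group applied inbound on "inside" filters traffic leaving the LAN.
    inside_acl = any(re.match(r"access-group \S+ in interface inside$", l) for l in lines)

    findings = []
    if terminates_vpn:
        findings.append("PIX terminates its own VPNs: esp-ike fixup is not an option")
    if not has_esp_ike:
        findings.append("no esp-ike fixup: client and remote PIX must negotiate NAT-T (UDP 4500)")
    if inside_acl:
        findings.append("inside ACL present: confirm it permits udp/500 and udp/4500 outbound")
    return {
        "nat_traversal": has_natt,
        "esp_ike_fixup": has_esp_ike,
        "terminates_vpn": terminates_vpn,
        "inside_acl": inside_acl,
        "findings": findings,
    }


def requires_remote_natt(config: str) -> bool:
    """True when plain ESP pass-through is unavailable, so the remote end must support NAT-T."""
    r = analyze_pix_config(config)
    return (not r["esp_ike_fixup"]) or r["terminates_vpn"]
```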