VPN and DHCP Clients on a PIX

Unanswered Question
Apr 11th, 2008

We are running a PIX 501 (6.3)

We have it set up as a firewall/vpn router on a DSL modem.

We have several computer on the inside interface, IP range 192.168.1.0

The PIX is set to give out DHCP address from 192.168.1.2 to .33

If the PIXs gives a computer an IP via DHCP outside VPN clients can contact it. If the computer self assigns its IP, either in the DHCP range or outside it, none of the VPN Clients can get to it.

This is Bad. I have several servers that need to be VPN accessible, and can not put them on DHCP and have their IPs change constantly.

Please help, I'm pulling my hair out.

Here is my config:

PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XXXXXXX encrypted

passwd XXXXXXX encrypted

hostname XXXX

domain-name xxxxx

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list nonat permit ip 192.168.1.0 255.255.255.224 192.100.1.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit icmp any any

access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.224 192.100.1.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 192.100.1.200-192.100.1.220

pdm location 192.168.1.0 255.255.255.224 inside

pdm location 192.100.1.0 255.255.255.0 outside

pdm location 0.0.0.0 255.255.255.255 inside

pdm location 192.168.1.0 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-sha esp-aes-256 esp-sha-hmac

crypto dynamic-map dynmap 20 set transform-set ESP-3DES-sha

crypto map outside_map 500 ipsec-isakmp dynamic dynmap

crypto map outside_map interface outside

isakmp enable outside

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup maxhrvpn address-pool ippool

vpngroup maxhrvpn dns-server 67.69.184.199 67.69.184.7

vpngroup maxhrvpn split-tunnel outside_cryptomap_dyn_20

vpngroup maxhrvpn idle-time 1800

vpngroup maxhrvpn password ********

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

management-access inside

console timeout 0

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname [email protected]

vpdn group pppoex ppp authentication pap

vpdn username xxxxxxx password *********

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd dns 67.69.184.199 67.69.184.7

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
sundar.palaniappan Fri, 04/11/2008 - 07:03

The problem is in your crypto ACL and no-nat ACL. Change the ACL configuration as follows. Use a static IP address for the servers in the range of 192.168.1.33 - 254. Do not use a static address in the DHCP range as that would cause duplicate addresses usage in the network.

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.100.1.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.100.1.0 255.255.255.0

HTH

Sundar

Actions

This Discussion