Passing whole remote office traffic through site-to-site VPN (PIX 501)

Jun 7th, 2008

I have set up a site-to-site VPN using two PIX 501 firewalls, which are connected to the public internet by two PPPOE accounts. As of now the VPN tunnel works fine, and the main and remote offices can reach each other's private networks perfectly. Also, the PIX firewall on each side routes internet traffic through its own PPPOE connection.


I have been asked to add a feature to this configuration so that all traffic of the remote office passes through the VPN tunnel, whether or not the traffic destination is the private network of the main office. In case the traffic destination is not the private network of the main office, the PIX on the main office side should route the request to the internet (through its own PPPOE connection).


I have included the main part of the two PIX configurations here for your review. Although the two sites connect to the internet through PPPOE, the ISPs have arranged to assign static IP addresses to both PPPOE accounts.


Here is the main office configuration:


access-list 101 permit ip 192.168.6.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address outside pppoe setroute

ip address inside 192.168.6.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address 101

crypto map outside_map 20 set peer 10.0.1.10

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 10.0.1.10 netmask 255.255.255.255

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpdn group pppoe_group request dialout pppoe

vpdn group pppoe_group localname MAIN_OFFCE_PPPOE_USERNAME

vpdn group pppoe_group ppp authentication pap

vpdn username MAIN_OFFCE_PPPOE_USERNAME password ********* store-local


and this is the remote office configuration:


access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0

ip address outside pppoe setroute

ip address inside 192.168.1.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address 101

crypto map outside_map 20 set peer 10.0.2.50

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 10.0.2.50 netmask 255.255.255.255

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpdn group pppoe_group request dialout pppoe

vpdn group pppoe_group localname REMOTE_OFFCE_PPPOE_USERNAME

vpdn group pppoe_group ppp authentication chap

vpdn username REMOTE_OFFCE_PPPOE_USERNAME password *********


I would really appreciate it if you could help me add this feature to my PIX configurations. Please note that our remote office also uses VoIP from Vonage, and I need to have its traffic passed through the VPN and routed to the Vonage server from the main office PIX.


Looking forward to your comments,

Thanks!




Farrukh Haroon Sat, 06/07/2008 - 12:50

This seems to be a PIX 6.x configuration. Please note hair-pinning support was added in ASA/PIX 7.x. Please have a look at the following link.


This configuration is not supported on 6.x.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml


Regards


Farrukh





peyman_nabati Sun, 06/08/2008 - 13:09

Hi Farrukh,


Thanks for your note. Now that I know I do not have a chance to pass my remote office traffic through the PIX, is there a chance I could set up a PPTP server at the main office and use a PPTP client on the remote side to connect through the VPN tunnel? This would be a PPTP tunnel inside the existing VPN tunnel built by the config files I attached before. I have added fixup protocol PPTP 1723 to both PIX configurations to support PPTP. Then I set up a PPTP server in the main office on a Windows XP system (192.168.6.201) and tried to connect from the remote office with the Windows XP PPTP client (192.168.1.2). I was hoping that if the PPTP tunnel could be established, it would let my remote office system pass its whole traffic through this new second-level tunnel. But unfortunately the PPTP tunnel could not be established. The PPTP client fails after exchanging username and password. It simply stays on the verify username and password screen for a while and gives me a disconnect message at the end indicating no answer was heard back from the server.


Can you kindly tell me if it is ever possible to set up the second tunnel inside the first one, and if that is possible, why the one I am trying fails?


Thanks very much,

Peyman

peyman_nabati Sun, 06/08/2008 - 21:59

Hi Farrukh,


Thanks again for your kind comment. The link you asked me to visit does cover this topic ("Allow L2TP Over IPsec Through PIX/ASA 7.x and Above") but again it is for PIX 7.0 and above. Mine is PIX 6.3. It seems I am not lucky to have this working with these 6.3 PIX.


Many Thanks,

Peyman

peyman_nabati Mon, 06/09/2008 - 05:27

Dear Farrukh,


As I said, my PIX lets me connect a PPTP client on the inside local network to a PPTP server outside on the public internet, as detailed in the document you referred me to, by having these lines in my PIX config:


Label of the section in the document: "Commands to Add for Version 6.3"


pixfirewall(config)#fixup protocol pptp 1723

pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0

pixfirewall(config)#global (outside) 1 interface


I have these commands in my PIX config and it works for me to connect to an outside PPTP server.


But what I am really interested in achieving is the section labeled "Allow L2TP Over IPsec Through PIX/ASA 7.x and Above" in the same document. Unfortunately my PIXes are 6.3 and do not work with the instructions of this section.


Honestly, I am thinking of giving up on this idea and pursuing a PPTP server outside my VPN network.


Thanks again,

Peyman

Farrukh Haroon Mon, 06/09/2008 - 05:56

You are confusing the L2TP part with the PPTP part. On the PIX behind which the PPTP server is located, you need something similar to this:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#addcomm


On the PIX firewall behind which are the PPTP clients, you need to do something like this:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#ver63


Regards


Farrukh

peyman_nabati Tue, 06/10/2008 - 12:41

Hi Farrukh,


Thanks for keeping up with my questions. I got your points on how to use the example configuration you sent me. But in that example, on the server side, one public IP address was assigned to the router's outside interface and another public IP address was used as the PPTP server address for outsiders, which was mapped to an inside server by the PIX router through a static statement.


As you have seen in my starting configuration, I am using PPPOE on both PIXes to get the outside public address, and I did not have any extra valid public IP address on the PPTP server side (main office). Just to conform with the configuration in the mentioned example, I have asked my ISP on the server side to change the account and assign me two public IP addresses for the PPPOE account. Let me assume the ISP will give me two valid IP addresses: 192.168.201.1 to be used by the PIX on the outside interface, and the extra public IP address 192.168.201.5 to be used by the PPTP server (exactly like the example configuration). With this assumption, do you think I can use a carbon copy of the commands in the example for my server-side PIX? What I mean is this set of commands, assuming the PPTP client has the IP address 192.168.201.25:


access-list acl-out permit gre host 192.168.201.25 host 192.168.201.5

access-list acl-out permit tcp host 192.168.201.25 host 192.168.201.5 eq 1723

static (inside,outside) 192.168.201.5 10.48.66.106 netmask 255.255.255.255 0 0

access-group acl-out in interface outside


Honestly, I can understand how these commands route a request for a PPTP connection to 192.168.201.5 to the inside server at 10.48.66.106. What I could not find out by asking the technical people at my ISP is, if PPPOE assigns 192.168.201.1 to the outside interface of my PIX, how an internet request for 192.168.201.5 will be forwarded to the PIX on its outside interface to be redirected later to an inside server.


Besides adding PPTP service to my PIX configs, I have another concern which I would appreciate your help with. I have activated logging on my PIX router and have seen the message 106017: Deny IP due to land attack from x.x.x.x to x.x.x.x, where x.x.x.x is my PIX outside public IP address. I tried to search the Cisco website and the internet in this regard and have not found anything helpful yet. Some people have said this could be a real indication that somebody is trying to hack in and that it should be reported to the ISP for analysis. But when I talked to my ISP's technical staff, they refused to take this responsibility. I have had two incidents of this message in my PIX log today. In each incident the message was repeated over a short time interval of roughly 10 seconds. Do you think this could be because of a real attack and my security is in danger?


Thank you in advance,

Peyman
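
One way to triage the repeated 106017 messages described in the post above, as an added example that is not part of the original thread: it groups the log lines into bursts and reports how long each lasted and whether source and destination both equal the PIX outside address. The log lines, their timestamp layout, the 203.0.113.7 placeholder address and the 30-second gap threshold are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (assumed layout: PIX syslog with "logging timestamp").
# 203.0.113.7 is a placeholder standing in for the PIX outside address.
SAMPLE_LOG = """\
Jun 10 2008 09:14:02: %PIX-2-106017: Deny IP due to Land Attack from 203.0.113.7 to 203.0.113.7
Jun 10 2008 09:14:05: %PIX-2-106017: Deny IP due to Land Attack from 203.0.113.7 to 203.0.113.7
Jun 10 2008 09:14:11: %PIX-2-106017: Deny IP due to Land Attack from 203.0.113.7 to 203.0.113.7
Jun 10 2008 09:20:40: %PIX-4-106023: Deny tcp src outside:198.51.100.9/4431 dst inside:203.0.113.7/445 by access-group "acl-out"
Jun 10 2008 16:31:20: %PIX-2-106017: Deny IP due to Land Attack from 203.0.113.7 to 203.0.113.7
Jun 10 2008 16:31:29: %PIX-2-106017: Deny IP due to Land Attack from 203.0.113.7 to 203.0.113.7
"""

# Matches only message 106017 and captures timestamp, source and destination.
LAND_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d): %PIX-\d-106017: "
    r"Deny IP due to Land Attack from (?P<src>\S+) to (?P<dst>\S+)", re.IGNORECASE)

def parse_land_events(text):
    """Return sorted (timestamp, src, dst) tuples for every 106017 line."""
    events = []
    for line in text.splitlines():
        m = LAND_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            events.append((ts, m["src"], m["dst"]))
    return sorted(events)

def group_bursts(events, max_gap=timedelta(seconds=30)):
    """Merge events from one source that are at most max_gap apart."""
    bursts = []
    for ts, src, dst in events:
        last = bursts[-1] if bursts else None
        if last and last["src"] == src and ts - last["end"] <= max_gap:
            last["end"] = ts
            last["count"] += 1
        else:
            bursts.append({"src": src, "dst": dst, "start": ts, "end": ts, "count": 1})
    return bursts

def triage(text, outside_ip):
    """Summarise each burst: start, duration, hits, and src == dst == outside IP."""
    return [{
        "start": b["start"].isoformat(sep=" "),
        "seconds": int((b["end"] - b["start"]).total_seconds()),
        "count": b["count"],
        "src_eq_dst_eq_outside": b["src"] == b["dst"] == outside_ip,
    } for b in group_bursts(parse_land_events(text))]

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG, "203.0.113.7"), sep="\n")
```

Recording the start time, duration and hit count of each burst gives concrete data to compare against other log entries from the same seconds and to hand to the ISP.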
