11-28-2008 08:04 PM - edited 03-11-2019 07:19 AM
I have been trying to set up remote access for a client and I'm running into traffic flowing one way.
When I ping from the client (10.10.100.1) to a computer behind the PIX (10.10.11.2) I can see the client sending packets through the tunnel but nothing is received back. When I do a "show crypto ipsec sa" on the PIX I do NOT see any encrypts or decrypts. Below is my config.
THANKS!
-----------
CParkPIX(config)# sh run
: Saved
:
domain-name example.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP_Types
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
icmp-object echo-reply
access-list outside permit icmp any any object-group ICMP_Types
access-list 1 permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 2 permit ip 10.10.11.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list clientvpn permit ip any any
access-list VPN_Client_NONAT permit ip 10.10.12.0 255.255.255.0 10.10.101.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered warnings
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 10.10.101.1-10.10.101.5 mask 255.255.255.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 96.10.27.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.5.41.41 source outside
ntp server 192.5.41.40 source outside prefer
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set J&F esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map J&F_VPN 10 ipsec-isakmp
crypto map J&F_VPN 10 match address 1
crypto map J&F_VPN 10 set peer x.x.x.x
crypto map J&F_VPN 10 set transform-set J&F
crypto map J&F_VPN 20 ipsec-isakmp
crypto map J&F_VPN 20 match address 2
crypto map J&F_VPN 20 set peer x.x.x.x
crypto map J&F_VPN 20 set transform-set J&F
crypto map J&F_VPN 30 ipsec-isakmp dynamic dynmap
crypto map J&F_VPN client configuration address initiate
crypto map J&F_VPN client configuration address respond
crypto map J&F_VPN client authentication LOCAL
crypto map J&F_VPN interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup CaryPark address-pool VPNPool
vpngroup CaryPark dns-server 208.67.222.222 208.67.220.220
vpngroup CPark default-domain example.com
vpngroup CPark split-tunnel clientvpn
vpngroup CPark idle-time 1800
vpngroup CPark password ********
management-access inside
username tony password ipMhl3WOdHCMyFxg encrypted privilege 2
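Added example, not part of the original thread and not a Cisco tool: a small Python checker for the remote-access pieces of a PIX 6.x config. It encodes the checks the replies below walk through by hand (a NAT exemption for the pool, NAT traversal, what the split-tunnel ACL actually permits) plus one thing visible in the config above: the vpngroup lines are split between the names CaryPark and CPark, and vpngroup attributes are keyed by group name. The sample inputs are excerpts of the posted config (before and after the changes made later in the thread); the finding codes, function names and wording are my own.

```python
import ipaddress
import re

# Excerpts of the config in the first post (not the full running config),
# used as sample input; the second is the same excerpt after the changes
# made later in the thread.
CONFIG_AS_POSTED = """\
access-list clientvpn permit ip any any
access-list VPN_Client_NONAT permit ip 10.10.12.0 255.255.255.0 10.10.101.0 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip local pool VPNPool 10.10.101.1-10.10.101.5 mask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpngroup CaryPark address-pool VPNPool
vpngroup CPark split-tunnel clientvpn
vpngroup CPark password ********
"""
CONFIG_AFTER_FIXES = """\
access-list clientvpn permit ip any any
access-list VPN_Client_NONAT permit ip 10.10.11.0 255.255.255.0 10.10.101.0 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip local pool VPNPool 10.10.101.1-10.10.101.5 mask 255.255.255.0
nat (inside) 0 access-list VPN_Client_NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
isakmp nat-traversal 20
vpngroup CPark address-pool VPNPool
vpngroup CPark split-tunnel clientvpn
vpngroup CPark password ********
"""
ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr(tokens):
    """Consume one ACL address spec ('any', 'host A' or 'A MASK')."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(lines):
    """Map ACL name -> [(src_net, dst_net)] for its 'permit ip' entries."""
    acls = {}
    for line in lines:
        m = re.match(r"access-list (\S+) permit ip (.+)", line)
        if not m:
            continue
        try:
            src, rest = _addr(m.group(2).split())
            dst, _ = _addr(rest)
        except (ValueError, IndexError):
            continue  # masked-out (x.x.x.x) or malformed entry: skip it
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def covers(entries, src, dst):
    """True if some entry permits the whole src -> dst pair."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def lint_pix_config(text):
    """Return 'CODE: detail' findings for the remote-access parts of a PIX 6.x
    config: NAT exemption, NAT traversal, split tunnel and vpngroup naming.
    The codes and checks are this example's own, not a Cisco tool's."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    acls = parse_acls(lines)
    findings = []
    inside = pool = None
    for line in lines:
        m = re.match(r"ip address inside (\S+) (\S+)", line)
        if m:
            inside = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        m = re.match(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", line)
        if m:
            pool = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    # 1. Pool <-> inside traffic must be exempt from the nat (inside) 1 PAT rule.
    nat0 = [n for n in (re.match(r"nat \(inside\) 0 access-list (\S+)", l) for l in lines) if n]
    if inside and pool:
        if not nat0:
            findings.append(f"NO_NAT_EXEMPT: no 'nat (inside) 0 access-list', so {inside} -> {pool} is PATed")
        elif not any(covers(acls.get(n.group(1), []), inside, pool) for n in nat0):
            findings.append(f"NAT_EXEMPT_MISS: nat 0 ACL does not cover {inside} -> {pool}")
    # 2. Clients behind NAT need ESP wrapped in UDP/4500.
    if not any(l.startswith("isakmp nat-traversal") for l in lines):
        findings.append("NO_NAT_T: 'isakmp nat-traversal' missing; clients behind NAT cannot pass ESP")
    # 3. A split-tunnel ACL of 'permit ip any any' tunnels everything.
    for line in lines:
        m = re.match(r"vpngroup (\S+) split-tunnel (\S+)", line)
        if m and covers(acls.get(m.group(2), []), ANY, ANY):
            findings.append(f"SPLIT_TUNNEL_ANY: group {m.group(1)} ACL {m.group(2)} is any/any, so clients tunnel 0.0.0.0/0")
    # 4. vpngroup attributes are keyed by name, so a misspelled name drops them.
    attrs = {}
    for line in lines:
        m = re.match(r"vpngroup (\S+) (\S+)", line)
        if m:
            attrs.setdefault(m.group(1), set()).add(m.group(2))
    for group, keys in attrs.items():
        if "password" in keys and "address-pool" not in keys:
            findings.append(f"VPNGROUP_NO_POOL: group {group} has a password but no address-pool (group-name typo?)")
    return findings
```

Run against the posted excerpt it reports all four findings; against the later excerpt only the split-tunnel note remains, which is the "tunnels everything" behaviour the poster sees on XP.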
11-28-2008 10:54 PM
Hi,
I do not see "nat (inside) 0" configured to bypass NAT for IPsec traffic. Can you configure this and retest the connectivity through your VPN client?
Example:
access-list 100 permit ip 10.10.11.0 255.255.255.0 10.10.101.0 255.255.255.0
nat (inside) 0 access-list 100
Please refer to the URL below for additional details.
Regards,
Arul
*Pls rate if it helps*
11-29-2008 05:01 AM
Thanks for your help!!!
That did not seem to fix the issue.
Here is what I added....
access-list VPN_Client_NONAT permit ip 10.10.11.0 255.255.255.0 10.10.101.0 255.255.255.0
nat (inside) 0 access-list VPN_Client_NONAT
I'm still seeing the client sending but I'm not getting anything back. I also am still not seeing any encaps or decaps when using "show crypto ipsec sa".
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.101.1/255.255.255.255/0/0)
current_peer: 196.12.221.4:1025
dynamic allocated peer ip: 10.10.101.1
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 96.10.27.50, remote crypto endpt.: 96.10.241.4
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: ffd97d4c
inbound esp sas:
spi: 0x5da6fcfa(1571224826)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: J&F_VPN
sa timing: remaining key lifetime (k/sec): (4608000/28703)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xffd97d4c(4292443468)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: J&F_VPN
sa timing: remaining key lifetime (k/sec): (4608000/28703)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
11-29-2008 09:07 AM
Have you tried clearing the ISAKMP/IPsec SAs?
Kindly issue these commands:
clear crypto isa sa
clear crypto ips sa
clear xlate
clear arp
clear local
If you are still encountering the same issues, then try to remove these 2 lines:
crypto map J&F_VPN client configuration address initiate
crypto map J&F_VPN client configuration address respond
11-29-2008 12:15 PM
Hi,
Show output really helps. OK, the IPsec packets are not even making it to the PIX firewall.
Can you enable the command "isakmp nat-traversal" on the PIX and then test it again? Also, if the VPN client is behind a firewall, make sure that UDP port 4500 is opened for NAT traversal to work.
Regards,
Arul
*Pls rate if it helps*
11-30-2008 07:01 PM
Thanks for all your help everyone!
None of the commands you guys recommended have worked. After adding the command "isakmp nat-traversal 20" I am now seeing decaps with the "show crypto ipsec sa" command (see below). I have also noticed that when the VPN tunnel is activated on my laptop I can still surf the Internet even though the VPN client shows me as routing "0.0.0.0 0.0.0.0". Any more ideas?
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.101.1/255.255.255.255/0/0)
current_peer: 61.35.228.23:27126
dynamic allocated peer ip: 10.10.101.1
PERMIT, flags={transport_parent,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 204, #pkts decrypt: 204, #pkts verify 204
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 96.10.27.50, remote crypto endpt.: 71.65.238.243
path mtu 1500, ipsec overhead 64, media mtu 1500
current outbound spi: bc23166b
inbound esp sas:
spi: 0xa3a5b81f(2745546783)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2, crypto map: J&F_VPN
sa timing: remaining key lifetime (k/sec): (4607971/28136)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xbc23166b(3156416107)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 1, crypto map: J&F_VPN
sa timing: remaining key lifetime (k/sec): (4608000/28138)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
11-30-2008 08:22 PM
Hi,
Since you are seeing decrypts, we are definitely making progress after the ISAKMP NAT traversal command. The packets are making it to the PIX firewall.
What is the IP address that you are trying to access through the tunnel? Does this host know that it needs to send the packets back to the PIX firewall for the VPN pool of IP addresses? If the end host's default route is pointing back to the PIX, then there is no need for any additional routing.
Next thing, do you have the NAT 0 command that I had asked you to configure in the PIX?
Can you post the current configuration from the Pix, if you have already checked the above two and still have issues with VPN Client connectivity.
Regards,
Arul
*Pls rate if it helps*
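Added example, not from the thread: a Python parser for the counters in the two "show crypto ipsec sa" outputs posted above, with a classifier that applies the reasoning of the replies (an SA present but both counters at zero means ESP never reaches the PIX; decaps without encaps means the return path is the problem). The excerpts are trimmed from the posted outputs. The diagnosis strings, the treatment of a peer port other than 500/4500 as a hint of NAT in the path, and the assumption of port 500 when the output shows none are mine.

```python
import re

# Trimmed excerpts of the two "show crypto ipsec sa" outputs posted in this
# thread, before and after "isakmp nat-traversal 20"; they are the sample input.
SA_BEFORE_NAT_T = """\
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.101.1/255.255.255.255/0/0)
current_peer: 196.12.221.4:1025
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 0, #recv errors 0
inbound esp sas:
spi: 0x5da6fcfa(1571224826)
in use settings ={Tunnel, }
"""
SA_AFTER_NAT_T = """\
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.101.1/255.255.255.255/0/0)
current_peer: 61.35.228.23:27126
PERMIT, flags={transport_parent,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 204, #pkts decrypt: 204, #pkts verify 204
#send errors 0, #recv errors 0
inbound esp sas:
spi: 0xa3a5b81f(2745546783)
in use settings ={Tunnel UDP-Encaps, }
"""


def parse_ipsec_sa(text):
    """Extract the fields a one-way-traffic diagnosis needs from one
    'show crypto ipsec sa' entry (PIX 6.x format)."""
    def counter(name):
        m = re.search(rf"#pkts {name}: (\d+)", text)
        return int(m.group(1)) if m else 0

    peer = re.search(r"^\s*current_peer: (\S+?)(?::(\d+))?$", text, re.M)
    return {
        "peer_ip": peer.group(1) if peer else None,
        # Port shown after the peer address; assume 500 when the output omits it.
        "peer_port": int(peer.group(2)) if peer and peer.group(2) else 500,
        "encaps": counter("encaps"),   # packets the PIX encrypted towards the client
        "decaps": counter("decaps"),   # packets received from the client and decrypted
        "udp_encaps": "UDP-Encaps" in text,   # NAT-T encapsulation active on this SA
        "esp_sa_present": re.search(r"inbound esp sas:\s+spi:", text) is not None,
    }


def diagnose(sa):
    """Classify the SA state the way the replies in this thread reason about it."""
    if not sa["esp_sa_present"]:
        return "NO_SA: phase 2 never completed; check ISAKMP policy, transform set and dynamic map"
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        msg = "NO_ESP_RECEIVED: SA is up but no ESP from the client reaches the PIX"
        # A peer port other than 500/4500 means a NAT device rewrote the ISAKMP
        # source port; without NAT-T the ESP behind that NAT is dropped.
        if sa["peer_port"] not in (500, 4500) and not sa["udp_encaps"]:
            msg += (f" (peer port {sa['peer_port']} suggests NAT in the path:"
                    " enable 'isakmp nat-traversal' and allow UDP/4500)")
        return msg
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        return ("ONE_WAY: client packets decrypt but nothing is sent back;"
                " check the nat 0 exemption for the pool and that inside hosts"
                " route the pool back to the PIX")
    return "BIDIRECTIONAL: traffic is flowing both ways"
```

Calling diagnose(parse_ipsec_sa(...)) on the first excerpt gives the NAT-traversal advice; on the second it points at the return path, which is where the thread goes next.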
11-30-2008 08:51 PM
OK, this is weird. I am able to connect via my Windows XP and Vista machines but I can only successfully ping a device behind the PIX using the XP machine. I have disabled my local firewall on the Vista machine thinking that might be causing the issue, but that did not work. The XP machine fails when I try to go to the Internet because my VPN group "CPark" tunnels everything (0.0.0.0 0.0.0.0). The Vista machine is able to browse the Internet even when it is connected via the same group (CPark). Sounds like a Vista issue, any thoughts?
hostname CParkPIX
domain-name example.com
object-group icmp-type ICMP_Types
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
icmp-object echo-reply
access-list outside permit icmp any any object-group ICMP_Types
access-list outside permit ip host x.x.x.x host x.x.x.x
access-list 1 permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 2 permit ip 10.10.11.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list clientvpn permit ip any any
access-list VPN_Client_NONAT permit ip 10.10.11.0 255.255.255.0 10.10.101.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered warnings
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 10.10.101.1-10.10.101.5 mask 255.255.255.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN_Client_NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.10.11.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3390 10.10.11.3 3390 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.5.41.41 source outside
ntp server 192.5.41.40 source outside prefer
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set J&F esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map J&F_VPN 10 ipsec-isakmp
crypto map J&F_VPN 10 match address 1
crypto map J&F_VPN 10 set peer x.x.x.x
crypto map J&F_VPN 10 set transform-set J&F
crypto map J&F_VPN 20 ipsec-isakmp
crypto map J&F_VPN 20 match address 2
crypto map J&F_VPN 20 set peer x.x.x.x
crypto map J&F_VPN 20 set transform-set J&F
crypto map J&F_VPN 30 ipsec-isakmp dynamic dynmap
crypto map J&F_VPN client configuration address initiate
crypto map J&F_VPN client configuration address respond
crypto map J&F_VPN client authentication LOCAL
crypto map J&F_VPN interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup CPark address-pool VPNPool
vpngroup CPark dns-server 208.67.222.222 208.67.220.220
vpngroup CPark default-domain example.com
vpngroup CPark split-tunnel clientvpn
vpngroup CPark idle-time 1800
vpngroup CPark password ********
management-access inside
username tony password ipMhl3WOdHCMyFxg
11-30-2008 09:34 PM
This is taken from another post and it FIXED my issue with Vista.
-------
I've had a similar problem. My issue is that I CAN browse the internet when my vpn is active (not allowed as vpn profile is not configured for local LAN access) and CANNOT ping or access any network resources.
I tried the route delete method and this does work; however, in my case when I disconnect the VPN I have to disable and re-enable my wireless connection to re-create the other route that was deleted.
I found an alternative solution. In my case when I ran "route print" from a command line after being connected to the VPN, the two routes for 0.0.0.0 were listed in reverse with respect to the METRIC value. I opened the connection properties of both the Cisco VPN Adapter and my wireless connection and modified the metric value in the TCP/IPv4 advanced properties. This way, when my VPN is active the VPN Adapter has a lower metric value than the wireless adapter.
I have experienced this issue on all of our Vista clients so far. I can't tell whether this is an issue with Vista or the client. XP works great and has never had a problem. It would be nice if an engineer could shed some light on why this happens.
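Added example, not from the quoted post: a Python check that reads a Windows "route print" table and reports which 0.0.0.0 route wins (lowest metric) and whether it leaves through a non-VPN interface, which is the leak described above: the group tunnels everything, yet Internet traffic goes out the wireless adapter. The two tables are constructed, not copied from a real machine; the VPN adapter is recognised by its address falling inside the PIX pool 10.10.101.0/24 from the config in this thread.

```python
import ipaddress

# Constructed "route print" excerpts (illustrative values, not from a real
# machine): the same Vista host with the VPN up, before and after lowering
# the VPN adapter's interface metric as described in the quoted post.
ROUTE_PRINT_BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10      10
          0.0.0.0          0.0.0.0      10.10.101.1     10.10.101.1      25
      192.168.1.0    255.255.255.0         On-link     192.168.1.10     266
"""
ROUTE_PRINT_AFTER = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10      25
          0.0.0.0          0.0.0.0      10.10.101.1     10.10.101.1       1
      192.168.1.0    255.255.255.0         On-link     192.168.1.10     266
"""
# Address pool the PIX in this thread hands to VPN clients.
VPN_POOL = ipaddress.ip_network("10.10.101.0/24")


def default_routes(route_print):
    """Return [(gateway, interface_ip, metric)] for every 0.0.0.0/0 row."""
    routes = []
    for line in route_print.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == f[1] == "0.0.0.0" and f[4].isdigit():
            routes.append((f[2], f[3], int(f[4])))
    return routes


def default_route_leak(route_print, vpn_pool=VPN_POOL):
    """Pick the default route Windows will use (lowest metric wins) and report
    whether it leaves through a non-VPN interface, i.e. whether traffic that a
    0.0.0.0/0 tunnel policy should carry is going out in the clear."""
    routes = default_routes(route_print)
    if not routes:
        raise ValueError("no default route present")
    gateway, iface, metric = min(routes, key=lambda r: r[2])
    via_vpn = ipaddress.ip_address(iface) in vpn_pool
    return {"gateway": gateway, "interface": iface, "metric": metric, "leaks": not via_vpn}
```

With the first table the wireless adapter's default route wins and the check reports a leak; after the metric change the VPN adapter's route wins and it does not.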
12-01-2008 05:11 AM
Thanks for all the help ajagadee and acsalangad!