Pix 506E VPN and Remote Access

peteb41976 · ‎12-10-2008

I keep revisiting setting up rdp over VPN with a pix 506e. It works, then fails, I give up, try again, etc... Anyway, I am able to establish the vpn. However, I can't consistently connect to one of the machines on the inside. Here is my config and I would appreciate any help.

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.224

access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.224

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside X.X.X.X 255.255.255.0

ip address inside 10.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 192.168.2.1-192.168.2.29

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 X.X.X.1 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.1.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpn3009 address-pool ippool

vpngroup vpn3009 dns-server X.X.X.X X.X.X.X

vpngroup vpn3009 idle-time 1800

vpngroup vpn3009 password **********

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.1.1.2-10.1.1.254 inside

dhcpd dns X.X.X.X X.X.X.X

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

John Blakley · ‎12-10-2008

Where is the terminal server? Is it on the opposite side of the VPN or on this side? If it's on this side, is it on the same subnet as the pix inside interface, or is there another device that's routing for you in between?

HTH,

John

HTH, John *** Please rate all useful posts ***

peteb41976 · ‎12-11-2008

Terminal Server is on the inside - 10.1.1.2 directly attached to the pix. There is another nic on the server - 192.168.1.95 - which is attached to my internal network subnet.

ajagadee · ‎12-10-2008

Hi,

Is this happening for all Remote VPN Clients or specific users. Have you checked the MTU Settings on the Client side. Try lowering the MTU to 1300 or below and see if the problem goes away.

Regards,

Arul

*Pls rate if it helps*

peteb41976 · ‎12-11-2008

Happens for all connections.

ajagadee · ‎12-11-2008

Check the IP Address of Routing on the server. I see that you are assigning IP Address via DHCP to the clients behind the Pix and this includes the 10.1.1.2 address. DHCP is not the best/optimal way to assign ip address to a server, because we dont know if the server will get the same ip address every time. So, I would recommend that you hardcode the IP Address on the Server and also remove the 10.1.1.2 from the range of DHCP Address.

Also, If you configure a static address on the server, make sure the default gateway is pointing to the Pix or a route for the VPN Pool of IP Addresses is added on the server.

Regards,

Arul

*Pls rate if it helps*

ajagadee · ‎12-11-2008

Thanks for the info. As per my previous post, check the routing first and then if you still run into any issues, post the updated configuration along with show crypto isakmp sa and show crypto ipsec sa and we will investigate the issue further.

Regards,

Arul

*Pls rate if it helps*

peteb41976 · ‎12-12-2008

Here is the new config.

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.224

access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.224

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside X.X.X.X 255.255.255.0

ip address inside 10.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 192.168.2.1-192.168.2.29

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 X.X.X.X 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.1.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpn3009 address-pool ippool

vpngroup vpn3009 dns-server 10.1.1.1 X.X.X.X

vpngroup vpn3009 idle-time 1800

vpngroup vpn3009 password *************

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

terminal width 80

ajagadee · ‎12-17-2008

Are you still having issues connecting to the server. Can you post the output of "show cry is sa" and "show cry ips sa" when the vpn client is connected and trying to ping the server.

What about the routing on the server? Is it configured correctly to route the packets for the VPN pool of ip addresses back to the Pix.

Regards,

Arul

*Pls rate all helpful posts*