VPN Clients get IPSEC-spoof error when accessing internal resources

Unanswered Question
Apr 1st, 2010

I am having a vexing issue. I have a PIX 525 with PIXOS 8.04. I have set up an IPSec VPN group and the client can connect to the VPN just fine with the Cisco VPN client. Yet, when they try to access an internal resource in one of the DMZs, they are unable to. When I run the packet-tracer utility specifying the exact traffic type from that IP BEFORE a client connects, the traffic flows through just fine. After a client connects, they are unable to access the resources and the packet-tracer utility gives at the last stage an IPSEC-spoof error. I have looked at other posts on here regarding this issue and tried a couple of things such as enabling IPSec over TCP and using NAT-T, but nothing seems to work. I'm at wit's end with this. Any suggestions are very much welcome. Below is a scrubbed config. I edited it to only include the DMZ that we are trying to access via VPN, DMZ-CM. Just in case the packet-tracer is throwing off an erroneous result, we have tried it with real traffic, but the result is the same, no good.



PIX Version 8.0(4)
!
hostname pix
domain-name rcserveny.com
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address xx.xx.xx.174 255.255.255.248
!
interface Ethernet1
nameif DMZ1
security-level 50
ip address 192.168.30.1 255.255.255.248
!
interface Ethernet2
speed 100
duplex full
nameif DMZ-ESX
security-level 80
ip address 192.168.50.1 255.255.255.248
!            
interface Ethernet3
speed 100   
duplex full 
nameif DMZ-IBM
security-level 60
ip address 192.168.10.1 255.255.255.240
!            
interface Ethernet4
description to CAT-3550,vlan600,int2
speed 100   
duplex full 
nameif DMZ-CM
security-level 70
ip address 172.16.0.1 255.255.0.0
!            
interface Ethernet5
speed 100   
duplex full 
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!            
ftp mode passive
dns server-group DefaultDNS
domain-name rcserveny.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list INSIDE_IN extended permit ip 10.0.0.0 255.0.0.0 any
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.240
access-list INSIDE_IN extended permit ip 10.2.2.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended deny ip 0.0.0.0 255.0.0.0 any
access-list OUTSIDE_IN extended deny ip 127.0.0.0 255.0.0.0 any
access-list OUTSIDE_IN extended deny ip 172.16.0.0 255.240.0.0 any
access-list OUTSIDE_IN extended deny ip 224.0.0.0 224.0.0.0 any
access-list OUTSIDE_IN extended permit tcp 10.0.0.0 255.0.0.0 host 172.16.0.2 eq https
access-list OUTSIDE_IN extended permit udp 10.0.0.0 255.0.0.0 host 172.16.0.2 eq tftp
access-list OUTSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 172.16.0.2 eq 8443
access-list OUTSIDE_IN extended permit udp 10.1.1.0 255.255.255.0 host 172.16.0.2 eq tftp
access-list OUTSIDE_IN extended permit tcp 10.2.2.0 255.255.255.0 host 172.16.0.2 eq 8443
access-list OUTSIDE_IN extended permit udp 10.2.2.0 255.255.255.0 host 172.16.0.2 eq tftp
access-list OUTSIDE_IN extended permit tcp 10.2.2.0 255.255.255.0 host 172.16.0.4 eq 8443
access-list OUTSIDE_IN extended permit tcp 10.2.2.0 255.255.255.0 host 172.16.0.4 eq https
access-list OUTSIDE_IN extended permit tcp 10.2.2.0 255.255.255.0 host 172.16.0.2 eq https
access-list outside_in extended permit tcp any host 96.56.78.171 eq lotusnotes
access-list vpn2_splitTunnelAcl standard permit host 10.1.1.1
access-list WENLU_SPLIT extended permit ip 10.0.0.0 255.0.0.0 192.168.112.0 255.255.252.0
access-list WenluG_splitTunnelAcl standard permit 192.168.30.0 255.255.255.248
access-list WenluG_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list DMZ1_nat0_outbound extended permit ip 192.168.30.0 255.255.255.248 10.1.1.0 255.255.255.192
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list abramowitz01_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list abramowitz01_splitTunnelAcl_1 standard permit 10.1.1.0 255.255.255.0
access-list DMZ-CM_IN extended permit ip any any
access-list DMZ-CM_IN extended permit udp any any
access-list DMZ-CM_IN extended permit tcp host 172.16.0.2 host 172.16.0.254 eq h323
access-list DMZ-CM_IN extended permit icmp host 172.16.0.2 any
access-list RonanM_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
access-list RonanM_splitTunnelAcl standard permit 192.168.50.0 255.255.255.248
access-list RonanM_splitTunnelAcl standard permit 192.168.10.0 255.255.255.240
access-list RonanM_splitTunnelAcl standard permit 192.168.30.0 255.255.255.248
access-list RonanM_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list RonanM2_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list RonanM2_splitTunnelAcl standard permit 192.168.10.0 255.255.255.240
access-list RonanM2_splitTunnelAcl standard permit 192.168.50.0 255.255.255.248
access-list RonanM2_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
access-list DMZ-CM_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.192
access-list DMZ-CM_nat0_outbound extended permit ip 192.168.10.0 255.255.255.240 10.1.1.0 255.255.255.192
access-list DMZ-CM_nat0_outbound extended permit ip 192.168.50.0 255.255.255.248 10.1.1.0 255.255.255.192
access-list DMZ-CM_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.192
access-list DMZ-CM_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.2.2.0 255.255.255.240
access-list DMZ-CM_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list abramowitz_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
access-list abramowitz_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list DMZ-IBM extended permit tcp host 192.168.10.2 any eq ftp
access-list dmarsh_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
access-list Wenlu_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
access-list Wenlu_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list wenlu1_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
access-list wenlu1_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list wenlu1_splitTunnelAcl standard permit 192.168.50.0 255.255.255.248
access-list DMZ-ESX_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.2.2.0 255.255.255.240
access-list DMZ-ESX_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.240
access-list DMZ-ESX_nat0_outbound extended permit ip 192.168.50.0 255.255.255.248 10.2.2.0 255.255.255.240
access-list wenlu2_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
access-list wenlu2_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging monitor emergencies
logging asdm informational
logging host inside 10.1.1.101 format emblem
mtu inside 1500
mtu outside 1500
mtu DMZ1 1500
mtu DMZ-ESX 1500
mtu DMZ-IBM 1500
mtu DMZ-CM 1500
ip local pool internal 10.1.1.31-10.1.1.40 mask 255.255.255.0
ip local pool CUCM-Enable 10.2.2.1-10.2.2.10 mask 255.255.255.0
ip local pool CUCM-2 10.2.2.11-10.2.2.20 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface DMZ-IBM
no failover  
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (DMZ-CM) 102 interface
nat (inside) 0 access-list nonnat_inside_DMZ1
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ1) 0 access-list DMZ1_nat0_outbound
nat (DMZ-ESX) 0 access-list DMZ-ESX_nat0_outbound
nat (DMZ-IBM) 101 192.168.10.0 255.255.255.248
nat (DMZ-CM) 0 access-list DMZ-CM_nat0_outbound
static (inside,DMZ-CM) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
access-group DMZ1_IN in interface DMZ1
access-group DMZ-ESX_IN in interface DMZ-ESX
access-group DMZ-IBM_IN in interface DMZ-IBM
access-group DMZ-CM_IN in interface DMZ-CM
route outside 0.0.0.0 0.0.0.0 96.56.78.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha    
group 2     
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha    
group 2     
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.101-10.1.1.200 inside
dhcpd dns 167.206.112.138 167.206.7.4 interface inside
dhcpd domain rcserveny.com interface inside
dhcpd enable inside
!            
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy WenluG internal
group-policy WenluG attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value WenluG_splitTunnelAcl
group-policy wenlu internal
group-policy wenlu attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value WENLU_SPLIT
default-domain value rcserveny.com
group-policy Wenlu internal
group-policy Wenlu attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Wenlu_splitTunnelAcl
group-policy wenlu2 internal
group-policy wenlu2 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value wenlu2_splitTunnelAcl
group-policy wenlu1 internal
group-policy wenlu1 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value wenlu1_splitTunnelAcl
group-policy abramowitz01 internal
group-policy abramowitz01 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value abramowitz01_splitTunnelAcl
group-policy abramowitz01_1 internal
group-policy abramowitz01_1 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value abramowitz01_splitTunnelAcl_1
group-policy abramowitz internal
group-policy abramowitz attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value abramowitz_splitTunnelAcl
group-policy vpn2 internal
group-policy vpn2 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn2_splitTunnelAcl
group-policy dmarsh internal
group-policy dmarsh attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dmarsh_splitTunnelAcl
group-policy RonanM internal
group-policy RonanM attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RonanM_splitTunnelAcl
group-policy RonanM2 internal
group-policy RonanM2 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RonanM2_splitTunnelAcl
username wenlu password STohd936GaX5zs9O encrypted privilege 0
username wenlu attributes
vpn-group-policy wenlu
username abramowitz password U1jUC5vY4weD8M4k encrypted privilege 1
username dmarsh password 08AXDrYE01/dFvaW encrypted privilege 0
username dmarsh attributes
vpn-group-policy dmarsh
username ronan password Tj9bK7nWP28muiZR encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool internal
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group Wenlu type remote-access
tunnel-group Wenlu general-attributes
address-pool internal
address-pool CUCM-Enable
default-group-policy Wenlu
tunnel-group Wenlu ipsec-attributes
pre-shared-key *
tunnel-group abramowitz type remote-access
tunnel-group abramowitz general-attributes
address-pool CUCM-Enable
default-group-policy abramowitz
tunnel-group abramowitz ipsec-attributes
pre-shared-key *
tunnel-group wenlu1 type remote-access
tunnel-group wenlu1 general-attributes
address-pool CUCM-Enable
default-group-policy wenlu1
tunnel-group wenlu1 ipsec-attributes
pre-shared-key *
tunnel-group dmarsh type remote-access
tunnel-group dmarsh general-attributes
address-pool CUCM-Enable
default-group-policy dmarsh
tunnel-group dmarsh ipsec-attributes
pre-shared-key *
tunnel-group RonanM type remote-access
tunnel-group RonanM general-attributes
address-pool CUCM-Enable
default-group-policy RonanM
tunnel-group RonanM ipsec-attributes
pre-shared-key *
tunnel-group RonanM2 type remote-access
tunnel-group RonanM2 general-attributes
address-pool internal
default-group-policy RonanM2
tunnel-group RonanM2 ipsec-attributes
pre-shared-key *
tunnel-group wenlu type remote-access
tunnel-group wenlu general-attributes
address-pool CUCM-2
default-group-policy wenlu
tunnel-group wenlu ipsec-attributes
pre-shared-key *
tunnel-group vpn2 type remote-access
tunnel-group vpn2 general-attributes
address-pool internal
default-group-policy vpn2
tunnel-group vpn2 ipsec-attributes
pre-shared-key *
tunnel-group WenluG type remote-access
tunnel-group WenluG general-attributes
address-pool CUCM-Enable
default-group-policy WenluG
tunnel-group WenluG ipsec-attributes
pre-shared-key *
tunnel-group abramowitz01 type remote-access
tunnel-group abramowitz01 general-attributes
address-pool CUCM-Enable
default-group-policy abramowitz01_1
tunnel-group abramowitz01 ipsec-attributes
pre-shared-key *
tunnel-group wenlu2 type remote-access
tunnel-group wenlu2 general-attributes
address-pool CUCM-Enable
default-group-policy wenlu2
tunnel-group wenlu2 ipsec-attributes
pre-shared-key *
!            
class-map inspection_default
match default-inspection-traffic
!            
!            
policy-map type inspect dns preset_dns_map
parameters  
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect esmtp
!            
service-policy global_policy global
prompt hostname context

: end   

Jennifer Halim Fri, 04/02/2010 - 00:27

Which tunnel-group and group-policy are you connecting to with your VPN Client?
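The reply's question (which tunnel-group, and therefore which address pool, group-policy and split-tunnel list the client lands in) can be answered mechanically from the posted config, and the same pass can check whether every address a pool can hand out is actually exempted from NAT on the DMZ-CM interface by the `nat (DMZ-CM) 0 access-list DMZ-CM_nat0_outbound` entries. The script below is an added example, not code from the question or the reply: it parses an excerpt of the posted config (only the pool, access-list, nat 0, group-policy and tunnel-group lines), maps each tunnel-group to its pool(s), group-policy and split-tunnel ACL, and reports pool addresses that no nat-exempt entry covers. Assumptions: DMZ-CM's subnet is taken as 172.16.0.0/16 from the interface line, and for an extended ACL used as a split-tunnel list the source operand is treated as the protected network; indentation of attribute lines is not relied on, since the posted config lost it.

```python
"""Map PIX/ASA 8.x remote-access tunnel-groups to pools and split-tunnel lists,
and check each pool against the DMZ interface's nat 0 (NAT-exempt) ACL.
Added example; the config excerpt below is copied from the posted config."""
import ipaddress
from collections import defaultdict

# Excerpt of the configuration posted in the question (lines this check needs).
SAMPLE_CONFIG = """\
ip local pool internal 10.1.1.31-10.1.1.40 mask 255.255.255.0
ip local pool CUCM-Enable 10.2.2.1-10.2.2.10 mask 255.255.255.0
ip local pool CUCM-2 10.2.2.11-10.2.2.20 mask 255.255.255.0
access-list WENLU_SPLIT extended permit ip 10.0.0.0 255.0.0.0 192.168.112.0 255.255.252.0
access-list DMZ-CM_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.192
access-list DMZ-CM_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.192
access-list DMZ-CM_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.2.2.0 255.255.255.240
access-list DMZ-CM_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list Wenlu_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
access-list Wenlu_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
nat (DMZ-CM) 0 access-list DMZ-CM_nat0_outbound
group-policy wenlu attributes
split-tunnel-network-list value WENLU_SPLIT
group-policy Wenlu attributes
split-tunnel-network-list value Wenlu_splitTunnelAcl
tunnel-group Wenlu general-attributes
address-pool internal
address-pool CUCM-Enable
default-group-policy Wenlu
tunnel-group wenlu general-attributes
address-pool CUCM-2
default-group-policy wenlu
"""


def parse_addr(tok, i):
    """Parse one PIX address operand at tok[i] ('any', 'host X', or 'NET MASK')."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    # ipaddress accepts a dotted netmask after the slash (e.g. 255.255.255.240)
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect pools, ACL entries, nat 0 bindings, group-policies and tunnel-groups."""
    cfg = {"pools": {}, "acls": defaultdict(list), "nat0": {}, "gp": {}, "tg": {}}
    ctx = None  # (kind, name) of the attributes block the current line belongs to
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif tok[0] == "access-list" and tok[2:4] == ["standard", "permit"]:
            cfg["acls"][tok[1]].append((parse_addr(tok, 4)[0], None))
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, j = parse_addr(tok, 5)
            cfg["acls"][tok[1]].append((src, parse_addr(tok, j)[0]))
        elif tok[0] == "nat" and tok[2] == "0" and tok[3] == "access-list":
            cfg["nat0"][tok[1].strip("()")] = tok[4]
        elif tok[0] == "group-policy" and tok[-1] == "attributes":
            ctx = ("gp", tok[1])
            cfg["gp"].setdefault(tok[1], {})
        elif tok[0] == "tunnel-group" and tok[-1] == "general-attributes":
            ctx = ("tg", tok[1])
            cfg["tg"].setdefault(tok[1], {"pools": []})
        elif ctx and ctx[0] == "gp" and tok[0] == "split-tunnel-network-list":
            cfg["gp"][ctx[1]]["split"] = tok[2]
        elif ctx and ctx[0] == "tg" and tok[0] == "address-pool":
            cfg["tg"][ctx[1]]["pools"].append(tok[1])
        elif ctx and ctx[0] == "tg" and tok[0] == "default-group-policy":
            cfg["tg"][ctx[1]]["gp"] = tok[1]
    return cfg


def check_tunnel_group(cfg, tg_name, dmz_iface, dmz_net):
    """Findings for one tunnel-group against one DMZ interface and its subnet."""
    tg = cfg["tg"][tg_name]
    gp = cfg["gp"].get(tg.get("gp"), {})
    dmz = ipaddress.ip_network(dmz_net)
    # Destination networks of nat 0 entries whose source could be a DMZ host;
    # a client address outside all of them gets translated instead of exempted.
    exempt_dst = [dst for src, dst in cfg["acls"].get(cfg["nat0"].get(dmz_iface, ""), [])
                  if dst is not None and src.overlaps(dmz)]
    uncovered = []
    for pool in tg["pools"]:
        lo, hi = cfg["pools"][pool]
        for a in range(int(lo), int(hi) + 1):
            ip = ipaddress.ip_address(a)
            if not any(ip in d for d in exempt_dst):
                uncovered.append(str(ip))
    # Standard split entries name the tunneled network; for an extended entry
    # the source operand is taken as the protected network (assumption noted above).
    split_nets = [src for src, _ in cfg["acls"].get(gp.get("split", ""), [])]
    return {"group_policy": tg.get("gp"), "pools": list(tg["pools"]),
            "nat_exempt_gaps": uncovered,
            "dmz_in_split_tunnel": any(dmz.subnet_of(n) for n in split_nets)}


def report(cfg, dmz_iface, dmz_net):
    """Run the check for every tunnel-group in the config."""
    return {name: check_tunnel_group(cfg, name, dmz_iface, dmz_net) for name in cfg["tg"]}


if __name__ == "__main__":
    for name, r in report(parse_config(SAMPLE_CONFIG), "DMZ-CM", "172.16.0.0/16").items():
        print(name, r)
```

Run against the excerpt, tunnel-group `Wenlu` (pools `internal` and `CUCM-Enable`) has every address inside a nat-exempt destination and DMZ-CM in its split list, while tunnel-group `wenlu` (pool `CUCM-2`, 10.2.2.11-10.2.2.20) leaves 10.2.2.16 through 10.2.2.20 outside the `10.2.2.0 255.255.255.240` exemption and has no DMZ-CM network in `WENLU_SPLIT`; the case-sensitive names make it easy to connect to the wrong one, which is exactly why the reply asks which tunnel-group is in use.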
