Newbie PIX506E VPN partial success

jpenney (Level 1)

I have a cisco VPN client connecting to my PIX, it's getting an IP address from the PIX, and I see debug messages indicating that it has connected. However, I cannot seem to do anything on the VPN network - can't ping, can't "net view", can't http to the web server that's on my server network. I will post my firewall configs.

My network is:

client - switch - PIX - switch - PIX - switch - server

I'm using 2 PIX to simulate a firewalled remote site as well as the VPN.

Here's my VPN Client ipconfig output after connection:

Ethernet adapter Local Area Connection:

Connection-specific...:
IP Address...: 192.168.3.13
Subnet Mask...:255.255.255.0
Default Gateway...:192.168.3.254

(this is the cisco vpn client below)

Ethernet adapter Local Area Connection 2:

Connection-specific...:
IP Address... : 192.168.2.101
Subnet Mask...:255.255.255.0
Default Gateway...:192.168.2.101


jpenney (Level 1)

Client side PIX config:

-----------------------

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname pixfirewall1
domain-name my-turn.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any
access-list outside permit tcp any any
access-list outside permit udp any any
access-list outside permit ip any any
pager lines 40
icmp deny host 200.1.1.2 outside
icmp deny host 200.1.1.1 outside
mtu outside 1500
mtu inside 1500
ip address outside 200.1.1.1 255.255.255.0
ip address inside 192.168.3.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.3.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username administrator password xxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxx
: end

jpenney (Level 1)

Server Side PIX Config:

------------------------

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname pixfirewall2
domain-name my-turn.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit tcp any host 200.1.1.2 eq www
access-list 102 permit tcp any host 200.1.1.2 eq www
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit udp 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging buffered errors
logging trap notifications
mtu outside 1500
mtu inside 1500
ip address outside 200.1.1.2 255.255.255.0
ip address inside 192.168.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool internetpool 200.1.1.101-200.1.1.120
ip local pool test 192.168.2.101-192.168.2.199
pdm location 192.168.2.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.2.1 www netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool test
vpngroup vpn3000 default-domain MyTurnTest.local
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 10
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username administrator password xxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxx
: end

Hi

On your server-side PIX add the following

pix(config t)# isakmp nat-traversal

The problem is that the client-side PIX is doing PAT, and this will break the IPsec.

Alternatively you could exempt your client from being natted on the client pix.

HTH

Jon

Thanks Jon, that worked great. I'm moving on to my next phase, which is to get it working with IPSec/TCP on tcp port 80. This is how I'm hoping to scoot through the firewalls that most of my outlying offices are behind. I've found the setting on the client, now I have to figure out the settings on the firewall. Any help?

Thanks,

JP

Thanks Jon,

I had to leave for the night and I thought this was working yesterday, but now I've changed a few things and I'm wondering if you have any thoughts on this. Again, I am connecting, I am seeing the isakmp approvals and I'm getting an IP address from the VPN pool.

Problems:

1) I'm getting a default gateway equal to my own vpn address - is this correct?

2) I'm unable to get a web page from the web server on the 192.168.2.0 network, I can't ping the web server from the vpn client, I can't telnet to 192.168.2.254 from the vpn client. Any idea why? Is it a routing problem?

Thanks, I'm still reading up.

JP

1. Yes

2. The vpn client pool should never be the same subnet as any other network inside the pix.

OK, thanks - I changed the pool to be:

ip local pool bettertest 192.168.4.101-192.168.4.199

and my vpngroup address-pool statement:

vpngroup vpn3000 address-pool bettertest

and I removed the vpngroup vpn3000 address-pool test and ip local pool test statements.

I'm assuming there's a route I need to add now, I'll take any suggestions anyone has on that.

Thanks,

JP

Did you change your nonat acl to reflect the change in your vpn pool?

Just noticed your nonat acl is backwards anyway, it should be...

access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
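The three fixes the replies in this thread arrive at (NAT-T on the server PIX, a VPN pool that is not inside any LAN subnet, and a nat 0 exemption that reads inside network to pool) can be checked mechanically before a config is loaded. The lint below is an added example, not code from the thread or from Cisco; it assumes PIX 6.x syntax, handles only network/mask ACEs (not the host or any keywords), and its sample configs are constructed from the lines posted above.

```python
import ipaddress
import re

# Constructed sample: the VPN-relevant lines of the server-side PIX config as first
# posted in the thread (pool inside the LAN subnet, backwards nonat ACE, no NAT-T) ...
ORIGINAL_CFG = """ip address inside 192.168.2.254 255.255.255.0
ip local pool test 192.168.2.101-192.168.2.199
access-list nonat permit ip 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup vpn3000 address-pool test"""
# ... and the same lines after the fixes the replies suggest.
FIXED_CFG = """ip address inside 192.168.2.254 255.255.255.0
ip local pool bettertest 192.168.4.101-192.168.4.199
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp nat-traversal
vpngroup vpn3000 address-pool bettertest"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_vpn_config(cfg):
    # Returns one finding string per problem; an empty list means all three checks pass.
    inside, pools, aces, nat0_acl, groups, natt = None, {}, {}, None, [], False
    for line in cfg.splitlines():
        if m := re.match(r"ip address inside (\S+) (\S+)", line):
            inside = net(m[1], m[2])
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            aces.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            nat0_acl = m[1]
        elif m := re.match(r"vpngroup \S+ address-pool (\S+)", line):
            groups.append(m[1])
        elif line.strip() == "isakmp nat-traversal":
            natt = True
    findings = []
    if not natt:  # ESP carries no port numbers, so a PAT device cannot translate it
        findings.append("no 'isakmp nat-traversal': clients behind PAT will fail")
    for name in groups:
        lo, hi = pools[name]
        # Inside hosts see a pool address in their own subnet as local and ARP for it
        # instead of sending replies to the PIX, so the pool must be a separate subnet.
        if inside is not None and (lo in inside or hi in inside):
            findings.append(f"pool {name} overlaps inside subnet {inside}")
        # The NAT-exemption ACE must read inside-network -> pool, not the reverse.
        if not any(src == inside and lo in dst and hi in dst
                   for src, dst in aces.get(nat0_acl, [])):
            findings.append(f"no nat 0 exemption from {inside} to pool {name}")
    return findings
```

Running it on the original config reports the missing NAT-T and the overlapping pool; changing only the pool, as JP did, then trips the nat 0 check, which is the question Jon asked next.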

Thanks!

I have to reapply some of the config I listed, because I didn't write mem yesterday. I'll make the change you suggested.

JP

That got me exactly where I wanted to be - I can now ping the web server and load pages from it. Thanks!

Now I'm going to try to do it with port 80 from the VPN client, I'll update this when I know if that's working.

OK,

I changed the client to use IPSec/TCP using port 80. There is a static route on the server PIX, designed to allow access to the web server, and I think it's going to have to go away for now.

If there is a static:

static (inside,outside) tcp interface 80 192.168.2.1 80 netmask 255.255.255.255 0 0

then the vpn client initiates TCP but loops while "Contacting the security gateway at 200.1.1.2".

This makes sense, because the port 80 tcp traffic is being routed to the web server, which is not a security gateway.

If there is no static, then the vpn client cannot initiate a tcp session. It stalls at "Initiating TCP to 200.1.1.2".

I don't understand why it can't initiate tcp?

So more reading.

Thanks,

JP


OK,

I can reliably get IPSec/UDP to work now that I've learned a little bit about how this all works. What I want to do now is set up the PIX to accept IPSec/TCP connections on port 80. If I get that working, I can then take a little breather. I'm seeing that you can do it easily on a concentrator, but I haven't found the PIX 506e commands for it yet (running PIX Version 6.3(5)).

Thanks for your help!

JP

Version 6 does not support ipsec over tcp. You need version 7.
