10-08-2007 05:47 PM - edited 03-11-2019 04:22 AM
Greetings,
I have a PC on my LAN which I sometimes use to establish a VPN tunnel with a remote network via Cisco VPN Client. I use a Cisco router as my gateway router via broadband to gain access to the Internet and employ PAT for address translation. I upgraded the IOS to 12.2(15)T16 to support NAT Transparency, and I was able to establish the tunnel with this configuration.
I recently acquired a Cisco 506E PIX Firewall (Version 6.3(4)) to aid in my CCSP studies and integrated it into my network infrastructure. I inserted the PIX in between my router and cable modem and offloaded the PAT from the router to the PIX. I set up the firewall with a basic configuration and I was able to access the Internet perfectly, but I could not establish the VPN tunnel via the Cisco VPN Client. Other than removing the PAT commands on the router, its configuration remained the same. I tried several configurations, including enabling ISAKMP on both interfaces and activating ISAKMP NAT-Traversal, but none worked. I finally was able to get the tunnel to establish by issuing the following command: fixup protocol esp-ike, and creating an inbound ACL on the outside interface allowing ESP from the remote system in.
My question is, is there a better way to do this without using the inbound access-list on the outside interface? Doesn't the PIX have a built-in NAT-Transparency system like the routers? Here is a sanitized version of the PIX configuration.
Thank you for your time!
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list TEST permit ip 10.0.0.0 255.255.252.0 any
access-list TEST permit esp 10.0.0.0 255.255.252.0 any
access-list VPN_CLIENT permit esp host 1.2.3.4 any
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.16.0.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.252.0 0 0
access-group VPN_CLIENT in interface outside
access-group TEST in interface inside
route inside 10.0.0.0 255.255.252.0 172.16.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
10-09-2007 03:37 PM
Bump
10-09-2007 05:34 PM
It's not clear in your post what the device is you are peering to. That device is what should have NAT-T enabled. The fact that you had to enable fixup esp-ike means NAT-T was not working.
Also, you should be able to remove "access-list VPN_CLIENT permit esp host 1.2.3.4 any" and apply "sysopt connection permit-ipsec".
10-20-2007 06:38 AM
Thank you for the response.
When I remove the outside interface's ACL and apply "sysopt connection permit-ipsec", the connection fails.
Included is some of the log file with ISAKMP debugging on:
302015: Built outbound UDP connection 25163 for outside:3.3.3.3/500 (3.3.3.3/500) to inside:1.1.1.1/500 (2.2.2.2/500)
305011: Built dynamic UDP translation from inside:1.1.1.1/1117 to outside:2.2.2.2/2147
305011: Built dynamic UDP translation from inside:1.1.1.1/123 to outside:2.2.2.2/50
302015: Built outbound UDP connection 25165 for outside:207.46.130.100/123 (207.46.130.100/123) to inside:1.1.1.1/123 (2.2.2.2/50)
106010: Deny inbound protocol 50 src outside:3.3.3.3 dst inside:2.2.2.2
106010: Deny inbound protocol 50 src outside:3.3.3.3 dst inside:2.2.2.2
106010: Deny inbound protocol 50 src outside:3.3.3.3 dst inside:2.2.2.2
106010: Deny inbound protocol 50 src outside:3.3.3.3 dst inside:2.2.2.2
106010: Deny inbound protocol 50 src outside:3.3.3.3 dst inside:2.2.2.2
305012: Teardown dynamic UDP translation from inside:1.1.1.1/1117 to outside:2.2.2.2/2147 duration 0:00:31
305011: Built dynamic UDP translation from inside:1.1.1.1/1117 to outside:2.2.2.2/2148
For reference:
1.1.1.1 - PC with VPN Client
2.2.2.2 - PIX Outside Address
3.3.3.3 - Remote Concentrator
The remote concentrator has NAT-T enable but I do not have access to it.
Before I implemented the PIX, my router with NAT-T support worked fine without any special configuration.
Thank you.
10-20-2007 09:51 AM
Can you try with IPSec over TCP?
10-20-2007 10:59 AM
Unfortunately, I do not have access to the remote concentrator. I have only been notified that it should work with NAT-T; IPsec over TCP/UDP is not configured.
This configuration worked earlier with a router with a NAT-T enabled IOS, so it must be a configuration parameter with the PIX.
Thanks again for the replies.
10-28-2007 05:58 PM
No ideas...
This is a strange problem; looking at the debug I listed above, it shows it is denying inbound protocol 50 (ESP), which makes sense since the VPN client operates correctly once I put an inbound ACL on the outside interface permitting ESP.
Now it can't use stateful inspection since there is no initiating ESP traffic on the inbound interface.
Does this sound correct? Maybe I have no choice but to keep the inbound ACL in place on the inbound interface.
Is ESP stateful?
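The log excerpt earlier in the thread and the "is ESP stateful?" question above are really the same point, and the quickest way to see it is to run the PIX syslog lines through a small classifier. The script below is an added example, not part of the thread and not Cisco code. It parses the two message IDs that matter here (302015, outbound UDP connection built, and 106010, inbound packet denied by the outside ACL) and decides, per remote peer, whether NAT-T came up. The reasoning it encodes: IKE runs on UDP/500; if both ends agree they are behind NAT, IKE moves to UDP/4500 and ESP is carried inside UDP/4500 datagrams, which PAT handles like any other UDP flow. If no UDP/4500 connection ever appears and the peer starts sending raw IP protocol 50, the PIX has nothing to match it against: ESP has no port numbers, so the outbound ISAKMP exchange created no translation slot for it, and the packet falls through to the interface ACL (implicit deny, hence 106010). The sample log lines are constructed, modelled on the ones quoted in the thread with the poster's address key (1.1.1.1 PC, 2.2.2.2 PIX outside, 3.3.3.3 concentrator); the UDP/4500 line is an assumption about what a working NAT-T session would log, and the remarks about fixup protocol esp-ike are Cisco's documented restrictions for that fixup, not something the thread itself states.

```python
import re

# Message formats taken from the PIX 6.3 syslog lines quoted in the thread.
# 302015 = outbound UDP connection built; 106010 = inbound packet denied by the
# interface ACL. The 305011/305012 xlate messages are ignored: they carry no
# VPN-specific information.
CONN_RE = re.compile(
    r"^302015: Built outbound UDP connection \d+ for "
    r"outside:(?P<peer>[\d.]+)/(?P<pport>\d+) \([\d.]+/\d+\) to "
    r"inside:(?P<host>[\d.]+)/(?P<hport>\d+) \((?P<mapped>[\d.]+)/(?P<mport>\d+)\)"
)
DENY_RE = re.compile(
    r"^106010: Deny inbound protocol (?P<proto>\d+) "
    r"src outside:(?P<src>[\d.]+) dst inside:(?P<dst>[\d.]+)"
)

ISAKMP_PORT = "500"   # IKE
NAT_T_PORT = "4500"   # IKE plus UDP-encapsulated ESP once NAT-T is negotiated
ESP_PROTO = "50"      # raw ESP: no ports, so PAT cannot build a slot for it

# Constructed sample logs (not the poster's actual session).
LOG_NO_NATT = """\
302015: Built outbound UDP connection 25163 for outside:3.3.3.3/500 (3.3.3.3/500) to inside:1.1.1.1/500 (2.2.2.2/500)
305011: Built dynamic UDP translation from inside:1.1.1.1/123 to outside:2.2.2.2/50
302015: Built outbound UDP connection 25165 for outside:207.46.130.100/123 (207.46.130.100/123) to inside:1.1.1.1/123 (2.2.2.2/50)
106010: Deny inbound protocol 50 src outside:3.3.3.3 dst inside:2.2.2.2
106010: Deny inbound protocol 50 src outside:3.3.3.3 dst inside:2.2.2.2
106010: Deny inbound protocol 50 src outside:3.3.3.3 dst inside:2.2.2.2
"""
# Assumed shape of a session where NAT-T did negotiate (the 4500 line is hypothetical).
LOG_NATT = """\
302015: Built outbound UDP connection 26001 for outside:3.3.3.3/500 (3.3.3.3/500) to inside:1.1.1.1/500 (2.2.2.2/500)
302015: Built outbound UDP connection 26002 for outside:3.3.3.3/4500 (3.3.3.3/4500) to inside:1.1.1.1/4500 (2.2.2.2/4500)
"""


def parse_peers(log_text):
    """Per remote peer: IKE seen on 500? NAT-T flow on 4500? how many raw ESP
    datagrams did the outside ACL drop, and at which PAT address were they aimed."""
    peers = {}

    def state(peer):
        return peers.setdefault(
            peer, {"isakmp": False, "natt": False, "esp_denied": 0, "mapped": None})

    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            if m["pport"] == ISAKMP_PORT:
                s = state(m["peer"])
                s["isakmp"], s["mapped"] = True, m["mapped"]
            elif m["pport"] == NAT_T_PORT:
                state(m["peer"])["natt"] = True
            continue  # any other UDP flow (here: NTP) is not VPN traffic
        m = DENY_RE.match(line)
        if m and m["proto"] == ESP_PROTO:
            s = state(m["src"])
            s["esp_denied"] += 1
            s["mapped"] = s["mapped"] or m["dst"]
    return peers


def diagnose(log_text):
    """Map each peer to (verdict, explanation)."""
    out = {}
    for peer, s in parse_peers(log_text).items():
        if s["natt"]:
            out[peer] = ("NATT_OK",
                         "UDP/4500 flow built: ESP is UDP-encapsulated and rides the normal PAT slot.")
        elif s["isakmp"] and s["esp_denied"]:
            out[peer] = ("RAW_ESP_BLOCKED",
                         f"IKE ran on UDP/500 but no UDP/4500 flow followed, so NAT-T never "
                         f"negotiated; {peer} then sent {s['esp_denied']} raw ESP packets to "
                         f"{s['mapped']}. ESP has no ports, PAT has no translation for it, and "
                         f"the outside ACL dropped them. Options: 'fixup protocol esp-ike' "
                         f"(PIX 6.3; Cisco documents it as one ESP tunnel at a time and not "
                         f"usable with ISAKMP enabled on the PIX) or an inbound ACL permitting "
                         f"esp from {peer}.")
        elif s["esp_denied"]:
            out[peer] = ("UNSOLICITED_ESP",
                         f"ESP from {peer} with no preceding IKE flow: not this client's traffic.")
        else:
            out[peer] = ("ISAKMP_ONLY", "IKE traffic only; no ESP seen yet.")
    return out


if __name__ == "__main__":
    for name, log in (("no NAT-T", LOG_NO_NATT), ("NAT-T", LOG_NATT)):
        for peer, (verdict, why) in diagnose(log).items():
            print(f"[{name}] {peer}: {verdict}: {why}")
```

Run it as-is to see both verdicts; to use it on a real PIX buffer, paste the output of `show logging` into `diagnose()`. The NTP flow in the first sample is there deliberately: it shows that ordinary UDP is translated and tracked fine, and that only the port-less ESP falls outside what the PAT/conn tables can match.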