Problems with Cisco VPN Client though a PIX Firewall.

lrm001c474
Level 1

Greetings,

I have a PC on my LAN which I sometimes use to establish a VPN tunnel with a remote network via Cisco VPN Client. I use a Cisco router as my gateway router via broadband to gain access to the Internet and employ PAT for address translation. I upgraded the IOS to 12.2(15)T16 to support NAT Transparency, and I was able to establish the tunnel with this configuration.

I recently acquired a Cisco 506E PIX Firewall (Version 6.3(4)) to aid in my CCSP studies and integrated it into my network infrastructure. I inserted the PIX in between my router and cable modem and offloaded the PAT from the router to the PIX. I set up the firewall with a basic configuration and I was able to access the Internet perfectly, but I could not establish the VPN tunnel via the Cisco VPN Client. Other than removing the PAT commands on the router, its configuration remained the same. I tried several configurations, including enabling ISAKMP on both interfaces and activating ISAKMP NAT-Traversal, but none worked. I finally was able to get the tunnel to establish by issuing the following command: fixup protocol esp-ike, and creating an inbound ACL on the outside interface allowing ESP from the remote system in.

My question is, is there a better way to do this without using the inbound access-list on the outside interface? Doesn't the PIX have a built-in NAT-Transparency system like the routers? Here is a sanitized version of the PIX configuration.

Thank you for your time!

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list TEST permit ip 10.0.0.0 255.255.252.0 any
access-list TEST permit esp 10.0.0.0 255.255.252.0 any
access-list VPN_CLIENT permit esp host 1.2.3.4 any
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.16.0.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.252.0 0 0
access-group VPN_CLIENT in interface outside
access-group TEST in interface inside
route inside 10.0.0.0 255.255.252.0 172.16.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

6 Replies

lrm001c474
Level 1

Bump

It's not clear in your post what the device is you are peering to. That device is what should have nat-t enabled. The fact you had to enable fixup esp-ike means nat-t was not working.

Also, you should be able to remove "access-list VPN_CLIENT permit esp host 1.2.3.4 any" and apply "sysopt connection permit-ipsec".

Thank you for the response.

When I remove the outside interface's ACL and apply "sysopt connection permit-ipsec", the connection fails.

Included is some of the log file with ISAKMP debugging on:

302015: Built outbound UDP connection 25163 for outside:3.3.3.3/500 (3.3.3.3/500) to inside:1.1.1.1/500 (2.2.2.2/500)
305011: Built dynamic UDP translation from inside:1.1.1.1/1117 to outside:2.2.2.2/2147
305011: Built dynamic UDP translation from inside:1.1.1.1/123 to outside:2.2.2.2/50
302015: Built outbound UDP connection 25165 for outside:207.46.130.100/123 (207.46.130.100/123) to inside:1.1.1.1/123 (2.2.2.2/50)
106010: Deny inbound protocol 50 src outside:3.3.3.3 dst inside:2.2.2.2
106010: Deny inbound protocol 50 src outside:3.3.3.3 dst inside:2.2.2.2
106010: Deny inbound protocol 50 src outside:3.3.3.3 dst inside:2.2.2.2
106010: Deny inbound protocol 50 src outside:3.3.3.3 dst inside:2.2.2.2
106010: Deny inbound protocol 50 src outside:3.3.3.3 dst inside:2.2.2.2
305012: Teardown dynamic UDP translation from inside:1.1.1.1/1117 to outside:2.2.2.2/2147 duration 0:00:31
305011: Built dynamic UDP translation from inside:1.1.1.1/1117 to outside:2.2.2.2/2148

For reference:

1.1.1.1 - PC with VPN Client
2.2.2.2 - PIX Outside Address
3.3.3.3 - Remote Concentrator

The remote concentrator has NAT-T enabled, but I do not have access to it.

Before I implemented the PIX, my router with NAT-T support worked fine without any special configuration.

Thank you.

Can you try with IPSec over TCP?

Unfortunately, I do not have access to the remote concentrator. I have only been notified that it should work with NAT-T; IPSEC over TCP/UDP is not configured.

This configuration worked earlier with a router with a NAT-T enabled IOS so it must be a configuration parameter with the PIX.

Thanks again for the replies.

No ideas...

This is a strange problem; looking at the debug I listed above, it shows it is denying inbound protocol 50 (ESP), which makes sense since the VPN client operates correctly once I put an inbound ACL on the outside interface permitting ESP.

Now it can't use stateful inspection since there is no initiating ESP traffic on the inbound interface.

Does this sound correct? Maybe I have no choice but to keep the inbound ACL in place on the inbound interface.

Is ESP stateful?
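An added diagnostic example, not part of the thread and not Cisco code, that classifies the PIX syslog lines quoted above by what they say about the IKE peer. The function `analyze_pix_log` and the two sample logs are assumptions of this example: the first sample is built from the 302015/305011/106010 lines the poster quoted (same placeholder addresses), the second is a constructed counter-example of what the same exchange would log if NAT-T had been negotiated, since NAT-T carries ESP inside UDP/4500 and a PAT device then sees an ordinary UDP translation instead of raw IP protocol 50.

```python
import re
from collections import Counter

# Constructed sample, modeled on the PIX 6.3 syslog lines quoted in the thread.
# Placeholders follow the thread: 1.1.1.1 = PC with VPN Client,
# 2.2.2.2 = PIX outside address, 3.3.3.3 = remote concentrator.
NO_NAT_T_LOG = """\
302015: Built outbound UDP connection 25163 for outside:3.3.3.3/500 (3.3.3.3/500) to inside:1.1.1.1/500 (2.2.2.2/500)
305011: Built dynamic UDP translation from inside:1.1.1.1/1117 to outside:2.2.2.2/2147
106010: Deny inbound protocol 50 src outside:3.3.3.3 dst inside:2.2.2.2
106010: Deny inbound protocol 50 src outside:3.3.3.3 dst inside:2.2.2.2
305012: Teardown dynamic UDP translation from inside:1.1.1.1/1117 to outside:2.2.2.2/2147 duration 0:00:31
"""

# Constructed counter-example (not from the thread): the same peer when NAT-T
# has been negotiated. ESP rides inside UDP/4500, so the PIX builds a UDP
# connection for it and never has to pass raw protocol 50 inbound.
NAT_T_LOG = """\
302015: Built outbound UDP connection 25170 for outside:3.3.3.3/500 (3.3.3.3/500) to inside:1.1.1.1/500 (2.2.2.2/500)
302015: Built outbound UDP connection 25171 for outside:3.3.3.3/4500 (3.3.3.3/4500) to inside:1.1.1.1/4500 (2.2.2.2/4500)
"""

# 302015: outbound connection built through the PIX (peer, inside host, PAT xlate)
CONN_RE = re.compile(
    r"^302015: Built outbound (?P<proto>\w+) connection \d+ for "
    r"outside:(?P<peer>[\d.]+)/(?P<peer_port>\d+) \([\d.]+/\d+\) to "
    r"inside:(?P<host>[\d.]+)/(?P<host_port>\d+) \((?P<xlate>[\d.]+)/(?P<xlate_port>\d+)\)$"
)
# 106010: inbound packet dropped because no connection or ACL permitted it
DENY_RE = re.compile(
    r"^106010: Deny inbound protocol (?P<proto>\d+) "
    r"src outside:(?P<src>[\d.]+) dst inside:(?P<dst>[\d.]+)$"
)

VERDICT_TEXT = {
    "nat-t": "UDP/4500 connection built: ESP is UDP-encapsulated and follows the PAT xlate",
    "raw-esp-denied": "peer sends unencapsulated ESP (protocol 50) and the PIX drops it: "
                      "NAT-T was not negotiated, so only an inbound ESP permit or fixup lets it in",
    "ike-only": "IKE (UDP/500) seen but no ESP in either form; the tunnel did not complete",
}


def analyze_pix_log(log_text):
    """Return one finding per IKE peer: which ESP transport the log shows."""
    ike_peers = set()          # peers with an outbound UDP/500 connection
    nat_t_peers = set()        # peers with an outbound UDP/4500 connection
    esp_denies = Counter()     # raw ESP drops per source peer

    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            if m["proto"] == "UDP" and m["peer_port"] == "500":
                ike_peers.add(m["peer"])
            elif m["proto"] == "UDP" and m["peer_port"] == "4500":
                nat_t_peers.add(m["peer"])
            continue
        m = DENY_RE.match(line)
        if m and m["proto"] == "50":
            esp_denies[m["src"]] += 1

    findings = []
    for peer in sorted(ike_peers | nat_t_peers | set(esp_denies)):
        if peer in nat_t_peers:
            verdict = "nat-t"
        elif esp_denies[peer]:
            verdict = "raw-esp-denied"
        else:
            verdict = "ike-only"
        findings.append({"peer": peer, "verdict": verdict, "esp_denied": esp_denies[peer]})
    return findings


if __name__ == "__main__":
    for label, log in (("thread log", NO_NAT_T_LOG), ("NAT-T counter-example", NAT_T_LOG)):
        print(f"== {label}")
        for f in analyze_pix_log(log):
            print(f"  {f['peer']}: {f['verdict']} ({f['esp_denied']} ESP drops) - {VERDICT_TEXT[f['verdict']]}")
```

Run against the thread's own lines the classifier reports the concentrator as `raw-esp-denied`: there is a UDP/500 connection but no UDP/4500 one, and the only ESP arriving is native protocol 50, which the PIX has no connection entry to match, so it drops it until an inbound ESP permit (or the esp-ike fixup) exists. That is the same reading the first reply gives ("nat-t was not working") and is the check worth running before changing the outside ACL.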
