08-05-2003 08:52 AM - edited 02-21-2020 12:42 PM
Hy all,
This is my PIX configuration, VPN client work fine but when try by VPN Client the network browsing this is dropped by the firewall, in fact I obtain from PIX the deny message for UDP 138, UDP 137, 1056 and 1058.
What is the problem??
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outside_access_in permit icmp any any echo-reply
access-list nonat permit ip any 10.0.1.0 255.255.255.0
pager lines 24
logging on
logging buffered notifications
logging trap notifications
logging host inside 192.168.1.120
mtu outside 1500
mtu inside 1500
ip address outside 200.200.XXX.XXX 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Net 10.0.1.1-10.0.1.30
pdm location 192.168.1.0 255.255.255.0 inside
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.1 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set TRSET esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set TRSET
crypto map VPN 10 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup Net address-pool Net
vpngroup Net dns-server 192.168.1.1
vpngroup Net wins-server 192.168.1.1
vpngroup Net default-domain asasasas.com
vpngroup Net idle-time 1800
vpngroup Net password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Tanks all.
08-05-2003 04:33 PM
NW browsing issues are rarely to do with the head-end termination device, so I'm confused you're actually seeing deny messages on the PIX (they may be unrelated and coming from internal devices though).
Please go through the following URL and make sure your clients are set up correctly:
08-06-2003 02:08 AM
I obtain deny message only when the VPN client try to search one inside computer by name (NET VIEW COMPUTER1).
Regards.
08-06-2003 02:23 AM
Hi -
What about by IP, does it work when it tries to search for the computer by Ip address only ??
Thanks -
08-06-2003 11:13 AM
Hi
This is the situation:
1)
The VPN Client send this command: NET VIEW COMPUTER1
The PIX log contain Deny UDP 138 - Deny UDP 137 - Deny UDP 1056 - Deny UDP 1058
The VPN Client obtain error to browse network.
2)
The VPN Client send this command: NET VIEW 192.168.1.20 (COMPUTER1 IP Address)
The VPN Client obtain the browse of shred resource
Regards.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: