New Member

Pix 501 VPN 6.3.1

I have a few questions regarding this VPN setup:

The pix Norspik-Nor is a Pix 501 at the main site. Local addresses are 192.168.1.0/24

The pix Norspik-Hbg is a pix 501 at the branch site. Local addresses are 192.168.10.0/24

Both Pixes are running 6.3.1

The Norspik-Nor has a static IP on the outside interface and should allow incoming vpn-tunnels from VPN dialer clients as well as from the Norspik-Hbg (which has a dynamic IP on its outside interface).

As far as I can see the tunnels seem to work just fine. The problem is the "management-access inside" that doesn't work. No matter what I try to do I can't remotely administer the devices (i.e. from the local Norspik-Hbg LAN I can't https to the Norspik-Nor inside IP, from a VPN Dialer client on the internet I can't telnet to the Norspik-Nor inside IP, and so on...)

Am I missing something? Is there something else that should be done to get this working?

Another question: I have heard that with 6.3.1 it is possible for a vpn dialer client to connect to the pix using TCP (port 10000?) instead of UDP, to make the traffic pass through firewalls/NATs more easily. In the release notes for 6.3.1 it says something about this being handled automatically in the pix, but when I try to change my client to TCP I get no contact at all with the pix. Are there some magic commands in the pix to enable this feature?

Thanks for your help!

Regards

Jimmy

Norspik-Nor# wr t

Building configuration...

: Saved

:

PIX Version 6.3(1)

interface ethernet0 10baset

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password h/4fnFHQj9685eIP encrypted

passwd h/4fnFHQj9685eIP encrypted

hostname Norspik-Nor

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 193.215.36.193 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool clientpool 192.168.1.200-192.168.1.210

pdm location 192.168.1.0 255.255.255.0 inside

pdm location 192.168.2.0 255.255.255.0 inside

pdm location 192.168.10.0 255.255.255.0 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 193.215.36.199 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.10.0 255.255.255.0 inside

http 192.168.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt ipsec pl-compatible

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map ciscomap 1 set transform-set myset

crypto map dyn-map 20 ipsec-isakmp dynamic ciscomap

crypto map dyn-map interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 1000

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup unityclient address-pool clientpool

vpngroup unityclient dns-server 192.168.1.10

vpngroup unityclient wins-server 192.168.1.10

vpngroup unityclient default-domain xxxxx.no

vpngroup unityclient idle-time 1800

vpngroup unityclient password ********

telnet 192.168.1.0 255.255.255.0 inside

telnet 192.168.10.0 255.255.255.0 inside

telnet 192.168.2.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

management-access inside

console timeout 0

dhcpd address 192.168.1.2-192.168.1.129 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:b43d682bfb3ec45acd07683d1bbd265c

: end

[OK]

Norspik-Nor#

Norspik-Hbg# wr t

Building configuration...

: Saved

:

PIX Version 6.3(1)

interface ethernet0 10baset

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password h/4fnFHQj9685eIP encrypted

passwd h/4fnFHQj9685eIP encrypted

hostname Norspik-Hbg

domain-name ciscopix.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list vpntunnel permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 193.215.36.199 255.255.255.0

ip address inside 192.168.10.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.1.0 255.255.255.0 inside

pdm location 192.168.10.0 255.255.255.0 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 193.215.36.193 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.0.10 255.255.255.255 inside

http 192.168.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address vpntunnel

crypto map mymap 10 set peer 193.215.36.193

crypto map mymap 10 set transform-set myset

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address 193.215.36.193 netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

telnet 192.168.1.0 255.255.255.0 inside

telnet 192.168.10.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

management-access inside

console timeout 0

dhcpd address 192.168.10.100-192.168.10.110 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:a51290ceef1d8adcd3a9d5f2cc596235

: end

[OK]

Norspik-Hbg#

1 REPLY
Cisco Employee

Re: Pix 501 VPN 6.3.1

Try removing the "telnet 192.168.10.0 inside" command and the one for http also; I don't believe you need these when using the management-access command. They may be confusing the PIX into thinking that it should be receiving these packets on the inside interface, when in effect they're coming in from the outside interface.

Failing that, what does the syslog show when you try and connect? That'll give you a good indication of what's going on.

As for your IPSec question, the PIX doesn't support TCP or UDP encapsulation in port 10000; that's still only (and always will be) a VPN concentrator function. PIX 6.3 code supports a new standard called NAT-T, which encapsulates IPSec packets in UDP port 4500 for transmission through NAT/PAT devices. The VPN client from 3.6 onwards and the PIX will automatically negotiate this at startup and encapsulate if necessary; you don't need to configure anything on the client. On the PIX configure the command:

> isakmp nat-traversal

to enable it. See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1027312 for details.
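As an added example (not code from the thread or from Cisco), the following Python script audits a PIX 6.x running-config for the two points the reply makes: whether `isakmp nat-traversal` is present, and whether any `telnet`/`http` management entry binds a network that is not on the inside interface (such as the remote VPN subnet) to that interface. The config excerpt is a constructed sample modelled on the Norspik-Nor dump above; the heuristic for the second finding is the reply's hypothesis, not a documented PIX rule.

```python
import ipaddress
import re

# Constructed excerpt modelled on the Norspik-Nor config posted in the thread
# (only the lines relevant to the reply's two points are included).
SAMPLE_CONFIG = """\
hostname Norspik-Nor
ip address outside 193.215.36.193 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
management-access inside
isakmp enable outside
"""

def parse_pix_config(text):
    """Pull the management and ISAKMP facts this audit needs out of a PIX 6.x config."""
    facts = {"mgmt_access": None, "nat_t": False, "inside_net": None, "mgmt_acl": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"management-access (\S+)", line):
            facts["mgmt_access"] = m[1]
        elif re.fullmatch(r"isakmp nat-traversal(\s+\d+)?", line):
            facts["nat_t"] = True
        elif m := re.fullmatch(r"ip address inside (\S+) (\S+)", line):
            facts["inside_net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.fullmatch(r"(telnet|http) (\S+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            facts["mgmt_acl"].append((m[1], net, m[4]))
    return facts

def audit_pix_config(text):
    """Return human-readable findings for the two issues raised in the reply."""
    facts = parse_pix_config(text)
    findings = []
    if not facts["nat_t"]:
        findings.append("isakmp nat-traversal is missing: IPsec peers behind NAT/PAT "
                        "cannot negotiate UDP 4500 encapsulation")
    for proto, net, iface in facts["mgmt_acl"]:
        # A management entry bound to the management-access interface for a network
        # that is not directly on that interface is what the reply suggests removing.
        if iface == facts["mgmt_access"] and facts["inside_net"] is not None \
                and not net.subnet_of(facts["inside_net"]):
            findings.append(f"{proto} {net.network_address} {net.netmask} {iface}: "
                            f"remote network bound to the {iface} interface")
    return findings

if __name__ == "__main__":
    for finding in audit_pix_config(SAMPLE_CONFIG):
        print("-", finding)
```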
