
PIX 506E VPN connectivity issues with Client

vactech
Level 1

We have a PIX 506E to which I am trying to connect (from home) using Cisco VPN software (3000). The problem I'm having, like a lot I've seen around here, is that once authenticated, I cannot ping anything on the remote network, other than the outside IP of the PIX.

I turned on the ICMP trace on the PIX and tried to ping an IP inside VTI. This is what I got (which ain't much):

1: Inbound ICMP echo request (len 32 id 2 seq 36352) 10.10.10.10 > 192.168.1.3 > 192.168.1.3
2: Inbound ICMP echo request (len 32 id 2 seq 36608) 10.10.10.10 > 192.168.1.3 > 192.168.1.3
3: Inbound ICMP echo request (len 32 id 2 seq 36864) 10.10.10.10 > 192.168.1.3 > 192.168.1.3
4: Inbound ICMP echo request (len 32 id 2 seq 37120) 10.10.10.10 > 192.168.1.3 > 192.168.1.3

This tells me that the PIX dumped the packets onto 192.168.1.0 and got nothing from the local host in reply. (Is this the right diagnosis?)

When I then tried to ping the live IP of the PIX, this is what I got:

5: ICMP echo request (len 32 id 2 seq 37376) 10.10.10.10 > 66.255.117.125
6: ICMP echo reply (len 32 id 2 seq 37376) 66.255.117.125 > 10.10.10.10
7: ICMP echo request (len 32 id 2 seq 37632) 10.10.10.10 > 66.255.117.125
8: ICMP echo reply (len 32 id 2 seq 37632) 66.255.117.125 > 10.10.10.10
9: ICMP echo request (len 32 id 2 seq 37888) 10.10.10.10 > 66.255.117.125
10: ICMP echo reply (len 32 id 2 seq 37888) 66.255.117.125 > 10.10.10.10
11: ICMP echo request (len 32 id 2 seq 38144) 10.10.10.10 > 66.255.117.125
12: ICMP echo reply (len 32 id 2 seq 38144) 66.255.117.125 > 10.10.10.10

So, the IPSec tunnel is there, up to the outside interface on the PIX. Looks like it's not making it through the internal interface PIX. Duh.

Also, when I've got the IPSec tunnel going and I SSH to the PIX and do a SHOW CRYPTO IPSEC SA, it tells me that it's getting the packets from the client (10.10.10.10) and decrypting them. However, the totals for packets encrypted and sent to the client are both 0.

PIX Config:

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
(DELETED)
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 66.255.117.125 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 10.10.10.10-10.10.10.50
pdm history enable
arp timeout 14400
global (outside) 1 66.255.117.113-66.255.117.120 netmask 255.255.255.240
global (outside) 1 66.255.117.124
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.255.117.123 172.16.1.10 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 66.255.117.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup vacuumtech address-pool VPNPool
vpngroup vacuumtech dns-server 192.168.1.5
vpngroup vacuumtech wins-server 192.168.1.5
vpngroup vacuumtech default-domain vacuumtechnology.com
vpngroup vacuumtech split-tunnel 101
vpngroup vacuumtech idle-time 1800
vpngroup vacuumtech password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
terminal width 80

Thank you in advance.

10 Replies

kdurrett
Level 3

You'll need to fix your access-list 101 that you are using for no nat. Change from:

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

to only:

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

Make sure that after you do this your "nat (inside) 0" is still there. If you remove access-list 101 altogether, this will disappear. Oh, I see what you're doing there as well. You have a split tunnel assigned to the same access-list which is causing some problems. The above should fix that issue as well.

Kurtis Durrett
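The direction rule behind this fix, as an added example that is not code from the thread or from Cisco: parse the NAT-exemption ACL out of a PIX 6.x config and flag any entry that is not written inside-subnet to VPN-pool. The sample config is constructed from the lines posted above; ACL and interface names are taken from the thread.

```python
import ipaddress
import re

# Constructed sample: the NAT-exemption lines from the thread's first PIX config,
# including the reversed second ACL entry that the reply says to remove.
SAMPLE_CONFIG = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool VPNPool 10.10.10.10-10.10.10.50
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
vpngroup vacuumtech split-tunnel 101
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def check_nat0_acl(config: str) -> list[str]:
    """Return findings for the ACL that 'nat (inside) 0' references.

    Rule applied (the fix from the thread): every entry must be written
    inside-subnet -> VPN pool. An entry in the reverse direction is flagged.
    """
    inside = pool_lo = pool_hi = nat0_acl = None
    entries = []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"^ip address inside (\S+) (\S+)$", line):
            inside = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"^ip local pool \S+ (\S+)-(\S+)$", line):
            pool_lo, pool_hi = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
        elif m := re.match(r"^nat \(inside\) 0 access-list (\S+)$", line):
            nat0_acl = m[1]
        elif m := ACL_RE.match(line):
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
            entries.append((m[1], src, dst))
    if nat0_acl is None or inside is None or pool_lo is None:
        return ["missing 'nat (inside) 0', 'ip address inside' or 'ip local pool' line"]
    findings = []
    for name, src, dst in entries:
        if name != nat0_acl:
            continue  # other ACLs are not NAT exemptions
        if src.subnet_of(inside) and pool_lo in dst and pool_hi in dst:
            continue  # correct direction: inside LAN -> VPN pool
        findings.append(f"ACL {name} entry is not inside->pool: {src} -> {dst}")
    return findings
```

Because the same ACL is also used for split-tunnel, a reversed entry affects both roles, which is why removing it fixes both at once.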

I made the change that you suggested and made a little progress.

My access list is now :

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

and I still have the "nat (inside) 0 access-list 101" line.

However, I cannot ping anything inside the 192.168.1.0 network. I can ping the outside IP of the PIX and get decrypts back...

SHOW CRYPTO IPSEC SA:

interface: outside
    Crypto map tag: mymap, local addr. 66.255.117.125

   local ident (addr/mask/prot/port): (66.255.117.125/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   current_peer: 66.222.20.243
   dynamic allocated peer ip: 10.10.10.10
     PERMIT, flags={}
    #pkts encaps: 132, #pkts encrypt: 132, #pkts digest 132
    #pkts decaps: 133, #pkts decrypt: 133, #pkts verify 133
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 66.255.117.125, remote crypto endpt.: 66.222.20.243
     path mtu 1300, ipsec overhead 56, media mtu 1300
     current outbound spi: 344780e4

     inbound esp sas:
      spi: 0xa2a78d54(2728889684)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4607989/27342)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x344780e4(877101284)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4607991/27329)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   current_peer: 66.222.20.243
   dynamic allocated peer ip: 10.10.10.10
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 66.255.117.125, remote crypto endpt.: 66.222.20.243
     path mtu 1300, ipsec overhead 56, media mtu 1300
     current outbound spi: 5f291bc

     inbound esp sas:
      spi: 0x619b396a(1637562730)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4607998/27482)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5f291bc(99783100)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4608000/27455)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

HELP!!!!

Does whatever you're pinging have a route to the 10.10.10.0 network pointing back to the PIX? As you've guessed, your encrypted packets are reaching the PIX and being unencrypted and forwarded on internally. The PIX then receives nothing back (or was NAT'ing them but that should be fixed up now thanks to Kurtis's suggestion), that's why you don't see any encrypts.

Also, you're not trying to ping the PIX's internal interface, are you? You won't be able to do that, so don't try.
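The diagnosis in this reply rests on reading the encaps/decaps counters per SA. As an added example (not code from the thread or from Cisco), here is a small parser for that output which flags an SA that decrypts client traffic but never encrypts anything back; the sample is constructed from the "show crypto ipsec sa" output posted above.

```python
import re

# Constructed sample, trimmed from the 'show crypto ipsec sa' output in the
# thread: one SA for the PIX's outside address, one for the inside LAN.
SAMPLE_SA = """
interface: outside
Crypto map tag: mymap, local addr. 66.255.117.125
local ident (addr/mask/prot/port): (66.255.117.125/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
current_peer: 66.222.20.243
#pkts encaps: 132, #pkts encrypt: 132, #pkts digest 132
#pkts decaps: 133, #pkts decrypt: 133, #pkts verify 133
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
current_peer: 66.222.20.243
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify 12
"""

LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into per-SA records.

    Each record starts at a 'local ident' line and owns the counters that
    follow it. 'one_way' marks an SA that decapsulates traffic from the
    client but never encapsulates a reply, the symptom the thread diagnoses.
    """
    sas = []
    for line in text.splitlines():
        if m := LOCAL_RE.search(line):
            sas.append({"local": f"{m[1]}/{m[2]}", "remote": None, "encaps": 0, "decaps": 0})
        elif not sas:
            continue  # header lines before the first SA
        elif m := REMOTE_RE.search(line):
            sas[-1]["remote"] = f"{m[1]}/{m[2]}"
        elif m := ENCAPS_RE.search(line):
            sas[-1]["encaps"] = int(m[1])
        elif m := DECAPS_RE.search(line):
            sas[-1]["decaps"] = int(m[1])
    for sa in sas:
        sa["one_way"] = sa["decaps"] > 0 and sa["encaps"] == 0
    return sas


def one_way_sas(text):
    """Return 'local <-> remote' pairs whose return path carries nothing."""
    return [f"{sa['local']} <-> {sa['remote']}" for sa in parse_ipsec_sa(text) if sa["one_way"]]
```

A one-way SA for the LAN selector points at the inside of the network (host route, NAT, host firewall), not at the tunnel itself, which is exactly the reasoning in the reply above.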

Thanks for the input. To answer your question, I am pinging Win2k boxes internal to the remote network (192.168.1.x). These boxes have the internal IP of the PIX as their default gateway.

I was under the assumption that the

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list 101
ip local pool VPNPool 10.10.10.10-10.10.10.50

took care of the routing and NAT'ing (or lack thereof). Is there something else I need to do other than these access list, NAT 0, and pool lines?

Thanks in advance!

So you're connecting but traffic isn't being encrypted back out. So there is a problem still on the pix side, but not necessarily the pix. Do you have multiple nics on those win2k servers? Did you reboot your servers? How about a "route print" from one of the servers. Do a clear xlate, wr mem and a reload of the pix and test again. Post your new pix config if you can.

Kurtis

ROUTE PRINT (from in house DNS):

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...DELETED...... Intel(R) PRO Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.5       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
   169.254.46.150  255.255.255.255      192.168.1.5     192.168.1.5       1
      192.168.1.0    255.255.255.0      192.168.1.5     192.168.1.5       1
      192.168.1.5  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255      192.168.1.5     192.168.1.5       1
        224.0.0.0        224.0.0.0      192.168.1.5     192.168.1.5       1
  255.255.255.255  255.255.255.255      192.168.1.5     192.168.1.5       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
   169.254.46.150  255.255.255.255      192.168.1.5       1

PIX CONFIG (Note: I added a PPTP group as an alternative. Same problem there. Can connect, authenticate, etc. Can't ping, browse or do anything else after that.):

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DELETED encrypted
passwd DELETED encrypted
hostname DELETED
domain-name DELETED
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging host inside DELETED
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1300
mtu inside 1300
ip address outside DELETED
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 10.10.10.10-10.10.10.50
pdm history enable
arp timeout 14400
global (outside) 1 66.255.117.113-66.255.117.120 netmask 255.255.255.240
global (outside) 1 66.255.117.124
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.255.117.123 172.16.1.10 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 66.255.117.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.x DELETED timeout 60
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vacuumtech address-pool VPNPool
vpngroup vacuumtech dns-server 192.168.1.5
vpngroup vacuumtech wins-server 192.168.1.5
vpngroup vacuumtech default-domain vacuumtechnology.com
vpngroup vacuumtech split-tunnel 101
vpngroup vacuumtech idle-time 1800
vpngroup vacuumtech password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 15
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local VPNPool
vpdn group 1 client configuration dns 192.168.1.5 66.255.85.8
vpdn group 1 client configuration wins 192.168.1.5
vpdn group 1 client authentication aaa RADIUS
vpdn group 1 pptp echo 60
vpdn enable outside
terminal width 80

Looks right, did you do the clear xlate, wr mem and reload on the pix as well as reloading the server? Can you even ping the server from the pix? Any software firewalls on the 2000 servers?

Kurtis

I did the clear xlate, wr mem, and reload, but I haven't tried the VPN connection yet. I SSH to the PIX and from there I can ping said servers (I'm inside the 192.168.1.0 network since I'm at the office now). No software firewalls on the server(s).

I had a friend at another location VPN to our network and, LO and BEHOLD, pinging of 192.168.1.x addresses now works.

Also had him FTP to an "internal" FTP site and he could connect to it as well, so it looks like we've got a full TCP stack. As a side note, when he logged into the FTP site, the FTP server logged him as 10.10.10.10 (the first addr from the local pool).

I'll see about more "Windows-y" things like browsing networks and so forth later on. (A quick cursory check from the above site resulted in the local domain not being listed.)

Good job. Start a new conversation if you end up having problems with browsing, it's another monster :>)

Kurtis
