11-26-2002 04:41 AM - edited 02-21-2020 12:11 PM
We have a PIX 506E to which I am trying to connect (from home) using Cisco VPN software (3000). The problem I'm having, like a lot I've seen around here, is that once authenticated, I cannot ping anything on the remote network, other than the outside IP of the PIX.
I turned on the ICMP trace on the PIX and tried to ping an IP inside VTI. This is what I got (which ain't much):
1: Inbound ICMP echo request (len 32 id 2 seq 36352) 10.10.10.10 > 192.168.1.3 > 192.168.1.3
2: Inbound ICMP echo request (len 32 id 2 seq 36608) 10.10.10.10 > 192.168.1.3 > 192.168.1.3
3: Inbound ICMP echo request (len 32 id 2 seq 36864) 10.10.10.10 > 192.168.1.3 > 192.168.1.3
4: Inbound ICMP echo request (len 32 id 2 seq 37120) 10.10.10.10 > 192.168.1.3 > 192.168.1.3
This tells me that the PIX dumped the packets onto 192.168.1.0 and got nothing from the local host in reply. (Is this the right diagnosis?)
When I then tried to ping the live IP of the PIX, this is what I got:
5: ICMP echo request (len 32 id 2 seq 37376) 10.10.10.10 > 66.255.117.125
6: ICMP echo reply (len 32 id 2 seq 37376) 66.255.117.125 > 10.10.10.10
7: ICMP echo request (len 32 id 2 seq 37632) 10.10.10.10 > 66.255.117.125
8: ICMP echo reply (len 32 id 2 seq 37632) 66.255.117.125 > 10.10.10.10
9: ICMP echo request (len 32 id 2 seq 37888) 10.10.10.10 > 66.255.117.125
10: ICMP echo reply (len 32 id 2 seq 37888) 66.255.117.125 > 10.10.10.10
11: ICMP echo request (len 32 id 2 seq 38144) 10.10.10.10 > 66.255.117.125
12: ICMP echo reply (len 32 id 2 seq 38144) 66.255.117.125 > 10.10.10.10
So, the IPSec tunnel is there, up to the outside interface on the PIX. Looks like it's not making it through the PIX's internal interface. Duh.
Also, when I've got the IPSec tunnel going and I SSH to the PIX and do a SHOW CRYPTO IPSEC SA, it tells me that it's getting the packets from the client (10.10.10.10) and decrypting them. However, the totals for packets encrypted and sent to the client are both 0.
PIX Config:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
(DELETED)
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 66.255.117.125 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 10.10.10.10-10.10.10.50
pdm history enable
arp timeout 14400
global (outside) 1 66.255.117.113-66.255.117.120 netmask 255.255.255.240
global (outside) 1 66.255.117.124
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.255.117.123 172.16.1.10 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 66.255.117.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup vacuumtech address-pool VPNPool
vpngroup vacuumtech dns-server 192.168.1.5
vpngroup vacuumtech wins-server 192.168.1.5
vpngroup vacuumtech default-domain vacuumtechnology.com
vpngroup vacuumtech split-tunnel 101
vpngroup vacuumtech idle-time 1800
vpngroup vacuumtech password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
terminal width 80
Thank you in advance.
11-26-2002 08:29 AM
You'll need to fix your access-list 101 that you are using for no nat. Change from:
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
to only:
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
Make sure that after you do this your "nat (inside) 0" is still there. If you remove access-list 101 altogether, this will disappear. Oh, I see what you're doing there as well. You have a split tunnel assigned to the same access-list which is causing some problems. The above should fix that issue as well.
Kurtis Durrett
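The check Kurtis describes, written up as an added example (not from the thread or from Cisco): parse the nat 0 access-list out of a PIX 6.x config excerpt and flag any entry whose source is not the inside subnet. The config text below is a constructed excerpt of the "before" state posted above.

```python
import ipaddress
import re

# Constructed excerpt of the posted PIX 6.x config: the nat 0 ACL still has
# the reversed (pool -> inside) entry that the reply says to remove.
PIX_CONFIG = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
nat (inside) 0 access-list 101
vpngroup vacuumtech split-tunnel 101
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def inside_network(config):
    """Return the inside interface subnet from 'ip address inside ADDR MASK'."""
    m = re.search(r"^ip address inside (\S+) (\S+)$", config, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)


def nat0_acl_name(config):
    """Return the ACL name referenced by 'nat (inside) 0 access-list NAME'."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)$", config, re.M)
    return m.group(1) if m else None


def check_nat0_acl(config):
    """Flag nat 0 ACL entries whose source is not the inside subnet.

    The nat 0 ACL is applied to traffic leaving the inside interface, so its
    source must be the inside network and its destination the VPN pool. A
    reversed entry does nothing useful there, and in this config the same ACL
    doubles as the split-tunnel list, so the stray entry reaches the client too.
    """
    name = nat0_acl_name(config)
    if name is None:
        return ["no 'nat (inside) 0 access-list' present"]
    inside = inside_network(config)
    problems = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group(1) != name:
            continue
        src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        if not src.subnet_of(inside):
            problems.append(f"reversed entry in ACL {name}: source {src} is not inside {inside}")
    return problems
```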
11-26-2002 04:29 PM
I made the change that you suggested and made a little progress.
My access list is now :
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
and I still have the "nat (inside) 0 access-list 101" line.
However, I cannot ping anything inside the 192.168.1.0 network. I can ping the outside ip of the PIX and get decrypts back....
SHOW CRYPTO IPSEC SA:
interface: outside
Crypto map tag: mymap, local addr. 66.255.117.125
local ident (addr/mask/prot/port): (66.255.117.125/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
current_peer: 66.222.20.243
dynamic allocated peer ip: 10.10.10.10
PERMIT, flags={}
#pkts encaps: 132, #pkts encrypt: 132, #pkts digest 132
#pkts decaps: 133, #pkts decrypt: 133, #pkts verify 133
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 66.255.117.125, remote crypto endpt.: 66.222.20.243
path mtu 1300, ipsec overhead 56, media mtu 1300
current outbound spi: 344780e4
inbound esp sas:
spi: 0xa2a78d54(2728889684)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607989/27342)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x344780e4(877101284)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607991/27329)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
current_peer: 66.222.20.243
dynamic allocated peer ip: 10.10.10.10
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 66.255.117.125, remote crypto endpt.: 66.222.20.243
path mtu 1300, ipsec overhead 56, media mtu 1300
current outbound spi: 5f291bc
inbound esp sas:
spi: 0x619b396a(1637562730)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607998/27482)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5f291bc(99783100)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4608000/27455)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
HELP!!!!
11-26-2002 06:25 PM
Does whatever you're pinging have a route to the 10.10.10.0 network pointing back to the PIX? As you've guessed, your encrypted packets are reaching the PIX and being unencrypted and forwarded on internally. The PIX then receives nothing back (or was NAT'ing them but that should be fixed up now thanks to Kurtis's suggestion), that's why you don't see any encrypts.
Also, you're not trying to ping the PIX's internal interface, are you? You won't be able to do that, so don't try.
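The diagnosis in this reply (decrypts counted, zero encrypts) can be read off the `show crypto ipsec sa` output mechanically. As an added example, not part of the thread, the script below parses a constructed, trimmed excerpt of the posted output and reports the SAs that only carry traffic one way.

```python
import re

# Constructed excerpt of the 'show crypto ipsec sa' output posted above,
# trimmed to the ident and packet-counter lines the diagnosis needs.
SA_OUTPUT = """\
interface: outside
Crypto map tag: mymap, local addr. 66.255.117.125
local ident (addr/mask/prot/port): (66.255.117.125/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
#pkts encaps: 132, #pkts encrypt: 132, #pkts digest 132
#pkts decaps: 133, #pkts decrypt: 133, #pkts verify 133
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify 12
"""

IDENT_RE = re.compile(r"^(local|remote) ident .*?: \(([^/]+)/([^/]+)/")
COUNT_RE = re.compile(r"^#pkts (encaps|decaps): (\d+)")


def parse_sas(output):
    """Return one dict per SA pair; a new pair starts at each 'local ident'."""
    sas, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":
                cur = {"encaps": 0, "decaps": 0}
                sas.append(cur)
            if cur is not None:
                cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        m = COUNT_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = int(m.group(2))
    return sas


def one_way_sas(output):
    """Return (local, remote) idents for SAs that decrypt but never encrypt.

    decaps > 0 with encaps == 0 means the PIX is receiving and decrypting the
    client's packets but nothing comes back to be sent down the tunnel, so
    the return path behind the PIX (routing or NAT exemption) is the suspect.
    """
    return [(sa["local"], sa["remote"]) for sa in parse_sas(output)
            if sa["decaps"] > 0 and sa["encaps"] == 0]
```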
11-27-2002 07:04 AM
Thanks for the input. To answer your question, I am pinging Win2k boxes internal to the remote network (192.168.1.x). These boxes have the internal IP of the PIX as their default gateway.
I was under the assumption that the
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list 101
ip local pool VPNPool 10.10.10.10-10.10.10.50
took care of the routing and NAT'ing (or lack thereof). Is there something else I need to do other than these access list, NAT 0, and pool lines?
Thanks in advance!
11-27-2002 07:41 AM
So you're connecting but traffic isn't being encrypted back out. So there is a problem still on the pix side, but not necessarily the pix. Do you have multiple nics on those win2k servers? Did you reboot your servers? How about a "route print" from one of the servers. Do a clear xlate, wr mem and a reload of the pix and test again. Post your new pix config if you can.
Kurtis
11-27-2002 08:04 AM
ROUTE PRINT (from in house DNS):
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...DELETED...... Intel(R) PRO Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.46.150 255.255.255.255 192.168.1.5 192.168.1.5 1
192.168.1.0 255.255.255.0 192.168.1.5 192.168.1.5 1
192.168.1.5 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.1.255 255.255.255.255 192.168.1.5 192.168.1.5 1
224.0.0.0 224.0.0.0 192.168.1.5 192.168.1.5 1
255.255.255.255 255.255.255.255 192.168.1.5 192.168.1.5 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
169.254.46.150 255.255.255.255 192.168.1.5 1
PIX CONFIG (Note: I added a PPTP group as an alternative. Same problem there. Can connect, authenticate, etc. Can't ping, browse or anything else after that.):
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DELETED encrypted
passwd DELETED encrypted
hostname DELETED
domain-name DELETED
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging host inside DELETED
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1300
mtu inside 1300
ip address outside DELETED
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 10.10.10.10-10.10.10.50
pdm history enable
arp timeout 14400
global (outside) 1 66.255.117.113-66.255.117.120 netmask 255.255.255.240
global (outside) 1 66.255.117.124
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.255.117.123 172.16.1.10 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 66.255.117.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.x DELETED timeout 60
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vacuumtech address-pool VPNPool
vpngroup vacuumtech dns-server 192.168.1.5
vpngroup vacuumtech wins-server 192.168.1.5
vpngroup vacuumtech default-domain vacuumtechnology.com
vpngroup vacuumtech split-tunnel 101
vpngroup vacuumtech idle-time 1800
vpngroup vacuumtech password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 15
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local VPNPool
vpdn group 1 client configuration dns 192.168.1.5 66.255.85.8
vpdn group 1 client configuration wins 192.168.1.5
vpdn group 1 client authentication aaa RADIUS
vpdn group 1 pptp echo 60
vpdn enable outside
terminal width 80
11-27-2002 08:33 AM
Looks right, did you do the clear xlate, wr mem and reload on the pix as well as reloading the server? Can you even ping the server from the pix? Any software firewalls on the 2000 servers?
Kurtis
11-27-2002 09:11 AM
I did the clear xlate, wr mem, and reload, but I haven't tried the VPN connection yet. I SSH to the PIX and from there I can ping said servers (I'm inside the 192.168.1.0 network since I'm at the office now). No software firewalls on the server(s).
11-27-2002 10:39 AM
I had a friend at another location VPN to our network and, LO and BEHOLD, pinging of 192.168.1.x addresses now works.
Also had him FTP to an "internal" FTP site and he could connect to it as well, so it looks like we've got a full TCP stack. As a side note, when he logged into the FTP site, the FTP server logged him as 10.10.10.10 (the first addr from the local pool).
I'll see about more "Windows-y" things like browsing networks and so forth later on. (A quick cursory check from the above site resulted in the local domain not being listed.)
11-27-2002 11:08 AM
Good job. Start a new conversation if you end up having problems with browsing, it's another monster :>)
Kurtis