I have problem with the PIX Firewall 515 running 6.3(1). I can not use the VPN Client behind any NAT or PAT firewall. I make a connection but can not pass any traffic to my private addresses. I am using the command :
Still no sucess, everything works great when I use a public address. For example a dial up connection.
I have included my configuration file. Any help would be appreciated.
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
object-group service Exchange tcp
port-object eq 135
port-object range 1096 1098
port-object eq smtp
port-object eq www
object-group service RadiusServer udp
description Radius Authentication Server
port-object eq radius
port-object eq radius-acct
access-list shjc_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 192.168.101.0 25
access-list calprov_splitTunnelAcl permit ip 10.0.0.0 255.0.0.0 any
access-list outside_access_in permit ip 192.168.101.0 255.255.255.0 any
access-list outside_access_in deny ip PrivateNetwork 255.255.0.0 any log
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit esp any any
access-list outside_access_in permit udp any any eq 4500
access-list outside_access_in permit tcp any host cpsj-exchange-1P object-group
access-list outside_access_in permit tcp any host WWWP eq www
access-list outside_access_in permit tcp any host cpsj-server-1 eq 1099
access-list outside_access_in permit ip host Router any
access-list outside_access_in permit udp host QwestDNS eq domain any
access-list inside_nat0_outbound permit ip any 192.168.101.0 255.255.255.0
pager lines 24
logging monitor debugging
logging trap debugging
logging facility 7
logging host inside 10.1.0.66 6/1468
mtu outside 1500
mtu inside 1500
mtu test 1500
ip address outside xxx xxx
ip address inside 10.1.0.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool calprov-vpn 192.168.101.1-192.168.101.254
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) cpsj-exchange-1P 10.1.0.20 netmask 255.255.255.255 0 0
static (inside,outside) WWWP 10.1.0.22 netmask 255.255.255.255 0 0
static (inside,outside) cpsj-server-1 10.1.0.10 netmask 255.255.255.255 0 0
static (inside,outside) cpsj-server-2P 10.1.0.11 netmask 255.255.255.255 0 0
static (inside,outside) cpsj-server-3P 10.1.0.12 netmask 255.255.255.255 0 0
static (inside,outside) cpsj-server-4P 10.1.0.13 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 Router 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host
aaa authentication telnet console AuthInbound
aaa authentication http console AuthInbound
ntp server Router source outside prefer
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication AuthInbound
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup calprov address-pool calprov-vpn
vpngroup calprov dns-server 10.1.0.10
vpngroup calprov default-domain xxx
vpngroup calprov split-tunnel calprov_splitTunnelAcl
vpngroup calprov idle-time 1800
vpngroup calprov password
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Config looks OK. what version of teh VPN client are you using, NAT-T was only introduced in the 3.6 release so make sure it's something after that. After the tunnel is built, ensure that they've negotiated NAT-T by double-clicking on th epadlock icon and it should show something about encapsulation (can't remember exactly what it is). In fact, make sure the client has Enable Transparent Tunnelling checked.
If they do show as running over UDP 4500 then you need to check the stats on both the client and the PIX to see where the packet is being dropped. Check outbound packets on the client, Pkts Decaps on the PIX, then Pkts Encaps on the PIX and inbound packets on the client. You should be able to figure out where the packets are dropped by checking these.
Could be that your ISP is blocking NAT-T packets, but doubtful.
Thank you for your response. I am currently using VPN Client 3.6.4. When I connect it does show tunnel port UDP 4500. No packets will pass to the network. Everything shows up as Packets Bypassed. This same configuration works as long as I am not behind NAT. Anything more help would be appreciated.
Please double check that if your "Packets encrypted" counter stays at Zero, if yes, you can try changing the split tunnel list to :
access-list calprov_splitTunnelAcl permit ip 10.0.0.0 255.0.0.0 192.168.101.0 255.255.255.0
If it doesn't stay at Zero, and you do see packet encrypted increasing with the bypass counter increasing as well(which is normall)... then make sure that NAT-T (UDP 4500) is not being blocked anywhere inside your network (client/pix side).
let us know.
Yes Packets do start encrypting but do not ever decrypt. I have look at each side client/pix and both sides start encrypting but never decrypt. I do not have anything else blocked on the network for UDP 4500, except what I have put on the PIX Firewall. If I can give you any more information please let me know.
which OS are you using on the client side?
I had a problem similar to yours with Windows XP. If you're using Windows Xp, ensure that the Internet Connection Firewall is not enabled on your REmote access connection or Local Area Network Connection.
Hope it helps.
If both sides are sending out UDP 4500 packets (you mention they're both encrypting), but neither side is receiving them (you mention neither side is decrypting), then it looks like UDP 4500 is being blocked somewhere in between your client and the PIX. How is your client connected to the Internet, can you verify that your ISP is not blocking anything. What about the router outside the PIX, does it have any ACL's on it?
I have used UDP 4500 through my ISP on a router with Nat-T. I am pretty sure it can not be the ISP. The router on it does have an access list. Even when i remove the access list it still does not work. I do not know where this could be being blocked if that is what is wrong.
I just found some new information. If I ping from the PIX side of network to the VPN Client, the stats say they are decrypting on the client but no ping replys on th PIX side of the network. It is almost like the PIX is the only one that is not decrypting the packets. I hope this helps.
I am having the exact same problem. It wasn't solved by 6.3(2) for the pix .Could it be a bug?
Please someone help us on that.
with regard to the problem that you are having, I have configured a few VPN Client to PIX scenarios that work. I must be doing something right, or just good luck on my part.
the original configuration lists two different acaa-lists that are used for the nat0 and the split tunneling.
The following lines have been taken from one of my working configs. I only use one access-list for both purposes.
name 192.168.0.0 inside-network
access-list 110 permit ip inside-network 255.255.255.0 172.16.1.0 255.255.255.0
ip local pool home 172.16.1.1-172.16.1.20
nat (inside) 0 access-list 110
vpngroup pix506 address-pool home
vpngroup pix506 split-tunnel 110
Please try the above scenario on your PIX, with the addresses applicable for your network.
the two different access-lists that are listed in the configuration have the source and destination networks reversed.
Sorry forgot to say that for me it is Pix to cisco router conf (And I am aware af the thing with different access-lists for nat 0 and for the vpn).