Remote VPN problem

pry3
Level 1

I'm setting up a PIX515e with v4.0.1 remote clients. The connection establishes, but apparently the PIX is not properly using the tunnel. The result is the client cannot access resources on the trusted LAN.

Results of sh crypto sa:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 2084, #pkts decrypt: 2084, #pkts verify 2084
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

Traffic is not being properly routed through the tunnel. If I ping the remote client from a host on the trusted LAN, I see the ICMP packets on the wire on my WAN interface.

11 packets captured

13:43:46.663539 x.x.55.37 > x.x.193.235: icmp: echo request
13:43:51.454703 x.x.193.235 > x.x.193.226: ip-proto-50, length 132
13:43:51.864594 x.x.55.37 > x.x.193.235: icmp: echo request
13:43:52.790608 x.x.193.235.500 > x.x.193.226.500: udp 84
13:43:52.790928 x.x.193.226.500 > x.x.193.235.500: udp 84
13:43:52.956829 x.x.193.235 > x.x.193.226: ip-proto-50, length 132
13:43:54.459158 x.x.193.235 > x.x.193.226: ip-proto-50, length 132
13:43:56.870575 x.x.55.37 > x.x.193.235: icmp: echo request
13:44:01.876556 x.x.55.37 > x.x.193.235: icmp: echo request
13:44:02.805546 x.x.193.235.500 > x.x.193.226.500: udp 84
13:44:02.805897 x.x.193.226.500 > x.x.193.235.500: udp 84

11 packets shown

FYI...x.x.193.226 is the PIX WAN port.

Several interesting things here.

1) The PIX is placing the ping echo request on the wire unencrypted. Why isn't the traffic using the established tunnel?

2) The client is set up for UDP transparent tunneling. So why the protocol 50 traffic? I thought that was the point of transparent tunneling, to get past ISPs like Earthlink who block protocol 50 traffic.

I'm using a dynamic crypto map, but I don't see how the dynamic ACL that is created with the SA is applied to the traffic. If I sh access-lists, I see the dynamic ACL:

access-list dynacl9 line 1 permit ip any host 192.168.17.1 (hitcnt=0)

192.168.17.1 is the virtual address assigned to the client.

If I sh crypto dynamic-map, I see:

Crypto Map: "WANMAP" interfaces: { WAN }
client authentication RADIUS
Crypto Map "WANMAP" 65535 ipsec-isakmp
Dynamic map template tag: DYNMAP
Crypto Map "WANMAP" 65540 ipsec-isakmp
Peer = x.x.193.235
access-list dynacl9; 1 elements
access-list dynacl9 line 1 permit ip any host 192.168.17.1 (hitcnt=0)
dynamic (created from dynamic map DYNMAP/20)
Current peer: x.x.193.235
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ ENCRYPT, }

Here's my config:

ip local pool vpnclients x.x.17.1-x.x.17.254
access-list INSIDE permit ip x.x.55.0 255.255.255.0 any
access-list INSIDE permit icmp x.x.55.0 255.255.255.0 any
access-list OUTSIDE permit ip any x.x.55.0 255.255.255.0
access-list OUTSIDE permit ip any host x.x.193.226
access-list OUTSIDE permit icmp any x.x.55.0 255.255.255.0
access-list OUTSIDE permit icmp any host x.x.193.226
access-list VPN-NAT permit ip any x.x.17.0 255.255.255.0
ip address WAN x.x.193.226 255.255.255.248
ip address WIN-LAN x.x.55.1 255.255.255.0
nat (inside) 0 access-list VPN-NAT
nat (inside) 0 x.x.55.0 255.255.255.0 0 0
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
sysopt connection permit-ipsec
crypto ipsec transform-set ENCRYPT esp-des esp-md5-hmac
crypto dynamic-map DYNMAP 20 set transform-set ENCRYPT
crypto map WANMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map WANMAP client authentication RADIUS
crypto map WANMAP interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngroup address-pool vpnclients
vpngroup vpngroup dns-server [ip of nameserver]
vpngroup vpngroup wins-server [ip of wins server]
vpngroup vpngroup default-domain mydomain.com
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password ********

Can anyone shed any light on this?

Thanks.
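The three pieces of output quoted in the post (the SA counters, the WAN-side capture and the dynamic crypto ACL) are exactly what one checks to tell a tunnel that is up from a tunnel that is actually carrying traffic. The script below is an added example, not code from the post or from Cisco; it parses those three outputs, using the post's own text as constructed sample input (the "x.x" prefixes are the author's redaction), and reports the symptoms of traffic bypassing an established SA: packets decapsulated but none encapsulated, a crypto ACL with hitcnt=0, and non-ESP, non-ISAKMP packets to the peer leaving the outside interface in the clear. The peer address, the UDP/500 and UDP/4500 ports treated as ISAKMP, and the output format assumed by the regexes are taken from the post and from standard PIX capture syntax; adapt them if your output differs.

```python
"""Triage a one-way IPsec SA on a Cisco PIX from three pieces of show/capture output.

Added example, not from the original post or from Cisco. The sample text below
is copied from the post; 'x.x' is the author's address redaction.
"""
import re

# --- constructed sample input, copied from the post ------------------------
SA_OUTPUT = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 2084, #pkts decrypt: 2084, #pkts verify 2084
#send errors 0, #recv errors 0
"""

CAPTURE = """\
13:43:46.663539 x.x.55.37 > x.x.193.235: icmp: echo request
13:43:51.454703 x.x.193.235 > x.x.193.226: ip-proto-50, length 132
13:43:52.790608 x.x.193.235.500 > x.x.193.226.500: udp 84
13:43:52.790928 x.x.193.226.500 > x.x.193.235.500: udp 84
"""

ACL_OUTPUT = "access-list dynacl9 line 1 permit ip any host 192.168.17.1 (hitcnt=0)"

PEER = "x.x.193.235"  # remote client's public address, from the post

_COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
_HITCNT = re.compile(r"^(access-list \S+ line \d+ .*?) \(hitcnt=(\d+)\)$", re.M)
# PIX capture line: "<timestamp> <src>[.<port>] > <dst>[.<port>]: <protocol text>"
_PKT = re.compile(r"^\S+ (\S+) > (\S+): (.+)$", re.M)


def sa_counters(text):
    """Return {'encaps': n, 'decaps': n} parsed from 'show crypto ipsec sa' output."""
    found = {name: int(value) for name, value in _COUNTER.findall(text)}
    return {"encaps": found.get("encaps", 0), "decaps": found.get("decaps", 0)}


def zero_hit_acls(text):
    """Crypto ACL entries whose hit counter is still zero (never matched a packet)."""
    return [entry for entry, hits in _HITCNT.findall(text) if int(hits) == 0]


def _strip_port(addr):
    # "x.x.193.235.500" -> ("x.x.193.235", "500"); an address without a port -> (addr, None)
    if addr.count(".") == 4:
        host, port = addr.rsplit(".", 1)
        return host, port
    return addr, None


def cleartext_to_peer(capture, peer):
    """Packets to the peer on the outside interface that are neither ESP
    (ip-proto-50) nor ISAKMP (udp/500, udp/4500) and so left the PIX unencrypted."""
    leaks = []
    for src, dst, proto in _PKT.findall(capture):
        dst_ip, dst_port = _strip_port(dst)
        if dst_ip != peer:
            continue  # inbound or unrelated traffic
        if proto.startswith("ip-proto-50"):
            continue  # ESP: this is the tunnel itself
        if proto.startswith("udp") and dst_port in ("500", "4500"):
            continue  # ISAKMP / NAT-T keepalives and rekeys
        leaks.append(f"{_strip_port(src)[0]} -> {dst_ip}: {proto}")
    return leaks


def triage(sa_text, capture, acl_text, peer):
    """Combine the three checks into a list of findings (empty list = tunnel looks healthy)."""
    findings = []
    counters = sa_counters(sa_text)
    if counters["decaps"] > 0 and counters["encaps"] == 0:
        findings.append(
            f"one-way SA: {counters['decaps']} packets decrypted, none encrypted; "
            "outbound traffic is not being matched to the crypto ACL")
    for entry in zero_hit_acls(acl_text):
        findings.append(f"crypto ACL never matched: {entry}")
    for leak in cleartext_to_peer(capture, peer):
        findings.append(f"cleartext to peer on outside interface: {leak}")
    return findings


if __name__ == "__main__":
    for finding in triage(SA_OUTPUT, CAPTURE, ACL_OUTPUT, PEER):
        print("-", finding)
```

On the post's own data the script reports all three symptoms. Note what the cleartext check surfaces: the echo requests in the capture are addressed to the peer's public address x.x.193.235, while the dynamic ACL only covers the client's virtual address 192.168.17.1, so a packet to the public address is not "interesting traffic" for the crypto map and is forwarded in the clear. When running this kind of check yourself, compare the cleartext destinations against both the peer address and the addresses the crypto ACL actually protects.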

1 Reply

b.hsu
Level 5