02-17-2003 07:45 PM - edited 02-20-2020 10:33 PM
I have a PIX with 2 VPN connections plus 1 remote client connection.
Meanwhile, I would like to allow my vendor to access one of my file servers (internal IP 192.168.0.2). I tried to do a static bind with 202.174.143.45 and modified the access-list accordingly. But still my vendor can't access the file server, nor can the server go out to the internet. What could be wrong?
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password KX/2yDvEiODIteF/ encrypted
passwd ggXVcePzJwQfhvVL encrypted
hostname Mitsui
domain-name Mitsuisoko.com
clock timezone MYT 8
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
object-group service Internet_access tcp
port-object eq ftp
port-object eq pop3
port-object eq ftp-data
port-object eq https
port-object eq www
port-object eq smtp
port-object eq uucp
port-object eq pcanywhere-data
port-object range 1433 1433
port-object range 9000 9002
object-group network VPN_users
description This group included all the addresses of remote VPN site as well as VPN dial-up clients. 192.168.1.0 (Pasir Gudang), 192.168.2.0 (Melaka), 192.168.3.0 (Dial-up VPN clients)
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
object-group network Servers
network-object 192.168.0.1 255.255.255.255
network-object 192.168.0.100 255.255.255.255
network-object 192.168.0.33 255.255.255.255
access-list inside_access_in permit ip host 192.168.0.2 any
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq domain
access-list inside_access_in permit udp 192.168.0.0 255.255.255.0 any eq domain
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any object-group Internet_access
access-list inside_access_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in permit ip any host 202.174.143.45
access-list outside_access_in permit icmp any any
access-list split permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging monitor errors
logging trap debugging
logging host inside 192.168.0.2
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 202.174.143.42 255.255.255.248
ip address inside 192.168.0.25 255.255.255.0
ip verify reverse-path interface outside
ip audit name Custom_attack attack action alarm drop reset
ip audit name Custom_infor info action alarm
ip audit info action alarm
ip audit attack action alarm drop reset
ip local pool msoko_client 192.168.3.1-192.168.3.254
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 202.187.49.106 255.255.255.255 outside
pdm location 192.168.0.100 255.255.255.255 inside
pdm location 192.168.0.249 255.255.255.255 inside
pdm location 192.168.0.248 255.255.255.248 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.0.1 255.255.255.255 inside
pdm location 202.9.101.56 255.255.255.255 outside
pdm location 192.168.0.33 255.255.255.255 inside
pdm location 219.93.68.178 255.255.255.255 outside
pdm location 219.93.68.130 255.255.255.255 outside
pdm location 192.168.3.1 255.255.255.255 outside
pdm location 192.168.3.1 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.248 inside
pdm location 202.174.143.44 255.255.255.255 outside
pdm location 202.174.143.45 255.255.255.255 outside
pdm group VPN_users outside
pdm group Servers inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 192.168.0.0 255.255.255.0 0 0
static (outside,inside) 192.168.0.2 202.174.143.45 netmask 255.255.255.255 0 0
static (inside,outside) 202.174.143.45 192.168.0.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 202.174.143.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 202.187.49.106 255.255.255.255 outside
http 192.168.0.2 255.255.255.255 inside
http 192.168.0.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map dymanic 10 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 219.93.68.178
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 40 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 219.93.68.130
crypto map outside_map 60 set transform-set ESP-DES-MD5
crypto map outside_map 60 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map 80 ipsec-isakmp dynamic dymanic
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 219.93.68.178 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 219.93.68.130 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local msoko_client outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 600
vpngroup msoko address-pool msoko_client
vpngroup msoko wins-server 192.168.1.1 192.168.1.2
vpngroup msoko default-domain mitsuisoko
vpngroup msoko idle-time 1800
vpngroup msoko password ********
telnet 192.168.0.2 255.255.255.255 inside
telnet 192.168.0.100 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
02-24-2003 11:26 AM
I am not sure, but just check it out by increasing the telnet timeout from 5 seconds to 10 or 15.
02-24-2003 11:31 AM
You do not need to create a static mapping for both directions. I would remove the "static (outside,inside) 192.168.0.2 202.174.143.45 netmask 255.255.255.255 0 0" line and keep the other static mapping. They are both doing the same thing and may be confusing things. The ACLs look okay.
02-24-2003 05:43 PM
Thanks for your advice. Now things are getting weirder. Even with the following config I am still suffering the same issue. Wondering whether there is anything to do after I establish the site-to-site VPN or VPN client. What do you think?
I did a show xlate and the static map is there. However, the server that holds the static map can't even surf the net! :P
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password KX/2yDvEiODIteF/ encrypted
passwd ggXVcePzJwQfhvVL encrypted
hostname Mitsui
domain-name Mitsuisoko.com
clock timezone MYT 8
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
object-group service Internet_access tcp
port-object eq ftp
port-object eq pop3
port-object eq ftp-data
port-object eq https
port-object eq www
port-object eq smtp
port-object eq uucp
port-object eq pcanywhere-data
port-object range 1433 1433
port-object range 9000 9002
object-group network VPN_users
description This group included all the addresses of remote VPN site as well as VPN dial-up clients. 192.168.1.0 (Pasir Gudang), 192.168.2.0 (Melaka), 192.168.3.0 (Dial-up VPN clients)
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
object-group network Servers
network-object 192.168.0.1 255.255.255.255
network-object 192.168.0.100 255.255.255.255
network-object 192.168.0.33 255.255.255.255
access-list inside_access_in permit ip host 192.168.0.2 any
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq domain
access-list inside_access_in permit udp 192.168.0.0 255.255.255.0 any eq domain
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any object-group Internet_access
access-list inside_access_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in permit ip any host 202.174.143.45
access-list outside_access_in permit icmp any any
access-list split permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging monitor errors
logging trap debugging
logging host inside 192.168.0.2
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 202.174.143.42 255.255.255.248
ip address inside 192.168.0.25 255.255.255.0
ip verify reverse-path interface outside
ip audit name Custom_attack attack action alarm drop reset
ip audit name Custom_infor info action alarm
ip audit info action alarm
ip audit attack action alarm drop reset
ip local pool msoko_client 192.168.3.1-192.168.3.254
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 202.187.49.106 255.255.255.255 outside
pdm location 192.168.0.100 255.255.255.255 inside
pdm location 192.168.0.249 255.255.255.255 inside
pdm location 192.168.0.248 255.255.255.248 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.0.1 255.255.255.255 inside
pdm location 202.9.101.56 255.255.255.255 outside
pdm location 192.168.0.33 255.255.255.255 inside
pdm location 219.93.68.178 255.255.255.255 outside
pdm location 219.93.68.130 255.255.255.255 outside
pdm location 192.168.3.1 255.255.255.255 outside
pdm location 192.168.3.1 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.248 inside
pdm location 202.174.143.44 255.255.255.255 outside
pdm location 202.174.143.45 255.255.255.255 outside
pdm group VPN_users outside
pdm group Servers inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 192.168.0.0 255.255.255.0 0 0
static (inside,outside) 202.174.143.45 192.168.0.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 202.174.143.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 202.187.49.106 255.255.255.255 outside
http 192.168.0.2 255.255.255.255 inside
http 192.168.0.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map dymanic 10 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 219.93.68.178
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 40 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 219.93.68.130
crypto map outside_map 60 set transform-set ESP-DES-MD5
crypto map outside_map 60 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map 80 ipsec-isakmp dynamic dymanic
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 219.93.68.178 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 219.93.68.130 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local msoko_client outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 600
vpngroup msoko address-pool msoko_client
vpngroup msoko wins-server 192.168.1.1 192.168.1.2
vpngroup msoko default-domain mitsuisoko
vpngroup msoko idle-time 1800
vpngroup msoko password ********
telnet 192.168.0.2 255.255.255.255 inside
telnet 192.168.0.100 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
02-25-2003 04:07 AM
I have run into this a few times with PIX Static mappings. What I have ended up doing in the past is reboot the PIX and the ISP router at the same time. I think it has something to do with the MAC Address mappings on the ISP router. Rebooting the PIX may not be necessary, but I figure it won't hurt while the ISP router is reloading. If you have a DMZ, you may just want to enter clear xlate as the ISP router reloads.
02-25-2003 05:33 PM
Wolfrikk,
I'll try that. Will let you know the result. Thanks.
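The two replies above point at two different things: the 02-24 reply at the static configured in both directions, and the 02-25 reply at MAC/ARP state on the ISP router. The script below is an added example, not code from Cisco or from anyone in this thread. It reads the handful of running-config lines that matter for a static and reports three conditions: a static that also exists in the reverse direction; a global address that lies on the outside interface's own subnet while `sysopt noproxyarp outside` is set (on PIX 6.x that sysopt stops the firewall answering ARP for translated addresses, so the next-hop router has no MAC to send to; this check goes beyond what either reply states and is the editor's addition); and a global address that the ACL bound inbound on that interface never permits as a destination. The parser handles only the syntax seen in the posted config (any / host / net-mask addresses, no object-group expansion), and the sample input is a constructed excerpt of the first config posted above.

```python
"""Offline sanity checks for PIX 6.x static NAT entries (added example for this
thread; constructed, not Cisco's or the poster's code). It flags a static that
is also configured in the reverse direction, a global address that lies on the
outside subnet while proxy ARP is disabled there, and a global address that
the inbound ACL on that interface never permits as a destination."""
import collections
import ipaddress
import re

NAMEIF_RE = re.compile(r"^nameif \S+ (\S+) security(\d+)")
IPADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")
NOPROXY_RE = re.compile(r"^sysopt noproxyarp (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (.+)")

# static (local_if,global_if) global_ip local_ip: the real host sits behind
# local_if and is presented as global_ip on global_if.
Static = collections.namedtuple("Static", "local_if global_if global_ip local_ip")


def parse(config):
    """Collect security levels, interface addresses, statics, interfaces with
    proxy ARP disabled, ACL bindings and tokenised ACL permit entries."""
    sec, ifaces, statics, noproxy, groups, acls = {}, {}, [], set(), {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            sec[m[1]] = int(m[2])
        elif m := IPADDR_RE.match(line):
            ifaces[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := STATIC_RE.match(line):
            statics.append(Static(*m.groups()))
        elif m := NOPROXY_RE.match(line):
            noproxy.add(m[1])
        elif m := GROUP_RE.match(line):
            groups[m[2]] = m[1]
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append(m[2].split())
    return sec, ifaces, statics, noproxy, groups, acls


def _addr(tok, i):
    """Consume one ACL address spec at tok[i] (any | host A | NET MASK) and
    return (network or None, next index); object-groups are not expanded."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    if tok[i] == "object-group":
        return None, i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def acl_permits_dest(entries, ip):
    """True if the destination of some permit entry covers ip (source-port
    qualifiers, which the posted ACLs do not use, are not skipped)."""
    addr = ipaddress.ip_address(ip)
    for tok in entries:
        try:
            _, i = _addr(tok, 1)      # tok[0] is the protocol, then the source
            dst, _ = _addr(tok, i)
        except (IndexError, ValueError):
            continue
        if dst is not None and addr in dst:
            return True
    return False


def check_statics(config):
    """Return (kind, global_ip) findings for each host-publishing static."""
    sec, ifaces, statics, noproxy, groups, acls = parse(config)
    keys = {tuple(s) for s in statics}
    findings = []
    for s in statics:
        # A normal static publishes a higher-security host on a lower-security
        # interface; the checks only make sense in that direction.
        if sec.get(s.local_if, 0) <= sec.get(s.global_if, 0):
            continue
        if (s.global_if, s.local_if, s.local_ip, s.global_ip) in keys:
            findings.append(("reverse-static", s.global_ip))
        ifc = ifaces.get(s.global_if)
        if (ifc and ipaddress.ip_address(s.global_ip) in ifc.network
                and s.global_if in noproxy):
            findings.append(("no-proxy-arp", s.global_ip))
        acl = groups.get(s.global_if)
        if acl and not acl_permits_dest(acls.get(acl, []), s.global_ip):
            findings.append(("not-permitted-by-acl", s.global_ip))
    return findings


# Lines from the first config posted in the thread that the checks read
# (constructed test input for this example).
POSTED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit ip any host 202.174.143.45
ip address outside 202.174.143.42 255.255.255.248
ip address inside 192.168.0.25 255.255.255.0
static (outside,inside) 192.168.0.2 202.174.143.45 netmask 255.255.255.255 0 0
static (inside,outside) 202.174.143.45 192.168.0.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
sysopt noproxyarp outside
sysopt noproxyarp inside
"""
```

Run `check_statics(POSTED_CONFIG)` against the excerpt and it returns the reverse-static finding for 202.174.143.45 together with the no-proxy-arp finding; the posted `outside_access_in` entry already permits the global address, so no ACL finding appears. Once the `(outside,inside)` line is removed as the 02-24 reply suggests, only the proxy ARP condition remains, which is consistent with the 02-25 reply's observation that the symptom clears when the ISP router's ARP cache is refreshed and returns later.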