Remote access through PIX

janousek
Level 1

Hello,

I am facing a very strange (for me) problem.

I configured remote access to our LAN.

With this topology:

client - internet - router - router - LAN

remote access works properly. Between the routers there was no NAT configured.

When I change the topology to:

client - internet - router - PIX - router - LAN

the problem arises. There is also no NAT between router - PIX - router .... I configured NAT exemption on the PIX.

But I am not able to connect to the VPN.

I opened all traffic through the PIX, but the connection progress stops after phase 1 is successfully established.

I don't know what to do. Could you please help me with this?

Thank you very much!


lgijssel
Level 9

What you want is certainly possible. There must be a mistake in your PIX configuration.

Regards,

Leo

Hi,

Could you please take a look at my configuration? I have spent a lot of time on it and maybe I am blind :(

interface Ethernet0
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address 215.118.108.220 255.255.255.240
!
interface Ethernet2.90
 vlan 90
 nameif dmz-hp
 security-level 12
 ip address 215.118.108.137 255.255.255.252
!
access-list acl_outside extended permit udp any host 215.118.108.138 eq isakmp
access-list acl_outside extended permit esp any host 215.118.108.138
access-list acl_outside extended permit ah any host 215.118.108.138
access-list acl_outside extended permit ip any host 215.118.108.138
access-list acl_outside extended deny ip any any
!
access-list acl_hp extended permit esp any any
access-list acl_hp extended permit udp any any eq isakmp
access-list acl_hp extended permit icmp any any
access-list acl_hp extended permit ip any any
!
access-list acl_bypass_hp extended permit ip any any
!
nat (dmz-hp) 0 access-list acl_bypass_hp
!
access-group acl_outside in interface outside
!
access-group acl_hp in interface dmz-hp
!
isakmp enable outside
isakmp enable dmz-hp
!

Please, I really need help with this.

Thank you in advance.

It looks as if you are still trying to terminate the VPN on the router. A more preferable option would be to terminate on the PIX instead. Please check the URL below for a configuration example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

Regards,

Leo

Yes you are right!

I try to terminate remote access from VPN clients on the router. But I need to "insert" the PIX between the router and the clients. I can't terminate the VPN on that PIX.

I think that the VPN is configured properly on the router, because it was OK ... until I inserted that PIX between the routers.

This is the configuration of the terminating router:

!
username ikvc_remote password 0 raIKVC
no aaa new-model
!
crypto isakmp policy 21
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 3812.xA2i address 221.12.52.130
crypto isakmp client configuration address-pool local ippool
crypto isakmp client configuration group clientIKVC
 key 0 ikvcRA
 pool ippool
 acl 199
crypto isakmp profile ikvc
 match identity group clientIKVC
 client authentication list clientIKVC
 isakmp authorization list clientIKVC
 client configuration address respond
!
crypto ipsec transform-set alfa esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set alfa
 set isakmp-profile ikvc
!
crypto map ikvc 20 ipsec-isakmp
 set peer 221.12.52.130
 set transform-set alfa
 match address 103
crypto map ikvc 30 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 description $FW_INSIDE$$ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$
 ip address 192.168.12.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 description $FW_OUTSIDE$$ETH-LAN$
 ip address 215.118.108.138 255.255.255.252
 ip nat outside
 duplex auto
 crypto map ikvc
!
!
ip local pool ippool 192.168.13.1 192.168.13.254
ip nat inside source list nat interface Ethernet1 overload
!
ip access-list extended nat
 deny ip 192.168.12.0 0.0.0.255 10.20.0.0 0.0.255.255
 deny ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
 permit ip any any
!
access-list 199 deny ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 199 permit ip 192.168.12.0 0.0.0.255 any
!

Thanks for your effort.

You may have a routing issue. Are you certain that the 215.118.108.136/30 subnet is routed to your PIX?

The normal configuration would be to use a static translation between DMZ and outside. This implies that you change the peer IP address for the remote router to an IP address in the outside subnet.

For the rest I would start simplifying the ACLs by permitting everything between the VPN peers. If that is working you can re-apply the security settings to make it as tight as possible.

Regards,

Leo
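The static-translation approach Leo describes, written out as an added PIX 7.x fragment for this thread's addressing (this is not configuration posted by either participant). It assumes 215.118.108.221 is a free address in the PIX outside /28 (215.118.108.208/28); replace it with whatever address is actually available.

```cisco
! Added example, not from the thread. Replaces the nat 0 exemption with a
! one-to-one static translation, so the VPN router (215.118.108.138 on dmz-hp)
! is reachable from the Internet on an address the ISP already routes to the
! PIX outside subnet. 215.118.108.221 is an ASSUMED free outside address.
no nat (dmz-hp) 0 access-list acl_bypass_hp
static (dmz-hp,outside) 215.118.108.221 215.118.108.138 netmask 255.255.255.255
!
! Pre-8.3 PIX ACLs on the outside interface match the mapped (global) address,
! so the old "host 215.118.108.138" entries never match translated traffic.
! Permit only what IPsec needs instead of "permit ip any"; UDP 4500 is required
! only if clients negotiate NAT-T.
access-list acl_outside extended permit udp any host 215.118.108.221 eq isakmp
access-list acl_outside extended permit udp any host 215.118.108.221 eq 4500
access-list acl_outside extended permit esp any host 215.118.108.221
access-list acl_outside extended permit ah any host 215.118.108.221
access-list acl_outside extended deny ip any any
access-group acl_outside in interface outside
```

As Leo notes, the remote router 221.12.52.130 and the VPN client profiles then use 215.118.108.221 as the peer address rather than 215.118.108.138.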

Hi Leo!

I am happy now :)

Remote access is finally done. I changed "nat 0" to "static" and I rewrote the access list ....

But I can't understand why it didn't work before.

If you take a look at the PIX configuration, you can see that everything was permitted :).

I don't know ... maybe something like a ghost.

Thank you for your support!

Tomas

Thank you for rating my post!
