01-26-2007 06:18 AM
Hello,
I am facing a very strange (for me) problem.
I configured remote access to our LAN.
With this topology:
client - internet - router - router - LAN
remote access was working properly. Between the routers there was no NAT configured.
When I change the topology to:
client - internet - router - PIX - router - LAN
the problem arises. There is also no NAT between router - PIX - router .... I configured NAT exemption on the PIX.
But I am not able to connect to the VPN.
I opened all traffic through the PIX, but the connection progress stops after phase 1 is successfully established.
I don't know what to do. Please, could you help me with this?
Thank you very much!
01-29-2007 12:54 AM
What you want is certainly possible. There must be a mistake in your PIX configuration.
Regards,
Leo
01-29-2007 01:05 AM
Hi,
please could you take a look at my configuration. I have spent a lot of time on it and maybe I am blind :(
interface Ethernet0
speed 10
duplex full
nameif outside
security-level 0
ip address 215.118.108.220 255.255.255.240
!
interface Ethernet2.90
vlan 90
nameif dmz-hp
security-level 12
ip address 215.118.108.137 255.255.255.252
!
access-list acl_outside extended permit udp any host 215.118.108.138 eq isakmp
access-list acl_outside extended permit esp any host 215.118.108.138
access-list acl_outside extended permit ah any host 215.118.108.138
access-list acl_outside extended permit ip any host 215.118.108.138
access-list acl_outside extended deny ip any any
!
access-list acl_hp extended permit esp any any
access-list acl_hp extended permit udp any any eq isakmp
access-list acl_hp extended permit icmp any any
access-list acl_hp extended permit ip any any
!
access-list acl_bypass_hp extended permit ip any any
!
nat (dmz-hp) 0 access-list acl_bypass_hp
!
access-group acl_outside in interface outside
!
access-group acl_hp in interface dmz-hp
!
isakmp enable outside
isakmp enable dmz-hp
!
Please, I really need help with this.
Thank you in advance.
01-29-2007 02:33 AM
It looks as if you are still trying to terminate the VPN on the router. A more preferable option would be to terminate on the PIX instead. Please check the URL below for a configuration example:
Regards,
Leo
01-29-2007 03:59 AM
Yes you are right!
I am trying to terminate remote access from VPN clients on the router. But I need to "insert" a PIX between the router and the clients. I can't terminate the VPN on that PIX.
I think that the VPN is configured properly on the router, because it was OK ... until I inserted that PIX between the routers.
This is the configuration of the terminating router:
!
username ikvc_remote password 0 raIKVC
no aaa new-model
!
crypto isakmp policy 21
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 0 3812.xA2i address 221.12.52.130
crypto isakmp client configuration address-pool local ippool
crypto isakmp client configuration group clientIKVC
key 0 ikvcRA
pool ippool
acl 199
crypto isakmp profile ikvc
match identity group clientIKVC
client authentication list clientIKVC
isakmp authorization list clientIKVC
client configuration address respond
!
crypto ipsec transform-set alfa esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set alfa
set isakmp-profile ikvc
!
crypto map ikvc 20 ipsec-isakmp
set peer 221.12.52.130
set transform-set alfa
match address 103
crypto map ikvc 30 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$
ip address 192.168.12.1 255.255.255.0
ip nat inside
!
interface Ethernet1
description $FW_OUTSIDE$$ETH-LAN$
ip address 215.118.108.138 255.255.255.252
ip nat outside
duplex auto
crypto map ikvc
!
!
ip local pool ippool 192.168.13.1 192.168.13.254
ip nat inside source list nat interface Ethernet1 overload
!
ip access-list extended nat
deny ip 192.168.12.0 0.0.0.255 10.20.0.0 0.0.255.255
deny ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
permit ip any any
!
access-list 199 deny ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 199 permit ip 192.168.12.0 0.0.0.255 any
!
Thanks for your effort
01-29-2007 04:52 AM
You may have a routing issue. Are you certain that the 215.118.108.136/30 subnet is routed to your PIX?
The normal configuration would be to use a static translation between DMZ and outside. This implies that you change the peer IP address for the remote router to an IP address in the outside subnet.
For the rest I would start simplifying the ACLs by permitting everything between the VPN peers. If that is working you can re-apply the security settings to make it as tight as possible.
Regards,
Leo
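Leo's suggestion expressed as PIX 7.x configuration (the syntax matching the nameif/security-level style posted above), as an added example that is not part of the thread. The outside address 215.118.108.221 is a constructed placeholder in the PIX's outside /28, and the udp/4500 line covers NAT-T, which the clients fall back to once they see their peer's address translated.

```cisco
! Added example (not from the thread): static translation in place of the
! "nat (dmz-hp) 0 access-list acl_bypass_hp" exemption the original config used.
! Assumptions: PIX 7.x syntax; 215.118.108.221 is a constructed, unused address
! in the outside subnet (215.118.108.208/28); the terminating router keeps
! 215.118.108.138 on its Ethernet1.
!
! Before: NAT exemption between the DMZ router and outside
!   nat (dmz-hp) 0 access-list acl_bypass_hp
!
! After: one-to-one static, DMZ real address -> outside mapped address
static (dmz-hp,outside) 215.118.108.221 215.118.108.138 netmask 255.255.255.255
!
! Pre-8.3 PIX/ASA ACLs on the outside interface reference the mapped address.
! Only the IPsec control and data protocols need to be opened; the udp/4500
! entry is NAT-T, which IKE negotiates because the peer address is translated.
access-list acl_outside extended permit udp any host 215.118.108.221 eq isakmp
access-list acl_outside extended permit udp any host 215.118.108.221 eq 4500
access-list acl_outside extended permit esp any host 215.118.108.221
access-list acl_outside extended permit ah any host 215.118.108.221
access-list acl_outside extended deny ip any any
access-group acl_outside in interface outside
!
! The VPN clients and the site-to-site peer (221.12.52.130 in the router
! config) now point at 215.118.108.221; the router's crypto map is unchanged.
```

With the static in place, "show xlate" on the PIX should show the 215.118.108.138 to 215.118.108.221 entry before any client connects, which confirms the translation rather than the ACL is what the peers hit.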
01-29-2007 06:49 AM
Hi Leo!
I am happy now :)
Remote access is finally done. I changed "nat 0" to "static" and I rewrote the access list ....
But I can't understand why it didn't work before.
If you take a look at the PIX configuration, you can see that everything was permitted :).
I don't know ... maybe something like a ghost.
Thank you for your support!
Tomas
01-29-2007 06:56 AM
Thank you for rating my post!