PIX 501 (6.3.5) : Inbound IPSEC connections

Hello,

I have previously posted a message in the "Security / Firewalling" forum, but I got few responses... If someone here can help me, it would be very nice! Here is the content of my post:

I have a PIX 501 with an IPSec tunnel with a Linux host (openswan, net-to-net). The tunnel works fine, isakmp and ipsec sas are created and working. The problem is that I cannot start a connection from the Linux-side (outside interface on the pix) without first initiating a connection from the PIX side...

I disabled the NAT with these commands:

access-list nonat permit ip 0 0 0 0

nat (inside) 0 access-list nonat

nat (outside) 0 access-list nonat

I also tried this (IPs masked...), without result:

static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

nat (inside) 0 0 0

Is there another solution?

Thank you!

Replied by: m.sir - Aug 11, 2006, 7:33am PST

Can you check what the ISAKMP lifetime is... When the initiating side has a lifetime shorter than the peer's, the tunnel is not established... When the lifetime is longer than the peer's lifetime, the tunnel is established.

M.

Replied by: sebastien.leclerc - Aug 11, 2006, 7:59am PST

I changed the IKE lifetime (both 3600 secs, and pix=3600s / linux=4800s), but I still can't connect without first initiating a connection from the pix side...

Thanks for your help!

A small clarification:

Other connections initiated from outside the PIX, but not in the IPsec tunnel, are OK; I don't need to connect from inside first.

Is there something in the PIX that prevents inbound connections from IPSec tunnels?

Another note: I don't use "sysopt connection permit-ipsec", I use access-list entries.

Thank you!


mpalardy
Level 3

Hi Sebastien,

From what I see there might be 2 ways to solve your problem.

First:

You may wish to check and modify this command on pix:

crypto map map-name client configuration address initiate | respond

Second: (This is a long shot but may work)

Remove pfs for this crypto-map

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1034654

Mike

Hi,

Thanks for your response

For PFS, there is no problem, it is not activated.

I may be wrong, but as far as I know, the other command is for giving IP addresses to VPN clients, but I use a LAN-to-LAN configuration...

Thank you!

Seb, instead of using nat-0 (inside) 0 0, could you just do nat-0 only with your internal network, e.g. 10.10.10.0/24, and give it a try?

You've mentioned the remote network cannot establish a connection to your internal network. Could you check for any syslog related to this event?

I already tried this solution, without success...

There isn't any syslog message, it's just like there is no packet getting to destination, except that on the linux side, they are effectively transmitted.

I opened a case in the TAC, hope they will resolve the problem

Thank you very much for your help!

Did you also check the access-lists for traffic encryption? Are they mirrored?
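The mirroring check raised above is the one thing in this thread that can be verified mechanically: the PIX crypto ACL must name exactly the (local, remote) subnets that the openswan conn names as (remote, local), otherwise Phase 2 only comes up when one particular side proposes it. The script below is an added example, not code from the thread, from Cisco or from openswan. It parses PIX 6.3-style "access-list ... permit ip A MASK B MASK" lines (including the "0 0" shorthand for any) and a single openswan conn block, then reports the symmetric difference between the two policies. The subnets are constructed placeholders, and the assumption that the PIX occupies openswan's "right" side is a parameter, since left/right in openswan is only naming.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed sample data (placeholder addresses, not taken from the thread):
# a PIX 6.3 crypto access-list and the openswan net-to-net conn it should mirror.
PIX_CRYPTO_ACL = """
access-list vpn_to_linux permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
"""

OPENSWAN_CONN_OK = """
conn pix-to-linux
    left=203.0.113.10
    leftsubnet=192.168.50.0/24
    right=198.51.100.1
    rightsubnet=10.10.10.0/24
"""

# Same conn with the Linux-side subnet typed one bit too wide: a typical mirror error.
OPENSWAN_CONN_BAD = OPENSWAN_CONN_OK.replace("leftsubnet=192.168.50.0/24",
                                             "leftsubnet=192.168.50.0/23")

_PIX_LINE = re.compile(
    r"^access-list\s+\S+\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)


def _pix_net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """PIX 6.x writes 'any' as '0 0'; expand that shorthand before parsing."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_pix_crypto_acl(text: str) -> List[Pair]:
    """Return (local, remote) network pairs from 'access-list ... permit ip A MASK B MASK' lines."""
    pairs: List[Pair] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _PIX_LINE.match(line)
        if m is None:
            raise ValueError(f"unsupported ACL syntax: {line}")
        pairs.append((_pix_net(m["src"], m["smask"]), _pix_net(m["dst"], m["dmask"])))
    return pairs


def parse_openswan_conn(text: str) -> Dict[str, str]:
    """Collect key=value settings from one openswan conn block."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def linux_pairs_as_seen_by_pix(conn: Dict[str, str], pix_is_right: bool = True) -> Set[Pair]:
    """Express the openswan conn as (pix_local, pix_remote) for comparison with the PIX ACL.

    openswan's left/right is only naming; pix_is_right (an assumption) says which side the PIX is.
    """
    left = ipaddress.IPv4Network(conn["leftsubnet"])
    right = ipaddress.IPv4Network(conn["rightsubnet"])
    return {(right, left)} if pix_is_right else {(left, right)}


def mirror_mismatches(pix_acl: str, conn_text: str, pix_is_right: bool = True) -> Set[Pair]:
    """Symmetric difference of the two policies; an empty set means they mirror exactly."""
    pix_pairs = set(parse_pix_crypto_acl(pix_acl))
    linux_pairs = linux_pairs_as_seen_by_pix(parse_openswan_conn(conn_text), pix_is_right)
    return pix_pairs ^ linux_pairs


def acls_are_mirrored(pix_acl: str, conn_text: str, pix_is_right: bool = True) -> bool:
    return not mirror_mismatches(pix_acl, conn_text, pix_is_right)


if __name__ == "__main__":
    for label, conn in (("ok", OPENSWAN_CONN_OK), ("bad", OPENSWAN_CONN_BAD)):
        bad = mirror_mismatches(PIX_CRYPTO_ACL, conn)
        print(label, "mirrored" if not bad else f"mismatch: {sorted(map(str, bad))}")
```

Any pair reported by mirror_mismatches is a subnet one peer proposes for Phase 2 that the other has no matching policy for; that is the shape of failure where the tunnel works only when initiated from one side, which matches the symptom in the original post.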

mohbad1972
Level 1

Hi,

I think you have to add the global outside address of the PIX into the crypto ACL on the UNIX box. I faced this scenario using the ISA server with PIX.