PIX 501 config - access to internal network not working from remote VPN users - everything on the inside is OK

NewtoPIX111
Level 1

One other thing - I had a problem with the key pairing so I rebuilt the rsa 1024 and the unit started working. Unfortunately I reloaded without the config in place and now I cannot get it to work again. Any help will be greatly appreciated, although I did review a dozen other posts of people having similar problems and for some reason there is never any conclusion as to the solution and I am not sure why.

Some other info from the client end:

I just ran the stats on the client and packets are being encrypted BUT none are decrypted.

Also Tunnel received 0 and sent 115119

Encryption is 168-bit 3-DES

Authentication is HMAC-SHA1

Also, even though the allow LAN is selected in the Cisco VPN client, it states the local LAN is disabled in the client stats.

Also, Transparent tunneling is selected but in the stats it states it is inactive.

I am connecting with the Cisco VPN Client Ver 5.0.07.0440

This config works. It is on the internal net 192.168.40.x and all users obtain dhcp and surf the web. It has required ports opened. The problem is that you can connect remotely via the VPN and you receive an IP address from the remote-vpn pool but you cannot see any machines on the internal network. The pix is at 40.2 and you cannot ping the pix from the remote PC connecting via the VPN, and you cannot ping the remote PC from the PIX console when the remote is connected and receives the first IP address in the VPN pool of 192.168.40.25.


I need to see the internal network and map network drives. I have another friend that is running the same config and it works, but his computer is on a linksys wireless and has an IP of 192.168.1.x and the IP he receives from the VPN pool is 192.168.1.25, so I do not know if the same network is allowing this config to work even if there is an error in the config. In my present case I obtain the ip of 192.168.40.25 from the VPN pool and my connecting pc is on 192.168.1.x. I really am not sure how the VPN virtual adapter works. I am assuming it routes all traffic from your connecting PC to and from the virtual adapter but I really do not know for sure.

Other people have had similar issues with accessing the internal network from the VPN. One solution was the split-tunnel, another was the natting and another had to do with the encryption, where there was an issue with the encrypt and decrypt which was stopping the communication via the VPN.

I still cannot seem to find the issue with this config and any help will be greatly appreciated.

This is the config

********************************************************

interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password somepassword
hostname hostname
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network internal_trusted_net
  network-object 192.168.40.0 255.255.255.0
object-group icmp-type icmp_outside
  icmp-object echo-reply
  icmp-object unreachable
  icmp-object time-exceeded
  icmp-object source-quench
access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list OutToIn permit ip any any
access-list outbound permit ip any any

(NOTE: I had many more entries in the access list but removed them. Even with the above two allowing everything it does not work)

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 192.168.40.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
pdm history enable
arp timeout 14400
global (outside) 1 interface

I had this statement missing from the previous posted config but even with the nat (inside) 0 access-list no_nat_inside it still does not work.

nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside_in in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.40.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community $XXXXXX$
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3des_strong esp-3des esp-sha-hmac
crypto dynamic-map clientmap 50 set transform-set 3des_strong
crypto map vpn 50 ipsec-isakmp dynamic clientmap
crypto map vpn client configuration address initiate
crypto map vpn client configuration address respond
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local vpn_client_pool outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remote-vpn split-tunnel split_tunnel
vpngroup remote-vpn idle-time 10800
vpngroup remote-vpn password ANOTHER PASSWORD
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.40.0 255.255.255.0 inside
ssh timeout 30
console timeout 60
dhcpd address 192.168.40.100-192.168.40.131 inside
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username AUSER password PASSWORD privilege 15
terminal width 80

****************** End of config

I have been searching docs and other people's postings trying to obtain the info to make this work. It appears pretty much boiler plate but I believe my problem is in the natting. I am using a range in the internal network for the VPN pool and I have tried switching this to other networks but this has not helped. Unfortunately I have been unable to get the PDM to work and I believe this is a PC config thing and I did not want to waste the time on it. I read a post where a person using the PDM interface with the same problem (not being able to access the internal network) was able to go to a section in the VPN wizard and set the Address Exception Translation. They said they originally set the VPN subnet when they did not have to. Many of the other blogs I read also stated that if the natting is not proper for the VPN pool it will not work, but I am confused by the examples. They show, as I do, the complete range for an access-list called no_nat_inside, but I believe it should only have the VPN pool IP range and not the entire network since the others do require natting - not sure if my thought process is correct here. Any help will be greatly appreciated. Also this morning I just tried a boiler plate example from CISCO and it also did not do what I need for it to do. And I also connected a PC to obtain an IP to see if I can see it - no good. The PC can ping the PIX and vice versa but no one can ping the remote PC that connects via the CISCO Remote VPN client even though it receives an address from the vpnpool. Also include LAN is checked off on the client. This was mentioned in another post.

Thank you once again.
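As an added example (not part of this thread or of any Cisco tool), a small Python lint that reads a PIX 6.x-style config excerpt and flags the pitfalls raised in this post and in the replies: a VPN pool carved out of the inside subnet, a NAT0 or split-tunnel ACL that is defined but never applied or that does not cover the pool, and an access-group that names an ACL the config never defines (the posted config applies acl_outside_in on the outside interface while the ACL actually defined is OutToIn). Both config excerpts are constructed from the thread; the "fixed" variant follows the suggestion below of a pool outside the LAN with matching NAT0 and split-tunnel ACLs.

```python
import ipaddress
# Constructed excerpt of the PIX 6.x config posted in the thread (problem state).
POSTED = """
access-list OutToIn permit ip any any
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
ip address inside 192.168.40.2 255.255.255.0
ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
access-group acl_outside_in in interface outside
vpngroup remote-vpn split-tunnel split_tunnel
"""
# Constructed corrected excerpt: pool moved off the LAN, NAT0 applied, ACL names consistent.
FIXED = """
access-list OutToIn permit ip any any
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 10.10.10.0 255.255.255.0
ip address inside 192.168.40.2 255.255.255.0
ip local pool vpn_client_pool 10.10.10.1-10.10.10.10
nat (inside) 0 access-list no_nat_inside
access-group OutToIn in interface outside
vpngroup remote-vpn split-tunnel split_tunnel
"""

def _net(tokens, i):
    if tokens[i] == "any":  # 'any' is one token, 'addr mask' is two
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse(config):
    acls, f = {}, {"nat0": None, "split": None, "pool": None, "inside": None, "groups": {}}
    for line in config.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and [x.lower() for x in t[2:4]] == ["permit", "ip"]:
            src, i = _net(t, 4)
            acls.setdefault(t[1], []).append((src, _net(t, i)[0]))
        elif line.startswith("nat (inside) 0 access-list "):
            f["nat0"] = t[-1]
        elif line.startswith("ip local pool "):
            f["pool"] = tuple(ipaddress.ip_address(a) for a in t[4].split("-"))
        elif line.startswith("ip address inside "):
            f["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:1] == ["access-group"]:
            f["groups"][t[-1]] = t[1]  # interface -> ACL name it applies
        elif t[:1] == ["vpngroup"] and "split-tunnel" in t:
            f["split"] = t[-1]
    return acls, f

def audit(config):
    """Return finding codes for the pitfalls discussed in the thread; [] means none found."""
    acls, f = parse(config)
    pool, out = f["pool"], []
    if pool and f["inside"] and (pool[0] in f["inside"] or pool[1] in f["inside"]):
        out.append("POOL_OVERLAPS_INSIDE")  # pool carved out of the LAN subnet
    for label, name in (("NAT0", f["nat0"]), ("SPLIT", f["split"])):
        if name is None:
            out.append(f"{label}_NOT_APPLIED")  # ACL may exist but nothing references it
        elif name not in acls:
            out.append(f"{label}_ACL_UNDEFINED")
        elif pool and not any(pool[0] in d and pool[1] in d for _, d in acls[name]):
            out.append(f"{label}_ACL_MISSES_POOL")  # destination side must contain the pool
    for iface, name in f["groups"].items():
        if name not in acls:
            out.append(f"ACCESS_GROUP_{iface.upper()}_UNDEFINED_ACL")
    return out
```

Running audit(POSTED) reports the overlapping pool, the unapplied NAT0 ACL and the undefined acl_outside_in, while audit(FIXED) returns an empty list.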

20 Replies

Jouni Forss
VIP Alumni

Hi,

Have you applied the NAT0 ACL at any point? In the above configuration it is not applied to the ASA so it's not used.

You have this ACL

access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0

To use it as a NAT0 ACL you would have to add

nat (inside) 0 access-list no_nat_inside

Naturally I would suggest changing the VPN Pool to something other than the internal network and changing the above NAT0 ACL to reflect that change.

- Jouni

Sorry I was experimenting with this and posted the config with the line you suggested missing.

Even with the nat (inside) 0 access-list no_nat_inside it still does not work.

Can I please trouble you to review this and let me know any thoughts you have concerning it.

I have been experimenting on and off for days and just can't get it.

Thank you.

Hi,

Did you change the VPN Pool used? This would mean changing the NAT0 ACL and Split Tunnel ACL too.

If you do those changes and they don't work, could you then provide us with screenshots from the VPN Client computer from the Statistics section of the VPN Client software. Check for a tab that lists routes and also show us the tab with the data counters so we can see how the situation looks on the client side.

To be honest it's been a long time since I have configured a PIX with the old 6.x series software so I am not sure if there is any VPN related configuration missing.

But I would start by changing the VPN Pool to something other than the LAN network and testing connectivity through the VPN to the LAN with different services like ICMP. You could even install VNC server on some host and try to connect to it from the client computer.

- Jouni

I did try a different internal network and changed the no_nat and split_tunnel but it still did not work. Just to clean it up I will try it again today. Unfortunately I had it running yesterday but I thought for sure it had to do with the RSA private key pairing. When I rebuilt the RSA it worked. After a reset I was back to the same problem. I also noticed on these devices that when you do not have a good private key in place the commands act very erratic. I also read on some posts that some people would enter CLI statements that make no sense at all but the unit starts operating properly afterwards. I have a few of these units I have been testing and a 6.3(4) version was giving a few errors (route, access-list and subnet mask, etc. errors) when I pasted a known working config minus my VPN problem. After I rebuilt the RSA everything went back to normal so I am wondering if these units and their OS are a little unstable and if the commands must be entered and saved in a certain order (aside from the access-lists) for the unit to operate properly. I will try a new config and post it later. I did find many posts concerning similar problems but no one listed a working config after they reported they solved the problem. Some people discuss crypto, isakmp nat-traversal, default routes, as the problem and since I was able to get it to work with a RSA rebuild I am wondering if it is a decryption issue. Thank you for responding.

Hi,

If I have understood your problem correctly then you are able to connect with the VPN but you are not able to form connections to the LAN through that VPN connection. That is why I asked to see some screenshots, so we could confirm if the Client is truly forwarding any traffic to the VPN to begin with and if its routing table is ok according to the VPN Client software.

If possible you can also check the output of this command on the PIX when the VPN Client connection is on and being tested

show crypto ipsec sa

It should show you if packets are flowing to both directions.

- Jouni

Hi,

I just finished changing the config and I changed the following:

access-list OutToIn permit icmp any any
access-list OutToIn permit IP any any
access-list outbound permit icmp any any
access-list outbound permit IP any any
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool vpn_client_pool 10.10.10.1-10.10.10.10

Before I did this, with the pool the same as the network, there was always traffic being encrypted via the client but no decrypts coming back. Now I only see an encrypt from the client machine when I try to ping another machine on the network or the PIX itself. So there are encrypts but no decrypts, which is the same problem I had before - also the transparent tunneling is inactive and when I had this running before it was active with udp and some value.

I am going crazy with this config. Yesterday I had it running and I could ping computers on the network and the encrypts and decrypts counters were both increasing. I wish I would have stopped at that point but I was certain it had to do with rebuilding the RSA and I wanted to be able to confirm this. Thank you for responding.

Hi,

You should probably keep the Transparent Tunneling enabled in the connection profile configured on the actual VPN Client software to avoid possible problems.

If you are seeing traffic flow to the VPN but not getting anything back then the problem is usually NAT on the central device. In this case it doesn't seem to apply though. It could naturally be that the actual hosts just aren't replying to the ICMP but even in this case you have pointed out that they have replied before.

One common problem related to ICMP is missing the ICMP Inspection, or the Fixup ICMP in the case of your older software. I am not sure it's a problem in the case of VPN but you could always try

fixup protocol icmp

fixup protocol icmp error

- Jouni

Hi,

I put in the fixup protocol icmp error (the other command did not work) and now the transparent tunneling is active on udp port 4500, which it was not before. But still no decrypts. I tried also isakmp nat-traversal and crypto for the same. I am worried that these devices are a little screwy. I have the same config on another pix without DHCP and it works fine and yet when you copy the config to another it does not. Do you know if the PIX501 is a reliable device?

OK just double checked everything and on the client side - packets sent none received.

Packets are encrypted none decrypted.

When I try to ping the PIX or a PC on the network the packets sent and encrypted counter increases

When I try to ping from the PIX to the VPN_client that is attached, no packets received on the client and timeout on the PIX.

Another person said the problem was the default route. My external network has a route to the gateway 0.0.0.0 0.0.0.0 gateway.

Is it possible the external VPN IP_Pool is responding to this gateway and not the PC connected via the VPN?

This would explain why packets are sent and encrypted by the client and yet nothing is received back.

Any thoughts? Once again thank you for your time.

I just ran the command you requested

show crypto ipsec sa

Results:

Crypto map tag: vpn, local addr, My External/public IP address on the PIX external interface

nothing else.

Hi,

PIX501 is a very very old Cisco firewall that has not been sold for a long time to my understanding. It also doesn't support anywhere close to new software levels.

If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.

But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.

I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.

Here is a PDF of the original ASA5500 Series.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf

Here is a PDF of the new ASA5500-X Series

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf

I am afraid that it's very hard for me at least to troubleshoot this, especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.

Could you provide the requested outputs?

From the PIX after connection test

show crypto ipsec sa

Screen captures of the VPN Client routing and statistics sections.

- Jouni

I just ran the command you requested (I ran this before and updated my last post).

show crypto ipsec sa

Results:

Crypto map tag: vpn, local addr, My External/public IP address on the PIX external interface

This is the only output, nothing else.

CLIENT STATS:

Bytes:
  Received   0
  Sent       15268

Packets:
  Encrypted  155
  Decrypted  0
  Discarded  4
  Bypassed   1769

Crypto:
  Encryption      168-bit 3-DES
  Authentication  HMAC-SHA1

Transport:
  Transparent Tunneling  Active on UDP port 4500
  Local LAN              Disabled
  Compression            No

Hi,

You should see more than that in the output.

You should see something like this

local ident (addr/mask/prot/port): (/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (/255.255.255.255/0/0)

And a lot more like counters of encapsulated/decapsulated and encrypted/decrypted packets.

If you don't see that I doubt it can work. But it seems weird to me that the VPN would even be connected if you didn't see anything in the output of that command.

- Jouni

Hi,

I really want to thank you for taking your time to help.

I am not certain of the Crypto commands but I did look at some of the results and there does not appear to be anything going on. Based on the config can you see what may be missing? The device works internally with no problem and you can connect externally but that is as far as you can go. Is there a different encryption method I can try to test with that you can recommend? Can I send the unit to you? I am using it with one PC connected to the switch port which obtains an IP from DHCP on the unit, and I connect to the WAN port from my PC where I set the IP address to another public IP on the same subnet as the external address of the PIX. Then I also run a hyperterminal session on the serial port to make config changes and run some diags. I think I have tried this every way possible. Any thoughts on the encryption, and once again thank you for your time.

Hi,

I vaguely remember having problems while labbing some VPN Client setup when I was connected directly to the firewall's external connected network. After I added a router in between the firewall and the client the connection worked just fine.

Is this PIX actually connected to the public network? If not then I would suggest trying to add some router/l3switch in between and connect the VPN Client PC to its own subnet and then try the connections again. If you have the PIX connected to public network then I would test the VPN from behind another Internet connection rather than from the directly connected public network.

I don't know if you sending the unit to me would really help the situation. I don't work for Cisco and Cisco doesn't even offer any support for the PIX firewalls anymore (to my understanding at least) since they are very old models.

If the PIX is connected to a public network then I could always try to check the configurations remotely and test the VPN Client connection at the same time.

But as I said, if you are just testing this setup as a lab then I would suggest adding a router between the Client and PIX and testing again.

- Jouni

OK I got it to work and thanks to you! The FIXUP Protocol ICMP error seems to have solved the problem, however I still need the following:

access-list outbound permit IP any any

and this is tied to the internal interface.

I am going to try to make it specific for the external network. Any thoughts? I read that if you set up an access list outbound on the internal interface then the same is set for the external coming in - is this true? If this is so, I am not worried about what people access from the inside going out, just what people can access from the Internet to hack the system coming in.