Re: second IPSec tunnel into the office passing through PIX

blin · ‎12-22-2003

I am helping one company to setup a DI-804HV router configured to support a second encrypted IPSec tunnel into the office passing through the PIX firewall. The DI-804HV is using public IP 68.46.61.8. When we tested it using w2k, we get error 678. Do we need to open some ports for that and this is routing issue? If we need open the ports, which ports and what are the command lines?

here are the configuration.

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname Firewall

domain-name methownet.com

clock timezone PST -8

clock summer-time PDT recurring

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list inside permit ip any any

access-list inside permit icmp any any

access-list inside permit icmp any any unreachable

access-list inside permit icmp any any time-exceeded

access-list outside permit ip any any

access-list outside permit icmp any any unreachable

access-list outside permit icmp any any time-exceeded

access-list outside permit icmp any any

access-list inside_outbound_nat0_acl permit ip any 10.10.98.0 255.255.255.0

pager lines 120

logging on

logging buffered critical

icmp permit any unreachable outside

icmp deny any outside

mtu outside 1500

mtu inside 1500

ip address outside 69.19.7.4 255.255.255.252

ip address inside 10.10.22.2 255.255.255.252

ip audit info action alarm

ip audit attack action alarm

ip local pool p3 192.168.7.1-192.168.7.10

pdm location 68.46.61.0 255.255.255.0 inside

pdm location 192.168.0.0 255.255.255.0 inside

pdm location 10.10.22.1 255.255.255.255 inside

pdm location 10.10.250.0 255.255.255.0 inside

pdm location 10.0.0.0 255.0.0.0 inside

pdm location 0.0.0.0 255.255.255.255 outside

pdm location 255.255.255.255 255.255.255.255 outside

pdm location 199.181.165.9 255.255.255.255 outside

pdm location 10.10.1.208 255.255.255.240 outside

pdm location 10.10.98.0 255.255.255.0 outside

pdm location 68.46.61.8 255.255.255.255 inside

pdm location 4.2.63.38 255.255.255.255 outside

pdm location 68.46.61.6 255.255.255.248 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 0 68.46.61.0 255.255.255.0 0 0

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

static (inside,outside) 68.46.61.0 68.46.61.0 netmask 255.255.255.0 0 0

access-group outside in interface outside

access-group inside in interface inside

route outside 0.0.0.0 0.0.0.0 69.19.7.3 1

route inside 10.0.0.0 255.0.0.0 10.10.22.1 1

route inside 68.46.61.0 255.255.255.0 10.10.22.1 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 99.81.65.9 255.255.255.255 outside

http 4.2.63.38 255.255.255.255 outside

http 10.0.0.0 255.0.0.0 inside

http 68.46.61.6 255.255.255.248 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

isakmp keepalive 60 30

telnet 0.0.0.0 255.255.255.255 outside

telnet 255.255.255.255 255.255.255.255 outside

telnet 10.10.250.0 255.255.255.0 inside

telnet 10.10.22.0 255.255.255.252 inside

telnet 10.0.0.0 255.0.0.0 inside

telnet timeout 5

ssh 99.81.65.9 255.255.255.255 outside

ssh timeout 5

console timeout 0

vpdn group pigtest accept dialin pptp

vpdn group pigtest ppp authentication mschap

vpdn group pigtest ppp encryption mppe auto required

vpdn group pigtest client configuration address local p3

vpdn group pigtest client configuration dns 69.19.92.1 69.19.92.9

vpdn group pigtest pptp echo 60

vpdn group pigtest client authentication local

vpdn username EnoFang password *********

vpdn username test password *********

vpdn enable outside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

terminal width 80

mostiguy · ‎12-23-2003

Are the tunnels terminating on the pix? It doesn't look like it. What is the other router trying to make a tunnel with?

blin · ‎12-23-2003

seems like terminating on the pix because it works if we test the DI-804HV inside. Questions are:

1. Do we need to add "access-list acl-out permit esp host 68.46.61.58 any", and "access-list acl-out permit udp host 68.46.61.58 any eq isakmp'? Or "crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac",

"crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport"

"isakmp keepalive 60 30" are good enough?

2. How can we know if there is a settings issue on DI-804HV or PIX? How do we test it?

mostiguy · ‎12-23-2003

You appear to be using PPTP. crypto ipsec statements only impact people using IPSec.

blin · ‎12-23-2003

As mentioned this is "second encrypted IPSec tunnel into the office passing through the PIX firewall". We are trying to setup di-804hv to another di-804hv. it must be ipsec. What's wrong with cryto ipsec statement?

mostiguy · ‎12-23-2003

You don't need crypto ipsec statements unless the tunnels are terminating on the PIX itself. SO you have a di-804hv outside of the pix, and you have one behind the pix, and you want to create a tunnel between them?

blin · ‎12-23-2003

Yes, one behind the pix and another is outside.

mostiguy · ‎12-23-2003

The "sysopt connection permit-ipsec" line allows all ipsec in and out to flow thru the pix. You probably will need to statically address the DI-xxx behind the PIX, and set up a static statement on the PIX for it, dedicating an external IP address to it. Configure the remote DI-XXX to attempt to make a tunnel to that external IP used in the static statement on the Pix

blin · ‎12-23-2003

Last night we added

access-list acl-out udp host 68.46.61.8 any eq isakmp

access-list acl-out esp host 68.46.61.8 any

We still got error 734. Should we add the home DI-804 ip as the following command lines?

access-list acl-out udp host x.x.x.x host 68.46.61.8 any eq isakmp

access-list acl-out esp host x.x.x.x host 68.46.61.8 any

here x.x.x.x is the home DI-804HV ip.

mostiguy · ‎12-23-2003

You need to disable nat for communication to the ip local pool address space. Right now you are only excluding nat for the 10.10.98.0/24 netblock.

jasobrown · ‎12-23-2003

I think before sending you on a wild goose chase with all of these comments it would be best for you to describe exactly what you are trying to do. We see that the Pix is terminating PPTP clients but not IPSEC Clients (from your config).

Question 1 what is the PPTP Client terminating to the PIX?

Question 2 what are the IPSEC Clients? And where are the Remote IPSEC clients located compared to the PPTP Clients?

blin · ‎12-23-2003

As mentioned I tried to help some one to set second VP to VPN. Assuming, all regular users use PPTP and an Administrator uses DI-804HV from home to another DI-804HV behind PIX.

jasobrown · ‎12-23-2003

Ok .. so you users using PPTP to access the Pix... Working fine

Then you have an administrator that has a DI-804HV at home and you have a DI-804HV inside your network.

If this is the case then you need to create a static One-to-One NAT for the internal DI-804HV on the inside and then allow ISAKMP and IPSEC to that DI-804HV through the access-list on the outside interface of your Pix.

blin · ‎12-23-2003