deadline approaching need help with PIX501e

cworsham80
Level 1

I am able, from an external PC, to successfully connect and authenticate locally with my PIX using the Cisco VPN Client software; it shows that everything is connected. I am assigned a local IP address of 192.168.0.130, which is the first in my VPN pool. The internal IP of the PIX is 192.168.0.1, and I also have a PC behind the firewall with an IP of 192.168.0.40, the first in its pool. I cannot, however, ping from 192.168.0.130 to 192.168.0.40 nor to 192.168.0.1. I can, however, ping the outside IP address of the PIX in a single hop. From behind the PIX I can only ping the inside IP, but not the outside or the VPN'd machine. Please help.

10 Replies

ajagadee
Cisco Employee

Chris,

I thought I answered this in the other thread, I guess it did not get posted.

Anyways, it is my understanding the above set up will not work because the VPN Client Local subnet is the same as the remote subnet that you are trying to access through the IPSEC Tunnel. If you look at the routing table on the OS, the subnet shows as a local route and the packets will not be sent across the tunnel.

Regards,

Arul

Thanks. I reset the PIX to factory defaults and started over on this thing; I changed my inside addressing to 192.168.2.0 255.255.255.0 and have put back in all the line items I could make sense of. Here's what I have so far: I can connect to the VPN and authenticate locally, but I am unable to flow traffic from a PC behind the PIX to/from a PC that VPNs in. I really need to get this thing up today if at all possible. Right now it's starting to look like it's gonna be a long day.

cworsham80
Level 1

Result of firewall command: "show run"

: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname catalystpix
domain-name catalystdemo.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 47
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service VPN tcp-udp
port-object eq pim-auto-rp
port-object eq echo
port-object eq kerberos
port-object eq discard
port-object eq sunrpc
port-object eq domain
port-object eq tacacs
port-object eq talk
object-group network VPN1
description IP Addresses of VPN user
network-object 192.168.2.0 255.255.255.0
object-group network Everyone
network-object 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.0
access-list 101 permit tcp any host 206.248.243.98 eq pptp
access-list 101 permit tcp any host 206.248.243.98 eq netbios-ssn
access-list 101 permit udp any host 206.248.243.98 eq netbios-ns
access-list 101 permit udp any host 206.248.243.98 eq netbios-dgm
access-list 101 permit gre any host 206.248.243.98
access-list 101 permit tcp any eq www any eq www
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_cryptomap_dyn_40 permit ip any 192.168.2.0 255.255.255.0
pager lines 24
logging timestamp
mtu outside 1500
mtu inside 1500
ip address outside 206.248.243.98 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 192.168.2.100-192.168.2.149
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 206.248.243.0 255.255.255.0 outside
pdm location 206.248.243.0 255.255.255.0 inside
pdm location 206.145.84.0 255.255.255.0 inside
pdm location 206.145.84.0 255.255.255.0 outside
pdm location 216.12.23.0 255.255.255.0 outside
pdm location 216.12.23.0 255.255.255.0 inside
pdm group VPN1 outside
pdm group Everyone outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.248.243.97 1

cworsham80
Level 1

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server VPN protocol tacacs+
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup demo address-pool vpn
vpngroup demo dns-server 192.168.2.1 216.12.23.231
vpngroup demo default-domain catalystdemo.com
vpngroup demo idle-time 1800
vpngroup demo password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group demo ppp authentication mschap
vpdn group demo ppp encryption mppe 40
vpdn group demo client configuration dns 192.168.0.1 216.12.23.231
vpdn group demo client accounting VPN
vpdn group demo client authentication local
vpdn group demp pptp echo 60
vpdn username demo password *********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.2.50-192.168.2.99 inside
dhcpd dns 216.12.23.231 209.145.84.131
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username demo password XjFBA5DVYjFLLcDW encrypted privilege 15
terminal width 80
Cryptochecksum:308a765936f2fbee500769cd247dd333
: end

Chris,

Enable this command on the PIX:

isakmp nat-traversal

and try testing again. If you still have issues, do post the output of "show crypto isakmp sa" and "show crypto ipsec sa" along with the IP address that you are trying to ping.

Regards,

Arul

*Pls rate if it helps*

Same thing. From outside coming into the PIX I get assigned IP 192.168.2.100. Behind the firewall I have a PC with address 192.168.2.60. I cannot ping in either direction from one to the other. From .2.60 I can ping .2.1; from .2.100 I cannot. I have attached the results from the commands as well as a recent show run.

Hi Chris,

Is there any reason why you are using an RA VPN pool network that is the same as your inside LAN network?

I would first suggest using a different VPN pool network from that of your inside net 192.168.2.0/24. Even if you break it down, it just opens up problems; I have seen issues using the same network for the inside and the RA network in remote access VPNs. It is just cumbersome to troubleshoot, and most of the time it just doesn't work.

From 2.60 you can ping 2.1, the FW inside interface; that's normal. From 2.100, to ping 2.1 you need the management-access inside statement. But to be honest, you have NAT-T enabled; if you cannot reach 2.60, either 2.60 has a firewall of its own turned on, or this may not work.

Probably you would spend less time with a clean RA VPN pool and move on with a proper RA config.

1- Create a new network for the RA demo tunnel; pick a different net, something like 10.20.20.0/24, and create a new pool.

2- Update your NAT exempt access list to allow the traffic from the new VPN pool network to your LAN network 192.168.2.0/24.

Try the above suggestion and post results.

Rgds

Jorge

Jorge Rodriguez
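The two points made in this thread (Arul's: an address that falls inside the client's own local network is routed as directly connected and never enters the tunnel; Jorge's: move the pool to a non-overlapping network and update the NAT-exempt ACL) can be turned into a pre-deployment check. The following is an added example, not code from the thread or from Cisco. The inside subnet 192.168.2.0/24 and the pool 192.168.2.100-192.168.2.149 are taken from the posted PIX config, 10.20.20.0/24 is the replacement pool Jorge suggests, and the /24 mask on the VPN client's adapter is an assumption used to illustrate the routing point, not something the thread states.

```python
"""Check a remote-access VPN pool against the protected (inside) subnets
and emit the PIX 6.3 lines that change when the pool is moved.

Added example, not code from the thread or from Cisco. Subnet values are
taken from the posted config; the client-side /24 mask is an assumption.
"""
import ipaddress


def pool_blocks(first, last):
    """Express an 'ip local pool first-last' range as a list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def covering_network(first, last):
    """Smallest single network that contains every address of the pool range."""
    blocks = pool_blocks(first, last)
    net = blocks[0]
    while not all(b.subnet_of(net) for b in blocks):
        net = net.supernet()
    return net


def overlapping_subnets(pool_first, pool_last, protected):
    """Return the protected subnets (as strings) that any part of the pool overlaps.
    An empty list means the pool is safe to use against these subnets."""
    blocks = pool_blocks(pool_first, pool_last)
    hits = []
    for cidr in protected:
        net = ipaddress.ip_network(cidr)
        if any(block.overlaps(net) for block in blocks):
            hits.append(str(net))
    return hits


def routed_as_local(client_ip, client_mask, destination):
    """Arul's explanation, modelled: if the destination lies in the network the
    client's adapter considers directly connected, the host OS uses that
    connected route and the packet never enters the IPsec tunnel."""
    local_net = ipaddress.ip_interface(f"{client_ip}/{client_mask}").network
    return ipaddress.ip_address(destination) in local_net


def pix_pool_config(pool_name, pool_first, pool_last, protected, nat0_acl, crypto_acl):
    """Emit the PIX 6.3 lines that change with a new pool: the pool itself, the
    NAT-exempt ACL (LAN -> pool, so tunnel traffic is not PATed to the outside
    address) and the dynamic crypto-map match ACL. ACL names mirror the posted
    config; the pool is summarised to one covering network for the ACLs."""
    pool_net = covering_network(pool_first, pool_last)
    lines = [f"ip local pool {pool_name} {pool_first}-{pool_last}"]
    for cidr in protected:
        lan = ipaddress.ip_network(cidr)
        lines.append(
            f"access-list {nat0_acl} permit ip {lan.network_address} {lan.netmask} "
            f"{pool_net.network_address} {pool_net.netmask}")
    lines.append(
        f"access-list {crypto_acl} permit ip any {pool_net.network_address} {pool_net.netmask}")
    return lines


def main():
    inside = ["192.168.2.0/24"]                       # from the posted config
    # The pool as posted: every block of it overlaps the inside LAN.
    print("posted pool overlaps:", overlapping_subnets("192.168.2.100", "192.168.2.149", inside))
    # Why the client cannot reach 192.168.2.60: the OS treats it as on-link.
    print("2.100 -> 2.60 routed locally:",
          routed_as_local("192.168.2.100", "255.255.255.0", "192.168.2.60"))
    # Jorge's suggested pool: no overlap, so the destination is reached via the tunnel.
    print("suggested pool overlaps:", overlapping_subnets("10.20.20.1", "10.20.20.254", inside))
    for line in pix_pool_config("vpn", "10.20.20.1", "10.20.20.254", inside,
                                "inside_outbound_nat0_acl", "outside_cryptomap_dyn_20"):
        print(line)


if __name__ == "__main__":
    main()
```

Run it as-is to see the overlap report for the posted pool and the three config lines for the replacement pool; swap in your own inside subnets and pool range to check a design before configuring it.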

Chris,

I don't see anything wrong with the VPN configuration on the PIX that would block traffic to the 192.168.2.x/24 subnet.

A couple of quick questions:

1. In your VPN client settings for the vpngroup demo, under the "Transport" tab, can you make sure that "Enable IPSec Transparent Tunneling" is checked and the IPSec over UDP option is selected?

2. Also, how are you connecting to the PIX? Are you behind another PIX firewall? If the local PIX is doing PAT/NAT, one option is to configure

fixup protocol esp-ike

Please see the PIX 6.3(x) release notes for more info, as below:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn63.htm#67762

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn63.htm#65230

Please note that if you use this "fixup protocol esp-ike" command on the local PIX, then that PIX can only pass a single VPN tunnel outbound and you cannot configure any VPN on that local router at all. For example, you cannot configure the command,

isakmp enable outside

Regards,

Arul

Changed my VPN pool to 10.10.10.x and that seemed to fix it. Thanks to all for your help.

Glad my suggestion worked for you. Please rate the post as resolved, so that others with similar issues can reference it.

Best Regards

Jorge

Jorge Rodriguez