PIX url-server

gmcmanus93
Level 5
Level 5

I have a n2h2 server at headquarters. I want remote offices to query this server when making web requests. HQ has PIX 515e and remote office 501. Works no problem in HQ but remote offices log 110001. No route. Each of the remote office have VPN tunnel back to HQ. I can browse to the n2h2 to/from remote office. Connect to the port, ping, etc. So I know I can get from a <-> b.

global (outside) 1 interface

nat (inside) 0 access-list 120

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 22.22.22.22 1

URL Server Status:

------------------

10.10.10.10 DOWN

Log indicates No route {n2h2 IP} from {pix inside IP}

I am just missing something obvious. I have tried configuring the url-server on the inside and outside. Same result.

Any info is greatly appreciated.

13 Replies

nkhawaja
Cisco Employee
Cisco Employee

It seems to me that you need to define the interesting traffic for VPN connectivity for the URL server IP address.

The interesting traffic should be sourced from the PIX and destined to the URL server.

Can you ping the URL server from the remote PIX? I guess not, due to the fact that the interesting traffic is between LANs and not from the PIX to the LAN.

thanks

Nadeem

jackko
Level 7
Level 7

As mentioned in the previous post, I guess the remote PIX 501 needs to be included as part of the crypto traffic.

e.g. the existing ACL should look like

access-list no_nat permit ip

access-list vpnl2l permit ip

on the remote office pix, add:

access-list vpnl2l permit ip host

on the head office pix, add:

access-list vpnl2l permit ip host

Replied by: nkhawaja - CCIE - Dec 3, 2005, 9:23pm PST

Yes, I can ping the server. I can also browse to it and telnet to the port. All traffic from the remote office has no issues getting from the remote subnet to the HQ through normal means, such as mapped drives, browsing etc.

Replied by: jackko - Security and Network Consultant, Trilogy Computer Systems Pty Ltd, Australia - Dec 4, 2005, 2:12am PST

Yes, there is a tunnel setup between the remote and HQ. I have tried setting the url-server both inside and outside, same error.

No route to {websense server IP in HQ} from {inside IP of remote PIX}

Remote office is configured as a split tunnel. It appears to be a routing issue, but I am just not sure what line would correct it, since I can get to the server by simply browsing, telnetting to the port the app uses, etc.

I know this. The web request is never making it outside the PIX to HQ from the remote, since I do not see any connections from the PIX, but I do see a connection when I telnet to the port. So I know I can get from server (remote) to server (HQ).

Current Access-list(remote)

access-list 120 permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0

conduit permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0

Current Access-list (HQ)

access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0

Yes, we understand you can ping from network to network. What we want to know is whether you can ping the server from the remote PIX.

No response received

I went ahead and added icmp permit any {interfaces}

no change.

icmp trace log.

22: ICMP echo request (len 32 id 9233 seq 0) pix-public-IP > HQserver-IP

HQserver-IP NO response received -- 1000ms

send a ping from HQ pix and remote pix logs:

36: ICMP echo-request from outside:vpn-interface-IP to remote-pix-inside-ip ID=4388 seq=2 length=40

You need to modify your interesting traffic on the HQ and remote PIX so that the remote PIX can ping the server.

See the earlier email for a sample config.

I have used this example:

e.g. the existing ACL should look like

access-list no_nat permit ip

access-list vpnl2l permit ip

on the remote office pix, add:

access-list vpnl2l permit ip host

on the head office pix, add:

access-list vpnl2l permit ip host

..but still unable to get a ping.

Log:

No route to url-server-ip from inside-pix-ip

Please post the config with the public IP masked.

I really appreciate your assistance and advice with this. Here are the configs prior to any changes. Thanks.

<<<<<>>>>>>

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 vpn security75

access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0

mtu outside 1500

mtu inside 1500

mtu vpn 1500

ip address outside public-ip 255.255.255.224

ip address inside 10.10.10.2 255.255.255.0

ip address vpn 192.168.1.1 255.255.255.0

ip local pool vpn_pool 172.16.254.1-172.16.254.250

arp timeout 14400

global (outside) 1 interface

global (vpn) 1 192.168.1.254

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (vpn) 0 access-list nonat

static (inside,outside) public-ip 10.10.10.20 netmask 255.255.255.255 1000 500

conduit permit icmp any any

conduit permit ip 10.36.0.0 255.255.0.0 192.168.0.0 255.255.0.0

route outside 0.0.0.0 0.0.0.0 public-ip 1

route inside 10.0.0.0 255.0.0.0 10.10.10.1 1

route vpn 192.168.0.0 255.255.0.0 192.168.1.2 1

url-server (inside) vendor n2h2 host n2h2-inside-ip port 4005 timeout 10 protocol TCP

url-cache src_dst 128KB

filter url http host-ip 255.255.255.255 0.0.0.0 0.0.0.0 allow

floodguard enable

isakmp identity address

url-block block 128

<<<<<>>>>>>>

access-list 120 permit ip 192.168.15.0 255.255.255.0 10.36.0.0 255.255.0.0

access-list 120 permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

logging on

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside public-ip.26 255.255.255.248

ip address inside 192.168.15.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list 120

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

conduit permit esp any any

conduit permit ip 10.36.0.0 255.255.0.0 192.168.15.0 255.255.255.0

conduit permit ip 192.168.1.0 255.255.255.0 192.168.15.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 public-ip.25 1

url-server (inside) vendor n2h2 host n2h2-inside-ip port 4005 timeout 10 protocol TCP

filter url http host-ip 255.255.255.255 0.0.0.0 0.0.0.0 allow

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set name esp-des esp-md5-hmac

crypto map name 10 ipsec-isakmp

crypto map name 10 match address 120

crypto map name 10 set peer public-concentrator-ip

crypto map name 10 set transform-set name

crypto map name 10 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map name interface outside

isakmp enable outside

isakmp key * address public-concentrator-ip netmask 255.255.255.255

isakmp identity address

isakmp keepalive 10 5

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 14400

url-block block 128

On the HQ PIX,

access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0

access-list nonat permit ip 10.0.0.0 255.0.0.0 host public-ip.26

On the remote PIX,

access-list 120 permit ip 192.168.15.0 255.255.255.0 10.36.0.0 255.255.0.0

access-list 120 permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 120 permit ip host public-ip.26 10.36.0.0 255.255.0.0

access-list 120 permit ip host public-ip.26 192.168.1.0 255.255.255.0

Further, the "url-server" command on the remote PIX should be "url-server (outside)" rather than "url-server (inside)".

I have tried these settings and it still doesn't work. I had tried setting the url-server "inside" and "outside", but same result.

304008: LEAVING ALLOW mode, URL Server is up

110001: No route to 10.36.81.9 from 192.168.15.1

304006: URL Server 10.36.81.9 not responding

304006: URL Server 10.36.81.9 not responding

110001: No route to 10.36.81.9 from 192.168.15.1

Further log.

I see this event in the concentrator.

2207 12/05/2005 14:02:54.940 SEV=5 IKE/34 RPT=5872 public-ip.26

Group [public-ip.26]

Received local IP Proxy Subnet data in ID Payload:

Address 10.36.0.0, Mask 255.255.0.0, Protocol 0, Port 0

22210 12/05/2005 14:02:54.940 SEV=4 IKE/61 RPT=18700 public-ip.26

Group [public-ip.26]

Tunnel rejected: Policy not found for Src:public-ip.26, Dst: 10.36.0.0!

22212 12/05/2005 14:02:54.940 SEV=4 IKEDBG/97 RPT=44758 public-ip.26

Group [public-ip.26]

QM FSM error (P2 struct &0x1d5c3ec, mess id 0x7a2386f9)!

Hello Jackko. Thanks for the response. I had all the access-lists in correctly. The resolution was simply setting up the management interface inside.

pix> man i

and setting the "url-server" back to inside.

Thanks for the response.
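As an added example (not code from the thread or from Cisco), a small Python checker that parses the PIX 6.x access-list lines posted above and reports, for a given PIX source address, whether the PIX-to-url-server flow is selected by the remote crypto ACL 120 and NAT-exempted by the HQ nonat ACL. The two source addresses compared are the ones the thread's logs show: the masked public-ip.26 from the concentrator's "Policy not found" rejection (replaced here by the constructed address 203.0.113.26) and 192.168.15.1 from the PIX "No route" message.

```python
import ipaddress
import re

# ACL lines copied from the remote-office and HQ PIX configs posted in the thread;
# the masked "public-ip.26" is replaced by the constructed address 203.0.113.26.
REMOTE_CRYPTO_ACL = """
access-list 120 permit ip 192.168.15.0 255.255.255.0 10.36.0.0 255.255.0.0
access-list 120 permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
HQ_NONAT_ACL = "access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0"
URL_SERVER = "10.36.81.9"           # from the 110001 / 304006 log lines
REMOTE_OUTSIDE_IP = "203.0.113.26"  # constructed stand-in for public-ip.26
REMOTE_INSIDE_IP = "192.168.15.1"   # source in "No route to 10.36.81.9 from 192.168.15.1"

ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+(?P<dst>host\s+\S+|\S+\s+\S+)$"
)

def to_network(spec):
    """Convert PIX 6.x 'host A.B.C.D' or 'A.B.C.D NETMASK' into an IPv4Network."""
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

def parse_acl(text):
    """Return (name, src_net, dst_net) for every 'permit ip' entry in the text."""
    entries = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            entries.append((m["name"], to_network(m["src"]), to_network(m["dst"])))
    return entries

def matching_entry(entries, src_ip, dst_ip):
    """First entry covering src->dst (PIX evaluates top-down), or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, s, d in entries:
        if src in s and dst in d:
            return (name, str(s), str(d))
    return None

def url_server_flow_covered(pix_source_ip):
    """True when the remote crypto ACL selects PIX->url-server for the tunnel
    and the HQ nonat ACL exempts the return flow from translation."""
    out = matching_entry(parse_acl(REMOTE_CRYPTO_ACL), pix_source_ip, URL_SERVER)
    back = matching_entry(parse_acl(HQ_NONAT_ACL), URL_SERVER, pix_source_ip)
    return out is not None and back is not None
```

Calling url_server_flow_covered() with the outside address returns False (no entry covers it, matching the concentrator's rejection), while the inside address returns True because it already falls inside the posted ACL 120 and nonat entries.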
