Site to Site PIX cannot access Internet

ubergeek1
Level 1

We have a PIX 501 that is in a remote office and is connected to a PIX 515. The remote office can access all network resources without an issue. The PIX 501 however cannot access the Internet. We used to use a proxy server for Internet access on the 192.168.1.x subnet; however, that has been decommissioned and replaced with a different solution, so there is no longer a proxy server. Internet access works everywhere else on our network; the problem is that any PIX FWs that are in remote offices and connected site to site to the 515 cannot access the Internet. We have several that have the same issue. Below are the configurations of one of the 501s and the 515:

PIX 501

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password k4HlcGX2lC1ypFOm encrypted
passwd y5Nu/Nt1/5dK8Iuf encrypted
hostname cpd
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 55
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list permit-in permit icmp any any echo-reply
access-list permit-in permit icmp any any echo
access-list encrypt permit ip 172.16.38.0 255.255.255.0 any
access-list no-encrypt permit ip 172.16.38.0 255.255.255.0 any
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.50.1 255.255.255.0
ip address inside 172.16.38.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-encrypt
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group permit-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.50.254 1
route outside 172.16.33.0 255.255.255.0 65.x.x.x 1
route outside 192.168.1.0 255.255.255.0 65.x.x.x 1
route outside 192.168.5.0 255.255.255.0 65.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set cpd-strong esp-3des esp-sha-hmac
crypto map cpd-vpn 10 ipsec-isakmp
crypto map cpd-vpn 10 match address encrypt
crypto map cpd-vpn 10 set peer 65.x.x.x
crypto map cpd-vpn 10 set transform-set cpd-strong
crypto map cpd-vpn interface outside
isakmp enable outside
isakmp key ******** address 65.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.38.1-172.16.38.20 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:35fcceb4b56cb82fe67f39e760a2ec1c
: end

Here is the config from the PIX 515:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password k4HlcGX2lC1ypFOm encrypted
passwd y5Nu/Nt1/5dK8Iuf encrypted
hostname cpd-fw-bs
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list encrypt-co permit ip any 172.16.35.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.35.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.36.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.38.0 255.255.255.0
access-list encrypt-bo permit ip any 172.16.36.0 255.255.255.0
access-list encrypt-sv permit ip any 172.16.38.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 65.x.x.x 255.255.255.0
ip address inside 172.16.33.254
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-encrypt
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 65.x.x.x 192.168.5.15 netmask 255.255.255.255 0 0
access-group permit-in in interface outside
route inside 0.0.0.0 0.0.0.0 172.16.33.253 1
route outside 65.x.x.x 255.255.255.255 65.x.x.x 1
route outside 65.x.x.x 255.255.255.255 65.x.x.x 1
route outside 65.x.x.x 255.255.255.255 65.x.x.x 1
route outside 168.x.x.x 255.255.255.255 65.x.x.x 1
route inside 172.16.0.0 255.255.0.0 172.16.33.253 1
route outside 172.16.35.0 255.255.255.0 65.x.x.x 1
route outside 172.16.36.0 255.255.255.0 65.x.x.x 1
route outside 172.16.38.0 255.255.255.0 65.x.x.x 1
route inside 192.168.1.0 255.255.255.0 172.16.33.253 1
route inside 192.168.5.0 255.255.255.0 172.16.33.253 1
route outside 216.x.x.x 255.255.255.255 65.x.x.x 1
route outside 216.x.x.x 255.255.255.255 65.x.x.x 1
route outside 216.x.x.x 255.255.255.255 65.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set cpd-strong esp-3des esp-sha-hmac
crypto map cpd-vpn 10 ipsec-isakmp
crypto map cpd-vpn 10 match address encrypt-co
crypto map cpd-vpn 10 set peer 65.x.x.x
crypto map cpd-vpn 10 set transform-set cpd-strong
crypto map cpd-vpn 20 ipsec-isakmp
crypto map cpd-vpn 20 match address encrypt-bo
crypto map cpd-vpn 20 set peer 65.x.x.x
crypto map cpd-vpn 20 set transform-set cpd-strong
crypto map cpd-vpn 20 set transform-set cpd-strong
crypto map cpd-vpn 30 match address encrypt-sv
crypto map cpd-vpn 30 set peer 65.x.x.x
crypto map cpd-vpn 30 set transform-set cpd-strong
crypto map cpd-vpn interface outside
isakmp enable outside
isakmp key ******** address 65.x.x.x netmask 255.255.255.255
isakmp key ******** address 65.x.x.x netmask 255.255.255.255
isakmp key ******** address 65.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.5.0 255.255.255.0 inside
telnet 172.16.33.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:17301fe229f3b066da905466f7875bf2
: end

Thanks all.

Mohammad Alhyari
Cisco Employee

Hey,

Two solutions are available here:

1- The remote side can access the Internet via its local ISP, and in this case you need to modify the crypto access list:

no permit ip local_net any

and add more specific subnets:

permit ip local_net remote_net

2- The remote side can go through the L2L tunnel and then access the Internet using the ISP at your side. For this to work you need to configure hairpinning:

nat (outside) 1 subnet_at_remote_side

global (outside) 1 interface

plus

same-security-traffic permit intra-interface

HTH.

Mohammad.

oszkari
Level 1

Traffic coming over the VPN (from the PIX 501) will arrive on the outside interface of the PIX 515; in order to reach the Internet, the traffic will have to exit on the same outside interface on which it entered. This is not allowed in PIX/ASA unless you configure hairpinning, which I'm afraid is supported only in version 7 or above.

check out this doc:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

HTH

Actually the Internet access is out 192.168.5.1. Here is what it looks like:

[PIX 501] ----------------------------VPN-------------------[PIX 515]-----------------------[Catalyst Switch 0.0.0.0 0.0.0.0 192.168.5.1]

That's what it looks like visually. So traffic coming from the 501 needs to hit the switch to go out 192.168.5.1 for Internet traffic; however, it never gets there. I have captured the traffic on the switch and I don't see any of the web requests. So I think the problem is the 515. Am I headed down the right path?

Right, I missed your default route on the 515 going towards the inside interface.

Do you want to do the NAT on the 515 for the networks behind the 501, or do you have a NAT device after the Catalyst switch which can/will take care of the NAT?

The default route on the 515 lands the traffic into the Catalyst switch. The Catalyst switch default route goes to 192.168.5.1, which is another PIX. NAT is done there for the remote subnet of the 501 with these statements:

global (outside) 1 192.168.5.150

nat (inside) 1 172.16.38.0 255.255.255.0 0 0

route inside 172.16.38.0 255.255.255.0 [Catalyst sw IP]

That's what it looks like.

In that case your PIX 515 config looks all right.

If you do a show crypto ipsec sa on the 515, do you see the encap/decap counters incrementing?

Do you see anything in the logs of the PIX 515 when you initiate an Internet connection from behind the 501 subnet?

Can you do a packet capture on the PIX 515 inside interface and see whether the packets leave the interface or not?

I do see the encap/decap counters incrementing. I don't see anything in the syslog with traffic coming from the 501. What are the commands for the packet capture? To explain this visually, let me draw out another crude diagram:

[PIX 501] ----------------------------VPN-------------------[PIX 515]-------172.16.33.x-vlan---------------[Catalyst Switch 192.168.5.x]---------  [PIX 192.168.5.1]--------------------------INTERNET

Could it be related to NATting the traffic coming from the 501 and then NATting it again at the 5.1 PIX? Also I noticed that if I removed the following line from the 501:

access-list encrypt permit ip 172.16.38.0 255.255.255.0 any

and replaced it with:

access-list encrypt permit ip 172.16.38.0 255.255.255.0 192.168.5.0 255.255.255.0

then I had Internet access, but the Internet access was not traversing the tunnel but going out the remote office DSL, so the PIX was in a split tunnel mode once the above was changed.

Another item to note: all of my PIXes are affected by this but not an ASA 5505 that is in a remote office. I was thinking NAT-T? What do you all think? Thanks
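Both the narrowed crypto ACL above and Mohammad's "permit ip local_net remote_net" advice come down to what the 501's crypto ACL classifies as interesting traffic, so here is an added example (not from the thread or from Cisco) that parses the 501's access-list lines in PIX 6.3 syntax and reports, for the full-tunnel and split-tunnel variants, which flows enter the VPN versus leave via the branch's own default gateway. It also flags flows that the untouched nat 0 ACL still exempts from translation even though they no longer enter the tunnel; the 172.16.33.0 entry in the split-tunnel ACL and the public address 198.51.100.7 are constructed for this example.

```python
import ipaddress

# Constructed samples based on the 501 config in the thread: the original
# full-tunnel crypto ACL, the narrowed (split-tunnel) ACL the poster tried
# (the 172.16.33.0 line is added here), and the untouched nat 0 exemption ACL.
FULL_TUNNEL = ["access-list encrypt permit ip 172.16.38.0 255.255.255.0 any"]
SPLIT_TUNNEL = ["access-list encrypt permit ip 172.16.38.0 255.255.255.0 192.168.5.0 255.255.255.0",
                "access-list encrypt permit ip 172.16.38.0 255.255.255.0 172.16.33.0 255.255.255.0"]
NAT0 = ["access-list no-encrypt permit ip 172.16.38.0 255.255.255.0 any"]

def _addr(t, i):
    """Parse one PIX 6.3 address spec at t[i]: 'any', 'host A.B.C.D' or 'net mask'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_acl(lines):
    """Return (src_net, dst_net) pairs for every 'access-list NAME permit ip SRC DST' line."""
    pairs = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue  # deny lines and non-IP entries are ignored by this model
        src, i = _addr(t, 4)
        dst, _ = _addr(t, i)
        pairs.append((src, dst))
    return pairs

def path_for(crypto_pairs, src, dst):
    """'tunnel' when the crypto ACL matches the flow (interesting traffic),
    otherwise 'local': the packet follows the 501's default route to the DSL router."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return "tunnel" if any(s in sn and d in dn for sn, dn in crypto_pairs) else "local"

def nat_exempt_but_cleartext(crypto_pairs, nat0_pairs, src, dst):
    """True when nat 0 exempts the flow from translation yet it is not tunnelled,
    i.e. it leaves the outside interface unencrypted with its private source."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    exempt = any(s in sn and d in dn for sn, dn in nat0_pairs)
    return exempt and path_for(crypto_pairs, src, dst) == "local"

def report(acl_lines, nat0_lines, flows):
    """Map each (src, dst) flow to (path, nat-exempt-but-cleartext) for one ACL variant."""
    crypto, nat0 = parse_acl(acl_lines), parse_acl(nat0_lines)
    return {f: (path_for(crypto, *f), nat_exempt_but_cleartext(crypto, nat0, *f)) for f in flows}

if __name__ == "__main__":
    flows = [("172.16.38.10", "192.168.5.15"), ("172.16.38.10", "172.16.33.20"),
             ("172.16.38.10", "198.51.100.7")]  # last destination is a constructed public IP
    for name, acl in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, report(acl, NAT0, flows))
```

Comparing the two reports shows exactly which destinations stop traversing the head office once the ACL is narrowed, which is the list to review before deciding whether split tunnelling is acceptable.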


Check out this link for the capture command:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/c.html#wp1053548

If you put back the original config you should see traffic coming from 172.16.38.0 255.255.255.0 and leaving the PIX 515 inside interface.

I don't think it is NAT-T related; if it were a NAT-T issue then you wouldn't see the encaps/decaps counters incrementing on the PIX 515.

I was wondering why you want to tunnel the Internet traffic through the HO, especially since you took the proxy out of the picture. Those PIX 501s have pretty low VPN throughput capacity (2-3 Mbps); you could probably benefit more from a split tunneling solution. Use the VPN for business traffic only and keep the Internet traffic local to the branch.

Thanks for the reply. I am concerned about the security with the split tunnel. What are your thoughts there? 

Unless you have some device in the HO which does layer 5-7 inspection of the traffic, there is no point in sending the Internet traffic there. There is no difference in the protection offered by a 501 or a 515 PIX.