
Outgoing IPSec VPN connection behind Pix535 problem: narrowed down to NAT-related

sean chang
Level 1

Hi, everyone,     

Previously I saw a similar thread and posted my troubles with outgoing VPN connections inside that thread:

https://supportforums.cisco.com/message/3688980#3688980

I did get great help, but unfortunately my problem is somewhat different and the connection problem remains unsolved. Here I summarize our configuration again:

hostname pix535 8.0(4)

All PCs here use private IPs such as 10.1.0.0/16 via dynamic NAT. We can't start an OUTGOING IPsec VPN (such as QuickVPN) to our branch offices, but the other way around (incoming) is fine (we have had a working IPsec/PP2P server for a long time). I did some new tests yesterday which showed that if the PC has a static NAT (mapped to a real public IP), the outgoing VPN connection is fine; if the same PC has no static NAT (it just hides behind the firewall by dynamic NAT), outgoing VPN is a no-go (same IP for the same PC). So I roughly narrowed our VPN connection problem down to being NAT related. Here are some NAT-related commands from our PIX:

interface GigabitEthernet0
description to-cable-modem
nameif outside
security-level 0
ip address 70.169.X.X 255.255.255.0
ospf cost 10
!
interface GigabitEthernet1
description inside  10/16
nameif inside
security-level 100
ip address 10.1.1.254 255.255.0.0
ospf cost 10
!
!
interface Ethernet2
description vlan30
nameif dmz2
security-level 50
ip address 30.30.30.30 255.255.255.0
ospf cost 10
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

......

global (outside) 10 interface
global (dmz2) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 inside8 255.255.255.0
nat (inside) 10 Vlan10 255.255.255.0
nat (inside) 10 vlan50 255.255.255.0
nat (inside) 10 192.168.0.0 255.255.255.0
nat (inside) 10 192.168.1.0 255.255.255.0
nat (inside) 10 192.168.10.0 255.255.255.0
nat (inside) 10 pix-inside 255.255.0.0

crypto isakmp nat-traversal 3600

-------

***** Packet capture results are listed here for the same PC to the same branch VPN server; the major difference is UDP 4500 (the PC with static NAT has good UDP 4500 traffic, the same PC with dynamic NAT has none):

#1:  when PC uses  static NAT, outgoing VPN is good:

54 packets captured
   1: 15:43:51.112054 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634(0) win 64240 <mss 1460,nop,nop,sackOK>
   2: 15:43:54.143028 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634(0) win 64240 <mss 1460,nop,nop,sackOK>
   3: 15:44:00.217273 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634(0) win 64240 <mss 1460,nop,nop,sackOK>
   4: 15:44:01.724938 10.1.1.82.1609 > 76.196.10.57.60443: S 2904546955:2904546955(0) win 64240 <mss 1460,nop,nop,sackOK>
   5: 15:44:01.784642 76.196.10.57.60443 > 10.1.1.82.1609: S 2323205974:2323205974(0) ack 2904546956 win 5808 <mss 1380,nop,nop,sackOK>
   6: 15:44:01.784886 10.1.1.82.1609 > 76.196.10.57.60443: . ack 2323205975 win 64240
   7: 15:44:01.785527 10.1.1.82.1609 > 76.196.10.57.60443: P 2904546956:2904547080(124) ack 2323205975 win 64240
   8: 15:44:01.856462 76.196.10.57.60443 > 10.1.1.82.1609: . ack 2904547080 win 5808
   9: 15:44:01.899596 76.196.10.57.60443 > 10.1.1.82.1609: P 2323205975:2323206638(663) ack 2904547080 win 5808
10: 15:44:02.056897 10.1.1.82.1609 > 76.196.10.57.60443: . ack 2323206638 win 63577
11: 15:44:03.495030 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547080:2904547278(198) ack 2323206638 win 63577
12: 15:44:03.667095 76.196.10.57.60443 > 10.1.1.82.1609: . ack 2904547278 win 6432
13: 15:44:03.740592 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206638:2323206697(59) ack 2904547278 win 6432
14: 15:44:03.741264 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547278:2904547576(298) ack 2323206697 win 63518
15: 15:44:03.814029 76.196.10.57.60443 > 10.1.1.82.1609: . ack 2904547576 win 7504
16: 15:44:06.989008 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206697:2323207075(378) ack 2904547576 win 7504
17: 15:44:06.990228 76.196.10.57.60443 > 10.1.1.82.1609: F 2323207075:2323207075(0) ack 2904547576 win 7504
18: 15:44:06.990564 10.1.1.82.1609 > 76.196.10.57.60443: . ack 2323207076 win 63140
19: 15:44:06.990656 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547576:2904547613(37) ack 2323207076 win 63140
20: 15:44:06.990854 10.1.1.82.1609 > 76.196.10.57.60443: F 2904547613:2904547613(0) ack 2323207076 win 63140
21: 15:44:07.049359 76.196.10.57.60443 > 10.1.1.82.1609: R 2323207076:2323207076(0) win 0
22: 15:44:17.055417 10.1.1.82.500 > 76.196.10.57.500: udp 276
23: 15:44:17.137657 76.196.10.57.500 > 10.1.1.82.500: udp 140
24: 15:44:17.161475 10.1.1.82.500 > 76.196.10.57.500: udp 224
25: 15:44:17.309066 76.196.10.57.500 > 10.1.1.82.500: udp 220
26: 15:44:17.478780 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
27: 15:44:17.550356 76.196.10.57.4500 > 10.1.1.82.4500: udp 64
28: 15:44:17.595214 10.1.1.82.4500 > 76.196.10.57.4500: udp 304
29: 15:44:17.753470 76.196.10.57.4500 > 10.1.1.82.4500: udp 304
30: 15:44:17.763037 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
31: 15:44:17.763540 10.1.1.82.4500 > 76.196.10.57.4500: udp 56
32: 15:44:18.054516 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
33: 15:44:18.124840 76.196.10.57.4500 > 10.1.1.82.4500: udp 68
34: 15:44:21.835390 10.1.1.82.4500 > 76.196.10.57.4500: udp 72
35: 15:44:21.850831 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
36: 15:44:21.901183 76.196.10.57.4500 > 10.1.1.82.4500: udp 72
37: 15:44:22.063747 10.1.1.82.1610 > 76.196.10.57.60443: S 938188365:938188365(0) win 64240 <mss 1460,nop,nop,sackOK>
38: 15:44:22.104746 76.196.10.57.4500 > 10.1.1.82.4500: udp 80
39: 15:44:22.122277 76.196.10.57.60443 > 10.1.1.82.1610: S 1440820945:1440820945(0) ack 938188366 win 5808 <mss 1380,nop,nop,sackOK>
40: 15:44:22.122536 10.1.1.82.1610 > 76.196.10.57.60443: . ack 1440820946 win 64240
41: 15:44:22.123269 10.1.1.82.1610 > 76.196.10.57.60443: P 938188366:938188490(124) ack 1440820946 win 64240
42: 15:44:22.187108 76.196.10.57.60443 > 10.1.1.82.1610: . ack 938188490 win 5808
43: 15:44:22.400675 76.196.10.57.60443 > 10.1.1.82.1610: P 1440820946:1440821609(663) ack 938188490 win 5808
44: 15:44:22.474600 10.1.1.82.1610 > 76.196.10.57.60443: P 938188490:938188688(198) ack 1440821609 win 63577
45: 15:44:22.533648 76.196.10.57.60443 > 10.1.1.82.1610: . ack 938188688 win 6432
46: 15:44:22.742286 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821609:1440821668(59) ack 938188688 win 6432
47: 15:44:22.742927 10.1.1.82.1610 > 76.196.10.57.60443: P 938188688:938189002(314) ack 1440821668 win 63518
48: 15:44:22.802570 76.196.10.57.60443 > 10.1.1.82.1610: . ack 938189002 win 7504
49: 15:44:25.180486 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821668:1440821934(266) ack 938189002 win 7504
50: 15:44:25.181753 76.196.10.57.60443 > 10.1.1.82.1610: F 1440821934:1440821934(0) ack 938189002 win 7504
51: 15:44:25.181997 10.1.1.82.1610 > 76.196.10.57.60443: . ack 1440821935 win 63252
52: 15:44:25.182134 10.1.1.82.1610 > 76.196.10.57.60443: P 938189002:938189039(37) ack 1440821935 win 63252
53: 15:44:25.182333 10.1.1.82.1610 > 76.196.10.57.60443: F 938189039:938189039(0) ack 1440821935 win 63252
54: 15:44:25.241869 76.196.10.57.60443 > 10.1.1.82.1610: R 1440821935:1440821935(0) win 0

#2:  same PC with Dynamic  NAT, VPN connection fails:

70 packets captured
   1: 14:08:31.758261 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495(0) win 64240 <mss 1460,nop,nop,sackOK>
   2: 14:08:34.876907 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495(0) win 64240 <mss 1460,nop,nop,sackOK>
   3: 14:08:40.746055 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495(0) win 64240 <mss 1460,nop,nop,sackOK>
   4: 14:08:42.048627 10.1.1.82.1074 > 76.196.10.57.60443: S 3309127022:3309127022(0) win 64240 <mss 1460,nop,nop,sackOK>
   5: 14:08:42.120248 76.196.10.57.60443 > 10.1.1.82.1074: S 1715577781:1715577781(0) ack 3309127023 win 5808 <mss 1380,nop,nop,sackOK>
   6: 14:08:42.120568 10.1.1.82.1074 > 76.196.10.57.60443: . ack 1715577782 win 64240
   7: 14:08:42.121102 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127023:3309127147(124) ack 1715577782 win 64240
   8: 14:08:42.183553 76.196.10.57.60443 > 10.1.1.82.1074: . ack 3309127147 win 5808
   9: 14:08:42.232867 76.196.10.57.60443 > 10.1.1.82.1074: P 1715577782:1715578445(663) ack 3309127147 win 5808
10: 14:08:42.405145 10.1.1.82.1074 > 76.196.10.57.60443: . ack 1715578445 win 63577
11: 14:08:43.791340 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127147:3309127345(198) ack 1715578445 win 63577
12: 14:08:43.850450 76.196.10.57.60443 > 10.1.1.82.1074: . ack 3309127345 win 6432
13: 14:08:44.028196 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578445:1715578504(59) ack 3309127345 win 6432
14: 14:08:44.058544 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127345:3309127643(298) ack 1715578504 win 63518
15: 14:08:44.116403 76.196.10.57.60443 > 10.1.1.82.1074: . ack 3309127643 win 7504
16: 14:08:47.384654 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578504:1715578882(378) ack 3309127643 win 7504
17: 14:08:47.385417 76.196.10.57.60443 > 10.1.1.82.1074: F 1715578882:1715578882(0) ack 3309127643 win 7504
18: 14:08:47.394068 10.1.1.82.1074 > 76.196.10.57.60443: . ack 1715578883 win 63140
19: 14:08:47.394922 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127643:3309127680(37) ack 1715578883 win 63140
20: 14:08:47.395151 10.1.1.82.1074 > 76.196.10.57.60443: F 3309127680:3309127680(0) ack 1715578883 win 63140
21: 14:08:47.457633 76.196.10.57.60443 > 10.1.1.82.1074: R 1715578883:1715578883(0) win 0
22: 14:08:57.258073 10.1.1.82.500 > 76.196.10.57.500: udp 276
23: 14:08:57.336255 76.196.10.57.500 > 10.1.1.82.500: udp 40
24: 14:08:58.334211 10.1.1.82.500 > 76.196.10.57.500: udp 276
25: 14:08:58.412850 76.196.10.57.500 > 10.1.1.82.500: udp 40
26: 14:09:00.333311 10.1.1.82.500 > 76.196.10.57.500: udp 276
27: 14:09:00.410730 76.196.10.57.500 > 10.1.1.82.500: udp 40
28: 14:09:02.412561 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865(0) win 64240 <mss 1460,nop,nop,sackOK>
29: 14:09:04.349164 10.1.1.82.500 > 76.196.10.57.500: udp 276
30: 14:09:04.431648 76.196.10.57.500 > 10.1.1.82.500: udp 40
31: 14:09:05.442710 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865(0) win 64240 <mss 1460,nop,nop,sackOK>
32: 14:09:11.380427 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865(0) win 64240 <mss 1460,nop,nop,sackOK>
33: 14:09:12.349926 10.1.1.82.500 > 76.196.10.57.500: udp 276
34: 14:09:12.421502 10.1.1.82.1076 > 76.196.10.57.60443: S 3856215672:3856215672(0) win 64240 <mss 1460,nop,nop,sackOK>
35: 14:09:12.430794 76.196.10.57.500 > 10.1.1.82.500: udp 40
36: 14:09:12.481832 76.196.10.57.60443 > 10.1.1.82.1076: S 248909856:248909856(0) ack 3856215673 win 5808 <mss 1380,nop,nop,sackOK>
37: 14:09:12.527972 10.1.1.82.1076 > 76.196.10.57.60443: . ack 248909857 win 64240
38: 14:09:12.529238 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215673:3856215797(124) ack 248909857 win 64240
39: 14:09:12.608275 76.196.10.57.60443 > 10.1.1.82.1076: . ack 3856215797 win 5808
40: 14:09:12.658581 76.196.10.57.60443 > 10.1.1.82.1076: P 248909857:248910520(663) ack 3856215797 win 5808
41: 14:09:12.664531 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215797:3856215995(198) ack 248910520 win 63577
42: 14:09:12.725533 76.196.10.57.60443 > 10.1.1.82.1076: . ack 3856215995 win 6432
43: 14:09:12.880813 76.196.10.57.60443 > 10.1.1.82.1076: P 248910520:248910579(59) ack 3856215995 win 6432
44: 14:09:12.892272 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215995:3856216293(298) ack 248910579 win 63518
45: 14:09:12.953029 76.196.10.57.60443 > 10.1.1.82.1076: . ack 3856216293 win 7504
46: 14:09:12.955043 76.196.10.57.60443 > 10.1.1.82.1076: F 248910579:248910579(0) ack 3856216293 win 7504
47: 14:09:12.955242 10.1.1.82.1076 > 76.196.10.57.60443: . ack 248910580 win 63518
48: 14:09:12.955516 10.1.1.82.1076 > 76.196.10.57.60443: P 3856216293:3856216330(37) ack 248910580 win 63518
49: 14:09:12.955730 10.1.1.82.1076 > 76.196.10.57.60443: F 3856216330:3856216330(0) ack 248910580 win 63518
50: 14:09:13.019743 76.196.10.57.60443 > 10.1.1.82.1076: R 248910580:248910580(0) win 0
51: 14:09:16.068691 10.1.1.82.500 > 76.196.10.57.500: udp 56
52: 14:09:16.227588 10.1.1.82.1077 > 76.196.10.57.60443: S 3657181617:3657181617(0) win 64240 <mss 1460,nop,nop,sackOK>
53: 14:09:16.283783 76.196.10.57.60443 > 10.1.1.82.1077: S 908773751:908773751(0) ack 3657181618 win 5808 <mss 1380,nop,nop,sackOK>
54: 14:09:16.306823 10.1.1.82.1077 > 76.196.10.57.60443: . ack 908773752 win 64240
55: 14:09:16.307692 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181618:3657181742(124) ack 908773752 win 64240
56: 14:09:16.370998 76.196.10.57.60443 > 10.1.1.82.1077: . ack 3657181742 win 5808
57: 14:09:16.411935 76.196.10.57.60443 > 10.1.1.82.1077: P 908773752:908774415(663) ack 3657181742 win 5808
58: 14:09:16.417870 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181742:3657181940(198) ack 908774415 win 63577
59: 14:09:16.509388 76.196.10.57.60443 > 10.1.1.82.1077: . ack 3657181940 win 6432
60: 14:09:16.708413 76.196.10.57.60443 > 10.1.1.82.1077: P 908774415:908774474(59) ack 3657181940 win 6432
61: 14:09:16.887100 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181940:3657182254(314) ack 908774474 win 63518
62: 14:09:16.948193 76.196.10.57.60443 > 10.1.1.82.1077: . ack 3657182254 win 7504
63: 14:09:19.698465 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740(266) ack 3657182254 win 7504
64: 14:09:19.699426 76.196.10.57.60443 > 10.1.1.82.1077: F 908774740:908774740(0) ack 3657182254 win 7504
65: 14:09:20.060162 10.1.1.82.1077 > 76.196.10.57.60443: . ack 908774741 win 63252
66: 14:09:20.062191 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740(266) ack 3657182254 win 7504
67: 14:09:20.063732 10.1.1.82.1077 > 76.196.10.57.60443: . ack 908774741 win 63252
68: 14:09:20.063900 10.1.1.82.1077 > 76.196.10.57.60443: P 3657182254:3657182291(37) ack 908774741 win 63252
69: 14:09:20.064098 10.1.1.82.1077 > 76.196.10.57.60443: F 3657182291:3657182291(0) ack 908774741 win 63252
70: 14:09:20.127694 76.196.10.57.60443 > 10.1.1.82.1077: R 908774741:908774741(0) win 0
70 packets shown

We have had this outgoing IPsec VPN connection problem for years (initially I thought it was an access restriction problem, but it does not work either if I turn off all access-lists; yesterday's experiment with the same PC further demonstrates that access-list restriction is not the cause). Any suggestions and advice are greatly appreciated.

Sean
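As an added illustration (not part of Sean's post or of any PIX output), here is a small Python parser for the `show capture` lines quoted above. It flags the difference between the two traces that the post points at: whether IKE on UDP 500 progressed to NAT-T on UDP 4500, or whether the client kept retransmitting the same UDP 500 datagram and only got short replies back. The sample lines are copied (abbreviated) from the two captures in the post; the client address 10.1.1.82 is taken from them.

```python
import re
from collections import Counter

# Lines copied (abbreviated) from the two "show capture" listings in the post.
CAPTURE_STATIC_NAT = """\
22: 15:44:17.055417 10.1.1.82.500 > 76.196.10.57.500: udp 276
23: 15:44:17.137657 76.196.10.57.500 > 10.1.1.82.500: udp 140
24: 15:44:17.161475 10.1.1.82.500 > 76.196.10.57.500: udp 224
25: 15:44:17.309066 76.196.10.57.500 > 10.1.1.82.500: udp 220
26: 15:44:17.478780 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
27: 15:44:17.550356 76.196.10.57.4500 > 10.1.1.82.4500: udp 64
54 packets shown
"""

CAPTURE_DYNAMIC_NAT = """\
22: 14:08:57.258073 10.1.1.82.500 > 76.196.10.57.500: udp 276
23: 14:08:57.336255 76.196.10.57.500 > 10.1.1.82.500: udp 40
24: 14:08:58.334211 10.1.1.82.500 > 76.196.10.57.500: udp 276
25: 14:08:58.412850 76.196.10.57.500 > 10.1.1.82.500: udp 40
26: 14:09:00.333311 10.1.1.82.500 > 76.196.10.57.500: udp 276
27: 14:09:00.410730 76.196.10.57.500 > 10.1.1.82.500: udp 40
28: 14:09:02.412561 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865(0) win 64240 <mss 1460,nop,nop,sackOK>
29: 14:09:04.349164 10.1.1.82.500 > 76.196.10.57.500: udp 276
30: 14:09:04.431648 76.196.10.57.500 > 10.1.1.82.500: udp 40
51: 14:09:16.068691 10.1.1.82.500 > 76.196.10.57.500: udp 56
70 packets shown
"""

# One capture line: "<n>: <hh:mm:ss.usec> <src>.<sport> > <dst>.<dport>: <rest>"
PKT_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<rest>.+)$"
)


def parse_capture(text):
    """Turn PIX 'show capture' lines into dicts; header/trailer lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("udp "):
            proto, length = "udp", int(rest.split()[1])   # "udp <payload bytes>"
        else:
            proto, length = "tcp", None   # TCP lines carry flags/seq numbers, not a byte count
        packets.append({
            "num": int(m.group("num")), "ts": m.group("ts"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "proto": proto, "length": length,
        })
    return packets


def ike_summary(packets, client_ip):
    """ISAKMP (UDP 500) datagram sizes per direction and NAT-T (UDP 4500) counts."""
    s = {"isakmp_out": [], "isakmp_in": [], "natt_out": 0, "natt_in": 0}
    for p in packets:
        if p["proto"] != "udp":
            continue
        outbound = p["src"] == client_ip
        if p["sport"] == 500 and p["dport"] == 500:
            s["isakmp_out" if outbound else "isakmp_in"].append(p["length"])
        elif p["sport"] == 4500 and p["dport"] == 4500:
            s["natt_out" if outbound else "natt_in"] += 1
    return s


def diagnose(packets, client_ip, retransmit_threshold=3):
    """Classify the trace: NAT-T came up, or IKE stalled on repeated identical UDP 500 sends."""
    s = ike_summary(packets, client_ip)
    if s["natt_out"] and s["natt_in"]:
        return "natt-established"
    if not s["isakmp_out"]:
        return "no-ike-traffic"
    _, repeats = Counter(s["isakmp_out"]).most_common(1)[0]
    if repeats >= retransmit_threshold:
        return "ike-stalled"
    return "ike-incomplete"


if __name__ == "__main__":
    for name, text in (("static NAT", CAPTURE_STATIC_NAT), ("dynamic NAT", CAPTURE_DYNAMIC_NAT)):
        pkts = parse_capture(text)
        print(name, diagnose(pkts, "10.1.1.82"), ike_summary(pkts, "10.1.1.82"))
```

The static-NAT trace classifies as `natt-established` (UDP 4500 in both directions), while the dynamic-NAT trace classifies as `ike-stalled`: the same 276-byte UDP 500 datagram is sent again and again and only 40-byte replies come back, and UDP 4500 never appears. Running this over the two full captures from the post gives the same verdicts.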


12 Replies

rizwanr74
Level 7

Hi Sean,

Please post your config and state what is that you want to accomplish on your Pix535.

thanks

Sorry, I should have posted all configurations. The following list only cuts the network objects list/access-list and only keeps 2 static NATs there; anything else is as it's displayed.

The goal is: all internal PCs can use an IPsec VPN client (such as the QuickVPN client) to connect to our branch offices, which we can't do now (i.e., if we use QuickVPN, at the very last step it says: "the remote gateway is not responding, do you want to wait?"). As I described above, the QuickVPN client actually succeeds if the PC has static NAT. Of course we can't do that, as public IPs are almost impossible to obtain these days (we only have 16 so far). Thank you very much for looking into this topic.

Saved
: Written by enable_15 at 08:46:46.597 EDT Tue Oct 2 2012
!
PIX Version 8.0(4)
!
hostname pix535

dns-guard
!
interface GigabitEthernet0
description to-cable-modem
nameif outside
security-level 0
ip address 70.169.x.x 255.255.255.0
ospf cost 10
!
interface GigabitEthernet1
description inside  10/16
nameif inside
security-level 100
ip address 10.1.1.254 255.255.0.0
ospf cost 10


!
interface Ethernet2
description vlan30
nameif dmz2
security-level 50
ip address 30.30.30.30 255.255.255.0
ospf cost 10
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


ip local pool cnf-8-ip 10.1.1.192-10.1.1.199 mask 255.255.0.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1

arp timeout 14400
global (outside) 10 interface
global (dmz2) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 inside8 255.255.255.0
nat (inside) 10 Vlan10 255.255.255.0
nat (inside) 10 vlan50 255.255.255.0
nat (inside) 10 192.168.0.0 255.255.255.0
nat (inside) 10 192.168.1.0 255.255.255.0
nat (inside) 10 192.168.10.0 255.255.255.0
nat (inside) 10 pix-inside 255.255.0.0
nat (Ethernet4) 10 192.168.0.0 255.255.255.0

static (dmz2,outside) 70.183.X.X store.cnfei.com netmask 255.255.255.255
static (Ethernet4,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (inside,outside) 70.183.X.X internal netmask 255.255.255.255
static (inside,outside) 70.183.X.X fifa netmask 255.255.255.255

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group Ethernet4_access_in in interface Ethernet4
access-group eth3_access_in in interface eth3
route outside 0.0.0.0 0.0.0.0 70.169.X.1 1
route inside inside8 255.255.255.0 10.8.1.1 1
route inside Vlan10 255.255.255.0 10.1.1.1 1
route inside vlan50 255.255.255.0 10.1.1.1 1
route inside 192.168.1.0 255.255.255.0 10.1.1.1 1
route inside 192.168.10.0 255.255.255.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
eou clientless password clms20996
aaa authentication ssh console LOCAL
http server enable
http pix-inside 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self

ip-address 10.1.1.254
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=pix535
crl configure
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600

ssh pix-inside 255.255.0.0 inside
ssh timeout 20
ssh version 1
console timeout 0
dhcpd dns 206.246.194.7 206.246.194.10

!
threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server paris source inside prefer
tftp-server inside seanlinux /pix
ssl encryption des-sha1 3des-sha1 aes256-sha1
ssl trust-point ASDM_TrustPoint1
ssl trust-point ASDM_TrustPoint0 inside
group-policy GroupPolicy1 internal
group-policy cnf-vpn-cls internal
group-policy cnf-vpn-cls attributes
wins-server value 10.1.1.7
dns-server value 10.1.1.7 10.1.1.205
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value X.com

tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group cnf-vpn-cls type remote-access
tunnel-group cnf-vpn-cls general-attributes
address-pool cnf-8-ip
default-group-policy cnf-vpn-cls
tunnel-group cnf-vpn-cls ipsec-attributes
pre-shared-key **********
isakmp ikev1-user-authentication none
tunnel-group cnf-vpn-cls ppp-attributes
authentication ms-chap-v2
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy1
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key ***********
!
class-map vpn-udp-class
match access-list vpn-udp-acl
class-map inspection_default
match default-inspection-traffic
!
!
policy-map vpn-udp-policy
class vpn-udp-class
  inspect ipsec-pass-thru
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 768
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect pptp
  inspect ipsec-pass-thru
!
service-policy global_policy global
service-policy vpn-udp-policy interface outside
prompt hostname context
Cryptochecksum:a9cd8cad564dd27e90aa6fc63e33f7d7
: end

Hi Sean,

The critical ACL to your problem is "outside_1_cryptomap"

which I do not see in the running config; that makes it harder to understand what is allowed and what is not over this ACL.

If you want your remote client to access the remote tunnel's inside network, you need to no-nat the VPN pool traffic (with a mask of 10.1.1.192 255.255.255.248), so no-nat the remote tunnel's inside network on the outside interface, because your remote-client traffic and the remote tunnel's inside network are physically coming off the outside interface of your PIX 535.

And then you must include your VPN client pool in the crypto ACL and the no-nat ACL so it is allowed to traverse the tunnel on the remote tunnel appliance itself, and be sure to include a static route to push VPN pool traffic to the default-gateway address of the remote VPN peer; the no-nat must be set on the outside interface as well.

Thanks

Rizwan Rafeek

Thank you Rizwan,

Sorry I have not included our ACLs. The access-list is mostly outside-coming-inside rules, with which we don't have any problem, even for VPN connections. Our problem is inside-to-outside VPN connections, with which we have had trouble for a long time. Again, our goal is using a VPN client to connect to outside VPN servers; we don't have any access-list rule to block outgoing traffic, yet we can't connect to outside VPN servers. The exception is that if my PC has a static NAT map, then the outbound VPN connection is fine, which alone says outbound traffic is not blocked by the FW ACL; otherwise how can the same PC with the same IP address to the same outside VPN server work fine if it has static NAT? Again, we don't have an incoming VPN problem for remote clients, only an outgoing VPN connection problem from local clients (PCs) to remote VPN services. The ACL rule outside_1_cryptomap is created by the LAN-to-LAN VPN wizard, which is not working either, but I think our outbound VPN connection problem is the culprit. I can delete it without any difference for outgoing VPN connections.

I know this sounds strange because my home uses a $50 Linksys router and outbound VPN works perfectly, without any configuration.

Hope I made our problem a little clearer.

Once again I do appreciate your time and efforts looking into this topic.

access-list outside_1_cryptomap extended permit ip pix-inside 255.255.0.0 10.20.0.0 255.255.0.0

access-list vpn-udp-acl extended permit udp any any eq isakmp access-list

Hi Sean,

I have difficulty understanding the nature of the issue you are facing. It seems you have two problems, if I am not mistaken; otherwise one of the problems mentioned below is merely a contradictory statement.

Problem one:

"Our problem is from   inside-to-outside VPN connections, which we   have trouble for long   time,"

"only have outgoing VPN   connection problem from local clients(PCs) to remote VPN services."

Problem two:

"again, our goal is using   VPN client connecting to outside   VPN servers, we don't have access-list   rule to block outgoing traffic yet we can't connect to outsite VPN servers."

"again, we don't have incoming VPN problem   for remote clients, only have   outgoing VPN connection problem from local clients(PCs) to remote VPN   services."  

Please help me understand which is the real issue.

What does the alias "pix-inside" comprise?

Thanks

Rizwan Rafeek

Thank you Rizwan again. I'm sorry I have not made my question very clear; here is what stumps me:

I'm using XP with QuickVPN Client 1.4.2 to access one of our showroom computers via a VPN connection from my office. The remote showroom is using a Cisco WRV4400N router and its VPN is set up correctly (verified by a VPN connection from my home PC). But I could NOT connect; it goes this way: connecting... "server's certificate does not exist in your local computer, do you want to quit connection?"; after answering NO, then Connecting... activating Policy... Verifying network... finally it says: "the remote gateway is not responding, do you want to wait?", and the last cycle repeats even if I answer YES.

I can ping the remote IP from my XP, and there is no ACL blocking outgoing traffic; the funny thing is the same XP connects to the remote showroom fine if I have a static NAT for this XP's IP, as described above.

My initial reaction is: there should be no configuration needed on the PIX FW for just doing a VPN client connection, as is the case for my home PC. I don't know where I went wrong in our PIX configuration.

I don't need this PIX as a VPN server now, so I'm deleting all VPN-related configuration and all access-lists; so far nothing has made a difference. I'm considering resetting the PIX to factory default so I can start over again; I just need to do that on a weekend.

If you would like to see all our PIX configuration, please drop me an email at seanAT(stands for @)qkbags.com. Thank you for your patience and valuable time.

*pix-inside = 10.1/16

sean

New info: I actually got some new trace data for the outgoing VPN client dropping problem. The key difference is something called [Interface PAT] is used when the PC has no static NAT; here are the details (pix-inside = 10.1/16):

#1: when the PC uses dynamic NAT, the packet trace looks like the following (I'm using the Cisco ASDM packet tracer):

Show rule in NAT Rules table. (with red X mark for NAT)

Config

nat (inside) 10 pix-inside 255.255.0.0

match ip inside pix-inside 255.255.0.0 outside any

dynamic translation to pool 10 (70.169.138.X [Interface PAT])

translate_hits = 297399, untranslate_hits = 2432

#2: when the PC has static NAT, the packet trace has 2 NAT sections, all green:

Show rule in NAT Rules table. (first NAT)

Config

static (inside,outside) 70.183.141.X xp2-a netmask 255.255.255.255

match ip inside host xp2-a outside any

static translation to 70.183.141.X

translate_hits = 1, untranslate_hits = 0

Info

Static translate xp2-a/0 to 70.183.141.X/0 using netmask 255.255.255.255

-------second NAT

Config

static (inside,outside) 70.183.141.X xp2-a netmask 255.255.255.255
match ip inside host xp2-a outside any
static translation to 70.183.141.X
translate_hits = 1, untranslate_hits = 0

We got 16 CIDR IPs from COX, so the gateway is different from our assigned IP addresses. I don't know how the gateway is marked as PAT; I mostly use ASDM to configure the PIX. Maybe I can change the gateway to something other than the PAT type?

Maybe this helps a little with our VPN connection problem? Thank you.

Hi Sean, please delete these highlighted lines from your PIX, try it and let me know, as these lines are not the default configuration of the PIX.

class-map vpn-udp-class
match access-list vpn-udp-acl
policy-map vpn-udp-policy
class vpn-udp-class
  inspect ipsec-pass-thru
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 768
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
  inspect ipsec-pass-thru
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
ip verify reverse-path interface outside

thanks

Rizwan Rafeek

Thank you Rizwan,

I deleted all the rules you mentioned above, but still no luck.

Now I think I need to change Global Address Pool 10 to the NAT type. When I try to recreate a new pool, it has 3 choices: Range, Port Address Translation (PAT), or Port Address Translation (PAT) using the IP address of the interface.

Our OUTSIDE interface gets one IP: 70.169.138.132. It doesn't allow me to choose the RANGE type (NAT) because it says "ending IP address must be greater than starting IP address", so outside must be the PAT type.

The firewall rules as of now are the bare minimum; I don't know what else I can do. Maybe I should just use a Linksys router :)

Hi Sean,

When your outside interface address (i.e. 70.169.138.132) has been PATed to rule #10, you cannot use the same IP address for a different rule number, as it has been taken by rule #10.

Subnet  Network Address  Starting Host  End Host        Broadcast       Netmask
0       70.169.138.0     70.169.138.1   70.169.138.254  70.169.138.255  255.255.255.0

Here I am creating rule number 11 and assigning a range of fifteen IPs all together (i.e. 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16):

nat (inside) 11 172.16.0.0 255.255.255.0

global (outside) 11 70.169.138.2-70.169.138.16 netmask 255.255.255.0

Let me know, if this helps for natting.

thanks

Rizwan Rafeek.

Thank you Rizwan,

We can't have something like 70.169.138.2-70.169.138.16; we have a CIDR address, the outside interface is only one IP, and anything else is not ours. The 16 IP addresses assigned to us are in a totally different class from the outside interface IP, like 70.183.141.X.

I'm trying to configure an old Cisco 871 router to see what difference that router can make.

I do appreciate your help.

It's been 2 weeks already, and I actually made progress on this outgoing VPN thing. Though my solution may not be useful for others, I still post it here: the cause is most likely a NAT issue related to the COX CIDR address allocation. COX told me there is only one routable IP: 70.169.X.X (one IP only); our purchased IPs are in a totally different class: 70.183.Y.Y. I used one of the purchased IPs (70.183.Y.Z) as the interface PAT for all internal PCs, like:

global (outside) 15 70.183.Y.Z
nat (inside) 15 10.1.0.0 255.255.0.0

The change from the routed IP (of the OUTSIDE interface) to a purchased IP for the INSIDE interface NAT makes outgoing VPN work, though I don't understand why.
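As an added check (not from the thread, Sean or Cisco), the following Python script parses the `nat`/`global` lines of an 8.0-style PIX config and reports the two things the last replies turn on: a NAT id with no matching global pool (or a pool with no NAT rule), and an address on one interface claimed by two different global ids, which is the clash Rizwan describes between the interface-PAT pool 10 and any other pool that would reuse the outside address. It also runs over the shape of the final working change. The interface addresses come from the thread; the overlapping range and the 70.183.141.200 address (standing in for the post's 70.183.Y.Z) are constructed.

```python
import ipaddress
import re

# "global (ifc) id pool [netmask ...]" and "nat (ifc) id <network mask | access-list name>"
GLOBAL_RE = re.compile(r"^global\s*\(\s*(?P<ifc>[^)\s]+)\s*\)\s+(?P<id>\d+)\s+(?P<pool>\S+)")
NAT_RE = re.compile(r"^nat\s*\(\s*(?P<ifc>[^)\s]+)\s*\)\s+(?P<id>\d+)\s+(?P<rest>.+)$")

# Interface addresses quoted in the thread (outside) and in the posted config (dmz2).
INTERFACE_IPS = {"outside": "70.169.138.132", "dmz2": "30.30.30.30"}

# The nat/global lines as posted in the thread (abbreviated).
POSTED_CONFIG = """\
global (outside) 10 interface
global (dmz2) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 inside8 255.255.255.0
nat (inside) 10 pix-inside 255.255.0.0
nat (Ethernet4) 10 192.168.0.0 255.255.255.0
"""

# Constructed variant: a range pool for id 11 that overlaps the interface address
# already handed out by the interface-PAT pool of id 10 (the clash Rizwan describes).
OVERLAPPING_CONFIG = POSTED_CONFIG + """\
global (outside) 11 70.169.138.130-70.169.138.135 netmask 255.255.255.0
nat (inside) 11 172.16.0.0 255.255.255.0
"""

# Constructed variant modelled on the final working change: a PAT address taken
# from the purchased block (70.183.141.200 is a placeholder for the post's 70.183.Y.Z).
PURCHASED_PAT_CONFIG = """\
global (outside) 15 70.183.141.200
nat (inside) 15 10.1.0.0 255.255.0.0
"""


def parse_nat_config(text):
    """Collect global pools and nat rules; every other config line is ignored."""
    globals_, nats = [], []
    for line in text.splitlines():
        line = line.strip()
        m = GLOBAL_RE.match(line)
        if m:
            globals_.append({"ifc": m.group("ifc"), "id": int(m.group("id")), "pool": m.group("pool")})
            continue
        m = NAT_RE.match(line)
        if m:
            nats.append({"ifc": m.group("ifc"), "id": int(m.group("id")), "rest": m.group("rest")})
    return globals_, nats


def expand_pool(pool, ifc, interface_ips):
    """Addresses a global pool hands out: the interface address, an explicit range, or one IP."""
    if pool == "interface":
        if ifc not in interface_ips:
            raise ValueError(f"no address known for interface {ifc}")
        return {ipaddress.ip_address(interface_ips[ifc])}
    if "-" in pool:
        lo, hi = (int(ipaddress.ip_address(x)) for x in pool.split("-", 1))
        return {ipaddress.ip_address(n) for n in range(lo, hi + 1)}
    return {ipaddress.ip_address(pool)}


def check_nat(config_text, interface_ips):
    """Return a list of findings; an empty list means the nat/global pairing is consistent."""
    findings = []
    globals_, nats = parse_nat_config(config_text)
    nat_ids = {n["id"] for n in nats if n["id"] != 0}   # id 0 is the identity/no-NAT rule
    global_ids = {g["id"] for g in globals_}
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nid} has no global pool; its traffic cannot be translated")
    for gid in sorted(global_ids - nat_ids):
        findings.append(f"global id {gid} has no nat rule; the pool is never used")
    owner = {}   # (interface, address) -> id of the first pool that claimed it
    for g in globals_:
        for ip in sorted(expand_pool(g["pool"], g["ifc"], interface_ips)):
            key = (g["ifc"], ip)
            if key in owner and owner[key] != g["id"]:
                findings.append(
                    f"{ip} on {g['ifc']} is claimed by both global id {owner[key]} and global id {g['id']}"
                )
            owner.setdefault(key, g["id"])
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("overlapping", OVERLAPPING_CONFIG),
                      ("purchased PAT", PURCHASED_PAT_CONFIG)):
        print(name, check_nat(cfg, INTERFACE_IPS) or "no findings")
```

The posted config and the purchased-address variant produce no findings; the overlapping variant reports that 70.169.138.132 on outside is claimed by both global id 10 and global id 11, which is exactly why Rizwan's suggested range starts at .2 and stays clear of the interface address.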
