Cisco PIX Behind ADSL Router

Hi,

I'm trying to configure my Cisco PIX 501 behind an ADSL router (Linksys with 1 public IP only!!). I configured it in the DMZ and I can connect with SSH, PDM etc. from my office.

I cannot connect with the VPN client.

This is my configuration:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password V6IL8GTNlbf/rkrD encrypted
passwd V6IL8GTNlbf/rkrD encrypted
hostname pix-chri
domain-name acantho.com
clock timezone METDST 1
clock summer-time METDST recurring last Sun Mar 2:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit ip 10.0.0.0 255.255.255.0 any
access-list inside_access_in permit icmp any any
access-list inside_access_out permit icmp any any
access-list HOME_VPN_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip any 10.0.1.4 255.255.255.252
access-list outside_cryptomap_dyn_20 permit ip any 10.0.1.4 255.255.255.252
pager lines 24
logging on
logging console notifications
logging buffered notifications
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.253 255.255.255.0
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool casapool 10.0.1.5-10.0.1.7
pdm location xxx.xxx.185.125 255.255.255.255 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 10.0.0.0 255.255.255.0 inside
pdm location xxx.xxx.192.133 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
access-group inside_access_out in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
ntp server xx.xxx.160.1 source outside
http server enable
http 192.168.1.0 255.255.255.0 outside
http xxx.xxx.1xx.115 255.255.255.255 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset-des esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup HOME_VPN address-pool casapool
vpngroup HOME_VPN dns-server 192.168.1.1 xxx.xxx.160.1
vpngroup HOME_VPN split-tunnel HOME_VPN_splitTunnelAcl
vpngroup HOME_VPN idle-time 1800
vpngroup HOME_VPN password ********
telnet timeout 5
ssh xx.xxx.xxx.115 255.255.255.255 outside
ssh xxx.xxx.1xx.33 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.1-10.0.0.25 inside
dhcpd dns 192.168.1.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username xxx password xxxxxxxxxxxxxx encrypted privilege 15
terminal width 80

Any idea?

Thanks

4 Replies

Dear Christian,

Thank you for posting.

Please add the following commands in configuration mode:

     isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0 ---> Group password

     isakmp nat-traversal 20

Make sure the client is properly configured:

Then, turn on debugging and try to connect:

debug crypto isakmp   

debug crypto ipsec

*Please make sure you have enough lines of scrollback.

Further reference: http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html

Please keep me posted.

Thanks.

Hi and thank you.

I added your lines but it doesn't work.

I think it's the DMZ configuration, maybe the ESP protocol doesn't work ....

I cannot see anything on the debug console. From an internal IP it works (I only have some errors with the policy).

Hi,

One thing I did not notice, please issue the following for now:

no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

Also, what does the client report? Remote gateway no longer responding?

The ESP packets are not the issue, at this point you need to make sure that ISAKMP (UDP port 500) is allowed and your ISP permits this traffic.

A packet-capture will be required to confirm whether the PIX receives the traffic or not.

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/c.html#wp1053548

In your case:

access-list isakmp permit udp host 192.168.1.253 any eq 500

access-list isakmp permit udp any host 192.168.1.253 eq 500

capture isakmp access-list isakmp interface outside

Then try to connect and run the following command:

show capture isakmp

Please keep me posted.

Thanks.
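The reply above uses a capture on the outside interface to decide whether ISAKMP reaches the PIX at all and whether the PIX answers. The script below is an added example (it is not from the thread, the poster or Cisco) that triages the text of `show capture isakmp` in Python: it counts UDP 500 and UDP 4500 packets per direction for the thread's outside address 192.168.1.253 and reports which of the three situations the reply distinguishes applies. The tcpdump-like line format in the comment is an assumption about the PIX output, and the capture lines are constructed; the function names are this example's own.

```python
import re
from collections import Counter

# Assumed line shape of PIX 6.3 `show capture isakmp` output (tcpdump-like; newer
# releases prefix an index such as "1: ", which the pattern tolerates):
#   "13:40:53.216255 203.0.113.10.500 > 192.168.1.253.500:  udp 264"
LINE = re.compile(
    r"^\s*(?:\d+:\s+)?\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<proto>\w+)"
)

PIX_OUTSIDE = "192.168.1.253"  # the PIX outside address from the thread

# Constructed capture: two IKE round trips on UDP 500 and nothing on UDP 4500.
# 203.0.113.10 stands in for the remote VPN client's public address.
SAMPLE_CAPTURE = """\
4 packets captured
13:40:53.216255 203.0.113.10.500 > 192.168.1.253.500:  udp 264
13:40:53.219871 192.168.1.253.500 > 203.0.113.10.500:  udp 256
13:40:53.402114 203.0.113.10.500 > 192.168.1.253.500:  udp 184
13:40:53.404980 192.168.1.253.500 > 203.0.113.10.500:  udp 184
4 packets shown
"""


def parse_capture(text):
    """Return (src, sport, dst, dport, proto) tuples; non-packet lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            pkts.append((d["src"], int(d["sport"]), d["dst"], int(d["dport"]), d["proto"]))
    return pkts


def triage(pkts, outside_ip=PIX_OUTSIDE):
    """Count IKE (500) and NAT-T (4500) packets per direction and name the situation."""
    counts = Counter()
    for src, sport, dst, dport, proto in pkts:
        if proto != "udp":
            continue
        if dst == outside_ip and dport in (500, 4500):
            counts[("in", dport)] += 1
        elif src == outside_ip and sport in (500, 4500):
            counts[("out", sport)] += 1
    i500, o500 = counts[("in", 500)], counts[("out", 500)]
    i4500, o4500 = counts[("in", 4500)], counts[("out", 4500)]
    if i500 + i4500 == 0:
        verdict = "no-inbound"    # nothing reaches the PIX: upstream router/DMZ or ISP drops UDP 500
    elif o500 + o4500 == 0:
        verdict = "no-reply"      # PIX sees IKE but never answers: isakmp enable/key/policy
    elif i4500 + o4500 == 0:
        verdict = "no-nat-t"      # phase 1 exchanged, but no UDP 4500: NAT-T not negotiated
    else:
        verdict = "ike-and-nat-t"  # both flowing; look at phase 2 and NAT exemption next
    return {"in_500": i500, "out_500": o500, "in_4500": i4500, "out_4500": o4500, "verdict": verdict}


if __name__ == "__main__":
    print(triage(parse_capture(SAMPLE_CAPTURE)))
```

Paste the real `show capture isakmp` text in place of the constructed sample; if the line format of your release differs, adjust the `LINE` pattern first and confirm that `parse_capture` returns as many tuples as the "packets shown" count.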

Hi Javier,

Now the setup works.

I had problems with NAT rules on my Linksys router.

Now I can connect to my PIX through the DMZ of my router: Internet --> Router Linksys (192.168.1.1) --> DMZ --> OUTSIDE IP 192.168.1.253 --> PIX 501 --> INSIDE IP 10.0.0.254

Unfortunately I still cannot reach any hosts on the network:

On my external VPN client I have:

IPv4. . . . . . . . . . . . : 10.0.1.5
Subnet mask . . . . . . . . . . . . . : 255.255.255.252
Gateway . . . . . . . . . : 10.0.1.6

Route print
        10.0.1.4  255.255.255.252         On-link          10.0.1.5    276
        10.0.1.5  255.255.255.255         On-link          10.0.1.5    276
        10.0.1.7  255.255.255.255         On-link          10.0.1.5    276

I cannot reach any address ... 192.168.1.x or 10.0.0.x

Thank you very much

This is my last config:

interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password V6IL8GTNlbf/rkrD encrypted
passwd V6IL8GTNlbf/rkrD encrypted
hostname pix-chri
domain-name acantho.com
clock timezone METDST 1
clock summer-time METDST recurring last Sun Mar 2:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit ip 10.0.0.0 255.255.255.0 any
access-list inside_access_in permit icmp any any
access-list inside_access_out permit icmp any any
access-list HOME_VPN_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip any 10.0.1.4 255.255.255.252
access-list outside_cryptomap_dyn_20 permit ip any 10.0.1.4 255.255.255.252
pager lines 24
logging on
logging console notifications
logging buffered notifications
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.253 255.255.255.0
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool casapool 10.0.1.5-10.0.1.7 mask 255.255.255.252
###PDM config ok###
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
access-group inside_access_out in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
ntp server 213.174.160.1 source outside
###http config ok#####
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset-des esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup HOME_VPN address-pool casapool
vpngroup HOME_VPN dns-server 192.168.1.1 213.174.160.1
vpngroup HOME_VPN split-tunnel HOME_VPN_splitTunnelAcl
vpngroup HOME_VPN idle-time 1800
vpngroup HOME_VPN password ********
telnet timeout 5
ssh timeout 5
###ssh config ok@@@@
console timeout 0
dhcpd address 10.0.0.1-10.0.0.25 inside
dhcpd dns 192.168.1.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username user password xxxxxxxxxxxxxxxx encrypted privilege 15
terminal width 80
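The thread turns on a handful of config details: the two commands the first reply asked for (`isakmp nat-traversal`, a wildcard `isakmp key`), whether the NAT-exemption and crypto ACLs cover the client pool, and the split-tunnel ACL that decides which networks the client routes through the tunnel. The script below is an added example (not from the thread, the poster or Cisco) that checks exactly those points over a Python-parsed PIX 6.3 config. The sample config is a constructed subset of the final config posted above; the finding codes and helper names (`acl_entries`, `local_pool`, `covers`, `lint`) are this example's own. Beyond the thread's points it also flags the pool address 10.0.1.7, which is the broadcast address of 10.0.1.4/30 under the pool's own mask, and the default SNMP community.

```python
import ipaddress

# Constructed sample: the VPN-relevant lines of the final config posted in the
# thread (PDM, http and ssh sections omitted, as in the post itself).
SAMPLE_CONFIG = """\
access-list HOME_VPN_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip any 10.0.1.4 255.255.255.252
access-list outside_cryptomap_dyn_20 permit ip any 10.0.1.4 255.255.255.252
ip address outside 192.168.1.253 255.255.255.0
ip address inside 10.0.0.254 255.255.255.0
ip local pool casapool 10.0.1.5-10.0.1.7 mask 255.255.255.252
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
snmp-server community public
sysopt connection permit-ipsec
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
vpngroup HOME_VPN address-pool casapool
vpngroup HOME_VPN split-tunnel HOME_VPN_splitTunnelAcl
"""


def _addr(tok):
    """Consume one ACL address spec (any | host A | A MASK) from the token list."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}", strict=False)


def acl_entries(lines, name):
    """(src, dst) networks of the 'permit ip' entries of access-list `name`."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:4] == ["access-list", name, "permit", "ip"]:
            rest = tok[4:]
            entries.append((_addr(rest), _addr(rest)))
    return entries


def local_pool(lines, name):
    """(first, last, mask-or-None) from 'ip local pool <name> A-B [mask M]'."""
    for line in lines:
        tok = line.split()
        if tok[:4] == ["ip", "local", "pool", name]:
            first, last = (ipaddress.ip_address(a) for a in tok[4].split("-"))
            mask = tok[6] if len(tok) > 6 and tok[5] == "mask" else None
            return first, last, mask
    return None


def covers(entries, first, last):
    """True if every pool address lies inside the destination of some ACL entry."""
    return all(any(ipaddress.ip_address(a) in dst for _, dst in entries)
               for a in range(int(first), int(last) + 1))


def lint(text):
    """Return (code, message) findings for the remote-access VPN parts of a PIX 6.3 config."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]

    def has(prefix):
        return [l for l in lines if l.startswith(prefix)]

    findings = []
    if not has("isakmp nat-traversal"):
        findings.append(("NAT-T", "no 'isakmp nat-traversal': peers behind NAT cannot switch to UDP 4500"))
    if any("authentication pre-share" in l for l in has("isakmp policy")) and not has("isakmp key"):
        findings.append(("ISAKMP-KEY", "pre-shared auth without an 'isakmp key ... address 0.0.0.0 netmask 0.0.0.0' entry"))
    if has("snmp-server community public"):
        findings.append(("SNMP-DEFAULT", "SNMP community 'public' is the well-known default"))
    for line in has("vpngroup "):
        tok = line.split()
        if tok[2] == "address-pool":
            pool = local_pool(lines, tok[3])
            if not pool:
                findings.append(("POOL-MISSING", f"address-pool {tok[3]} is not defined"))
                continue
            first, last, mask = pool
            if mask:  # pool addresses must be usable hosts under the mask handed to clients
                net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
                for a in range(int(first), int(last) + 1):
                    addr = ipaddress.ip_address(a)
                    if addr in (net.network_address, net.broadcast_address):
                        findings.append(("POOL-EDGE", f"{addr} is the network/broadcast address of {net}"))
            for l in has("nat (inside) 0 access-list"):
                if not covers(acl_entries(lines, l.split()[-1]), first, last):
                    findings.append(("NAT0-COVERAGE", "nat 0 ACL does not exempt all pool addresses from NAT"))
            for l in has("crypto dynamic-map"):
                ctok = l.split()
                if "match" in ctok and not covers(acl_entries(lines, ctok[-1]), first, last):
                    findings.append(("CRYPTO-ACL", "dynamic-map match ACL does not cover the pool"))
        elif tok[2] == "split-tunnel":
            if any(src.prefixlen == 0 for src, _ in acl_entries(lines, tok[3])):
                findings.append(("SPLIT-ANY", "split-tunnel ACL source is 'any'; list the inside networks (e.g. 10.0.0.0/24) instead"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONFIG):
        print(f"{code:14} {msg}")
```

Run it against `show running-config` output pasted into `SAMPLE_CONFIG`; a clean result on the NAT0-COVERAGE and CRYPTO-ACL checks is what the nat 0 and crypto ACLs in the posted config already achieve, while the remaining findings are the items worth reviewing before the next connection attempt.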