02-27-2015 07:17 AM - edited 02-21-2020 08:06 PM
Hi All,
I have been struggling for some days and really need some help here. My PC (192.168.254.x) is on the same vlan with outside interface (192.168.254.171) of my PIX506E. When I launch the Cisco VPN client, my PC shows connected and gets the IP of 10.9.0.150 which is expected. However, it also gets the gateway of 10.9.0.1 which I have no idea where it comes from. Thus my PC can't access any internal network or external network.
I've listed my configuration below and highlighted the part that I typed in. PIX version 7.1(2) is the highest version I can install on PIX506E. Please help. Thanks a lot.
pixfirewall# sh run
: Saved
:
PIX Version 7.1(2)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.254.171 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix712.bin
ftp mode passive
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip local pool ROBERT-POOL 10.9.0.150-10.9.0.160 mask 255.255.255.0
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Robert-GP internal
group-policy Robert-GP attributes
 dns-server value 8.8.8.8
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username robert password yXUoa8oHzS0Ncp2O encrypted
username robert attributes
 vpn-group-policy Robert-GP
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto dynamic-map DYN1 1 set transform-set MYSET
crypto dynamic-map DYN1 1 set reverse-route
crypto map MYMAP 1 ipsec-isakmp dynamic DYN1
crypto map MYMAP interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp nat-traversal  30
tunnel-group ROBERT-GROUP type ipsec-ra
tunnel-group ROBERT-GROUP general-attributes
 address-pool ROBERT-POOL
 default-group-policy Robert-GP
tunnel-group ROBERT-GROUP ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
ssl encryption rc4-md5
Cryptochecksum:7157c6095f2abae2aae9e15c1caa81aa
: end
pixfirewall#
03-02-2015 03:11 PM
I just tested with "same-security-traffic permit inter-interface". My VPN client 10.9.0.151 (original IP 192.168.254.111) still can't ping inside host 10.10.10.10. If I disconnect the VPN, the original IP can ping 10.10.10.10 without any problem, which proves the end host 10.10.10.10 has the correct gateway. I guess there is a problem with the access list. Again, the VPN client can ping the outside subnet and public IPs.
pixfirewall# sh run access-list
access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list nat-out extended permit ip 10.9.0.0 255.255.255.0 any
access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nat0-out extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit icmp any any echo
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any unreachable
pixfirewall#
pixfirewall# sh run access-group
access-group outside-in in interface outside
pixfirewall#
pixfirewall# sh run nat
nat (outside) 0 access-list nat0-out
nat (outside) 1 access-list nat-out outside
nat (inside) 0 access-list nat0
pixfirewall#
pixfirewall# sh run global
global (outside) 1 interface
pixfirewall#
pixfirewall# sh run
: Saved
:
PIX Version 7.1(2)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix712.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list nat-out extended permit ip 10.9.0.0 255.255.255.0 any
access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nat0-out extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit icmp any any echo
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any unreachable
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip local pool ROBERT-POOL 10.9.0.150-10.9.0.160 mask 255.255.255.0
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list nat0-out
nat (outside) 1 access-list nat-out outside
nat (inside) 0 access-list nat0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Robert-GP internal
group-policy Robert-GP attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username robert password yXUoa8oHzS0Ncp2O encrypted
username robert attributes
 vpn-group-policy Robert-GP
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto dynamic-map DYN1 1 set transform-set MYSET
crypto map MYMAP 1 ipsec-isakmp dynamic DYN1
crypto map MYMAP interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
tunnel-group ROBERT-GROUP type ipsec-ra
tunnel-group ROBERT-GROUP general-attributes
 address-pool ROBERT-POOL
 default-group-policy Robert-GP
tunnel-group ROBERT-GROUP ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect icmp
!
service-policy global_policy global
ssl encryption rc4-md5
Cryptochecksum:0c6e2dbc774f2a63ac09ce94a2a974a0
: end
pixfirewall# 
03-02-2015 04:24 PM
Can you please remove this user's profile attributes and try it.
username robert attributes
 no vpn-group-policy Robert-GP
03-02-2015 04:55 PM
Just executed "no vpn-group-policy Robert-GP" under Robert's attributes. Still got same thing. I can ping outside subnet and internet. But I can't ping inside host 10.10.10.10.
03-02-2015 05:08 PM
Can you remove the no-nat line below.
no nat (inside) 0 access-list nat0
and try it?
03-02-2015 05:46 PM
Just executed "no nat (inside) 0 access-list nat0". Same problem. I can ping the outside subnet and the internet, but I can't ping inside host 10.10.10.10. The IP 10.10.10.10 is pingable by 192.168.254.111 when the VPN gets disconnected.
pixfirewall# sh run nat
nat (outside) 0 access-list nat0-out
nat (outside) 1 access-list nat-out outside
pixfirewall#
pixfirewall# sh run access-list
access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list nat-out extended permit ip 10.9.0.0 255.255.255.0 any
access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nat0-out extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit icmp any any echo
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any unreachable
pixfirewall#
pixfirewall# sh run global
global (outside) 1 interface
pixfirewall# 
03-02-2015 08:30 PM
Reboot your PIX and then remote in.
Ping inside host
show crypto ipsec sa
post your output.
03-03-2015 04:49 AM
Reloaded the PIX. Please see below. Sorry I can't test between 8am-5pm EST. Have to go to work.
pixfirewall# sh crypto ipsec sa
interface: outside
    Crypto map tag: DYN1, seq num: 1, local addr: 192.168.254.171
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.9.0.150/255.255.255.255/0/0)
      current_peer: 192.168.254.111, username: robert
      dynamic allocated peer ip: 10.9.0.150
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.254.171, remote crypto endpt.: 192.168.254.111
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 9D6770BF
    inbound esp sas:
      spi: 0x69308CDD (1764789469)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: DYN1
         sa timing: remaining key lifetime (sec): 28661
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x9D6770BF (2640801983)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: DYN1
         sa timing: remaining key lifetime (sec): 28660
         IV size: 8 bytes
         replay detection support: Y
pixfirewall#
03-03-2015 05:23 AM
As you can see, traffic is entering via the remote-access connection and is being decrypted, but no return traffic is going back to the remote-access tunnel peer.
- -- - -- - - - - -- - - -- - - -- - - - - - - -- - - - - - -
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
- -- - -- - - - - -- - - -- - - -- - - - - - - -- - - - - - -
So create a capture on the firewall to see whether return traffic is coming back to the firewall's inside interface.
The capture must be applied to the inside interface.
access-list rhuang extended permit ip 10.9.0.0 255.255.255.0 host 10.10.10.10
access-list rhuang extended permit host 10.10.10.10 10.9.0.0 255.255.255.0 
capture rhcapt access-list rhuang interface inside
Now send traffic from the VPN client to the inside host.
Lastly, issue this command in exec mode:
show capture rhcapt
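The check Rizwan applies above (decaps climbing while encaps stays at 0 means the PIX is receiving the client's packets but never encrypting a reply) can be automated. This is an added example, not code from the thread; the sample output is constructed to mirror the counters posted above, and the parser only handles the counter lines it looks for.

```python
import re

# Constructed sample modelled on the "show crypto ipsec sa" output in this thread
# (abbreviated; only the lines the parser needs are included).
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: DYN1, seq num: 1, local addr: 192.168.254.171
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.9.0.150/255.255.255.255/0/0)
      current_peer: 192.168.254.111, username: robert
      dynamic allocated peer ip: 10.9.0.150
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
      #send errors: 0, #recv errors: 0
"""


def parse_ipsec_sa(text):
    """Return one counter record per 'current_peer' block of show crypto ipsec sa."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        peer = re.match(r"current_peer: ([^,\s]+)", line)
        if peer:
            current = {"peer": peer.group(1), "encaps": 0, "decaps": 0,
                       "send_errors": 0, "recv_errors": 0}
            records.append(current)
            continue
        if current is None:
            continue
        for key in ("encaps", "decaps"):
            m = re.search(rf"#pkts {key}: (\d+)", line)
            if m:
                current[key] = int(m.group(1))
        m = re.search(r"#send errors: (\d+), #recv errors: (\d+)", line)
        if m:
            current["send_errors"], current["recv_errors"] = int(m.group(1)), int(m.group(2))
    return records


def diagnose(rec):
    """Classify the traffic direction seen on one SA from its encaps/decaps counters."""
    if rec["encaps"] == 0 and rec["decaps"] == 0:
        return "no traffic"
    if rec["decaps"] > 0 and rec["encaps"] == 0:
        # Exactly the pattern in the thread: packets decrypted, nothing encrypted back.
        return "one-way: inbound only (no return traffic reaching the tunnel)"
    if rec["encaps"] > 0 and rec["decaps"] == 0:
        return "one-way: outbound only"
    return "bidirectional"


if __name__ == "__main__":
    for rec in parse_ipsec_sa(SAMPLE_SA_OUTPUT):
        print(rec["peer"], rec["encaps"], rec["decaps"], diagnose(rec))
```

Run it against the real `show crypto ipsec sa` output after re-testing; a record that stays "inbound only" points at the return path (routing, NAT exemption or the inside host's gateway) rather than at the tunnel itself.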
03-03-2015 03:00 PM
No packet was captured when my VPN client 10.9.0.150 was trying to ping 10.10.10.10.
pixfirewall# sh run access-list
access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list nat-out extended permit ip 10.9.0.0 255.255.255.0 any
access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nat0-out extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit icmp any any echo
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any unreachable
access-list rhuang extended permit ip 10.9.0.0 255.255.255.0 host 10.10.10.10
access-list rhuang extended permit ip host 10.10.10.10 10.9.0.0 255.255.255.0
pixfirewall#
pixfirewall#
pixfirewall# sh cap
capture rhcapt type raw-data access-list rhuang interface inside
pixfirewall#   
pixfirewall# sh cap rhcapt     
0 packet captured
0 packet shown
pixfirewall#
pixfirewall# sh cryp ipse sa
interface: outside
    Crypto map tag: DYN1, seq num: 1, local addr: 192.168.254.171
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.9.0.150/255.255.255.255/0/0)
      current_peer: 192.168.254.111, username: robert
      dynamic allocated peer ip: 10.9.0.150
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.254.171, remote crypto endpt.: 192.168.254.111
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: CEB9AA2C
    inbound esp sas:
      spi: 0x1EABC711 (514574097)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: DYN1
         sa timing: remaining key lifetime (sec): 28571
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xCEB9AA2C (3468274220)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: DYN1
         sa timing: remaining key lifetime (sec): 28568
         IV size: 8 bytes
         replay detection support: Y
pixfirewall#
pixfirewall# sh cap rhcapt 
0 packet shown
pixfirewall# 
03-03-2015 05:37 PM
I am not so sure why you cannot see the capture, even though we can see 11 packets were decrypted.
Your configuration is just fine.
Save your configuration to a text file, "wr erase" everything on your PIX and build it from scratch.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
03-03-2015 06:58 PM
Just rebuilt the PIX from scratch. Still the same thing. The VPN IP 10.9.0.150 (original IP 192.168.254.111) can ping the outside subnet and the internet, but it can't ping inside host 10.10.10.10. The IP 10.10.10.10 is pingable by 192.168.254.111 when the VPN gets disconnected.
I attached the latest show run.
03-04-2015 01:19 PM
I would suggest you try with a different device.
Old devices cause unpredictable behaviors; this isn't the first time for me.
thanks
03-04-2015 03:04 PM
Hi Rizwan,
I've rated your answers. Thank you very much for your time.
Regards,
Robert
03-05-2015 05:15 AM
Hi Robert,
Try this line and let me know.
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
thanks
03-05-2015 02:50 PM
Didn't work. Once I added "static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0", I couldn't ping 10.10.10.10. Furthermore, I even lost access to the outside subnet 192.168.254.0/24. Decrypted packets keep increasing and there are no encrypted packets for destinations 10.10.10.0/24 and 192.168.254.0/24. Pinging a public IP like www.google.ca is OK.
Once I remove the line, accessing the outside subnet 192.168.254.0/24 and public IPs is OK.