Re: Contivity VPN client behind PIX 515

patelkartikb · ‎11-06-2006

Hi,

I am having problem connecting Contivity VPN client behind Pix 515. It works fine outside firewall but not inside.

I know that I need to open some port or do one to one natting, but as I am new to Pix, I do not wanted to take any changes for misconfiguring..

Here also I am attaching the required documents on what to do, but I dont know how to do .....

Please anybody, somebody, everybody explain the procedure on how to solve this ???

I will really appriciate your help..

Thanks and Regards

trmccart · ‎11-06-2006

The answer is: it depends upon how your VPN Client is configured.

(1) You will need to allow Internet Key Exchange (IKE) to occur, which uses UDP port 500. You will also see the term ISAKMP (Internet Security Association and Key Management Protocol) which refers to the protocol that allows IKE to occur.

(2) You will need to allow IPSec traffic:

Option (a): Allow native IPSec traffic (un-encapsulated). This will typically be IP protocol numbers 50, for ESP (Encapsulated Security Payload). Very rarely an organization will use IP protocol number 51 for AH (Authenticated Header). In general, if AH is being used then data is not being encrypted.

Option (b): IPSec over UDP: Tunneling IPSec traffic over UDP port numbers. Historically, the Cisco VPN default for IPSec over UDP is UDP port number 10000.

Option (c): IPSec over TCP: Tunneling IPSec traffic over TCP port numbers. Historically, the Cisco VPN default for IPSec over TCP is TCP port number 10000.

Option (d): IPSec over UDP (Standard-based): Relatively new (several years old now) is NAT-T (Network Address Translation - Traversal) uses UDP port 4500 to negotiate IPSec.

Assumption: I assumed from your question that you do not allow inside devices unrestricted access to the Internet.

Recommendation: Allow Options (a) and (d) -- insure that the VPN clients are configured to support NAT-T. NAT-T should detect if IPSec encapsulation over UDP is needed, if not then it will run native IPSec in order to avoid the unnecessary overhead of encapsulation.

Common misconfiguration: It is very common for firewall rules to allow more ports for VPN access than what is truly required. Most often the IP protocol number 51 (for AH) is a misconfiguration and should be removed.

Commonly deployed Cisco Firewall feature: An easy way 'out' is to deploy the 'sysopt connection permit-ipsec' feature. This allows UDP port 500, and IP protocol numbers 50 and 51. This permits IPSec traffic to pass through the Cisco firewall without a check of access-list command statements. If you are running PIX/ASA code 7.1(1) or later then the command is 'sysopt connection permit-vpn'.

Best Regards,

Troy McCarty

P.S.: Many companies allow unrestricted access from the inside of their networks to the outside. The IKE (isakmp) exchanges create two uni-directional tunnels. IKE sets up a single IPSec bi-directional tunnel. The point being that you may need to allow UDP 500 in from the outside.

patelkartikb · ‎11-06-2006

Thanks troy,

I really appriciate your reply.

Could you please let me know how can I do this ?

I am new to pix so I really dont know how to configure ...

I will really appriciate your help.

Thanks and Regards

zubairjalal · ‎11-07-2006

sysopt connection permit-ipsec is the command to get it working

patelkartikb · ‎11-07-2006

Thanks for your reply. I already have sysopt connection permit-ipsec enable, but still it did not work.... Here is the configuration, see if you can find any problem ?

Thanks and I really appriciate your time.

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmznet security50

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list acl_out remark outside to dmz

access-list acl_out remark outside to inside

access-list acl_dmz remark dmz to inside

icmp deny any echo outside

mtu outside 1500

mtu inside 1500

mtu dmznet 1500

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 ***.**.**.141-***.**.**.150

global (outside) 1 ***.**.**.140

global (dmznet) 1 192.***.3.250-192.***.3.254

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmznet) 2 0.0.0.0 0.0.0.0 0 0

access-group acl_out in interface outside

access-group acl_dmz in interface dmznet

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community *

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

isakmp enable outside

isakmp peer ip 192.165.218.121 no-xauth no-config-mode

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 750

terminal width 80

: end

trmccart · ‎11-07-2006

Kartik,

I mocked this up in a lab based upon your configuration as much as I could. My inside 'client' was able to establish a VPN connection to my outside VPN service without any need to add anything to the PIX configuration.

What did I learn?

Your configuration does not show an access-list being applied to the inside interface. I did not have the 'sysopt permit-ipsec' command applied. The VPN Client and Server were able to negotiate a UDP connection -- source port UDP 500 to destination port UDP 500. NAT-T executed to establish IPSec/UDP on port 4500.

A 'show conn' showed a session on UDP 500 and UDP 4500.

The question I would then ask is whether the VPN client/server solution you are using is allowing IPSec/UDP to occur. I will try to disable NAT-T on my VPN setup...

Here is the config off my Lab PIX:

sho run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname PIX1

domain-name cisco.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list acl-outside deny ip any any

no pager

logging on

logging timestamp

logging buffered debugging

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 192.168.1.1 255.255.255.0

ip address inside 10.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 172.16.x.x.16.1.150

global (outside) 1 172.x.x.140

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

isakmp enable outside

isakmp peer ip 192.165.218.121 no-xauth no-config-mode

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxx

: end

Here is a 'show conn' on the PIX:

PIX1(config)# sho conn

2 in use, 2 most used

UDP out 192.168.1.2:4500 in 10.1.1.2:4500 idle 0:00:06 flags -

UDP out 192.168.1.2:500 in 10.1.1.2:500 idle 0:00:11 flags -

Looking at the log via 'show log':

302015: Built outbound UDP connection 15 for outside:192.168.1.2/500 (192.168.1.2/500) to inside:10.1.1.2/500 (172.16.1.143/500)

302015: Built outbound UDP connection 16 for outside:192.168.1.2/4500 (192.168.1.2/4500) to inside:10.1.1.2/4500 (172.16.1.143/4500)

trmccart · ‎11-07-2006

Kartik,

I have verified -- I disabled NAT-T on my inside client and the IPSec session could not be successfully negotiated.

My best guess, the Nortel VPN solution needs to be 'tweaked' to allow IPSec over TCP/UDP.

Regards,

Troy

Fernando_Meza · ‎11-08-2006

Hi .. just my 20 cents here .. NAT-T needs to be enabled on any client which sits behind a device which performs NAT/PAT. The server and the client needs to support NAT-T which you might need to double check . For Cisco VPN client by enabling UDP 500 and 4500 on both directions on the PIX will do the trick.

Cheers,

patelkartikb · ‎11-24-2006

Hi,

I don't know whats wrong but I cannot able to establish connections. It establish udp 500 but it cannot establish 4500, I dont know why ?

Thanks for your help

Please tell me if I am doing someting wrong.

I am attaching my config here, please help me.....