IPSEC through Pix Firewall problem

nojpt
Level 1

Dear all,

Our current peer-to-peer VPN setup does not pass through the pix firewall. We decided to put the same router (3640) on one of the pix dmz interfaces. The new VPN router has a private address and is thus being NATed by the pix for the remote peers to connect. I have allowed UDP ISAKMP and the ESP protocol both ways between the peers.

Now the tunnel between the peers is ok but the email apps do not go through.

Has anybody experienced the same? Appreciate help. Thanks!

Jon

6 Replies

zubairjalal
Level 1

Jon. Can you please post some part of your config.

Here are the configs of the machines involved:

######################################################################################

PIX Firewall Config

object-group network RM-VPN-PEER
 network-object host 203.x.x.13
!
access-list acl_outside permit esp object-group RM-VPN-PEER host 202.x.x.x
access-list acl_outside permit udp object-group RM-VPN-PEER host 202.x.x.x eq isakmp
!
access-list acl_vpn-dmz permit esp host 172.22.172.8 object-group RM-VPN-PEER
access-list acl_vpn-dmz permit udp host 172.22.172.8 object-group RM-VPN-PEER eq isakmp
!
static (vpn-dmz,outside) 202.x.x.x 172.22.172.8 netmask 255.255.255.255 0 0
!

#######################################################################################

HQVPN config:

crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key ***Pre-shared-key-Here*** address 203.x.x.13
!
crypto ipsec transform-set standard esp-des esp-md5-hmac
!
crypto map adbvpn 10 ipsec-isakmp
 set peer 203.167.113.13
 set transform-set standard
 match address TFO2
 reverse-route
!
interface FastEthernet2/0
 ip address 172.22.172.8 255.255.254.0
 duplex auto
 speed auto
 crypto map adbvpn
!
ip access-list extended TFO2
 permit ip 172.22.0.0 0.1.255.255 172.22.88.0 0.0.1.255
 permit ip 192.x.x.0 0.0.0.255 172.22.88.0 0.0.1.255
 permit ip 202.x.x.0 0.0.0.255 172.22.88.0 0.0.1.255
 deny ip any any log
!

########################################################################################

Remote VPN Config:

crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key ***Pre-shared-key-Here*** address 202.x.x.x
!
crypto ipsec transform-set standard esp-des esp-md5-hmac
!
crypto map adbvpn 10 ipsec-isakmp
 set peer 202.x.x.x
 set transform-set standard
 match address TFO2
 reverse-route
!
interface Ethernet1/0
 ip address 172.22.172.8 255.255.254.0
 duplex auto
 speed auto
 crypto map adbvpn
!
ip access-list extended TFO2
 permit ip 172.22.88.0 0.0.1.255 172.22.0.0 0.1.255.255
 permit ip 172.22.88.0 0.0.1.255 192.x.x.0 0.0.0.255
 permit ip 172.22.88.0 0.0.1.255 202.x.x.0 0.0.0.255
 deny ip any any log

Thanks everybody for taking some time to look up my problem.

zubairjalal
Level 1

And what version are you running on the pix?

The pix is running the 6.3 OS.

Jonathan,

If your tunnel is up and running, then the issue may not be on the pix. The pix is just NAT-translating a device sitting between the VPN router and the Internet.

Are you able to ping the server from the client? Is e-mail the only application that is not working? What are the source and destination IP addresses? It looks like the problem may be with fragmentation.

Please provide some additional details, if possible.

Regards,

Arul

** Please rate all helpful posts **

Hi Arul,

HQ network is 172.22.0.0/15 while Remote network is 172.22.88.0/23.

My VPN is sitting at one of the DMZ interfaces with the 172.22.0.8/23 address and is being NATed at the outside interface to 202.x.x.x.

I also tried TCP-MSS=1392 at the VPN router to address a possible fragmentation problem, but it does resolve the issue of email not going through.

Now I'm entertaining the possibility of doing NAT 0 for this DMZ interface, as I am convinced this is a NAT-IPSEC incompatibility issue.

Any further help is very welcome.
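To check the fragmentation theory raised above against the tunnel actually configured in this thread (tunnel mode, transform-set esp-des esp-md5-hmac), here is an added example, not code from any poster or from Cisco, that models the ESP encapsulation overhead and tests whether a full-sized TCP segment at a given MSS still fits a 1500-byte MTU. It assumes IPv4 headers without options and no TCP options; the MSS value 1392 is the one mentioned in the thread.

```python
import math

# Per-packet overheads of ESP tunnel mode with the page's transform set
# "esp-des esp-md5-hmac". DES-CBC has an 8-byte block (IV length and padding
# alignment); HMAC-MD5-96 appends a 12-byte ICV. DES and MD5 are obsolete;
# their sizes are used here only to model the tunnel discussed in the thread.
OUTER_IP_HDR = 20      # new IPv4 header added by tunnel mode
ESP_SPI_SEQ = 8        # SPI (4) + sequence number (4)
DES_IV = 8             # one DES-CBC block
DES_BLOCK = 8          # plaintext + trailer padded to a multiple of the block size
ESP_TRAILER = 2        # pad length (1) + next header (1)
HMAC_MD5_96_ICV = 12   # truncated authentication data
IP_HDR = 20            # assumption: no IP options
TCP_HDR = 20           # assumption: no TCP options

def esp_tunnel_size(inner_len: int) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len bytes."""
    padded = math.ceil((inner_len + ESP_TRAILER) / DES_BLOCK) * DES_BLOCK
    return OUTER_IP_HDR + ESP_SPI_SEQ + DES_IV + padded + HMAC_MD5_96_ICV

def tcp_segment_on_wire(mss: int) -> int:
    """Outer size of a full-sized TCP segment (IP + TCP + mss data) after encapsulation."""
    return esp_tunnel_size(IP_HDR + TCP_HDR + mss)

def fragments_at(mss: int, mtu: int = 1500) -> bool:
    """True if the encrypted packet exceeds the MTU, i.e. it must be fragmented
    (or dropped with an ICMP 'fragmentation needed' if the inner packet sets DF)."""
    return tcp_segment_on_wire(mss) > mtu

def max_mss(mtu: int = 1500) -> int:
    """Largest MSS whose full-sized segments still fit the MTU after encapsulation."""
    mss = mtu
    while fragments_at(mss, mtu):
        mss -= 1
    return mss

if __name__ == "__main__":
    for mss in (1460, 1392, max_mss()):
        print(f"MSS {mss}: {tcp_segment_on_wire(mss)} bytes on the wire, "
              f"fragments={fragments_at(mss)}")
```

A default MSS of 1460 produces 1552-byte ESP packets, so they fragment; the thread's 1392 yields 1488 bytes and fits, which is consistent with the poster's report that lowering the MSS alone did not change the outcome. If the firewall drops the ICMP "fragmentation needed" messages the VPN router sends for DF-marked packets, path MTU discovery fails silently and only small transfers succeed, so that path is worth checking alongside the NAT question.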