PIX 501 and NAT-T

kandryc
Level 1

I have been wading through posts about connecting remote clients using Cisco's VPN software to the PIX. I have set up VPN access to my PIX 501 unit however, I am unable to reach any of the servers on my internal LAN.

I have read that you need to do the following:

# isakmp nat-traversal

However, this command is only for PIX software 6.3 and above. I have PIX software v6.2. This to me seems odd since, what is the purpose of having a VPN connection to the PIX if you are unable to get anywhere on your internal LAN?

Also, is there a way to not use nat-traversal command and still access internal servers, or do I have to upgrade in order to get at my internal network servers?

I appreciate your time!

Sincerely,

~K

9 Replies

jmia
Level 7

Kevin,

Verify your configuration with the following document:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

NAT-Traversal is for PIX OS 6.3+, which would resolve your problem, but that's only if you're initiating the VPN client from behind a NAT device!

Let me know how you get on and if this helps please rate post as it will help others.

Thanks -

Jay
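To make the "only if behind a NAT device" point concrete, here is an added example (written for this thread, not code from the poster or from Cisco) of the NAT-detection step that `isakmp nat-traversal` turns on. Per RFC 3947 section 3.2, each IKE peer sends NAT-D payloads containing HASH(CKY-I | CKY-R | IP | Port), first for the address it believes the other side has and then for its own address; the receiver recomputes the hashes over the source address and port it actually observes, and a mismatch means a NAT rewrote the packet on the way, so ESP has to be carried in UDP/4500 instead. The cookies, addresses, ports and the choice of MD5 (standing in for whatever hash phase 1 negotiated) are assumed values for illustration.

```python
"""NAT-T NAT detection as in RFC 3947 section 3.2 (added example, not PIX code).

Each IKE peer sends two NAT-D payloads: HASH(CKY-I | CKY-R | IP | Port) over
the address it believes the *other* side has, then over its *own* address.
The receiver recomputes both hashes from what it actually sees on the wire;
a mismatch means a NAT rewrote the address or port in transit, and both sides
then switch ESP to UDP/4500 encapsulation.  Cookies, addresses and the hash
(MD5, standing in for whatever phase 1 negotiated) are assumed values.
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "md5") -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port): 8-byte cookies, packed address, 16-bit port."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, peer_ip, peer_port, hash_name="md5"):
    """Sender side. First payload: the peer's address as the sender knows it.
    Second payload: the sender's own address as the sender knows it."""
    return [
        nat_d_hash(cky_i, cky_r, peer_ip, peer_port, hash_name),
        nat_d_hash(cky_i, cky_r, local_ip, local_port, hash_name),
    ]


def detect_nat(cky_i, cky_r, payloads, observed_src_ip, observed_src_port,
               my_ip, my_port, hash_name="md5"):
    """Receiver side. Compare the sender's claims with what arrived on the wire."""
    peer_hash, self_hash = payloads[0], payloads[1]
    # Sender's own-address hash vs. the source address/port we really received from:
    # a mismatch means the sender sits behind a NAT (address or port was rewritten).
    sender_natted = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port, hash_name) != self_hash
    # Sender's view of our address vs. our real address: a mismatch means we are behind a NAT.
    receiver_natted = nat_d_hash(cky_i, cky_r, my_ip, my_port, hash_name) != peer_hash
    return {
        "sender_behind_nat": sender_natted,
        "receiver_behind_nat": receiver_natted,
        "nat_t_required": sender_natted or receiver_natted,
    }


def simulate_client(client_local_ip, client_local_port, wire_src_ip, wire_src_port,
                    pix_ip="198.51.100.1"):
    """Model a VPN client whose packets reach the PIX from (wire_src_ip, wire_src_port).
    A client on a public address reaches the PIX unchanged; one behind a home router
    arrives with a rewritten source, which is what the NAT-D check catches."""
    cky_i = bytes.fromhex("0123456789abcdef")  # assumed initiator cookie
    cky_r = bytes.fromhex("fedcba9876543210")  # assumed responder cookie
    payloads = build_nat_d_payloads(cky_i, cky_r, client_local_ip, client_local_port, pix_ip, 500)
    return detect_nat(cky_i, cky_r, payloads, wire_src_ip, wire_src_port, pix_ip, 500)


if __name__ == "__main__":
    print("direct client:", simulate_client("203.0.113.7", 500, "203.0.113.7", 500))
    print("NATed client: ", simulate_client("192.168.0.10", 500, "203.0.113.7", 1025))
```

A client plugged straight into a cable modem with a public address, as in this thread, produces matching hashes and NAT-T never engages, which is why a 6.2 PIX without the command is not the obstacle for that topology. A client behind a home router fails the check even when only the port is rewritten.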

Hi Jay,

Thanks for your response. I have checked the configuration and it matches exactly what was posted in the document.

The VPN client is not being initialized behind a NAT device as it has a public IP address. The client is connected directly to the cable modem sitting out on the Internet. I can connect to the PIX using the Cisco VPN client software, however, I cannot ping any internal servers. When I ran the client VPN, it did assign me an IP of 192.168.2.1, but when I tried to ping a server on the 192.168.1.x subnet it failed. Secondly, when I tried to browse the network neighborhood on Win XP, that also failed.

Thanks,

~K

Hi,

Would you please post the configuration?

Does the server have a route to the 192.168.2.x network via the PIX?

Andy

kandryc
Level 1

Here is the PIX configuration:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname myhost
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol sip udp 5060
names
name 192.168.1.0 Andromeda
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq ssh
access-list inbound permit tcp any any eq https
access-list inbound permit tcp any any eq 5500
access-list inbound permit tcp any any eq ldaps
access-list 101 permit ip Andromeda 255.255.255.0 192.168.2.0 255.255.255.0
no pager
logging timestamp
logging trap informational
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 10
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.1-192.168.2.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 192.168.1.100 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.100 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5500 192.168.1.100 5500 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ldaps 192.168.1.100 ldaps netmask 255.255.255.255 0 0
access-group inbound in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http Andromeda 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup dns-server idle-time 1800
telnet Andromeda 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.1 255.255.255.255 inside
ssh Andromeda 255.255.255.0 inside
ssh timeout 60
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
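As an added check on a config like the one just posted (example code written for this thread, not anything from the poster or from Cisco), the following script parses the parts of a PIX 6.x configuration that decide whether a VPN client's pool address can talk to the inside network: the `ip local pool`, the `nat (inside) 0 access-list` exemption that keeps inside-to-client replies out of PAT, the vpngroup's address-pool and split-tunnel ACL, and `sysopt connection permit-ipsec`. It also flags two hygiene points visible in the config above, the default `public` SNMP community and the MD5/3DES proposals. The embedded config is a constructed, trimmed copy of the relevant lines, and the parser only understands the command forms shown there.

```python
"""Static check of a PIX 6.x config for remote-access VPN reachability (added example).

Parses the commands that decide whether a VPN client's pool address can talk to the
inside network, and flags two hygiene points.  Only the command forms present in the
config posted above are handled; SAMPLE_CONFIG is a constructed, trimmed copy of it.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
names
name 192.168.1.0 Andromeda
access-list inbound permit tcp any any eq www
access-list 101 permit ip Andromeda 255.255.255.0 192.168.2.0 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip local pool ippool 192.168.2.1-192.168.2.254
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
snmp-server community public
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 split-tunnel 101
"""


def parse_pix(text):
    """Collect names, 'permit ip' ACL entries, address pools, the nat 0 ACL and vpngroups."""
    cfg = {"names": {}, "acls": {}, "pools": {}, "nat0_acl": None, "vpngroups": {}, "lines": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cfg["lines"].append(line)
        t = line.split()
        if t[0] == "name" and len(t) == 3:                                  # name <ip> <alias>
            cfg["names"][t[2]] = t[1]
        elif t[0] == "access-list" and len(t) >= 8 and t[2:4] == ["permit", "ip"]:
            cfg["acls"].setdefault(t[1], []).append(tuple(t[4:8]))            # src mask dst mask
        elif t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            start, end = t[4].split("-")
            cfg["pools"][t[3]] = (start, end)
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            cfg["nat0_acl"] = t[4]
        elif t[0] == "vpngroup" and len(t) >= 4:
            cfg["vpngroups"].setdefault(t[1], {})[t[2]] = t[3]
    return cfg


def to_network(addr, mask, names):
    """Resolve a 'name' alias and build a network from address + dotted mask."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)


def pool_hosts(start, end):
    lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    return [ipaddress.ip_address(i) for i in range(lo, hi + 1)]


def audit(text):
    cfg = parse_pix(text)
    findings = []
    if "sysopt connection permit-ipsec" not in cfg["lines"]:
        findings.append("ERROR: sysopt connection permit-ipsec missing; decrypted client "
                        "traffic would be subject to the outside interface ACL")
    exempt_dsts = [to_network(d, dm, cfg["names"])
                   for (_s, _sm, d, dm) in cfg["acls"].get(cfg["nat0_acl"], [])]
    for grp, attrs in cfg["vpngroups"].items():
        pool_name = attrs.get("address-pool")
        if pool_name is None:          # not a client group (e.g. the stray 'vpngroup dns-server' line)
            continue
        pool = cfg["pools"].get(pool_name)
        if pool is None:
            findings.append(f"ERROR: vpngroup {grp} references unknown pool {pool_name}")
            continue
        # Every pool address must be a destination in the nat 0 ACL; otherwise
        # inside->client traffic is PATed through 'global (outside) 1' instead of
        # going back into the tunnel.
        missing = [h for h in pool_hosts(*pool) if not any(h in n for n in exempt_dsts)]
        if missing:
            findings.append(f"ERROR: {len(missing)} addresses of pool {pool_name} "
                            f"not exempted by nat 0 ACL {cfg['nat0_acl']} (first: {missing[0]})")
        split = attrs.get("split-tunnel")
        if split and split not in cfg["acls"]:
            findings.append(f"ERROR: split-tunnel ACL {split} of vpngroup {grp} does not exist")
    if any(l.startswith("snmp-server community public") for l in cfg["lines"]):
        findings.append("WARN: default SNMP community 'public' is configured")
    crypto_lines = [l for l in cfg["lines"]
                    if l.startswith(("isakmp policy", "crypto ipsec transform-set"))]
    if any(re.search(r"\b(md5|3des)\b", l) for l in crypto_lines):
        findings.append("WARN: MD5/3DES in IKE or IPsec proposals (legacy algorithms)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the lines from this thread the reachability checks pass (pool 192.168.2.1-254 is fully covered by ACL 101, which is both the nat 0 exemption and the split-tunnel list), so the script only reports the two warnings; that is consistent with the reply above asking whether the server has a route back to 192.168.2.x rather than pointing at the PIX NAT configuration.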

One way to identify the issue is to establish the VPN via a dial-up account. If it works fine then it's definitely the NAT-traversal, and that means you need to upgrade the PIX OS.

I have to do some work on a PIX in the lab today, so I've just tried this on my PIX. Although it's running 6.3(4), the VPN came up straight away. I used static IP addresses, a client directly connected to the outside and a router on the inside as my host.

When the VPN is established, on the PIX run `show crypto isakmp sa`; is it at QM_IDLE?

If so, look at `sh crypto ipsec sa`: can you see the current peer (the ISP-assigned IP address on the client) and the dynamically allocated peer (assigned from your IP pool)? Also, the inbound and outbound ESP SA entries will contain SPI details and other data.

Then check the packet counters: decaps are from the client, encaps are sent to the client. Try telnet from the client to your LAN-based host.

So if your client stats indicate the client is sending packets and the PIX shows them as decaps under `sh crypto ipsec sa`, they are probably getting to the host and it is unable to reply to or route back to the pool address.

If there are no packets under the decap counter, packets are crossing a NAT somewhere and so the IPsec process drops them.

Let us know how you get on.

Andy
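The decaps/encaps rule in the reply above can be applied mechanically. The following is an added example (not code from the thread, and the `show crypto ipsec sa` text is constructed to resemble the PIX 6.x layout rather than captured from the poster's unit): it pulls the current peer, the dynamically allocated pool address, the packet counters and the inbound/outbound ESP SPIs out of the output, then returns the same verdicts the reply describes: no decaps while the client is sending points at a NAT in the path, decaps without encaps points at the LAN host having no return path to the pool address. The addresses and SPI values are made up.

```python
"""Triage of PIX 6.x `show crypto ipsec sa` output along the decaps/encaps rule (added example).

SAMPLE_SA_OUTPUT is constructed to follow the PIX 6.x layout; it is not output captured
from the poster's PIX.  Addresses are documentation ranges, SPIs are invented.
"""
import re

SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: mymap, local addr. 198.51.100.1

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
   current_peer: 203.0.113.7:500
   dynamic allocated peer ip: 192.168.2.1
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 37, #pkts decrypt: 37, #pkts verify 37
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 198.51.100.1, remote crypto endpt.: 203.0.113.7
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 9a1f03e2

     inbound esp sas:
      spi: 0x4c7e2b19(1283402521)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }

     outbound esp sas:
      spi: 0x9a1f03e2(2585854946)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
"""


def parse_ipsec_sa(text):
    """Extract peer, pool address, counters and ESP SPIs from one client SA."""
    sa = {"peer": None, "assigned_ip": None, "encaps": 0, "decaps": 0,
          "send_errors": 0, "recv_errors": 0, "inbound_spi": [], "outbound_spi": []}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"current_peer:\s*(\S+)", s):
            sa["peer"] = m.group(1)
        elif m := re.match(r"dynamic allocated peer ip:\s*(\S+)", s):
            sa["assigned_ip"] = m.group(1)
        elif m := re.match(r"#pkts encaps:\s*(\d+)", s):      # sent to the client
            sa["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps:\s*(\d+)", s):      # received from the client
            sa["decaps"] = int(m.group(1))
        elif m := re.match(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)", s):
            sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif s.startswith("inbound esp sas"):
            section = "inbound_spi"
        elif s.startswith("outbound esp sas"):
            section = "outbound_spi"
        elif section and (m := re.match(r"spi:\s*(0x[0-9a-fA-F]+)", s)):
            sa[section].append(m.group(1))
    return sa


def triage(sa, client_sent_packets):
    """Decision rule from the reply above, given the client's own sent-packet count."""
    if sa["peer"] is None or not sa["inbound_spi"] or not sa["outbound_spi"]:
        return ("NO_SA: phase 2 never completed; check `show crypto isakmp sa` for QM_IDLE "
                "and that the isakmp policy and transform-set match the client")
    if sa["decaps"] == 0 and client_sent_packets > 0:
        return ("NAT_IN_PATH: client sends but the PIX decapsulates nothing; ESP is being "
                "dropped, most likely a NAT in between (needs NAT-T, PIX 6.3+)")
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        return (f"NO_RETURN_PATH: PIX decrypts client traffic but sends nothing back; check "
                f"that the LAN host routes {sa['assigned_ip']} via the PIX and that nat 0 "
                f"exempts the pool")
    if sa["decaps"] > 0 and sa["encaps"] > 0:
        return "TUNNEL_OK: traffic flows both ways; look at the host (firewall, service), not the VPN"
    return "IDLE: no traffic seen yet; generate traffic from the client and re-check the counters"


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_SA_OUTPUT)
    print(sa)
    print(triage(sa, client_sent_packets=37))
```

Feed it the real output and the client's statistics window; the SPIs are only checked for presence, but keeping them in the parse lets you confirm that the SA you are counting on is the one the client currently holds.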

Hi Andy,

Thanks for your help! I will let you know the results as soon as I can. I will be busy the next few days, but will update you ASAP!

Thanks,

~K

Just wondering how you go.