10-30-2013 05:18 AM
One other thing - I had a problem with the key pairing, so I rebuilt the 1024-bit RSA key and the unit started working. Unfortunately I reloaded without the config in place and now I cannot get it to work again. Any help will be greatly appreciated, although I did review a dozen other posts of people having similar problems and for some reason there is never any conclusion as to the solution, and I am not sure why.
Some other info from the client end:
I just ran the stats on the client and packets are being encrypted BUT none are decrypted.
Also, tunnel received 0 and sent 115119.
Encryption is 168-bit 3-DES
Authentication is HMAC-SHA1
Also, even though allow LAN is selected in the Cisco VPN client, the client stats state the local LAN is disabled.
Also, transparent tunneling is selected, but the stats state it is inactive.
I am connecting with the Cisco VPN Client Ver 5.0.07.0440
This config works. It is on the internal net 192.168.40.x and all users obtain DHCP and surf the web. It has the required ports opened. The problem is that you can connect remotely via the VPN and you receive an IP address from the remote-vpn pool, but you cannot see any machines on the internal network. The PIX is at 40.2; you cannot ping the PIX from the remote PC connecting via the VPN, and you cannot ping the remote PC from the PIX console when the remote is connected and receives the first IP address in the VPN pool, 192.168.40.25.
I need to see the internal network and map network drives. I have another friend that is running the same config and it works, but his computer is on a Linksys wireless and has an IP of 192.168.1.x, and the IP he receives from the VPN pool is 192.168.1.25, so I do not know if the same network is allowing this config to work even if there is an error in the config. In my present case I obtain the IP 192.168.40.25 from the VPN pool and my connecting PC is on 192.168.1.x. I really am not sure how the VPN virtual adapter works. I am assuming it routes all traffic from your connecting PC to and from the virtual adapter, but I really do not know for sure.
Other people have had similar issues with accessing the internal network from the VPN. One solution was the split tunnel, another was the NATting, and another had to do with the encryption, where there was an issue with the encrypt and decrypt which was stopping the communication via the VPN.
I still cannot seem to find the issue with this config and any help will be greatly appreciated.
This is the config
********************************************************
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password somepassword
hostname hostname
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network internal_trusted_net
network-object 192.168.40.0 255.255.255.0
object-group icmp-type icmp_outside
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
icmp-object source-quench
access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list OutToIn permit ip any any
access-list outbound permit ip any any
(NOTE: I had many more entries in the access list but removed them. Even with the above two allowing everything it does not work)
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 192.168.40.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
I had this statement missing from the previous posted config but even with the nat (inside) 0 access-list no_nat_inside it still does not work.
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside_in in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.40.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community $XXXXXX$
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3des_strong esp-3des esp-sha-hmac
crypto dynamic-map clientmap 50 set transform-set 3des_strong
crypto map vpn 50 ipsec-isakmp dynamic clientmap
crypto map vpn client configuration address initiate
crypto map vpn client configuration address respond
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local vpn_client_pool outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remote-vpn split-tunnel split_tunnel
vpngroup remote-vpn idle-time 10800
vpngroup remote-vpn password ANOTHER PASSWORD
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.40.0 255.255.255.0 inside
ssh timeout 30
console timeout 60
dhcpd address 192.168.40.100-192.168.40.131 inside
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username AUSER password PASSWORD privilege 15
terminal width 80
****************** End of config
I have been searching docs and other people's postings trying to obtain the info to make this work. It appears pretty much boilerplate, but I believe my problem is in the NATting. I am using a range in the internal network for the VPN pool and I have tried switching this to other networks, but this has not helped. Unfortunately I have been unable to get the PDM to work; I believe this is a PC config thing and I did not want to waste the time on it. I read a post where a person using the PDM interface with the same problem (not being able to access the internal network) was able to go to a section in the VPN wizard and set the Address Exception Translation. They said they originally set the VPN subnet when they did not have to. Many of the other blogs I read also stated that if the NATting is not proper for the VPN pool, it will not work, but I am confused by the examples. They show, as I do, the complete range for an access-list called no_nat_inside, but I believe it should only have the VPN pool IP range and not the entire network, since the others do require NATting - not sure if my thought process is correct here. Any help will be greatly appreciated. Also, this morning I just tried a boilerplate example from Cisco and it also did not do what I need it to do. And I also connected a PC to obtain an IP to see if I can see it - no good. The PC can ping the PIX and vice versa, but no one can ping the remote PC that connects via the Cisco remote VPN client even though it receives an address from the VPN pool. Also, include LAN is checked off on the client. This was mentioned in another post.
Thank you once again.
10-30-2013 05:23 AM
Hi,
Have you applied the NAT0 ACL at any point? In the above configuration it is not applied to the ASA, so it's not used.
You have this ACL
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
To use it as a NAT0 ACL you would have to add
nat (inside) 0 access-list no_nat_inside
Naturally I would suggest changing the VPN Pool to something else than the internal network and changing the above NAT0 ACL to reflect that change
- Jouni
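The checks in this reply (is a NAT0 ACL actually applied, does it exist, does the pool sit inside the LAN) are easy to get wrong by eye on a long PIX config, so here is an added example, not part of the thread, that runs them against the VPN-relevant lines of the config posted above. It also checks that the NAT0 ACL actually covers LAN-to-pool traffic and that every `access-group` and split-tunnel reference points at an ACL that is defined (the posted config binds `acl_outside_in` but defines `OutToIn`, which the checker flags as posted). The sample config is constructed from the post, with the `nat (inside) 0` line the poster says was present; the parser only understands the PIX 6.x line forms that appear in the post and assumes the LAN interface is named `inside`.

```python
"""Lint a PIX 6.x remote-access VPN config for the issues raised in this thread."""
import ipaddress

# Constructed sample: the VPN-relevant lines of the config posted above, with the
# "nat (inside) 0" line the poster says was present. Redacted xxx addresses are
# kept as posted so the parser has to cope with them.
POSTED_CONFIG = """\
ip address inside 192.168.40.2 255.255.255.0
access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list OutToIn permit ip any any
access-list outbound permit ip any any
ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside_in in interface outside
access-group outbound in interface inside
vpngroup remote-vpn split-tunnel split_tunnel
"""


def _addr(tok, i):
    """Parse one ACL address spec (any | host A | A MASK) at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_pix(text):
    """Pull out what a remote-access VPN depends on: ACLs, NAT0, pools, access-groups, split tunnel."""
    cfg = {"acls": {}, "unparsed": [], "nat0": {}, "access_group": {},
           "pools": {}, "inside": None, "split": {}}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) >= 4 and tok[0] == "access-list":
            name, action, proto = tok[1], tok[2].lower(), tok[3].lower()
            cfg["acls"].setdefault(name, [])
            try:
                src, i = _addr(tok, 4)
                dst, _ = _addr(tok, i)
            except (ValueError, IndexError):
                cfg["unparsed"].append(raw)  # e.g. the redacted xxx.xxx.xxx.0 entry
                continue
            cfg["acls"][name].append((action, proto, src, dst))
        elif tok[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif len(tok) >= 5 and tok[0] == "nat" and tok[2] == "0" and tok[3] == "access-list":
            cfg["nat0"][tok[1].strip("()")] = tok[4]
        elif len(tok) >= 5 and tok[0] == "access-group":
            cfg["access_group"][tok[4]] = tok[1]
        elif len(tok) >= 4 and tok[0] == "vpngroup" and tok[2] == "split-tunnel":
            cfg["split"][tok[1]] = tok[3]
    return cfg


def lint_vpn(cfg):
    """Return (code, message) findings; an empty list means every check passed."""
    out = []
    for iface, acl in cfg["access_group"].items():
        if acl not in cfg["acls"]:
            out.append(("ACL_UNDEFINED", f"access-group on {iface} binds '{acl}' but no access-list by that name exists"))
    for group, acl in cfg["split"].items():
        if acl not in cfg["acls"]:
            out.append(("SPLIT_UNDEFINED", f"vpngroup {group} split-tunnel ACL '{acl}' is not defined"))
    inside = cfg["inside"].network if cfg["inside"] else None
    nat0 = cfg["nat0"].get("inside")
    if nat0 is None:
        out.append(("NAT0_MISSING", "no 'nat (inside) 0 access-list ...' line; LAN-to-pool replies will be NATed"))
    elif nat0 not in cfg["acls"]:
        out.append(("NAT0_UNDEFINED", f"nat (inside) 0 references '{nat0}', which is not defined"))
    for name, (lo, hi) in cfg["pools"].items():
        if inside and (lo in inside or hi in inside):
            out.append(("POOL_OVERLAP", f"pool {name} {lo}-{hi} lies inside the LAN {inside}; use a separate subnet"))
        if inside and nat0 in cfg["acls"]:
            covered = any(act == "permit" and proto == "ip" and src.overlaps(inside)
                          and lo in dst and hi in dst
                          for act, proto, src, dst in cfg["acls"][nat0])
            if not covered:
                out.append(("NAT0_NOT_COVERING", f"NAT0 ACL '{nat0}' has no 'permit ip' entry from {inside} to pool {name}"))
    return out


if __name__ == "__main__":
    for code, msg in lint_vpn(parse_pix(POSTED_CONFIG)):
        print(f"{code:18} {msg}")
```

Run against the posted config it reports `POOL_OVERLAP` (the advice in this reply) and `ACL_UNDEFINED` for the outside interface; after moving the pool to a separate subnet and changing the NAT0 ACL to match, only the undefined-ACL finding remains.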
10-30-2013 06:36 AM
Sorry I was experimenting with this and posted the config with the line you suggested missing.
Even with the nat (inside) 0 access-list no_nat_inside it still does not work.
Can I please trouble you to review this and let me know any thoughts you have concerning it.
I have been experimenting on and off for days and just cant get it.
Thank you.
10-31-2013 02:39 AM
Hi,
Did you change the VPN Pool used? This would mean changing the NAT0 ACL and Split Tunnel ACL too.
If you do those changes and they don't work after that, could you then provide us with screenshots from the VPN Client computer from the Statistics section of the VPN Client software? Check for a tab that lists routes and also show us the tab with the data counters so we can see how the situation looks on the client side.
To be honest it's been a long time since I have configured a PIX with the old 6.x series software, so I am not sure if there is any VPN related configuration missing.
But I would start changing the VPN Pool to something else than the LAN network and testing connectivity through the VPN to the LAN with different services like ICMP. You could even install VNC server on some host and try to connect to it from the client computer.
- Jouni
10-31-2013 03:19 AM
I did try a different internal network and changed the no_nat and split_tunnel, but it still did not work. Just to clean it up I will try it again today. Unfortunately I had it running yesterday, but I thought for sure it had to do with the RSA private key pairing. When I rebuilt the RSA it worked. After a reset I was back to the same problem. I also noticed on these devices that when you do not have a good private key in place the commands act very erratically. I also read on some posts that some people would enter CLI statements that make no sense at all but the unit starts operating properly afterwards. I have a few of these units I have been testing, and a 6.3(4) version was giving a few errors (route, access-list and subnet mask, etc. errors) when I pasted a known working config minus my VPN problem. After I rebuilt the RSA everything went back to normal, so I am wondering if these units and their OS are a little unstable and if the commands must be entered and saved in a certain order (aside from the access-lists) for the unit to operate properly. I will try a new config and post it later. I did find many posts concerning similar problems, but no one listed a working config after they reported they solved the problem. Some people discuss crypto, isakmp nat-traversal and default routes as the problem, and since I was able to get it to work with an RSA rebuild I am wondering if it is a decryption issue. Thank you for responding.
10-31-2013 03:57 AM
Hi,
If I have understood your problem correctly, then you are able to connect with the VPN but you are not able to form connections to the LAN through that VPN connection. That is why I asked to see some screenshots, so we could confirm if the Client is truly forwarding any traffic to the VPN to begin with and if its routing table is OK according to the VPN Client software.
If possible you can also check the output of this command on the PIX when the VPN Client connection is on and being tested
show crypto ipsec sa
It should show you if packets are flowing to both directions.
- Jouni
10-31-2013 04:38 AM
Hi,
I just finished changing the config and I changed the following:
access-list OutToIn permit icmp any any
access-list OutToIn permit IP any any
access-list outbound permit icmp any any
access-list outbound permit IP any any
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool vpn_client_pool 10.10.10.1-10.10.10.10
Before I did this, with the pool the same as the network, there was always traffic being encrypted via the client but no decrypts coming back. Now I only see an encrypt from the client machine when I try to ping another machine on the network or the PIX itself. So there are encrypts but no decrypts, which is the same problem I had before - also the transparent tunneling is inactive, and when I had this running before it was active with UDP and some value.
I am going crazy with this config. Yesterday I had it running and I could ping computers on the network and the encrypts and decrypts counters were both increasing. I wish I would have stopped at that point but I was certain it had to do with rebuilding the RSA and I wanted to be able to confirm this. Thank you for responding.
10-31-2013 05:02 AM
Hi,
You should probably keep the Transparent Tunneling enabled in the connection profile configured on the actual VPN Client software to avoid possible problems.
If you are seeing traffic flow to the VPN but not getting anything back, then the problem is usually NAT on the central device. In this case it doesn't seem to apply though. It could naturally be that the actual hosts just aren't replying to the ICMP, but even in this case you have pointed out that they have replied before.
One common problem related to ICMP is missing the ICMP Inspection, or the Fixup ICMP in the case of your older software. I am not sure it's a problem in the case of VPN, but you could always try
fixup protocol icmp
fixup protocol icmp error
- Jouni
10-31-2013 05:53 AM
Hi,
I put in the fixup protocol icmp error (the other command did not work) and now transparent tunneling is active on UDP port 4500, which it was not before. But still no decrypts. I also tried isakmp nat-traversal and crypto for the same. I am worried that these devices are a little screwy. I have the same config on another PIX without DHCP and it works fine, and yet when you copy the config to another it does not. Do you know if the PIX501 is a reliable device?
OK just double checked everything and on the client side - packets sent none received.
Packets are encrypted none decrypted.
When I try to ping the PIX or a PC on the network the packets sent and encrypted counter increases
When I try to ping from the PIX to the VPN_client that is attached, no packets received on the client and timeout on the PIX.
Another person said the problem was the default route. My external network has a route to the gateway: 0.0.0.0 0.0.0.0 gateway.
Is it possible the external VPN IP pool is responding to this gateway and not the PC connected via the VPN?
This would explain why packets are sent and encrypted by the client and yet nothing is received back.
Any thoughts? Once again thank you for your time.
I just ran the command you requested
show crypto ipsec sa
Results:
Crypto map tag: vpn, local addr. My external/public IP address on the PIX external interface
nothing else.
10-31-2013 06:35 AM
Hi,
PIX501 is a very, very old Cisco firewall that has not been sold for a long time to my understanding. It also doesn't support anything close to new software levels.
If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.
I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.
Here is a PDF of the original ASA5500 Series.
Here is a PDF of the new ASA5500-X Series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
I am afraid that it's very hard for me at least to troubleshoot this, especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.
Could you provide the requested outputs?
From the PIX after connection test
show crypto ipsec sa
Screen captures of the VPN Client routing and statistics sections.
- Jouni
10-31-2013 06:43 AM
I just ran the command you requested (I ran this before and updated my last post).
show crypto ipsec sa
Results:
Crypto map tag: vpn, local addr. My external/public IP address on the PIX external interface
This is the only output, nothing else.
CLIENT STATS:
Bytes                      Crypto
  Received    0              Encryption       168-bit 3-DES
  Sent        15268          Authentication   HMAC-SHA1
Packets                    Transport
  Encrypted   155            Transparent Tunneling   Active on UDP port 4500
  Decrypted   0              Local LAN               Disabled
  Discarded   4              Compression             No
  Bypassed    1769
10-31-2013 06:54 AM
Hi,
You should see more than that in the output.
You should see something like this
local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
And a lot more like counters of encapsulated/decapsulated and encrypted/decrypted packets.
If you don't see that, I doubt it can work. But it seems weird to me that the VPN would even be connected if you didn't see anything in the output of that command.
- Jouni
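To make the reading of `show crypto ipsec sa` in this reply concrete, here is an added example, not part of the thread, that parses that output in the PIX 6.x / IOS layout (the `local ident` / `remote ident` pair followed by the `#pkts encaps` / `#pkts decaps` counters) and classifies each SA. It handles the two situations seen in this thread: the output the poster reported, where only the `Crypto map tag` header is present and no SA exists at all, and the one-way case where the client counts encrypts but no decrypts, which from the PIX side shows up as decaps without encaps. Both sample outputs are constructed, with documentation addresses (203.0.113.2 for the PIX outside address, 198.51.100.7 for the client's public address, 10.10.10.1 for the pool address) standing in for the redacted ones.

```python
"""Read PIX 6.x 'show crypto ipsec sa' output and say which way traffic is flowing."""
import re

# Constructed samples in the PIX 6.x / IOS output layout, using documentation
# addresses (203.0.113.2 = PIX outside, 198.51.100.7 = VPN client public IP,
# 10.10.10.1 = address the PIX handed the client from the pool).
SA_OUTPUT_EMPTY = """\
interface: outside
    Crypto map tag: vpn, local addr. 203.0.113.2
"""

SA_OUTPUT_ONE_WAY = """\
interface: outside
    Crypto map tag: vpn, local addr. 203.0.113.2

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
   current_peer: 198.51.100.7:4500
   dynamic allocated peer ip: 10.10.10.1
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 155, #pkts decrypt: 155, #pkts verify 155
    #send errors 0, #recv errors 0
"""

# One SA pair = its local/remote proxy identities plus everything up to the next pair.
SA_RE = re.compile(
    r"local\s+ident \(addr/mask/prot/port\): \((?P<local>[^)]*)\)\s*"
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[^)]*)\)"
    r"(?P<body>.*?)(?=local\s+ident|\Z)",
    re.S,
)


def _num(pattern, body):
    """First integer captured by pattern in body, or 0 if the counter line is absent."""
    m = re.search(pattern, body)
    return int(m.group(1)) if m else 0


def parse_ipsec_sa(text):
    """Return one dict per IPsec SA pair with its proxy identities, peer and counters."""
    sas = []
    for m in SA_RE.finditer(text):
        body = m.group("body")
        peer = re.search(r"current_peer: (\S+)", body)
        sas.append({
            "local": m.group("local"),
            "remote": m.group("remote"),
            "peer": peer.group(1) if peer else None,
            "encaps": _num(r"#pkts encaps: (\d+)", body),  # packets the PIX sent into the tunnel
            "decaps": _num(r"#pkts decaps: (\d+)", body),  # packets the PIX took out of the tunnel
            "send_errors": _num(r"#send errors (\d+)", body),
            "recv_errors": _num(r"#recv errors (\d+)", body),
        })
    return sas


def diagnose(text):
    """Classify each SA as NO_SA, IDLE, NO_RETURN, NO_RECEIVE or BIDIRECTIONAL."""
    sas = parse_ipsec_sa(text)
    if not sas:
        # Only the "Crypto map tag" header: phase 2 never completed, so nothing can
        # be encrypted in either direction. Phase 1 / pool / vpngroup come first.
        return [("-", "NO_SA")]
    verdicts = []
    for sa in sas:
        if sa["encaps"] == 0 and sa["decaps"] == 0:
            code = "IDLE"
        elif sa["decaps"] > 0 and sa["encaps"] == 0:
            # The PIX decrypts the client's packets but never sends any back: the
            # replies are being NATed or routed elsewhere, or the host is silent.
            code = "NO_RETURN"
        elif sa["encaps"] > 0 and sa["decaps"] == 0:
            code = "NO_RECEIVE"
        else:
            code = "BIDIRECTIONAL"
        verdicts.append((sa["remote"], code))
    return verdicts


if __name__ == "__main__":
    print(diagnose(SA_OUTPUT_EMPTY))
    print(diagnose(SA_OUTPUT_ONE_WAY))
```

Paste the real output into `diagnose()`; a `NO_SA` verdict means the problem is before IPsec (the tunnel was never negotiated for that client), while `NO_RETURN` points at the NAT0 / routing side on the PIX, which is what the client-side "encrypted but not decrypted" counters correspond to.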
10-31-2013 07:20 AM
Hi,
I really want to thank you for taking your time to help.
I am not certain of the crypto commands, but I did look at some of the results and there does not appear to be anything going on. Based on the config, can you see what may be missing? The device works internally with no problem and you can connect externally, but that is as far as you can go. Is there a different encryption method I can try to test with that you can recommend? Can I send the unit to you? I am using it with one PC connected to the switch port, which obtains an IP from DHCP on the unit, and I connect to the WAN port from my PC, where I set the IP address to another public IP on the same subnet as the external address of the PIX. Then I also run a HyperTerminal session on the serial port to make config changes and run some diags. I think I have tried this every way possible. Any thoughts on the encryption? And once again thank you for your time.
10-31-2013 07:30 AM
Hi,
I vaguely remember having problems while labbing some VPN Client setup when I was connected directly to the firewall's external network. When I added a router in between the firewall and the client, the connection worked just fine.
Is this PIX actually connected to the public network? If not then I would suggest trying to add some router/l3switch in between and connect the VPN Client PC to its own subnet and then try the connections again. If you have the PIX connected to public network then I would test the VPN from behind another Internet connection rather than from the directly connected public network.
I don't know if you sending the unit to me would really help the situation. I don't work for Cisco, and Cisco doesn't even offer any support for the PIX firewalls anymore (to my understanding at least) since they are very old models.
If the PIX is connected to a public network, then I could always try to check the configuration remotely and test the VPN Client connection at the same time.
But as I said, if you are just testing this setup as a lab, then I would suggest adding a router between the Client and PIX and testing again.
- Jouni
10-31-2013 07:51 AM
OK, I got it to work, and thanks to you! The fixup protocol icmp error seems to have solved the problem; however, I still
need the following:
access-list outbound permit IP any any
and this is tied to the internal interface.
I am going to try to make it specific for the external network. Any thoughts? I read that if you set up an access list outbound on the internal interface, then the same is set for the external coming in - is this true? If so, I am not worried about what people access from the inside going out, just what people can access from the Internet coming in to hack the system.