PIX 501 Firewall Settings

mrjoetate
Level 1

Greetings,

I am new to Cisco and VPN networks. The issue could be clear to some; however, it is evading me (non-CCNA) and the tech who set up the network (CCNA). I was hoping someone could point out the issue.

Problem:  Network/VPN worked perfectly until the ISP changed the modem to a gateway.  Currently everything inside the network is working perfectly; however, users cannot connect to the VPN.

Verification Steps Taken: Verified the new IP was entered into the PIX. Verified the new IP was entered into the VPN clients.

Setup:

[internet cloud]
        |
[SMC8014 Cable Gateway] - 70.62.13.50 - (firewall disabled; ISP verifies the device is functional and publishing the IP)
        |
[Cisco PIX 501] - 70.62.13.51 - (configuration below)
        |
[Eznet-8sw]

login as: *****
Sent username *****
*****@192.168.0.1's password:
Type help or '?' for a list of available commands.
Cochran-PIX>
Cochran-PIX> enable
Password: *****
Cochran-PIX# show configure
: Saved
: Written by enable_15 at 15:14:57.119 UTC Thu Dec 16 2010
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname Cochran-PIX
domain-name *****
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 70.62.13.51 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool cochranvpnpool 192.168.0.25-192.168.0.50
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 70.62.13.49 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.51 /cochran-pix051605
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set CochranVPNSET esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNCochranVPNMAP 10 set transform-set CochranVPNSET
crypto map CochranMAP 10 ipsec-isakmp dynamic DYNCochranVPNMAP
crypto map CochranMAP client configuration address initiate
crypto map CochranMAP client configuration address respond
crypto map CochranMAP interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup CochranCPA address-pool cochranvpnpool
vpngroup CochranCPA dns-server 192.168.0.150 209.18.47.61
vpngroup CochranCPA split-tunnel NONAT
vpngroup CochranCPA idle-time 1800
vpngroup CochranCPA password *****
vpngroup CochranMAP idle-time 1800
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 30
console timeout 0
dhcpd address 192.168.0.51-192.168.0.99 inside
dhcpd dns 192.168.0.150 209.18.47.61
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain rr.com
dhcpd enable inside
terminal width 80
banner login WARNING!
banner login This is a private computer facility to be accessed
banner login and used for company business only. Access to it
banner login any reason must be specifically authorized.
banner login Violators will be prosecuted to the fullest extent
banner login of local, state and federal laws.
Cryptochecksum:c62070b682ddee189e2fe66090f18284
Cochran-PIX#

Any suggestions would be appreciated and if you need any additional information just let me know.

Edit: I forgot to mention the error code 403 reported by the client. The users complain of 3 different error codes; however, when I used their system and attempted to connect I only had a 403 error.

Message was edited by: Joe Tate (added error)
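The replies that follow spot the problem by reading the listing by eye (the default route's gateway versus the gateway in the diagram). A small static review of the posted config catches that class of mismatch, plus a few other things a reviewer would flag on sight (the well-known SNMP community string, an ssh management mask wider than the inside subnet, a VPN pool colliding with the DHCP range). This is an added example written for this thread, not code from the original post and not a Cisco tool; it assumes PIX 6.3 statement syntax for the handful of commands it parses and uses the thread's own config lines as its constructed sample.

```python
"""Static review of a PIX 6.3 'show config' listing (added example, not Cisco tooling)."""
import ipaddress
import re

# Constructed sample: the relevant lines from the config posted above.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
ip address outside 70.62.13.51 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip local pool cochranvpnpool 192.168.0.25-192.168.0.50
route outside 0.0.0.0 0.0.0.0 70.62.13.49 1
snmp-server community public
vpngroup CochranCPA split-tunnel NONAT
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 30
dhcpd address 192.168.0.51-192.168.0.99 inside
"""

WELL_KNOWN_COMMUNITIES = {"public", "private"}


def parse_config(text):
    """Extract only the statements the audit needs; every other line is ignored."""
    cfg = {"interfaces": {}, "routes": [], "pools": {}, "dhcp": [],
           "ssh": [], "snmp": [], "acls": set(), "split": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip address (\S+) (\S+) (\S+)", line):
            cfg["interfaces"][m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.fullmatch(r"route (\S+) (\S+) (\S+) (\S+)(?: \d+)?", line):
            cfg["routes"].append((m[1],
                                  ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False),
                                  ipaddress.ip_address(m[4])))
        elif m := re.fullmatch(r"ip local pool (\S+) (\S+)-(\S+)", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.fullmatch(r"dhcpd address (\S+)-(\S+) (\S+)", line):
            cfg["dhcp"].append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]), m[3]))
        elif m := re.fullmatch(r"ssh (\S+) (\S+) (\S+)", line):
            cfg["ssh"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]))
        elif m := re.fullmatch(r"snmp-server community (\S+)", line):
            cfg["snmp"].append(m[1])
        elif m := re.fullmatch(r"access-list (\S+) .*", line):
            cfg["acls"].add(m[1])
        elif m := re.fullmatch(r"vpngroup (\S+) split-tunnel (\S+)", line):
            cfg["split"].append((m[1], m[2]))
    return cfg


def audit(text):
    """Return a list of (severity, message) findings for the listing."""
    cfg = parse_config(text)
    findings = []
    # Default routes: the gateway must sit in the egress interface's subnet and
    # must not be the PIX's own address on that interface.
    defaults = [r for r in cfg["routes"] if r[1].prefixlen == 0]
    for iface, _net, gw in defaults:
        local = cfg["interfaces"].get(iface)
        if local is None:
            findings.append(("error", f"default route via {iface} but {iface} has no ip address"))
        elif gw == local.ip:
            findings.append(("error", f"default gateway {gw} is the PIX's own {iface} address"))
        elif gw not in local.network:
            findings.append(("error", f"default gateway {gw} is outside the {iface} subnet {local.network}"))
    if len(defaults) > 1:
        findings.append(("error", "more than one default route configured"))
    # A VPN address pool handing out addresses the DHCP server also leases causes
    # duplicate-address trouble that is hard to see from either side.
    for name, (lo, hi) in cfg["pools"].items():
        for dlo, dhi, _iface in cfg["dhcp"]:
            if lo <= dhi and dlo <= hi:
                findings.append(("error", f"vpn pool {name} overlaps dhcpd range {dlo}-{dhi}"))
    # Management access wider than the subnet it is supposed to come from.
    for net, iface in cfg["ssh"]:
        local = cfg["interfaces"].get(iface)
        if local and net.prefixlen < local.network.prefixlen:
            findings.append(("warn", f"ssh from {net} on {iface} is broader than the {iface} subnet {local.network}"))
    for community in cfg["snmp"]:
        if community.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(("warn", f"snmp community '{community}' is a well-known default"))
    # A split-tunnel ACL that does not exist silently changes what the client tunnels.
    for group, acl in cfg["split"]:
        if acl not in cfg["acls"]:
            findings.append(("error", f"vpngroup {group} split-tunnel references missing access-list {acl}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

On the posted config the route check is quiet, because both 70.62.13.49 and 70.62.13.50 fall inside 70.62.13.48/29; it only tells you the gateway is plausible, not that it is the one the ISP actually answers on, which is what the rest of the thread has to establish by testing. The two warnings it does raise (the `public` community and the /16 ssh mask) are independent of the VPN problem but are the first things to tighten once the box is reachable again.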

6 Replies

guzman.barrio
Level 1

Hi Joe,

Can you post the outputs from the execution of the following commands in the PIX:

debug crypto isakmp
debug crypto ipsec
debug crypto vpnclient

Do the users fail to connect because the user is rejected, or because they can't establish the phase 1 connection?

A few questions more:

You put 70.62.13.50 in the diagram as the gateway, but you configure a default route to the outside using this other gateway, 70.62.13.49. Is this correct?

Can the users navigate to the Internet from the inside through the PIX after the change of gateway?

Regards,

Guzmán

Do the users fail to connect because the user is rejected, or because they can't establish the phase 1 connection?

Cannot establish connection.

A few questions more:

You put 70.62.13.50 in the diagram as the gateway, but you configure a default route to the outside using this other gateway, 70.62.13.49. Is this correct?

That's possibly the issue... 50 is the gateway, not 49, and I didn't even notice that setting as incorrect. I wasn't the technician who set up the device, but the original tech hasn't solved the issue in over four months, so they asked me to take a look. Thanks for pointing this out.

Can the users navigate to the Internet from the inside through the PIX after the change of gateway?

Yes they can. The Internet is working perfectly inside; everything is working perfectly inside.

As for posting the output of those commands, I will have to grab them later this afternoon and post them. I will post back in the next few hours. Do you know the command for changing this, or should I look up the command with the utility on this site?

Message was edited by: Joe Tate (typos)

Joe, the command to change the route in the PIX is:

FW>ena
FW#configure terminal
FW(config)#route outside 0.0.0.0 0.0.0.0 70.62.13.50
FW(config)#no route outside 0.0.0.0 0.0.0.0 70.62.13.49

To collect the information you need to log the session in your terminal emulation software.

Regards,

Guzmán

Cochran-PIX# configure terminal
Cochran-PIX(config)# route outside 0.0.0.0 0.0.0.0 70.62.13.50
cannot add route entry. possible conflict with existing routes
Usage:  [no] route []
Cochran-PIX(config)# no route outside 0.0.0.0 0.0.0.0 70.62.13.49
Cochran-PIX(config)# route outside 0.0.0.0 0.0.0.0 70.62.13.50

Doing this disabled the Internet from working inside the network. I went ahead and did this:

Cochran-PIX(config)# no route outside 0.0.0.0 0.0.0.0 70.62.13.50
Cochran-PIX(config)# route outside 0.0.0.0 0.0.0.0 70.62.13.49

and it started working again. The ISP may have provided me with wrong information on the outside IP (they have poor level 1 tech support), which would make my diagram incorrect.
On another note, the .49 is not the PIX, and I'm curious if I could use .51 instead... http://www.1d107.com/?Link=ip shows "Your IP is: 70.62.13.51"
More advice?

p.s. I attached a graphic of the error I receive when trying to connect. When I use an incorrect IP I receive a 412 error; however, using the correct IP it seems as if it attempts to contact the gateway and it just isn't responding.

Message was edited by: Joe Tate (attached screenshot of error)
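The session above shows two things worth keeping in mind when touching the only default route on a box you reach over the network it routes for: the PIX refused a second default route while the first still existed, and the change had to be reverted by hand once traffic stopped. The following is an added example written for this thread (not code from the post and not Cisco's), modelling that exchange as a change with a post-change connectivity probe and automatic rollback. The RouteTable class is an assumption modelled on the "possible conflict with existing routes" message: one static route per destination prefix per interface. The probe is a constructed lookup standing in for the real test (browsing from the inside, as Joe did); it is built to reproduce what the thread reports, traffic flowing with .49 and not with .50.

```python
"""Default-route swap with verification and rollback (added example, not from the post)."""
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


class RouteConflict(Exception):
    """Mirrors 'cannot add route entry. possible conflict with existing routes'."""


class RouteTable:
    """Assumed model of the PIX 6.3 static route table: one route per (interface, prefix)."""

    def __init__(self):
        self.routes = {}  # (interface, destination network) -> gateway address

    def add(self, iface, network, gateway):
        key = (iface, ipaddress.ip_network(str(network), strict=False))
        if key in self.routes:
            raise RouteConflict(f"{key[1]} via {iface} already routed to {self.routes[key]}")
        self.routes[key] = ipaddress.ip_address(gateway)

    def remove(self, iface, network, gateway):
        key = (iface, ipaddress.ip_network(str(network), strict=False))
        if self.routes.get(key) != ipaddress.ip_address(gateway):
            raise KeyError(f"no route {key[1]} via {iface} through {gateway}")
        del self.routes[key]

    def default_gateway(self, iface):
        return self.routes.get((iface, DEFAULT))


def swap_default_route(table, iface, old_gw, new_gw, probe):
    """Replace old_gw with new_gw as the default gateway on iface.

    probe(gateway) -> bool is the post-change connectivity test. If it fails the
    old route is restored, so the caller is never left without a working default.
    Returns the gateway left in the table so the caller can tell whether the
    change stuck.
    """
    table.remove(iface, DEFAULT, old_gw)   # the PIX will not hold two defaults
    table.add(iface, DEFAULT, new_gw)
    if probe(ipaddress.ip_address(new_gw)):
        return table.default_gateway(iface)
    table.remove(iface, DEFAULT, new_gw)   # roll back: what Joe did by hand
    table.add(iface, DEFAULT, old_gw)
    return table.default_gateway(iface)


# Constructed probe reproducing what the thread reports. A real check would be
# a ping or HTTP fetch from the inside after the change, not a lookup table.
WORKING_GATEWAYS = {ipaddress.ip_address("70.62.13.49")}


def thread_scenario():
    """Run the change from the thread and report which gateway survives."""
    table = RouteTable()
    table.add("outside", DEFAULT, "70.62.13.49")
    return swap_default_route(table, "outside", "70.62.13.49", "70.62.13.50",
                              lambda gw: gw in WORKING_GATEWAYS)


if __name__ == "__main__":
    print(f"default gateway after the change attempt: {thread_scenario()}")
```

The order matters for the same reason it mattered in the session: remove, add, test, and only then either keep or revert, with the reverse steps scripted rather than typed under pressure. On real hardware the probe should run from the inside network the route serves, and the change should be made from a console or a session that does not depend on the route being swapped.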

I've scrapped this device due to age. I picked up a new Cisco firewall and the system is working perfectly.

Good decision, Joe.

Regards,

Guzmán
