372 Views, 0 Helpful, 4 Replies

PIX 515 VPN Problem

kelly-mark
Level 1

Hi,

I am currently trying to install a PIX 515R to do PAT from a private 10 network to the outside world. I also have one server that is used for mail, and I have created a static NAT entry for this. This all seems to be working fine.

My problem arises when I try to set up a vpngroup so that I can connect to the private network remotely using VPN Client 3.5.1 on a Win2K machine. I can establish the tunnel to the PIX from my client; however, I cannot seem to ping anything on the inside 10 network. I am at a bit of a loss as to what I am doing wrong.

The config I have is as follows:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *******
passwd *******
hostname Si*****
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp 19*.*.1.0 255.255.255.0 host 62.*.*.* eq smtp
access-list 100 permit tcp 19*.*.4.0 255.255.255.0 host 62.*.*.* eq smtp
access-list 150 permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered errors
logging trap notifications
no logging history
logging facility 20
logging queue 512
logging host inside 10.0.0.1
ip local pool ippool 20.0.0.1-20.0.0.254
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 62.*.*.* 255.255.255.248
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
arp timeout 14400
global (outside) 1 62.*.*.* netmask 255.255.255.248
nat (inside) 0 access-list 150
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 62.*.*.* 10.0.0.1
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 62.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 10.0.0.1 255.255.255.255 inside
telnet timeout 5
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ****lremote address-pool ippool
vpngroup ****lremote dns-server 10.0.0.1
vpngroup ****lremote default-domain linro.com
vpngroup ****lremote idle-time 1800
vpngroup ****lremote password ********
ssh timeout 5
terminal width 80
: end
[OK]

This was the config that I put onto the PIX which was straight out of the box.

Is there anything that I have overlooked? Any help would be greatly appreciated.

Thanks,

Mark Kelly

4 Replies

Not applicable

Hi Mark,

What you are seeing is correct. The Internet Engineering Task Force (IETF) produced Request For Comments (RFC) 1597 back in 1996. This plan set aside several private network address spaces to help with the dwindling Class C address problem (all classes, for that matter). Under the plan, anyone in the world can use 172.16.0.0 255.255.0.0, 172.17.0.0 255.255.0.0, 10.0.0.0 255.0.0.0, 192.168.0.0 255.255.0.0, as much as they want internal to their network. However, they must run Network Address Translation (NAT) on the device facing the outside ISP. By translating the addresses, there won't be billions of duplicate IP addresses seen in the Internet. All internal addresses look like one external valid IP address once traffic passes from inside to outside. As part of the plan, all commercial ISPs, government agencies, research networks (like the National Science Foundation - the NSFnet) or otherwise bona fide Internet constituent network providers forcefully block routing of all source addresses mentioned above. They have to. The people at your company headquarters probably can ping out, if your company runs NAT or the right proxying service. But you'll never be able to ping these 10, 192.168, 172.16, 172.17 addresses unless you are internal to your network. The benefit is, now the whole world gets to use the address spaces freely INSIDE private companies, and only needs one or two real-world IP addresses for their external router.

Hi,

Yes, I am aware of the private addressing scheme; however, the private addresses should be sent down the VPN tunnel and not seen by the outside world, and certainly not routed, as the packets should be encapsulated, seeing the tunnel endpoints as the outside interface of the PIX, which is Internet addressable, and also the VPN Client, which is also Internet addressable. My problem, however, is that it doesn't work how I want it to and I don't know why!

Not applicable

Sorry about me overlooking tunneled source addresses. Sounds like you are behind the eight ball. My personal advice is to call the TAC and get them to solve it. Your client pays for some tech support just by buying the product. There is no shame whatsoever in asking the gurus at Cisco for help - once you know how, put it in your notebook! I do it! Mark - how is Telindus to work for?

mostiguy
Level 6

Did you do a clear xlate after your nat (0) commands? Your config looks highly similar to my home vpn setup, and I cannot see anything wrong:

your nat 1 and 0 statements make sense.

global makes sense.

your crypto and VPN config is identical to mine, but I use 3DES.

etc., etc.
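The last reply points at the nat 0 exemption as the thing to check; as an added example (not code from the thread or from Cisco), here is a Python check over the relevant lines of the posted config that verifies the VPN address pool is exempted from NAT by the access-list that nat 0 references, and flags the single-DES transform-set that the last reply contrasts with 3DES. The vpngroup name "remote" stands in for the masked name on the page; everything else is copied from the posted config.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.x config posted above (vpngroup name is a placeholder);
# this is example input, not the live device.
SAMPLE_CONFIG = """\
access-list 150 permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
ip local pool ippool 20.0.0.1-20.0.0.254
ip address inside 10.0.0.254 255.255.255.0
nat (inside) 0 access-list 150
crypto ipsec transform-set myset esp-des esp-md5-hmac
vpngroup remote address-pool ippool
"""

def _net(addr, mask):
    # PIX writes dotted netmasks; strict=False accepts an interface address as well.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_vpn_exemption(config):
    """Return a list of findings; empty means the pool is NAT-exempt and no DES is used.
    Pool addresses the nat 0 ACL does not cover get PAT'd to the global address on the
    way back, which looks exactly like 'tunnel up but nothing inside answers'."""
    findings = []
    pools = {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
             for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M)}
    m = re.search(r"^ip address inside (\S+) (\S+)", config, re.M)
    inside = _net(m[1], m[2]) if m else None
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not nat0:
        return ["no 'nat (inside) 0 access-list': client traffic will be PAT'd, not tunnelled"]
    acl = re.findall(rf"^access-list {nat0[1]} permit ip (\S+) (\S+) (\S+) (\S+)", config, re.M)
    for name in re.findall(r"^vpngroup \S+ address-pool (\S+)", config, re.M):
        if name not in pools:
            findings.append(f"vpngroup uses undefined pool {name}")
            continue
        first, last = pools[name]
        # The whole pool must sit in the ACL destination, and the inside subnet in its source.
        covered = any(first in _net(d, dm) and last in _net(d, dm)
                      and (inside is None or inside.overlaps(_net(s, sm)))
                      for s, sm, d, dm in acl)
        if not covered:
            findings.append(f"pool {name} ({first}-{last}) not exempted from NAT by access-list {nat0[1]}")
    for ts, algs in re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        if "esp-des" in algs.split():
            findings.append(f"transform-set {ts} uses single DES; use 3DES or stronger")
    return findings

if __name__ == "__main__":
    for finding in audit_vpn_exemption(SAMPLE_CONFIG):
        print(finding)
```

On the posted lines the exemption checks out and only the DES transform-set is reported; if the check also passes on the real box, the next thing to verify is that a clear xlate was done after the nat 0 command, as the reply above suggests.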