PIX not passing ports through VPN

tholmes (Level 1)

Site1 wants to access an XCOM server in Site2 from their XCOM server on port 8044.

The destination address they use is 172.23.192.222 which goes to the PIX and is translated to 10.0.0.49 – The XCOM server

The VPN comes up fine, phases 1 and 2. The thing is they can’t get on the XCOM at all.

When I CVPN in I CAN ping 10.0.0.49 AND telnet on port 8044 ok

I can also ping 172.23.192.222 address and 10.0.0.49 responds, so the translation is working but I can’t telnet 172.23.192.222 8044

I can’t write an ACL allowing port 8044 in because it’s coming through the tunnel, so all ports are already passed through.

If you could give the config the once over. Any ideas or help appreciated

Details have been omitted to protect the innocent

PIX Version 6.3(1)

access-list nonat permit ip LocalLAN 255.255.255.0 20.1.2.0 255.255.255.0
access-list nonat permit ip host ExtXCOM host IntXCOM
access-list SiteToSite permit ip host ExtXCOM host IntXCOM
ip address outside OutsideAddress 255.255.255.248
ip address inside InsideAddress 255.255.255.0
ip local pool tony 20.1.2.1-20.1.2.20
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ExtMail IntMail netmask 255.255.255.255 0 0
static (inside,outside) ExtXCOM IntXCOM netmask 255.255.255.255 0 0
access-group out_acl in interface outside
route outside 0.0.0.0 0.0.0.0 NextHopAddress 1
route outside 20.1.x.x.x.255.0 NextHopAddress 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address SiteToSite
crypto map mymap 20 set peer ExtXCOM
crypto map mymap 20 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address ExtXCOM netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool tony
vpngroup vpn3000 split-tunnel nonat
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ***
telnet LocalLAN 255.255.255.0 inside
telnet 20.1.2.0 255.255.255.0 inside
ssh timeout 5
management-access inside

4 Replies

mostiguy (Level 6)

Through a point-to-point tunnel, people will be attempting to connect to the non-NATed IP address, not the external IP address. Can they do this?

Hi, thanks for the reply. Yes they can; they direct traffic to an outside address that is statically mapped to the inside. I simulated the remote end on Friday and it worked.

Cheers Tony

bcarroll (Level 1)

Your nat (inside) 0 is tied to this access-list: access-list nonat permit ip host ExtXCOM host IntXCOM

When you connect site to site you want a nat (inside) 0 on both sides to define the private addresses on both sides. Basically one side is 10.0.0.49 and the other side is X.X.X.X.

Give that a try.

Thanks for the reply. On Friday I simulated the remote end; traffic coming into ExtXCOM was translated to IntXCOM and it worked fine. I think the problem is at the customer’s remote end.

Cheers Tony
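A small consistency checker, added here and not part of the thread, that parses the PIX 6.3 lines the replies discuss (access-list, nat (inside) 0, static, crypto map match address / set peer) and flags the two mismatches mostiguy and bcarroll point to: interesting traffic that the nat 0 ACL does not exempt, and a crypto ACL written against the mapped (static) address instead of the real inside host. The sample config is constructed from the placeholder names in the original post; the third check (source equals the configured peer) is an assumption beyond the thread, based on PIX crypto ACLs being written local-to-remote.

```python
# Constructed sample, modelled on the placeholder-named config in the original post.
SAMPLE_CONFIG = """\
access-list nonat permit ip LocalLAN 255.255.255.0 20.1.2.0 255.255.255.0
access-list nonat permit ip host ExtXCOM host IntXCOM
access-list SiteToSite permit ip host ExtXCOM host IntXCOM
nat (inside) 0 access-list nonat
static (inside,outside) ExtXCOM IntXCOM netmask 255.255.255.255 0 0
crypto map mymap 20 match address SiteToSite
crypto map mymap 20 set peer ExtXCOM
"""

def _addr(tokens):
    """Consume one PIX address spec ('host A' or 'A MASK'); return (spec, rest)."""
    if tokens[0] == "host":
        return (tokens[1], "255.255.255.255"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_pix(config):
    """Collect ACL entries, the nat 0 ACL name, statics and crypto map entries."""
    acls, statics, maps, nat0 = {}, {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = _addr(t[4:])
            dst, _ = _addr(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0 = t[4]
        elif t[:1] == ["static"]:
            statics[t[2]] = t[3]  # mapped (outside) address -> real (inside) address
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            maps.setdefault((t[2], t[3]), {})["acl"] = t[6]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            maps.setdefault((t[2], t[3]), {})["peer"] = t[6]
    return acls, statics, maps, nat0

def check_site_to_site(config):
    """Return warnings for each crypto map entry's interesting traffic."""
    acls, statics, maps, nat0 = parse_pix(config)
    warnings = []
    for (name, seq), entry in maps.items():
        for src, dst in acls.get(entry.get("acl"), []):
            tag = f"crypto map {name} {seq}: {src[0]}->{dst[0]}"
            if (src, dst) not in acls.get(nat0, []):  # traffic would be NATed before IPsec
                warnings.append(f"{tag} is not exempted from NAT by nat (inside) 0")
            for a in (src[0], dst[0]):  # mostiguy's point: match the real, un-NATed hosts
                if a in statics:
                    warnings.append(f"{tag} uses mapped address {a} (real address {statics[a]})")
            if src[0] == entry.get("peer"):  # assumption beyond the thread: ACL is local->remote
                warnings.append(f"{tag} source is the remote peer; crypto ACLs are written local->remote")
    return warnings
```

Running check_site_to_site(SAMPLE_CONFIG) reports that the SiteToSite ACL references the mapped address ExtXCOM (real address IntXCOM) and that its source is the configured peer.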