Solved: Re: Pix to Pix Easy VPN - Almost there.. Need help :( - Page 2

rmoore.2010 · ‎03-09-2010

I've spent countless hours now trying to implement a Pix to Pix VPN. I thought I would post this in hopes someone could help me.

I can get my Pix 501 to open a tunnel to the Pix 506e. These are both on separate ISPs.

I can ping from the Pix 501 console to the Pix 506e Inside Interface IP.

I can ping from the Pix 506e console to the Pix 501 Inside Interface IP.

I cannot ping hosts on either PIX beyond the Inside interface.

With logging console 7 activated, I receive the following error when pinging the host 172.16.54.5 from the console on the Pix 501.

305005: No translation group found for icmp src outside:100.1.1.10 dst inside:172.16.54.5 (type 8, code 0)

For privacy reasons, I have changed the IP addresses and passwords.

PIX506e Outside (ISP1): 200.1.1.10
ISP1 Gateway: 200.1.1.1

PIX501 Outside (ISP): 100.1.1.10
ISP2 Gateway: 100.1.1.1

Here are my configurations:

Pix 506e (Server)
----------------------------------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******** encrypted
hostname vpnserver
domain-name mydomain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any
access-list NONAT permit ip 172.16.54.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list NONAT permit ip 192.168.6.0 255.255.255.0 172.16.54.0 255.255.255.0
access-list 110 permit ip 172.16.54.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 110 permit ip 192.168.6.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 110 permit ip host 100.1.1.10 172.16.2.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 200.1.1.10 255.255.255.128
ip address inside 172.16.54.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.54.201-172.16.54.210
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 110 in interface inside
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
route inside 172.16.2.0 255.255.255.0 172.16.54.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool vpnpool
vpngroup mygroup dns-server 172.16.2.1
vpngroup mygroup default-domain mydomain.com
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn username myuser password *********
vpdn enable outside
username myuser password ******** encrypted privilege 2
terminal width 80
----------------------------------------------

Pix 501 (Client)
----------------------------------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******** encrypted
hostname vpnclient
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 17
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any
pager lines 24
logging on
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 100.1.1.10 255.255.255.0
ip address inside 192.168.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 100.1.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.6.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
management-access inside
console timeout 0
dhcpd address 192.168.6.20-192.168.6.200 inside
dhcpd dns 172.16.2.1 172.16.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
vpnclient server 200.1.1.10
vpnclient mode network-extension-mode
vpnclient vpngroup mygroup password ********
vpnclient username myuser password ********
vpnclient enable
terminal width 80
----------------------------------------------

Yudong Wu · ‎03-11-2010

You already use acl 110 on inside interface?

access-group 110 in interface inside

Can you use a new ACL? try this

access-list 120 permit ip 172.16.54.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 120 permit ip 172.16.2.0 255.255.255.0 192.168.1.0 255.255.255.0

192.168.1 is ip pool's ip address.

After tunnel is up, check 501 to see how NAT and ACL are added by EASY VPN?

rmoore.2010 · ‎03-11-2010

Ok I made the proposed changes...

Here is my ACL and VPN section on the 506e:

access-list NONAT permit ip 172.16.54.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list NONAT permit ip 172.16.2.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 110 permit ip 172.16.54.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 120 permit ip 172.16.54.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 172.16.2.0 255.255.255.0 192.168.1.0 255.255.255.0

vpngroup mygroup address-pool vpnpool

vpngroup mygroup dns-server 172.16.2.1
vpngroup mygroup default-domain mydomain.com
vpngroup mygroup split-tunnel 120
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********

I can't ping from 172.16.54.10 -> 192.168.6.5

I think traffic is passing through from 192.168.6.5 -> 172.16.2.x and 172.16.54.x because I can see it on the 506e console montior.

On the 501, here are my ACL and NAT outputs:

vpnclient# show access-list

access-list _vpnc_acl line 1 permit ip 192.168.6.0 255.255.255.0 172.16.54.0 255.255.255.0 (hitcnt=0)
access-list _vpnc_acl line 2 permit ip 192.168.6.0 255.255.255.0 172.16.2.0 255.255.255.0 (hitcnt=14)
access-list _vpnc_acl line 3 permit ip host 100.1.1.10 172.16.54.0 255.255.255.0 (hitcnt=3)
access-list _vpnc_acl line 4 permit ip host 100.1.1.10 172.16.2.0 255.255.255.0 (hitcnt=3)

vpnclient# show nat

nat (inside) 0 access-list _vpnc_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Shouldn't I still be able to pass traffic back to 192.168.6.x clients from my 172.16.54.x clients?

Yudong Wu · ‎03-11-2010

First, when doing ping, try ping from/to a host behind PIX.

If you ping from 192.168.6.x to 172.16.54.x, did it work?

If not, you need check the "show crypto ipsec sa" to see if encrypt/decrypt count is incrementing.

If you would like to initiate traffic from server side (ping from 172.16.54.x to 192.168.6.x), you might need "vpnclient mode network-extension-mode" on 501.

rmoore.2010 · ‎03-15-2010

Kevin-

I decided at this point to move back to specifying peers manually. I know we were very close. I could get the full tunnel working, just not the split. Thank you though for all your help.