07-22-2002 01:59 AM - edited 02-21-2020 11:56 AM
We have a PIX 520 (ver 6.2.2) and using Cisco VPN Client 5.3.2. VPN connections using IPsec over UDP works fine. When using TCP, the PIX firewall rejects any connections (it returns a packet with RST flag set).
How can we fix this problem?
07-22-2002 02:37 AM
I think there might be some configuration in your PIX that makes it not work.
Are you using IP inspect in the PIX?
Would you please upload the PIX config (delete the password and true IP addresses) and we will have a look at it?
Best Regards,
07-22-2002 03:55 AM
Hi! Thanks for your answer.
Below you can read our PIX config. We have used PDM ver 2.0.2 to configure VPN. We used VPN wizard.
We are using interface named VPN for our tests.
Best regards
PIX config:
pixfirewall# show runn
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 vpn security15
enable password L4oiKMFqu295Ts2J encrypted
passwd L4oiKMFqu295Ts2J encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
access-list CSM-acl-inside permit icmp any any echo-reply
.
.
.
access-list CSM-acl-inside permit ip 10.11.0.0 255.255.0.0 10.80.0.0 255.255.0.0
access-list CSM-acl-outside permit icmp any any echo-reply
.
.
.
access-list CSM-acl-outside permit udp host 10.80.1.18 host xxx.xxx.xxx.xxx
access-list CSM-acl-dmz permit udp xxx.xxx.xxx.xxx 255.255.255.224 host xxx.xxx.xxx.xxx eq syslog
.
.
.
access-list CSM-acl-dmz permit tcp xxx.xxx.xxx.xxx 255.255.255.224 host xxx.xxx.xxx.xxx eq smtp
access-list inside_outbound_nat0_acl permit ip any 10.100.1.0 255.255.255.0
access-list vpn_cryptomap_dyn_20 permit ip any 10.100.1.0 255.255.255.0
access-list vpn_cryptomap_dyn_40 permit ip any 10.100.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered warnings
logging trap warnings
logging history warnings
logging host inside xxx.xxx.xxx.xxx
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
interface ethernet3 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu vpn 1500
ip address outside 10.70.1.2 255.255.255.0
ip address inside xxx.xxx.xxx.xxx 255.255.255.0
ip address dmz xxx.xxx.xxx.xxx 255.255.255.224
ip address vpn xxx.xxx.xxx.xxx 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
ip local pool IT-ip-pool 10.100.1.1-10.100.1.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address vpn 0.0.0.0
pdm location 10.10.111.7 255.255.255.255 inside
.
.
.
pdm location 10.101.1.0 255.255.255.0 vpn
pdm logging warnings 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.10.0.0 10.10.0.0 netmask 255.255.0.0 0 0
static (inside,outside) xxx.xxx.xxx.0 xxx.xxx.xxx.0 netmask 255.255.255.0 0 0
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.224 0 0
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,dmz) 10.10.111.7 10.10.111.7 netmask 255.255.255.255 0 0
static (inside,dmz) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) 10.11.0.0 10.11.0.0 netmask 255.255.0.0 0 0
static (inside,dmz) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
access-group CSM-acl-outside in interface outside
access-group CSM-acl-inside in interface inside
access-group CSM-acl-dmz in interface dmz
route vpn 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
.
.
.
route dmz xxx.xxx.xxx.0 255.255.255.224 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute uauth 0:04:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http xxx.xxx.xxx.0 255.255.255.0 inside
snmp-server host inside xxx.xxx.xxx.xxx
no snmp-server location
no snmp-server contact
snmp-server community ******
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map vpn_dyn_map 20 match address vpn_cryptomap_dyn_20
crypto dynamic-map vpn_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map vpn_dyn_map 40 match address vpn_cryptomap_dyn_40
crypto dynamic-map vpn_dyn_map 40 set transform-set ESP-DES-SHA
crypto map vpn_map 65535 ipsec-isakmp dynamic vpn_dyn_map
crypto map vpn_map interface vpn
isakmp enable vpn
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup IT address-pool IT-ip-pool
vpngroup IT dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
vpngroup IT default-domain karlstad.se
vpngroup IT idle-time 1800
vpngroup IT max-time 3600
vpngroup IT password ********
vpngroup IT-TEST address-pool IT-ip-pool
vpngroup IT-TEST idle-time 1800
vpngroup IT-TEST password ********
telnet xxx.xxx.xxx.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
terminal width 80
Cryptochecksum:2226d30fbf594b0121de963e5053542f
: end
pixfirewall#
07-22-2002 04:59 PM
I have checked your config:
"access-group CSM-acl-outside in interface outside"
IPSEC over TCP uses TCP port 10000 by default.
In CSM-acl-outside, where is the permit for TCP port 10000 to your PIX outside interface IP address (10.70.1.2)?
Without allowing TCP 10000 to your PIX outside interface, IPSEC over TCP will not work.
Best Regards,
07-23-2002 12:45 AM
We are using the interface named VPN for VPN termination (interface outside is not connected to the Internet), and we have already tried access-lists according to the following:
access-list CSM-acl-vpn permit tcp any host
access-group CSM-acl-vpn in interface vpn
It doesn't work.
Why do you not have to define access lists for VPN over UDP? This works fine.
If it would work with IPsec over TCP, how do you change TCP port number in the PIX firewall?
When we try to connect using Cisco VPN client 3.5.2 with the option IPsec over TCP, we get the following error message in the client Log Viewer, regardless of whether we have defined access-lists or not.
78 10:41:01.250 07/23/02 Sev=Warning/2 IPSEC/0x6370001E
Unexpected TCP control packet received from 194.103.29.35, src port 10000, dst port 4654, flags 14h
79 10:41:06.187 07/23/02 Sev=Warning/3 DIALER/0xE3300015
GI VPN start callback failed "CM_CTCP_FAIL" (1Dh).
Best regards
07-23-2002 05:55 AM
Without permitting UDP 10000, IPSEC over UDP will not work properly.
You can still get a connection, but after that, if you check the status of the VPN client, you might see that "IPSEC over UDP" or NAT transparency is inactive.
That means it is still using the normal IPSEC ports.
"sysopt connection permit-ipsec" opens UDP 500 and the ESP and AH protocols for you on the PIX, so you do not need an extra access-list for it.
IPSEC over TCP can pass through the PIX without a problem, for sure.
Please do further tests as below:
1. Directly connect your PC to the concentrator outside interface, bypassing the PIX, and see whether "IPSEC over TCP" works or not.
2. If the above works fine, add "permit ip host x.x.x.x host y.y.y.y" from your PC to the concentrator's translated IP address (wide open for all IP traffic between them).
3. Check whether anything else is blocking TCP 10000.
For any further issues, please open a TAC case and we will help you get it working.
Best Regards,
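The replies above boil down to two things a reviewer would check in the posted config: is TCP/10000 explicitly permitted to the address of the interface where ISAKMP is enabled, and is "sysopt connection permit-ipsec" present (the thread's explanation for why IPsec over UDP needs no ACL entry while IPsec over TCP does). The script below is an added example, not code from the thread or from Cisco; it parses the PIX 6.x "show run" lines that matter (nameif, ip address, access-list, access-group, isakmp enable, sysopt) and reports, per ISAKMP interface, whether the TCP/10000 permit is there. The embedded config is a constructed sample modelled on the thread's, with the documentation range 192.0.2.0/24 standing in for the masked vpn interface address; the client's "flags 14h" in the posted log is TCP RST+ACK (0x04 + 0x10), i.e. the refusal the first post describes.

```python
"""Audit a PIX 6.x config dump for what IPsec over TCP (tcp/10000) needs."""
import ipaddress
from collections import defaultdict

IPSEC_OVER_TCP_PORT = 10000  # Cisco VPN Client default for IPsec over TCP

# Constructed sample (not the thread's real config); 192.0.2.10 is a placeholder
# for the masked "xxx.xxx.xxx.xxx" address of the vpn interface.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet3 vpn security15
ip address outside 10.70.1.2 255.255.255.0
ip address vpn 192.0.2.10 255.255.255.224
access-list CSM-acl-outside permit icmp any any echo-reply
access-list CSM-acl-outside permit udp host 10.80.1.18 host 10.70.1.2
access-list CSM-acl-vpn permit tcp any host 192.0.2.10 eq 10000
access-group CSM-acl-outside in interface outside
access-group CSM-acl-vpn in interface vpn
sysopt connection permit-ipsec
isakmp enable vpn
"""


def parse_config(text):
    """Collect interface addresses, ACL entries, ACL bindings, ISAKMP interfaces."""
    cfg = {"ip": {}, "acl": defaultdict(list), "group": {},
           "isakmp": set(), "permit_ipsec": False}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"] and len(t) >= 4:
            cfg["ip"][t[2]] = t[3]                    # iface -> address
        elif t[0] == "access-list" and len(t) >= 3:
            cfg["acl"][t[1]].append(t[2:])            # name -> [[permit, proto, ...]]
        elif t[0] == "access-group" and len(t) >= 5 and t[3] == "interface":
            cfg["group"][t[4]] = t[1]                 # iface -> bound ACL name
        elif t[:2] == ["isakmp", "enable"] and len(t) >= 3:
            cfg["isakmp"].add(t[2])
        elif t[:3] == ["sysopt", "connection", "permit-ipsec"]:
            cfg["permit_ipsec"] = True
    return cfg


def _take_addr(tokens, i):
    """Consume one PIX address spec (any | host A | NET MASK); return (matcher, next i)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        target = ipaddress.ip_address(tokens[i + 1])
        return (lambda ip: ip == target), i + 2
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return (lambda ip: ip in net), i + 2


def _port_matches(tokens, i, port):
    """Service part after the destination: absent (all ports), 'eq N' or 'range A B'."""
    if i >= len(tokens):
        return True
    if tokens[i] == "eq" and tokens[i + 1].isdigit():
        return int(tokens[i + 1]) == port
    if tokens[i] == "range":
        return int(tokens[i + 1]) <= port <= int(tokens[i + 2])
    return False  # named services (smtp, syslog, ...) are never tcp/10000


def acl_permits(entries, proto, dst_ip, port):
    """First-match evaluation, as the PIX does: an earlier deny wins over a later permit.
    'ip' entries cover every protocol."""
    dst = ipaddress.ip_address(dst_ip)
    for e in entries:
        if len(e) < 4 or e[1] not in (proto, "ip"):
            continue
        try:
            _src_ok, i = _take_addr(e, 2)
            dst_ok, i = _take_addr(e, i)
            hit = dst_ok(dst) and _port_matches(e, i, port)
        except (IndexError, ValueError):
            continue                                   # malformed / unsupported syntax
        if hit:
            return e[0] == "permit"
    return False


def check_ipsec_over_tcp(text, port=IPSEC_OVER_TCP_PORT):
    """Per ISAKMP-enabled interface: 'ok' or the reason tcp/<port> to the PIX is not permitted."""
    cfg = parse_config(text)
    report = {}
    for iface in sorted(cfg["isakmp"]):
        ip = cfg["ip"].get(iface)
        acl_name = cfg["group"].get(iface)
        if ip is None:
            report[iface] = "no ip address configured"
        elif acl_name is None:
            report[iface] = f"no access-group bound; tcp/{port} to {ip} not permitted"
        elif acl_permits(cfg["acl"][acl_name], "tcp", ip, port):
            report[iface] = "ok"
        else:
            report[iface] = f"{acl_name} has no permit tcp ... host {ip} eq {port}"
    if not cfg["permit_ipsec"]:   # needed for UDP/500, ESP and AH per the reply above
        report["_sysopt"] = "sysopt connection permit-ipsec missing"
    return report


if __name__ == "__main__":
    for iface, status in check_ipsec_over_tcp(SAMPLE_CONFIG).items():
        print(f"{iface}: {status}")
```

Feed it the real "show run" text instead of SAMPLE_CONFIG to reproduce the reviewer's check: the posted config binds no access-group to the vpn interface at all, so the script would report that before even looking at an ACL, and the poster's own attempt is only a start if the permit names the interface address and "eq 10000".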