01-26-2007 06:18 AM
Hello,
I am facing a very strange (for me) problem.
I configured remote access to our LAN.
With this topology:
client - internet - router - router - LAN
remote access working properly. Between routers there was no NAT configured.
When I change the topology:
client - internet - router - PIX - router - LAN
the problem arises. There is also no NAT between router - PIX - router .... I configured NAT exemption on the PIX.
But I am not able to connect to the VPN.
I opened all traffic through the PIX but the connection progress stops after phase 1 is successfully established.
I don't know what to do. Please could you help me with this?
Thank you very much!
01-29-2007 12:54 AM
What you want is certainly possible. There must be a mistake in your PIX configuration.
Regards,
Leo
01-29-2007 01:05 AM
Hi,
please could you take a look at my configuration. I spent a lot of time and maybe I am blind :(
interface Ethernet0
speed 10
duplex full
nameif outside
security-level 0
ip address 215.118.108.220 255.255.255.240
!
interface Ethernet2.90
vlan 90
nameif dmz-hp
security-level 12
ip address 215.118.108.137 255.255.255.252
!
access-list acl_outside extended permit udp any host 215.118.108.138 eq isakmp
access-list acl_outside extended permit esp any host 215.118.108.138
access-list acl_outside extended permit ah any host 215.118.108.138
access-list acl_outside extended permit ip any host 215.118.108.138
access-list acl_outside extended deny ip any any
!
access-list acl_hp extended permit esp any any
access-list acl_hp extended permit udp any any eq isakmp
access-list acl_hp extended permit icmp any any
access-list acl_hp extended permit ip any any
!
access-list acl_bypass_hp extended permit ip any any
!
nat (dmz-hp) 0 access-list acl_bypass_hp
!
access-group acl_outside in interface outside
!
access-group acl_hp in interface dmz-hp
!
isakmp enable outside
isakmp enable dmz-hp
!
Please i really need help with this.
Thank you in advance.
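A quick way to confirm what the outside ACL actually lets through to the terminating router is to evaluate it first-match, the way the firewall does, for each flow an IPsec remote-access client needs (IKE on udp/500, NAT-T on udp/4500, ESP and AH). The script below is an added example and is not from the thread or from Cisco; it handles only the `any` / `host` address forms and the `eq` port form seen in the posted lines, and the sample ACL is a constructed subset of the posted `acl_outside` (the broad `permit ip` line is left out on purpose so one flow shows up as denied).

```python
"""Evaluate a PIX/ASA-style extended ACL for the flows an IPsec peer needs.

Added example, not part of the original thread. Supports the subset of
access-list syntax used in the posted configuration: permit/deny, a protocol
name, `any` or `host A.B.C.D` for source and destination, optional `eq <port>`.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the posted acl_outside lines minus "permit ip any host ...",
# so that the NAT-T check below demonstrates a denied flow.
SAMPLE_ACL = """
access-list acl_outside extended permit udp any host 215.118.108.138 eq isakmp
access-list acl_outside extended permit esp any host 215.118.108.138
access-list acl_outside extended permit ah any host 215.118.108.138
access-list acl_outside extended deny ip any any
"""

# Named ports accepted after "eq"; anything else must be numeric.
NAMED_PORTS = {"isakmp": 500}

ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+"
    r"(any|host\s+\S+)\s+(any|host\s+\S+)(?:\s+eq\s+(\S+))?\s*$"
)


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # ip, udp, tcp, esp, ah, icmp, ...
    src: str               # "any" or "host A.B.C.D"
    dst: str
    dport: Optional[int]   # destination port when "eq" is present


def parse_acl(text: str, name: str) -> List[Ace]:
    """Return the entries of ACL `name` in the order they appear."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line}")
        acl, action, proto, src, dst, port = m.groups()
        if acl != name:
            continue
        dport = None
        if port is not None:
            dport = NAMED_PORTS[port] if port in NAMED_PORTS else int(port)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def _addr_matches(spec: str, ip: str) -> bool:
    parts = spec.split()
    return parts[0] == "any" or (parts[0] == "host" and parts[1] == ip)


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> str:
    """First matching entry decides; an ACL ends with an implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _addr_matches(ace.src, src_ip) or not _addr_matches(ace.dst, dst_ip):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Flows a remote-access IPsec client sends to the terminating peer.
REQUIRED_FLOWS = [
    ("IKE", "udp", 500),
    ("NAT-T", "udp", 4500),
    ("ESP", "esp", None),
    ("AH", "ah", None),
]


def check_peer_flows(acl_text: str, name: str, client_ip: str,
                     peer_ip: str) -> Dict[str, str]:
    """Map each required flow label to the verdict the ACL gives it."""
    aces = parse_acl(acl_text, name)
    return {label: evaluate(aces, proto, client_ip, peer_ip, port)
            for label, proto, port in REQUIRED_FLOWS}


if __name__ == "__main__":
    # 198.51.100.7 is a constructed (documentation-range) client address.
    for label, verdict in check_peer_flows(
            SAMPLE_ACL, "acl_outside", "198.51.100.7", "215.118.108.138").items():
        print(f"{label:6} {verdict}")
```

Run against the full posted `acl_outside`, including its `permit ip any host 215.118.108.138` line, every flow comes back `permit`; the useful case is the trimmed list, where NAT-T is the one the implicit deny catches. That is exactly the kind of gap that shows up as a tunnel stalling after phase 1 when a client sits behind NAT.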
01-29-2007 02:33 AM
It looks as if you are still trying to terminate the VPN on the router. A more preferable option would be to terminate on the PIX instead. Please check the URL below for a configuration example:
Regards,
Leo
01-29-2007 03:59 AM
Yes you are right!
I try to terminate remote access from VPN clients on the router. But I need to "insert" the PIX between the router and the clients. I can't terminate the VPN on that PIX.
I think that the VPN is configured properly on the router, because it was OK ... until I inserted that PIX between the routers.
This is configuration of terminating router:
!
username ikvc_remote password 0 raIKVC
no aaa new-model
!
crypto isakmp policy 21
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 0 3812.xA2i address 221.12.52.130
crypto isakmp client configuration address-pool local ippool
crypto isakmp client configuration group clientIKVC
key 0 ikvcRA
pool ippool
acl 199
crypto isakmp profile ikvc
match identity group clientIKVC
client authentication list clientIKVC
isakmp authorization list clientIKVC
client configuration address respond
!
crypto ipsec transform-set alfa esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set alfa
set isakmp-profile ikvc
!
crypto map ikvc 20 ipsec-isakmp
set peer 221.12.52.130
set transform-set alfa
match address 103
crypto map ikvc 30 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$
ip address 192.168.12.1 255.255.255.0
ip nat inside
!
interface Ethernet1
description $FW_OUTSIDE$$ETH-LAN$
ip address 215.118.108.138 255.255.255.252
ip nat outside
duplex auto
crypto map ikvc
!
!
ip local pool ippool 192.168.13.1 192.168.13.254
ip nat inside source list nat interface Ethernet1 overload
!
ip access-list extended nat
deny ip 192.168.12.0 0.0.0.255 10.20.0.0 0.0.255.255
deny ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
permit ip any any
!
access-list 199 deny ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 199 permit ip 192.168.12.0 0.0.0.255 any
!
Thanks for your effort
01-29-2007 04:52 AM
You may have a routing issue. Are you certain that the 215.118.108.136 /30-subnet is routed to your PIX?
The normal configuration would be to use a static translation between DMZ and outside. This implies that you change the peer IP address for the remote router to an IP address in the outside subnet.
For the rest I would start simplifying the ACL's by permitting everything between the VPN peers. If that is working you can re-apply the security settings to make it as tight as possible.
Regards,
Leo
01-29-2007 06:49 AM
Hi Leo!
I am happy now :)
Remote access is finally done. I changed "nat 0" to "static" and I rewrote the access list ....
But I can't understand why it didn't work before.
If you take a look at the PIX configuration, you can see that everything was permitted :).
I don't know ... maybe something like a ghost.
Thank you for your support!
Tomas
01-29-2007 06:56 AM
Thank you for rating my post!