04-12-2013 09:36 AM
I have gone through posts on the forum for allowing VPN access to a DMZ host, but I am missing something and hoping another set of fresh eyes will spot the issue. Basically, I need a VPN profile to allow a vendor to access one host in the DMZ. The VPN will connect, but I can't access the host. Here's the config, and yes, it's an old Pix 515 running version 7.2(5); we will be getting new firewalls soon.
Thanks,
Gary
PIX Version 7.2(5)
!
!
interface Ethernet0
nameif outside
security-level 0
ip address xxxx 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.254.254 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 10.1.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit ip 10.254.253.0 255.255.255.0 host 10.1.1.28
access-list inside_outbound_nat0_acl extended permit ip 192.168.254.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.254.0 255.255.255.0 10.254.253.0 255.255.255.0
access-list hvac_splittunnel standard permit host 10.1.1.28
access-list dmz_nat0_outbound extended permit ip host 10.1.1.28 10.254.253.0 255.255.255.0
ip local pool hvac 10.254.253.1-10.254.253.50 mask 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.254.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 10.1.1.0 255.255.255.0
static (dmz,outside) xxxxxx 10.1.1.2 netmask 255.255.255.255
static (dmz,outside) xxxxxx 10.1.1.3 netmask 255.255.255.255
static (inside,dmz) 192.168.254.0 192.168.254.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxxxxxx 1
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
management-access inside
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd ping_timeout 750
!
dhcpd address 192.168.254.100-192.168.254.200 inside
dhcpd enable inside
!
group-policy hvac internal
group-policy hvac attributes
vpn-idle-timeout 30
vpn-session-timeout 1440
split-tunnel-policy tunnelspecified
split-tunnel-network-list value hvac_splittunnel
username hvac password xxxx encrypted
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) RADIUS
tunnel-group hvac type ipsec-ra
tunnel-group hvac general-attributes
address-pool hvac
default-group-policy hvac
tunnel-group hvac ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
04-12-2013 10:10 AM
Gary,
Configure "crypto isakmp nat-t" and then test.
If it still doesn't work, please upload the following info from the setup, after you have connected the client:
1. show crypto isa sa
2. show crypto ipsec sa
Regards,
Sim.
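Sim's suggestion is the NAT-traversal toggle (the PIX accepts "nat-t" as the abbreviation of `crypto isakmp nat-traversal`). As an added check that is not part of this thread, the script below parses an excerpt of Gary's posted config and reports the four things a remote-access IPsec tunnel to a single DMZ host depends on: NAT-T enabled, the pool exempted from NAT on the dmz interface, the host in the split-tunnel list, and reverse-route injection. The config excerpt is constructed from the post; the host address 10.1.1.28 and the pool come from it.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 7.2(5) config posted above (not the full running-config).
PIX_CONFIG = """\
access-list hvac_splittunnel standard permit host 10.1.1.28
access-list dmz_nat0_outbound extended permit ip host 10.1.1.28 10.254.253.0 255.255.255.0
ip local pool hvac 10.254.253.1-10.254.253.50 mask 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto isakmp enable outside
tunnel-group hvac general-attributes
address-pool hvac
split-tunnel-network-list value hvac_splittunnel
"""

def check_ra_vpn_to_dmz(config: str, dmz_host: str, dmz_if: str = "dmz") -> dict:
    """Return {check name: bool} for a remote-access IPsec tunnel to one DMZ host."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # 1. NAT-T: a client behind a NAT router cannot pass raw ESP, so the tunnel
    #    comes up (phase 1/2 succeed) but no data flows. "nat-t" abbreviates nat-traversal.
    nat_t = any(re.match(r"crypto isakmp nat-t(raversal)?\b", l) for l in lines)
    # 2. Resolve the address pool bound to the tunnel-group to its subnet.
    pool_name = next((l.split()[1] for l in lines if l.startswith("address-pool ")), None)
    pool_net = None
    for l in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", l)
        if m and m.group(1) == pool_name:
            pool_net = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(4)}", strict=False)
    # 3. nat-control is on, so the dmz interface needs a nat 0 ACL exempting host -> pool.
    nat0_acl = next((l.split()[-1] for l in lines
                     if l.startswith(f"nat ({dmz_if}) 0 access-list")), None)
    exempt = False
    if nat0_acl and pool_net:
        pat = rf"access-list {re.escape(nat0_acl)} extended permit ip host (\S+) (\S+) (\S+)"
        for l in lines:
            m = re.match(pat, l)
            if m and m.group(1) == dmz_host:
                dst = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False)
                exempt = exempt or pool_net.subnet_of(dst)
    # 4. The split-tunnel ACL must name the host or the client never routes it into the tunnel.
    st = next((l.split()[-1] for l in lines if l.startswith("split-tunnel-network-list value")), None)
    split = any(l == f"access-list {st} standard permit host {dmz_host}" for l in lines)
    # 5. reverse-route gives the PIX a route for pool addresses back into the tunnel.
    rri = any("set reverse-route" in l for l in lines)
    return {"nat_traversal": nat_t, "nat_exempt_host_to_pool": exempt,
            "split_tunnel_has_host": split, "reverse_route": rri}
```

Against the posted excerpt only `nat_traversal` comes back False, which matches the fix that resolved the thread.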
04-12-2013 11:07 AM
Thank you, it worked. I had to reboot my PC and then all was good.
You are awesome!
04-12-2013 11:14 AM
Greg, I'm glad it worked.
Regards,
Sim.
----
Help out others by using the rating system and marking resolved questions as "Answered"