VPN Client on Exchange 5.5 behind Cisco PIX Firewall

jason-liu
Level 1

I have a VPN Client on an Exchange 5.5 Server behind a Cisco PIX Firewall.

The VPN Client connects to a VPN 3000 Concentrator at a remote site.

If the Exchange 5.5 Server starts the Internet Mail Service and sends a lot of mail, the VPN connection disconnects.

If I put the Exchange 5.5 Server outside the Cisco PIX Firewall, the operation is OK. So the problem may be the PIX Firewall settings.

Can anybody help me?

Thanks a lot!

14 Replies

afakhan
Level 4

Hi,

What PIX model do you have, is it a 501/506? Are you sending a huge amount of data, and how much?

In this scenario, the better option would be to configure a L2L between the VPN3K and your PIX FW.

It will save you the worries of the software client.

Thanks,

Afaq, CSE

Hi,

The PIX model is a PIX 515 with two interfaces.

The PIX version is 6.2(2).

The VPN Client version is 3.6.2.

The connection is as below:

Windows 2000 VPN Client (with Exchange 5.5) -- PIX 515 Firewall -- Internet -- CheckPoint Firewall -- VPN 3000 -- Exchange Hub Server (10.17.31.9)

The Windows 2000 Server has a static IP setting on the PIX Firewall.

On the PIX Firewall, we also enable the VPN function for outside users to create VPN connections.

When the VPN connection is created, the VPN Client gets a DHCP IP address (10.17.x.x) for that connection.

When the W2K VPN Client is outside the PIX Firewall:

1. About 500 mails

2. About 20K~2000K each mail

we can deliver the mails and the VPN connection is OK.

When the VPN Client is inside the PIX Firewall:

1. 1 -- 3 mails of about 3000K each: delivery and the VPN connection are OK.

2. More than 10 mails of about 300K each: the VPN connection is lost.

Following are the PIX settings for the VPN Client connection:

-----------------------------------------------

...

access-list 101 permit ip 10.32.0.0 255.255.248.0 10.32.10.0 255.255.255.0

...

ip local pool vpn-client 10.32.10.20-10.32.10.50

...

nat (inside) 0 access-list 101

...

floodguard enable

...

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set kaovpn esp-des esp-sha-hmac

crypto dynamic-map dynmap 20 set transform-set kaovpn

crypto map kaovpn 20 ipsec-isakmp dynamic dynmap

crypto map kaovpn client configuration address initiate

crypto map kaovpn client configuration address respond

crypto map kaovpn interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp identity address

isakmp client configuration address-pool local vpn-client outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 2

-------------------------------------------------

Do I need to set up any ACL or something else?

Thanks.

The problem could be with the filter applied to the firewall policy. Check the default action of the filter to confirm it is set to drop.

Let me know if you need further assistance.

Hi,

Thanks for your reply.

Can you tell me how to check whether the filter is the problem?

Thanks and best regards.

Jason.

Hi,

Just thought I might be able to help. I have a few questions:

1. Does the VPN tunnel originate from the Windows 2000 server or does it originate from the PIX firewall?

2. What is the IP address of the interface the Exchange server resides on? It might affect the way you specify your access-list.

3. Does your tunnel use DES encryption or 3DES?

Hi,

1. We use Cisco VPN Client 3.6.2 on the Windows 2000 server and create the VPN connection with the Cisco VPN 3000 concentrator.

2. The IP address of the Exchange server is 10.69.20.205 inside the PIX Firewall.

The static IP of the Exchange server is 211.32.20.205 outside the PIX Firewall.

3. The tunnel uses 3DES encryption.

Thanks and best regards.

Jason

Hi,

We have tried two types of VPN solution: one is the Cisco VPN 3000 solution and the other an AltaVista VPN solution.

1. AltaVista is OK, but it does not support Windows 2000.

2. Cisco VPN 3000 is Windows 2000 ready, but MS Exchange 5.5 sending a large number of mails will disconnect the VPN connection.

After comparing these two VPN solutions, I found something happening in the PIX:

1. The AltaVista VPN tunnel will create more than one connection in the PIX Firewall.

2. The Cisco VPN tunnel will not create another connection in the PIX Firewall.

3. The Windows 2000 Server with the Cisco VPN Client will want to create some connections with remote private IP addresses (which the Firewall cannot access) in the PIX Firewall.

So, can the Cisco VPN solution create more than one connection on the PIX Firewall in a single VPN Client tunnel connection?

Thanks and best regards.

Jason.

Hello,

We did some testing today and found the following:

1. All mail is routed to the remote Hub Server first.

2. If the VPN Client connection is not created, the mail can't be sent.

3. Max. messages in a connection is 8 (Exchange default setting).

When the VPN connection is created:

1. If there are fewer than 8 messages in the queue, resending those mails is OK (all in a single mail connection).

2. If there are more than 8 messages in the queue, resending those mails needs more than one mail connection and the VPN connection will be lost.

3. While the mail connection is sending messages and a user sends a new message, Exchange IMS will create a new mail connection and the VPN connection is lost too.

So, the problem may be: Exchange IMS creating a second session (mail connection) in the VPN tunnel causes the VPN connection to disconnect.

What can I do with the Cisco VPN 3000, PIX Firewall and VPN Client?

Thanks.

Jason.

I know this may sound silly but have you disabled "fixup protocol smtp 25"?

I've seen strange things with it and VPNs.

Just a thought...

Hi,

I have tried this method, but it did not work.

When Exchange wants to use another mail connection, it will not use the VPN tunnel and the VPN connection will be lost.

Why?

Thanks.

Jason.

Hello,

Here are some logs about the VPN connection on the PIX Firewall:

----

<190>Mar 19 2003 17:11:02: %PIX-6-302013: Built outbound TCP connection 123971 for outside:aaa.aaa.aaa.aaa/6666 (aaa.aaa.aaa.aaa/6666) to inside:ddd.ddd.ddd.ddd/1088 (bbb.bbb.bbb.bbb/1088)

<190>Mar 19 2003 17:13:25: %PIX-6-302013: Built outbound TCP connection 124117 for outside:ccc.ccc.ccc.ccc/25 (ccc.ccc.ccc.ccc/25) to inside:ddd.ddd.ddd.ddd/1099 (bbb.bbb.bbb.bbb/1099)

<190>Mar 19 2003 17:15:16: %PIX-6-302014: Teardown TCP connection 124111 for outside:ccc.ccc.ccc.ccc/25 to inside:ddd.ddd.ddd.ddd/1097 duration 0:02:01 bytes 0 SYN Timeout

<190>Mar 19 2003 17:15:26: %PIX-6-302014: Teardown TCP connection 124117 for outside:ccc.ccc.ccc.ccc/25 to inside:ddd.ddd.ddd.ddd/1099 duration 0:02:01 bytes 0 SYN Timeout

<190>Mar 19 2003 17:16:32: %PIX-6-302014: Teardown TCP connection 123971 for outside:aaa.aaa.aaa.aaa/6666 to inside:ddd.ddd.ddd.ddd/1088 duration 0:05:29 bytes 93589 TCP Reset-I

<190>Mar 19 2003 17:16:42: %PIX-6-106015: Deny TCP (no connection) from aaa.aaa.aaa.aaa/6666 to bbb.bbb.bbb.bbb/1088 flags ACK on interface outside

<190>Mar 19 2003 17:16:52: %PIX-6-106015: Deny TCP (no connection) from aaa.aaa.aaa.aaa/6666 to bbb.bbb.bbb.bbb/1088 flags ACK on interface outside

<190>Mar 19 2003 17:17:02: %PIX-6-106015: Deny TCP (no connection) from aaa.aaa.aaa.aaa/6666 to bbb.bbb.bbb.bbb/1088 flags ACK on interface outside

<190>Mar 19 2003 17:17:02: %PIX-6-106015: Deny TCP (no connection) from aaa.aaa.aaa.aaa/6666 to bbb.bbb.bbb.bbb/1088 flags ACK on interface outside

<190>Mar 19 2003 17:17:02: %PIX-6-106015: Deny TCP (no connection) from aaa.aaa.aaa.aaa/6666 to bbb.bbb.bbb.bbb/1088 flags ACK on interface outside

<190>Mar 19 2003 17:17:02: %PIX-6-106015: Deny TCP (no connection) from aaa.aaa.aaa.aaa/6666 to bbb.bbb.bbb.bbb/1088 flags RST on interface outside

---

aaa.aaa.aaa.aaa : Remote VPN 3000 concentrator IP address

bbb.bbb.bbb.bbb : VPN Client static Public IP address

ccc.ccc.ccc.ccc : Remote Exchange Hub Server IP Address

ddd.ddd.ddd.ddd : VPN Client private IP address

Why does the VPN client want to create a new connection to the Exchange server through the Firewall, not through the tunnel?

Can anyone help ??

Thanks.

Jason.
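As an added illustration (not part of the original thread or of any Cisco tool), here is a small Python script that parses PIX 6.x 302013/302014/106015 syslog lines of the form quoted above and correlates them: it lists connections the PIX tore down with bytes 0 and "SYN Timeout" (the inside host sent a plain TCP SYN through the firewall, i.e. not inside the ESP tunnel, and the peer never answered), and 106015 "Deny TCP (no connection)" messages that arrive after the PIX has already torn the matching connection down (the peer still believes the flow is alive). The sample lines are constructed from the aaa/bbb/ccc/ddd placeholders the poster used; all function names are my own.

```python
"""Correlate Cisco PIX 6.x connection syslog messages (302013/302014/106015)."""
import re
from datetime import datetime

# Constructed sample, modelled on the lines quoted in the thread (same placeholders).
SAMPLE_LOG = """\
<190>Mar 19 2003 17:11:02: %PIX-6-302013: Built outbound TCP connection 123971 for outside:aaa.aaa.aaa.aaa/6666 (aaa.aaa.aaa.aaa/6666) to inside:ddd.ddd.ddd.ddd/1088 (bbb.bbb.bbb.bbb/1088)
<190>Mar 19 2003 17:13:25: %PIX-6-302013: Built outbound TCP connection 124117 for outside:ccc.ccc.ccc.ccc/25 (ccc.ccc.ccc.ccc/25) to inside:ddd.ddd.ddd.ddd/1099 (bbb.bbb.bbb.bbb/1099)
<190>Mar 19 2003 17:15:16: %PIX-6-302014: Teardown TCP connection 124111 for outside:ccc.ccc.ccc.ccc/25 to inside:ddd.ddd.ddd.ddd/1097 duration 0:02:01 bytes 0 SYN Timeout
<190>Mar 19 2003 17:15:26: %PIX-6-302014: Teardown TCP connection 124117 for outside:ccc.ccc.ccc.ccc/25 to inside:ddd.ddd.ddd.ddd/1099 duration 0:02:01 bytes 0 SYN Timeout
<190>Mar 19 2003 17:16:32: %PIX-6-302014: Teardown TCP connection 123971 for outside:aaa.aaa.aaa.aaa/6666 to inside:ddd.ddd.ddd.ddd/1088 duration 0:05:29 bytes 93589 TCP Reset-I
<190>Mar 19 2003 17:16:42: %PIX-6-106015: Deny TCP (no connection) from aaa.aaa.aaa.aaa/6666 to bbb.bbb.bbb.bbb/1088 flags ACK on interface outside
<190>Mar 19 2003 17:17:02: %PIX-6-106015: Deny TCP (no connection) from aaa.aaa.aaa.aaa/6666 to bbb.bbb.bbb.bbb/1088 flags RST on interface outside
"""

# <pri>Mon DD YYYY HH:MM:SS: %PIX-<sev>-<msgid>: <body>
TS_RE = re.compile(r"^<\d+>(\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-(\d{6}): (.*)$")
# 302013: Built <dir> TCP connection <id> for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<out_if>\w+):(?P<out_ip>[^\s/]+)/(?P<out_port>\d+) \([^\s/]+/\d+\) to "
    r"(?P<in_if>\w+):(?P<in_ip>[^\s/]+)/(?P<in_port>\d+) \((?P<in_map>[^\s/]+)/\d+\)")
# 302014: Teardown TCP connection <id> for ... duration H:MM:SS bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for (?P<out_if>\w+):(?P<out_ip>[^\s/]+)/(?P<out_port>\d+) to "
    r"(?P<in_if>\w+):(?P<in_ip>[^\s/]+)/(?P<in_port>\d+) duration (?P<dur>\d+:\d{2}:\d{2}) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$")
# 106015: Deny TCP (no connection) from <src>/<sport> to <dst>/<dport> flags <flags> on interface <if>
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[^\s/]+)/(?P<sport>\d+) to (?P<dst>[^\s/]+)/(?P<dport>\d+) "
    r"flags (?P<flags>\S+) on interface (?P<iface>\w+)")
BODY_RES = {"302013": BUILT_RE, "302014": TEARDOWN_RE, "106015": DENY_RE}


def parse_pix(text):
    """Return one dict per recognised line (unknown message IDs are skipped)."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        body_re = BODY_RES.get(m.group(2))
        b = body_re.match(m.group(3)) if body_re else None
        if b:
            ev = {"ts": datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S"), "msg": m.group(2)}
            ev.update(b.groupdict())
            events.append(ev)
    return events


def syn_timeouts(events):
    """Connections torn down with 'SYN Timeout' and zero bytes: the PIX saw a plain
    TCP SYN from the inside host to this outside peer and nothing ever came back."""
    return [(e["out_ip"], e["out_port"], e["in_ip"], e["in_port"])
            for e in events
            if e["msg"] == "302014" and e["reason"] == "SYN Timeout" and e["bytes"] == "0"]


def orphaned_peer_packets(events):
    """106015 denies whose 5-tuple matches a connection the PIX already tore down.
    The 106015 line shows the mapped (public) inside address, so match on the
    outside address/port plus the inside port, which survive the translation."""
    torn = {(e["out_ip"], e["out_port"], e["in_port"]): e for e in events if e["msg"] == "302014"}
    hits = []
    for e in events:
        if e["msg"] != "106015":
            continue
        t = torn.get((e["src"], e["sport"], e["dport"]))
        if t is not None and e["ts"] >= t["ts"]:
            hits.append({"conn_id": t["id"], "flags": e["flags"], "teardown_reason": t["reason"],
                         "after_teardown_s": int((e["ts"] - t["ts"]).total_seconds())})
    return hits


def summarize(text):
    """Run both checks over a block of PIX syslog text."""
    events = parse_pix(text)
    return {"events": len(events), "syn_timeouts": syn_timeouts(events),
            "orphaned": orphaned_peer_packets(events)}


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_LOG))
```

On the sample above the script reports two SYN timeouts, both to ccc port 25 (the remote mail hub reached directly through the outside interface rather than via the tunnel peer aaa), and an ACK and then a RST from aaa/6666 arriving 10 s and 30 s after the PIX had dropped connection 123971 with "TCP Reset-I". Feed it `show logging` output or a syslog file in place of `SAMPLE_LOG`.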

Hi Again,

Based on the logs you placed in the forum and the information collected thus far, it seems your outbound connection is timing out (thus the SYN timeout error messages) and your firewall is blocking a connection from the VPN server (thus the deny messages). I do not know Exchange very well, but I do know that if you have a bridgehead set up, Exchange might be using some other protocols (X.500, LDAP, etc.) to communicate successfully.

Suggestions:

Place a static statement for the VPN Client's static public address, or include the IP address of the VPN Client's static public address in your nat 0 statement.

Try using this command:

static (inside,outside) bbb.bbb.bbb.bbb ddd.ddd.ddd.ddd netmask 255.255.255.255

(PIX 6.x syntax: the outside/public address first, then the real inside address, with bbb and ddd as in your log legend. The assumption is that the server is on the inside interface and the Internet is on the outside.)

Create an access-list that permits packets from the remote VPN 3000 concentrator's IP address to this VPN Client static public address.

Let me know if this helps

Regards,

Hi,

We have an Exchange 5.5 server using VPN Client 3.6.2 behind the PIX Firewall.

The VPN Client and VPN 3000 connect with 3DES, and the PIX only supports DES.

Is there any problem with this configuration ?

Thanks.

Jason.

I do not believe so. The 3DES connection takes place on the server. As far as the firewall is concerned, it is another payload.

Any success with my previous message?

Regards