VPN works on inside interface but not outside

gagiftbaskets
Level 1

I have a PIX-525 with an UR license.  I was trying to get my VPN to work from my iPhone over the weekend but to no avail.  I then changed the interface to the inside to see if my iMac could connect and bingo!  It worked.  I then tried to connect via inside interface with my iPhone and it worked.

I connected a PIX-515e and, using the same settings, can connect to the outside interface via my iPhone.

Strange.

Now, to answer the pressing questions, yes I changed the server IP address in my IPSEC client settings to reflect the outside and inside interfaces as I was testing each one.  I was using a preshared secret.  Yes, the secret was entered correctly and they all matched... yes, the tunnel name was entered correctly.  I was using local user database for authentication with username/password (i.e. no certificate authorization to make things simpler for debugging).  I changed the syslog to debugging and I see absolutely no errors when trying to connect my iPhone to the outside interface (i.e. turning wifi off so I'm on my 3G data network).  The only thing I see is where my iPhone hits the outside interface and it does a teardown (or whatever it's called) but that's it.

Why would this work like a charm with my PIX-515e and not my PIX-525?  Could the VPN accelerator card in the 525 be at fault?  The 515e does not have the accelerator card.  Any ideas why I can establish a VPN connection on the inside interface but not the outside?


6 Replies

Herbert Baerten
Cisco Employee

Tim,

I don't think it's the crypto hardware if it works fine on the inside.

Just a guess: do you have isakmp enabled on the outside interface?

If that's not it, what exactly do you see in the syslogs when it fails?

Can you also get "debug crypto isakmp 10" ?

Herbert

Thanks for the reply!  I appreciate it.  I had a breakthrough last night :). Here is the offending code:

static (DMZ,outside) interface gcbrouter netmask 255.255.255.255 dns

I have clients on my inside interface that need to access DMZ servers by their FQDN. I do not have a separate DNS server so I am using DNS re-write to accomplish that. When I delete that line, VPN works but then I can't access the servers by their FQDN.

Is there a way for DNS rewrite and VPN to coexist on the same interface/IP address?  I have 1 static IP. A thought would be to use one of my unused interfaces to connect to my comcast gateway and use the public IP of the gateway to access my VPN.

...or is there a better way with the firewall config?

Hi Tim,

well it's not so much the DNS rewrite that is the problem (if you just remove the dns keyword the VPN will still fail) but the fact that you use the outside interface for NAT. So all traffic destined to your outside interface address is forwarded to "gcbrouter", including the vpn traffic.

I'm trying to think of a way to solve this but I can't really find anything straight away. Using a different interface is not going to work since you can only have one default route.

I'm wondering if this would work:

remove the interface NAT:

no static (DMZ,outside) interface gcbrouter netmask 255.255.255.255 dns

replace it with interface PAT, i.e. add one such line for each port you want to be reachable on the DMZ server:

static (DMZ,outside) tcp interface 80 gcbrouter 80 netmask 255.255.255.255 dns

static (DMZ,outside) tcp interface 25 gcbrouter 25 netmask 255.255.255.255 dns

etc.

In all honesty I've never seen dns-rewrite being used with PAT so not entirely sure if this will work.

hth

Herbert
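As an added illustration (not code from the thread or from Cisco), the following Python model contrasts the interface-wide static Tim had with the per-port statics Herbert proposes, showing which inbound flows to the outside address get handed to "gcbrouter" and which are left for the PIX itself. The protocol/port list for the iPhone IPsec client (UDP 500, UDP 4500, ESP) is a constructed sample, and the first-match semantics are an assumption of the model.

```python
# Added example, not from the original thread. Models how static entries on the
# outside interface claim inbound traffic destined to the outside address.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Static:
    proto: Optional[str]   # None = any protocol (interface-wide static)
    port: Optional[int]    # None = any port
    target: str            # DMZ host the packet is translated to


@dataclass(frozen=True)
class Packet:
    proto: str             # "udp", "tcp" or "esp"
    dport: Optional[int]   # None for protocols without ports (ESP)


def classify(packet: Packet, statics: List[Static]) -> str:
    """Return the DMZ host that claims the packet, or 'pix' when no static
    matches and the PIX terminates the flow itself (e.g. ISAKMP on outside).
    First matching entry wins (assumed ordering)."""
    for s in statics:
        if s.proto is not None and s.proto != packet.proto:
            continue
        if s.port is not None and s.port != packet.dport:
            continue
        return s.target
    return "pix"


# Tim's original line:
#   static (DMZ,outside) interface gcbrouter netmask 255.255.255.255 dns
INTERFACE_STATIC = [Static(None, None, "gcbrouter")]

# Herbert's suggestion: one port static per published service
#   static (DMZ,outside) tcp interface 80 gcbrouter 80 netmask 255.255.255.255
#   static (DMZ,outside) tcp interface 25 gcbrouter 25 netmask 255.255.255.255
PORT_STATICS = [Static("tcp", 80, "gcbrouter"), Static("tcp", 25, "gcbrouter")]

# Constructed sample of what an IPsec client sends to the outside address
VPN_FLOWS = [Packet("udp", 500), Packet("udp", 4500), Packet("esp", None)]
WEB_FLOW = Packet("tcp", 80)


def vpn_reaches_pix(statics: List[Static]) -> bool:
    """True only if every VPN flow is left for the PIX rather than translated."""
    return all(classify(p, statics) == "pix" for p in VPN_FLOWS)
```

With the interface-wide static every VPN flow is diverted to gcbrouter, which matches the symptom of no ISAKMP errors in the logs; with the per-port statics only TCP 80 and 25 are forwarded.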

I fixed my problem. I used DNSMasq on my internal router (cisco router running DD-WRT) to provide the internal IPs of my servers to the clients behind that router (essentially using my router as a dns server with just a few entries). I then removed the static route to my gcbrouter and added the port forwards like you suggested but without the dns re-write. I no longer need the dns re-write because my router is now acting as my first dns server - but only providing addresses for my internal web and email server - and then going to my two external dns servers for everything else.

It works fine now.

Thanks!

Tim

Great, thanks for the confirmation! Can I just ask you to mark this thread as Answered please?

thanks

Herbert

Will do once I get to a computer.

Sent from my iPhone.