cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1179
Views
0
Helpful
4
Replies

creating a remote site vpn

rustomhind
Level 1
Level 1

HI,

I have a pix firewall 501 with ios ver 6.3 and 3.0(4) pdm installed. I tried creating a remote access vpn through pdm vpn wizard. I could successfully connect to the firewall but none of my internal components can be accessed through the vpn. Also the pdm does show my vpn to be up and working. There is also one more thing. The firewall was only meant to act as a vpn terminator. No filtering was to be done and hence I created an access-list  and applied it to both interfaces.

access-list outin permit ip any any

access-group outin in interface outside

access-group outin in interface inside

if both interfaces were configured to pass all traffic from both interface why can ppl from the vpn access any part of my network. Here is my pix configuration and sh ver output

sh run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 28UZ5k5cyiO1vK/z encrypted

hostname punepix

domain-name rstforum.net

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

<--- More --->

names

access-list outin permit ip any any

access-list inside_outbound_nat0_acl permit ip any 192.168.200.0 255.255.255.128

access-list outside_cryptomap_dyn_20 permit ip any 192.168.200.0 255.255.255.128

access-list outin permit ip any any

access-group outin in interface outside

access-group outin in interface inside

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 114.143.XX.XX 255.255.255.0

ip address inside 192.168.6.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool RST_VPN_POOL 192.168.200.1-192.168.200.100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

router ospf 1

  network 192.168.6.0 255.255.255.0 area 0

  area 0 authentication message-digest

  log-adj-changes

route outside 0.0.0.0 0.0.0.0 114.143.29.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

<--- More --->

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication LOCAL

crypto map outside_map interface outside

<--- More --->

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup RST_VPN address-pool RST_VPN_POOL

vpngroup RST_VPN dns-server 4.2.2.2

vpngroup RST_VPN idle-time 1800

vpngroup RST_VPN password ********

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

username rustom password zEkdgwmwPhkthzSs encrypted privilege 15

username vagish password tGokRW6wigOWAze8 encrypted privilege 15

terminal width 80

Cryptochecksum:05dc87d47eb55dc1b071e1590b16063f

: end

punepix#

punepix# sh ver

Cisco PIX Firewall Version 6.3(5)

Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

punepix up 6 hours 20 mins

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz

Flash E28F640J3 @ 0x3000000, 8MB

BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0009.4306.0bc3, irq 9

1: ethernet1: address is 0009.4306.0bc5, irq 10

Licensed Features:

Failover:                    Disabled

VPN-DES:                     Enabled

VPN-3DES-AES:                Enabled

Maximum Physical Interfaces: 2

Maximum Interfaces:          2

Cut-through Proxy:           Enabled

Guards:                      Enabled

URL-filtering:               Enabled

Inside Hosts:                Unlimited

please advice as I am not much into security.

Thank you

4 Replies 4

Yudong Wu
Level 7
Level 7

Please turn on NAT-t "isakmp nat-traversal" if your vpn client is behind a NAT device.

HI, DID TRY THE FOLLOWING BUT STILL AM FACING THE SAME PROBLEM. THERE IS SOMETHING UNUSUAL GOING ON IN MY NETWORK. I HAVE ATTACHED A NETWORK DIAGRAM SO YOU CAN UNDERSTAND THE SCENARIO. I CAN PING HTE CALL MANAGER IN TEH DIAGRAM. BUT NOT REGISTER ANY PHONES ON IT. I CAN NOT PING ANY OF THE ROUTERS INTERFACES BUT CAN PING A FEW HOSTS ON THE NETWORK. I CAN PING 192.168.5.3 HOST ON A NETWORK BUT CANNOT TELNET THROUGH THE VPN. IF THE ACCESS-LIST SAYS PERMIT IP ANY ANY ON BOTH INTERFACES THEN WHY IS IT NOT ALLOWING ANY TRAFFIC. I HAVE ATTACHED A DIAGRAM WHICH CONTAINS A MAP AND ROUTING TABLE EXAMPLE OF THE SCENAIRO. I HAVE BEEN TRYING THIS OUT SINCE THE LAST WEEK. PLZ DO SUGGEST AS I'M GETTING FRUSTRATED.

THANK YOU

Hi,

Are you able to ping the router's 192.168.6.2 IP address?

What is the host that has the IP address of 192.168.5.3? Please apply captures on the PIX's inside interface and let's see what is exactly going on over there.

https://supportforums.cisco.com/docs/DOC-1222

Regards,

Prapanch

If you can ping the inside IP from VPN client, you VPN should be OK.

As for why you can not telnet to the inside host or IP softphone can not register with Call manager, it might be caused by something else.

I would suggestion you

1) turn on logging buffer on PIX, then try the telnet connection and ip phone registrataion to see if you can see any error in the log.

2) capture 'show crypto ipsec sa" before and after you try the telnet or ip phone registration to see if the decap/encap count incrementing

3) can you telnet to the router's IP successfully from vpn client?