Can someone help me with this PIX 501/VPN config?

[gman10]

Hey all-

I had this PIX deployed at customer site which was configured by someone that doesn't work here anymore.. I'd like certain people including myself to be able to VPN to it from our remote office.. I will post the config and am wondering what I need to edit in order for this functionality to happen. It doesn't look like there is an outside address configured on the PIX so my VPN client needs an outside address interface (entry) to be inputted.. Also, this PIX is sitting behind a cable modem where addresses are probably assigned via DHCP from what I gather. Well, here's the config, if anyone can shed some light, that would be great!

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 4.hz0DbMxoBv3gTr encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname NSUHPIX501
domain-name CANSUH.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 10.0.0.144 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.144 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool NSUHAdminsPool 10.0.0.151-10.0.0.155
pdm location 24.46.16.0 255.255.240.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 24.46.16.0 255.255.240.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup NSUHAdmins address-pool NSUHAdminsPool
vpngroup NSUHAdmins idle-time 1800
vpngroup NSUHAdmins password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:477fea9b79bc2365b88b40548f5fb962
: end
[OK]


thx again!
gman

 

[tonymullen]

first off, your access-lists are not doing anything as there are no access-group lines. also, if you apply either of these to the inside interface you'll not be able to access any external ips. (both lines say "from any IP only allow access to 10.0.0.144").

I think you'll need an
access-list inbound permit ip 10.0.0.0 255.255.255.0 any
and
access-group inbound in interface outside
- this applies the rule to the interface.

get rid of the existing access lists & if you need to restrict outbound traffic then create an access list and apply it to the inside interface.

then it will probably work. Your obvious problem is the dhcp IP address. You'll need to know this (sh interface i think will give this). Also if it changes ip address your vpn will fail. I'd strongly recommend getting a fixed ip address if you really need this. Also the vpn wizard in the pdm is pretty helpful if you are unsure of the pix command line.

hope this makes sense - I'm not fully awake yet.
Tony

 

[gman10]

Tony thank you!!

I have the flu and will be home today so I sympathize with you in not knowing if your fully awake.. Anyway, I yanked the PIX from the customer site and have it home with me w/ my laptop so testing this won't be the most awesome verture.. Regardless, I could still change the access-lists and create the groups you were suggesting, then of course there is the BIGGEST situation of gaining the actual DHCP'd address from the PIX once deployed behind the cable modem again..

Two questions: I'll never need for anyone at the customer side to ever get out VPN style .. I and a few select people will be VPNing in to the customer from our remote office so do these inbound commands seem right?

access-list inbound permit ip 10.0.0.0 255.255.255.0 any
and
access-group inbound in interface outside

just want to be sure but it seems right..

Next question, The PDM wizard, can I still activate this while the PIX is connected to my laptop? never used the feature before but sounds great! Either I believe that sh interface will work as long as the cable modem is attached to the PIX.. Thanks for any additional info you can provide
gman

 

[tonymullen]

to access the pdm just

https://intaddrfirewall

that access rule that you've written basically says that anyone with a 10.0.0.x address can access anything on the inside network.

If you aren't too comfortable with the command line then I'd suggest using the pdm. If you want to see what its doing then keep a telnet session up at the same time and use sh commands to display the config after you click apply.

you can configure everything with the pdm, it just gives things unwieldy names if you have to key them in at the command line.

The other option rather than getting a fixed ip at the main site is to get a fixed ip at the remote site and create a dynamic vpn tunnel (there are very good instructions on this on the cisco website

http://www.cisco.com/en/US/products...s_configuration_example09186a0080094680.shtml

).

 

[gman10]

Hello all-

Well, I finally got this PIX 501 back at the customer site.. I am able to VPN to it from my laptop and home pc to the PIX but this is what I can't do.. The computers at the customer site are all on a 10.0.0.x range and I can't ping any of them or access any of the server shared drives (obviously, since I can't ping).. Although, my VPN connection does connect me fine, using the proper VPN "User and password".. I wanted to mention that the outside address is really the cable modem address, when I do a "sho ip" the inside address is fine but the outside address is definately the cable modem address 24.XX.XX.250.. when I ping -a this address, the name it returns is a cable modem FQDN, could this be my problem? I didn't officially configure my outside interface with this ip.. would I need to configure it as such: PIX>config> ip address outside 24.xx.xx.250 255.XX.XX.XX, if so,, I couldn't give it the IP of the cable modem.. can't use the address for PIX and cable modem?? Perhaps I need another access-list allowing me privileges to the internal pc's.. not sure.. I just plugged the cat5 in to the PIX port and it went online and can get internet access from the customer's server.. I posted my config below, if anyone would please take a look at it and give me a hand, I would truly appreciate it.. thanks to all and have a great weekend!

gman

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 79ydhj.qE/V4VR3M encrypted
passwd 79ydhj.qE/V4VR3M encrypted
hostname PIX501
domain-name xxxxxx.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit ip 10.0.0.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool AdminsPool 10.0.0.151-10.0.0.155
pdm location 24.46.16.0 255.255.240.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225

1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 24.46.16.0 255.255.240.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Admins address-pool NSUHAdminsPool
vpngroup Admins idle-time 1800
vpngroup Admins password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:6d4bd05c01fd6b93fa9d01a643d49a2f
: end
[OK]

 

[tonymullen]

Not sure if you have an answer to this yet. The ip address of the interface is fine set to dhcp (just remember it may change).

I think your problem is that you haven't specified to negate nat for the vpn'd network. You need this line:

nat (inside) 0 access-list inbound
This would work, but instead of this I would have a separate acl for the no-nat:
access-list no-nat permit ip 10.0.0.0 255.255.255.0 destip destmask
nat (inside) 0 access-list no-nat