Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cannot Hit Mapped SSH server from a device in outside interfaces subnet

Status
Not open for further replies.

synack3

IS-IT--Management
Jul 25, 2012
1
US
I have a a PIX 501. I have the connected to my ISP on a sub-net with 6 usable IP addresses. We needed to add WI-Fi access, but for security reasons we don't allow any WI-Fi on our inside Network. So we setup another cheap Tenda Wireless N router on another one of the public IP's from our ISP. If users need to access the inside network behind the PIX they must build a VPN from their laptop. This part has been working for about a year now.

-------------------
| Exchange Server | 10.54.226.14/255.255.255.0
-------------------
|
|
V

10.54.226.1 255.255.255.0 - Inside Interface

-------
| PIX |
-------

56.83.143.26/255.255.255.248 - Outside Interface

|
|
|
V

-------
| DSL | 56.83.143.25/255.255.255.248 -----------> Out to Internet
-------

^
|
|
|

56.83.143.30/255.255.255.248 - WAN Interface

----------
| Tenda |
----------

10.200.200.1/255.255.255.0 - LAN(WLAN) Side

^
|
|

----------
| Laptop | - 10.200.200.101/255.255.255.0
----------
Trying to Hit Exchange Server via

So, I have a Exchange 2010 Server and I have port 443 mapped to it from from PIX, so users with iPhones can use ActiveSync to sync up there phones e-mail with Exhange. It works great from anywhere on the Internet. However it will no work from the Tenda Router. It simply times out. Also from any machine inside the pix I can ping everywhere except the other IP's in the outside interfaces subnet. I have also tried putting my laptop in the subnet of the pix's outside interface and giving it a public ip in that range and nothing. I enabled debug and syslog and get nothing in the logs when I try to connect. I ran netstat on the exchange server and can see 2 packets are received from the outside IP of the router/laptop when I try to connect on port 443 so I know the packets are getting to the server, but they are not getting back. So I though maybe it is because it is natting it on the way out or something so I tried adding the outside IP of the router/laptop to the no nat ACL and it made not difference. It also tried temporarily removing the static mapping for the exchange server on 443 and tried to then ping from it to the router and nothing.

I can telnet the PIX itself and do a ping to the router/laptop and get a response. I can also ping the PIX outside IP from the laptop/router and get a response.

Any Idea's I have been pulling my hair out for a while now!

Config:

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <ommited> encrypted
passwd <ommited> encrypted
hostname Loc_D
domain-name dpl.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 Loc_A
name 192.168.3.0 Loc_B
name 192.168.2.0 Loc_C
name 10.54.226.0 Loc_D
access-list inside_outbound_nat0_acl permit ip Loc_D 255.255.255.0 Loc_A 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Loc_D 255.255.255.0 Loc_B 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.54.226.160 255.255.255.224
access-list inside_outbound_nat0_acl permit ip Loc_D 255.255.255.0 Loc_C 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any host 56.83.143.30
access-list outside_cryptomap_20 permit ip Loc_D 255.255.255.0 Loc_A 255.255.255.0
access-list outside_cryptomap_20 permit ip Loc_D 255.255.255.0 Loc_B 255.255.255.0
access-list outside_cryptomap_40 permit ip Loc_D 255.255.255.0 Loc_C 255.255.255.0
access-list outside_cryptomap_40 permit ip Loc_D 255.255.255.0 Loc_A 255.255.255.0
access-list outside_cryptomap_40 permit ip Loc_D 255.255.255.0 Loc_B 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.54.226.160 255.255.255.224
access-list EW-VPN_splitTunnelAcl permit ip Loc_D 255.255.255.0 any
access-list 110 permit tcp any host 56.83.143.26 eq smtp
access-list 110 permit tcp any host eq 9500
access-list 110 permit tcp host 12.54.64.234 host 56.83.143.26 eq 3389
access-list 110 permit tcp any host 56.83.143.26 eq https
access-list 110 permit icmp any any
access-list outside_cryptomap_dyn_20_1 permit ip any 10.54.226.160 255.255.255.224
access-list outside_cryptomap_40_1 permit ip Loc_D 255.255.255.0 Loc_C 255.255.255.0
access-list outside_cryptomap_20_1 permit ip Loc_D 255.255.255.0 Loc_A 255.255.255.0
access-list outside_cryptomap_20_1 permit ip Loc_D 255.255.255.0 Loc_B 255.255.255.0
access-list acl_outbound deny ip any host 56.83.143.30
access-list acl_outbound permit ip any any
pager lines 24
logging on
logging buffered debugging
logging trap notifications
logging host inside 10.54.226.12
mtu outside 1500
mtu inside 1500
ip address outside 56.83.143.26 255.255.255.248
ip address inside 10.54.226.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool IPSEC_Pool 10.54.226.160-10.54.226.185
pdm location 10.254.226.0 255.255.255.0 inside
pdm location Loc_A 255.255.255.0 inside
pdm location Loc_C 255.255.255.0 inside
pdm location Loc_B 255.255.255.0 inside
pdm location Loc_A 255.255.255.0 outside
pdm location Loc_B 255.255.255.0 outside
pdm location Loc_C 255.255.255.0 outside
pdm location 10.54.226.12 255.255.255.255 inside
pdm location 172.16.29.0 255.255.255.0 inside
pdm location Loc_D 255.255.255.0 outsidepdm location 10.54.226.160 255.255.255.224 outside
pdm location 10.54.226.13 255.255.255.255 inside
pdm location <Ommitted> 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 56.83.143.26 smtp 10.54.226.12 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 56.83.143.26 9500 10.54.226.12 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp 56.83.143.26 3389 10.54.226.13 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 56.83.143.26 https 10.54.226.14 https netmask 255.255.255.255 0 0
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 56.83.143.25 1
route inside 172.16.29.0 255.255.255.0 10.54.226.253 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Loc_D 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt ipsec pl-compatible
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20_1
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer <Omitted>
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer <ommited>
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map_1 20 ipsec-isakmp
crypto map outside_map_1 20 match address outside_cryptomap_20_1
crypto map outside_map_1 20 set peer <Omitted>
crypto map outside_map_1 20 set transform-set ESP-3DES-MD5
crypto map outside_map_1 40 ipsec-isakmp
crypto map outside_map_1 40 match address outside_cryptomap_40_1
crypto map outside_map_1 40 set peer <omitted>
crypto map outside_map_1 40 set transform-set ESP-3DES-MD5
crypto map outside_map_1 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map_1 client authentication LOCAL
crypto map outside_map_1 interface outside
isakmp enable outside
isakmp key ******** address <Omitted> netmask 255.255.255.255
isakmp key ******** address <omitted> netmask 255.255.255.255 no-xauth no-con
fig-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup EW-VPN address-pool IPSEC_Pool
vpngroup EW-VPN dns-server 10.54.226.12
vpngroup EW-VPN default-domain dpl.local
vpngroup EW-VPN split-tunnel EW-VPN_splitTunnelAcl
vpngroup EW-VPN idle-time 1800
vpngroup EW-VPN password ********
telnet Loc_A 255.255.255.0 inside
telnet Loc_C 255.255.255.0 inside
telnet Loc_B 255.255.255.0 inside
telnet Loc_D 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username ****** password *********
vpdn enable outside
dhcpd address 10.54.226.2-10.54.226.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username ****** password ****** encrypted privilege 15
username ****** password ****** encrypted privilege 15
username ****** password ****** encrypted privilege 15
username ****** password ****** encrypted privilege 15
username ****** password ****** encrypted privilege 15
username ****** password ****** encrypted privilege 15
terminal width 80
Cryptochecksum: <ommitted>
: end
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top