Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

cisco pix - can't see network - cisco vpn

Status
Not open for further replies.

kyle8198

Technical User
Jun 9, 2006
14
US
I have a cisco pix firewall 501e. I'm using the cisco vpn client to connect. I can connect & surf the net> But I can't view any of the connected networks pc's or shared files or map any drives. I know that I need to open some ports, but I'm horrible at ACL's could someone help me out. I need to open the following
TYPE PORT
TCP 10000
TCP 135-139
UDP 135-139
UDP 4500
UDP 62515
VNC 5900

please help if you can
 
Can you post your conf, minus the secure important stuff. We can help you out.

Frank
 
sounds like you havent added nat-traversal support. Like fdurham says, post your config.
 
blast... ok. Well, when I get into their office again, ill make a copy of the config & post it. But they ar about an hour away, and I can't (need help on this one too) can't remotely login to the pix either.
 
kyle8198,
If you trust yourself, you can this line to the firewalls -

sysopt connection permit-ipsec

and your VPN will bypass all inbound ACLs. This will not bypass outbound ACLs. If you want to lock it down leave that line out and explicity allow anything you want in ACLs. To be able to map drives and transfer files, you will also need TCP port 445 (SMB) to your list.




Brent
Systems Engineer / Consultant
CCNP
 
I'm not onsite, so i can't get my config. But can someone write an acl for me to allow or open these ports in a 501 pix

TCP 10000,135-139,445,443
UDP 135-139,4500,62515
VNC 5900

This is kill'n me, I can't find where in the gui interface to open them, and I'm not good w/ the cli. So um.. yeah. HELP!!! lol I appreciate anything you all could do.
 
I have the same problem but feel my problem is DNS. I have the Cisco VPN client 4.6. I can connect, surf and ping by IP address. However, when I attempt to map or use programs that have UNC designations they don't work. This was working properly until we had a DNS server go down and we had to add another. Our remote clients are on the subnet 192.168.33.0/24 while the domain we're connecting to is on 10.10.3.0/24. For some reason DNS won't resolve for the 192 subnet. Any ideas?
 
paste this into the config

group-object service tcp_inbound_services tcp
port-object range 135 139
port-object eq 445
port-object eq 443
port-object eq 10000
port-object eq 5900

group-object service udp_inbound_services udp
port-object range 135 139
port-object eq 4500
port-object eq 62515

access-list ACL_inbound permit tcp [Source IP] [Destination IP] object-group tcp_inbound_services
access-list ACL_inbound permit udp [Source IP] [Destination IP] object-group udp_inbound_services
access-list ACL_inbound deny ip any any

access-group ACL_inbound in interface outside


The Source IP/Destination IP can be of a few forms
host x.x.x.x - (just this one sepcifically)
any - (any ip0
x.x.x.x 255.255.255.0 (whatever your mask is) - (just this network)


Be sure to have your statics and NAT setup.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Ok, great, let me ask you this. If I want them to be able to remote in from anywhere (they use laptops and travel), what do I need to do special?
 
ok... here's my running config.. finally. I'm going nut's here... I can get the VPN client to connect to the network, but I can't ping through, and i can't join the domain, and I can't access network shared files. So give me hand, throw me a bone... I'm gonna cry here. I strongly dislike cisco (only cuz I haven't taken the time to learn it)

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxx encrypted
hostname DOMINEX-PIX
domain-name fw.dominex.local
fixup protocol ftp 20
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service DominexVPNClient tcp-udp
port-object eq 5900
port-object eq 10000
port-object eq 62515
port-object eq 4500
port-object range 443 445
port-object range 135 139
access-list 110 permit icmp any any
access-list 110 permit tcp any host 72.149.208.34 eq 4080
access-list nonat permit ip 192.168.0.0 255.255.255.0 host 192.168.1.0
access-list DominexVPNClient_splitTunnelAcl permit ip 192.168.0.0 255.255.0.0 any
access-list DominexVPNClient_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list outside_in permit ip any any
access-list outside permit ip any any
access-list acl_out permit tcp any host 192.168.0.0 eq hostname
access-list acl_out permit tcp any host 192.168.0.0 eq https
access-list acl_out permit tcp any host 192.168.0.0 eq ssh
access-list outside_access_in permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip address inside 192.168.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.1.1-192.168.1.50
pdm location xxx.xxx.xxx.xxx 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.0.150 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.255 outside
pdm location 0.0.0.0 255.255.0.0 inside
pdm location 0.0.0.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx 4080 192.168.0.150 4080 netmask 255.255.255.255 0 0
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 72.149.208.33 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 68.208.35.0 255.255.255.0 outside
http 0.0.0.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 30 set transform-set strong
crypto map DominexCryptoMap 20 ipsec-isakmp dynamic DYNMAP
crypto map DominexCryptoMap client configuration address initiate
crypto map DominexCryptoMap client configuration address respond
crypto map DominexCryptoMap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup DominexVPNClient address-pool vpnpool
vpngroup DominexVPNClient dns-server 192.168.0.2
vpngroup DominexVPNClient wins-server 192.168.0.2
vpngroup DominexVPNClient default-domain password
vpngroup DominexVPNClient split-tunnel DominexVPNClient_splitTunnelAcl
vpngroup DominexVPNClient split-dns dominex.local
vpngroup DominexVPNClient idle-time 1800
vpngroup DominexVPNClient secure-unit-authentication
vpngroup DominexVPNClient password ********
telnet 68.208.35.0 255.255.255.0 outside
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local vpnpool
vpdn group 1 client configuration dns 192.168.0.2
vpdn group 1 client configuration wins 192.168.0.2
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username DominexVPN-PPTP password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:8feda8e3012c5cd883c4649544a6f20b
: end
[OK]

 
A few things to change
If you are only using the VPN client software and aren't using PPTP or L2TP, remove all that stuff (VPDN stuff as well) including
crypto map DominexCryptoMap client configuration address initiate
crypto map DominexCryptoMap client configuration address respond
sysopt connection permit-pptp
sysopt connection permit-l2tp

Now -

access-list nonat permit ip 192.168.0.0 255.255.255.0 host 192.168.1.0
should be a network not a host
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address inside 192.168.0.1 255.255.0.0
should be
ip address inside 192.168.0.1 255.255.255.0

vpngroup DominexVPNClient default-domain password
should be what ever your domain is.

add these two lines
crypto map DominexCryptoMap client authentication LOCAL
isakmp nat-traversal 20

You will then need to add usernames and passwords for the VPN client to authenticate against.

Take off the
isakmp enable outside and reapply it.

Get the VPN working first, then you can restrict access by taking off the
sysopt connection permit-ipsec
and applying tighter ACLs.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I'm using the cisco vpn client. And it connects just fine. I have tunneling on so you can still surf the net (company's request)So, just need to know what to add to let them share network resources.
 
If the clients come from a nated network you need to add nat traversal support on your pix. Otherwise the packets will be dropped.

as stated from me and super before =)

isakmp nat-traversal 20
 
so, all i need to do to get them into the network is add that line?
 
I don't care about having extra stuff in the firewall right now, just want to share network files
 
ok, I'll give it a shot, I'm ready to take a sledge to this thing lol.
 
then you can add the line. And it will not mess anything up so dont worry about that.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top