Hello everybody,
I have a client who is trying to connect to their office via VPN to read email and fill out timesheets using a web application. He is using Microsoft Outlook for the email; as for the timesheet application, I have no idea what that is. He is able to establish the VPN, but when he tries to use Outlook it never connects. After 30 seconds, the VPN connection supposedly drops. I have done some research and found a thread in this forum saying that I need to add some ACL statements allowing UDP and ESP to pass through. I entered them and he is still having the same problem. Are there other ports that I need to open up for Exchange, or am I just missing something? Any help would be greatly appreciated. Thanks
Here is the current config.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password hpORDICAWWf3InaD encrypted
passwd OUnvq6kfP6ITkqjY encrypted
hostname PyrBL-P
domain-name anydomain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip *.*.*.136 255.255.255.248 *.*.*.16 255.255.255.240
access-list 101 permit ip *.*.*.136 255.255.255.248 *.*.*.64 255.255.255.240
access-list 101 permit ip 10.100.1.0 255.255.255.0 *.*.*.16 255.255.255.240
access-list 101 permit ip 10.100.1.0 255.255.255.0 *.*.*.64 255.255.255.240
access-list 101 permit ip 10.100.1.0 255.255.255.0 10.100.2.0 255.255.255.0
access-list 101 permit ip 10.100.2.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list acl_inside permit esp any any
access-list acl_inside permit udp any any eq isakmp
access-list acl_inside permit tcp any any eq pptp
access-list acl_outside permit esp any any
access-list acl_outside permit udp any any eq isakmp
pager lines 24
logging on
logging timestamp
logging buffered debugging
icmp permit *.*.*.16 255.255.255.240 outside
icmp permit *.*.*.64 255.255.255.240 outside
icmp permit 10.100.2.0 255.255.255.0 outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.138 255.255.255.248
ip address inside 10.100.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Ignite 10.100.1.8-10.100.1.9
pdm location *.*.*.16 255.255.255.240 outside
pdm location *.*.*.64 255.255.255.240 outside
pdm location 10.100.1.0 255.255.255.240 inside
pdm location *.*.*.136 255.255.255.248 inside
pdm location *.*.*.64 255.255.255.240 outside
pdm location 10.100.1.0 255.255.255.0 outside
pdm location 10.100.1.10 255.255.255.255 inside
pdm location 10.100.1.11 255.255.255.255 inside
pdm location 10.100.1.12 255.255.255.255 inside
pdm location 10.100.1.13 255.255.255.255 inside
pdm location 10.100.2.0 255.255.255.0 inside
pdm location 10.100.2.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.100.1.13 10.100.1.13 netmask 255.255.255.255 0 0
static (inside,outside) 10.100.1.10 10.100.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 10.100.1.11 10.100.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 10.100.1.12 10.100.1.12 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 *.*.*.137 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http *.*.*.16 255.255.255.240 outside
http *.*.*.64 255.255.255.240 outside
http 10.100.1.0 255.255.255.240 inside
snmp-server location Bankers Lofts, 901 Washington, St. Louis, Mo
snmp-server contact Pyramid Const. (314)773-7333
snmp-server community PyrBL
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp enable outside
isakmp nat-traversal 20
telnet timeout 5
ssh *.*.*.* *.*.*.* outside
ssh 10.100.1.0 255.255.255.240 inside
ssh timeout 60
management-access inside
console timeout 10
vpdn group pptp accept dialin pptp
vpdn group pptp ppp authentication pap
vpdn group pptp ppp authentication chap
vpdn group pptp ppp authentication mschap
vpdn group pptp ppp encryption mppe auto required
vpdn group pptp client configuration address local Ignite
vpdn group pptp client configuration dns 24.217.0.3 24.217.0.4
vpdn group pptp pptp echo 60
vpdn group pptp client authentication local
vpdn username ignite password *********
vpdn enable outside
dhcpd address 10.100.1.20-10.100.1.239 inside
dhcpd dns 24.217.0.3 24.217.0.4
dhcpd lease 14400
dhcpd ping_timeout 750
dhcpd enable inside
username PyraM1D password R9A/0V58DcxDC/du encrypted privilege 15
username ignite password AtLc.CEAzYBhv6gF encrypted privilege 15
terminal width 80
banner exec Welcome
banner login Authorized Users Only are allowed, Please Login:
banner motd .
banner motd
banner motd ***************************************************************
banner motd * Unauthorized access to this device is strictly prohibited. *
banner motd * All attempts to access are recorded, and reviewed daily. *
banner motd * Violations will be reported to the appropriate authorities. *
banner motd * Violators will be prosecuted. *
banner motd ***************************************************************
Cryptochecksum:027cdf46d16f849fdceec1d1c7baf39b
: end
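The acl_inside and acl_outside entries added to the config above never appear in an access-group line, so whether they are applied at all is the first thing to verify before looking for more ports. The script below is an added config-review aid, not part of the original post and not a Cisco tool; it runs over a constructed excerpt of the posted config and reports ACLs that nothing references, plus where the PPTP address pool sits relative to the inside subnet.

```python
import ipaddress

# Constructed excerpt of the PIX 6.3(5) config posted above: only the lines the
# checks need, with the names and addresses exactly as they appear in the post.
PIX_CONFIG = """\
access-list 101 permit ip 10.100.1.0 255.255.255.0 10.100.2.0 255.255.255.0
access-list acl_inside permit esp any any
access-list acl_inside permit udp any any eq isakmp
access-list acl_outside permit esp any any
access-list acl_outside permit udp any any eq isakmp
ip address inside 10.100.1.1 255.255.255.0
ip local pool Ignite 10.100.1.8-10.100.1.9
nat (inside) 0 access-list 101
vpdn group pptp client configuration address local Ignite
"""
def parse_pix(config):
    """Collect ACL names, the ACLs something references, address pools, the inside address and the PPTP pool."""
    acls, referenced, pools = {}, set(), {}
    inside = pptp_pool = None
    for line in config.splitlines():
        p = line.split()
        if p[:1] == ["access-list"]:
            acls.setdefault(p[1], []).append(line)
        elif p[:1] == ["access-group"]:                       # access-group NAME in interface IF
            referenced.add(p[1])
        elif p[:1] == ["nat"] and p[2:4] == ["0", "access-list"]:  # nat (if) 0 access-list NAME
            referenced.add(p[4])
        elif p[:3] == ["ip", "address", "inside"]:
            inside = ipaddress.ip_interface(f"{p[3]}/{p[4]}")  # dotted netmask is accepted
        elif p[:3] == ["ip", "local", "pool"]:                # ip local pool NAME FIRST-LAST
            first, last = p[4].split("-")
            pools[p[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif p[:3] == ["vpdn", "group", "pptp"] and "address local" in line:
            pptp_pool = p[-1]
    return acls, referenced, pools, inside, pptp_pool

def review(config):
    """Return findings for the two things a reviewer checks first on a PPTP-on-PIX problem report."""
    acls, referenced, pools, inside, pptp_pool = parse_pix(config)
    findings = []
    for name in sorted(acls):
        if name not in referenced:
            findings.append(f"ACL {name} is defined but nothing applies it (no access-group or nat 0 reference), so it has no effect")
    if pptp_pool in pools and inside is not None:
        first, last = pools[pptp_pool]
        if first in inside.network and last in inside.network:
            findings.append(f"PPTP pool {pptp_pool} ({first}-{last}) is carved out of the inside subnet {inside.network}; confirm the PIX answers ARP for those addresses on the inside")
    return findings

print(*review(PIX_CONFIG), sep="\n")
```

On the posted config this reports both acl_inside and acl_outside as unreferenced and ACL 101 as applied through nat 0.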