
Client unable to VPN through a PIX


jgassner2
Sep 19, 2003
Hello everybody,
I have a client who is trying to connect to their office via VPN to read email and fill out timesheets using a web application. He is using Microsoft Outlook for the email; I have no idea what the timesheet application is. He is able to establish the VPN, but when he tries to use Outlook it never connects. After 30 seconds, the VPN connection supposedly drops. I have done some research and found a thread in this forum saying that I need to add some ACL statements allowing UDP and ESP to pass through. I entered them and he is still having the same problem. Are there other ports that I need to open up for Exchange, or am I just missing something? Any help would be greatly appreciated. Thanks

Here is the current config.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password hpORDICAWWf3InaD encrypted
passwd OUnvq6kfP6ITkqjY encrypted
hostname PyrBL-P
domain-name anydomain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip *.*.*.136 255.255.255.248 *.*.*.16 255.255.255.240
access-list 101 permit ip *.*.*.136 255.255.255.248 *.*.*.64 255.255.255.240
access-list 101 permit ip 10.100.1.0 255.255.255.0 *.*.*.16 255.255.255.240
access-list 101 permit ip 10.100.1.0 255.255.255.0 *.*.*.64 255.255.255.240
access-list 101 permit ip 10.100.1.0 255.255.255.0 10.100.2.0 255.255.255.0
access-list 101 permit ip 10.100.2.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list acl_inside permit esp any any
access-list acl_inside permit udp any any eq isakmp
access-list acl_inside permit tcp any any eq pptp
access-list acl_outside permit esp any any
access-list acl_outside permit udp any any eq isakmp
pager lines 24
logging on
logging timestamp
logging buffered debugging
icmp permit *.*.*.16 255.255.255.240 outside
icmp permit *.*.*.64 255.255.255.240 outside
icmp permit 10.100.2.0 255.255.255.0 outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.138 255.255.255.248
ip address inside 10.100.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Ignite 10.100.1.8-10.100.1.9
pdm location *.*.*.16 255.255.255.240 outside
pdm location *.*.*.64 255.255.255.240 outside
pdm location 10.100.1.0 255.255.255.240 inside
pdm location *.*.*.136 255.255.255.248 inside
pdm location *.*.*.64 255.255.255.240 outside
pdm location 10.100.1.0 255.255.255.0 outside
pdm location 10.100.1.10 255.255.255.255 inside
pdm location 10.100.1.11 255.255.255.255 inside
pdm location 10.100.1.12 255.255.255.255 inside
pdm location 10.100.1.13 255.255.255.255 inside
pdm location 10.100.2.0 255.255.255.0 inside
pdm location 10.100.2.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.100.1.13 10.100.1.13 netmask 255.255.255.255 0 0
static (inside,outside) 10.100.1.10 10.100.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 10.100.1.11 10.100.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 10.100.1.12 10.100.1.12 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 *.*.*.137 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http *.*.*.16 255.255.255.240 outside
http *.*.*.64 255.255.255.240 outside
http 10.100.1.0 255.255.255.240 inside
snmp-server location Bankers Lofts, 901 Washington, St. Louis, Mo
snmp-server contact Pyramid Const. (314)773-7333
snmp-server community PyrBL
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp enable outside
isakmp nat-traversal 20
telnet timeout 5
ssh *.*.*.* *.*.*.* outside
ssh 10.100.1.0 255.255.255.240 inside
ssh timeout 60
management-access inside
console timeout 10
vpdn group pptp accept dialin pptp
vpdn group pptp ppp authentication pap
vpdn group pptp ppp authentication chap
vpdn group pptp ppp authentication mschap
vpdn group pptp ppp encryption mppe auto required
vpdn group pptp client configuration address local Ignite
vpdn group pptp client configuration dns 24.217.0.3 24.217.0.4
vpdn group pptp pptp echo 60
vpdn group pptp client authentication local
vpdn username ignite password *********
vpdn enable outside
dhcpd address 10.100.1.20-10.100.1.239 inside
dhcpd dns 24.217.0.3 24.217.0.4
dhcpd lease 14400
dhcpd ping_timeout 750
dhcpd enable inside
username PyraM1D password R9A/0V58DcxDC/du encrypted privilege 15
username ignite password AtLc.CEAzYBhv6gF encrypted privilege 15
terminal width 80
banner exec Welcome
banner login Authorized Users Only are allowed, Please Login:
banner motd .
banner motd
banner motd ***************************************************************
banner motd * Unauthorized access to this device is strictly prohibited. *
banner motd * All attempts to access are recorded, and reviewed daily. *
banner motd * Violations will be reported to the appropriate authorities. *
banner motd * Violators will be prosecuted. *
banner motd ***************************************************************
Cryptochecksum:027cdf46d16f849fdceec1d1c7baf39b
: end
 
It looks like you are not actually filtering the outgoing traffic, as I cannot see where you applied the "acl_inside" access list.

Do you know what the VPN termination device is?


 
horus42

I don't know exactly what the end device is, but I just sent an email to the client to find out. He has a temporary DSL connection and everything works out fine with that, so I at least know that the company's end works. I didn't apply the ACL because I am not sure if it will block all traffic afterwards. I am more fluent with Cisco routers than the PIX, and I am not exactly sure how all the ACLs work with a PIX. If you can clear it up, that would also be great.
 
Right now, because you have no access list applied to the outgoing traffic, all traffic will be allowed out, and since the connection gets established we at least know you are not blocking their incoming traffic.

Do they have this problem only when they connect from your location? If they do, first allow any traffic coming from their IP; if that fails, make sure that your router is not causing the problem.


Hope that helps
 
Is the client able to use NAT Traversal? The problem is most likely due to the fact that Protocol 50 (ESP) cannot traverse PAT, so secure data can never be sent. The issue you're left with is either assigning your internal host a static IP address to the outside world on the firewall or getting NAT traversal to work with your VPN solution. Here is a good link:


Free Firewall/Network/Systems Support-
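A small audit of the two points raised in the replies above: an ACL that is defined but never applied with access-group filters nothing, and an inside client whose ESP has to cross interface PAT needs either a static translation or NAT-T on the client and peer. This is an added example, not code from the thread; the sample config is constructed, abridged in the style of the posted one, and the client host 10.100.1.50 is an assumed value.

```python
# Constructed sample, abridged in the style of the PIX 6.3 config posted in the thread.
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.100.1.0 255.255.255.0 10.100.2.0 255.255.255.0
access-list acl_inside permit esp any any
access-list acl_inside permit udp any any eq isakmp
access-list acl_outside permit esp any any
access-list acl_outside permit udp any any eq isakmp
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.100.1.13 10.100.1.13 netmask 255.255.255.255 0 0
"""

def parse_pix(text):
    """Collect the pieces of a PIX 6.x config this audit cares about."""
    info = {"acls": set(), "applied": set(), "nat_exempt": set(),
            "statics": set(), "pat_interface": False}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "access-list" and len(p) > 1:
            info["acls"].add(p[1])                      # every ACL name defined
        elif p[0] == "access-group" and len(p) > 1:
            info["applied"].add(p[1])                   # ACLs bound to an interface
        elif p[0] == "nat" and "access-list" in p:      # nat 0 exemption list is "used"
            info["nat_exempt"].add(p[p.index("access-list") + 1])
        elif p[0] == "static" and len(p) > 3:           # static (in,out) global local ...
            info["statics"].add(p[3])                   # local host with 1:1 translation
        elif p[0] == "global" and p[-1] == "interface": # PAT to the outside address
            info["pat_interface"] = True
    return info

def audit_pix_config(text, vpn_client_host):
    """Findings relevant to an inside client running IPsec through the PIX."""
    info = parse_pix(text)
    findings = []
    for name in sorted(info["acls"] - info["applied"] - info["nat_exempt"]):
        findings.append(f"unapplied ACL: {name}")
    # ESP carries no ports, so interface PAT cannot multiplex it; only a static
    # 1:1 translation for this host, or NAT-T (UDP 4500) end to end, avoids that.
    if info["pat_interface"] and vpn_client_host not in info["statics"]:
        findings.append(f"esp through pat: {vpn_client_host}")
    return findings

if __name__ == "__main__":
    for f in audit_pix_config(SAMPLE_CONFIG, "10.100.1.50"):  # assumed client host
        print(f)
```

Note that the PIX's own `isakmp nat-traversal` line only affects tunnels that terminate on the PIX; for a client tunnelling through it, NAT-T has to be supported by the client and the remote VPN device.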
 
Sorry for not responding so quickly. I had taken a day off to get some things ready for college. Thanks for clearing up the ACLs, horus42. The only other thing I can think of that I would have to do is add some more permit statements to allow access from my end into the PIX. As for static mapping, I don't think I can do that since there are few addresses and I might in the future have other clients from the same place needing to VPN out. Is there a way to permit all VPN traffic from anywhere without having to do mappings? I appreciate all your help.
 
You can just create a new access rule which allows any traffic coming from the VPN device to any device.

This is what you need

Code:
access-list 101 permit ip host VPN_PEER any
access-group
 
Sorry, this is what you need

Code:
access-list 101 permit ip host VPN_PEER any
access-group 101 in interface outside
 
I think you will still have problems. What type of VPN is it? Does the VPN support NAT Traversal? That is the only way you will get your IPsec VPN to work when using PAT.

Free Firewall/Network/Systems Support-
 
I believe the VPN type is a GRE tunnel with IPsec enabled, NetworkGhost. I am willing to bet he is using the Microsoft client. I think that horus42's solution should work. If I permit everything from his company through the PIX then nothing should get blocked.
 