
Configure Pix501 VPN with Cisco 837


syncreon (Technical User), Apr 4, 2007
Hi there,

I have the following scenario...

Internet (ADSL) -> Cisco 837 -> Lan 192.168.1.0

This all works fine, internet access, web server access etc. I also have the Cisco 837 connected to a Pix 501 which in turn connects to a separate LAN in our building 172.20.4.0. I have the Pix 501 set up as a VPN server, from any client on the 192.168.1.0 network I can connect through the Pix onto my second LAN, obtain an address and it all works fine.

However, when I try to VPN from the internet through the Cisco 837, it just does not connect at all. I believe I need to port forward (NAT) on the 837 to the Pix box? Here is my config, can anybody tell me if I am missing something obvious?

WWADSL#sh run
Building configuration...

Current configuration : 2650 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname WWADSL
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$RLjO$.otKlniZBscACswq85As7.
!
username admin password 0 *****
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.1.251
ip dhcp excluded-address 192.168.1.111
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.80
!
ip dhcp pool WWCLIENTS
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.251
dns-server 194.72.0.114 62.6.40.162
!
!
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
ip address 192.168.1.251 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname B002913@hg40.btclick.com
ppp chap password 0 *******
ppp pap sent-username B002913@hg40.btclick.com password 0 rustlers1
ppp ipcp dns request
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 110 interface Dialer0 overload
ip nat inside source static udp 192.168.1.100 10000 interface Dialer0 10000
ip nat inside source static tcp 192.168.1.100 10000 interface Dialer0 10000
ip nat inside source static udp 192.168.1.100 4500 interface Dialer0 4500
ip nat inside source static esp 192.168.1.100 interface Dialer0
ip nat inside source static udp 192.168.1.100 500 interface Dialer0 500
ip nat inside source static tcp 192.168.1.80 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.80 80 interface Dialer0 80
!
!
access-list 1 permit any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
login local
transport preferred all
transport input telnet ssh
transport output none
!
scheduler max-task-time 5000
end

WWADSL#

Regards
John

 
Forgot to add... the address 192.168.1.100 is the outside address on my Pix501.
 
Hello
If I understood correctly you would like to VPN from the Internet into your private network.
Do you have a static public address? Are you using the Cisco VPN client to make the connection to the PIX? You should also post a "show run" of the PIX.
For now, try also forwarding the "ahp" protocol. Normally the PIX should terminate the tunnel with a public address, but with some hard work your setup should work as well.
Regards
 
Hi minue, we do have a static address yes, 81.149.160.175. This is a sh run of the pix...

WWVPN# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname WWVPN
domain-name *****.com
no fixup protocol dns
no fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
no fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 172.20.4.0 hinckley_lan_b
name 3.1.0.0 dublin_lan
object-group network EXTACCESS
network-object LAPTOP 255.255.255.255
access-list inside_outbound_nat0_acl permit ip any 172.20.12.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 172.20.12.0 255.255.255.0
access-list outside_access_in permit ip 172.20.12.0 255.255.255.0 any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.100 255.255.255.0
ip address inside 172.20.7.110 255.255.252.0
ip audit info action alarm
ip audit attack action alarm
ip local pool WW_IP_POOL 172.20.12.0-172.20.12.254 mask 255.255.255.0
pdm location 172.20.7.105 255.255.255.255 inside
pdm location dublin_lan 255.255.0.0 inside
pdm location 172.20.7.6 255.255.255.255 inside
pdm location LAPTOP 255.255.255.255 outside
pdm group EXTACCESS outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
access-group outside_access_in in interface outside
route inside dublin_lan 255.255.0.0 172.20.7.251 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 0
aaa-server RADIUS (inside) host 172.20.7.6 ***** timeout 5
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http hinckley_lan_b 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-MD5
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup wwgroup address-pool WW_IP_POOL
vpngroup wwgroup dns-server 172.20.7.4
vpngroup wwgroup wins-server 172.20.7.4
vpngroup wwgroup default-domain walshwestern.com
vpngroup wwgroup idle-time 1800
vpngroup wwgroup password ********
telnet 172.20.7.105 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
username wwvpn password ***** encrypted privilege 15
terminal width 80
Cryptochecksum:16e709cacde4a039e28cbf020602aa40
: end
WWVPN#
 
Hello
I forgot to ask if you can access the Internet from behind the PIX (the client on the 172.20.7.110 network). Also, are you using the Cisco VPN client software to connect to the PIX?
Regards
 
Looking back into this now, I am trying to connect from home (ISP Address is 86.20.84.42). I have turned on logging on the Cisco Pix and am now seeing the following errors:

Message ID - Description
110001 - No route to 86.20.84.42 from 192.168.1.100
110001 - No route to 86.20.84.42 from 192.168.1.100
110001 - No route to 86.20.84.42 from 192.168.1.100
602203 - ISAKMP Session disconnected (local 192.168.1.100 (responder), remote 86.20.84.42)

So it would appear that the router is tunneling the traffic correctly, but once it hits the Pix and tries going back the other way it doesn't know how to get to 86.20.84.42. Is that correct?

 
Hello
Try putting this statement into the PIX config:
route outside 0.0.0.0 0.0.0.0 192.168.1.251

Regards
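An added example, not from the thread: a small Python check that reads the two configs posted above and tests the two things the replies converge on, the 837 statically forwarding IKE (UDP 500), NAT-T (UDP 4500) and ESP to the PIX outside address, and the PIX having a default route on its outside interface back to the 837 so it can answer the remote peer (the 110001 "No route" messages). The config excerpts are copied from the thread; the parsing and checks are my own assumptions, not anything either device runs.

```python
import re
# Excerpt of the Cisco 837 config posted in the thread (NAT lines only; constructed excerpt).
IOS_CONFIG = """\
ip nat inside source list 110 interface Dialer0 overload
ip nat inside source static udp 192.168.1.100 4500 interface Dialer0 4500
ip nat inside source static esp 192.168.1.100 interface Dialer0
ip nat inside source static udp 192.168.1.100 500 interface Dialer0 500
"""
# Excerpt of the PIX 6.3 config as first posted: an inside route, nothing out the outside interface.
PIX_BEFORE = """\
ip address outside 192.168.1.100 255.255.255.0
ip address inside 172.20.7.110 255.255.252.0
route inside dublin_lan 255.255.0.0 172.20.7.251 1
"""
PIX_AFTER = PIX_BEFORE + "route outside 0.0.0.0 0.0.0.0 192.168.1.251\n"  # route from the last reply
STATIC_RE = re.compile(r"^ip nat inside source static (udp|tcp|esp|ahp) (\S+)(?: (\d+))? interface \S+(?: \d+)?$")


def ios_static_forwards(config: str) -> dict:
    """Map each inside host to the protocols/ports the IOS config statically forwards to it."""
    forwards = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, host, port = m.groups()
            forwards.setdefault(host, set()).add(f"{proto}/{port}" if port else proto)
    return forwards


def missing_ipsec_forwards(config: str, pix_outside: str) -> list:
    """IKE (udp/500), NAT-T (udp/4500) and ESP must all be forwarded to the PIX outside address."""
    required = {"udp/500", "udp/4500", "esp"}
    return sorted(required - ios_static_forwards(config).get(pix_outside, set()))


def pix_outside_default_route(config: str) -> "str | None":
    """Gateway of 'route outside 0.0.0.0 0.0.0.0 <gw>', or None when the PIX has no path back out."""
    for line in config.splitlines():
        m = re.match(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line.strip())
        if m:
            return m.group(1)
    return None


def diagnose(ios_config: str, pix_config: str, pix_outside: str) -> list:
    """Findings that would explain a remote VPN client never completing against the PIX."""
    findings = [f"837: no static NAT for {f} to {pix_outside}"
                for f in missing_ipsec_forwards(ios_config, pix_outside)]
    if pix_outside_default_route(pix_config) is None:
        findings.append("PIX: no default route on outside; replies to remote peers have no route (110001)")
    return findings
```

Running diagnose on the PIX config as first posted reports only the missing outside route; with the suggested route added it reports nothing.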
 