Force Internet traffic thru VPN on PIX 506E

[deca2499]

Hello everyone,

I am trying to figure out a problem we are having at the company I work at. Let me give you a bit of an overview.


HQ in Mason, Ohio with a VPN3005, Outside IP of 172.16.180.90/30 (Changed the first two octets for security). Inside IP of 172.16.180.96/27 Branch in Pasadena, California with a PIX 506E, outside IP of 132.15.161.122. Inside IP 172.16.180.129/26.


The problem I am having is that HQ has a web filter that monitors Internet traffic and websites. Branch office is not getting Internet traffic through the filter. They can get to unauthorized and blocked websites.
I am thinking it may be some kind of routing issue, but am not sure at this point. I have been looking at the newsgroups and am finding that, if I am understanding correctly, the PIX will not send packets back out the same interface in which they arrived.

I am posting the config of the PIX on here so that you can see what I am dealing with. I was given a possible solution, but I am reluctant to try it as the firewall is 2500 miles away and I dont want to make changes to it unless I know exactly what is going to happen.

: Saved
: Written by enable_15 at 20:53:18.402 PDT Sun Jun 15 2008
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 4T3ptsQTHmNUt0bn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname c506e
domain-name domain.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 172.16.180.201 NetworkMonitor
name 172.16.180.90 VPNConcentrator
access-list 100 permit ip any any
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit icmp any any
access-list outside_access_in deny tcp any any eq ldap
access-list outside_access_in deny tcp any any eq ldaps
access-list outside_access_in deny tcp any any eq www
access-list outside_access_in deny tcp any any eq telnet
access-list outside_access_in deny tcp any any eq finger
access-list outside_access_in deny tcp any any eq pop3
access-list outside_access_in deny tcp any any eq ident
access-list outside_access_in deny tcp any any eq ftp
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in deny udp any any eq tftp
access-list outside_access_in deny udp any any eq netbios-ns
access-list outside_access_in deny udp any any eq netbios-dgm
access-list outside_access_in deny udp any any eq snmp
access-list outside_access_in deny udp any any eq snmptrap
access-list outside_access_in permit tcp host NetworkMonitor host 172.26.240.254 eq https
access-list outside_access_in deny icmp any any
access-list outside_access_in permit icmp host NetworkMonitor any
access-list outside_access_in deny tcp any any eq ssh
access-list outside_access_in permit tcp host NetworkMonitor host X.X.X.X eq ssh
access-list outside_access_in deny udp any any eq 389
access-list outside_access_in deny udp any any eq 443
access-list outside_access_in deny tcp any any eq 135
access-list outside_access_in deny udp any any eq 135
access-list outside_access_in deny tcp any any eq 137
access-list outside_access_in deny udp any any eq 139
access-list outside_access_in deny tcp any any eq 445
access-list outside_access_in deny udp any any eq 445
access-list outside_access_in deny tcp any any eq 1645
access-list outside_access_in deny udp any any eq radius
access-list outside_access_in deny tcp any any eq 1646
access-list outside_access_in deny udp any any eq radius-acct
access-list outside_access_in deny tcp any any eq 6101
access-list outside_access_in deny udp any any eq 6101
access-list outside_access_in deny tcp any any eq 6103
access-list outside_access_in deny udp any any eq 6103
access-list outside_access_in deny tcp any any eq 9100
access-list outside_access_in deny udp any any eq 9100
access-list outside_access_in deny tcp any any eq 1080
access-list outside_access_in deny udp any any eq 1080
access-list outside_access_in deny tcp any any eq 1449
access-list outside_access_in deny udp any any eq 1449
access-list outside_access_in deny tcp any any eq 2111
access-list outside_access_in deny udp any any eq 2111
access-list outside_access_in deny tcp any any eq 862
access-list outside_access_in deny udp any any eq 862
access-list outside_access_in deny tcp any any eq 521
access-list outside_access_in deny udp any any eq 521
access-list outside_access_in permit tcp host VPNConcentrator any
access-list outside_access_in permit udp host VPNConcentrator any
access-list outside_access_in permit gre host VPNConcentrator any
access-list outside_access_in deny tcp any any eq 4661
access-list outside_access_in deny udp any any eq 4661
access-list outside_access_in deny tcp any any eq 4662
access-list outside_access_in deny udp any any eq 4662
access-list outside_access_in deny tcp any any eq 81
access-list outside_access_in deny udp any any eq 81
access-list outside_access_in deny tcp any any eq 1041
access-list outside_access_in deny udp any any eq 1041
access-list outside_access_in deny tcp any any eq 1034
access-list outside_access_in deny udp any any eq 1034
access-list outside_access_in permit ip host VPNConcentrator any
access-list outside_access_in permit icmp any any
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.0 255.255.255.192
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.137.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.138.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.187.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.186.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.182.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.211.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.205.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.96 255.255.255.240
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.68 255.255.255.252
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.64 255.255.255.252
pager lines 24
logging on
logging console alerts
interface ethernet0 auto
interface ethernet1 auto
icmp deny any traceroute outside
icmp permit host NetworkMonitor echo-reply outside
icmp permit host NetworkMonitor echo outside
icmp permit host NetworkMonitor traceroute outside
icmp permit 172.16.180.0 255.255.255.192 echo-reply inside
icmp permit 172.16.137.0 255.255.255.0 echo-reply inside
icmp permit 172.16.180.0 255.255.255.192 echo inside
icmp permit 172.16.137.0 255.255.255.0 echo inside
icmp permit 172.16.180.128 255.255.255.192 echo-reply inside
icmp permit 172.16.180.128 255.255.255.192 echo inside
icmp permit 172.16.180.128 255.255.255.192 traceroute inside
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.252
ip address inside 172.16.180.129 255.255.255.192
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.16.180.0 255.255.255.192 outside
http 172.16.137.0 255.255.255.0 outside
http NetworkMonitor 255.255.255.255 outside
http NetworkMonitor 255.255.255.255 inside
http 172.16.180.0 255.255.255.192 inside
http 172.16.180.128 255.255.255.192 inside
http 172.16.137.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 172.16.137.201 /
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set vpn2 esp-des esp-md5-hmac
crypto map vpn2 10 ipsec-isakmp
crypto map vpn2 10 match address 101
crypto map vpn2 10 set peer VPNConcentrator
crypto map vpn2 10 set transform-set vpn2
crypto map vpn2 interface outside
isakmp enable outside
isakmp key ss8r4eCEvpn address VPNConcentrator netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh NetworkMonitor 255.255.255.255 outside
ssh 172.16.180.128 255.255.255.192 inside
ssh 172.16.180.0 255.255.255.192 inside
ssh 172.16.137.0 255.255.255.0 inside
ssh timeout 60
terminal width 80
Cryptochecksum:6789a0158aff20c80ef5c700a1e5047b
: end


Possible solution to add:

access-list frominside permit ip 172.16.180.128 255.255.255.192 172.16.180.0 255.255.255.192
access-list frominside permit ip 172.16.180.128 255.255.255.192 172.16.137.0 255.255.255.0
access-list frominside permit ip 172.16.180.128 255.255.255.192 172.16.138.0 255.255.255.0
access-list frominside permit ip 172.16.180.128 255.255.255.192 172.16.187.0 255.255.255.0
access-list frominside permit ip 172.16.180.128 255.255.255.192 172.16.186.0 255.255.255.0
access-list frominside permit ip 172.16.180.128 255.255.255.192 172.16.182.0 255.255.255.0
access-list frominside permit ip 172.16.180.128 255.255.255.192 172.16.211.0 255.255.255.0
access-list frominside permit ip 172.16.180.128 255.255.255.192 128.170.205.0 255.255.255.0
access-list frominside permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0
access-list frominside permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0
access-list frominside permit ip 172.16.180.128 255.255.255.192 172.16.180.96 255.255.255.240
access-list frominside permit ip 172.16.180.128 255.255.255.192 172.16.180.68 255.255.255.252
access-list frominside permit ip 172.16.180.128 255.255.255.192 172.16.180.64 255.255.255.252
access-group frominside in interface inside



I am rather new at working with PIXs and Cisco routers, so my understanding is not that great on this issue. Basically I need help on figuring out how to get the ALL traffic to come across the VPN to run through HQ. If you need more info, please let me know.


Thank you in advance for all your help.

 

[NetworkGhost]

You need to adjust your Match ACL ( access-list 101) to have a destination of any. Also the HQ headend will need to have their match acl updated also.

What type of device is the headend running?

http://www.wr-mem.com

 

[deca2499]

So would this command do it?
"access-list 101 permit ip any any"

The HQ has a VPN 3005 concentrator at our end.

What would be the correct command if that is not right?

Thank you for your prompt response..

 

[NetworkGhost]

access-list 101 permit ip 172.16.180.128 255.255.255.192 any


The other end would need the reverse of that defined in the group.

http://www.wr-mem.com

 

[deca2499]

Thanks for the reply NetworkGhost.

Do I still add in the access-list frominside as proposed above or just use the access-list 101 permit ip 172.16.180.128 255.255.255.192 any on the 506 and the reverse on the 3005?

Thank you again.

 

[NetworkGhost]

If you dont have an ACL applied to the inside interface yet then you wont need one. By Default Inside interface security level 100 has access to all lower security level interfaces.

http://www.wr-mem.com

 

[deca2499]

Are you talking about the ACL on the 3005, the 506, or both? I am new to working with the PIX, so I don't understand all this just yet. I want to make sure I understand the changes before I make any changes.

If I understand correctly,
the 506 would get this line:
access-list 101 permit ip 172.16.180.128 255.255.255.192 any
and the 3005 would get this one:
access-list 101 permit ip 172.16.180.97 255.255.255.224 any
correct?

If there is no ACL applied to the inside interface of the 3005, I dont need to make any changes to it.

Am I correct in this understanding?

Thank you again for your help.

 

[NetworkGhost]

The 3005 wont get an access-list. I believe you will need to configure the local network list to be 0.0.0.0 mask 0.0.0.0. I would also suggest you use a different ACL for your match address and nat bypass. This change will also effect traffic flow until everything is working as expected.


So first get the concentrator configured correctly before making changes to the ASA.

Add this line to the ASA:

access-list 101 permit ip 172.16.180.128 255.255.255.192 any

Take out these lines:
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.0 255.255.255.192
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.137.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.138.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.187.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.186.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.182.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.211.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.205.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.96 255.255.255.240
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.68 255.255.255.252
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.64 255.255.255.252

Remove the 101 reference for NAT

no nat (inside) 0 access-list 101

Create a new nat ACL:

access-list no_nat permit ip 172.16.180.128 255.255.255.192 any
nat (inside) 0 access-list no_nat


This is by no means a small change. Be sure to know how to backout if this is a critical link. Good Luck!

http://www.wr-mem.com

 

[deca2499]

From all the lines that I am taking out on down is done on the 506, correct? I add in that one line to the ASA 5510? Do I just leave the config on the 3005 alone?

I just want to be clear as the remote office is 2200 miles away and I dont really have someone there able to assist.

Thank you for all of your assistance.

 

[NetworkGhost]

Wait, you have 3 devices? 506, 5510 and 3005?

If I were you I would get a OOB Modem for the remote office before doing any changes. Much cheaper than hiring a consultant or flying out to the site.

As long as you have the PIX set up for management access from the outside interface (SSH or HTTPS) than you should not lose management connectivity.

All the lines posted were for the 506. Not sure where the ASA 5510 fits in, I dont think you mentioned that yet... I think I made the mistake of calling the PIX the ASA.

http://www.wr-mem.com

 

[deca2499]

Oh shew.. You had me scared that I would have to do somethin to the ASA also.. LOL Since the ASA is passing everything for the VPN thru to the 3005, I didnt think it was necessary to include that in the disscussion. I apoligize if I should have included it earlier.

The HQ network is setup like this:
T1-->ASA-->3005 Concentrator-->4507
-->2811 Router-->4507

What would need to be changed on the 3005 before I do the PIX? Am I correct that I would need to have something like:
"access-list 101 permit ip 172.16.180.90 255.255.255.224 any" on the 3005? Unfortunatly I have yet to see the config on the 3005. I expect to see it tomorrow. I expect that will help me figure this out.

I appreciate your help and patience with this newbie on the PIX..

 

[NetworkGhost]

On the Concentrator you will need to define the local LAN for the connection in the IPSEC settings. You should make it 0.0.0.0 0.0.0.0. Remote LAN would be 172.16.180.128 255.255.255.192


Once you see the settings post the values for local and remote LANs

http://www.wr-mem.com

 

[deca2499]

I have the settings for the 3005. I will try to attach the file as it is a 45 page doc in Word at 8 pt font. I hope you can read it, cause I am not sure what I am looking at. It is an older Altiga box with version 1.66 on it.

 

[deca2499]

ok.. So that didnt work.. Or what do I look for?

 

[NetworkGhost]

Unfortunately I have not touched the Altiga. WOuld have to see the screen shots for the ISAKMP and IPSEC settings. If you have a ASA in front of this thing why are you not using that? Just curious.

http://www.wr-mem.com

 

[deca2499]

OK. Let's try this again. The link will be there till I am able to get this issue resolved. I hope this helps, as I really am not sure what to look for on this config.

Thank you for all your help.

 

[deca2499]

Would it be easier to have the ASA 5510 as the VPN termination point? Since it is an adaptive VPN/firewall, it should be more than capable of dealing with the tunnel and maybe even better than the current setup, yes/no??

Is the 506 capable of having two tunnels side by side, one live and one as a test to make sure everything would work then switch it over completely to the ASA?

 

[NetworkGhost]

The ASA is the replacement for both the PIX and Concentrator. The 506 can have multiple tunnels.

http://www.wr-mem.com