Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

hi all, I'm having a problem

Status
Not open for further replies.

praks25

MIS
Sep 5, 2003
13
hi all,
I'm having a problem trying to successfully connect to networks behind firewalls from behind my PIX firewall.
we connect to about 10 to 15 sites and most sites require us to VPN in using CISCO client software.
we can successfully dial in with the CISCO client software but cannot ping or access anything at the other network.
but if we change over to an external IP we can successfully connect as well as access all the resources at the other network.
I have noticed this problem to occur only with CISCO client VPN software using IPSEC. most of the internal IP's are port mapped through the PIX. I understand that IPSEC produces encryption and more importantly authentication. I have setup ESP-MD5 authentication, which i believe excludes the header part of the packet specifically for natted or port mapped IP's. But I don't know if this authentication is somehow including the data packet header as part of the authentication hashing algorithm. when viewing the statistics of the IPSEC connection i see that packets are being encrypted and sent out, but in the "bytes in" column
i see the "packets decrypted" as 0 and "packets bypassed" continually incrementing. I even natted some internal IP's to external IP's on the PIX to see if this was problem specifially with port mapping but we still cannot successfully VPN in to other networks
accessing networks from within our network using PPTP works fine.
I do not want to setup a site-to-site VPN as some sites don't use a PIX and besides that would not solve our connectivity to all sites from within our network. i am kinda worried coz having our machines on external IP's is not a good security practice
so is there some command or setup i am missing here.
any help would be appreciated.
Thankyou

here is my PIX config
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
enable password .7Z3JGvXPROuK6nt encrypted
passwd .7Z3JGvXPROuK6nt encrypted
hostname XXXXXXXPIXfirewall
domain-name XXX.net
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host XXX.XXX.XXX.154 eq pptp log
access-list acl_out permit tcp any host XXX.XXX.XXX.31 eq https
access-list acl_out permit tcp any any eq www
access-list acl_in permit ip 10.90.10.0 255.255.255.0 10.90.100.0 255.255.255.0
access-list acl_in permit udp any any
access-list acl_in permit tcp any any
access-list acl_in permit icmp any any
pager lines 24
logging on
logging buffered errors
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside XXX.XXX.XXX.154 255.255.255.0
ip address inside 10.90.10.1 255.255.255.0
no ip address intf2
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
ip local pool XXXVPN1 10.90.100.1-10.90.100.252
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm location 10.90.10.0 255.255.255.0 inside
pdm location XXX.XXX.XXX.0 255.255.255.0 outside
pdm location 10.90.100.0 255.255.255.0 outside
pdm location 10.90.10.31 255.255.255.255 inside
pdm location 10.90.10.88 255.255.255.255 inside
pdm location 10.90.10.97 255.255.255.255 inside
pdm location XXX.XXX.XXX.3 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 XXX.XXX.XXX.66
global (outside) 30 XXX.XXX.XXX.139
global (outside) 40 XXX.XXX.XXX.23
global (outside) 10 XXX.XXX.XXX.88
nat (inside) 0 access-list acl_in
nat (inside) 40 10.90.10.22 255.255.255.255 0 0
nat (inside) 10 10.90.10.88 255.255.255.255 0 0
nat (inside) 30 10.90.10.144 255.255.255.255 0 0
nat (inside) 1 10.90.10.0 255.255.255.0 0 0
static (inside,outside) XXX.XXX.XXX.31 10.90.10.31 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http XXX.XXX.XXX.0 255.255.255.0 outside
http 10.90.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address XXX.XXX.XXX.3 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup XXX address-pool XXXVPN1
vpngroup XXX dns-server XXX.XXX.XXX.150 XXX.XXX.XXX.155
vpngroup XXX default-domain XXX.net
vpngroup XXX split-tunnel acl_in
vpngroup XXX idle-time 1800
vpngroup XXX password ********
telnet 10.90.10.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.90.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group XXX accept dialin pptp
vpdn group XXX ppp authentication mschap
vpdn group XXX ppp encryption mppe auto
vpdn group XXX client configuration address local mantisVPN1
vpdn group XXX client configuration dns XXX.XXX.XXX.150 XXX.XXX.XXX.155
vpdn group XXX client configuration wins XXX.XXX.XXX.150
vpdn group XXX pptp echo 60
vpdn group XXX client authentication local
vpdn username password
vpdn username password
vpdn username password
vpdn username password
vpdn username password
vpdn username password
vpdn username password
vpdn username password
vpdn username password
vpdn username password
vpdn username password
vpdn username password
vpdn username password
vpdn username password
vpdn username password
vpdn username password
vpdn username password
vpdn username password
vpdn username password
vpdn enable outside
dhcpd address 10.90.10.170-10.90.10.239 inside
dhcpd dns XXX.XXX.XXX.150 XXX.XXX.XXX.155
dhcpd wins XXX.XXX.XXX.150
dhcpd lease 604800
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:2d7978746f1eb185c3b2930f7859dec9
: end
 
Can you try to configure a static translation on the PIX for the VPN client? Make sure both UDP 500 and ip protocol 50 are not blocked. If packets are being encrypted but no packets are decrypted it may be an issue with IP protocol 50 being blocked along the way. What is the headend device?
 
by configuring a static translation on the PIX for the VPN client do you mean configuring a static translation for one of the machines inside the other network to it's PIX?
I assumed that adding the command "sysopt connection permit-ipsec" would drop the need to specifically open up ports 50, 51 and udp 500.
what do u mean by headend device? i would assume your asking about our CISCO 2600 router that connects to the ISP via a T-1, behind it is the PIX and behind the PIX is the network.
it's the same at most of our other client sites.
thanx once again
 
themut,
your solution was right.
I static natted the internal IP to an external and opened up ports 50, 51 and udp 500 in the access list on the outside interface and it worked.
I tried leaving just the access-list ports (50,51,500 on external interface) open and port mapping (instead of static natting)like is usually done but it won't work.
So do i have to static nat every internal IP that needs to CISCO vpn out?
this will be a problem as we don't have that many external IP's
thankyou
John
 
You do not need a static translation as long as your headend device supports NAT-T. That´s the reason I asked you about it earlier. If you enable NAT-T on the headend device then you will not need the static translation othewise there´s no way around it.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top