IPSEC pass thru on PIX 506e 2

[STF26]

It seems like a few people have posted on this before but I cannot make a any sense of the replies.

Very simple- I have a Cisco PIX 506e at home. I want use the Cisco VPN client 4.x behind it to connect to a Cisco PIX 515e. With my linksys router, it works perfect so I know it is not an issue with me cable modem etc. I have tried adding the various sysopt permit... commands for ipsec that I have seen in prior post but i still can not get anywhere. I can connect to the other pix and it actually asks for my radius auth. After auth, it connects but I cannot access any resources thru the tunnel. I have tried some acls that would allow ipsec but to no avail.

I am wondering if someone has a sample config that would demonstrate what I am trying to do?

Thanks

STF

 

[dopehead]

Sounds like you are using legacy ipsec towards the pix, you need "fixup protocol esp" so you can do ESP over PAT.

Jan

Network Systems Engineer
CCNA/CQS/CCSP

 

[STF26]

When I try to issue that command I get:

PAT for ESP cannot be enabled since ISAKMP is enabled. Please correct your conf
iguration and re-issue the command!

In addition, I do have a line in my config about a NAT traversal.

If I look at the syslog, when I try to VPN to the other PIX, I get:

%PIX-3-305006: portmap translation creation failed for protocol 50

I really appreciate your input. I am very surprised on how hard it is do something that I would consider pretty simple.

Here is the full config.


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password LwyAcSqvBqEbQanB encrypted
passwd RRK/X4EvxHLvskWh encrypted
hostname
domain-name
clock timezone EST 5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq smtp
access-list inbound permit tcp any any eq https
access-list inbound permit tcp any any eq 3389
access-list inbound permit esp any any
access-list inbound permit ah any any
access-list inbound permit udp any any eq isakmp
access-list nonat permit ip xxx.xxx.xxx.0 255.255.255.0 xxx.xxx.xxx.0 255.255.255
.0
access-list split permit ip xxx.xxx.xxx.0 255.255.255.0 xxx.xxx.xxx.0 255.255.255
.0
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside xxx.xxx.xxx.200 6/1468
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside xxx.xxx.xxx.xxx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.16.100.5-172.16.100.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 xxx.xxx.xxx.0 255.255.255.0 0 0
static (inside,outside) tcp interface https xxx.xxx.xxx.200 https netmask 255.25
5.255.255 0 0
static (inside,outside) tcp interface smtp xxx.xxx.xxx.200 smtp netmask 255.255.
255.255 0 0
static (inside,outside) tcp interface 3389 xxx.xxx.xxx.xxx 3389 netmask 255.255.2
55.255 0 0
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host xxx.xxx.xxx.200 $TF=radius timeout 5
ntp server xxx.xxx.xxx.200 source inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup * address-pool ippool
vpngroup * dns-server xxx.xxx.xxx.200
vpngroup * wins-server xxx.xxx.xxx.200
vpngroup * default-domain
vpngroup * split-tunnel split
vpngroup * idle-time 1800
vpngroup * password ********
telnet xxx.xxx.xxx.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:647752a4149c27791058754a238202e9
: end

Let me know what you think.

Thanks

 

[STF26]

I wanted to add some additional thoughts to my other posts

I also use the safenet VPN client to connect to some various watchguard sites and that client works fine. I am not sure why but I assume that it operates on some different ports etc. After searching around extensively, I have started to understand the situation with the Pix. If I use the fixup protocol ike command, I will be able to have one IPSEC tunnel originate from my pix however, I will not be allowed to have any tunnels terminate to it.

There is also the isakmp nat traversal which I have enabled on my side but I guess that I will have to enable it on the other pix. I did try to VPN to my pix from that one and it did not work even though I have the nat traversal 20 in my config.

I hope someone can shed some light to this for me. It is driving me nuts. I cannot believe that the $ 70.00 linksys firewall worked fine and the PIX does not...

Thanks

 

[dopehead]

The Safenet client probably uses nat-t or some other encapsulation of the esp protocol. The Cisco Secure 4.x/3.x client can of course use this, but might not do that if you are using it behind the pix. The fixup esp command doesn't work when the pix you are trying to connect through is also used for vpn.

So, solution would be to debug on the remote pix when you try to vpn client to it and check if it is trying nat traversal at all. Because that is the solution to your problem, since it uses udp port 500 and 4500, whereas legacy ipsec uses protocol 50/51 and udp 500.


Jan

Network Systems Engineer
CCNA/CQS/CCSP

 

[STF26]

I agree with you about the watchguard client. If I turn on the nat traversal on the remote pix maybe this will work? How do I know if it is trying nat traversal? If I have NAT traversal enabled on my 506e, shouldn't I be able to get into it from behind another pix.

Thanks

 

[dopehead]

Yes, nat traversal only requeires udp ports and no esp translation, so this should work.

If you do a "debug crypto isakmp" on the remote pix you will see some debug stating that remote end supports NAT-T, can't remember the exact msg.

Jan

Network Systems Engineer
CCNA/CQS/CCSP

 

[themut]

You should also see packets on UDP port 4500.

 

[STF26]

I finnaly was able to resolve this issue. I added the line isakmp nat traversal 20 on the remote pix and everything started working great. It was that easy. I am very appreciative on everyone's input and I hope that this thread serves as a resource to someone else that encounters this same issue.

I had one additional question regarding my vpn group. Is it possible to create an additional vpn group that could restrict the users that use it to certain ports/hosts etc.?

 

[dopehead]

Well, yes....two different approaches. Both require you to use different ip pools for your groups, then you can do access-lists to stop one pool from accessing what you don't wan't them to see.
Problem is that it is return traffic from the lan that you can block, so security wise it's not such a great solution.

Another way is to do a "no sysopt connection permit-ipsec", but then you would have to know what the address of the clients connecting via vpn is, which usually one doesn't.

Jan

Network Systems Engineer
CCNA/CQS/CCSP

 

[theskipper101]

My situation was similar in problem...so I will share. The error I was getting was:

PIX-3-305006: regular translation creation failed for protocol 50 src inside: <IP> dest outside: <IP>

My Network Diagram

Cisco VPN (v4.x.x)--->PIX<--->Internet--->Destination PIX--->Local network

Notice that my local PIX DID have isakmp enabled since it also DID accept VPNs...two way VPN traffic...

Anyway, I couldn't gain access to the Destination PIX to try to enable isakmp nat-traversal...that's what I think (from reading this thread) was the problem...

SO, as a workaround...

I disabled isakmp on my local PIX interface and added the fixup protocol ESP-IKE

I also had to DISABLE my transparent tunneling on the client (ver 4.x.x.)since the fixup protocol esp takes care of that...

Whallla...

Up and running. Finally...

Thanks!

-Skip

PS...I've had a ticket open to Cisco for a month...this thread did more in a day!

 

[ZenMuster]

NewBe need your help. Hi guys, I have PIX501 version 6.2 and I would like to connect to it from home using cisco client software. So far I'm not successful. I'm using PAt on the PIX may that is creating problem. Could someone check my config and tell me what I'm missing?

Thank you,

Alex.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password QB.o4qtAUf2x8nuB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.3 MAILServer
object-group service MailServices tcp
description SMTP and Secure IMAP
port-object eq 993
port-object eq smtp
port-object eq pop3
port-object eq pop2
port-object eq imap4
port-object eq https
port-object eq www
port-object eq 1723
access-list inside_access_in permit tcp any host xx.xx.xxx.xxx object-group Mail
Services
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xxx.xxx 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool local2 192.168.2.1-192.168.2.254
pdm location 192.168.1.0 255.255.255.0 inside
pdm location MAILServer 255.255.255.255 inside
pdm location 192.168.1.200 255.255.255.248 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 xx.xx.xxx.xxx
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) interface MAILServer netmask 255.255.255.255 0 0
access-group inside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.72.225.181 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server authserver protocol radius
aaa-server authserver (inside) host 192.168.1.4 abcdef timeout 5
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map mymap 20 ipsec-isakmp dynamic cisco
crypto map mymap client configuration address initiate
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client configuration address respond
crypto map partner-map client authentication authserver
crypto map partner-map interface outside
crypto map map-partner 20 ipsec-isakmp dynamic cisco
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local local2 outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup client address-pool local2
vpngroup client dns-server 192.168.1.4
vpngroup client wins-server 192.168.1.4
vpngroup client default-domain cisco.com
vpngroup client split-tunnel 80
vpngroup client idle-time 1800
vpngroup client password ********
vpngroup local idle-time 1800
vpngroup local2 idle-time 1800
vpngroup cliant idle-time 1800
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local local2
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.4
vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.1.4
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxxxxxxxx password ********
vpdn enable outside
username Administrator password 9mwY2PwxvSXALQE5 encrypted privilege 15
terminal width 80