PIX 501 not allowing connected VPN to ping or RDP

[Dalamir]

Hi all,

Problem an a 501 using 6.3(3) firmware.

VPN client connects just fine, however, users are unable to ping hosts on the LAN and no RDP session can be initiated.

The config:

interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password M9v4JozybWM6igYh encrypted
passwd OJWhVZN54CKfmEtS encrypted
hostname pix-webo-15
domain-name support.nl
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name aa.aaa.aaa.aaa pix-reus
name ccc.ccc.ccc.ccc pix-webo-17
name c1c.c1c.c1c.c1c pix-webo-15
access-list ipsec permit ip 131.1.0.0 255.255.0.0 131.3.0.0 255.255.0.0
access-list ipsec permit ip 131.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list ipsec permit ip 131.2.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list ipsec permit ip 131.3.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list ipsec permit ip 131.3.0.0 255.255.0.0 131.1.0.0 255.255.0.0
access-list nonat permit ip 131.1.0.0 255.255.0.0 131.3.0.0 255.255.0.0
access-list nonat permit ip 131.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 131.2.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 131.3.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 131.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 131.3.0.0 255.255.0.0 131.1.0.0 255.255.0.0
access-list reus permit ip 131.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside pix-webo-15 255.255.255.248
ip address inside 131.1.0.201 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclients 131.3.0.1-131.3.0.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 c2c.c2c.c2c.c2c 1
timeout xlate 0:05:00
timeout conn 0:00:00 half-closed 0:00:00 udp 5:00:00 rpc 120:00:00 h225 0:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside c3c.c3c.c3c.c3c pix
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address reus
crypto map mymap 20 set peer pix-reus
crypto map mymap 20 set transform-set myset
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address ipsec
crypto map mymap 30 set peer pix-webo-17
crypto map mymap 30 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address pix-reus netmask 255.255.255.255
isakmp key ******** address pix-webo-17 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 120
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool vpnclients
vpngroup vpn3000 split-tunnel ipsec
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vpn3001 address-pool vpnclients
vpngroup vpn3001 split-tunnel nonat
vpngroup vpn3001 idle-time 1800
vpngroup vpn3001 password ********
telnet timeout 5
ssh c4c.c4c.c4c.c4c 255.255.255.128 outside
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:cff61badb4818cfe8a3a518fce2821d7
: end

VPN host receives 131.3.0.2, target host is 131.1.0.4.
Debug icmp trace shows the ping request entering the pix, a reply is also formed, the host pinging does not receive an answer though.
Show access-list tells me :
access-list ipsec; 5 elements
access-list ipsec line 1 permit ip 131.1.0.0 255.255.0.0 131.3.0.0 255.255.0.0 (hitcnt=16)
access-list ipsec line 2 permit ip 131.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0 (hitcnt=659)
access-list ipsec line 3 permit ip 131.2.0.0 255.255.0.0 10.10.10.0 255.255.255.0 (hitcnt=0)
access-list ipsec line 4 permit ip 131.3.0.0 255.255.0.0 10.10.10.0 255.255.255.0 (hitcnt=0)
access-list ipsec line 5 permit ip 131.3.0.0 255.255.0.0 131.1.0.0 255.255.0.0 (hitcnt=0)
access-list nonat; 6 elements
access-list nonat line 1 permit ip 131.1.0.0 255.255.0.0 131.3.0.0 255.255.0.0 (hitcnt=35)
access-list nonat line 2 permit ip 131.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0 (hitcnt=803)
access-list nonat line 3 permit ip 131.2.0.0 255.255.0.0 10.10.10.0 255.255.255.0 (hitcnt=0)
access-list nonat line 4 permit ip 131.3.0.0 255.255.0.0 10.10.10.0 255.255.255.0 (hitcnt=0)
access-list nonat line 5 permit ip 131.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 (hitcnt=2)
access-list nonat line 6 permit ip 131.3.0.0 255.255.0.0 131.1.0.0 255.255.0.0 (hitcnt=0)
access-list reus; 1 elements
access-list reus line 1 permit ip 131.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 (hitcnt=2)
access-list dynacl6; 1 elements
access-list dynacl6 line 1 permit ip any host 131.3.0.2 (hitcnt=0)

So, afaict, the only thing not working is the pix relaying the answer to the host initiating the ping.
The dynacl looks like its supposed to allow precisely that, but doesn't seem to work.

Any thoughts, insights, mayhap even solutions would be very welcome.

Regards

Replies so far:

dloz (TechnicalUser)
3 Mar 06 14:28
access-list outside_INBOUND permit tcp any interface outside eq ssh
access-list outside_INBOUND permit icmp any any echo-reply
access-list outside_INBOUND permit icmp any any time-exceeded
access-list outide_INBOUND permit icmp any any unreachable
access-list outside_INBOUND permit tcp any interface outside eq https
access-list outside_INBOUND permit udp any interface outside eq ntp

I am some what new to pix boxes but on one I recently set up I needed to add theese access-list to allow ping replies to come back. I'm not real sure why I would need to do this but it started working after I did it.

 

[Dalamir]

It would appear that my earlier assessment was a bit to optimistic. The client says its connected, but the logs tell a different story:
1 08:46:30.421 03/10/06 Sev=Warning/2 IKE/0xA3000067
Received Unexpected InitialContact Notify (PLMgrNotify:886)

And the client statistics tell me that packets are being encrypted, but not decrypted.

Doing a debug crypto isakmp results in 5 pages of data, a bit to long to copy in my opinion, so I'll just paste the relevant bits:

crypto_isakmp_process_block:src:c5c.c5c.c5c.c5c, destix-webo-15 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

Right up to transform 10, then followed by:

crypto_isakmp_process_block:src:c5c.c5c.c5c.c5c, destix-webo-15 spt:4500 dpt:4500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): recalc my hash for NAT-D
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): recalc his hash for NAT-D
ISAKMP (0:0): NAT does not match HIS hash
hash received: 11 8d 8b 4e 3 db be c3 41 11 5e 93 2 f9 92 50
his nat hash : 67 46 2 e5 4 28 56 21 33 1 56 73 5b ea 24 80
ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for c5c.c5c.c5c.c5c, peer port 37905
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:195.114.228.186/4500 Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:c5c.c5c.c5c.c5c/4500 Ref cnt incremented to:1 Total VPN Peers:3
ISAKMP: peer is a remote access client
crypto_isakmp_process_block:src:c5c.c5c.c5c.c5c, destix-webo-15 spt:4500 dpt:4500
ISAKMP_TRANSACTION exchange

Faced with this feedbakc I am left with the obvious conclusion that ISAKMP has not been succesfully completed.
The question now, is the mismatched hash the cause of my problems, or the unacceptable atts?

Onwards, I guess....