PIx 525 VS pix 501 vpn with different vlans

[Namik]

Hi everybody!
I'm not so professional with vpn's and I need your help or advice
My network is cisco 3750 with different vlans - connected to pix525(easy vpn server)-remote sites must be connected through Pix501 vpn (easy vpn hardware client)

As I understand the inside port wich connected to 3750 must be trunk port yes? I can create interfaces for all vlans what i have in 3750 on Pix525,also i can make different users for different vlAns...I need Multiple VPN Group Clients to use Different VLANs after Connecting to a Pix
did any one have such configuration?

 

[Supergrrover]

Ask and you shall receive

http://www.cisco.com/en/US/products...s_configuration_example09186a00806ab788.shtml

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Namik]

nice, I've seen and read this article many many times at cisco, but configuration of pix515 and pix525 is not the same unfortunately..I cannot use same configuration on PIX 525

 

[Supergrrover]

What exactly is different? The 525 is the just more powerful hardware. The OS is the same.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Namik]

for example there is no such command on PIx 525 like group-policy

 

[Supergrrover]

Which version of the PIX OS are you using on both?



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Namik]

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

mvdpix up 13 days 20 hours

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: ethernet0: address is 0015.c6ba.5b23, irq 10
1: ethernet1: address is 0015.c6ba.5b24, irq 11
2: gb-ethernet0: address is 000e.0c9b.7599, irq 10
3: gb-ethernet1: address is 000e.0c84.2452, irq 5
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Physical Interfaces: 8
Maximum Interfaces: 12
Cut-through Proxy: Enabled



and that on Pix 501
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

idrak up 12 mins 49 secs

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 001b.d4e8.1937, irq 9
1: ethernet1: address is 001b.d4e8.1938, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10

 

[Supergrrover]

group-policy is available on PIX OS7.x and up. It won't be on either of the two versions you posted. Commands are OS related not hardware related.
The 525 will run OS7x (and maybe 8x). You can upgrade it and have the extra features.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Namik]

Thats the config from 525

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface gb-ethernet0 1000auto shutdown
interface gb-ethernet1 1000auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif gb-ethernet0 intf2 security4
nameif gb-ethernet1 intf3 security6
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname mvd
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.10.170.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.10.170.0 255.255.255.0
access-list 101 permit tcp host 10.10.170.0 any
access-list 101 permit ip 10.10.170.0 255.255.255.224 any
access-list 101 permit icmp 10.10.170.0 255.255.255.224 any
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp 10.10.170.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 10.10.170.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit tcp 10.10.170.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit udp 10.10.170.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 192.168.240.253 255.255.255.0
ip address inside 192.168.1.253 255.255.255.0
no ip address intf2
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
ip local pool mvd 10.10.170.1-10.10.170.200
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm location 192.168.1.70 255.255.255.255 inside
pdm location 192.168.240.70 255.255.255.255 outside
pdm location 10.10.170.0 255.255.255.255 outside
pdm location 10.10.170.0 255.255.255.224 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.240.70 255.255.255.255 outside
http 192.168.1.70 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mvd address-pool mvd
vpngroup mvd idle-time 1800
vpngroup mvd password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
username ***** password WU712Qw3lg7mFjEr encrypted privilege 15
terminal width 80
Cryptochecksum:e65881d5f538ab907cf585a760b276bb
: end
[OK]

split tunneling no needed
with this config i cannot access my local network
but the same config works on my pix 501 and I can access my network
From 525 inside i can ping whole inside network whithout problem, but from vpn i cannot

 

[Namik]

any one have any idea whats wrong in this config?

 

[geeksquad]

Hi Brent,

Got a sticky one for you....
I manange a PIX 515 for a customer. Behind it sits a MPLS cloud. A customer(Kerry) of our customer is connecting onto the MPLS cloud and getting rid of their ISDN Internet connection. Now all Kerry's Internet traffic comes and goes through our PIX.
They have remote clients that use the Cisco VPN client + the Microsoft XP VPN client to terminate on a Cisco VPN concentrator.
The way we have setup this is to setup a static NAT on the PIX that NAT's a public address to the address of their concentator. I have got the Cisco VPN client connections working but cannot seem to get the Windows XP VPN client to work. It hangs at the authentication prompt. I have opened all the nessecary ports and enabled the pptp fixup protocol...
I think there is a GRE problem or maybe a port I am missing!!

While running a debug pptp and initiating a connection this is what I noticed .....

PPTP start-control-request: (outside:193.x.x.x/31932 -> eth2:10.26.0.198/47878)
PPTP start-control-reply: (outside:193.x.x.x/31932 <- eth2:10.26.0.198/47878)
PPTP outgoing-call-request: (outside:193.x.x.x/31932 -> eth2:10.26.0.198/47878)
PPTP outgoing-call-reply: (outside:193.x.x.x/31932 <- eth2:10.26.0.198/47878)
PPTP set-link-info: (outside:193.x.x.x/31932 -> eth2:10.26.0.198/47878)
PPTP disconnect-notify: (outside:193.x.x.x/31932 -> eth2:10.26.0.198/47878)
requesting gre CID 16384 removal

Have you ever seen any issues like this before man... ??

 

[Namik]

any one can help?

 

[brianinms]

Namik, can you give an update of exactly what isnt working?

 

[Namik]

I can connect to vpn, but I cannot browse or ping any device in LAN

 

[brianinms]

Remove this line

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

 

[Namik]

hi brianinms, I removed the line crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20 but it not solved problem..any other idea?

 

[brianinms]

Are you masking the true outside ip address? You are trying to ping something on the 192.168.1.0 network? What is the ip address of the machine you are connecting from?

 

[Namik]

I'm trying to ping 192.168.1.6 and 192.168.1.100.
And I connecting from ip adress 192.168.240.70 to PIX

 

[brianinms]

add

isakmp nat-traversal 20

 

[Namik]

added, also not helped


uilding configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface gb-ethernet0 1000auto shutdown
interface gb-ethernet1 1000auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif gb-ethernet0 intf2 security4
nameif gb-ethernet1 intf3 security6
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname mvd
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.10.170.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.10.170.0 255.255.255.0
access-list 101 permit tcp host 10.10.170.0 any
access-list 101 permit ip 10.10.170.0 255.255.255.224 any
access-list 101 permit icmp 10.10.170.0 255.255.255.224 any
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp 10.10.170.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 10.10.170.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit tcp 10.10.170.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit udp 10.10.170.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 192.168.240.253 255.255.255.0
ip address inside 192.168.1.253 255.255.255.0
no ip address intf2
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
ip local pool mvd 10.10.170.1-10.10.170.200
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm location 192.168.1.70 255.255.255.255 inside
pdm location 192.168.240.70 255.255.255.255 outside
pdm location 10.10.170.0 255.255.255.255 outside
pdm location 10.10.170.0 255.255.255.224 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.240.70 255.255.255.255 outside
http 192.168.1.70 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mvd address-pool mvd
vpngroup mvd idle-time 1800
vpngroup mvd password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
username ***** password WU712Qw3lg7mFjEr encrypted privilege 15
terminal width 80
Cryptochecksum:e65881d5f538ab907cf585a760b276bb
: end
[OK]