Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
PIX gets errors when I try to VPN from inside to another network
- Thread starter ForumKid
- Start date
- Thread starter
- #3
If you are trying to VPN from inside the pix to an outside resource you will get this error. From cisco site:
IPSec
PIXFirewall Version 6.3 provides improved support for application inspection of Encapsulating Security Payload (ESP) and for using IPSec with NAT.
ESP is an IPSec protocol that provides data confidentiality, data integrity, and protection services, optional data origin authentication, and anti-replay services. ESP encapsulates the data to be protected.
However, because ESP packets do not identify the ports that are involved, PAT is performed by assigning port 0 (zero). Only one ESP tunnel is supported at a time. Also, when the PIXFirewall has this feature enabled, it cannot terminate VPN tunnels in relation to other IPSec peers.
Application inspection of ESP traffic is disabled by default. To enable this feature, enter the following command:
fixup protocol esp-ike
When this feature is enabled, PIXFirewall preserves the IKE source port. Support is not provided for the following:
•ESP tunnel serialization
•SPI matching
•Recording of SPIs for each ESP connection
IPSec
PIXFirewall Version 6.3 provides improved support for application inspection of Encapsulating Security Payload (ESP) and for using IPSec with NAT.
ESP is an IPSec protocol that provides data confidentiality, data integrity, and protection services, optional data origin authentication, and anti-replay services. ESP encapsulates the data to be protected.
However, because ESP packets do not identify the ports that are involved, PAT is performed by assigning port 0 (zero). Only one ESP tunnel is supported at a time. Also, when the PIXFirewall has this feature enabled, it cannot terminate VPN tunnels in relation to other IPSec peers.
Application inspection of ESP traffic is disabled by default. To enable this feature, enter the following command:
fixup protocol esp-ike
When this feature is enabled, PIXFirewall preserves the IKE source port. Support is not provided for the following:
•ESP tunnel serialization
•SPI matching
•Recording of SPIs for each ESP connection
- Thread starter
- #5
ESP and fixup protocol esp-ike has absolutely nothing to do with this problem. ESP is protocol 50, and is used by IpSec VPNs.
Protocol 47 is GRE, which is used when you try to create PPTP vpns. PPTP is typically used by the Microsoft vpn client, amongst others.
Like ESP, PPTP does not pass pat devices well, as it is a portless protocol. The PAT device doesn't know how to translate it from an inside address to an outside address correctly.
Recognising this, Cisco introduced better support for this with the fixup protocol pptp 1723 command in Pix o/s 6.3
There are work arounds on earlier versions. If you only have one host behind the PIX that needs to create a pptp tunnel (the machine on 192.168.1.50) then create a static mapping that maps GRE traffic from that internal address to the outside address of the pix. If you have more than one host that requires the ability to create a PPTP vpn from behind your pix, forget it, upgrade to 6.3, which has much better vpn support than 6.2.
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP
Protocol 47 is GRE, which is used when you try to create PPTP vpns. PPTP is typically used by the Microsoft vpn client, amongst others.
Like ESP, PPTP does not pass pat devices well, as it is a portless protocol. The PAT device doesn't know how to translate it from an inside address to an outside address correctly.
Recognising this, Cisco introduced better support for this with the fixup protocol pptp 1723 command in Pix o/s 6.3
There are work arounds on earlier versions. If you only have one host behind the PIX that needs to create a pptp tunnel (the machine on 192.168.1.50) then create a static mapping that maps GRE traffic from that internal address to the outside address of the pix. If you have more than one host that requires the ability to create a PPTP vpn from behind your pix, forget it, upgrade to 6.3, which has much better vpn support than 6.2.
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP
- Thread starter
- #7
- Thread starter
- #8
Ah, you've fallen for the old "Static translation syntax is weird" trick. Although the static translation starts with "static (inside, outside)" which would make you assume you should put the inside address first, and the outside address second, it's actually round the other way. Why, no'one knows ... 
You need to put the translation in like
static (inside, outside) <public ip> 192.168.1.50 netmask 255.255.255.255 0 0
I should have posted this link before, this should help you out
And there's no lame questions mate
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP
You need to put the translation in like
static (inside, outside) <public ip> 192.168.1.50 netmask 255.255.255.255 0 0
I should have posted this link before, this should help you out
And there's no lame questions mate
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP
- Thread starter
- #10
Thank you very much. I do understand now. Only one problem though. When I add that static command, my client on the inside 192.168.1.50 can no longer even access the PPTP server. Without the static mapping it can connect and just hangs on the authentication process and throws those errors into my syslog. Is there something else that I am mising. i am not sure why the static mapping would prevent my inside client to not be able to access the machine now. I even cleared xlate and arp....
Now that you have a public IP mapped to your internal system you still need to open your ACL on the external interface. You will need to open the ports for TCP port 1723 and for IP 47. For security you should limit the connection from only the system IP that you want to connect to. Something like:
access-list outside_inside permit gre host X.X.X.X host 192.168.1.50
access-list outside_inside permit tcp host X.X.X.X host 192.168.1.50 eq 1723
access-list outside_inside permit gre host X.X.X.X host 192.168.1.50
access-list outside_inside permit tcp host X.X.X.X host 192.168.1.50 eq 1723
- Thread starter
- #12
Hi,
I originally thought that and I know i have to open my access-list. But if the static worked correctly, I would have gotten the syslog message saying that the traffic was denied or blocked by acl_out. I didn't get that message. I figured I'd open the access-list up last.
Does this make sense? I'm pretty positive that I would see a syslog error... Do I have to change PAT? Or add something on my inside access-list. But still syslog would generate an error message...
I originally thought that and I know i have to open my access-list. But if the static worked correctly, I would have gotten the syslog message saying that the traffic was denied or blocked by acl_out. I didn't get that message. I figured I'd open the access-list up last.
Does this make sense? I'm pretty positive that I would see a syslog error... Do I have to change PAT? Or add something on my inside access-list. But still syslog would generate an error message...
- Thread starter
- #13
For kicks I have added the correct access-list to my outside interface. And still the host 192.168.1.50 cannot access the internet nor can it access the PPTP. Is it possible that I need another special statement to allow that because the static mapping is stopping the access somehow. Any ideas are greatly appreciated.
- Thread starter
- #14
I'm not sure how to make this any clearer. I posted a link showing how to do it from cisco's website. Admittedly someone then posted an access list that won't work because it tries to allow traffic to the internal private address, rather than the nat-ed public address, which has probably messed you up a bit.
Configure the static translation as i've already explained. Configure an access control list to allow GRE traffic TO THAT STATIC PUBLIC IP ADDRESS, not the private address. Clear xlate, and you're done.
Basically you need an access list that reads
access-list outside_inside permit gre host <the pptp server> host <your static public address>
You don't need an ACL allowing port 1723 traffic. That originates from your machine inside the pix, and is allowed out. I'm assuming the static public address you're using is the same as the interface address of the pix, which is what you're also using in your nat statement.
If you missed that link, it's here;
If you're still not having any luck, post your pix config
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP
Configure the static translation as i've already explained. Configure an access control list to allow GRE traffic TO THAT STATIC PUBLIC IP ADDRESS, not the private address. Clear xlate, and you're done.
Basically you need an access list that reads
access-list outside_inside permit gre host <the pptp server> host <your static public address>
You don't need an ACL allowing port 1723 traffic. That originates from your machine inside the pix, and is allowed out. I'm assuming the static public address you're using is the same as the interface address of the pix, which is what you're also using in your nat statement.
If you missed that link, it's here;
If you're still not having any luck, post your pix config
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP
- Thread starter
- #16
Here goes. I am still stuck on this..not sure what is going here. Here is my config.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name xxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_out permit tcp any host <ip1> eq www
access-list acl_out permit gre host <pptp server> host <public static ip seen to the world which comes from my router>
access-list in_out permit ip any any
pager lines 24
logging on
logging trap warnings
logging history warnings
logging host inside 192.168.1.8
interface ethernet0 100full
interface ethernet1 100full
icmp deny any echo-reply outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
ip address outside <ip3> 255.255.255.0
ip address inside 192.168.1.xxx 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name attack1 info action alarm drop reset
ip audit interface outside attack1
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside> <pptp server> 192.168.1.50 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group in_out in interface inside
route outside 0.0.0.0 0.0.0.0 <ip4> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
filter java 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
telnet timeout 60
ssh 192.168.1.2 255.255.255.255 inside
ssh timeout 60
terminal width 80
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name xxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_out permit tcp any host <ip1> eq www
access-list acl_out permit gre host <pptp server> host <public static ip seen to the world which comes from my router>
access-list in_out permit ip any any
pager lines 24
logging on
logging trap warnings
logging history warnings
logging host inside 192.168.1.8
interface ethernet0 100full
interface ethernet1 100full
icmp deny any echo-reply outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
ip address outside <ip3> 255.255.255.0
ip address inside 192.168.1.xxx 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name attack1 info action alarm drop reset
ip audit interface outside attack1
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside> <pptp server> 192.168.1.50 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group in_out in interface inside
route outside 0.0.0.0 0.0.0.0 <ip4> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
filter java 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
telnet timeout 60
ssh 192.168.1.2 255.255.255.255 inside
ssh timeout 60
terminal width 80
Your static statement is wrong. It should be
static (inside,outside> <public static ip seen to the world which comes from my router>
192.168.1.50 netmask 255.255.255.255 0 0
The same address that's used in your access-list acl_out command
Except i'm a bit worried about how you've phrased that ... are you using the public address of your router in the acl and the static command? You shouldn't be. You should be using an address that's on the outside range of the pix, for which the pix can proxy arp. Try using the outside interface address of the pix.
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP
static (inside,outside> <public static ip seen to the world which comes from my router>
192.168.1.50 netmask 255.255.255.255 0 0
The same address that's used in your access-list acl_out command
Except i'm a bit worried about how you've phrased that ... are you using the public address of your router in the acl and the static command? You shouldn't be. You should be using an address that's on the outside range of the pix, for which the pix can proxy arp. Try using the outside interface address of the pix.
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP
- Thread starter
- #18
Yes. i was using the router address in my acl_out statement and I was using the pptp server in the static command. OK I will change the acl_out to use the outside interface address and the static to also use the outside interface address. So it will be something like this:
access-list acl_out permit gre host <pptp server> host <outside interface ip>
static (inside,outside) <outside interface ip> 192.168.1.50 netmask 255.255.255.255 0 0
I'll let you know how I make out. Thanks and hopefully this does the trick.
access-list acl_out permit gre host <pptp server> host <outside interface ip>
static (inside,outside) <outside interface ip> 192.168.1.50 netmask 255.255.255.255 0 0
I'll let you know how I make out. Thanks and hopefully this does the trick.
- Thread starter
- #19
Sorry but if I add this static command it kills all outgoing internet connections from any client on the inside.
static (inside,outside) <outside interface ip> 192.168.1.50 netmask 255.255.255.255 0 0
There is something that we are missing I believe....ANy ideas?
static (inside,outside) <outside interface ip> 192.168.1.50 netmask 255.255.255.255 0 0
There is something that we are missing I believe....ANy ideas?
- Thread starter
- #20
After staring at the pix documentation and trying to figure things out, I see that with version 6.3(0) and above its a piece of cake. Well if we won't be able to figure this out, is there someone out there that can email me the image for 6.3. I'm coming to the conclusion that it is not possible on pre 6.3...
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question