
Pix to Pix VPN, only some devices on remote side can be seen!!!

Status
Not open for further replies.

1computergeek (IS-IT--Management), May 6, 2003
I have a simple pix to pix (506 to 501) vpn using 3des encryption. There are three users on the remote side (print server and 2 users) behind the 501 whose computers I can see. The 501 has a 10 user inside license with a 10 user IKE peer license. I cannot see 3 other computers and they cannot see my side. I have cleared the arp tables, the pix is running dhcp so all the machines are getting their IPs from the same place. They are connected to a linksys 10/100 8 port switch and there's also a 10 mb intel hub. I have tried moving the computers that I cannot see to a port on the 501 with no luck. I have issued the clear arp, clear xlate. Any ideas?

: Written by enable_15 at 23:48:40.775 UTC Wed Apr 30 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password fLaVj9vmMJVNv7pS encrypted
passwd fLaVj9vmMJVNv7pS encrypted
hostname ########
domain-name weblaundry.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 192.168.32.0 255.255.255.0 10.1.0.0 255.255.0.0
pager lines 24
interface ethernet0 10baset
mtu outside 1500
mtu inside 1500
ip address outside #.#.#.# 255.255.255.248
ip address inside 192.168.32.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 #.#.#.# netmask 255.255.255.248
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 #.#.#.# 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http #.#.#.# 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set nissan esp-3des esp-md5-hmac
crypto map ford 1 ipsec-isakmp
crypto map ford 1 match address 101
crypto map ford 1 set peer ###############
crypto map ford 1 set transform-set nissan
crypto map ford interface outside
isakmp enable outside
isakmp key ******** address ############### netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
outside
telnet 192.168.32.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
dhcpd address 192.168.32.10-192.168.32.40 inside
dhcpd lease 1800000
dhcpd ping_timeout 750
dhcpd domain ###########.com
dhcpd enable inside
username pixadmin password KzS0q4Gm0ULxseDq encrypted privilege 0
terminal width 80
Cryptochecksum:90c42c86c8d20869993e99b782e76677
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)

Compiled on Fri 07-Jun-02 17:49 by morlee

riverside-fw up 2 days 21 hours

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000b.fd19.93f5, irq 9
1: ethernet1: address is 000b.fd19.93f6, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Limited
IKE peers: 10
 
HI.

Use syslog messages to get more info.
Start with level 4, and if you don't get enough info you can try level 6.
Gather messages at both sides.

> I cannot see 3 other computers
What exactly do you mean?
Did you try to ping by ip address?
What did you do, and what were the results?

Use "ipconfig /all" on several hosts - do you get the exact same configuration (excluding ip address and host name of course)?



Yizhar Hurwitz
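The logging setup Yizhar suggests, written out as an added example for PIX 6.2 (this is not from his post or from either poster's config). The syslog collector address 192.168.32.50 is hypothetical; levels are given numerically, 4 = warnings, 6 = informational.

```cisco
! Added example, not part of the original thread. Hypothetical collector
! at 192.168.32.50 on the inside interface; PIX 6.2 syntax.
logging on
logging timestamp
! Start at level 4 (warnings) as suggested. If that is not enough detail,
! change this to "logging trap 6" to also get per-connection build/teardown
! and xlate messages, which is what you want when chasing a reachability gap.
logging trap 4
logging host inside 192.168.32.50
! Keep a local copy as well so "show logging" works when no collector is up.
logging buffered 4
```

Run the same configuration on both PIXes, as the post recommends, so a packet that leaves one side can be matched against what the other side logged. Level 6 is noisy on a 501; drop back to 4 once the problem is found.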
 
Thanks for responding. I didn't mean to be vague. On the remote side (which is where the 501 is located) there are 6 hosts (5 computers and 1 print server). From my side of the wan (which is where the pix 506 is) I can successfully ping 3 of the devices. The other three I cannot. Telnetting to the remote pix, I can ping them fine locally. I just can't do it across the wan. All of the devices are on the 1 linksys switch and 1 intel hub. I ran debug icmp trace on both of the pixes; on my side I saw the packets sent but no reply. On the remote side there were no messages. When I pinged a device that was responding there were messages on both pixes. I'll let you know about the other logging you told me to enable.
P.S. Cisco is not being very helpful with this issue. They normally are but the engineers I've been working this with don't seem to check their email.
 
I am having the same (nearly exact) problem. I have tried sysopt noproxyarp inside and will see if that fixes things tomorrow when all the users show up. But I am not sure it will help. It is worth a try though.

FYI syslog states that I am exceeding my 10 user limit. Which I would be but I only have 9 devices + the PIX. 2 printers, a LAN switch and 6 machines. I use the VPN to go to corporate (who uses a 506e) and use 3 machines, a file server, an exchange server and an AS400. I get that same message about the licenses being exceeded every time I ping more than 10 addresses at the remote from the corp end too.

What, I think, was meant by he cannot see the other machines is that they are not pingable or reachable through any means from corp. They can be pinged by the PIX closest to them, but not from any point further down the path. They also cannot see the corp end either. Nor can they get online. And every time they try, or I try to see them, I see a message in the syslog stating that I am over my 10 user limit.

I only have 9 total devices there, I cannot be over the 10 user limit, even PDM tells me that I am only using 4 of 10 host licenses. I hope to understand what the problem is, but I figure that someone out there already knows and might be able to enlighten me. And I know I am not the only one who wants to know.

EddieVenus
 
I have made numerous changes to the network since the last post. None fixed the problem. However I have found some causes of the problem. And they are all asinine.

If you ping the whole subnet, for example, it will not allow you to do this. Only 10 addresses are pingable. Even if there are no devices at those addresses. How retarded is that. As proof, which you can try if you have a 501 with 10 user lic: issue a clear xlate, show xlate combo and see if you have any machines in translations. If not then, from a remote network, ping the whole subnet. You will not get replies back from devices that are not there of course. But you will only get replies back from the first 10 IPs if you have devices at those addresses. If not, you will not receive any replies, even from addresses that exist. If you do not have devices at those addresses, like if they are all 100 and up, then you might get a reply from a few of the real machines, assuming they made a conn or xlate after you cleared the xlates and before you pinged 10 IPs. In fact if you just ping the known IPs after issuing a clear xlate, you will get all the replies (assuming you are pinging less than 10 of course). Now for proof of how many licenses are in use issue a show local-host and see how many are used and how.

What does this mean? It means that IP addresses that have no xlate or conn are getting a license. It means that unless you set the timeouts to mere seconds that these licenses stay active for at least an hour, and up to 3. It means that the PIX is not counting licenses like they say it is, and you are getting ripped off. It says that smaller pix's like the 501 are prone to a major DoS attack from within the protected network. Just ping the subnet they are on, anyone without a current xlate or conn cannot get one for hours.

Even with an active xlate or conn you can get blocked. This one I am still trying to figure out, but it has happened a few times now and it is annoying.

For now the only fix I have is to either upgrade the 501 to 50 users, or to a 506. Or to place a small batch file with a telnet to the remote pix, issue a clear xlate command then logoff and close. This last one works, but only after the fact, I have to know that someone cannot get somewhere before I can fix it. There is also the setting of the timeout values to very low numbers, but this is not good since I understand that if I timeout a connection it will drop the rest of the packets destined for that connection. Meaning a file transfer would fail, and so on and so forth. None are good fixes. But they all work.

I apologise for the length of this post. But there was a lot of important info to share.

Eddie Venus
 
OK, so it turned out that I just had to ask the right question. The solution came from themut, in this thread
thread35-666813: you disable sysopt connection permit-ipsec and then put in an access-list only allowing access to the devices that you want to get to on the inside. The trick is the access-list.

It has to say permit ip any host insidelanip
or else it will not work with a VPN. Also it has to be applied, of course, to the outside interface, which is why we had to disable sysopt connection permit-ipsec. And lastly it has to allow for 10 or less inside hosts, or else you run the risk of using up too many licenses.

I am happy to know this is finally closed. I hope this was the problem in the first place. It was for me, but I cannot be sure that 1computergeek had the same issue.

Eddie Venus
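The behaviour Eddie describes two posts up (addresses with no host still consuming one of the 10 inside-host slots after a ping sweep) and the fix he reports in this post, side by side as an added example. This is not from the thread or from either poster's running config. It uses PIX 6.2 syntax and the 192.168.32.0/24 inside range from 1computergeek's config; the three permitted hosts 192.168.32.10, .11 and .12 and the ACL name vpn_in are hypothetical.

```cisco
! Added example, not part of the original thread. Hypothetical: the inside
! hosts that must be reachable over the tunnel are 192.168.32.10, .11, .12.

! ---- Before (as posted). "sysopt connection permit-ipsec" lets decrypted
! tunnel traffic bypass the outside interface ACL, so a ping sweep of
! 192.168.32.0/24 from the far end reaches the inside for every address, used
! or not, and each one can take a local-host slot on a 10-host 501.
sysopt connection permit-ipsec

! ---- After (the fix reported by Eddie Venus). Remove the bypass, then permit
! only the inside hosts that should be reachable. Traffic to any other
! 192.168.32.x is dropped at the outside interface before it can claim a slot.
! The thread reports the source must be "any" for this to work over the VPN.
no sysopt connection permit-ipsec
access-list vpn_in permit ip any host 192.168.32.10
access-list vpn_in permit ip any host 192.168.32.11
access-list vpn_in permit ip any host 192.168.32.12
access-group vpn_in in interface outside

! ---- Check. See which inside addresses currently hold a license and what
! translations exist; "clear xlate" is the after-the-fact release Eddie used.
show local-host
show xlate
clear xlate
```

Keep the number of permitted hosts at or below the licensed count, as the post says. Two unrelated things a reviewer would tighten in the posted 501 config while making this change: `ssh 0.0.0.0 0.0.0.0 outside` allows SSH from any Internet address, and `snmp-server community public` is the default community string.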
 