
Remote Access VPN with PIX


McDouglas

Technical User
Nov 9, 2006
Hi,

I'm having a problem setting up remote access VPN with a PIX515E. I can establish a connection with the Cisco VPN client, but after that, I can't ping or access anything on the remote network.

I marked in bold the commands I used to set up the VPN config.

My config:

pix# show run
: Saved
:
PIX Version 8.0(2)
!
hostname *****
domain-name *****
enable password ***** encrypted
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address pppoe setroute
!
interface Ethernet1
nameif intranet
security-level 50
ip address 192.168.61.110 255.255.255.0
!
interface Ethernet2
nameif inside
security-level 100
ip address 172.16.0.1 255.255.0.0
!
passwd ***** encrypted
no ftp mode passive
dns server-group DefaultDNS
domain-name *****
object-group protocol all-ip
protocol-object tcp
protocol-object udp
protocol-object icmp
access-list intradmz extended permit icmp any any
access-list intradmz extended permit gre any any
access-list intradmz extended permit esp any any
access-list intradmz extended permit tcp any any eq pptp
access-list intradmz extended permit udp any any eq isakmp
access-list intradmz extended permit tcp host 192.168.61.101 any
access-list intradmz extended permit tcp host 192.168.61.100 any
access-list intradmz extended permit tcp any any eq ftp
access-list intradmz extended permit object-group all-ip host 192.168.61.109 any
access-list intradmz extended permit object-group all-ip host 192.168.61.103 any
access-list intradmz extended permit object-group all-ip host 192.168.61.111 any
access-list intradmz extended permit object-group all-ip host 192.168.61.115 any
access-list intradmz extended permit object-group all-ip host 192.168.61.3 any
access-list intradmz extended permit object-group all-ip host 192.168.61.7 any
access-list intradmz extended permit tcp any any eq 8182
access-list intradmz extended permit tcp any any eq https
access-list intradmz extended permit object-group all-ip host 192.168.61.53 any
access-list intradmz extended permit tcp host 192.168.61.121 any eq 21000
access-list intradmz extended permit udp host 192.168.61.121 any eq 21000
access-list intradmz extended permit object-group all-ip host 192.168.61.114 any
access-list internet extended permit icmp any any
access-list internet extended permit tcp any interface outside eq smtp
access-list internet extended permit tcp any interface outside eq ftp
access-list internet extended permit tcp any interface outside eq 995
access-list internet extended permit tcp any interface outside eq ident
access-list internet extended permit tcp any interface outside eq pptp
access-list internet extended permit gre any interface outside
access-list internet extended permit tcp any interface outside eq https
access-list internet extended permit tcp host ***** interface outside
access-list internet extended permit udp host ***** interface outside
access-list internet extended permit esp any any
access-list internet extended permit tcp any interface outside eq 23389
access-list internet extended permit tcp any interface outside eq 5500
access-list internet extended permit tcp any interface outside eq ssh
access-list internet extended permit tcp any interface outside eq 13389
access-list dk-ip extended permit tcp host ***** any
access-list dk-ip extended permit tcp any host *****
access-list DEMAND_DIAL_VPN_CLIENTS extended permit ip 192.168.0.0 255.255.0.0 192.168.81.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.81.0 255.255.255.0

pager lines 22
logging enable
logging monitor debugging
logging trap warnings
logging host inside 172.16.0.2
mtu outside 1492
mtu intranet 1500
mtu inside 1500
ip local pool DEMAND_DIAL_VPN_CLIENT_POOL 192.168.81.100-192.168.81.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (intranet) 1 192.168.0.0 255.255.0.0
nat (inside) 0 access-list NO_NAT
static (intranet,outside) tcp interface 13389 192.168.61.100 3389 netmask 255.255.255.255
static (intranet,outside) tcp interface 1122 192.168.61.100 ssh netmask 255.255.255.255
static (intranet,outside) tcp interface 23389 192.168.61.111 3389 netmask 255.255.255.255
static (intranet,outside) tcp interface ftp 192.168.61.109 ftp netmask 255.255.255.255
static (intranet,outside) tcp interface smtp 192.168.61.109 smtp netmask 255.255.255.255
static (intranet,outside) tcp interface https 192.168.61.109 https netmask 255.255.255.255
static (intranet,outside) tcp interface 5500 192.168.61.109 ssh netmask 255.255.255.255
access-group internet in interface outside
access-group intradmz in interface intranet
route intranet 192.168.0.0 255.255.0.0 192.168.61.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host intranet 192.168.61.109 community public
snmp-server location *****
no snmp-server contact
snmp-server community public
crypto ipsec transform-set TRANS_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set TRANS_ESP_AES_SHA TRANS_ESP_3DES_SHA
crypto dynamic-map DYN_MAP 10 set security-association lifetime seconds 86400
crypto map OUTSIDE_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

telnet 192.168.61.109 255.255.255.255 intranet
telnet timeout 30
ssh ***** 255.255.255.255 outside
ssh timeout 15
ssh version 1
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname *****
vpdn group pppoex ppp authentication pap
vpdn username pannonvrt@fixip password *********
priority-queue outside
no threat-detection basic-threat
no threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
class-map *****
match access-list dk-ip
class-map mail_traffic
match port tcp eq smtp
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect esmtp
policy-map qos
class mail_traffic
police output 122500
class *****
priority
!
service-policy global_policy global
service-policy qos interface outside
ssl encryption rc4-sha1
group-policy CISCO_CLIENT_VPN_POLICY internal
group-policy CISCO_CLIENT_VPN_POLICY attributes
dns-server value 192.168.61.111
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DEMAND_DIAL_VPN_CLIENTS
default-domain value *****
username ***** password ***** encrypted privilege 15
tunnel-group CISCO_CLIENT_VPN_GROUP type remote-access
tunnel-group CISCO_CLIENT_VPN_GROUP general-attributes
address-pool DEMAND_DIAL_VPN_CLIENT_POOL
default-group-policy CISCO_CLIENT_VPN_POLICY
tunnel-group CISCO_CLIENT_VPN_GROUP ipsec-attributes
pre-shared-key *****
tunnel-group CISCO_CLIENT_VPN_GROUP ppp-attributes
authentication ms-chap-v2

prompt hostname context
Cryptochecksum:*****
: end
pix# show version

Cisco PIX Security Appliance Software Version 8.0(2)

Compiled on Fri 15-Jun-07 18:25 by builders
System image file is "flash:/image"
Config file at boot was "startup-config"

pix up 17 hours 55 mins

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 0013.8098.ff4a, irq 10
1: Ext: Ethernet1 : address is 0013.8098.ff4b, irq 11
2: Ext: Ethernet2 : address is 000e.0c6f.9001, irq 11

Licensed features for this platform:
Maximum Physical Interfaces : 3
Maximum VLANs : 10
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited

This platform has a Restricted (R) license.

Serial Number: *****
Running Activation Key: *****
Any ideas?
 
Hi,

I am quite new to setting up remote access VPNs but might be able to give a few pointers.

When you say remote network - do you mean the end where the VPN dialler is being used, or the HQ end? If it's the VPN dialler end, you may have enabled something called split-tunneling; basically, when turned on or off (not sure which) it stops all traffic to the VPN dialler end machine and only allows it to communicate with the far end.

Also, do you have a route back to the virtual-pool address range on the PIX? This could explain why traffic isn't getting back. If it's the default gateway this should be OK.

Also, it might be worth running some debugging on the PIX. I did this, and found a quick cut and paste to Google helps loads. You tend to find various configs, and doing a comparison may help identify a missing line.

Good luck!

Rich.
CCNA - preparing for SNPA exam :)
 
Hello,

Sorry, by remote network I meant the HQ end, where the PIX is. I think split-tunneling is enabled in the group policy.



You got me with the route-back thing. I'm not sure about that. Here is the route table.

pix# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 195.228.253.58 to network 0.0.0.0

C 192.168.61.0 255.255.255.0 is directly connected, intranet
S 192.168.81.100 255.255.255.255 [1/0] via [HQ ISP's router], outside
S* 0.0.0.0 0.0.0.0 [1/0] via [HQ ISP's router], outside
S 192.168.0.0 255.255.0.0 [1/0] via 192.168.61.254, intranet


I can only think of 3 things: ACL, routing, NAT?
Any idea how I should debug these?


 
Hi, my fault, I never explain things clearly. - Is there a route to the 192.168.81.0 network from your internal HQ network, i.e. do you have a router sitting internally - or is the Pix the default route for all traffic internally?

Regards,



Rich.
CCNA - preparing for SNPA exam :)
 
Yes, there is, actually the PIX is the default gw.

But I can't even access the PIX itself from the VPN client.
 
I am not privy to the setup in a PIX...I will however tell you that the vpn pool MUST be excluded in the NAT ACL, so that the vpn addresses do NOT get NATted. The syntax compared between a router and a PIX is like night and day. If you know IOS, I can post some vpn commands that accomplish this...trouble is, that in a router, I have had to make the vpn pool in the same subnet as the LAN, but just make deny statements in the NAT acl, and permit the rest of the LAN. This is what solved this same problem I was having. I think that it was bugs in the IOS codes, because routers are really meant to...well, route! PIX and ASA are meant for this kinda stuff, but mine works great in a 2620XM with Advanced Enterprise 12.4(10).

Burt
 
Well I think the command

nat (inside) 0 access-list NO_NAT

does exactly that. VPN clients are not NATed.
 
2 things I see -
1 - You also need to make sure that sysopt connection permit-ipsec is enabled. It won't show up in the config. Do show running-config sysopt to see if it is up.

2 - If you are resolving by DNS, that is your problem. Your DNS server will not get VPN traffic. You will need to add it to your NAT exemption.

add -
access-list NO_NAT extended permit ip 192.168.61.0 255.255.0.0 192.168.81.0 255.255.255.0

and
access-list DEMAND_DIAL_VPN_CLIENTS extended permit ip 192.168.61.0 255.255.0.0 192.168.81.0 255.255.255.0


If you are using the cisco client take this out as well
tunnel-group CISCO_CLIENT_VPN_GROUP ppp-attributes
authentication ms-chap-v2




Brent
Systems Engineer / Consultant
CCNP, CCSP
 
If I enter what you wrote:

pix(config)# access-list NO_NAT extended permit ip 192.168.61.0 255.255.0.0 192.168.81.0 255.255.255.0
ERROR: IP address,mask <192.168.61.0,255.255.0.0> doesn't pair

I guess you wanted to type a 24-bit mask, so I tried that too. Still could not ping the inside network.


Could you please explain what you mean by "resolving by DNS"?
 
Your DNS server is in your intranet (according to your config). Your VPN clients can't reach that. You need to add it to your NAT exemption and interesting traffic ACLs.
I was copying your ACLs from above and just changing the 3rd octet so that they reflected the right subnet.

Have you tested the ACLs applied to the interfaces? What does work for traffic between interfaces?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Just for testing, I allowed ANY traffic in ACL for both interfaces.

Still no luck. Can't even ping the PIX's internal IP address.
 
You don't want to add any for the nonat...right? Also, isn't this backwards?

add -
access-list NO_NAT extended permit ip 192.168.61.0 255.255.0.0 192.168.81.0 255.255.255.0

Don't you want to include the vpn to any for no nat, and any to the rest of the lan TO be natted?

Burt
 
Solved the problem.

nat (inside) 0 access-list NO_NAT


Silly me, forgot that the inside interface is not used, but the intranet one.

I guess this is what you get, if you don't clean up your config after removing the DMZ subnet.

Thanks for the suggestions anyway.
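An added example, not from the thread or from Cisco: a small Python lint over the relevant PIX 8.0 lines that would have caught the root cause above. It reproduces the "doesn't pair" check on access-list address/mask pairs, verifies that the nat 0 exemption is configured on the interface whose subnet the exempted source addresses belong to, and confirms the VPN pool falls inside an exempted destination. The config excerpt is constructed from the thread, and routes are not consulted, so subnet overlap stands in for "behind this interface".

```python
import ipaddress

# Constructed excerpt of the thread's PIX 8.0 config (hostnames and keys omitted);
# the BAD entry reproduces the /16 mask the PIX rejected with "doesn't pair".
PIX_CONFIG = """\
nameif intranet
ip address 192.168.61.110 255.255.255.0
nameif inside
ip address 172.16.0.1 255.255.0.0
access-list NO_NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.81.0 255.255.255.0
access-list BAD extended permit ip 192.168.61.0 255.255.0.0 192.168.81.0 255.255.255.0
ip local pool DEMAND_DIAL_VPN_CLIENT_POOL 192.168.81.100-192.168.81.150 mask 255.255.255.0
nat (inside) 0 access-list NO_NAT
"""

def lint(config):
    """Check nat 0 (NAT exemption) for the remote-access pool; return findings."""
    ifaces, acls, pools, nat0, nameif = {}, {}, {}, [], None
    for t in (l.split() for l in config.splitlines() if l.strip()):
        if t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and t[2][0].isdigit():
            ifaces[nameif] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "access-list" and len(t) == 9 and t[3:5] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append(t[5:9])  # src smask dst dmask
        elif t[:3] == ["ip", "local", "pool"]:
            pools[t[3]] = tuple(ipaddress.ip_address(a) for a in t[4].split("-"))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0.append((t[1].strip("()"), t[4]))
    findings, nets = [], {}
    for name, aces in acls.items():
        for ace in aces:
            try:  # strict parse: like the PIX, reject an address with host bits set
                s, d = (ipaddress.ip_network(f"{ace[i]}/{ace[i + 1]}") for i in (0, 2))
                nets.setdefault(name, []).append((s, d))
            except ValueError:
                findings.append(f"{name}: address/mask {' '.join(ace)} doesn't pair")
    for ifname, acl in nat0:
        aces = nets.get(acl, [])
        for src, _ in aces:
            # nat 0 only exempts hosts behind the interface it is configured on.
            if ifname not in ifaces or not src.overlaps(ifaces[ifname]):
                better = [n for n, net in ifaces.items() if src.overlaps(net)]
                findings.append(f"nat ({ifname}) 0 {acl}: {src} is not behind {ifname}, try {better}")
        for pname, (lo, hi) in pools.items():
            if not any(lo in d and hi in d for _, d in aces):
                findings.append(f"{acl}: pool {pname} is not a destination, clients get NATed")
    return findings
```

Running lint(PIX_CONFIG) reports the BAD mask and that nat (inside) 0 NO_NAT exempts 192.168.0.0/16, which sits behind intranet, not inside; with nat (intranet) 0 and a /24 mask the findings list is empty.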
 