
Trouble Setting Up VPN To A PIX501 - Transparent Tunneling Disabled

Jan 6, 2004
I have gone through the PDM to set up VPN on my PIX 501. From a public internet connection (i.e. my brother's house or my place of business) I have loaded Cisco VPN Client v4.0.3(a). I can successfully connect, but cannot access any resources that are behind my PIX inside interface. I can't ping any addresses, nor can I open any file shares. While connected with the VPN client, I click on Status, Statistics, and notice the following:

a) On the Tunnel Details tab, under Transport, Transparent Tunneling is disabled. I believe it is supposed to say Active on UDP port 4500, right???
b) On the Route Details tab, under Secured Routes, I only have 0.0.0.0/0.0.0.0 listed. I believe it is supposed to list the network on the inside interface of my PIX, like 10.1.1.0/255.255.255.0, right???

I have configured my router to forward UDP port 500 to my PIX outside interface, as I have 2 different networks - one behind a PIX, one behind an ISA firewall. I want the VPN traffic to go to the PIX, and not the ISA network.

Any information anyone can offer will be HIGHLY APPRECIATED!!!

Here are the details of my setup, as well as running configs.

PERIMETER ROUTER: Cisco SOHO 91 cable modem router. Ethernet1 goes to cable modem, Ethernet0 is a 4 port switch.
PIX 501: Outside interface goes to Ethernet0 on PERIMETER ROUTER, Inside interface goes to a switch for my inside LAN.

PERIMETER ROUTER RUNNING CONFIG
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret 5 $1$7JTt$tlYzenZgxKwSFamOMrg9q.
!
username CRWS_Prem privilege 15 password 7 125D5453255A0A256E2475270010321252455056020C0F0306
username administrator password 7 051D0F1B334541054E5240
ip subnet-zero
ip name-server 24.29.99.20
ip name-server 24.29.99.21
ip dhcp excluded-address 10.10.10.2
ip dhcp excluded-address 10.10.10.3
!
ip dhcp pool CLIENT
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
lease 0 2
!
ip dhcp pool client
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
ip address dhcp client-id Ethernet1
ip nat outside
no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static udp 10.10.10.3 500 interface Ethernet1 500
ip classless
ip route 172.20.8.0 255.255.248.0 10.10.10.2
ip route 172.20.24.0 255.255.248.0 10.10.10.3
ip http server
!
!
logging trap debugging
logging 172.20.24.50
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 permit ip any any
no cdp run
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
end
************************************************
PIX RUNNING CONFIG
PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password tlBiywx5FTMMAAQg encrypted
passwd tlBiywx5FTMMAAQg encrypted
hostname PIX-FW
domain-name domain.local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network isanet
network-object 172.20.8.0 255.255.248.0
object-group network routernet
network-object 10.10.10.0 255.255.255.0
object-group network pixnet
network-object 172.20.24.0 255.255.248.0
object-group icmp-type canping
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
icmp-object echo
object-group network vpnnet
network-object 172.20.8.0 255.255.248.0
access-list lanlist permit icmp host 10.10.10.4 any object-group canping
access-list lanlist permit ip host 10.10.10.4 any log
access-list lanlist permit ip 172.20.32.0 255.255.248.0 any log
access-list lanlist permit ip 172.20.8.0 255.255.248.0 any log
access-list inside_outbound_nat0_acl permit ip any 172.20.32.0 255.255.255.248
access-list outside_cryptomap_dyn_20 permit ip any 172.20.32.0 255.255.255.248
pager lines 24
logging on
logging timestamp
logging trap informational
logging queue 500
logging host inside 172.20.24.50
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.3 255.255.255.0
ip address inside 172.20.24.1 255.255.248.0
ip audit info action alarm
ip audit attack action alarm
ip local pool 2pool 172.20.32.1-172.20.32.5
pdm location 172.20.24.50 255.255.255.255 inside
pdm location 10.10.10.4 255.255.255.255 outside
pdm location 172.20.8.0 255.255.248.0 outside
pdm location 172.20.32.0 255.255.248.0 outside
pdm group isanet outside
pdm group vpnnet outside
pdm group aethyrnet outside
pdm group pixnet inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group lanlist in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.20.24.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community snmppword
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngroup address-pool 2pool
vpngroup vpngroup dns-server 172.20.8.2 172.20.8.1
vpngroup vpngroup wins-server 172.20.8.56
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.20.24.50-172.20.24.74 inside
dhcpd dns 172.20.8.1 172.20.8.2
dhcpd wins 172.20.8.56
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:11ceb6e47912569a1ac16eb319af58ee
: end
 
If it is to work at all, you need to forward the ESP protocol as well, or UDP 4500 in the router in case you want transparent tunneling (NAT traversal).

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
Thanks for the tip.

So what you're saying is to for me to do the following:
- From my router, also forward UDP port 4500 to my pix, as I have done with UDP port 500.
- Do the same with ESP.

How would I configure my router to forward ESP? I believe it is a layer 3 protocol, right?
 
Yes, it is protocol 50 or 51, I can never remember.
You should be able to do a static forwarding of ESP in IOS.
Try using "?" after the nat command; maybe it will tell you what to type.

Jan

Network Systems Engineer
CCNA/CQS/CCSP
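As an added example (not code from the thread, from Cisco, or from either poster), here is a small Python check that parses the static "ip nat" forwards out of an IOS configuration and reports whether a VPN endpoint behind the router has what an IPsec remote-access client needs: UDP 500 for IKE, plus at least one data path, either UDP 4500 (NAT-T, the "transparent tunneling" the client status shows) or IP protocol 50 (ESP; AH is protocol 51). The sample configuration is constructed from the NAT lines posted above; the "static esp" line used for the ESP forward is an assumed IOS form and should be confirmed with "?" on the router, as the reply suggests.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample in the style of the SOHO 91 configuration posted in the
# thread: only the relevant "ip nat" lines are reproduced. The PIX outside
# address 10.10.10.3 and the interface name Ethernet1 come from the thread.
ROUTER_CONFIG_AS_POSTED = """\
interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip nat outside
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static udp 10.10.10.3 500 interface Ethernet1 500
"""

# The same fragment with the forwards the reply asks for. The "static esp"
# syntax is assumed here; confirm it with "?" on the router's IOS.
ROUTER_CONFIG_WITH_FORWARDS = ROUTER_CONFIG_AS_POSTED + """\
ip nat inside source static udp 10.10.10.3 4500 interface Ethernet1 4500
ip nat inside source static esp 10.10.10.3 interface Ethernet1
"""

IKE_PORT = 500       # ISAKMP; always required
NAT_T_PORT = 4500    # IPsec NAT traversal ("transparent tunneling")
ESP_PROTOCOL = 50    # native ESP; AH would be IP protocol 51

_UDP_STATIC = re.compile(
    r"^ip nat inside source static udp (\S+) (\d+) interface \S+ (\d+)$")
_ESP_STATIC = re.compile(
    r"^ip nat inside source static esp (\S+) interface \S+$")


def parse_static_forwards(config: str) -> Tuple[Dict[str, Set[int]], Set[str]]:
    """Return (UDP ports forwarded per inside host, hosts with ESP forwarded)."""
    udp: Dict[str, Set[int]] = {}
    esp: Set[str] = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = _UDP_STATIC.match(line)
        if m:
            host, inside_port, outside_port = m.groups()
            # A forward only helps if the outside port is the one clients use.
            if inside_port == outside_port:
                udp.setdefault(host, set()).add(int(inside_port))
            continue
        m = _ESP_STATIC.match(line)
        if m:
            esp.add(m.group(1))
    return udp, esp


def vpn_forwarding_status(config: str, endpoint: str) -> Dict[str, bool]:
    """Which of the forwards a remote-access IPsec endpoint needs are present."""
    udp, esp = parse_static_forwards(config)
    ports = udp.get(endpoint, set())
    return {
        "ike_udp500": IKE_PORT in ports,
        "nat_t_udp4500": NAT_T_PORT in ports,
        "esp_proto50": endpoint in esp,
    }


def can_carry_ipsec(status: Dict[str, bool]) -> bool:
    """IKE must get through, then at least one data path: NAT-T or raw ESP."""
    return status["ike_udp500"] and (
        status["nat_t_udp4500"] or status["esp_proto50"])


def describe(config: str, endpoint: str) -> str:
    """One-line verdict, phrased the way the symptom shows up on the client."""
    s = vpn_forwarding_status(config, endpoint)
    if can_carry_ipsec(s):
        return "IKE and an IPsec data path reach %s" % endpoint
    if s["ike_udp500"]:
        # The posted symptom: the client "connects" (IKE completes over udp/500)
        # but no ESP or NAT-T packets reach the PIX, so nothing inside answers.
        return "IKE reaches %s but neither udp/4500 nor ESP is forwarded" % endpoint
    return "udp/500 is not forwarded to %s; IKE cannot even start" % endpoint


if __name__ == "__main__":
    for name, cfg in (("as posted", ROUTER_CONFIG_AS_POSTED),
                      ("with forwards", ROUTER_CONFIG_WITH_FORWARDS)):
        print("%s: %s" % (name, describe(cfg, "10.10.10.3")))
```

Against the configuration as posted the check reports that IKE reaches the PIX but no data path does, which is exactly a client that connects and then cannot ping or reach shares. The 0.0.0.0/0.0.0.0 secured route on the client is what the PIX hands out when the vpngroup has no split-tunnel list configured, so that display is expected rather than a second fault.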
 