Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN seems to be one way

Status
Not open for further replies.

seands

Technical User
Sep 26, 2001
21
GB
Hi all

I’m having a problem with our VPN tunnel. It seems to be one way. The offsite network can vpn in fine and access the network, and remote desktop connection okay. But the main office network can’t access the offsite network or RDC. I posted my configs off both firewalls. The main office firewall is PIX515E and offsite is a PIX515. At the moment I have created static and access-list to a server on the inside of the Offsite network which I can RDC to as a temporary solution, but I want to remove this. We are setting this VPN up so we can do offsite replication.

We do have another VPN setup to another PIX, which is for a team of Developers, which as far as I know is working. We also have VPN access for Cisco VPN client, which works fine.

Can any one tell me where I might be going wrong in my config or if it might be something else?

Thanks
Sean


OFFSITE PIX515

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password aemJ.VX2g7H8fA5t encrypted
passwd sAaq1rM1VV1kwXG/ encrypted
hostname pby
domain-name pby.cdoor.co.uk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list cel-vpn permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list acl-out permit tcp host 85.110.78.19 host 85.112.186.190 eq 3389
pager lines 24
logging on
logging trap informational
logging history informational
logging host inside 192.168.10.3
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 85.112.186.186 255.255.255.248
ip address inside 192.168.10.2 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm location 10.10.10.42 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 85.112.186.187
nat (inside) 0 access-list cel-vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 85.112.186.190 192.168.10.3 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 82.111.186.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.10.42 255.255.255.255 outside
http 192.168.10.3 255.255.255.255 inside
http 10.10.10.42 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set cel esp-des esp-md5-hmac
crypto map cityeq 15 ipsec-isakmp
crypto map cityeq 15 match address 101
crypto map cityeq 15 set peer 85.110.78.18
crypto map cityeq 15 set transform-set cel
crypto map cityeq interface outside
isakmp enable outside
isakmp key ******** address 85.110.78.18 netmask 255.255.255.255
isakmp identity address
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash sha
isakmp policy 15 group 1
isakmp policy 15 lifetime 86400
telnet 10.10.10.42 255.255.255.255 inside
telnet 192.168.10.3 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:181329aae4618f708bd6a9ce1cd1f319
: end
[OK]




MAIN OFFICE PIX515E

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password PM2KRvYB/lpypI6X encrypted
passwd yPySdjYRSYeuYsSk encrypted
hostname tctyq
domain-name tctyq.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl-out permit tcp any host 85.110.78.20 eq smtp
access-list acl-out permit icmp any any
access-list acl-dmz permit tcp host 168.10.10.2 host 10.10.10.60 eq smtp
access-list acl-dmz deny ip any 10.10.10.0 255.255.255.0
access-list acl-dmz permit ip any any
access-list cel-vpn permit ip host 10.10.10.190 192.168.3.0 255.255.255.0
access-list cel-vpn permit ip host 10.10.10.253 192.168.3.0 255.255.255.0
access-list cel-vpn permit ip host 10.10.10.59 192.168.3.0 255.255.255.0
access-list cel-vpn permit ip host 10.10.10.50 192.168.3.0 255.255.255.0
access-list cel-vpn permit ip 10.10.10.0 255.255.255.0 100.0.1.0 255.255.255.0
access-list cel-vpn permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 125 permit ip host 10.10.10.253 192.168.3.0 255.255.255.0
access-list 125 permit ip host 10.10.10.190 192.168.3.0 255.255.255.0
access-list 125 permit ip host 10.10.10.59 192.168.3.0 255.255.255.0
access-list 125 permit ip host 10.10.10.50 192.168.3.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging on
logging trap informational
logging history informational
logging host inside 10.10.10.42
logging host inside 10.10.10.105
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 85.110.78.18 255.255.255.240
ip address inside 10.10.10.4 255.255.255.0
ip address intf2 168.10.10.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit name intrusion attack action alarm drop
ip audit interface outside intrusion
ip audit info action alarm
ip audit attack action alarm drop
ip local pool kcippool 100.0.1.1-100.0.1.3
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 85.110.78.19
nat (inside) 0 access-list cel-vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (intf2,outside) 85.110.78.20 168.10.10.2 netmask 255.255.255.255 0 0
static (inside,intf2) 10.10.10.60 10.10.10.60 netmask 255.255.255.255 0 0
static (inside,intf2) 10.10.10.42 10.10.10.42 netmask 255.255.255.255 0 0
static (inside,intf2) 10.10.10.50 10.10.10.50 netmask 255.255.255.255 0 0
static (inside,intf2) 10.10.10.171 10.10.10.171 netmask 255.255.255.255 0 0
static (inside,intf2) 10.10.10.221 10.10.10.221 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
access-group acl-dmz in interface intf2
route outside 0.0.0.0 0.0.0.0 85.110.78.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server kcl9 protocol radius
aaa-server kcl9 max-failed-attempts 3
aaa-server kcl9 deadtime 10
aaa-server kcl9 (inside) host 10.10.10.27 aaaaaaaa timeout 5
http server enable
http 10.10.10.42 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set engd esp-des esp-md5-hmac
crypto ipsec transform-set thepres esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 match address 125
crypto map mymap 5 set peer 62.46.32.26
crypto map mymap 5 set transform-set engd
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 15 ipsec-isakmp
crypto map mymap 15 match address 101
crypto map mymap 15 set peer 85.112.186.186
crypto map mymap 15 set transform-set thepres
crypto map mymap client authentication kcl9
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 62.46.32.26 netmask 255.255.255.255
isakmp key ******** address 85.112.186.186 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash sha
isakmp policy 15 group 1
isakmp policy 15 lifetime 86400
vpngroup kcrvpn1 address-pool kcippool
vpngroup kcrvpn1 dns-server 10.10.10.254
vpngroup kcrvpn1 wins-server 10.10.10.253
vpngroup kcrvpn1 default-domain tctyq.com
vpngroup kcrvpn1 idle-time 1800
vpngroup kcrvpn1 password ********
telnet 10.10.10.42 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:04ff73d4d960aaa9481a67ef139bf909
: end
[OK]


 
When I run a syslog server at the Offsite network this is the error message I get when I try to Remote Desktop Connection

%PIX-4-106023: Deny tcp src outside 10.10.10.42/2349 dst inside 192.168.10.3/3389 by access-group "acl-out"


Hope this might help.

Sean
 
try this on your OffSite PIX firewall

sysopt connection permit-ipsec
 
Thanks GConnect that sorted the problem.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top