PIX problems

 
 
Doug
01-07-2004
I have configured several PIXs w/VPN with no problem (I cheat and use the
PDM to configure them instead of the command line but that's all we've
needed so far). I have just installed two new PIX 501 boxes. ALMOST
everything works fine. From the inside out, there are no problems.
Connecting from the outside in, VPN client to PIX, is no problem either -
VPN connects every time. Doing anything over the VPN does not work. We
have configured the PIX to hand out addresses to VPN clients. It hands out
the correct addresses but the incorrect subnet masks. For example, the
inside at this location is 10.0.5.0/24. When VPN clients connect, they are
given a 10.0.5.x address from the pool but with only an 8-bit mask instead
of 24. Through the PDM, I can find no way to configure the mask that is
given to the clients. We have the same type of addressing schemes at other
locations where we've used the 501 and haven't had any of these issues. I
have blown these away and reconfigured several times and can't see anything
that I'm doing differently now as opposed to the other boxes that are
working.

Does anyone know what I'm missing?

Thanks for any ideas,

Doug


 
RM
01-08-2004
Doug, in PDM choose the file menu and take a snapshot of the
configuration. Paste into a text file, mark out all of the public IP
addresses and send it to me or post; I can look at the config and tell you
where the issue is.

-D

scott enwright
01-08-2004
Doug,

I have seen this before, as you have. Can you post your configuration
(change any public addresses to protect yourself before posting) and I'll
tell you what it is.


Regards,

Scott.
\|/
(o o)
---------------------oOOO--(_)--OOOo----------------------
Out the 100Base-T, off the firewall, through the router, down
the T1, over the leased line, off the bridge, nothing but Net.
(Use ROT13 to see my email address)
.oooO Oooo.
----------------------( )---( )-----------------------
\ ( ) /
\_) (_/


Doug
01-08-2004
Thanks for the replies guys,

Here's the config (names and addresses have been changed to protect the
innocent - or nearly so).

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
hostname edgar
domain-name edgar.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_outbound_nat0_acl permit ip 10.0.5.0 255.255.255.0 10.0.5.64 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 10.0.5.48 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 10.0.5.48 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.252
ip address inside 10.0.5.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool 10.0.5.50-10.0.5.60
pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
pdm location 10.0.5.0 255.255.255.0 inside
pdm location 10.0.5.64 255.255.255.224 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 outside
http 10.0.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup myvpn address-pool mypool
vpngroup myvpn wins-server 10.0.5.100
vpngroup myvpn idle-time 1800
vpngroup myvpn password ********
telnet xxx.xxx.xxx.xxx 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80



Doug



scott enwright
01-09-2004
Doug,

I believe the PIX is changing the subnet mask because the VPN pool of IP
addresses is from the same range as the inside interface is. Change the
pool of IP addresses out of the 10.0.5.0/24 range. You will also need to
change the


These are the commands that need some fixing:
1. ip local pool mypool 10.0.5.50-10.0.5.60
2. access-list inside_outbound_nat0_acl permit ip 10.0.5.0 255.255.255.0 10.0.5.64 255.255.255.224
3. access-list inside_outbound_nat0_acl permit ip any 10.0.5.48 255.255.255.240
4. access-list outside_cryptomap_dyn_20 permit ip any 10.0.5.48 255.255.255.240

I'd try and reallocate the pool for the VPN and see if that changes all four
of these lines. If you made the VPN IP Pool 'mypool' range from
10.0.6.1-10.0.6.254 you could see if the rest all change along with it.

Regards,

Scott.



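As an added example (not part of the thread), this Python script uses the standard-library ipaddress module to check the posted config the way Scott does by eye: it flags a VPN pool carved out of the inside subnet, confirms the nat 0 and crypto ACL destinations cover the smallest block containing the pool (10.0.5.48/28 for 10.0.5.50-60), and regenerates those lines for a pool moved to 10.0.6.x. The config excerpt is constructed from the lines posted above; the function names are my own.

```python
import ipaddress
# Constructed excerpt of the posted PIX 6.3(1) config: inside interface plus the four lines Scott flags.
PIX_CONFIG = """\
ip address inside 10.0.5.254 255.255.255.0
ip local pool mypool 10.0.5.50-10.0.5.60
access-list inside_outbound_nat0_acl permit ip 10.0.5.0 255.255.255.0 10.0.5.64 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 10.0.5.48 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 10.0.5.48 255.255.255.240
"""

def parse_config(text):
    # Returns (inside_net, (pool_lo, pool_hi), {acl_name: [dst_net, ...]})
    inside, pool, acls = None, None, {}
    for p in (line.split() for line in text.splitlines()):
        if p[:3] == ["ip", "address", "inside"]:
            inside = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
        elif p[:3] == ["ip", "local", "pool"]:
            pool = tuple(ipaddress.ip_address(a) for a in p[4].split("-"))
        elif p[:1] == ["access-list"] and p[2:4] == ["permit", "ip"]:
            # the destination is always the last address/mask pair on the line
            acls.setdefault(p[1], []).append(ipaddress.ip_network(f"{p[-2]}/{p[-1]}", strict=False))
    return inside, pool, acls

def covering_prefix(lo, hi):
    """Smallest single CIDR block holding the whole lo-hi range (10.0.5.50-60 -> 10.0.5.48/28)."""
    lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()
    return net

def audit(text):
    """Flag a pool carved out of the inside subnet and ACLs that do not cover the pool block."""
    inside, (lo, hi), acls = parse_config(text)
    findings = [f"pool {lo}-{hi} overlaps inside subnet {inside}"] if (lo in inside or hi in inside) else []
    block = covering_prefix(lo, hi)
    for name, dsts in acls.items():
        if block not in dsts:
            findings.append(f"{name} has no entry covering pool block {block}")
    return findings

def fixed_lines(lo, hi, inside):
    """Regenerate the pool plus the nat 0 and crypto ACL entries for a pool moved out of the LAN."""
    inside = ipaddress.ip_network(inside, strict=False)
    if ipaddress.ip_address(lo) in inside or ipaddress.ip_address(hi) in inside:
        raise ValueError("new pool still overlaps the inside subnet")
    b = covering_prefix(lo, hi)
    return [f"ip local pool mypool {lo}-{hi}",
            f"access-list inside_outbound_nat0_acl permit ip {inside.network_address} {inside.netmask} {b.network_address} {b.netmask}",
            f"access-list outside_cryptomap_dyn_20 permit ip any {b.network_address} {b.netmask}"]
```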
 