Velocity Reviews - Computer Hardware Reviews

mixing pix-to-pix vpn and pptp-dial-in-vpn on pix501

 
 
Tom
11-16-2004
Hi NG,

Is it basically possible to mix pix-to-pix ipsec vpn and
pptp-dial-in-vpn?
I ran into some trouble with my config after connecting a branch office.
 
Walter Roberson
11-16-2004
In article <(E-Mail Removed) >,
Tom <(E-Mail Removed)> wrote:
:is it basically possible to mix pix-to-pix ipsec vpn and
pptp-dial-in-vpn?
:i run into some troubles with my config after connecting a branch office.

It should be possible. Tell us more about your configuration and the
problems you are encountering?

--
Pity the poor electron, floating around minding its own business for
billions of years; and then suddenly Bam!! -- annihilated just so
you could read this posting.
 
Tom
11-17-2004
(E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote in message news:<cnd85f$rd6$(E-Mail Removed)>...
> In article <(E-Mail Removed) >,
> Tom <(E-Mail Removed)> wrote:
> :is it basically possible to mix pix-to-pix ipsec vpn and
> pptp-dial-in-vpn?
> :i run into some troubles with my config after connecting a branch office.
>
> It should be possible. Tell us more about your configuration and the
> problems you are encountering?


Thank you Walter,
the problem is that the pix doesn't pass the packets through the
pptp-dial-in-tunnel with the message "rec'd paket is not an ipsec
paket".
This is clear to me because:
*) I can only bind one access-list to the "nat 0" statement
*) so I have to put the addresses for the dial-in clients and the
ipsec-tunnel in one access-list
*) but for the pix this access-list is "linked" to the crypto map so
the pix handles only ipsec traffic

I don't know how to handle this.
Here is my config (ip's cleared out, statics and access-lists
shrunk):

pix1(config)# wr te
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ZijiPTxiw8a3tA6R encrypted
passwd 1EgFjE4cZDhur5Yg encrypted
hostname pix1
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group network sysadmins
access-list inside-in permit tcp 192.168.10.0 255.255.255.0 any eq ssh
access-list inside-in permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list inside-in permit tcp 192.168.10.0 255.255.255.0 host potato eq 3306
access-list inside-in deny ip any any
access-list outside-in permit tcp object-group sysadmins host XXXXXXXXX eq 3389
access-list outside-in deny ip any any

access-list vpn permit ip any 192.168.10.192 255.255.255.224
access-list vpn permit ip 192.168.10.192 255.255.255.224 any --> PPTP Dial in clients
access-list vpn permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 --> Branch Office

pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.XXX.XXX 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 192.168.10.201-192.168.10.210
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp XXX.XXX.XXX.XXX smtp mail smtp netmask 255.255.255.255 0 0
access-group outside-in in interface outside
access-group inside-in in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.10.13 XXXXX timeout 5
aaa-server PPTP-VPDN-GROUP protocol radius
aaa-server PPTP-VPDN-GROUP (inside) host 192.168.10.13 XXXX timeout 10
snmp-server host outside potato poll
snmp-server contact XXXXXXXXXXXXXxx
snmp-server community XXXXXXXXXXXXXXXXXX
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set apolloset esp-des esp-sha-hmac
crypto map apollomap 10 ipsec-isakmp
crypto map apollomap 10 match address vpn
crypto map apollomap 10 set XXXXXXXXX
crypto map apollomap 10 set transform-set apolloset
crypto map apollomap interface outside
isakmp enable outside
isakmp key ******** address XXXXXXXXX netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 2400
telnet timeout 5
ssh XXXXXXXXX 255.255.255.255 outside
ssh XXXXXXXXX 255.255.255.255 outside
ssh XXXXXXXXX 255.255.255.255 outside
ssh XXXXXXXXX 255.255.255.255 inside
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local vpn-pool
vpdn group PPTP-VPDN-GROUP client configuration dns srv1 srv2
vpdn group PPTP-VPDN-GROUP client authentication aaa PPTP-VPDN-GROUP
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn enable outside
terminal width 80
Cryptochecksum:d90625f0b8179140805ed290e6c333db
: end
[OK]
pix1(config)#
 
PES
11-17-2004
Tom wrote:
> (E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote in message news:<cnd85f$rd6$(E-Mail Removed)>...
>
>>In article <(E-Mail Removed) >,
>>Tom <(E-Mail Removed)> wrote:
>>:is it basically possible to mix pix-to-pix ipsec vpn and
>>pptp-dial-in-vpn?
>>:i run into some troubles with my config after connecting a branch office.
>>
>>It should be possible. Tell us more about your configuration and the
>>problems you are encountering?

>
>
> thank you walter,
> the problem is that the pix dont passes the pakets through the
> pptp-dial-in-tunnel with the message "rec'd paket is not an ipsec
> paket".
> this is clear for me cause:
> *) i can only bind one access-list to the "nat 0" statement
> *) so i have to put the adresses for the dial-in clients and the
> ipsec-tunnel in one access-list
> *) but for the pix this access-list is "linked" to the crypto map so
> the pix handles only ipsec traffic
>
> i dont know how to handle this.
> here goes my config (ip's cleared out,static's and access-lists
> shrinked):
>
> pix1(config)# wr te
> Building configuration...
> : Saved
> :
> PIX Version 6.3(1)
> interface ethernet0 10baset
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password ZijiPTxiw8a3tA6R encrypted
> passwd 1EgFjE4cZDhur5Yg encrypted
> hostname pix1
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol ils 389
> fixup protocol pptp 1723
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> no fixup protocol smtp 25
> fixup protocol sqlnet 1521
> names
> object-group network sysadmins
> access-list inside-in permit tcp 192.168.10.0 255.255.255.0 any eq ssh
> access-list inside-in permit tcp 192.168.10.0 255.255.255.0 any eq www
> access-list inside-in permit tcp 192.168.10.0 255.255.255.0 host
> potato eq 3306
> access-list inside-in deny ip any any



The above line is technically unnecessary due to the architecture of the
pix. Someone may have put it in there just so they could see it, but it
does make administering the pix more difficult.

> access-list outside-in permit tcp object-group sysadmins host
> XXXXXXXXX eq 3389
> access-list outside-in deny ip any any


The above line is technically unnecessary due to the architecture of the
pix. Someone may have put it in there just so they could see it, but it
does make administering the pix more difficult.

>
> access-list vpn permit ip any 192.168.10.192 255.255.255.224


The above line is bad form. You should not use the keyword any in any
acl that is used as a crypto acl.

> access-list vpn permit ip 192.168.10.192 255.255.255.224 any
> --> PPTP Dial in clients


What is the above line for? It is specified and bound to a crypto acl
and nonat acl.

> access-list vpn permit ip 192.168.10.0 255.255.255.0 192.168.1.0
> 255.255.255.0 --> Branch Office


The above line is correct; however, it should be the only line in
access-list vpn.

>
> pager lines 24
> logging on
> mtu outside 1500
> mtu inside 1500
> ip address outside XXX.XXX.XXX.XXX 255.255.255.248
> ip address inside 192.168.10.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool vpn-pool 192.168.10.201-192.168.10.210
> no pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list vpn


You should not use your crypto acl as a nonat acl. In some cases, this
can cause unexpected results due to the way the asa modifies the acl
internally.

> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) tcp XXX.XXX.XXX.XXX smtp mail smtp netmask
> 255.255.255.255 0 0
> access-group outside-in in interface outside
> access-group inside-in in interface inside
> route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
> 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> aaa-server partnerauth protocol radius
> aaa-server partnerauth (inside) host 192.168.10.13 XXXXX timeout 5
> aaa-server PPTP-VPDN-GROUP protocol radius
> aaa-server PPTP-VPDN-GROUP (inside) host 192.168.10.13 XXXX timeout 10
> snmp-server host outside potato poll
> snmp-server contact XXXXXXXXXXXXXxx
> snmp-server community XXXXXXXXXXXXXXXXXX
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> sysopt connection permit-pptp
> crypto ipsec transform-set apolloset esp-des esp-sha-hmac
> crypto map apollomap 10 ipsec-isakmp
> crypto map apollomap 10 match address vpn
> crypto map apollomap 10 set XXXXXXXXX
> crypto map apollomap 10 set transform-set apolloset
> crypto map apollomap interface outside
> isakmp enable outside
> isakmp key ******** address XXXXXXXXX netmask 255.255.255.255
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 2400
> telnet timeout 5
> ssh XXXXXXXXX 255.255.255.255 outside
> ssh XXXXXXXXX 255.255.255.255 outside
> ssh XXXXXXXXX 255.255.255.255 outside
> ssh XXXXXXXXX 255.255.255.255 inside
> ssh timeout 5
> console timeout 0
> vpdn group PPTP-VPDN-GROUP accept dialin pptp
> vpdn group PPTP-VPDN-GROUP ppp authentication mschap
> vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
> vpdn group PPTP-VPDN-GROUP client configuration address local vpn-pool
> vpdn group PPTP-VPDN-GROUP client configuration dns srv1 srv2
> vpdn group PPTP-VPDN-GROUP client authentication aaa PPTP-VPDN-GROUP
> vpdn group PPTP-VPDN-GROUP pptp echo 60
> vpdn enable outside
> terminal width 80
> Cryptochecksum:d90625f0b8179140805ed290e6c333db
> : end
> [OK]
> pix1(config)#




Personally, I would do a routed subnet on the pptp. However, sharing
the range with the inside may work as well.


Here are my recommendations on how I would do it.

Clear your current vpn-pool address pool.

no ip local pool vpn-pool
ip local pool vpn-pool 192.168.9.1-192.168.9.254

Clear your crypto acl vpn and recreate it with only the following line.

no access-list vpn
access-list vpn permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

Create a nonat acl
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.9.0 255.255.255.0 192.168.1.0 255.255.255.0

Bind it to nat 0
nat (inside) 0 access-list nonat




--
-------------------------
Paul Stewart
Lexnet Inc.
Email address is in ROT13
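The failure Tom describes (one list "vpn" serving as both the crypto ACL and the nat 0 ACL, so PPTP client addresses are claimed by the crypto map) and PES's fix (separate lists, PPTP pool on its own 192.168.9.0/24 subnet), modelled in a small Python script added here; it is not code from the thread. The first-match ACL model and the way the crypto map treats a matching cleartext packet are simplified assumptions, and the sample flows are constructed.

```python
import ipaddress

# Constructed model of the two ACL roles the thread is about: the crypto ACL
# bound to the crypto map ("match address vpn") and the ACL bound to
# "nat (inside) 0". Each entry is (source network, destination network);
# "any" is 0.0.0.0/0. Prefixes are the ones posted in the thread.
ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("192.168.10.0/24")
BRANCH = ipaddress.ip_network("192.168.1.0/24")
OLD_POOL = ipaddress.ip_network("192.168.10.192/27")  # covers 192.168.10.201-210
NEW_POOL = ipaddress.ip_network("192.168.9.0/24")     # routed PPTP subnet PES suggests

# Tom's original config: one list "vpn" serves as both crypto ACL and nonat ACL.
ORIGINAL_VPN_ACL = [(ANY, OLD_POOL), (OLD_POOL, ANY), (INSIDE, BRANCH)]
ORIGINAL = {"crypto": ORIGINAL_VPN_ACL, "nonat": ORIGINAL_VPN_ACL}

# PES's fix: the crypto ACL holds only the branch-office pair; the nonat ACL is
# a separate list that also exempts the PPTP pool.
FIXED = {
    "crypto": [(INSIDE, BRANCH)],
    "nonat": [(INSIDE, BRANCH), (NEW_POOL, BRANCH)],
}


def acl_permits(acl, src, dst):
    """True if any (src_net, dst_net) entry of the ACL covers the address pair
    (simplified first-match model, assumption)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def crypto_claims(policy, src, dst):
    """Does the crypto map claim this flow? A cleartext packet the crypto ACL
    claims is expected to be IPsec; a decapsulated PPTP packet in that class
    is what produces the "not an ipsec packet" drop Tom reported."""
    return acl_permits(policy["crypto"], src, dst)


def nat_exempt(policy, src, dst):
    """Does the nat 0 ACL exempt this flow from the dynamic NAT rule?"""
    return acl_permits(policy["nonat"], src, dst)


def lint_policy(policy):
    """Apply the two rules PES states: no 'any' in a crypto ACL, and do not
    reuse the crypto ACL as the nonat ACL. Returns a list of findings."""
    findings = []
    if any(ANY in pair for pair in policy["crypto"]):
        findings.append("crypto ACL uses 'any'")
    if policy["crypto"] is policy["nonat"]:
        findings.append("crypto ACL reused as nonat ACL")
    return findings


if __name__ == "__main__":
    # Constructed sample flows: a PPTP client talking to an inside host, and an
    # inside host talking to the branch office, under each policy.
    for name, pol, client in (("original", ORIGINAL, "192.168.10.205"),
                              ("fixed", FIXED, "192.168.9.10")):
        print(name, "pptp client -> inside claimed by crypto map:",
              crypto_claims(pol, client, "192.168.10.50"))
        print(name, "inside -> branch claimed by crypto map:",
              crypto_claims(pol, "192.168.10.50", "192.168.1.20"))
        print(name, "lint:", lint_policy(pol))
```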
 
Tom
11-17-2004
Hello Paul,

your explanation pointed me to my problem.
I've read many sample configs from cisco, but the nat 0 acl and crypto acl
were always the same in the samples.

But you told me to split off the acl and make one for the nat 0 and one for
the crypto.
I just corrected my config and it works now.

big thanks & regards,
thomas
 