Velocity Reviews - Computer Hardware Reviews

IPSEC tunnel through outbound ACL on PIX 501

xman
05-15-2005
Hi All
I have a very simple outbound ACL on a Pix 501:

access-list in-out line 1 permit tcp any any eq ftp (hitcnt=0)
access-list in-out line 2 permit tcp any any eq www (hitcnt=130)
access-list in-out line 3 permit tcp any any eq citrix-ica (hitcnt=0)
access-list in-out line 4 permit udp any any eq isakmp (hitcnt=3)
access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)
access-list in-out line 7 permit tcp any any eq 1863 (hitcnt=11)
access-list in-out line 8 permit tcp any any eq https (hitcnt=
access-list in-out line 9 permit tcp any any eq aol (hitcnt=0)

I am trying to create an ipsec tunnel through 501 to another PIX with a
cisco client. The log shows that phase 1 (IKE) is completing
successfully, but the connection fails after that. If I remove the ACL
from the inside interface (no access-group in-out in interface inside)
the client connects immediately.

I know I am probably missing something obvious here, but any help would
really be appreciated.

Thanks.

Walter Roberson
05-15-2005
In article <(E-Mail Removed) .com>,
xman <(E-Mail Removed)> wrote:
:I have a very simple outbound ACL on a Pix 501:

:access-list in-out line 1 permit tcp any any eq ftp (hitcnt=0)
:access-list in-out line 2 permit tcp any any eq www (hitcnt=130)
:access-list in-out line 3 permit tcp any any eq citrix-ica (hitcnt=0)
:access-list in-out line 4 permit udp any any eq isakmp (hitcnt=3)
:access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
:access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)
:access-list in-out line 7 permit tcp any any eq 1863 (hitcnt=11)
:access-list in-out line 8 permit tcp any any eq https (hitcnt=
:access-list in-out line 9 permit tcp any any eq aol (hitcnt=0)

:I am trying to create an ipsec tunnel through 501 to another PIX with a
:cisco client. The log shows that phase 1 (IKE) is completing
:successfully, but the connection fails after that. If I remove the ACL
:from the inside interface (no access-group in-out in interface inside)
:the client connects immediately.

Make sure that nat-traversal is turned on on the remote pix
(isakmp nat-traversal 20), and open outbound port udp 4500.
--
Would you buy a used bit from this man??
xman
05-15-2005
Thank you very much. UDP 4500 did the trick.

Paul Womar
05-15-2005
xman <(E-Mail Removed)> wrote:

> I have a very simple outbound ACL on a Pix 501:
>
> access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
> access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)
>
> I am trying to create an ipsec tunnel through 501 to another PIX with a
> cisco client. The log shows that phase 1 (IKE) is completing
> successfully, but the connection fails after that. If I remove the ACL
> from the inside interface (no access-group in-out in interface inside)
> the client connects immediately.
>
> I know I am probably missing something obvious here, but any help would
> really be appreciated.


I see you have had one answer suggested already, but I suspect those two
ACL lines above are not what you intended (i.e. opening ports for Remote
Mail Checking Protocol & IMP Logical Address Maintenance). I would
think you want to allow ESP & AH traffic to pass; for that you need to allow
*protocols* 50 & 51 through, NOT TCP *ports*. I think you probably
intended something closer to the following:

access-list in-out line 5 permit ah any any
access-list in-out line 6 permit esp any any
--
-> The email address used in this message *IS* valid <-
Walter Roberson
05-15-2005
In article <1gwmk2r.ugl2szt8jje7N%{$PW$}@womar.co.uk>,
Paul Womar <{$PW$}@womar.co.uk> wrote:
:xman <(E-Mail Removed)> wrote:
:> access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
:> access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)

:I see you have had one answer suggested already but I suspect those two
:ACL lines above are not what you intended (i.e. opening ports for Remote
:Mail Checking Protocol & IMP Logical Address Maintenance).

I missed that in my answer, partly because I know that ESP and AH
show up by name instead of by number, so I didn't "see" the 50 and 51.

: I would
:think you want to allow ESP & AH traffic to pass, you need to allow
:*protocols* 50 & 51 through NOT TCP *ports*. I think you probably
:intended something closer to the following:

:access-list in-out line 5 permit ah any any
:access-list in-out line 6 permit esp any any

Those aren't needed. The structure of the ACLs suggests strongly
that the OP is doing PAT, NAT at the very least. AH can't be
NAT'd, and ESP can't be PAT'd, so if AH or ESP were the issue then
probably the connection wouldn't have worked even without the
inside ACL. ESP will work with static NAT, but if the problem were
with ESP not getting through static NAT then the OP would have needed
to have opened ESP from the outside to the inside, and in doing so
would have noticed that it was a protocol rather than a port.


When you have nat-traversal active in a PAT situation, you need
UDP 500 and UDP 4500, and everything else is handled dynamically.

--
"[...] it's all part of one's right to be publicly stupid." -- Dave Smey
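The two mistakes the replies point at (IP protocol numbers 50/51 written as TCP ports, and UDP 4500 missing when NAT traversal is used behind PAT) can be checked mechanically before an ACL is applied. The linter below is an added example, not code from the thread or from Cisco. The ACL it parses is the OP's list reconstructed as constructed sample input; the regex and the named-port table are assumptions that cover only the `show access-list` syntax seen in this thread.

```python
"""Lint a PIX-style access-list for the two IPsec pitfalls discussed in the
thread.  Constructed example: the parser covers only the syntax seen in the
thread, not the full PIX/ASA access-list grammar."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Port names the PIX prints in 'show access-list' output.  Assumption: only
# the names that appear in the thread are mapped here.
NAMED_PORTS = {"ftp": 21, "www": 80, "https": 443, "isakmp": 500,
               "citrix-ica": 1494, "aol": 5190}

# access-list <name> [line N] permit|deny <proto> <src> <dst> [eq <port>] ...
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?"
)


@dataclass
class Ace:
    name: str
    action: str
    proto: str          # ip protocol keyword: tcp, udp, esp, ah, ...
    src: str
    dst: str
    port: Optional[int]     # numeric port if 'eq' was given, else None
    hitcnt: Optional[int]   # trailing (hitcnt=N) if present, else None


def parse_port(token: Optional[str]) -> Optional[int]:
    if token is None:
        return None
    return int(token) if token.isdigit() else NAMED_PORTS.get(token)


def parse_ace(line: str) -> Optional[Ace]:
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    hit = re.search(r"hitcnt=(\d+)", line)   # tolerates a truncated "(hitcnt="
    return Ace(m["name"], m["action"], m["proto"].lower(), m["src"], m["dst"],
               parse_port(m["port"]), int(hit.group(1)) if hit else None)


def parse_acl(text: str) -> List[Ace]:
    return [a for a in (parse_ace(ln) for ln in text.splitlines()) if a]


def permits(aces: List[Ace], proto: str, port: Optional[int] = None) -> bool:
    return any(a.action == "permit" and a.proto == proto
               and (port is None or a.port == port) for a in aces)


def protocol_as_port_mistakes(aces: List[Ace]) -> List[Ace]:
    # 'permit tcp ... eq 50' opens TCP port 50, not IP protocol 50 (ESP).
    return [a for a in aces if a.proto in ("tcp", "udp") and a.port in (50, 51)]


def nat_t_ready(aces: List[Ace]) -> bool:
    # NAT-T behind PAT needs IKE (udp/500) and the NAT-T channel (udp/4500);
    # ESP/AH entries are then not required, as the thread explains.
    return permits(aces, "udp", 500) and permits(aces, "udp", 4500)


def lint(text: str) -> List[str]:
    aces = parse_acl(text)
    findings = []
    for a in protocol_as_port_mistakes(aces):
        want = "esp" if a.port == 50 else "ah"
        findings.append(f"{a.proto} port {a.port} is a port, not IP protocol "
                        f"{a.port}; for {want.upper()} write 'permit {want} "
                        f"{a.src} {a.dst}' (not needed at all with NAT-T)")
    if not permits(aces, "udp", 500):
        findings.append("udp/500 (isakmp) not permitted: IKE phase 1 will fail")
    if not permits(aces, "udp", 4500):
        findings.append("udp/4500 not permitted: NAT-T behind PAT will fail")
    return findings


# Constructed sample: the OP's ACL as posted (hit counts kept where shown).
ORIGINAL_ACL = """\
access-list in-out line 1 permit tcp any any eq ftp (hitcnt=0)
access-list in-out line 2 permit tcp any any eq www (hitcnt=130)
access-list in-out line 3 permit tcp any any eq citrix-ica (hitcnt=0)
access-list in-out line 4 permit udp any any eq isakmp (hitcnt=3)
access-list in-out line 5 permit tcp any any eq 51 (hitcnt=0)
access-list in-out line 6 permit tcp any any eq 50 (hitcnt=0)
access-list in-out line 7 permit tcp any any eq 1863 (hitcnt=11)
access-list in-out line 8 permit tcp any any eq https (hitcnt=
access-list in-out line 9 permit tcp any any eq aol (hitcnt=0)
"""

# Constructed sample: the bogus 50/51 lines dropped, udp/4500 added.
FIXED_ACL = """\
access-list in-out line 1 permit tcp any any eq ftp
access-list in-out line 2 permit tcp any any eq www
access-list in-out line 3 permit tcp any any eq citrix-ica
access-list in-out line 4 permit udp any any eq isakmp
access-list in-out line 5 permit udp any any eq 4500
access-list in-out line 6 permit tcp any any eq https
"""

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, lint(acl) or ["ok"])
```

Run as a script it reports three findings for the original list (tcp/51, tcp/50, missing udp/4500) and none for the corrected one. The linter deliberately does not flag a missing `permit esp`/`permit ah`, following the last reply: behind PAT with NAT-T active, udp/500 and udp/4500 are what the inside ACL has to allow.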