Velocity Reviews - Computer Hardware Reviews

Need help with a PIX 520 and VPN traffic

 
 
docpatelsf@gmail.com
06-27-2007
I need some help configuring a firewall that was pretty much thrown at
me to manage. I'm unable to get out of the firewall for an
application that requires the following ports be open (this is from
the application vendor):

Firewall ports (outbound) that need to be enabled:

TCP/264
IPSEC and IKE (UDP/500)
IPSEC ESP (IP type 50)
IPSEC AH (IP type 51)
TCP/500
UDP/2746
UDP/259
TCP/18231

Here's the current firewall config; the IOS has not been updated in a
seriously long time; I would really appreciate some help as to why I
am not able to get out of the firewall for this application.
Syslogging shows that acl_inside group is disallowing the connection.

The application vendor's IPs are 192.131.69.200 and 192.131.65.200

I am not familiar with CISCO firewalls, but I believe there might also
be an issue with NAT-T (correct me if I am wrong).

Thanks in advance for any/all help.

firewall config (condensed, minus some ACLs):

PIX Version 5.2(6)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 public security10
enable password 0NVe7N9xFeDnrRfe encrypted
passwd tflge61LqXv/Dm/V encrypted
hostname internetfw
domain-name masked.out
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol ftp 2120
no fixup protocol smtp 25
no names
access-list acl_inside deny ip any host 152.163.0.0
access-list acl_inside permit tcp any any eq ftp-data
access-list acl_inside permit tcp any any eq ftp
access-list acl_inside permit tcp any any eq domain
access-list acl_inside permit udp any any eq domain
access-list acl_inside permit tcp any any eq 443
access-list acl_inside permit tcp any any eq 554
access-list acl_inside permit tcp any any eq 1080
access-list acl_inside permit tcp any any eq 1755
access-list acl_inside permit tcp any any eq 1863
access-list acl_inside permit tcp any any eq 3101
access-list acl_inside permit tcp any any eq 3520
access-list acl_inside permit tcp any any eq 5050
access-list acl_inside permit tcp any any eq 5190
access-list acl_inside permit tcp any any eq 8000
access-list acl_inside permit tcp any any eq 8010
access-list acl_inside permit tcp any any eq 8080
access-list acl_inside permit icmp host 151.209.194.228 any echo
access-list acl_inside permit icmp host 151.209.194.119 any echo
access-list acl_inside permit icmp any any echo
access-list acl_inside permit tcp any any eq www
access-list acl_inside deny tcp any any eq smtp
access-list acl_inside deny tcp any any
access-list acl_inside deny udp any any
access-list acl_inside deny ip any any
access-list acl_inside deny udp any any eq tftp
access-list acl_inside deny tcp any any eq 81
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny tcp any any eq 136
access-list acl_inside deny udp any any eq 136
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq netbios-ns
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq netbios-dgm
access-list acl_inside deny tcp any any eq 139
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny udp any any eq 445
access-list acl_inside deny tcp any any eq 4444
access-list acl_inside permit tcp any host 192.131.69.200 eq 264
access-list acl_inside permit udp any host 192.131.69.200 eq isakmp
access-list acl_inside permit udp any host 192.131.69.200 eq 2746
access-list acl_inside permit udp any host 192.131.69.200 eq 259
access-list acl_inside permit tcp any host 192.131.69.200 eq 18231
access-list acl_inside permit udp any host 192.131.69.200 eq 4500
access-list acl_inside permit tcp any host 192.131.65.200 eq 264
access-list acl_inside permit udp any host 192.131.65.200 eq isakmp
access-list acl_inside permit udp any host 192.131.65.200 eq 2746
access-list acl_inside permit udp any host 192.131.65.200 eq 259
access-list acl_inside permit tcp any host 192.131.65.200 eq 18231
access-list acl_inside permit udp any host 192.131.65.200 eq 4500
access-list acl_inside permit tcp any host 192.131.69.200 eq 500
access-list acl_inside permit tcp any host 192.131.65.200 eq 500
access-list acl_outside deny tcp any any eq 135
access-list acl_outside deny tcp any any eq 136
access-list acl_outside deny tcp any any eq 137
access-list acl_outside deny tcp any any eq 138
access-list acl_outside deny tcp any any eq 139
access-list acl_outside permit tcp any host 63.205.237.14 eq www
access-list acl_outside permit tcp any host 192.131.69.200 eq 264
access-list acl_outside permit udp any host 192.131.69.200 eq isakmp
access-list acl_outside permit udp any host 192.131.69.200 eq 2746
access-list acl_outside permit udp any host 192.131.69.200 eq 259
access-list acl_outside permit tcp any host 192.131.69.200 eq 18231
access-list acl_outside permit udp any host 192.131.69.200 eq 4500
access-list acl_outside permit tcp any host 192.131.65.200 eq 264
access-list acl_outside permit udp any host 192.131.65.200 eq isakmp
access-list acl_outside permit udp any host 192.131.65.200 eq 2746
access-list acl_outside permit udp any host 192.131.65.200 eq 259
access-list acl_outside permit tcp any host 192.131.65.200 eq 18231
access-list acl_outside permit udp any host 192.131.65.200 eq 4500
access-list acl_outside permit tcp any host 192.131.69.200 eq 500
access-list acl_outside permit tcp any host 192.131.65.200 eq 500
pager lines 20
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered warnings
logging trap warnings
no logging history
logging facility 20
logging queue 2048
logging host inside 151.209.194.228
no logging message 106011
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu public 1500
ip address outside masked 255.255.255.240
ip address inside 151.209.194.125 255.255.255.0
ip address public 10.101.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside masked
failover ip address inside 151.209.194.222
failover ip address public 10.101.1.2
arp timeout 14400
global (outside) 1 masked
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) masked 151.209.194.228 netmask 255.255.255.255 0 0
static (public,outside) masked 10.101.1.197 netmask 255.255.255.255 0 0
static (inside,outside) masked 151.209.194.121 netmask 255.255.255.255 0 0
static (inside,outside) masked 151.209.194.133 netmask 255.255.255.255 0 0
static (inside,outside) masked 151.209.194.252 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 masked 1
route inside 151.209.0.0 255.255.0.0 151.209.194.121 1
route outside 151.209.24.0 255.255.255.0 masked 1
route outside 151.209.112.0 255.255.255.0 masked 1
route outside 151.209.113.0 255.255.255.0 masked 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server vpn protocol tacacs+
snmp-server host inside 151.209.194.119
no snmp-server location
no snmp-server contact
snmp-server community !Now!3v3r
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp enable outside
isakmp identity hostname
telnet timeout 5
ssh timeout 60
terminal width 80

 

Chad Mahoney
06-27-2007
wrote:
> [snip]

The ACLs are read from top to bottom; you have an explicit deny ACL

> access-list acl_inside deny ip any any

That ACL is being read by the firewall before

> access-list acl_inside permit tcp any host 192.131.69.200 eq 264
> access-list acl_inside permit udp any host 192.131.69.200 eq isakmp
> access-list acl_inside permit udp any host 192.131.69.200 eq 2746
> access-list acl_inside permit udp any host 192.131.69.200 eq 259
> access-list acl_inside permit tcp any host 192.131.69.200 eq 18231
> access-list acl_inside permit udp any host 192.131.69.200 eq 4500
> access-list acl_inside permit tcp any host 192.131.65.200 eq 264
> access-list acl_inside permit udp any host 192.131.65.200 eq isakmp
> access-list acl_inside permit udp any host 192.131.65.200 eq 2746
> access-list acl_inside permit udp any host 192.131.65.200 eq 259
> access-list acl_inside permit tcp any host 192.131.65.200 eq 18231
> access-list acl_inside permit udp any host 192.131.65.200 eq 4500
> access-list acl_inside permit tcp any host 192.131.69.200 eq 500
> access-list acl_inside permit tcp any host 192.131.65.200 eq 500



You need to move the above lines above all the deny statements you have
defined.
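Chad's point, as an added example that is not from the thread: a small first-match evaluator over a constructed excerpt of the posted acl_inside. It reports which entries are dead because an earlier entry already covers them, tests each flow from the vendor's port list before and after moving the vendor permits to the top, and shows that ESP and AH (IP protocols 50 and 51) still hit "deny ip any any" after the move, because the posted ACL has no permit for them at all. The inside source address 10.0.0.5, the helper names and the simplified grammar (only "any"/"host" addresses and an optional "eq" port) are assumptions made here.

```python
from collections import namedtuple
# action: "permit"/"deny" ("-" for a flow); proto: "ip", "tcp", "udp", "esp", ...;
# src, dst: a host address, or None for "any"; port: the "eq" port, or None.
Ace = namedtuple("Ace", "action proto src dst port")
PORT_NAMES = {"isakmp": 500, "www": 80}  # the "eq" names the excerpt below uses

def _addr(t, i):         # only the "any" / "host A.B.C.D" forms used in the post
    return (None, i + 1) if t[i] == "any" else (t[i + 1], i + 2)

def parse_ace(line):     # access-list NAME action proto src dst [eq PORT]
    t = line.split()
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    eq = t[i + 1] if t[i:i + 1] == ["eq"] else None   # the "eq PORT" clause is optional
    port = (PORT_NAMES.get(eq) or int(eq)) if eq else None
    return Ace(t[2], t[3], src, dst, port)

def covers(a, b):        # every packet matching ACE/flow b also matches ACE a
    return (a.proto in ("ip", b.proto) and a.src in (None, b.src)
            and a.dst in (None, b.dst) and a.port in (None, b.port))

def first_match(acl, flow):  # PIX stops at the first hit; no hit = implicit deny
    for idx, ace in enumerate(acl):
        if covers(ace, flow):
            return ace.action, idx
    return "deny", None

def shadowed(acl):       # dead entry -> index of the first earlier entry covering it
    return {j: next(i for i, a in enumerate(acl[:j]) if covers(a, b))
            for j, b in enumerate(acl) if any(covers(a, b) for a in acl[:j])}

def move_to_top(acl, hosts):  # the reply's fix: vendor permits above every deny
    top = [a for a in acl if a.dst in hosts]
    return top + [a for a in acl if a.dst not in hosts]

# Constructed excerpt of the posted acl_inside, in the posted order.
ACL = [parse_ace(l) for l in """access-list acl_inside permit tcp any any eq www
access-list acl_inside deny tcp any any
access-list acl_inside deny udp any any
access-list acl_inside deny ip any any
access-list acl_inside permit tcp any host 192.131.69.200 eq 264
access-list acl_inside permit udp any host 192.131.69.200 eq isakmp
access-list acl_inside permit udp any host 192.131.69.200 eq 4500""".splitlines()]
VENDOR = "192.131.69.200"  # one of the two vendor addresses in the post

def flow(proto, port=None):  # a packet from a constructed inside host to the vendor
    return Ace("-", proto, "10.0.0.5", VENDOR, port)
# The vendor's port list as flows; ESP and AH are IP protocols 50/51, not ports.
FLOWS = {"tcp/264": flow("tcp", 264), "udp/500": flow("udp", 500),
         "esp": flow("esp"), "ah": flow("ah")}
```

Running `shadowed(ACL)` on the excerpt reports the three vendor permits as dead (covered by "deny tcp any any" and "deny udp any any" before "deny ip any any" is even reached); after `move_to_top(ACL, {VENDOR})` nothing is shadowed, TCP/264 and UDP/500 are permitted, and the ESP and AH flows are still denied.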
 