Velocity Reviews - Computer Hardware Reviews

Cisco VPN clients not passing traffic after new PTP IPSec tunnel is up

GuenTech, Junior Member (Join Date: May 2009, Posts: 6)
05-21-2009
cisco vpn client version: 5.0.03.0300 and 4.x ( I use 5.0.03.0300, all other users use the 4.x clients)

PIX Version 6.3(5)

I recently inherited IT for this company. They had a working PIX 515E config which included the Cisco VPN client. I was recently tasked with getting a PTP IPSec tunnel working between HQ and a remote office (terminating at the remote office's ISP concentrator).

With scratchy knowledge of IOS, I was able to get this up and running pretty easily; however, now that it is up, the VPN clients are having problems. They are passing phase 1 & 2 negotiation just fine. They authenticate and are able to create their connection and receive an IP from the IP pool on the PIX 515E, however they can no longer pass traffic through this tunnel. Prior to setting up the IPSec tunnel to the remote office, Cisco VPN clients were working just fine. I fear that in some of my editing of the access-list, or while building the crypto map, I screwed something up that has now "broken" these Cisco VPN clients.

Below, I have included my running config on our Pix 515E.

Any help is appreciated, TIA

John
-------------------------------------------------------------------------------------------

Edit: I failed to include "show isakmp sa detail" information in my original post.

sho isakmp sa detail
Total : 2
Embryonic : 0
Local            Remote            Encr  Hash  Auth  State    Lifetime
XX.X.XXX.X:4500  XX.X.XXX.X:39985  3des  md5   psk   QM_IDLE  86361
XX.X.XXX.X:500   XX.X.XXX.X:500    3des  md5   psk   QM_IDLE  8236

===============
running Config
===============

sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password XXXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname XXXXXXXXX
domain-name PWG.LOC
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name XX.XXX.XXX.XXX PUB-J4Systems
access-list out_in permit icmp any any
access-list out_in permit tcp any host XX.X.XX.XX eq smtp
access-list out_in permit tcp any host XX.X.XX.XX eq pop3
access-list out_in permit tcp any host XX.X.XX.XX eq 8000
access-list out_in permit tcp any host XX.X.XX.XX eq smtp
access-list out_in permit tcp any host XX.X.XX.XX eq 59001
access-list out_in permit udp any host XX.X.XX.XX eq 59001
access-list out_in permit tcp any host XX.X.XX.XX eq 59002
access-list out_in permit udp any host XX.X.XX.XX eq 59002
access-list out_in permit tcp any host XX.X.XX.XX eq 59003
access-list out_in permit udp any host XX.X.XX.XX eq 59003
access-list out_in permit tcp any host XX.X.XX.XX eq 59004
access-list out_in permit udp any host XX.X.XX.XX eq 59004
access-list out_in permit tcp any host XX.X.XX.XX eq 59005
access-list out_in permit udp any host XX.X.XX.XX eq 59005
access-list out_in permit tcp any host XX.X.XX.XX eq 59006
access-list out_in permit udp any host XX.X.XX.XX eq 59006
access-list out_in permit tcp any host XX.X.XX.XX eq 59007
access-list out_in permit udp any host XX.X.XX.XX eq 59007
access-list out_in permit tcp any host XX.X.XX.XX eq 59008
access-list out_in permit udp any host XX.X.XX.XX eq 59008
access-list 101 permit ip 10.1.150.0 255.255.255.0 10.1.200.0 255.255.255.0
access-list 101 permit ip 10.1.150.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 10.1.150.0 255.255.255.0 10.1.250.0 255.255.255.0
access-list 101 permit ip 10.1.150.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 10.1.150.0 255.255.255.0 10.1.200.0 255.255.255.0
access-list 130 permit ip 10.1.150.0 255.255.255.0 10.1.250.0 255.255.255.0
access-list split permit ip 10.1.150.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list DalVPN permit ip 10.1.150.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list in_out permit tcp host 10.1.150.240 any eq smtp
access-list in_out permit tcp host 10.1.150.248 any eq smtp
access-list in_out deny ip host 10.1.150.118 any
access-list in_out permit tcp host 10.1.150.197 any eq smtp
access-list in_out permit tcp host 10.1.150.202 any eq smtp
access-list in_out deny tcp any any eq smtp
access-list in_out permit ip any any
pager lines 24
logging on
logging trap warnings
logging host inside 10.1.150.172
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside XX.X.XX.XX 255.255.255.248
ip address inside 10.1.150.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool INTPool 192.168.2.1-192.168.2.30
pdm history enable
arp timeout 14400
global (outside) 1 XX.X.XX.XX
nat (inside) 0 access-list 101
nat (inside) 1 10.1.150.0 255.255.255.0 0 0
static (inside,outside) tcp XX.X.XX.XX pop3 10.1.150.248 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.X.XX.XX smtp 10.1.150.240 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.X.XX.XX 8000 10.1.150.240 8000 netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.X.XX.XX smtp 10.1.150.248 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.X.XX.XX 59001 10.1.150.230 59001 netmask 255.255.255.255 0 0
static (inside,outside) udp XX.X.XX.XX 59001 10.1.150.230 59001 netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.X.XX.XX 59002 10.1.150.231 59002 netmask 255.255.255.255 0 0
static (inside,outside) udp XX.X.XX.XX 59002 10.1.150.231 59002 netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.X.XX.XX 59003 10.1.150.231 59003 netmask 255.255.255.255 0 0
static (inside,outside) udp XX.X.XX.XX 59003 10.1.150.231 59003 netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.X.XX.XX 59004 10.1.150.231 59004 netmask 255.255.255.255 0 0
static (inside,outside) udp XX.X.XX.XX 59004 10.1.150.231 59004 netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.X.XX.XX 59005 10.1.150.231 59005 netmask 255.255.255.255 0 0
static (inside,outside) udp XX.X.XX.XX 59005 10.1.150.231 59005 netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.X.XX.XX 59006 10.1.150.231 59006 netmask 255.255.255.255 0 0
static (inside,outside) udp XX.X.XX.XX 59006 10.1.150.231 59006 netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.X.XX.XX 59007 10.1.150.231 59007 netmask 255.255.255.255 0 0
static (inside,outside) udp XX.X.XX.XX 59007 10.1.150.231 59007 netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.X.XX.XX 59008 10.1.150.231 59008 netmask 255.255.255.255 0 0
static (inside,outside) udp XX.X.XX.XX 59008 10.1.150.231 59008 netmask 255.255.255.255 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.X.XX.XX 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server XXX-XXXXX protocol radius
aaa-server XXX-XXXXX max-failed-attempts 3
aaa-server XXX-XXXXX deadtime 10
aaa-server XXX-XXXXX (inside) host 10.1.150.249 XXXXXXXXX timeout 10
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set INTPSet esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set INTPSet
crypto map INTPMap 50 ipsec-isakmp
crypto map INTPMap 50 match address DalVPN
crypto map INTPMap 50 set peer XX.XX.XX.XX
crypto map INTPMap 50 set transform-set INTPSet
crypto map INTPMap 99 ipsec-isakmp dynamic dynmap
crypto map INTPMap client authentication IPT-FPAPP
crypto map INTPMap interface outside
isakmp enable outside
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup INTPGroup address-pool INTPool
vpngroup INTPGroup dns-server 10.1.150.249
vpngroup INTPGroup wins-server 10.1.150.249
vpngroup INTPGroup default-domain pwg.loc
vpngroup INTPGroup split-tunnel split
vpngroup INTPGroup idle-time 1800
vpngroup INTPGroup password ********
telnet 10.1.150.0 255.255.255.0 inside
telnet timeout 60
ssh PUB-J4Systems 255.255.255.224 outside
ssh 10.1.150.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
 

Last edited by GuenTech; 05-23-2009 at 01:10 AM.

GuenTech, Junior Member (Join Date: May 2009, Posts: 6)
05-23-2009
It's me again. I'm still playing around with this, but did some discovery:


I have the following related access-list entries (101 is for my VPNGroup using cisco VPN client. DalVPN is for my IPSec tunnel between our PIX 515E and the VPN concentrator):

access-list 101 permit ip 10.1.150.0 255.255.255.0 10.1.250.0 255.255.255.0
access-list DalVPN permit ip 10.1.150.0 255.255.255.0 10.0.1.0 255.255.255.0

IF I use:

nat (inside) 0 access-list 101

THEN my Cisco VPN clients work great, but my IPSEC tunnel to Dallas dies.

IF I use:

nat (inside) 0 access-list DalVPN

THEN my IPSec tunnel to Dallas works great, but Cisco VPN clients can not pass traffic.

Previously I had both the VPN network and the IPSec network in the same access-list (101) allowing me to use the nat (inside) 0 access-list 101 in an attempt to address both networks... this did not work either.



GuenTech, Junior Member (Join Date: May 2009, Posts: 6)
05-23-2009
I have solved the problem:

Added the following to my 101 access-list to exempt traffic from the NAT process:

access-list 101 permit ip 10.1.150.0 255.255.255.0 10.0.1.0 255.255.255.0

Poof! now both the PIX to Concentrator IPSec tunnel and the Cisco VPN Clients pass data back and forth properly.

However, the Cisco VPN clients cannot pass data through the IPSec tunnel between the PIX and the Concentrator.

So... PIX1=HQ
Cisco VPN clients connect via PIX1 and can see the entire network at HQ.
PIX1 has an IPSec tunnel to a Concentrator in Dallas. HQ can talk to Dallas and vice versa.
Cisco VPN clients cannot talk to Dallas.

Any thoughts?
 
sdunn96, Member (Join Date: Oct 2008, Posts: 34)
11-18-2010
Anybody have any ideas on this either?
I am trying to do the same thing.

I have an IPSec tunnel between two sites, both have PIX 515Es.
I have remote access VPN clients that connect to one site.
I want to be able to allow access to the remote IPSec site network.
GuenTech, Junior Member (Join Date: May 2009, Posts: 6)
11-19-2010
My apologies for not posting my findings on this earlier.

If you are talking about having your remote VPN clients be able to pass data to hosts on the other side of your IPSEC tunnel to a remote site, it is my understanding that this is not possible with the PIX 515E.

Reason: Data comes IN from a VPN client from our external interface (labeled as "outside" in most configs). Data going OUT to your IPSEC tunnel goes out on that same interface. PIX will not allow traffic from an untrusted interface ("outside") to another untrusted interface ("outside"). I think the solution would be to use a 3rd interface for your IPSEC tunnel but I have yet to test this.

Someone please correct me if I am wrong here.

Regards,
GuenTech
sdunn96, Member (Join Date: Oct 2008, Posts: 34)
11-19-2010
That has been the conclusion I have been coming to as well.

So I have been trying to figure out whether I can rig another way of doing what I want to do, but no such luck.

I saw one post saying that version 7.x would allow for this, and the reason I think it will is that in version 7.x you can set an option to allow traffic to flow between interfaces that have the same security level.
On one PIX (my Remote VPN Access PIX), we are running PIX OS 6.3
While at the other end of the IPSec tunnel, we are running 7.2(1)

I guess on my 6.3 PIX I could get another interface card and set it up as an outside interface with another public IP address, and set a tunnel up like that... it would involve getting our ISP out to redo their router config.
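The two symptoms GuenTech worked through (nat 0 exempting only one of the two networks, then VPN clients unable to reach Dallas) and the 7.x option sdunn96 mentions can be checked against a small model of the PIX order of operations. The Python below is an added example written for this page, not code from the thread or from Cisco. It loads the thread's own access-lists, and what it assumes beyond the thread is: a placeholder global PAT address (198.51.100.1) standing in for the masked public IP, a hypothetical "hairpin" ACL plus an extra DalVPN entry that a 7.x hairpin would need, and that the Dallas end mirrors whatever the local crypto ACL says. It models only three decisions: whether a packet may leave by the interface it arrived on, NAT exemption, and which crypto map entry the post-NAT packet matches.

```python
"""Model of PIX NAT exemption + crypto map matching, reproducing the thread's symptoms.

Added example, not code from the thread or from Cisco; see forward() for the
simplified order of operations it assumes.
"""
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.1.150.0/24")    # ip address inside 10.1.150.1 /24
CLIENT_POOL = ipaddress.ip_network("192.168.2.0/24")  # ip local pool INTPool, as covered by ACL "split"
GLOBAL_PAT = ipaddress.ip_address("198.51.100.1")     # assumption: stands in for the masked global address

# Access-lists as they appear in the posted running config (ACL 101 before the fix).
ACLS_BEFORE = """
access-list 101 permit ip 10.1.150.0 255.255.255.0 10.1.200.0 255.255.255.0
access-list 101 permit ip 10.1.150.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 10.1.150.0 255.255.255.0 10.1.250.0 255.255.255.0
access-list 101 permit ip 10.1.150.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DalVPN permit ip 10.1.150.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list split permit ip 10.1.150.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
# The line GuenTech added to solve the HQ <-> Dallas problem.
ACLS_AFTER = ACLS_BEFORE + "access-list 101 permit ip 10.1.150.0 255.255.255.0 10.0.1.0 255.255.255.0\n"
# Assumed 7.x hairpin additions (not in the thread): pool -> Dallas has to be in the L2L
# crypto ACL (mirrored in Dallas) and exempted from NAT on the outside interface.
ACLS_HAIRPIN = ACLS_AFTER + (
    "access-list DalVPN permit ip 192.168.2.0 255.255.255.0 10.0.1.0 255.255.255.0\n"
    "access-list hairpin permit ip 192.168.2.0 255.255.255.0 10.0.1.0 255.255.255.0\n")


def parse_acls(text):
    """Parse PIX 6.x 'access-list NAME permit|deny ip SRC MASK DST MASK' lines."""
    acls = {}
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) != 8 or p[0] != "access-list" or p[3] != "ip":
            raise ValueError("unsupported line: " + line)
        src = ipaddress.ip_network(f"{p[4]}/{p[5]}")  # ipaddress accepts dotted netmasks
        dst = ipaddress.ip_network(f"{p[6]}/{p[7]}")
        acls.setdefault(p[1], []).append((p[2] == "permit", src, dst))
    return acls


def acl_permits(rules, src, dst):
    """First matching entry wins; no match is an implicit deny."""
    for permit, s, d in rules:
        if src in s and dst in d:
            return permit
    return False


def forward(acls, src, dst, ingress="inside", nat0=None,
            static_maps=(("DalVPN", "Dallas"),), pix_major=6, intra_interface=False):
    """Verdict for one packet src -> dst that entered on `ingress`.

    Simplified order of operations:
      1. routing picks the egress: inside for 10.1.150.0/24, otherwise the default
         route (outside). 6.3 drops anything that would leave by the interface it
         arrived on; 7.x forwards it only with
         'same-security-traffic permit intra-interface'
      2. NAT: a flow permitted by the 'nat (<ingress>) 0 access-list' ACL keeps its
         source, anything else is PATed to the global address
      3. crypto map: static entries are tried in order against the post-NAT packet;
         the dynamic entry carries only packets that fit the client SA
         (split ACL network -> pool address)
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nat0 = {"inside": "101"} if nat0 is None else nat0
    egress = "inside" if dst in INSIDE_NET else "outside"
    if egress == ingress:
        if pix_major < 7:
            return "dropped: 6.3 cannot hairpin traffic back out the outside interface"
        if not intra_interface:
            return "dropped: 7.x needs 'same-security-traffic permit intra-interface'"
    if egress == "inside":
        return "delivered to inside host"
    exempt = ingress in nat0 and acl_permits(acls[nat0[ingress]], src, dst)
    nat_src = src if exempt else GLOBAL_PAT
    for name, peer in static_maps:
        if acl_permits(acls[name], nat_src, dst):
            return f"encrypted to {peer} (crypto ACL {name})"
    if dst in CLIENT_POOL and acl_permits(acls["split"], nat_src, dst):
        return "encrypted to VPN client (dynamic map)"
    return f"sent in the clear from {nat_src}"


if __name__ == "__main__":
    before, after, hp = parse_acls(ACLS_BEFORE), parse_acls(ACLS_AFTER), parse_acls(ACLS_HAIRPIN)
    print("nat 0 = DalVPN, HQ -> client :", forward(before, "10.1.150.10", "192.168.2.5", nat0={"inside": "DalVPN"}))
    print("nat 0 = 101,    HQ -> Dallas :", forward(before, "10.1.150.10", "10.0.1.20"))
    print("fixed 101,      HQ -> Dallas :", forward(after, "10.1.150.10", "10.0.1.20"))
    print("fixed 101,      HQ -> client :", forward(after, "10.1.150.10", "192.168.2.5"))
    print("6.3, client -> Dallas        :", forward(after, "192.168.2.5", "10.0.1.20", ingress="outside"))
    print("7.x hairpin, client -> Dallas:", forward(hp, "192.168.2.5", "10.0.1.20", ingress="outside",
          nat0={"inside": "101", "outside": "hairpin"}, pix_major=7, intra_interface=True))
```

Running it prints one verdict per scenario: with only DalVPN exempted, HQ-to-client replies are PATed to the global address and no longer fit the client SA, so they leave in the clear (clients "cannot pass traffic"); with the original 101 ACL, HQ-to-Dallas is PATed and never matches DalVPN, so the SA stays up but carries nothing; after the added 101 line both flows are encrypted; a client packet to Dallas is dropped on 6.3 because it arrived on outside and would have to leave on outside; and on 7.x the same packet is only encrypted once intra-interface traffic is permitted, the pool-to-Dallas flow is exempted from NAT on the outside interface, and the L2L crypto ACL on both ends includes the client pool.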