Cisco VPN clients not passing traffic after new PTP IPSec tunnel is up

Discussion in 'Cisco' started by GuenTech, May 21, 2009.

  1. GuenTech
    Cisco VPN client version: 5.0.03.0300 and 4.x (I use 5.0.03.0300; all other users use the 4.x clients)

    PIX Version 6.3(5)

    I recently inherited IT for this company. They had a working PIX 515E config which included the Cisco VPN client. I was recently tasked with getting a PTP IPSec tunnel working between HQ and a remote office (terminating at the remote office's ISP concentrator).

    With scratchy knowledge of IOS, I was able to get this up and running pretty easily; however, now that it is up, the VPN clients are having problems. They are passing phase 1 & 2 negotiation just fine. They authenticate and are able to create their connection and receive an IP from the IP pool on the PIX 515E; however, they can no longer pass traffic through this tunnel. Prior to setting up the IPSec tunnel to the remote office, the Cisco VPN clients were working just fine. I fear that in some of my editing of the access-list, or while building the crypto map, I screwed something up that has now "broken" these Cisco VPN clients.

    Below, I have included my running config on our PIX 515E.

    Any help is appreciated, TIA

    John
    -------------------------------------------------------------------------------------------

    <edit>
    I failed to include "show isakmp sa detail" information in my original post.

    sho isakmp sa detail
    Total : 2
    Embryonic : 0
    Local Remote Encr Hash Auth State Lifetime
    XX.X.XXX.X:4500 XX.X.XXX.X:39985 3des md5 psk QM_IDLE 86361
    XX.X.XXX.X:500 XX.X.XXX.X:500 3des md5 psk QM_IDLE 8236

    ===============
    running Config
    ===============

    sh run
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    enable password XXXXXXXXXXXX encrypted
    passwd XXXXXXXXXXX encrypted
    hostname XXXXXXXXX
    domain-name PWG.LOC
    fixup protocol dns maximum-length 1500
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name XX.XXX.XXX.XXX PUB-J4Systems
    access-list out_in permit icmp any any
    access-list out_in permit tcp any host XX.X.XX.XX eq smtp
    access-list out_in permit tcp any host XX.X.XX.XX eq pop3
    access-list out_in permit tcp any host XX.X.XX.XX eq 8000
    access-list out_in permit tcp any host XX.X.XX.XX eq smtp
    access-list out_in permit tcp any host XX.X.XX.XX eq 59001
    access-list out_in permit udp any host XX.X.XX.XX eq 59001
    access-list out_in permit tcp any host XX.X.XX.XX eq 59002
    access-list out_in permit udp any host XX.X.XX.XX eq 59002
    access-list out_in permit tcp any host XX.X.XX.XX eq 59003
    access-list out_in permit udp any host XX.X.XX.XX eq 59003
    access-list out_in permit tcp any host XX.X.XX.XX eq 59004
    access-list out_in permit udp any host XX.X.XX.XX eq 59004
    access-list out_in permit tcp any host XX.X.XX.XX eq 59005
    access-list out_in permit udp any host XX.X.XX.XX eq 59005
    access-list out_in permit tcp any host XX.X.XX.XX eq 59006
    access-list out_in permit udp any host XX.X.XX.XX eq 59006
    access-list out_in permit tcp any host XX.X.XX.XX eq 59007
    access-list out_in permit udp any host XX.X.XX.XX eq 59007
    access-list out_in permit tcp any host XX.X.XX.XX eq 59008
    access-list out_in permit udp any host XX.X.XX.XX eq 59008
    access-list 101 permit ip 10.1.150.0 255.255.255.0 10.1.200.0 255.255.255.0
    access-list 101 permit ip 10.1.150.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 101 permit ip 10.1.150.0 255.255.255.0 10.1.250.0 255.255.255.0
    access-list 101 permit ip 10.1.150.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 120 permit ip 10.1.150.0 255.255.255.0 10.1.200.0 255.255.255.0
    access-list 130 permit ip 10.1.150.0 255.255.255.0 10.1.250.0 255.255.255.0
    access-list split permit ip 10.1.150.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list DalVPN permit ip 10.1.150.0 255.255.255.0 10.0.1.0 255.255.255.0
    access-list in_out permit tcp host 10.1.150.240 any eq smtp
    access-list in_out permit tcp host 10.1.150.248 any eq smtp
    access-list in_out deny ip host 10.1.150.118 any
    access-list in_out permit tcp host 10.1.150.197 any eq smtp
    access-list in_out permit tcp host 10.1.150.202 any eq smtp
    access-list in_out deny tcp any any eq smtp
    access-list in_out permit ip any any
    pager lines 24
    logging on
    logging trap warnings
    logging host inside 10.1.150.172
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside XX.X.XX.XX 255.255.255.248
    ip address inside 10.1.150.1 255.255.255.0
    no ip address intf2
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool INTPool 192.168.2.1-192.168.2.30
    pdm history enable
    arp timeout 14400
    global (outside) 1 XX.X.XX.XX
    nat (inside) 0 access-list 101
    nat (inside) 1 10.1.150.0 255.255.255.0 0 0
    static (inside,outside) tcp XX.X.XX.XX pop3 10.1.150.248 pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp XX.X.XX.XX smtp 10.1.150.240 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp XX.X.XX.XX 8000 10.1.150.240 8000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp XX.X.XX.XX smtp 10.1.150.248 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp XX.X.XX.XX 59001 10.1.150.230 59001 netmask 255.255.255.255 0 0
    static (inside,outside) udp XX.X.XX.XX 59001 10.1.150.230 59001 netmask 255.255.255.255 0 0
    static (inside,outside) tcp XX.X.XX.XX 59002 10.1.150.231 59002 netmask 255.255.255.255 0 0
    static (inside,outside) udp XX.X.XX.XX 59002 10.1.150.231 59002 netmask 255.255.255.255 0 0
    static (inside,outside) tcp XX.X.XX.XX 59003 10.1.150.231 59003 netmask 255.255.255.255 0 0
    static (inside,outside) udp XX.X.XX.XX 59003 10.1.150.231 59003 netmask 255.255.255.255 0 0
    static (inside,outside) tcp XX.X.XX.XX 59004 10.1.150.231 59004 netmask 255.255.255.255 0 0
    static (inside,outside) udp XX.X.XX.XX 59004 10.1.150.231 59004 netmask 255.255.255.255 0 0
    static (inside,outside) tcp XX.X.XX.XX 59005 10.1.150.231 59005 netmask 255.255.255.255 0 0
    static (inside,outside) udp XX.X.XX.XX 59005 10.1.150.231 59005 netmask 255.255.255.255 0 0
    static (inside,outside) tcp XX.X.XX.XX 59006 10.1.150.231 59006 netmask 255.255.255.255 0 0
    static (inside,outside) udp XX.X.XX.XX 59006 10.1.150.231 59006 netmask 255.255.255.255 0 0
    static (inside,outside) tcp XX.X.XX.XX 59007 10.1.150.231 59007 netmask 255.255.255.255 0 0
    static (inside,outside) udp XX.X.XX.XX 59007 10.1.150.231 59007 netmask 255.255.255.255 0 0
    static (inside,outside) tcp XX.X.XX.XX 59008 10.1.150.231 59008 netmask 255.255.255.255 0 0
    static (inside,outside) udp XX.X.XX.XX 59008 10.1.150.231 59008 netmask 255.255.255.255 0 0
    access-group out_in in interface outside
    route outside 0.0.0.0 0.0.0.0 XX.X.XX.XX 1
    timeout xlate 1:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server XXX-XXXXX protocol radius
    aaa-server XXX-XXXXX max-failed-attempts 3
    aaa-server XXX-XXXXX deadtime 10
    aaa-server XXX-XXXXX (inside) host 10.1.150.249 XXXXXXXXX timeout 10
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set INTPSet esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set INTPSet
    crypto map INTPMap 50 ipsec-isakmp
    crypto map INTPMap 50 match address DalVPN
    crypto map INTPMap 50 set peer XX.XX.XX.XX
    crypto map INTPMap 50 set transform-set INTPSet
    crypto map INTPMap 99 ipsec-isakmp dynamic dynmap
    crypto map INTPMap client authentication IPT-FPAPP
    crypto map INTPMap interface outside
    isakmp enable outside
    isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash md5
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 86400
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup INTPGroup address-pool INTPool
    vpngroup INTPGroup dns-server 10.1.150.249
    vpngroup INTPGroup wins-server 10.1.150.249
    vpngroup INTPGroup default-domain pwg.loc
    vpngroup INTPGroup split-tunnel split
    vpngroup INTPGroup idle-time 1800
    vpngroup INTPGroup password ********
    telnet 10.1.150.0 255.255.255.0 inside
    telnet timeout 60
    ssh PUB-J4Systems 255.255.255.224 outside
    ssh 10.1.150.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    terminal width 80
    Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    : end
     
    Last edited: May 23, 2009
    GuenTech, May 21, 2009
    #1

  2. GuenTech
    It's me again. I'm still playing around with this, but did some discovery:


    I have the following related access-list entries (101 is for my VPNGroup using the Cisco VPN client. DalVPN is for my IPSec tunnel between our PIX 515E and the VPN concentrator):

    access-list 101 permit ip 10.1.150.0 255.255.255.0 10.1.250.0 255.255.255.0
    access-list DalVPN permit ip 10.1.150.0 255.255.255.0 10.0.1.0 255.255.255.0

    IF I use:

    nat (inside) 0 access-list 101

    THEN my Cisco VPN clients work great, but my IPSec tunnel to Dallas dies.

    IF I use:

    nat (inside) 0 access-list DalVPN

    THEN my IPSec tunnel to Dallas works great, but the Cisco VPN clients cannot pass traffic.

    Previously I had both the VPN network and the IPSec network in the same access-list (101) allowing me to use the nat (inside) 0 access-list 101 in an attempt to address both networks... this did not work either.



     
    GuenTech, May 23, 2009
    #2

  3. GuenTech
    SOLVED: Cisco VPN clients not passing traffic after new PTP IPSec tunnel is up

    I have solved the problem:

    Added the following to my 101 access-list to exempt traffic from the NAT process:

    access-list 101 permit ip 10.1.150.0 255.255.255.0 10.0.1.0 255.255.255.0

    Poof! Now both the PIX-to-concentrator IPSec tunnel and the Cisco VPN clients pass data back and forth properly.

    However, the Cisco VPN clients cannot pass data through the IPSec tunnel between the PIX and the concentrator.

    So... PIX1=HQ
    Cisco VPN clients connect via PIX1 and can see the entire network at HQ.
    PIX1 has an IPSec tunnel to a concentrator in Dallas. HQ can talk to Dallas and vice versa.
    Cisco VPN clients cannot talk to Dallas.

    Any thoughts?
     
    GuenTech, May 23, 2009
    #3
  4. sdunn96
    Anybody have any ideas on this either?
    I am trying to do the same thing.

    I have an IPSec tunnel between two sites; both have PIX 515Es.
    I have remote access VPN clients that connect to one site.
    I want to be able to allow access to the remote IPSec site's network.
     
    sdunn96, Nov 18, 2010
    #4
  5. GuenTech
    My apologies for not posting my findings on this earlier.

    If you are talking about having your remote VPN clients be able to pass data to hosts on the other side of your IPSec tunnel to a remote site, it is my understanding that this is not possible with the PIX 515E.

    Reason: data comes IN from a VPN client on our external interface (labeled as "outside" in most configs). Data going OUT to your IPSec tunnel goes out on that same interface. The PIX will not allow traffic from an untrusted interface ("outside") to another untrusted interface ("outside"). I think the solution would be to use a 3rd interface for your IPSec tunnel, but I have yet to test this.

    Someone please correct me if I am wrong here.

    Regards,
    GuenTech
     
    GuenTech, Nov 19, 2010
    #5
  6. sdunn96
    That has been the conclusion I have been coming to as well. :(

    So I have been trying to figure out if I can rig another way of doing what I want to do.
    But no such luck.

    I saw one post saying that version 7.x would allow for this, and the reason I think it will is that in version 7.x you can set an option to allow traffic to flow between interfaces that have the same security level.
    On one PIX (my Remote VPN Access PIX), we are running PIX OS 6.3
    While at the other end of the IPSec tunnel, we are running 7.2(1)

    I guess on my 6.3 PIX I could get another interface card, set it up as another outside interface with another public IP address, and set a tunnel up like that... that would involve getting our ISP out to re-do their router config.
     
    sdunn96, Nov 19, 2010
    #6
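Added example, not code from the thread's posters or from Cisco: a small Python model of the packet-path checks this thread runs into, so that the nat 0 symptom of posts #2 and #3 and the same-interface (hairpin) problem of posts #5 and #6 can be replayed side by side. Each flow is pushed through the hairpin rule, NAT exemption and crypto-map matching. The prefixes are the ones in the posted config; the redacted public address is stood in for by the placeholder string OUTSIDE_PAT; the class Pix and the functions evaluate() and scenarios() are names chosen here; and the 7.x command `same-security-traffic permit intra-interface` is the option post #6 refers to, assumed here rather than shown on the page. The model does not simulate the Dallas end: any pool-to-Dallas crypto ACL line added at HQ has to be mirrored on the concentrator (proxy identities must match on both peers), and the client's split-tunnel list must include 10.0.1.0/24 before it will send Dallas traffic into the tunnel at all.

```python
"""Packet-path model of the PIX behaviour in this thread (added example).

Constructed, simplified logic written for this page, not code from the
thread's posters or from Cisco.  A flow is pushed through the three checks
the posts stumble over:

  1. Hairpin rule: a flow that enters and leaves the same interface is
     dropped on PIX 6.3; PIX/ASA 7.x allows it only with
     `same-security-traffic permit intra-interface` (assumed 7.x syntax).
  2. NAT exemption: inside-originated flows that match the
     `nat (inside) 0 access-list` keep their source; anything else is
     PAT'd to the outside address by `nat (inside) 1` / `global (outside) 1`.
  3. Crypto map: the (possibly translated) flow must match a crypto ACL,
     the static DalVPN entry or the client's proxy identity on the dynamic
     map.  A PAT'd packet matches neither, so it leaves in cleartext.

Prefixes are the ones in the posted config; the redacted public address is
the placeholder string OUTSIDE_PAT; Pix, evaluate and scenarios are names
chosen for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HQ_LAN = ip_network("10.1.150.0/24")      # inside
VPN_POOL = ip_network("192.168.2.0/24")   # ip local pool INTPool
DALLAS = ip_network("10.0.1.0/24")        # far side of the DalVPN tunnel
OUTSIDE_PAT = "OUTSIDE_PAT"               # global (outside) 1 address (redacted)

# access-list entries as (source network, destination network) pairs
ACL_DALVPN = [(HQ_LAN, DALLAS)]
ACL_101_BEFORE = [(HQ_LAN, VPN_POOL)]                   # post #2's 101 for the clients
ACL_101_AFTER = [(HQ_LAN, VPN_POOL), (HQ_LAN, DALLAS)]  # post #3's fix
CLIENT_PROXY = [(HQ_LAN, VPN_POOL)]   # proxy identity negotiated on dynmap


def acl_matches(acl, src, dst):
    """True when some access-list line covers src -> dst."""
    return any(ip_address(src) in s and ip_address(dst) in d for s, d in acl)


def egress_interface(dst):
    """Only 10.1.150.0/24 is connected inside; the default route points outside."""
    return "inside" if ip_address(dst) in HQ_LAN else "outside"


@dataclass
class Pix:
    version: str                   # "6.3" or "7.x"
    nat0_acl: list                 # nat (inside) 0 access-list ...
    crypto_acls: list              # DalVPN plus the dynamic-map proxy identities
    intra_interface: bool = False  # same-security-traffic permit intra-interface (7.x)

    def evaluate(self, src, dst, ingress):
        """Return (verdict, reason); verdict is encrypted, cleartext or dropped."""
        # 1. Same interface in and out: refused on 6.3, optional on 7.x.
        if ingress == egress_interface(dst) == "outside":
            if self.version.startswith("6") or not self.intra_interface:
                return "dropped", "outside-to-outside flow not permitted"
        # 2. NAT exemption only shields flows that originate inside.
        if ingress == "inside" and not acl_matches(self.nat0_acl, src, dst):
            src = OUTSIDE_PAT
        # 3. Crypto map lookup on the translated packet.
        if src == OUTSIDE_PAT or not acl_matches(self.crypto_acls, src, dst):
            return "cleartext", f"no crypto ACL covers {src} -> {dst}"
        return "encrypted", f"{src} -> {dst} matched a crypto ACL"


def scenarios():
    """The situations the thread describes, reduced to their verdicts."""
    hq_acls = ACL_DALVPN + CLIENT_PROXY
    nat0_dalvpn = Pix("6.3", nat0_acl=ACL_DALVPN, crypto_acls=hq_acls)
    nat0_101_before = Pix("6.3", nat0_acl=ACL_101_BEFORE, crypto_acls=hq_acls)
    fixed = Pix("6.3", nat0_acl=ACL_101_AFTER, crypto_acls=hq_acls)
    # 7.x: intra-interface permitted, and pool -> Dallas added to both the
    # crypto ACL (to be mirrored on the Dallas side) and the NAT-exemption list.
    pix7 = Pix("7.x", nat0_acl=ACL_101_AFTER + [(VPN_POOL, DALLAS)],
               crypto_acls=hq_acls + [(VPN_POOL, DALLAS)], intra_interface=True)
    return {
        # post #2: nat 0 on DalVPN alone -> HQ replies to clients are PAT'd
        "hq_to_client_nat0_dalvpn": nat0_dalvpn.evaluate("10.1.150.172", "192.168.2.5", "inside")[0],
        # post #2: nat 0 on the old 101 alone -> HQ traffic to Dallas is PAT'd
        "hq_to_dallas_nat0_101": nat0_101_before.evaluate("10.1.150.172", "10.0.1.20", "inside")[0],
        # post #3: both destinations exempted -> both tunnels carry traffic
        "hq_to_client_fixed": fixed.evaluate("10.1.150.172", "192.168.2.5", "inside")[0],
        "hq_to_dallas_fixed": fixed.evaluate("10.1.150.172", "10.0.1.20", "inside")[0],
        # post #5: client to Dallas would enter and leave outside -> dropped on 6.3
        "client_to_dallas_pix63": fixed.evaluate("192.168.2.5", "10.0.1.20", "outside")[0],
        # post #6: same flow on 7.x with the option set
        "client_to_dallas_pix7": pix7.evaluate("192.168.2.5", "10.0.1.20", "outside")[0],
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28s} {verdict}")
```

Run with python3 and scenarios() reads off the way the thread did: with nat 0 pointing at DalVPN alone, HQ's replies to a client are PAT'd to the outside address and no longer match the client's proxy identity, so the client's tunnel is up but empty; pointing nat 0 at the old 101 does the same to Dallas-bound traffic; adding the 10.0.1.0/24 line to access-list 101 exempts both destinations; and a client-to-Dallas flow is dropped on 6.3 because it would enter and leave the outside interface, while 7.x passes it once intra-interface traffic is permitted and the pool is in both the crypto and the NAT-exemption lists.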