Help with Pix 515E firewall and allowing Outbound VPNs

Discussion in 'Cisco' started by Kilgore Troute, Aug 26, 2004.

  1. Please help. Excuse my ignorance; our company is hiring a networking
    guy, I'm more of a system admin. I need to set our PIX up to allow
    one of our users to establish a VPN connection with another network.
    Currently, this user is doing so via cable modem; they want to put
    this user on our network and eliminate the cable modem. Here is my
    config! I am at a loss, I have tried everything.

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    hostname pix
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    object-group network 1
    description metaframe farm
    network-object host 10.1.20.181
    network-object host 10.1.20.182
    network-object host 10.1.20.183
    network-object host 10.1.20.184
    network-object host 10.1.20.185
    network-object host 10.1.20.186
    network-object host 10.1.20.187
    access-list outside_in permit tcp any host xxx.xxx.5.5 eq smtp
    access-list outside_in permit tcp any host xxx.xxx.5.6 eq https
    access-list outside_in permit icmp any any
    access-list inside_in permit tcp host 10.1.20.111 any eq smtp
    access-list inside_in permit udp any any eq domain
    access-list inside_in permit tcp any any eq domain
    access-list inside_in permit icmp any any
    access-list inside_in permit ip any xxx.205.5.0 255.255.255.240
    access-list inside_in permit ip host 10.1.20.10 any
    access-list inside_in permit tcp any any eq citrix-ica
    access-list inside_in permit ip host 10.1.1.244 any
    access-list inside_in permit tcp any host 66.83.130.85 eq 400
    access-list inside_in permit tcp host 66.83.130.85 any eq 400
    access-list inside_in permit tcp any host 66.220.43.26 eq 3389
    access-list inside_in permit tcp host 66.220.43.26 any eq 3389
    access-list inside_in permit udp host 10.1.22.23 host 129.71.255.41 eq isakmp
    access-list inside_in permit udp host 129.71.255.41 host 10.1.22.23 eq isakmp
    access-list inside_in permit udp host 10.1.22.23 host 129.71.255.41 eq 1701
    access-list inside_in permit udp host 129.71.255.41 host 10.1.22.23 eq 1701
    access-list inside_in permit tcp host 10.1.22.23 host 129.71.255.41 eq pptp
    access-list inside_in permit tcp host 129.71.255.41 host 10.1.22.23 eq pptp
    access-list dmz_in permit udp any any eq domain
    access-list dmz_in permit tcp any any eq domain
    access-list dmz_in permit icmp any any
    access-list dmz_in permit tcp host 10.1.100.201 object-group 1 eq citrix-ica
    access-list dmz_in permit tcp host 10.1.100.201 host 10.1.20.102 eq https
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside xxx.xxx.5.3 255.255.255.240
    ip address inside 10.1.20.3 255.255.255.0
    ip address intf2 10.1.100.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 10.1.20.72 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 xxx.xxx.5.4 netmask 255.255.255.255
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) xxx.xxx.5.5 10.1.20.111 netmask 255.255.255.255 0 0
    static (intf2,outside) xxx.xxx.5.6 10.1.100.201 netmask 255.255.255.255 0 0
    static (inside,intf2) 10.1.20.0 10.1.20.0 netmask 255.255.255.0 0 0
    access-group outside_in in interface outside
    access-group inside_in in interface inside
    access-group dmz_in in interface intf2
    route outside 0.0.0.0 0.0.0.0 151.205.5.1 1
    route inside 10.0.0.0 255.0.0.0 10.1.20.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server paartnerauth protocol radius
    aaa-server partnerauth protocol radius
    aaa-server partnerauth (inside) host 10.1.20.102 DHSDialIn timeout 5
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 1 set transform-set myset
    telnet 10.1.20.0 255.255.255.0 inside
    telnet timeout 5
    ssh 10.1.20.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    terminal width 80
    Kilgore Troute, Aug 26, 2004
    #1
  2. Hi,

    It looks like you do not use a VPN terminated on the PIX itself, so you need to
    upgrade to 6.3.3 and issue the command: fixup proto esp
    (or pptp, if that is the case).

    HTH
    Martin Bilgrav


    Martin Bilgrav, Aug 26, 2004
    #2
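An added worked example, not the poster's running config and not Martin's text: the fragment below shows what the reply's advice looks like in PIX 6.3 syntax, together with the ACL changes the posted config still needs. The posted `inside_in` list permits the control channels for 10.1.22.23 (TCP 1723 for PPTP, UDP 500 for IKE, UDP 1701 for L2TP) but never permits the tunnel protocols themselves, GRE for PPTP and ESP for IPsec, so those packets hit the ACL's implicit deny before NAT is even consulted. Separately, `global (outside) 1 xxx.xxx.5.4 netmask 255.255.255.255` with `nat (inside) 1 0.0.0.0 0.0.0.0` is PAT for every inside host, and GRE and ESP carry no port numbers, so they cannot be translated unless the PPTP and ESP-IKE fixups are enabled; that is the reason behind the upgrade advice. The three `inside_in` entries with 129.71.255.41 as source never match anything: packets from that address arrive on the outside interface, and the reply half of each connection is handled by the PIX connection table, not by the inside ACL. Assumptions in the example: the PIX has been upgraded to 6.3(3) or later so that `fixup protocol pptp` and `fixup protocol esp-ike` are available, 129.71.255.41 is the remote VPN gateway, and lines beginning with `!` are annotations for the reader rather than commands to enter.

```text
! Added example for PIX 6.3(3), not the poster's config.
! Inspect the PPTP control channel so the GRE data stream gets a PAT slot,
! and inspect IKE so a single ESP tunnel can be carried through PAT.
fixup protocol pptp 1723
fixup protocol esp-ike

! Control channels (the first three are already in the posted config).
access-list inside_in permit tcp host 10.1.22.23 host 129.71.255.41 eq pptp
access-list inside_in permit udp host 10.1.22.23 host 129.71.255.41 eq isakmp
access-list inside_in permit udp host 10.1.22.23 host 129.71.255.41 eq 1701
! NAT-T (assumed supported by client and gateway): if they negotiate UDP
! encapsulation, ESP travels inside UDP 4500 and esp-ike is not needed.
access-list inside_in permit udp host 10.1.22.23 host 129.71.255.41 eq 4500

! Tunnel protocols the posted ACL never permits.
access-list inside_in permit gre host 10.1.22.23 host 129.71.255.41
access-list inside_in permit esp host 10.1.22.23 host 129.71.255.41

! The return-direction entries are on the wrong interface and never match;
! the stateful connection table admits the replies.
no access-list inside_in permit udp host 129.71.255.41 host 10.1.22.23 eq isakmp
no access-list inside_in permit udp host 129.71.255.41 host 10.1.22.23 eq 1701
no access-list inside_in permit tcp host 129.71.255.41 host 10.1.22.23 eq pptp

! Verify while the user brings the tunnel up: hit counts on the new entries,
! a GRE or ESP translation for 10.1.22.23, and the matching connection.
show fixup
show access-list inside_in
show xlate
show conn
```

Two caveats on the ESP path: `fixup protocol esp-ike` carries only one ESP tunnel through the PAT address at a time, and it cannot be enabled while ISAKMP is enabled on the PIX, so it is fine for this box (no `isakmp enable` is configured) but not for a PIX that also terminates IPsec. If a spare public address is available, a one-to-one `static (inside,outside)` for 10.1.22.23 sidesteps the PAT problem entirely, since only PAT needs the fixups; the GRE and ESP entries in `inside_in` are still required.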