PIX 501 not sending data into ipsec tunnel? (can't find solution in groups)

Discussion in 'Cisco' started by lowlife123, Feb 20, 2006.

  1. lowlife123

    lowlife123 Guest

    Hi all of you,

    I know this question has been posted in the past, I've read them
    all/most of them :). I've been searching the groups and the Cisco site for
    days but can't figure this one out, so if someone could help, that would
    be great because I'm going nuts over this pix...

    This is the setup

    comp with cisco vpn client <-> internet <-> pix 501 <-> 172.16.1.0/24 net

    vpn client is version 4.6, pix is version 6.3(4)

    The pix has a public ip (it's on our colocation) and is directly
    connected to a router.

    I am able to connect to the pix with the vpn client, but when I ping a
    machine in the 172.16.1.x net it fails.
    The internet connection is still up and running when connected to the vpn
    (because of the split-tunnel).

    When I turn on ICMP trace debugging I see the packets coming from the
    comp and returning from the machine in the 172.16.1 range, but the
    replies don't seem to go 'back into the tunnel'. As you can see below,
    the local-ip pool is excluded from NAT.

    I've debugged all I can think of but it seems like some kind of routing
    issue where the pix drops the echo replies coming from 172.16.1.10 to
    192.168.1.100

    Does anybody have any ideas? Is there something missing in the config?
    I've set up a lot of 836/837's with vpn but you don't need to create a
    specific route there ...

    Thanks for your help


    Building configuration...
    : Saved
    :
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 100 permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside [PUBLIC IP] 255.255.255.0
    ip address inside 172.16.1.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool mypool 192.168.100.100-192.168.100.200
    pdm history enable
    arp timeout 14400
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 [PUBLIC ROUTER] 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 100 set transform-set myset
    crypto map newmap 200 ipsec-isakmp dynamic dynmap
    crypto map newmap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 200 authentication pre-share
    isakmp policy 200 encryption 3des
    isakmp policy 200 hash md5
    isakmp policy 200 group 2
    isakmp policy 200 lifetime 86400
    vpngroup test address-pool mypool
    vpngroup test default-domain test-domain
    vpngroup test split-tunnel 100
    vpngroup test idle-time 1800
    vpngroup test password ********
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:d7bfa50e8e18401ba0b1720a3ca3411d
    : end
     
    lowlife123, Feb 20, 2006
    #1

  2. In article <>,
    lowlife123 <> wrote:

    >PIX Version 6.3(4)


    >access-list 100 permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0


    >nat (inside) 0 access-list 100


    >vpngroup test split-tunnel 100


    Never use the same ACL for two different purposes. Here you are
    using it for nat 0 access-list and also for split-tunnel.
     
    Walter Roberson, Feb 20, 2006
    #2

  3. lowlife123

    lowlife123 Guest

    Walter Roberson wrote:
    > In article <>,
    > lowlife123 <> wrote:
    >
    > >PIX Version 6.3(4)

    >
    > >access-list 100 permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0

    >
    > >nat (inside) 0 access-list 100

    >
    > >vpngroup test split-tunnel 100

    >
    > Never use the same ACL for two different purposes. Here you are
    > using it for nat 0 access-list and also for split-tunnel .


    Thanks for your reply. I've created a new access list:

    access-list 100 permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list vpnsplit permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    nat (inside) 0 access-list 100
    vpngroup test split-tunnel vpnsplit

    but it makes no difference, still no data. Is the access list itself
    good? A misconfigured access list could be a logical explanation.

    I also tried :

    access-list vpnsplit permit ip 172.16.1.0 255.255.255.0 any

    but that made no difference: can't ping the host, can't connect to the
    host.

    Have you got any other tips?
     
    lowlife123, Feb 20, 2006
    #3
  4. lowlife123

    Merv Guest

    Merv, Feb 20, 2006
    #4
  5. "lowlife123" <> wrote in message
    news:...

    > PIX Version 6.3(4)
    > interface ethernet0 auto
    > interface ethernet1 100full
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password 8Ry2YjIyt7RRXU24 encrypted
    > passwd 2KFQnbNIdI.2KYOU encrypted
    > hostname pixfirewall
    > fixup protocol dns maximum-length 512
    > fixup protocol ftp 21
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > fixup protocol skinny 2000
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > fixup protocol tftp 69
    > names
    > access-list 100 permit ip 172.16.1.0 255.255.255.0 192.168.100.0
    > 255.255.255.0
    > pager lines 24
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside [PUBLIC IP] 255.255.255.0
    > ip address inside 172.16.1.2 255.255.255.0
    > ip audit info action alarm
    > ip audit attack action alarm
    > ip local pool mypool 192.168.100.100-192.168.100.200
    > pdm history enable
    > arp timeout 14400
    > nat (inside) 0 access-list 100
    > nat (inside) 1 0.0.0.0 0.0.0.0


    Where is your global 1?


    > route outside 0.0.0.0 0.0.0.0 [PUBLIC ROUTER] 1
    > timeout xlate 3:00:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225


    > sysopt connection permit-ipsec
    > crypto ipsec transform-set myset esp-3des esp-md5-hmac
    > crypto dynamic-map dynmap 100 set transform-set myset
    > crypto map newmap 200 ipsec-isakmp dynamic dynmap
    > crypto map newmap interface outside


    Add the command: isakmp nat-t
    This enables clients behind NAT to pass traffic.
    I believe this to be your problem.

    > isakmp enable outside
    > isakmp identity address
    > isakmp policy 200 authentication pre-share
    > isakmp policy 200 encryption 3des
    > isakmp policy 200 hash md5
    > isakmp policy 200 group 2
    > isakmp policy 200 lifetime 86400
    > vpngroup test address-pool mypool
    > vpngroup test default-domain test-domain
    > vpngroup test split-tunnel 100
    > vpngroup test idle-time 1800
    > vpngroup test password ********


    Does your SHOW VER list the 3des license ?
     
    Martin Bilgrav, Feb 21, 2006
    #5
  6. lowlife123

    lowlife123 Guest

    Thanks for your reply, the ping isn't the only thing that doesn't work.
    A 'simple' telnet doesn't work either. I've tried the stuff listed in the
    Cisco document you gave me but that doesn't help. Just as a temp.
    solution I've created a static link between the cisco device behind the
    nat I want to reach and ACL-ed that one. That works fine so it is some
    kind of networking problem.

    The other thing is I've enabled 'sysopt connection permit-ipsec' which
    (correct me if I'm wrong :) means that no ACL's are applied to the
    traffic going into the tunnel.

    I'm going really nuts over this pix....
     
    lowlife123, Feb 21, 2006
    #6
  7. lowlife123

    lowlife123 Guest

    Sorry, made a typo/missed some words (need more sleep :)

    "Just as a temp. solution i've created a static link between the cisco
    device behind the nat i want to reach and ACL-ed that one. That works
    fine so it is some kind of networking problem. "

    should be

    "Just as a temp. solution i've created a static link between the cisco
    device behind the PIX and the outside interface of the pix and ACL-ed
    that one.

    That works fine so it is NOT some kind of networking problem. "
     
    lowlife123, Feb 21, 2006
    #7
  9. lowlife123

    lowlife123 Guest

    Thanks for your reply

    I've tried both your suggestions but no luck. Isn't nat-traversal used
    to pass ipsec packets over a nat connection? The pix doesn't nat the
    packets coming from the local net (hence the 'nat inside 0...' line)
    so this shouldn't have any effect, should it?

    I also tried another suggestion I got in the mail: selecting an ip-pool
    within the local net instead of a completely different range, but no luck
    either.

    3DES enc. is there:

    VPN-DES: Enabled
    VPN-3DES-AES: Enabled

    I've configured a lot of cisco (vpn) devices but this one is really
    starting to drive me nuts, how difficult can it be to set up a vpn
    connection with a pix ? :'(

    I hope someone else has some more suggestions.
     
    lowlife123, Feb 22, 2006
    #9
  10. lowlife123

    lowlife123 Guest

    Hi everybody, I got the pix working and wanted to share the answer with
    you.

    I'm pretty sure the answer is that the pix by default blocks the vpn
    traffic on the outside interface (at least my pix does) and creating an
    access-list which permits the traffic between the local net and the
    ippool solved the problem.

    Below is a working config where 172.16.1.0 255.255.255.0 is the local net
    behind the pix and 192.168.100.10-192.168.100.20 is the vpn pool. This
    example works with Cisco VPN client 4.x from winxp to the pix. I am
    able to ping a device behind the pix (just make sure this device has
    the pix as default gateway because the packets will originate from a
    192.168.100 address and thus it needs to send the replies to its
    default router OR use an ippool from the same subnet) and I am able to
    telnet to this specific cisco device behind the pix :)

    Note: this is just a basic setup, you would want to create more
    security with trimmed down access-lists, extra authentication etc. etc.

    ---
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list vpn_no_nat permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list vpn_split_tunnel permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list vpn_allow_traffic permit icmp 192.168.100.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list vpn_allow_traffic permit icmp 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list vpn_allow_traffic permit ip 192.168.100.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list vpn_allow_traffic permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside [YOUR PUBLIC IP HERE] 255.255.255.0
    ip address inside 172.16.1.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.100.10-192.168.100.20
    pdm history enable
    arp timeout 14400
    nat (inside) 0 access-list vpn_no_nat
    access-group vpn_allow_traffic in interface outside
    route outside 0.0.0.0 0.0.0.0 [YOUR PUBLIC ROUTER HERE] 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set vpnset
    crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap
    crypto map remote_vpn client configuration address initiate
    crypto map remote_vpn client configuration address respond
    crypto map remote_vpn interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpnclient address-pool ippool
    vpngroup vpnclient split-tunnel vpn_split_tunnel
    vpngroup vpnclient idle-time 1800
    vpngroup vpnclient password ********
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:9859044fd9723646b435be5c883b124e
    : end
    ---
     
    lowlife123, Feb 25, 2006
    #10
