PIX 501 one way VPN traffic

Discussion in 'Cisco' started by Sogorman, May 22, 2010.

    Wanted to see if a Cisco master can look at this config and give me any ideas on why I am having problems with my VPN traffic. This local Pix 501 config is allowing me to establish an IPSEC tunnel to the remote network, and if I am on this local side I can get to network resources on the remote side without issue. The problem lies when a remote computer is attempting to establish a connection to access any network resources on this local side: everything just times out.

    Any ideas? Thanks for the help in advance.

    Sean

    : Saved
    : Written by enable_15 at 17:08:29.422 UTC Fri May 21 2010
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password XXXXXXXXXX encrypted
    passwd XXXXXXXXXXX encrypted
    hostname DMPIX01
    domain-name cox.net
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name XXX.XXX.XXX.XXX DM_IO_COLO
    object-group service DM_IO_COLO tcp
    description Direct Mailers Access to COLO
    port-object range 10433 10433
    access-list inside_out permit tcp any any eq www
    access-list inside_out permit tcp any any eq https
    access-list inside_out permit tcp any any eq smtp
    access-list inside_out permit tcp any any eq pop3
    access-list inside_out permit tcp any any eq imap4
    access-list inside_out permit tcp any any eq ftp
    access-list inside_out permit udp any any eq domain
    access-list inside_out permit tcp any any eq ftp-data
    access-list inside_out permit tcp any any eq 522
    access-list inside_out permit tcp any any eq 8200
    access-list inside_out permit tcp any any eq 500
    access-list inside_out permit tcp any any eq 3389
    access-list inside_out permit tcp any any eq 37
    access-list inside_out permit tcp any any eq 2190
    access-list inside_out permit tcp any any eq 4430
    access-list inside_out permit tcp any any range 7287 7288
    access-list inside_out permit tcp any any eq 8000
    access-list inside_out permit tcp any any range 8080 8089
    access-list inside_out permit udp any any eq ntp
    access-list inside_out permit udp any any eq 2190
    access-list inside_out permit udp any eq ntp any eq ntp
    access-list inside_out permit tcp any eq 37 any eq 37
    access-list inside_out permit tcp any eq https any eq https
    access-list inside_out permit tcp any eq 5005 any eq 5005
    access-list inside_out permit tcp any range 5222 5223 any range 5222 5223
    access-list inside_out permit tcp any range 7287 7288 any range 7287 7288
    access-list inside_out permit tcp any range 8000 8089 any range 8000 8089
    access-list inside_out permit udp any eq 5060 any eq 5060
    access-list inside_out permit udp any eq 5004 any eq 5004
    access-list inside_out permit tcp any eq 18182 any eq 18182
    access-list inside_out permit udp any eq 18182 any eq 18182
    access-list inside_out remark Satori NCOA
    access-list inside_out permit tcp any any eq 5150
    access-list inside_out permit tcp any eq imap4 any
    access-list inside_out permit tcp any eq 585 any
    access-list inside_out permit tcp any eq 993 any
    access-list inside_out permit tcp any eq 995 any
    access-list inside_out permit tcp any eq 465 any
    access-list inside_out permit tcp any host DM_IO_COLO
    access-list inside_out permit tcp any range ftp-data 9999 any range ftp-data 9999
    access-list outside_in permit tcp any any eq www
    access-list outside_in permit tcp any any eq https
    access-list outside_in permit tcp any any eq ftp
    access-list outside_in permit tcp any any eq ftp-data
    access-list outside_in permit tcp any any eq 3389
    access-list outside_in permit udp any eq time any eq time
    access-list outside_in permit udp any eq ntp any eq ntp
    access-list outside_in permit tcp any eq https any eq https
    access-list outside_in permit tcp any eq 5005 any eq 5005
    access-list outside_in permit tcp any range 5222 5223 any range 5222 5223
    access-list outside_in permit tcp any range 7287 7288 any range 7287 7288
    access-list outside_in permit tcp any range 8000 8089 any range 8000 8089
    access-list outside_in permit udp any eq 5060 any eq 5060
    access-list outside_in permit udp any eq 5004 any eq 5004
    access-list outside_in permit tcp any eq 18182 any eq 18182
    access-list outside_in permit udp any eq 18182 any eq 18182
    access-list outside_in remark Satori NCOA
    access-list outside_in permit tcp any any eq 5150
    access-list outside_in permit tcp any eq imap4 any
    access-list outside_in permit tcp any eq 585 any
    access-list outside_in permit tcp any eq 993 any
    access-list outside_in permit tcp any eq 995 any
    access-list outside_in permit tcp any eq 465 any
    access-list outside_in permit tcp host DM_IO_COLO any
    access-list outside_in permit tcp any range ftp-data 9999 any range ftp-data 9999
    access-list inside_outbound_nat0_acl permit ip interface inside 10.0.0.176 255.255.255.240
    access-list inside_outbound_nat0_acl permit ip interface inside 10.0.1.96 255.255.255.240
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 host 10.0.1.100
    access-list inside_outbound_nat0_acl permit ip any 10.0.1.0 255.255.255.240
    access-list BGLR permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 10.0.0.1 255.0.0.0
    ip audit info action drop
    ip audit attack action drop
    ip local pool Outside 10.0.1.1-10.0.1.10
    pdm location 10.0.0.10 255.255.255.255 inside
    pdm location 10.0.0.0 255.255.255.0 inside
    pdm location 10.0.0.176 255.255.255.240 outside
    pdm location 10.0.1.96 255.255.255.240 outside
    pdm location 10.0.1.100 255.255.255.255 outside
    pdm location DM_IO_COLO 255.255.255.255 outside
    pdm location 10.0.1.0 255.255.255.240 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list BGLR
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface www 10.0.0.10 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https 10.0.0.10 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ftp 10.0.0.10 ftp netmask 255.255.255.255 0 0
    static (inside,outside) udp 98.165.38.179 5060 10.0.0.10 5060 netmask 255.255.255.255 0 0
    static (inside,outside) udp 98.165.38.179 5004 10.0.0.10 5004 netmask 255.255.255.255 0 0
    static (inside,outside) udp 98.165.38.179 18182 10.0.0.10 18182 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 98.165.38.179 18182 10.0.0.10 18182 netmask 255.255.255.255 0 0
    access-group outside_in in interface outside
    access-group inside_out in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.0.0.0 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
    crypto map test 10 ipsec-isakmp
    crypto map test 10 match address BGLR
    crypto map test 10 set peer DM_IO_COLO
    crypto map test 10 set transform-set fortinet
    crypto map test 10 set security-association lifetime seconds 86400 kilobytes 4608000
    crypto map test interface outside
    isakmp enable outside
    isakmp key XXXXXXXXX address DM_IO_COLO netmask 255.255.255.255
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    telnet 10.0.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication chap
    vpdn group PPTP-VPDN-GROUP client configuration address local Outside
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username Sean password XXXXXXXXXXX
    vpdn enable outside
    dhcpd address 10.0.0.150-10.0.0.200 inside
    dhcpd dns 68.2.16.20 68.2.16.24
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    username XXXXXX password XXXXXXXXX encrypted privilege 15
    terminal width 80
    Cryptochecksum:76edf6566fe277c891866a5b63f7f328
    : end
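When a site-to-site tunnel passes traffic in one direction only, the first thing to verify on the local PIX is that the crypto ACL (interesting traffic), the NAT exemption, and the IPsec ACL bypass all cover the flow in question, and that the peer holds the exact mirror of the crypto ACL. The checker below is an added example written for this thread, not code from the poster or from Cisco; it parses the tunnel-related lines of the posted config (embedded as a constructed sample) and the hosts 10.0.0.10 and 192.168.0.5 are assumed test endpoints.

```python
import ipaddress
import re

# Constructed sample: the tunnel-related lines from the PIX 6.3 config in the post.
PIX_CONFIG = """
access-list inside_outbound_nat0_acl permit ip interface inside 10.0.0.176 255.255.255.240
access-list BGLR permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list BGLR
sysopt connection permit-ipsec
crypto map test 10 match address BGLR
"""

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_ip_acls(config):
    """Map ACL name -> list of (src_net, dst_net) for 'permit ip' entries.
    Entries that use the 'interface' keyword instead of an address are skipped."""
    acls = {}
    for name, src, smask, dst, dmask in ACL_RE.findall(config):
        try:
            pair = (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                    ipaddress.ip_network(f"{dst}/{dmask}", strict=False))
        except ValueError:
            continue
        acls.setdefault(name, []).append(pair)
    return acls


def first_group(config, pattern):
    m = re.search(pattern, config)
    return m.group(1) if m else None


def covers(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)


def check_tunnel_path(config, local_host, remote_host):
    """For a remote_host -> local_host connection over the tunnel, report whether the
    local PIX treats the reply as interesting traffic, exempts it from PAT, lets IPsec
    traffic bypass the outside ACL, and what mirror ACL the peer must hold."""
    acls = parse_ip_acls(config)
    crypto = first_group(config, r"crypto map \S+ \d+ match address (\S+)")
    nat0 = first_group(config, r"nat \(inside\) 0 access-list (\S+)")
    local = ipaddress.ip_address(local_host)
    remote = ipaddress.ip_address(remote_host)
    return {
        "crypto_acl": crypto,
        "nat0_acl": nat0,
        "flow_interesting": covers(acls.get(crypto, []), local, remote),
        "flow_nat_exempt": covers(acls.get(nat0, []), local, remote),
        "ipsec_bypasses_acl": "sysopt connection permit-ipsec" in config,
        "expected_peer_mirror": [f"permit ip {d.network_address} {d.netmask} "
                                 f"{s.network_address} {s.netmask}"
                                 for s, d in acls.get(crypto, [])],
    }
```

If all three flags come back true for the hosts involved, the local crypto and NAT definitions are not what is dropping the remote-initiated connections, and attention turns to whether the peer's crypto ACL is the listed mirror and to what the inside host itself accepts.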
