PIX 501 <-> PIX 501 - Problem contacting private networks on the inside

Discussion in 'Cisco' started by Andre, Feb 20, 2005.

  1. Andre

    Andre Guest

    Hi,

    First off I can tell you that I have no experience with setting up VPN
    connections. Now that I got that out... I'm trying to configure 2 x
    Cisco PIX 501
    firewalls to create a VPN tunnel between 2 separate locations, so that I
    can access both internal networks from either location. So far I have
    managed to set up a tunnel which kinda works. Both the IKE and IPSEC
    tunnels are up and working.. but I cannot reach the internal networks
    on the inside of either PIX.

    This is getting me very frustrated.. So if anyone can lend a hand I
    would jump for joy and then some! :)

    Added a stripped dump of the configuration on PIX number 2. Since both
    PIXes use the same config except for changes in IP addresses I only
    included the config for one of them.

    CISCO PIX 501 - %NAME USED BELOW% == PIX2
    ---------------------------------------------------------------
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol icmp error
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_outbound_nat0_acl permit ip <PRIVATE-IP-ADDRESS-PIX2> 255.255.255.0 <PRIVATE-IP-ADDRESS-PIX1> 255.255.255.0
    access-list outside_cryptomap_20 permit ip <PRIVATE-IP-ADDRESS-PIX2> 255.255.255.0 <PRIVATE-IP-ADDRESS-PIX1> 255.255.255.0
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside <PRIVATE-IP-ADDRESS-PIX1> 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer <PUBLIC-IP-ADDRESS-PIX1>
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp enable inside
    isakmp key ******** address <PUBLIC-IP-ADDRESS-PIX1> netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400


    Any help appreciated! :)
    Andre
    Andre, Feb 20, 2005
    #1

  2. In article <>,
    Andre <> wrote:
    >I'm trying to configure 2 x Cisco PIX 501


    :Added a stripped dump of configuration on PIX number 2.

    :CISCO PIX 501 - %NAME USED BELOW% == PIX2

    :access-list inside_outbound_nat0_acl permit ip <PRIVATE-IP-ADDRESS-PIX2> 255.255.255.0 <PRIVATE-IP-ADDRESS-PIX1> 255.255.255.0

    That's fine for PIX2.

    :access-list outside_cryptomap_20 permit ip <PRIVATE-IP-ADDRESS-PIX2> 255.255.255.0 <PRIVATE-IP-ADDRESS-PIX1> 255.255.255.0

    That's fine for PIX1.

    :ip address inside <PRIVATE-IP-ADDRESS-PIX1> 255.255.255.0

    But that's only fine for PIX1.

    :global (outside) 1 interface
    :nat (inside) 0 access-list inside_outbound_nat0_acl
    :nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    :sysopt connection permit-ipsec

    Okay, so you don't need any 'access-group' or outside ACL.

    :crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

    That's a bit odd, in that that is the weakest of all the available
    security combinations. Some items in the rest of the configuration
    show me that you have PIX 6.3(something), so you could be using
    AES provided that you are not in one of the banned countries and are
    not one of the banned persons.

    MD5 is weaker than SHA1; and DES is weaker than 3DES which is weaker
    than any of the available AES.

    :crypto map outside_map 20 ipsec-isakmp
    :crypto map outside_map 20 match address outside_cryptomap_20
    :crypto map outside_map 20 set peer <PUBLIC-IP-ADDRESS-PIX1>
    :crypto map outside_map 20 set transform-set ESP-DES-MD5
    :crypto map outside_map interface outside
    :isakmp enable outside

    Okay.

    :isakmp enable inside

    You don't need that.

    :isakmp key ******** address <PUBLIC-IP-ADDRESS-PIX1> netmask 255.255.255.255 no-xauth no-config-mode

    Okay.

    :isakmp policy 20 authentication pre-share
    :isakmp policy 20 encryption des
    :isakmp policy 20 hash md5
    :isakmp policy 20 group 2
    :isakmp policy 20 lifetime 86400

    Okay.


    There is nothing in your config that looks wrong, other than the
    obvious typo in the IP.

    How are you doing the testing? If you are trying to ping the inside
    IP of the remote PIX, then that will not work [though there is a way
    to force it.]

    --
    csh is bad drugs.
    Walter Roberson, Feb 20, 2005
    #2

  3. Andre

    Andre Guest

    Re: PIX 501 <-> PIX 501 - Problem contacting private networks on the inside

    Walter Roberson wrote:
    > In article <>,
    > Andre <> wrote:
    >
    >>Im trying to configure 2 x Cisco PIX 501

    >
    >
    > :Added a stripped dump of configuration on PIX number 2.
    >
    > :CISCO PIX 501 - %NAME USED BELOW% == PIX2
    >
    > :access-list inside_outbound_nat0_acl permit ip <PRIVATE-IP-ADDRESS-PIX2> 255.255.255.0 <PRIVATE-IP-ADDRESS-PIX1> 255.255.255.0
    >
    > That's fine for PIX2.
    >
    > :access-list outside_cryptomap_20 permit ip <PRIVATE-IP-ADDRESS-PIX2> 255.255.255.0 <PRIVATE-IP-ADDRESS-PIX1> 255.255.255.0
    >
    > That's fine for PIX1.
    >
    > :ip address inside <PRIVATE-IP-ADDRESS-PIX1> 255.255.255.0
    >
    > But that's only fine for PIX1.
    >
    > :global (outside) 1 interface
    > :nat (inside) 0 access-list inside_outbound_nat0_acl
    > :nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    >
    > :sysopt connection permit-ipsec
    >
    > Okay, so you don't need any 'access-group' or outside ACL.
    >
    > :crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    >
    > That's a bit odd, in that that is the weakest of all the available
    > security combinations. Some items in the rest of the configuration
    > show me that you have PIX 6.3(something), so you could be using
    > AES provided that you are not in one of the banned countries and are
    > not one of the banned persons.
    >
    > MD5 is weaker than SHA1; and DES is weaker than 3DES which is weaker
    > than any of the available AES.
    >
    > :crypto map outside_map 20 ipsec-isakmp
    > :crypto map outside_map 20 match address outside_cryptomap_20
    > :crypto map outside_map 20 set peer <PUBLIC-IP-ADDRESS-PIX1>
    > :crypto map outside_map 20 set transform-set ESP-DES-MD5
    > :crypto map outside_map interface outside
    > :isakmp enable outside
    >
    > Okay.
    >
    > :isakmp enable inside
    >
    > You don't need that.
    >
    > :isakmp key ******** address <PUBLIC-IP-ADDRESS-PIX1> netmask 255.255.255.255 no-xauth no-config-mode
    >
    > Okay.
    >
    > :isakmp policy 20 authentication pre-share
    > :isakmp policy 20 encryption des
    > :isakmp policy 20 hash md5
    > :isakmp policy 20 group 2
    > :isakmp policy 20 lifetime 86400
    >
    > Okay.
    >
    >
    > There is nothing in your config that looks wrong, other than the
    > obvious typo in the IP.
    >
    > How are you doing the testing? If you are trying to ping the inside
    > IP of the remote PIX, then that will not work [though there is a way
    > to force it.]
    >

    Thanks for your reply Walter! The security is very low I know.. but this
    is just a test run to get everything up and running. I didn't want to get
    problems just because of security reasons first. How am I testing this? I'm
    trying to access FTP->21 and RDP->3389 on the private networks of either
    location. But it doesn't connect to those servers.

    This is from the debug log on PIX2:
    "6 Feb 20 2005 18:21:18 302013: Built inbound TCP connection 201 for
    outside: <PIX1-PRIVATE>/2000 (<PIX1-PRIVATE>/2000) to inside:
    <PIX2-PRIVATE>/3389 (<PIX2-PRIVATE>/3389)"

    It looks like it gets a request from PIX1 to connect to the server.. but
    nothing happens. Maybe it's something I'm just not getting? This is my
    first time with PIX+VPN so I'm still a newbie.

    Thanks for any help!
    Andre
    Andre, Feb 20, 2005
    #3
  4. Re: PIX 501 <-> PIX 501 - Problem contacting private networks on the inside

    In article <s_3Sd.2780$Mw3.1042@amstwist00>, Andre <> wrote:
    :Walter Roberson wrote:

    You should trim what you quote.

    :This is from the debug log on PIX2:
    :"6 Feb 20 2005 18:21:18 302013: Built inbound TCP connection 201 for
    :outside: <PIX1-PRIVATE>/2000 (<PIX1-PRIVATE>/2000) to inside:
    :<PIX2-PRIVATE>/3389 (<PIX2-PRIVATE>/3389)"

    :It looks like it gets a request from PIX1 to connect to the server.. but
    :nothing happens. Maybe it's something I'm just not getting? This is my
    :first time with PIX+VPN so I'm still a newbie.

    show route

    I see that you have ip address outside dhcp setroute
    but you should double-check that you have a route set for 0.0.0.0 0.0.0.0.
    --
    History is a pile of debris -- Laurie Anderson
    Walter Roberson, Feb 20, 2005
    #4
  5. Re: PIX 501 <-> PIX 501 - Problem contacting private networks on the inside

    In article <cvajc7$kn1$>,
    Walter Roberson <-cnrc.gc.ca> wrote:
    :I see that you have ip address outside dhcp setroute
    :but you should double-check that you have a route set for 0.0.0.0 0.0.0.0.

    Check too on PIX2-PRIVATE to be sure that it has the PIX2 inside IP
    set as its default gateway.

    You can use 'debug packet' against the inside interface on PIX2 to
    see if anything is returning from the inside device.
    --
    Is "meme" descriptive or prescriptive? Does the knowledge that
    memes exist not subtly encourage the creation of more memes?
    -- A Child's Garden Of Memes
    Walter Roberson, Feb 20, 2005
    #5
  6. Andre

    Andre Guest

    Re: PIX 501 <-> PIX 501 - Problem contacting private networks on the inside

    Walter Roberson wrote:
    > In article <cvajc7$kn1$>,
    > Walter Roberson <-cnrc.gc.ca> wrote:
    > :I see that you have ip address outside dhcp setroute
    > :but you should double-check that you have a route set for 0.0.0.0 0.0.0.0.
    >
    > Check too on PIX2-PRIVATE to be sure that it has the PIX2 inside IP
    > set as its default gateway.
    >
    > You can use 'debug packet' against the inside interface on PIX2 to
    > see if anything is returning from the inside device.


    I'm going to try your suggestions. But to put all the cards on the table
    I have stripped configurations from both PIXes, which are attached to this
    message. There are 3 PIXes involved in this configuration. The complete
    configuration we need is 3 VPN tunnels; PIX1<->PIX3 and PIX1<->PIX2.

    Below are the IP addresses involved in the configurations. Hope this will
    clear some things up. And maybe you can provide a solution from the
    configurations. BTW: Addresses are fake...

    PIX1:
    ....PUBLIC : 201.0.0.181, 201.0.0.180, 201.0.0.182
    ....PRIVATE: 10.0.0.0, 10.0.0.2

    PIX2:
    ....PUBLIC : 203.0.0.25
    ....PRIVATE: 172.16.0.0

    PIX3:
    ....PUBLIC : 202.0.0.0, 202.0.0.59, 202.0.0.21, 202.0.0.247
    ....PRIVATE: 10.7.20.0


    Thanks!
    Andre

    PIX2 (CISCO PIX 501 - PIX Version 6.3(4))
    ---------------------------------------------------------
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol icmp error
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 172.16.0.1 255.255.255.0
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 201.0.0.182
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 201.0.0.182 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    dhcpd address 172.16.0.2-172.16.0.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside


    PIX1 (CISCO PIX 501 - PIX Version 6.3(1))
    ---------------------------------------------------------
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 202.0.0.0 PIX3_2
    name 201.0.0.180 Outside
    name 202.0.0.59 PIX3_1
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 host PIX3_1
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 host PIX3_1
    access-list outside_cryptomap_40 permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
    mtu outside 1500
    mtu inside 1500
    ip address outside 201.0.0.182 255.255.255.252
    ip address inside 10.0.0.2 255.255.255.0
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 201.0.0.181 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map inside_map interface inside
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 202.0.0.247
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 40 ipsec-isakmp
    crypto map outside_map 40 match address outside_cryptomap_40
    crypto map outside_map 40 set peer 203.0.0.25
    crypto map outside_map 40 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 202.0.0.247 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 203.0.0.25 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 202.0.0.21 255.255.255.255 outside
    telnet 203.0.0.25 255.255.255.255 outside
    telnet 172.16.0.0 255.255.255.0 outside
    telnet 10.0.0.0 255.255.255.0 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    Andre, Feb 20, 2005
    #6
  7. Re: PIX 501 <-> PIX 501 - Problem contacting private networks on the inside

    In article <kQ4Sd.2793$Mw3.1964@amstwist00>, Andre <> wrote:
    :PIX2 (CISCO PIX 501 - PIX Version 6.3(4))

    :ip address outside dhcp setroute

    If you have a fixed IP address for PIX2, then you should use it, and you should have a
    'route' statement to set the default route towards the router.

    If you do not have a fixed IP address for PIX2, then you will need to use a
    crypto dynamic-map on PIX1 to receive the connections. A PIX with a dynamic
    IP cannot reliably be the responder for a VPN connection.
    --
    Feep if you love VT-52's.
    Walter Roberson, Feb 20, 2005
    #7
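    Added example, not code from the thread or from Cisco: a small Python checker that applies the review points from #2 and #7 to the two dumps posted in #6. It checks that the crypto ACLs are mirror images, that each inside address lies in the protected network (the slip Walter calls the obvious typo in #1), that 'set peer' names the other end's fixed outside address (a DHCP outside is flagged as needing a crypto dynamic-map on the fixed side), and it flags the DES/MD5 transform set. The regexes and the WEAK set are my own assumptions, not a PIX syntax definition.

```python
import ipaddress
import re

# Constructed sample input: the tunnel-relevant lines from the PIX2 and PIX1
# dumps in post #6 (addresses are the ones the poster says are fake).
PIX2_CFG = """
access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0
ip address outside dhcp setroute
ip address inside 172.16.0.1 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 201.0.0.182
crypto map outside_map 20 set transform-set ESP-DES-MD5
"""
PIX1_CFG = """
access-list outside_cryptomap_40 permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
ip address outside 201.0.0.182 255.255.255.252
ip address inside 10.0.0.2 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 203.0.0.25
crypto map outside_map 40 set transform-set ESP-DES-MD5
"""
WEAK = {"esp-des", "esp-md5-hmac"}  # DES < 3DES < AES and MD5 < SHA1 (Walter's ranking)

def parse(cfg):
    """Extract what one crypto map entry depends on from a PIX 6.3 config dump (assumed syntax)."""
    p = {"acl": {}, "ts": {}, "map": {}, "outside": None, "inside": None}
    for line in cfg.splitlines():
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            name, s, sm, d, dm = m.groups()
            p["acl"].setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := re.match(r"ip address outside (\S+)", line):
            p["outside"] = None if m[1] == "dhcp" else ipaddress.ip_address(m[1])  # None = no fixed IP
        elif m := re.match(r"ip address inside (\S+) \S+", line):
            p["inside"] = ipaddress.ip_address(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.*)", line):
            p["ts"][m[1]] = set(m[2].split())
        elif m := re.match(r"crypto map \S+ (\d+) (match address|set peer|set transform-set) (\S+)", line):
            p["map"].setdefault(int(m[1]), {})[m[2]] = m[3]
    return p

def check_pair(local_cfg, local_seq, remote_cfg, remote_seq):
    """Findings for one tunnel as seen from 'local'; an empty list means nothing to flag."""
    a, b = parse(local_cfg), parse(remote_cfg)
    ma, mb = a["map"][local_seq], b["map"][remote_seq]
    local_acl = a["acl"][ma["match address"]]
    findings = []
    # 1. The crypto ACLs must be mirror images: local->remote here, remote->local there.
    if set(local_acl) != {(d, s) for s, d in b["acl"][mb["match address"]]}:
        findings.append("crypto ACLs are not mirror images")
    # 2. The inside address must lie in the protected network (the typo in post #1).
    if not any(a["inside"] in src for src, _ in local_acl):
        findings.append(f"inside address {a['inside']} is not in the crypto ACL source network")
    # 3. 'set peer' must be the remote's fixed outside address; a DHCP remote cannot
    #    reliably be the responder, so the fixed side needs a crypto dynamic-map.
    if b["outside"] is None:
        findings.append("remote outside address is DHCP: use crypto dynamic-map on the fixed side")
    elif ipaddress.ip_address(ma["set peer"]) != b["outside"]:
        findings.append(f"set peer {ma['set peer']} does not match remote outside {b['outside']}")
    # 4. Weak algorithms in the transform set in use are flagged.
    ta = a["ts"][ma["set transform-set"]]
    if ta & WEAK:
        findings.append("weak transform-set: " + " ".join(sorted(ta & WEAK)))
    return findings
```

Run `check_pair(PIX2_CFG, 20, PIX1_CFG, 40)` and `check_pair(PIX1_CFG, 40, PIX2_CFG, 20)` to see each direction; only the second reports the DHCP problem, which matches what Walter raises in #7.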
  8. Andre

    Andre Guest

    Re: PIX 501 <-> PIX 501 - Problem contacting private networks on the inside

    Walter Roberson wrote:
    > In article <kQ4Sd.2793$Mw3.1964@amstwist00>, Andre <> wrote:
    > :PIX2 (CISCO PIX 501 - PIX Version 6.3(4))
    >
    > :ip address outside dhcp setroute
    >
    > If you have a fixed IP address for PIX2, then you should use it, and you should have a
    > 'route' statement to set the default route towards the router.
    >
    > If you do not have a fixed IP address for PIX2, then you will need to use a
    > crypto dynamic-map on PIX1 to receive the connections. A PIX with a dynamic
    > IP cannot reliably be the responder for a VPN connection.


    Sorry for not mentioning this before... but I'm running it in a test
    environment. Which means that I'm sitting at home with my DSL connection,
    which doesn't have a fixed address. I know about the crypto dynamic-map
    setting, but figured I didn't care to use it since PIX2 is only at my
    temp location (home) and my home DSL IP only changes every 3-4 months.

    Thanks for the info! But if I'm not mistaken, since I have no problem
    getting them to bind an IKE/IPsec tunnel with each other I shouldn't have
    to care about the crypto dynamic just yet. Hopefully I can get this
    working soon.. getting very frustrated. Which is why I am VERY grateful
    for your help! :)

    Andre
    Andre, Feb 20, 2005
    #8