Pix Point to Point VPN

Discussion in 'Cisco' started by marcosbarrera@gmail.com, Jan 31, 2007.

  1. Guest

    I'm at a loss. I've tried to get this Point to Point VPN setup from
    our home office to our colo'd server and I can't seem to figure out
    why it isn't working. Any help would be greatly appreciated. IPs have
    been changed to protect the innocent.

    Marcos

    Home Office External IP: 66.66.66.66 provided by dsl dhcp
    Home Office Internal IP: 192.168.3.x

    Colo External IP: 55.55.55.55
    Colo Internal IP: 192.168.50.x

    Home Office Pix Config:

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password securepassword
    passwd securepassword
    hostname HOME-PIX
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_access_in permit tcp any any eq pptp
    access-list outside_access_in permit gre any any
    access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list corp permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.3.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.3.0 255.255.255.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 47 192.168.3.2 47 netmask 255.255.255.255 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.3.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    crypto map vpn 10 ipsec-isakmp
    crypto map vpn 10 match address colo
    crypto map vpn 10 set peer 55.55.55.55
    crypto map vpn 10 set transform-set strong
    crypto map vpn interface outside
    isakmp enable outside
    isakmp key 12345 address 55.55.55.55 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    telnet 192.168.3.0 255.255.255.0 inside
    telnet timeout 15
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.3.2-192.168.3.33 inside
    dhcpd dns 208.67.222.222 208.67.220.220
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80

    COLO Pix Config:

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password securepassword
    passwd securepassword
    hostname COLOFW
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inbound permit icmp any any
    access-list inbound permit tcp any host 55.55.55.55 eq https
    access-list inbound permit tcp any host 55.55.55.55 eq pptp
    access-list inbound permit tcp any host 55.55.55.55 eq www
    access-list inbound permit tcp any host 55.55.55.55 eq 444
    access-list inbound permit tcp any host 55.55.55.55 eq smtp
    access-list inbound permit gre any host 55.55.55.55
    access-list inbound permit tcp any host 55.55.55.56 eq ftp
    access-list inbound permit tcp any host 55.55.55.56 eq ftp-data
    access-list inbound permit tcp any host 55.55.55.55 eq 4125
    access-list inbound permit tcp any host 55.55.55.56 eq domain
    access-list inbound permit udp any host 55.55.55.56 eq domain
    access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list corp permit ip 192.168.50.0 255.255.255.0 192.168.3.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 55.55.55.55 255.255.255.240
    ip address inside 192.168.50.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.50.0 255.255.255.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 55.55.55.55 192.168.50.55 netmask 255.255.255.255 0 0
    static (inside,outside) 55.55.55.56 192.168.50.56 netmask 255.255.255.255 0 0
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 55.55.55.54 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.50.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    crypto map vpn 10 ipsec-isakmp
    crypto map vpn 10 match address corp
    crypto map vpn 10 set peer 66.66.66.66
    crypto map vpn 10 set transform-set strong
    crypto map vpn interface outside
    isakmp enable outside
    isakmp key 12345 address 66.66.66.66 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    telnet 192.168.50.0 255.255.255.0 inside
    telnet timeout 15
    ssh timeout 5
    console timeout 0
    terminal width 80

  2. In article <>,
    <> wrote:
    >I'm at a loss. I've tried to get this Point to Point VPN setup from
    >our home office to our colo'd server and I can't seem to figure out
    >why it isn't working.


    >Home Office External IP: 66.66.66.66 provided by dsl dhcp
    >Home Office Internal IP: 192.168.3.x


    >Colo External IP: 55.55.55.55
    >Colo Internal IP: 192.168.50.x


    >Home Office Pix Config:


    >PIX Version 6.3(4)


    It would be better to upgrade that to 6.3(5)112 because of the
    known security problems in 6.3(4) and 6.3(5)[original]

    >access-list outside_access_in permit tcp any any eq pptp
    >access-list outside_access_in permit gre any any
    >access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
    >access-list corp permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0


    >ip address outside dhcp setroute
    >ip address inside 192.168.3.1 255.255.255.0


    >global (outside) 1 interface
    >nat (inside) 0 access-list nonat
    >nat (inside) 1 192.168.3.0 255.255.255.0 0 0
    >nat (inside) 1 0.0.0.0 0.0.0.0 0 0


    Note that 0.0.0.0 0.0.0.0 includes 192.168.3.0 255.255.255.0, so
    the first nat 1 is redundant. (My recommendation would be to
    get rid of the nat 1 0.0.0.0)

    >static (inside,outside) tcp interface 47 192.168.3.2 47 netmask 255.255.255.255 0 0


    You appear to have tried to pass through gre, IP protocol 47.
    Unfortunately for you, GRE is not a TCP port. In order to get GRE
    through, you would have to static (inside,outside) the entire IP,
    as there is no way to static just a single protocol. You cannot,
    though, static the entire IP when the interface address is involved.

    What just -might- work is

    access-list gre_acl permit 47 any host 192.168.3.2
    static (inside,outside) interface access-list gre_acl

    I do not have a PIX available to test this with, so I do not know if
    it will accept a protocol in that context.

    >sysopt connection permit-ipsec
    >crypto ipsec transform-set strong esp-3des esp-md5-hmac


    At one point, I had found documentation that 3DES MD5 was not
    supported... or was it DES SHA that wasn't supported? I can't find
    the relevant documentation at the moment. It wouldn't hurt to
    expand your transform sets and isakmp to include 3DES SHA.
    For that matter, consider using AES-128 SHA Group 5 as your
    highest priority: it is faster and more secure than 3DES.

    >crypto map vpn 10 ipsec-isakmp
    >crypto map vpn 10 match address colo


    There is no access-list named 'colo' in what you showed.


    >crypto map vpn 10 set peer 55.55.55.55
    >crypto map vpn 10 set transform-set strong


    >dhcpd address 192.168.3.2-192.168.3.33 inside


    Earlier you defined 192.168.3.2 to be the target IP of a static.
    Do you really want 192.168.3.2 to be whatever random host on your
    network happens to be assigned that IP by the PIX DHCP daemon?
    It would seem to make more sense to start your address list from
    192.168.3.3 .


    It is not, by the way, immediately obvious as to why you are
    staticing 47 or permitting inward pptp and gre. You would only
    want to use those if you are using a host-to-host VPN from some remote
    machine to a server at your home office. These things are not
    needed for a site-to-site PIX VPN, and they are also (for different
    reasons) unneeded if you are using a host-to-host VPN out from the
    inside to the outside.


    >COLO Pix Config:


    >PIX Version 6.3(5)


    >access-list inbound permit icmp any any


    Do you really want to permit random hosts on the Internet to
    send you ICMP Network Redirects, and thereby send your traffic
    on to their equipment? If not, then you should restrict the icmp
    access only to those protocols that you want to go through --
    icmp unreachable, icmp time-exceeded, and possibly icmp echo-reply.

    >access-list inbound permit tcp any host 55.55.55.55 eq https
    >access-list inbound permit tcp any host 55.55.55.55 eq pptp

    [...]
    >access-list inbound permit gre any host 55.55.55.55


    >ip address outside 55.55.55.55 255.255.255.240


    You have defined 55.55.55.55 as your external IP address. You
    cannot directly reference your external IP address in an access-list:
    you must instead use the phrase 'interface outside', such as

    access-list inbound permit tcp any interface outside eq https


    >access-list inbound permit tcp any host 55.55.55.56 eq ftp
    >access-list inbound permit tcp any host 55.55.55.56 eq ftp-data


    You never need to specifically permit in ftp-data, not unless you
    have turned off the ftp fixup.

    >access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.3.0 255.255.255.0
    >access-list corp permit ip 192.168.50.0 255.255.255.0 192.168.3.0 255.255.255.0


    >ip address outside 55.55.55.55 255.255.255.240
    >ip address inside 192.168.50.1 255.255.255.0


    >global (outside) 1 interface
    >nat (inside) 0 access-list nonat
    >nat (inside) 1 192.168.50.0 255.255.255.0 0 0
    >nat (inside) 1 0.0.0.0 0.0.0.0 0 0


    See above comments about redundant nats. (I would delete the 0.0.0.0 one)

    >static (inside,outside) 55.55.55.55 192.168.50.55 netmask 255.255.255.255 0 0


    You have defined 55.55.55.55 as your external IP address. You cannot
    static the entire external IP address. The policy static I described
    above -might- work.

    >static (inside,outside) 55.55.55.56 192.168.50.56 netmask 255.255.255.255 0 0


    >crypto ipsec transform-set strong esp-3des esp-md5-hmac


    See above comments about SHA and AES.

    >crypto map vpn 10 ipsec-isakmp
    >crypto map vpn 10 match address corp
    >crypto map vpn 10 set peer 66.66.66.66
    >crypto map vpn 10 set transform-set strong
    >crypto map vpn interface outside


    Your home office configuration defined the home office IP as being
    provided by the ISP via dhcp. Unless that is really a static IP
    that will not change, you need to reconfigure the crypto map setup
    on the colo. You need to use a dynamic-map and you need to import
    that dynamic map into your crypto map. A dynamic map must be
    configured any time that the device will be contacted by
    other hosts that do not have fixed IP addresses.

    >isakmp key 12345 address 66.66.66.66 netmask 255.255.255.255


    As per the above, unless the dhcp'd IP address is really a static
    IP in disguise, you should not be locking in that specific IP into
    the isakmp key.


    As discussed above, there is no obvious reason for you to specifically
    permit pptp and gre: those are used for host-to-host VPNs, not
    for site-to-site VPNs.
    Walter Roberson, Jan 31, 2007
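The crypto changes the reply asks for, written out as an added example that is not part of either post. The home office only needs its crypto map pointed at the access-list that actually exists ("corp"); the colo side has to accept a peer whose address it cannot know in advance, so its static crypto map entry and address-bound pre-shared key are replaced by a dynamic crypto map and a wildcard key. PIX 6.3 syntax; the addresses and names are the thread's placeholders, AES/SHA/group 5 are the reply's recommendation with the original 3DES/MD5 policy left as a lower-priority fallback, and the pre-shared key is a placeholder you must replace with a long random string on both boxes, because with a 0.0.0.0 wildcard the key is the only thing that authenticates the remote side. Lines beginning with ":" are comments, as in a saved PIX config.

```text
: ---- HOME-PIX (outside address from DHCP) ----
: The crypto map referenced 'colo', which is never defined; 'corp' is.
no crypto map vpn 10 match address colo
crypto map vpn 10 match address corp
: Prefer AES/SHA, keep the existing 'strong' (3DES/MD5) set as fallback.
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
crypto map vpn 10 set transform-set aes-sha strong
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes
isakmp policy 5 hash sha
isakmp policy 5 group 5
isakmp policy 5 lifetime 86400
: Replace the trivial key; it must match the colo side byte for byte.
no isakmp key 12345 address 55.55.55.55 netmask 255.255.255.255
isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 55.55.55.55 netmask 255.255.255.255

: ---- COLOFW (fixed 55.55.55.55) ----
: Drop the static entry that assumes the peer is always 66.66.66.66.
: (If the PIX refuses the per-entry 'no' form, 'clear crypto map vpn'
: removes the whole map and the lines below rebuild it.)
no crypto map vpn 10 set peer 66.66.66.66
no crypto map vpn 10 set transform-set strong
no crypto map vpn 10 match address corp
no crypto map vpn 10 ipsec-isakmp
no isakmp key 12345 address 66.66.66.66 netmask 255.255.255.255
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
: Dynamic map: the peer address is learned when it connects. 'match
: address' still pins the protected networks, so whoever holds the key
: can only negotiate 192.168.3.0/24 <-> 192.168.50.0/24.
crypto dynamic-map dynmap 10 match address corp
crypto dynamic-map dynmap 10 set transform-set aes-sha strong
: Dynamic entries go last (highest sequence number) in the crypto map.
crypto map vpn 65535 ipsec-isakmp dynamic dynmap
crypto map vpn interface outside
: Wildcard key: any address may present it, so it carries all the trust.
isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 0.0.0.0 netmask 0.0.0.0
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes
isakmp policy 5 hash sha
isakmp policy 5 group 5
isakmp policy 5 lifetime 86400
```

With a dynamic map only the home office can bring the tunnel up, since the colo has no peer address to initiate to; send something from 192.168.3.0/24 toward 192.168.50.0/24 first, then confirm with "show crypto isakmp sa" (phase 1) and "show crypto ipsec sa" (phase 2, with encaps/decaps counters climbing on both boxes). The existing "sysopt connection permit-ipsec" stays on both sides so decrypted tunnel traffic is not subject to the outside interface's access-list.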
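The colo-side static and access-list cleanup the reply describes, written out as an added example (not from the thread). The interface address 55.55.55.55 cannot be the global side of a 1:1 static and cannot be named as a host in the access-list, so each published service is forwarded with a port-level static (the same form the home office already uses) and matched with "interface outside"; 55.55.55.56 is a separate address in the /28 and keeps its 1:1 static; inbound ICMP is cut down to the three types the reply lists; the pptp and gre rules are dropped because the site-to-site tunnel does not use them; ftp-data is dropped because the ftp fixup handles it. Which ports live on 192.168.50.55 follows the original 1:1 static, but that every one of them belongs on that host is an assumption.

```text
: Remove the static that tries to take over the interface address.
no static (inside,outside) 55.55.55.55 192.168.50.55 netmask 255.255.255.255 0 0
: Per-port forwards from the outside interface address instead.
static (inside,outside) tcp interface www 192.168.50.55 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.50.55 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.50.55 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 192.168.50.55 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 192.168.50.55 4125 netmask 255.255.255.255 0 0
: 55.55.55.56 is not the interface address; its 1:1 static is fine.
static (inside,outside) 55.55.55.56 192.168.50.56 netmask 255.255.255.255 0 0

: Build the new list under a new name so the swap is a single access-group change.
access-list inbound_v2 permit icmp any any unreachable
access-list inbound_v2 permit icmp any any time-exceeded
access-list inbound_v2 permit icmp any any echo-reply
access-list inbound_v2 permit tcp any interface outside eq www
access-list inbound_v2 permit tcp any interface outside eq https
access-list inbound_v2 permit tcp any interface outside eq smtp
access-list inbound_v2 permit tcp any interface outside eq 444
access-list inbound_v2 permit tcp any interface outside eq 4125
access-list inbound_v2 permit tcp any host 55.55.55.56 eq ftp
access-list inbound_v2 permit tcp any host 55.55.55.56 eq domain
access-list inbound_v2 permit udp any host 55.55.55.56 eq domain
: No pptp/gre: the IPsec tunnel needs neither. ISAKMP to the PIX itself
: is accepted by 'isakmp enable outside', and decrypted tunnel traffic
: bypasses this list through 'sysopt connection permit-ipsec'.
access-group inbound_v2 in interface outside
no access-list inbound
```

"unreachable" is what keeps path-MTU discovery working through the tunnel and the NAT, "time-exceeded" is what makes traceroute from the inside return hops, and "echo-reply" is needed because PIX 6.3 does not track ICMP state, so replies to pings sent from inside would otherwise be dropped at the outside interface. Check the result with "show access-list inbound_v2" (per-line hit counts) and "show xlate" (the port-level translations should appear as connections arrive).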
