PIX problems

Discussion in 'Cisco' started by Doug, Jan 7, 2004.

  1. Doug

    Doug Guest

    I have configured several PIXs w/VPN with no problem (I cheat and use the
    PDM to configure them instead of the command line but that's all we've
    needed so far). I have just installed two new PIX 501 boxes. ALMOST
    everything works fine. From the inside out, there are no problems.
    Connecting from the outside in, VPN client to PIX, is no problem either -
    VPN connects every time. Doing anything over the VPN does not work. We
    have configured the PIX to hand out addresses to VPN clients. It hands out
    the correct addresses but the incorrect subnet masks. For example, the
    inside at this location is 10.0.5.0/24. When VPN clients connect, they are
    given a 10.0.5.x address from the pool but with only an 8-bit mask instead
    of 24. Through the PDM, I can find no way to configure the mask that is
    given to the clients. We have the same type of addressing schemes at other
    locations where we've used the 501 and haven't had any of these issues. I
    have blown these away and reconfigured several times and can't see anything
    that I'm doing differently now as opposed to the other boxes that are
    working.

    Does anyone know what I'm missing?

    Thanks for any ideas,

    Doug
    Doug, Jan 7, 2004
    #1

  2. RM

    RM Guest

    Doug, in PDM choose the File menu and take a snapshot of the
    configuration. Paste it into a text file, mark out all of the public IP
    addresses and send it to me or post it; I can look at the config and tell you
    where the issue is.

    -D

    RM, Jan 8, 2004
    #2

  3. scott enwright

    Doug,

    I have seen this before as you have either. Can you post your configuration
    (change any public addresses to protect yourself before posting) and I'll
    tell you what it is.


    Regards,

    Scott.
    \|/
    (o o)
    ---------------------oOOO--(_)--OOOo----------------------
    Out the 100Base-T, off the firewall, through the router, down
    the T1, over the leased line, off the bridge, nothing but Net.
    (Use ROT13 to see my email address)
    .oooO Oooo.
    ----------------------( )---( )-----------------------
    \ ( ) /
    \_) (_/

    scott enwright, Jan 8, 2004
    #3
  4. Doug

    Doug Guest

    Thanks for the replies guys,

    Here's the config (names and addresses have been changed to protect the
    innocent - or nearly so ;)

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxx encrypted
    hostname edgar
    domain-name edgar.com
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list inside_outbound_nat0_acl permit ip 10.0.5.0 255.255.255.0 10.0.5.64 255.255.255.224
    access-list inside_outbound_nat0_acl permit ip any 10.0.5.48 255.255.255.240
    access-list outside_cryptomap_dyn_20 permit ip any 10.0.5.48 255.255.255.240
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.xxx.xxx.xxx 255.255.255.252
    ip address inside 10.0.5.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool mypool 10.0.5.50-10.0.5.60
    pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
    pdm location 10.0.5.0 255.255.255.0 inside
    pdm location 10.0.5.64 255.255.255.224 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http xxx.xxx.xxx.xxx 255.255.255.255 outside
    http 10.0.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup myvpn address-pool mypool
    vpngroup myvpn wins-server 10.0.5.100
    vpngroup myvpn idle-time 1800
    vpngroup myvpn password ********
    telnet xxx.xxx.xxx.xxx 255.255.255.255 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    terminal width 80



    Doug

    Doug, Jan 8, 2004
    #4
  5. scott enwright

    Doug,

    I believe the PIX is changing the subnet mask because the VPN pool of IP
    addresses is from the same range as the inside interface. Change the
    pool of IP addresses out of the 10.0.5.0/24 range. You will also need to
    change the


    These are the commands that need some fixing:
    1. ip local pool mypool 10.0.5.50-10.0.5.60
    2. access-list inside_outbound_nat0_acl permit ip 10.0.5.0 255.255.255.0 10.0.5.64 255.255.255.224
    3. access-list inside_outbound_nat0_acl permit ip any 10.0.5.48 255.255.255.240
    4. access-list outside_cryptomap_dyn_20 permit ip any 10.0.5.48 255.255.255.240

    I'd try to reallocate the pool for the VPN and see if that changes all four
    of these lines. If you made the VPN IP pool 'mypool' range
    10.0.6.1-10.0.6.254 you could see if the rest all change along with it.

    Regards,

    Scott.
    \|/
    (o o)
    ---------------------oOOO--(_)--OOOo----------------------
    Out the 100Base-T, off the firewall, through the router, down
    the T1, over the leased line, off the bridge, nothing but Net.
    (Use ROT13 to see my email address)
    .oooO Oooo.
    ----------------------( )---( )-----------------------
    \ ( ) /
    \_) (_/

    scott enwright, Jan 9, 2004
    #5
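The pool move that Scott describes, written out as a complete set of PIX 6.3 commands. This is an added example, not the poster's configuration or anything from the thread; it assumes 10.0.6.0/24 is unused at that site and keeps the poster's object names (mypool, myvpn, inside_outbound_nat0_acl, outside_cryptomap_dyn_20). Two points a practitioner would want alongside it. First, `ip local pool` in PIX 6.3 takes only a start-end range and has no mask argument, so there is nothing in the PDM to set; the VPN client chooses its own adapter mask (the thread reports 255.0.0.0 for a 10.x address), and with no split tunnelling configured every packet goes through the tunnel regardless, so that mask stops mattering once the pool sits outside the LAN. Second, the deeper problem with a pool inside 10.0.5.0/24 is the return path: an inside host replying to 10.0.5.50 sees an address on its own subnet, ARPs for it on the LAN instead of forwarding to the PIX, gets no answer, and the client's packets arrive but nothing comes back. The posted ACLs are also inconsistent with each other: the pool (10.0.5.50-60) falls within 10.0.5.48/28, but the first nat 0 entry and the `pdm location` line reference 10.0.5.64/27, which does not contain it. Unrelated to the VPN fault but visible in the same config, `snmp-server community public` and telnet/HTTP management permitted from an outside address are worth tightening.

```cisco
! Added example, not the poster's configuration. Moves the VPN client pool
! out of the 10.0.5.0/24 LAN and makes every line that references the pool
! agree on the new range. 10.0.6.0/24 is an assumed, unused private range.

! 1. Detach the pool from the group, then remove the overlapping pool and the
!    stale entries that still point at 10.0.5.48/28 and 10.0.5.64/27 (both
!    inside the LAN subnet).
no vpngroup myvpn address-pool mypool
no ip local pool mypool 10.0.5.50-10.0.5.60
no access-list inside_outbound_nat0_acl permit ip 10.0.5.0 255.255.255.0 10.0.5.64 255.255.255.224
no access-list inside_outbound_nat0_acl permit ip any 10.0.5.48 255.255.255.240
no access-list outside_cryptomap_dyn_20 permit ip any 10.0.5.48 255.255.255.240
no pdm location 10.0.5.64 255.255.255.224 outside

! 2. New pool in its own subnet. PIX 6.3 'ip local pool' takes only a range;
!    there is no mask argument, which is why the PDM offers none.
ip local pool mypool 10.0.6.1-10.0.6.254

! 3. NAT exemption: LAN <-> pool traffic must not be translated to the
!    outside interface address by 'nat (inside) 1' / 'global (outside) 1'.
access-list inside_outbound_nat0_acl permit ip 10.0.5.0 255.255.255.0 10.0.6.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl

! 4. Crypto ACL on the dynamic map: traffic to the pool is what gets
!    protected by the client SA.
access-list outside_cryptomap_dyn_20 permit ip any 10.0.6.0 255.255.255.0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

! 5. Hand the pool back to the group. Inside hosts reach 10.0.6.0/24 via their
!    default gateway (the PIX inside address), so no static route is needed
!    on the PIX itself; the LAN is its connected 'inside' network.
vpngroup myvpn address-pool mypool
pdm location 10.0.6.0 255.255.255.0 outside

! Verify after a client connects: the 10.0.6.0 ACL entries should show hit
! counts, and the IPsec SA should show both #pkts decaps and #pkts encaps
! climbing. Decaps without encaps means the return path is still broken.
show access-list
show crypto ipsec sa
```

The same change can be made through the PDM (VPN > IP Pools plus the NAT exemption and crypto rules), but the point of doing it on the command line is that all four lines referencing the pool range have to move together; changing only the pool leaves the nat 0 and crypto ACLs pointing at the old 10.0.5.48/28 block and the tunnel will come up with no usable traffic, exactly the symptom in the original post.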