Why does my 506 keeps deny vpn-connections.

Discussion in 'Cisco' started by helverlarsen@gmail.com, Mar 27, 2006.

  1. Guest

    Hi
    I am kind of new to Cisco and PIX´s. So I have the following problem.
    The vpn-clients cannot connect. According to the log is because the ACL
    "adgang".

    What is wrong with the following config.

    Hope that there is help out here.

    Yours
    Erik

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_outbound_nat0_acl permit ip any 192.168.3.96
    255.255.255.240
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.3.96
    255.255.255.240
    access-list outside_cryptomap_dyn_40 permit ip any 192.168.3.96
    255.255.255.240
    access-list adgang permit icmp any any
    access-list adgang permit tcp any host 62.60.14.70 eq smtp
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 62.60.14.70 255.255.255.240
    ip address inside 192.168.3.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 192.168.3.100-192.168.3.110
    pdm location 192.168.3.5 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 62.60.14.70 192.168.3.5 netmask 255.255.255.255
    0 0
    access-group adgang in interface outside
    route outside 0.0.0.0 0.0.0.0 62.60.14.65 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.3.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address
    outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address
    outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup aam address-pool vpnpool
    vpngroup aam dns-server 192.168.3.5
    vpngroup aam idle-time 1800
    vpngroup aam password ********
    telnet 192.168.3.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.3.2-192.168.3.254 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username eriklarsen password qE.UgiY71n5gFZpU encrypted privilege 15
    terminal width 80
    Cryptochecksum:a2ba207bd73bb6944b63227ed4160f71
    : end
    , Mar 27, 2006
    #1
    1. Advertising

  2. In article <>,
    <> wrote:
    >I am kind of new to Cisco and PIX´s. So I have the following problem.
    >The vpn-clients cannot connect. According to the log is because the ACL
    >"adgang".


    >PIX Version 6.3(5)


    >access-list adgang permit icmp any any


    That line would allow the VPN clients to send icmp.

    >ip address outside 62.60.14.70 255.255.255.240


    >access-list adgang permit tcp any host 62.60.14.70 eq smtp


    That line won't work. When the ip address named in an ACL is the
    IP address of an interface, instead of using 'host' followed
    by the IP, you need to use 'interface' followed by the interface name.

    access-list adgang permit tcp any interface outside eq smtp

    >sysopt connection permit-ipsec


    That line says that the interface ACL should be ignored for all
    IPSec packets, so that adgang ACL should not even be touched --
    not unless the packets aren't going throug the VPN for some
    reason.

    >static (inside,outside) 62.60.14.70 192.168.3.5 netmask 255.255.255.255 0 0


    That won't work either. When an interface address appears in
    a static statement, you need to use the keyword 'interface' instead
    of the address:

    static (inside,outside) interface 192.168.3.5 netmask 255.255.255.255 0 0

    But then there is the additional problem that you cannot
    static the entire outside interface IP to an inside IP: you can
    static a public IP *other* than the interface IP:

    static (inside,outside) 62.60.14.71 192.168.3.5 netmask 255.255.255.255 0 0

    or you can static by port:

    static (inside,outside) tcp interface smtp 192.168.3.5 smtp netmask 255.255.255.255 0 0

    >ip local pool vpnpool 192.168.3.100-192.168.3.110


    Your ip pool must not be in the same subnet as your inside addresses,
    or else the PIX will not be able to route the packets back
    to the VPN properly. Fixing this will require changes to several
    other statements.

    >crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20


    >crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40


    Those two ACLs have the same content, so the policy 40 entry is
    redundant.

    >vpngroup aam address-pool vpnpool


    >dhcpd address 192.168.3.2-192.168.3.254 inside


    And notice you overlapped the dhcp pool with the vpn address pool.
    That's not going to matter once you fix the vpn address pool.

    But also notice that you overlapped your dhcp pool with the IP of
    your server 192.168.3.5 . That's going to require fixing the
    dhcpd pool.
    Walter Roberson, Mar 28, 2006
    #2
    1. Advertising

  3. Guest

    Hi Walter

    I am getting there. Thanks for your quick help.

    There only one remaining problem. Port 25 is not open for inbound mail,
    and I can´t figurer out why.

    Could you give me some advise.
    The new config is as follows:

    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_outbound_nat0_acl permit ip any 192.168.30.0
    255.255.255.192
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.30.0
    255.255.255.192
    access-list adgang permit tcp any interface outside eq smtp
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 62.60.14.70 255.255.255.240
    ip address inside 192.168.3.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool aam 192.168.30.1-192.168.30.50
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface smtp 192.168.3.5 smtp netmask
    255.255.255.255 0 0
    route outside 0.0.0.0 0.0.0.0 80.160.214.65 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.3.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address
    outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup aam address-pool aam
    vpngroup aam dns-server 192.168.3.5 192.168.3.6
    vpngroup aam wins-server 192.168.3.5 192.168.3.6
    vpngroup aam default-domain aa-m
    vpngroup aam idle-time 1800
    vpngroup aam password ********
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.3.2-192.168.3.254 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    username eriklarsen password 4OeqnkNPba5Vjnga encrypted privilege 15
    terminal width 80
    Cryptochecksum:ecfd64bf36d2c96afe0d253abe516f4e
    : end
    , Mar 28, 2006
    #3
  4. In article <>,
    <> wrote:
    >There only one remaining problem. Port 25 is not open for inbound mail,
    >and I can´t figurer out why.


    >PIX Version 6.3(5)


    >static (inside,outside) tcp interface smtp 192.168.3.5 smtp netmask 255.255.255.255 0 0


    >dhcpd address 192.168.3.2-192.168.3.254 inside


    You still have the overlap in the dhcp pool -- notice that it
    includes 192.168.3.5 [your server] in the IP range. That could result
    in two hosts ending up with the same IP address.

    Once you fix that, I suggest you turn on logging and see what
    message is produced when you try the connection.

    logging on
    logging timestamp
    logging buffered debugging

    Once that is configured, "show log" to see the last 10 or so
    messages.

    Once you have resolved the issue, you will probably want to
    change "logging buffered" from "debugging" to "notifications"
    so that only more important messages are recorded into the
    in-memory log. It would be a good idea, though, to

    logging trap debugging
    logging host inside 192.168.3.SOMETHING

    and set up a syslog server on 192.168.3.SOMETHING .
    If you don't have a handy Unix host, then the Windows "Kiwi"
    syslog server is okay in the free version and supposedly
    fairly good in the paid version.
    Walter Roberson, Mar 28, 2006
    #4
  5. Guest

    Hi again

    Walter, the syslog server gives the following line:

    03-29-2006 19:43:39 Local4.Critical 192.168.3.1 %PIX-2-106001: Inbound
    TCP connection denied from 62.60.14.78/61510 to 62.60.14.70/25 flags
    SYN on interface outside

    And the PDM complains about not being able to understand the following
    line:

    access-list adgang permit tcp any interface outside eq smtp

    So, it seems that the problem is the access-list.

    A inside telnet on port 25 gives a normal reply from the mail-server.

    ???
    , Mar 29, 2006
    #5
  6. In article <>,
    <> wrote:
    >Walter, the syslog server gives the following line:


    >03-29-2006 19:43:39 Local4.Critical 192.168.3.1 %PIX-2-106001: Inbound TCP connection denied from 62.60.14.78/61510 to 62.60.14.70/25 flags SYN on interface outside


    Ah, somewhere along the way a line got dropped:

    access-group adgang in interface outside
    Walter Roberson, Mar 29, 2006
    #6
  7. Guest

    yeps, that´s it.

    Thank you so much for your help, walter
    , Apr 1, 2006
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Indigo Moon Man

    Why does Mozilla need so many connections?

    Indigo Moon Man, Oct 6, 2003, in forum: Firefox
    Replies:
    5
    Views:
    2,298
    Night_Seer
    Oct 7, 2003
  2. Elise
    Replies:
    6
    Views:
    796
    John Rennie
    May 22, 2004
  3. DataSquid
    Replies:
    1
    Views:
    1,187
    DataSquid
    Jun 17, 2005
  4. Replies:
    1
    Views:
    3,820
    Martin Bilgrav
    Dec 2, 2006
  5. j1344
    Replies:
    0
    Views:
    867
    j1344
    Jul 23, 2009
Loading...

Share This Page