Cisco 515 VPN Traffic can not ping internal hosts

Discussion in 'Cisco' started by cpritcha, May 17, 2006.

  1. cpritcha

    cpritcha Guest

    I am trying to get clients running Cisco VPN software to connect to my
    internal network. Currently the clients can connect and authenticate OK
    but can't see anything on the inside network.

    PIX Version 6.3(1)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password Gn7cdoayw6QM/xoG encrypted
    passwd Gn7cdoayw6QM/xoG encrypted
    hostname PIX515e
    domain-name rockeagle
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 168.24.225.12 Relabserver
    name 168.24.225.19 Steve
    name 168.24.225.21 Tina
    name 168.24.225.20 Tandberg
    name 168.24.224.0 Rockeagle
    name 168.24.225.11 Userfiles
    name 168.24.225.18 Cory
    access-list outside_access_in remark FTP access to Userfiles
    access-list outside_access_in permit tcp any host Userfiles eq ftp
    access-list outside_access_in remark Full TCP access to Tandberg
    access-list outside_access_in permit tcp any host Tandberg
    access-list outside_access_in remark Full TCP access to Tandberg for h323
    access-list outside_access_in permit tcp any host Tandberg eq h323
    access-list outside_access_in remark Full UDP access to Tandberg
    access-list outside_access_in remark
    access-list outside_access_in permit udp any host Tandberg
    access-list outside_access_in remark Full http access to Userfiles
    access-list outside_access_in permit tcp any host Userfiles eq www
    access-list outside_access_in remark Full ftp access to Relabserver
    access-list outside_access_in permit tcp any host Relabserver eq ftp
    access-list outside_access_in remark WWW access to Relabserver
    access-list outside_access_in remark
    access-list outside_access_in permit tcp any host Relabserver eq www
    access-list outside_access_in remark Allow tcp traffic to Tandberg for range 5555 to 5599
    access-list outside_access_in remark
    access-list outside_access_in permit tcp any host Tandberg range 5555 5599
    access-list outside_access_in remark Allow tcp traffic to Tandberg for range 3230 to 3235
    access-list outside_access_in remark
    access-list outside_access_in permit tcp any host Tandberg range 3230 3235
    access-list outside_access_in remark Allow udp traffic to Tandberg for range 2325 to 2387
    access-list outside_access_in remark
    access-list outside_access_in permit udp any host Tandberg range 2325 2387
    access-list outside_access_in remark Allow udp traffic to Tandberg for range 3220 to 3247
    access-list outside_access_in remark
    access-list outside_access_in permit udp any host Tandberg range 3220 3247
    access-list outside_access_in remark FTP access to Tina
    access-list outside_access_in permit tcp any host Tina eq ftp
    access-list outside_access_in remark PPTP for VPN to RELABSERVER
    access-list outside_access_in permit tcp any host Relabserver eq pptp
    access-list outside_access_in remark GRE for VPN on RELABSERVER
    access-list outside_access_in permit tcp any host Relabserver eq 47
    access-list outside_access_in remark PCAnywhere access to Userfiles
    access-list outside_access_in permit tcp any host Userfiles eq pcanywhere-data
    access-list outside_access_in permit esp any any
    access-list outside_access_in permit gre any any
    access-list outside_access_in permit tcp any eq pptp host Relabserver
    access-list inside_outbound_nat0_acl permit ip any 168.24.224.240 255.255.255.240
    access-list outside_cryptomap_dyn_20 permit ip any 168.24.224.240 255.255.255.240
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 168.24.192.141 255.255.255.248
    ip address inside 168.24.224.1 255.255.254.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPN Cory
    ip local pool Steve Steve
    ip local pool VPNAdd 168.24.224.245-168.24.224.249
    failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside 168.24.192.142
    failover ip address inside 168.24.224.2
    pdm location Rockeagle 255.255.254.0 inside
    pdm location Userfiles 255.255.255.255 inside
    pdm location Relabserver 255.255.255.255 inside
    pdm location Cory 255.255.255.255 inside
    pdm location Steve 255.255.255.255 inside
    pdm location Tina 255.255.255.255 inside
    pdm location 168.24.225.0 255.255.255.0 inside
    pdm location Tandberg 255.255.255.255 inside
    pdm location 192.168.1.1 255.255.255.255 inside
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm location 72.152.146.187 255.255.255.255 outside
    pdm location 128.192.83.0 255.255.255.0 outside
    pdm location 168.24.224.240 255.255.255.240 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_outbound_nat0_acl
    static (inside,outside) Relabserver Relabserver netmask 255.255.255.255 0 0
    static (inside,outside) Rockeagle Rockeagle netmask 255.255.254.0 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 168.24.192.137 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server 132.163.4.101 source outside
    http server enable
    http 72.152.146.187 255.255.255.255 outside
    http 128.192.83.0 255.255.255.0 outside
    http Rockeagle 255.255.254.0 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community rockeagle
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup state address-pool VPNAdd
    vpngroup state dns-server Userfiles 128.192.110.221
    vpngroup state wins-server Userfiles 128.192.1.31
    vpngroup state default-domain rockeagle
    vpngroup state idle-time 1800
    vpngroup state password ********
    telnet 72.152.146.186 255.255.255.255 outside
    telnet Rockeagle 255.255.254.0 inside
    telnet timeout 5
    ssh 72.152.146.186 255.255.255.255 outside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn username a password *********
    vpdn username b password *********
    vpdn enable outside
    dhcprelay server Userfiles inside
    dhcprelay enable outside
    terminal width 80
    Cryptochecksum:1e38b95a71ebb4117009e37fdb1495e8
    : end
     
    cpritcha, May 17, 2006
    #1

  2. You should upgrade; there are known security problems in 6.3(1),
    6.3(3), and 6.3(5). You can get a free upgrade at least as far as
    6.3(4) even if you do not have a support contract.

    For the purpose of debugging this problem, we can ignore that ACL
    since you have sysopt connection permit-ipsec in effect.

    Okay, those are appropriate for the case where the VPN clients will
    have IPs in the range 168.24.224.240 -> .255.

    And there we hit the problem. In order for your nat0 and dyn_20 to work,
    your VPN clients have to have IPs in the 168.24.224 range, but that's
    the same range you have for your inside IPs. That isn't going to work:
    when the outgoing packets for those clients hit the inside interface,
    the PIX would see that they are destined to part of the inside interface
    IP range and would drop the packets.

    You do not use those two pools.

    You do not have pptp or l2tp defined so you might as well get rid of the
    latter two of those.

    It is unusual these days to use 3DES with MD5: there are known
    collision attacks on MD5 that reduce its theoretical security.

    As per above, 3DES + MD5 is unusual these days. If you are at 6.3(1)
    and you can use 3DES, your license also allows you to use AES
    (note: use group 5 for AES). You could put AES-128/SHA and 3DES/SHA
    as higher priority (lower policy numbers) than your 3DES/MD5, and
    thereby get the increased security for systems that support it while
    not affecting connections to any devices that don't support those two.

    As discussed above, your VPN address pool must not be part of the
    same IP range as your inside interface. Use one of the private IP ranges.

    You designate an external dns server, but your default domain is
    "rockeagle" instead of a qualified domain name. Will the external dns
    server know how to resolve "rockeagle" as a top-level domain?

    That can complicate matters: in order to use a management-access
    properly, you need a distinct tunnel with a different transport-mode.
    I don't know if the VPN client is able to negotiate those tunnels
    automatically.
     
    Walter Roberson, May 17, 2006
    #2
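    The overlap Walter describes (VPN pool addresses falling inside the 168.24.224.0/23 subnet of the inside interface) can be checked mechanically before a config is loaded. The following is an added example, written for this thread and not code from the poster or from Cisco; it parses a constructed excerpt that reuses the posted addressing and flags every "ip local pool" that lands in a directly connected interface subnet. The VPNfixed pool on 192.168.250.x is a constructed private-range pool included for contrast, and the parser only understands the name, ip address, and ip local pool line forms that appear in the posted config.

```python
import ipaddress
import re

# Constructed excerpt using the posted addressing (assumed): inside is
# 168.24.224.0/23; VPNfixed is a constructed private-range pool for contrast.
CONFIG = """\
name 168.24.225.19 Steve
name 168.24.225.18 Cory
ip address outside 168.24.192.141 255.255.255.248
ip address inside 168.24.224.1 255.255.254.0
ip local pool VPN Cory
ip local pool Steve Steve
ip local pool VPNAdd 168.24.224.245-168.24.224.249
ip local pool VPNfixed 192.168.250.1-192.168.250.14
"""

def parse_names(cfg):
    """'name <ip> <label>': the PIX shows labels in place of addresses."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r'^name (\S+) (\S+)$', cfg, re.M)}

def parse_interfaces(cfg):
    """{ifname: network} from 'ip address <if> <ip> <mask>' lines."""
    return {m.group(1): ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}").network
            for m in re.finditer(r'^ip address (\S+) (\S+) (\S+)$', cfg, re.M)}

def parse_pools(cfg, names):
    """{pool: (first, last)}; a pool is one named host or an a-b range."""
    pools = {}
    for m in re.finditer(r'^ip local pool (\S+) (\S+)$', cfg, re.M):
        first, _, last = m.group(2).partition('-')
        first = ipaddress.ip_address(names.get(first, first))
        last = ipaddress.ip_address(names.get(last, last)) if last else first
        pools[m.group(1)] = (first, last)
    return pools

def overlapping_pools(cfg):
    """{pool: interface} for each pool overlapping a connected subnet; such a
    pool makes the PIX treat client addresses as local and drop return traffic."""
    nets = parse_interfaces(cfg)
    clashes = {}
    for pool, (first, last) in parse_pools(cfg, parse_names(cfg)).items():
        for ifname, net in nets.items():
            # Two address ranges overlap when neither lies entirely beyond the other.
            if first <= net.broadcast_address and last >= net.network_address:
                clashes[pool] = ifname
    return clashes
```

    Running overlapping_pools(CONFIG) reports VPN, Steve and VPNAdd as clashing with the inside interface, which is exactly the situation the reply says will drop the packets; VPNfixed passes.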

  3. cpritcha

    cpritcha Guest

    Thanks for the info. I don't know very much about PIX firewalls and
    don't have a budget to hire a Cisco expert. What commands would you
    suggest to fix my problems?
     
    cpritcha, May 17, 2006
    #3
