Cisco PIX 501 - VPNC connections blocked from internal lan to externalend-point

Hi,

Support question here.

I have a Cisco PIX 501 that won't let a VPNC connection past. It will
allow the client to authenticate with an end-point, but won't actually
pass the packets. I know this is the problem point, because I swapped
the PIX out with a off the shelf Asus router and it worked without a hitch.


Below is the version, configuration and the client VPNC configuration.
I wonder if some one would kindly run their eyes over it and point out
some VPN related mistakes:


SH VERSION
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Thu 04-Aug-05 21:40 by morlee

pixie up 2 mins 35 secs

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000e.847c.7e6d, irq 9
1: ethernet1: address is 000e.847c.7e6e, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 50
Throughput: Unlimited
IKE peers: 10

This PIX has a Restricted (R) license.

SH RUNNING
# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password REMOVED encrypted
passwd REMOVED encrypted
hostname REMOVED
domain-name REMOVED.co.uk
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out2in deny ip 192.168.0.0 255.255.0.0 any
access-list out2in deny ip 172.16.0.0 255.240.0.0 any
access-list out2in deny ip 10.0.0.0 255.0.0.0 any
access-list out2in deny ip 127.0.0.0 255.0.0.0 any
access-list out2in permit icmp any any echo-reply
access-list out2in permit icmp any any unreachable
access-list out2in permit icmp any any time-exceeded
pager lines 24
logging on
logging timestamp
logging console emergencies
logging monitor debugging
logging buffered debugging
logging history debugging
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.90.90.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name attack_policy attack action alarm drop reset
ip audit name info_policy info action alarm
ip audit interface outside info_policy
ip audit interface outside attack_policy
ip audit info action alarm
ip audit attack action alarm drop
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.90.90.0 255.255.255.0 0 0
access-group out2in in interface outside
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 217.127.2.161 source outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment chain 1 outside
telnet timeout 60
ssh 10.90.90.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.90.90.100-10.90.90.200 inside
dhcpd dns 10.90.80.1 4.2.2.3
dhcpd lease 28800
dhcpd ping_timeout 750
dhcpd domain blah.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

VPNC CLIENT PROFILE
# cat /etc/vpnc/tt.conf
IPSec gateway 62.12.12.12 # changed for obvious reasons
IPSec ID VTL-VPN
IPSec secret yadayadayada # changed for obvious reasons
IKE Authmode psk
Xauth username b-jones # changed for obvious reasons
#Xauth password
Domain ourad # changed for obvious reasons

 

Here are the logs on the PIX during the session set-up and an ICMP ping
to a known router on the other side of the VPN:


### VPNC sets up the connection : vpnc --dpd-idle 0 tt
302015: Built outbound UDP connection 40 for outside:62.12.12.12/500
(62.58.16.86/500) to inside:10.90.90.100/500 (10.90.80.105/3)
710005: UDP request discarded from 62.12.12.12/500 to outside:10.90.80.105/2

### PINGs are sent, and lost
305006: portmap translation creation failed for protocol 50 src
inside:10.90.90.100 dst outside:62.12.12.12
305006: portmap translation creation failed for protocol 50 src
inside:10.90.90.100 dst outside:62.12.12.12
305006: portmap translation creation failed for protocol 50 src
inside:10.90.90.100 dst outside:62.12.12.12
305006: portmap translation creation failed for protocol 50 src
inside:10.90.90.100 dst outside:62.12.12.12

 

It looks like the PIX is blocking ESP (IP protocol 50), which is
generally required in order for IPSec to work properly. You probably
need to enable NAT traversal on your IPSec client so that it can
encapsulate the traffic in TCP or UDP and help it work correctly with
NAT.

 

Thank-you very much - The problem solved.

Added *fixup protocol esp-ike* to the config,

Added *NAT Traversal Mode cisco-udp* to the VPNC config file.

All is well.

 

Thank-you very much - The problem solved.

Added *fixup protocol esp-ike* to the config,

Added *NAT Traversal Mode cisco-udp* to the VPNC config file.

All is well.