Cisco PIX 501 - VPNC connections blocked from internal LAN to external end-point

Discussion in 'Cisco' started by ziikell101, Jun 26, 2010.

  1. ziikell101

    ziikell101 Guest

    Hi,

    Support question here.

    I have a Cisco PIX 501 that won't let a VPNC connection past. It will
    allow the client to authenticate with an end-point, but won't actually
    pass the packets. I know this is the problem point, because I swapped
    the PIX out with an off-the-shelf Asus router and it worked without a hitch.


    Below is the version, configuration and the client VPNC configuration.
    I wonder if someone would kindly run their eyes over it and point out
    some VPN-related mistakes:


    SH VERSION
    Cisco PIX Firewall Version 6.3(5)
    Cisco PIX Device Manager Version 3.0(1)

    Compiled on Thu 04-Aug-05 21:40 by morlee

    pixie up 2 mins 35 secs

    Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
    Flash E28F640J3 @ 0x3000000, 8MB
    BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

    0: ethernet0: address is 000e.847c.7e6d, irq 9
    1: ethernet1: address is 000e.847c.7e6e, irq 10
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    Maximum Physical Interfaces: 2
    Maximum Interfaces: 2
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: 50
    Throughput: Unlimited
    IKE peers: 10

    This PIX has a Restricted (R) license.

    SH RUNNING
    # sh run
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password REMOVED encrypted
    passwd REMOVED encrypted
    hostname REMOVED
    domain-name REMOVED.co.uk
    fixup protocol dns maximum-length 4096
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list out2in deny ip 192.168.0.0 255.255.0.0 any
    access-list out2in deny ip 172.16.0.0 255.240.0.0 any
    access-list out2in deny ip 10.0.0.0 255.0.0.0 any
    access-list out2in deny ip 127.0.0.0 255.0.0.0 any
    access-list out2in permit icmp any any echo-reply
    access-list out2in permit icmp any any unreachable
    access-list out2in permit icmp any any time-exceeded
    pager lines 24
    logging on
    logging timestamp
    logging console emergencies
    logging monitor debugging
    logging buffered debugging
    logging history debugging
    icmp permit any unreachable outside
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 10.90.90.1 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name attack_policy attack action alarm drop reset
    ip audit name info_policy info action alarm
    ip audit interface outside info_policy
    ip audit interface outside attack_policy
    ip audit info action alarm
    ip audit attack action alarm drop
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 10.90.90.0 255.255.255.0 0 0
    access-group out2in in interface outside
    timeout xlate 1:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    ntp server 217.127.2.161 source outside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    fragment chain 1 outside
    telnet timeout 60
    ssh 10.90.90.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    dhcpd address 10.90.90.100-10.90.90.200 inside
    dhcpd dns 10.90.80.1 4.2.2.3
    dhcpd lease 28800
    dhcpd ping_timeout 750
    dhcpd domain blah.local
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80

    VPNC CLIENT PROFILE
    # cat /etc/vpnc/tt.conf
    IPSec gateway 62.12.12.12 # changed for obvious reasons
    IPSec ID VTL-VPN
    IPSec secret yadayadayada # changed for obvious reasons
    IKE Authmode psk
    Xauth username b-jones # changed for obvious reasons
    #Xauth password
    Domain ourad # changed for obvious reasons
     
    ziikell101, Jun 26, 2010
    #1

  2. ziikell101

    ziikell101 Guest

    Here are the logs on the PIX during the session set-up and an ICMP ping
    to a known router on the other side of the VPN:


    ### VPNC sets up the connection : vpnc --dpd-idle 0 tt
    302015: Built outbound UDP connection 40 for outside:62.12.12.12/500
    (62.58.16.86/500) to inside:10.90.90.100/500 (10.90.80.105/3)
    710005: UDP request discarded from 62.12.12.12/500 to outside:10.90.80.105/2

    ### PINGs are sent, and lost
    305006: portmap translation creation failed for protocol 50 src
    inside:10.90.90.100 dst outside:62.12.12.12
    305006: portmap translation creation failed for protocol 50 src
    inside:10.90.90.100 dst outside:62.12.12.12
    305006: portmap translation creation failed for protocol 50 src
    inside:10.90.90.100 dst outside:62.12.12.12
    305006: portmap translation creation failed for protocol 50 src
    inside:10.90.90.100 dst outside:62.12.12.12
     
    ziikell101, Jun 26, 2010
    #2

  3. Scott Lowe

    Scott Lowe Guest


    It looks like the PIX is blocking ESP (IP protocol 50), which is
    generally required in order for IPSec to work properly. You probably
    need to enable NAT traversal on your IPSec client so that it can
    encapsulate the traffic in TCP or UDP and help it work correctly with
    NAT.
     
    Scott Lowe, Jun 27, 2010
    #3
  4. ziikell101

    ziikell101 Guest

    Thank you very much - the problem is solved.

    Added *fixup protocol esp-ike* to the config,

    Added *NAT Traversal Mode cisco-udp* to the VPNC config file.

    All is well.
     
    ziikell101, Jun 27, 2010
    #4
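The log pattern in this thread (IKE on UDP/500 builds a connection, then every ESP packet fails with 305006 because PAT has no port to map) is easy to spot automatically. The script below is an added example, not code from the thread or from Cisco; it runs over a constructed sample modelled on the syslog lines posted above (the 302015 line joined onto one line, plus an extra AH/protocol-51 line to show the generalisation) and reports each inside host whose ESP or AH traffic is being dropped, with the remedy the thread settled on.

```python
import re
from collections import Counter

# Constructed sample, modelled on the PIX 6.3 syslog lines quoted in the thread
# (the 302015 line is joined onto one line; the protocol-51 line is added).
SAMPLE_LOG = """\
302015: Built outbound UDP connection 40 for outside:62.12.12.12/500 (62.58.16.86/500) to inside:10.90.90.100/500 (10.90.80.105/3)
710005: UDP request discarded from 62.12.12.12/500 to outside:10.90.80.105/2
305006: portmap translation creation failed for protocol 50 src inside:10.90.90.100 dst outside:62.12.12.12
305006: portmap translation creation failed for protocol 50 src inside:10.90.90.100 dst outside:62.12.12.12
305006: portmap translation creation failed for protocol 51 src inside:10.90.90.101 dst outside:62.12.12.12
"""

# 302015 on UDP/500: IKE itself got a PAT entry and reached the peer.
IKE_BUILT = re.compile(
    r"^302015: Built outbound UDP connection \d+ for \w+:(?P<peer>[\d.]+)/500 ")
# 305006: the PIX tried to build a PAT ("portmap") entry and could not. For
# ESP (50) and AH (51) there is no port to map, so every data packet is dropped.
PORTMAP_FAIL = re.compile(
    r"^305006: portmap translation creation failed for protocol (?P<proto>\d+) "
    r"src \w+:(?P<src>[\d.]+) dst \w+:(?P<dst>[\d.]+)")
PORTLESS = {50: "ESP", 51: "AH"}

def find_ipsec_pat_failures(log_text):
    """One finding per (inside host, peer, protocol) whose ESP/AH packets failed
    PAT, with the drop count and whether IKE to that peer was seen succeeding."""
    ike_peers = set()
    drops = Counter()
    for line in log_text.splitlines():
        m = IKE_BUILT.match(line)
        if m:
            ike_peers.add(m["peer"])
            continue
        m = PORTMAP_FAIL.match(line)
        if m and int(m["proto"]) in PORTLESS:
            drops[(m["src"], m["dst"], int(m["proto"]))] += 1
    findings = []
    for (src, peer, proto), n in sorted(drops.items()):
        findings.append({
            "inside_host": src, "peer": peer, "protocol": PORTLESS[proto],
            "dropped": n, "ike_seen": peer in ike_peers,
            # Same pattern as the thread: phase 1 works, data never flows.
            "advice": "enable NAT-T on the client (vpnc 'NAT Traversal Mode') "
                      "or 'fixup protocol esp-ike' on the PIX",
        })
    return findings
```

Run `find_ipsec_pat_failures(SAMPLE_LOG)` to get the findings; a host with `ike_seen` true and a non-zero `dropped` count is exactly the symptom described in post #1.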
