PIX 501 not sending data into ipsec tunnel? (can't find solution in groups)

Discussion in 'Cisco' started by lowlife123, Feb 20, 2006.

  1. lowlife123

    lowlife123 Guest

    Hi all of you,

    I know this question has been posted in the past; I've read
    all/most of them :). I've been searching the groups and the Cisco site for
    days but can't figure this one out, so if someone could help, that would
    be great, because I'm going nuts over this PIX...

    This is the setup

    comp with cisco vpn client <-> internet <-> pix 501 <-> 172.16.1.0/24
    net

    vpn client is version 4.6, pix is version 6.3(4)

    The pix has a public ip (it's on our colocation) and is directly
    connected to a router.

    I am able to connect to the PIX with the VPN client, but when I ping a
    machine in the 172.16.1.x net it fails.
    The Internet connection is still up and running when connected to the VPN
    (because of the split tunnel).

    When I turn on ICMP trace debugging I see the packets coming from the
    comp and returning from the machine in the 172.16.1 range, but the
    replies don't seem to go 'back into the tunnel'. As you can see below,
    the local IP pool is excluded from NAT.

    I've debugged all I can think of, but it seems like some kind of routing
    issue where the PIX drops the echo replies coming from 172.16.1.10 to
    192.168.1.100.

    Does anybody have any ideas? Is there something missing in the config?
    I've set up a lot of 836/837s with VPN, but you don't need to create a
    specific route there...

    Thanks for your help


    Building configuration...
    : Saved
    :
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 100 permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside [PUBLIC IP] 255.255.255.0
    ip address inside 172.16.1.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool mypool 192.168.100.100-192.168.100.200
    pdm history enable
    arp timeout 14400
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 [PUBLIC ROUTER] 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 100 set transform-set myset
    crypto map newmap 200 ipsec-isakmp dynamic dynmap
    crypto map newmap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 200 authentication pre-share
    isakmp policy 200 encryption 3des
    isakmp policy 200 hash md5
    isakmp policy 200 group 2
    isakmp policy 200 lifetime 86400
    vpngroup test address-pool mypool
    vpngroup test default-domain test-domain
    vpngroup test split-tunnel 100
    vpngroup test idle-time 1800
    vpngroup test password ********
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:d7bfa50e8e18401ba0b1720a3ca3411d
    : end
     
    lowlife123, Feb 20, 2006
    #1

  2. Never use the same ACL for two different purposes. Here you are
    using it for nat 0 access-list and also for split-tunnel .
     
    Walter Roberson, Feb 20, 2006
    #2

  3. lowlife123

    lowlife123 Guest

    Thanks for your reply. I've created a new access list:

    access-list 100 permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list vpnsplit permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    nat (inside) 0 access-list 100
    vpngroup test split-tunnel vpnsplit

    but it makes no difference, still no data. Is the access list itself
    good? A misconfigured access list could be a logical explanation.

    I also tried :

    access-list vpnsplit permit ip 172.16.1.0 255.255.255.0 any

    but that made no difference; can't ping the host, can't connect to the
    host.

    Have you got any other tips?
     
    lowlife123, Feb 20, 2006
    #3
  4. Merv

    Merv Guest

    Merv, Feb 20, 2006
    #4
  5. Where is your global 1?

    Add the command: isakmp nat-t
    This enables clients behind NAT to pass traffic.
    I believe this to be your problem.
    Does your SHOW VER list the 3DES license?
     
    Martin Bilgrav, Feb 21, 2006
    #5
  6. lowlife123

    lowlife123 Guest

    Thanks for your reply. The ping isn't the only thing that doesn't work;
    a 'simple' telnet doesn't work either. I've tried the stuff listed in the
    Cisco document you gave me, but that doesn't help. Just as a temp.
    solution I've created a static link between the Cisco device behind the
    NAT I want to reach and ACL-ed that one. That works fine so it is some
    kind of networking problem.

    The other thing is I've enabled 'sysopt connection permit-ipsec', which
    (correct me if I'm wrong :) means that no ACLs are applied to the
    traffic going into the tunnel.

    I'm going really nuts over this PIX....
     
    lowlife123, Feb 21, 2006
    #6
  7. lowlife123

    lowlife123 Guest

    Sorry, made a typo/missed some words (need more sleep :)

    "Just as a temp. solution I've created a static link between the Cisco
    device behind the NAT I want to reach and ACL-ed that one. That works
    fine so it is some kind of networking problem."

    should be

    "Just as a temp. solution I've created a static link between the Cisco
    device behind the PIX and the outside interface of the PIX and ACL-ed
    that one.

    That works fine so it is NOT some kind of networking problem."
     
    lowlife123, Feb 21, 2006
    #7
  9. lowlife123

    lowlife123 Guest

    Thanks for your reply.

    I've tried both your suggestions, but no luck. Isn't NAT traversal used
    to pass IPsec packets over a NAT connection? The PIX doesn't NAT the
    packets coming from the local net (hence the 'nat inside 0...' line),
    so this shouldn't have any effect, should it?

    I also tried another suggestion I got in the mail: selecting an IP pool
    within the local net instead of a completely different range, but no luck
    either.

    3DES enc. is there:

    VPN-DES: Enabled
    VPN-3DES-AES: Enabled

    I've configured a lot of Cisco (VPN) devices, but this one is really
    starting to drive me nuts. How difficult can it be to set up a VPN
    connection with a PIX? :'(

    I hope someone else has some more suggestions.
     
    lowlife123, Feb 22, 2006
    #9
  10. lowlife123

    lowlife123 Guest

    Hi everybody, I got the PIX working and wanted to share the answer with
    you.

    I'm pretty sure the answer is that the PIX by default blocks the VPN
    traffic on the outside interface (at least my PIX does), and creating an
    access-list which permits the traffic between the local net and the
    IP pool solved the problem.

    Below is a working config where 172.16.1.0 255.255.255.0 is the local net
    behind the PIX and 192.168.100.10-192.168.100.20 is the VPN pool. This
    example works with Cisco VPN client 4.x from WinXP to the PIX. I am
    able to ping a device behind the PIX (just make sure this device has
    the PIX as default gateway, because the packets will originate from a
    192.168.100 address and thus it needs to send the replies to its
    default router, OR use an IP pool from the same subnet), and I am able
    to telnet to this specific Cisco device behind the PIX :)

    Note: this is just a basic setup; you would want to create more
    security with trimmed-down access-lists, extra authentication, etc.

    ---
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list vpn_no_nat permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list vpn_split_tunnel permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list vpn_allow_traffic permit icmp 192.168.100.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list vpn_allow_traffic permit icmp 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list vpn_allow_traffic permit ip 192.168.100.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list vpn_allow_traffic permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside [YOUR PUBLIC IP HERE] 255.255.255.0
    ip address inside 172.16.1.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.100.10-192.168.100.20
    pdm history enable
    arp timeout 14400
    nat (inside) 0 access-list vpn_no_nat
    access-group vpn_allow_traffic in interface outside
    route outside 0.0.0.0 0.0.0.0 [YOUR PUBLIC ROUTER HERE] 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set vpnset
    crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap
    crypto map remote_vpn client configuration address initiate
    crypto map remote_vpn client configuration address respond
    crypto map remote_vpn interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpnclient address-pool ippool
    vpngroup vpnclient split-tunnel vpn_split_tunnel
    vpngroup vpnclient idle-time 1800
    vpngroup vpnclient password ********
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:9859044fd9723646b435be5c883b124e
    : end
    ---
     
    lowlife123, Feb 25, 2006
    #10
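The points this thread converged on (Walter's "never reuse one ACL for nat 0 and split-tunnel", Martin's "where is your global 1?", and the final working config in post #10 that permits pool-to-inside traffic on the outside interface) can be turned into a mechanical check. The Python below is an added example, not code from the thread or from Cisco: it parses the handful of PIX 6.3 statements involved and flags (1) an ACL serving as both the nat 0 exemption list and a split-tunnel list, (2) a dynamic `nat (inside) N` with no matching `global`, (3) an inside net to pool range that is not exempted from NAT, and (4) no `sysopt connection permit-ipsec` together with no outside ACL permitting the pool to the inside net. The two embedded configs are constructed, abridged versions of posts #1 and #10 (unwrapped, only the relevant lines); the interface names, the `inside`/`outside` defaults and the finding names are assumptions of this example.

```python
"""Lint a PIX 6.3-style config for the remote-access VPN mistakes raised in this
thread.  Added example, not code from the thread or from Cisco.  Assumptions: unwrapped
config lines, interfaces named inside/outside, ACL entries 'permit <proto> <net> <mask>
<net> <mask>' (or 'any' for either side)."""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) permit (\w+) (any|\S+ \S+) (any|\S+ \S+)")

def _net(spec):  # 'any' or 'addr mask' -> ip_network, host bits masked off
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_pix(text):
    """Collect only the statements the checks need; everything else is ignored."""
    cfg = {"acls": {}, "nat": {}, "globals": set(), "split": {}, "pools": {},
           "pool_of_group": {}, "access_group": {}, "if_net": {}, "sysopt": False}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ACL_RE.match(line):
            cfg["acls"].setdefault(m[1], []).append((m[2], _net(m[3]), _net(m[4])))
        elif m := re.match(r"^nat \((\S+)\) 0 access-list (\S+)$", line):
            cfg["nat"][(m[1], 0)] = m[2]           # NAT exemption list
        elif m := re.match(r"^nat \((\S+)\) (\d+) ", line):
            cfg["nat"][(m[1], int(m[2]))] = None   # dynamic NAT id, needs a global
        elif m := re.match(r"^global \(\S+\) (\d+) ", line):
            cfg["globals"].add(int(m[1]))
        elif m := re.match(r"^vpngroup (\S+) split-tunnel (\S+)$", line):
            cfg["split"][m[1]] = m[2]
        elif m := re.match(r"^vpngroup (\S+) address-pool (\S+)$", line):
            cfg["pool_of_group"][m[1]] = m[2]
        elif m := re.match(r"^ip local pool (\S+) (\S+)-(\S+)$", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"^ip address (\S+) (\S+ \S+)$", line):
            cfg["if_net"][m[1]] = _net(m[2])
        elif m := re.match(r"^access-group (\S+) in interface (\S+)$", line):
            cfg["access_group"][m[2]] = m[1]
        elif line == "sysopt connection permit-ipsec":
            cfg["sysopt"] = True
    return cfg

def lint(cfg, inside_if="inside", outside_if="outside"):
    """Return finding strings of the form 'check-name: detail'; [] means clean."""
    findings = []
    inside_net = cfg["if_net"][inside_if]
    exempt = cfg["nat"].get((inside_if, 0))
    exempt_acl = cfg["acls"].get(exempt, [])
    outside_acl = cfg["acls"].get(cfg["access_group"].get(outside_if), [])
    # 1. Walter's point: one ACL used as both the nat 0 list and a split-tunnel list.
    for group, acl in cfg["split"].items():
        if acl == exempt:
            findings.append(f"acl-reuse: {acl} is both the nat 0 list and the split-tunnel list of vpngroup {group}")
    # 2. Martin's point: a dynamic NAT id with no matching global.
    for iface, nat_id in cfg["nat"]:
        if nat_id and nat_id not in cfg["globals"]:
            findings.append(f"nat-without-global: nat ({iface}) {nat_id} has no global ({outside_if}) {nat_id}")
    for group, pool in cfg["pool_of_group"].items():
        first, last = cfg["pools"][pool]
        def covers(net):  # the whole pool range lies inside net
            return first in net and last in net
        # 3. Replies from the inside net to pool addresses must bypass NAT.
        if not any(p == "ip" and inside_net.subnet_of(s) and covers(d) for p, s, d in exempt_acl):
            findings.append(f"no-nat-exemption: {inside_net} -> pool {pool} is not exempted from NAT")
        # 4. The thread's final fix: decrypted client traffic arrives on the outside
        #    interface and must be permitted there, by sysopt or by the interface ACL.
        if not cfg["sysopt"] and not any(
                p == "ip" and covers(s) and inside_net.subnet_of(d) for p, s, d in outside_acl):
            findings.append(f"vpn-traffic-blocked: no 'sysopt connection permit-ipsec' and "
                            f"no {outside_if} ACL permits pool {pool} -> {inside_net}")
    return findings

# Constructed, abridged versions of the configs in posts #1 and #10 (unwrapped, relevant lines only).
POSTED_CONFIG = """\
access-list 100 permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
ip address inside 172.16.1.2 255.255.255.0
ip local pool mypool 192.168.100.100-192.168.100.200
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
sysopt connection permit-ipsec
vpngroup test address-pool mypool
vpngroup test split-tunnel 100
"""
WORKING_CONFIG = """\
access-list vpn_no_nat permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpn_split_tunnel permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpn_allow_traffic permit ip 192.168.100.0 255.255.255.0 172.16.1.0 255.255.255.0
ip address inside 172.16.1.2 255.255.255.0
ip local pool ippool 192.168.100.10-192.168.100.20
nat (inside) 0 access-list vpn_no_nat
access-group vpn_allow_traffic in interface outside
vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel vpn_split_tunnel
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("working", WORKING_CONFIG)):
        print(name, lint(parse_pix(text)) or ["clean"])
```

Run against the post #1 config the linter reports the ACL reuse and the `nat (inside) 1` without a `global`; the post #10 config comes back clean, and deleting its `access-group` line (with `sysopt connection permit-ipsec` still absent) is exactly the state that produces the `vpn-traffic-blocked` finding. Check 4 accepts either mechanism because both let decrypted client traffic through the outside interface; which one to use is a policy choice, and an explicit ACL is the more restrictive of the two.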
