PIX 501 to 1760 VPN allowing one way traffic only

Discussion in 'Cisco' started by Paul, Dec 6, 2004.

  1. Paul

    Paul Guest

    Having a few issues connecting a PIX 501 to a Cisco 1760. The 1760 has
    been configured as a VPN server and has for months been working fine
    for remote users with the Cisco VPN Client software. I'm trying to get
    a "site to site" VPN working and have run into a brick wall. I'll paste
    the PIX and 1760 configs below. The network behind the 1760 is
    10.10.10.x and the PIX dhcpd is giving out IPs in the 192.168.100.x

    The tunnel "seems" ok as I can ping between sites and can map drives on
    machines behind the PIX from a host behind the 1760 - I can even VNC
    into a host behind the PIX from one behind the 1760. I can't, however,
    initiate anything from any host behind the PIX.

    Does anyone have any ideas?

    PIX config:
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxx encrypted
    passwd xxxxx encrypted
    hostname pixfirewall
    domain-name xxxxx
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    pager lines 24
    logging timestamp
    logging trap debugging
    logging host inside
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.x.x x.x.x.x
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    arp timeout 14400
    route outside x.x.x.x (1760 public ip) 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd option 150 ip
    dhcpd enable inside
    vpnclient server x.x.x.x (1760 public ip)
    vpnclient mode network-extension-mode
    vpnclient vpngroup xxxxx password xxxxx
    vpnclient username xxxxx password xxxxx
    vpnclient enable
    terminal width 80

    1760 Config:
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname xxxx
    enable password xxxx
    username xxxx password 0 xxxx

    aaa new-model
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common
    ip subnet-zero
    ip domain name xxxx
    ip cef
    ip audit notify log
    ip audit po max-events 100
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    no voice hpi capture buffer
    no voice hpi capture destination
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group xxxx
    key 0 xxxx
    domain xxxx
    pool xxxx
    crypto isakmp client configuration group xxxx
    key 0 xxxx
    domain xxxx
    pool xxxx
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10
    set transform-set myset
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface FastEthernet0/0
    ip address x.x.x.x (outside 1700 interface)
    ip nat outside
    speed auto
    crypto map clientmap
    interface FastEthernet0/1
    no ip address
    interface FastEthernet0/2
    no ip address
    interface FastEthernet0/3
    no ip address
    interface FastEthernet0/4
    no ip address
    interface Vlan1
    ip address
    ip nat inside
    ip policy route-map nonat
    ip local pool ippool
    ip local pool IPPOOL1
    ip default-gateway x.x.x.x
    ip nat inside source list 120 interface FastEthernet0/0 overload

    (snip a lot of static routes that aren't connected with this)

    ip classless
    ip route x.x.x.x (gateway)
    no ip http server
    no ip http secure-server
    ip access-list extended addr-pool
    ip access-list extended default-domain
    ip access-list extended firewall
    ip access-list extended idletime
    ip access-list extended include-local-lan
    ip access-list extended key-exchange
    ip access-list extended protocol
    ip access-list extended save-password
    ip access-list extended service
    ip access-list extended timeout
    ip access-list extended tunnel-password
    access-list 10 permit
    access-list 11 permit
    access-list 120 deny ip
    access-list 120 permit ip any
    snmp-server community public RO 10
    snmp-server enable traps tty
    line con 0
    line aux 0
    line vty 0 4
    password xxxx
    transport input ssh
    Paul, Dec 6, 2004
    1. Advertisements

  2. :Having a few issues connecting a PIX 501 to a Cisco 1760. The 1760 has
    :been configured as a VPN server and has for months been working fine
    :for remote users with the Cisco VPN Client software. I'm trying to get
    :a "site to site" VPN working and have run into a brick wall.

    Although you should in theory be able to get your approach to work,
    I would suggest that you would be better off using the full
    crypto map approach on the 501 instead of relying on vpnclient
    with network-extension mode. If you use the full crypto map setup,

    The problem you are having sounds similar to what would happen if
    the [automatically generated] access lists were not symmetric.
    Configuring a crypto map on the 501 would allow you to give the ACL
    explicitly, and the crypto dynamic map on the 1760 should then
    automatically "mirror" that. There's a bit more certainty in that
    approach, rather than counting on the EzVPN software to be sure
    to negotiate the right ACLs with the right netmasks.

    In particular, you indicate that the 1760 is running with a 10.10.10.x
    network, by which I take it you mean 10.10.10/24. For all PIX
    before PIX 6.3(4), the exchanged ACLs may be "classful" -- i.e.,
    that the PIX would assume that the 10.10.10.x IP it gets from the
    other end should be a Class A address in the 10/8 network. That's going
    to lead to ARPs to the wrong place and so on. 6.3(4) offers some
    control over the netmask used; I notice you are running 6.3(1).

    Speaking of 6.3(1), that version has some security holes in it,
    and 6.3(2) had a nasty bug in it, and 6.3(3) had a security hole
    as well, so you should upgrade to 6.3(4). The update from 6.3(1)
    to 6.3(4) is free even if you do not have a support contract;
    for more information, google cisco.com for "PIX Security Advisory"
    and look through the first one or two of those for information on
    how to qualify for the update.
    Walter Roberson, Dec 6, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.