PIX 501 :VPN client traffic does not pass down VPN tunnel to remote subnet..

Dear All,

I have two identical PIX 501 6.3(3) units that operate a VPN Tunnel between
two sites, Paris (192.168.1.0) and Berlin (192.168.2.0). The tunnel is fine
and works like a charm. Any device on the 1.0 subnet can ping any device on
the 2.0 subnet and vice-versa.

My problem is VPN clients that connect in to the 'primary' VPN in Paris. You
can connect, that works, you get an IP address from the Paris VPN pool
(192.168.254.240/), say 192.168.254.241, auth works, you can ping devices on
the Paris subnet (192.168.1.0) but you can't ping devices on the Berlin
subnet.

I have had a look at a similar post not so long ago but couldn't quite crack
it. I am sure it is either the ACL for sending 'interesting' traffic from
the vpn clinet down the tunnel to Berlin is wrong, or the routing
information for the VPN pool is wrong, or the subnet for the VPN pool should
be on a byte border and not 255.255.255.248, I just don't know. The
configurations for the firewalls follow with all the ususal changes.. All
comments and help are really genuinely appreciated. Anyone with PIX
experience will just look at this blurt out the answer!

Please start blurting!

Thanks in advance,

Regards,

Tim

Here's Paris' config.. followed by Berlin..

----------------------------------------------------
Result of firewall command show running-config

Saved

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************ encrypted
passwd ************ encrypted
hostname paris_firewall
domain-name mydomain.tld
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 200 last Sun Oct 300
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 213.173.176.148 www_smtp
name 192.168.1.10 paris_server
name 192.168.1.0 paris_network
name 192.168.2.0 berlin_network
name 192.168.254.240 PPTP_Pool
access-list inside_outbound_nat0_acl permit ip any PPTP_Pool 255.255.255.248
access-list inside_outbound_nat0_acl permit ip paris_network 255.255.255.0
berlin_network 255.255.255.0
access-list outside_access_in permit tcp any host www_smtp eq https
access-list outside_access_in permit tcp any host www_smtp eq smtp
access-list outside_cryptomap_20 permit ip paris_network 255.255.255.0
berlin_network 255.255.255.0
pager lines 24
logging on
logging buffered notifications
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside aaa.bbb.ccc.ddd 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool PPTP_Pool 192.168.254.241-192.168.254.246
pdm location paris_server 255.255.255.255 inside
pdm location PPTP_Pool 255.255.255.248 outside
pdm location www_smtp 255.255.255.255 outside
pdm location berlin_network 255.255.255.0 outside
pdm location berlin_network 255.255.255.0 inside
pdm location 192.168.254.0 255.255.255.0 inside
pdm location PPTP_Pool 255.255.255.248 inside
pdm logging notifications 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) www_smtp paris_server netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 www.xxx.yyy.zzz 1
timeout xlate 00500
timeout conn 10000 half-closed 01000 udp 00200 rpc 01000 h225 10000
timeout h323 00500 mgcp 00500 sip 03000 sip_media 00200
timeout uauth 00500 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host paris_server ********* timeout 10
aaa-server LOCAL protocol local
ntp server 194.42.48.120 source outside
ntp server paris_server source inside prefer
http server enable
http paris_network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer eee.fff.ggg.hhh.iii
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key address eee.fff.ggg.hhh.iii netmask 255.255.255.255 no-xauth
no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet paris_network 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 10
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local PPTP_Pool
vpdn group PPTP-VPDN-GROUP client configuration dns paris_server
vpdn group PPTP-VPDN-GROUP client configuration wins paris_server
vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
vpdn group PPTP-VPDN-GROUP client accounting RADIUS
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn enable outside
terminal width 80
Cryptochecksum70a271087ea8d0a330a016a38788b52a
end
----------------------------------------------------


----------------------------------------------------
Result of firewall command: "show running-config"

: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************ encrypted
passwd ************** encrypted
hostname berlin_firewall
domain-name mydomain.tld
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 paris_network
name 192.168.2.0 berlin_network
name 192.168.1.10 paris_server
access-list inside_outbound_nat0_acl permit ip berlin_network 255.255.255.0
paris_network 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.253.240
255.255.255.248
access-list outside_cryptomap_20 permit ip berlin_network 255.255.255.0
paris_network 255.255.255.0
pager lines 24
logging on
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside eee.fff.ggg.hhh.iii 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool PPTP_Pool 192.168.253.241-192.168.253.246
pdm location paris_network 255.255.255.0 outside
pdm location paris_server 255.255.255.255 inside
pdm location 192.168.253.240 255.255.255.248 outside
pdm location berlin_server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 sss.ttt.uuu.vvv 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host paris_server ********* timeout 10
aaa-server LOCAL protocol local
ntp server berlin_server source inside prefer
ntp server 130.159.196.118 source outside
http server enable
http paris_server 255.255.255.255 inside
http berlin_server 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer aaa.bbb.ccc.ddd
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address aaa.bbb.ccc.ddd netmask 255.255.255.255 no-xauth
no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet paris_server 255.255.255.255 inside
telnet berlin_server 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 20
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local PPTP_Pool
vpdn group PPTP-VPDN-GROUP client configuration dns berlin_server
paris_server
vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
vpdn group PPTP-VPDN-GROUP client accounting RADIUS
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn enable outside
terminal width 80
Cryptochecksum:0b2573cb5a1603dfa3a4562e8d2c82b6
: end

 

:I have two identical PIX 501 6.3(3) units that operate a VPN Tunnel between
:two sites, Paris (192.168.1.0) and Berlin (192.168.2.0). The tunnel is fine
:and works like a charm. Any device on the 1.0 subnet can ping any device on
:the 2.0 subnet and vice-versa.

:My problem is VPN clients that connect in to the 'primary' VPN in Paris. You
:can connect, that works, you get an IP address from the Paris VPN pool
192.168.254.240/), say 192.168.254.241, auth works, you can ping devices on
:the Paris subnet (192.168.1.0) but you can't ping devices on the Berlin
:subnet.

You can't do that with the 501. The PIX will never send packets
back out the same [logical] interface that they came in on, even if
they came in over a VPN. Your VPN clients are coming from 'outside',
and your remote PIX is coming from 'outside', so the two cannot
talk together.

If it were the 506/506e model and you were running 6.3(4), or if
it were the 515/515E, 520, 525, or 535, then there would be
the possibility [depending on network topology] of having two
different 802.1Q vlans (aka logical interfaces) on the outward-facing
PIX physical interface. The PIX is happy to route between different
vlans on the same physical interface, but the 501 does not have any
vlan support.

Some people have said that PIX 7.0 will allow sending packets
back out the same interface. PIX 7.0 is now late, and I do not have
the beta, so I do not know how that will work.

 

Your config is not possible with the current pix. You cannot send packets
out the same interface they came in on.