PIX 501 :VPN client traffic does not pass down VPN tunnel to remote subnet..

Discussion in 'Cisco' started by Tim Fortea, Oct 22, 2004.

  1. Tim Fortea

    Tim Fortea Guest

    Dear All,

    I have two identical PIX 501 6.3(3) units that operate a VPN Tunnel between
    two sites, Paris (192.168.1.0) and Berlin (192.168.2.0). The tunnel is fine
    and works like a charm. Any device on the 1.0 subnet can ping any device on
    the 2.0 subnet and vice-versa.

    My problem is VPN clients that connect in to the 'primary' VPN in Paris. You
    can connect, that works, you get an IP address from the Paris VPN pool
    (192.168.254.240/), say 192.168.254.241, auth works, you can ping devices on
    the Paris subnet (192.168.1.0) but you can't ping devices on the Berlin
    subnet.

    I have had a look at a similar post not so long ago but couldn't quite crack
    it. I am sure it is either the ACL for sending 'interesting' traffic from
    the VPN client down the tunnel to Berlin is wrong, or the routing
    information for the VPN pool is wrong, or the subnet for the VPN pool should
    be on a byte border and not 255.255.255.248, I just don't know. The
    configurations for the firewalls follow with all the usual changes.. All
    comments and help are really genuinely appreciated. Anyone with PIX
    experience will just look at this and blurt out the answer!

    Please start blurting!

    Thanks in advance,

    Regards,

    Tim

    Here's Paris' config.. followed by Berlin..

    ----------------------------------------------------
    Result of firewall command: "show running-config"

    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ************ encrypted
    passwd ************ encrypted
    hostname paris_firewall
    domain-name mydomain.tld
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 213.173.176.148 www_smtp
    name 192.168.1.10 paris_server
    name 192.168.1.0 paris_network
    name 192.168.2.0 berlin_network
    name 192.168.254.240 PPTP_Pool
    access-list inside_outbound_nat0_acl permit ip any PPTP_Pool 255.255.255.248
    access-list inside_outbound_nat0_acl permit ip paris_network 255.255.255.0 berlin_network 255.255.255.0
    access-list outside_access_in permit tcp any host www_smtp eq https
    access-list outside_access_in permit tcp any host www_smtp eq smtp
    access-list outside_cryptomap_20 permit ip paris_network 255.255.255.0 berlin_network 255.255.255.0
    pager lines 24
    logging on
    logging buffered notifications
    icmp deny any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside aaa.bbb.ccc.ddd 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool PPTP_Pool 192.168.254.241-192.168.254.246
    pdm location paris_server 255.255.255.255 inside
    pdm location PPTP_Pool 255.255.255.248 outside
    pdm location www_smtp 255.255.255.255 outside
    pdm location berlin_network 255.255.255.0 outside
    pdm location berlin_network 255.255.255.0 inside
    pdm location 192.168.254.0 255.255.255.0 inside
    pdm location PPTP_Pool 255.255.255.248 inside
    pdm logging notifications 512
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) www_smtp paris_server netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 www.xxx.yyy.zzz 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host paris_server ********* timeout 10
    aaa-server LOCAL protocol local
    ntp server 194.42.48.120 source outside
    ntp server paris_server source inside prefer
    http server enable
    http paris_network 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer eee.fff.ggg.hhh.iii
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key address eee.fff.ggg.hhh.iii netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet paris_network 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 10
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
    vpdn group PPTP-VPDN-GROUP client configuration address local PPTP_Pool
    vpdn group PPTP-VPDN-GROUP client configuration dns paris_server
    vpdn group PPTP-VPDN-GROUP client configuration wins paris_server
    vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
    vpdn group PPTP-VPDN-GROUP client accounting RADIUS
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn enable outside
    terminal width 80
    Cryptochecksum:70a271087ea8d0a330a016a38788b52a
    : end
    ----------------------------------------------------


    ----------------------------------------------------
    Result of firewall command: "show running-config"

    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ************ encrypted
    passwd ************** encrypted
    hostname berlin_firewall
    domain-name mydomain.tld
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.1.0 paris_network
    name 192.168.2.0 berlin_network
    name 192.168.1.10 paris_server
    access-list inside_outbound_nat0_acl permit ip berlin_network 255.255.255.0 paris_network 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any 192.168.253.240 255.255.255.248
    access-list outside_cryptomap_20 permit ip berlin_network 255.255.255.0 paris_network 255.255.255.0
    pager lines 24
    logging on
    icmp deny any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside eee.fff.ggg.hhh.iii 255.255.255.248
    ip address inside 192.168.2.1 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool PPTP_Pool 192.168.253.241-192.168.253.246
    pdm location paris_network 255.255.255.0 outside
    pdm location paris_server 255.255.255.255 inside
    pdm location 192.168.253.240 255.255.255.248 outside
    pdm location berlin_server 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 sss.ttt.uuu.vvv 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host paris_server ********* timeout 10
    aaa-server LOCAL protocol local
    ntp server berlin_server source inside prefer
    ntp server 130.159.196.118 source outside
    http server enable
    http paris_server 255.255.255.255 inside
    http berlin_server 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer aaa.bbb.ccc.ddd
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address aaa.bbb.ccc.ddd netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet paris_server 255.255.255.255 inside
    telnet berlin_server 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 20
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
    vpdn group PPTP-VPDN-GROUP client configuration address local PPTP_Pool
    vpdn group PPTP-VPDN-GROUP client configuration dns berlin_server paris_server
    vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
    vpdn group PPTP-VPDN-GROUP client accounting RADIUS
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn enable outside
    terminal width 80
    Cryptochecksum:0b2573cb5a1603dfa3a4562e8d2c82b6
    : end
     
    Tim Fortea, Oct 22, 2004
    #1

  2. :I have two identical PIX 501 6.3(3) units that operate a VPN Tunnel between
    :two sites, Paris (192.168.1.0) and Berlin (192.168.2.0). The tunnel is fine
    :and works like a charm. Any device on the 1.0 subnet can ping any device on
    :the 2.0 subnet and vice-versa.

    :My problem is VPN clients that connect in to the 'primary' VPN in Paris. You
    :can connect, that works, you get an IP address from the Paris VPN pool
    :(192.168.254.240/), say 192.168.254.241, auth works, you can ping devices on
    :the Paris subnet (192.168.1.0) but you can't ping devices on the Berlin
    :subnet.

    You can't do that with the 501. The PIX will never send packets
    back out the same [logical] interface that they came in on, even if
    they came in over a VPN. Your VPN clients are coming from 'outside',
    and your remote PIX is coming from 'outside', so the two cannot
    talk together.

    If it were the 506/506e model and you were running 6.3(4), or if
    it were the 515/515E, 520, 525, or 535, then there would be
    the possibility [depending on network topology] of having two
    different 802.1Q vlans (aka logical interfaces) on the outward-facing
    PIX physical interface. The PIX is happy to route between different
    vlans on the same physical interface, but the 501 does not have any
    vlan support.

    Some people have said that PIX 7.0 will allow sending packets
    back out the same interface. PIX 7.0 is now late, and I do not have
    the beta, so I do not know how that will work.
     
    Walter Roberson, Oct 22, 2004
    #2
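    A quick way to check the two things discussed above against the posted Paris config (whether the crypto map ACL covers client-pool traffic to Berlin, and the same-interface rule Walter describes) is to model the PIX's decision in a few lines. This is an added Python example, not code from the thread; it embeds a constructed excerpt of the Paris config, and the function names are my own.

```python
import ipaddress

# Constructed excerpt of the Paris config posted in the thread (names and ACLs only).
PARIS_CONFIG = """
name 192.168.1.0 paris_network
name 192.168.2.0 berlin_network
name 192.168.254.240 PPTP_Pool
access-list inside_outbound_nat0_acl permit ip any PPTP_Pool 255.255.255.248
access-list inside_outbound_nat0_acl permit ip paris_network 255.255.255.0 berlin_network 255.255.255.0
access-list outside_cryptomap_20 permit ip paris_network 255.255.255.0 berlin_network 255.255.255.0
"""

def _addr(tokens, names):
    """Consume one PIX address spec (any | host X | NET MASK), resolving 'name' aliases."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    net = names.get(tokens[0], tokens[0])
    return ipaddress.ip_network(f"{net}/{tokens[1]}"), tokens[2:]

def parse_pix(config):
    """Return ({alias: ip}, {acl_name: [(proto, src_net, dst_net), ...]})."""
    names, acls = {}, {}
    for line in config.splitlines():
        t = line.split()
        if t and t[0] == "name":
            names[t[2]] = t[1]
        elif t and t[0] == "access-list" and t[2] == "permit":
            src, rest = _addr(t[4:], names)
            dst, _ = _addr(rest, names)
            acls.setdefault(t[1], []).append((t[3], src, dst))
    return names, acls

def matching_entries(acls, acl_name, src, dst):
    """ACL entries whose source and destination networks contain the given addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [e for e in acls.get(acl_name, []) if s in e[1] and d in e[2]]

def diagnose(config, src, dst, in_iface, crypto_acl="outside_cryptomap_20"):
    """Reasons a packet arriving on in_iface would not go down the site-to-site tunnel."""
    _, acls = parse_pix(config)
    reasons = []
    if not matching_entries(acls, crypto_acl, src, dst):
        reasons.append(f"{crypto_acl} has no entry covering {src} -> {dst}")
    if in_iface == "outside":  # crypto map is bound to outside; PIX 6.x will not hairpin
        reasons.append("packet would have to leave via the interface it arrived on")
    return reasons

if __name__ == "__main__":
    for pkt in (("192.168.1.20", "192.168.2.5", "inside"),
                ("192.168.254.241", "192.168.2.5", "outside")):
        print(pkt, diagnose(PARIS_CONFIG, *pkt) or ["would be tunnelled"])
```

    For the PPTP client address it reports both problems: the crypto ACL only names paris_network to berlin_network, and even with the pool added the traffic would need to re-exit the outside interface.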

  3. PES

    PES Guest

    Your config is not possible with the current pix. You cannot send packets
    out the same interface they came in on.
     
    PES, Oct 23, 2004
    #3
