PIX VPN Client connects but not traffic passes through

Discussion in 'Cisco' started by rambur, Apr 24, 2007.

  1. rambur

    rambur Guest

    I have a client with a PIX 501, version 6.3(4). For some reason that
    I've not been able to figure out, the VPN client that I've created for
    them will connect, but traffic will not pass through the PIX. The
    client is set to use group and user authentication, but it immediately
    connects without prompting for user authentication, which is also
    strange. Any advice is greatly appreciated. The config is posted
    below. The VPN client in question is the one listed as "magellan" and
    the internal IP that I ideally would like to connect to is
    192.168.100.79, but I can't get to any IP; not even the internal IP of
    the PIX. All help is greatly appreciated.


    PIX Version 6.3(4)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxx encrypted
    hostname pix
    domain-name cisco.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside-outside permit tcp any interface outside eq pcanywhere-data
    access-list inside-outside permit udp any interface outside eq pcanywhere-status
    access-list inside-outside permit tcp any interface outside eq https
    access-list inside-outside permit tcp any host 192.168.100.42 eq 5800
    access-list inside-outside permit tcp any host 192.168.100.42 eq 5900
    access-list inside-outside permit tcp any host 192.168.100.59 eq 5801
    access-list inside-outside permit tcp any host 192.168.100.59 eq 5901
    access-list inside-outside permit tcp any host 192.168.100.61 eq 5802
    access-list inside-outside permit tcp any host 192.168.100.61 eq 5902
    access-list inside-outside permit tcp any host 192.168.100.62 eq 5803
    access-list inside-outside permit tcp any host 192.168.100.62 eq 5903
    access-list inside-outside permit tcp any host 192.168.100.63 eq 5804
    access-list inside-outside permit tcp any host 192.168.100.63 eq 5904
    access-list inside-outside permit tcp any host 192.168.100.161 eq 5805
    access-list inside-outside permit tcp any host 192.168.100.161 eq 5905
    access-list inside-outside permit tcp any host 192.168.100.64 eq 5806
    access-list inside-outside permit tcp any host 192.168.100.64 eq 5906
    access-list inside-outside permit tcp any host 192.168.100.65 eq 5807
    access-list inside-outside permit tcp any host 192.168.100.65 eq 5907
    access-list inside-outside permit tcp any interface outside eq 4125
    access-list inside-outside permit tcp any interface outside eq 3389
    access-list mri permit ip host 192.168.100.76 host 172.16.4.8
    access-list mri permit ip host 192.168.100.76 host 172.16.4.10
    access-list mri permit ip host 192.168.100.79 host 172.16.4.8
    access-list mri permit ip host 192.168.100.79 host 172.16.4.10
    access-list mri permit ip host 192.168.100.80 host 172.16.4.8
    access-list mri permit ip host 192.168.100.80 host 172.16.4.10
    access-list 100 permit ip host 192.168.100.76 host 172.16.4.10
    access-list 100 permit ip host 192.168.100.76 host 172.16.4.8
    access-list 100 permit ip host 192.168.100.79 host 172.16.4.10
    access-list 100 permit ip host 192.168.100.79 host 172.16.4.8
    access-list 100 permit ip host 192.168.100.80 host 172.16.4.10
    access-list 100 permit ip host 192.168.100.80 host 172.16.4.8
    access-list GEMED permit ip host xx.xx.xx.xx xx.xx.xx.xx 255.255.0.0
    access-list GEMED permit ip host xx.xx.xx.xx xx.xx.xx.xx 255.255.0.0
    access-list (inside,outside) permit tcp any host 192.168.100.79 eq 5731
    access-list (inside,outside) permit udp any host 192.168.100.79 eq 5732
    pager lines 120
    logging on
    logging console alerts
    logging monitor debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside 209.161.xx.xx 255.255.255.252
    ip address inside 192.168.100.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnclients 192.168.200.1-192.168.200.10
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list mri
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 3389 192.168.100.11 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https 192.168.100.11 https netmask 255.255.255.255 0 0
    static (inside,outside) udp interface pcanywhere-status 192.168.100.31 pcanywhere-status netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pcanywhere-data 192.168.100.31 pcanywhere-data netmask 255.255.255.255 0 0
    static (inside,outside) tcp 209.xx.xx.xx 5800 192.168.100.42 5800 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 209.xx.xx.xx 5900 192.168.100.42 5900 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 209.xx.xx.xx 5801 192.168.100.59 5801 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 209.xx.xx.xx 5901 192.168.100.59 5901 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 209.xx.xx.xx 5802 192.168.100.61 5802 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 209.xx.xx.xx 5902 192.168.100.61 5902 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 209.xx.xx.xx 5803 192.168.100.62 5803 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 209.xx.xx.xx 5903 192.168.100.62 5903 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 209.xx.xx.xx 5804 192.168.100.63 5804 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 209.xx.xx.xx 5904 192.168.100.63 5904 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 209.xx.xx.xx 5805 192.168.100.161 5805 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 209.xx.xx.xx 5905 192.168.100.161 5905 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 209.xx.xx.xx 5806 192.168.100.64 5806 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 209.xx.xx.xx 5906 192.168.100.64 5906 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 209.xx.xx.xx 5807 192.168.100.65 5807 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 209.xx.xx.xx 5907 192.168.100.65 5907 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5731 192.168.100.79 5731 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 5732 192.168.100.79 5732 netmask 255.255.255.255 0 0
    static (inside,outside) 10.77.xx.xx 192.168.100.76 netmask 255.255.255.255 0 0
    static (inside,outside) 10.77.xx.xx 192.168.100.77 netmask 255.255.255.255 0 0
    static (inside,outside) 142.179.xx.xx 192.168.100.79 netmask 255.255.255.255 0 0
    access-group inside-outside in interface outside
    route outside 0.0.0.0 0.0.0.0 209.xx.xx.xx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 209.xx.xx.xx 255.255.255.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    no floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set AAADES esp-3des esp-md5-hmac
    crypto dynamic-map dyn20 20 set transform-set AAADES
    crypto map shmem 10 ipsec-isakmp
    crypto map shmem 10 match address GEMED
    crypto map shmem 10 set peer xx.xx.xx.xx
    crypto map shmem 10 set transform-set AAADES
    crypto map shmem 10 set security-association lifetime seconds 3600 kilobytes 4608000
    crypto map shmem 15 ipsec-isakmp
    crypto map shmem 15 match address mri
    crypto map shmem 15 set peer xx.xx.xx.xx
    crypto map shmem 15 set transform-set AAADES
    crypto map shmem 20 ipsec-isakmp dynamic dyn20
    crypto map shmem interface outside
    isakmp enable outside
    isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
    isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
    isakmp identity address
    isakmp keepalive 10 3
    isakmp client configuration address-pool local vpnclients outside
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    isakmp policy 9 hash md5
    isakmp policy 9 group 2
    isakmp policy 9 lifetime 86400
    vpngroup ortho-tech address-pool vpnclients
    vpngroup ortho-tech dns-server 209.xx.xx.xx 209.xx.xx.xx
    vpngroup ortho-tech idle-time 1800
    vpngroup ortho-tech password ********
    vpngroup magellan-group address-pool vpnclients
    vpngroup magellan-group dns-server 209.xx.xx.xx 209.xx.xx.xx
    vpngroup magellan-group idle-time 1800
    vpngroup magellan-group password ********
    ssh xx.xx.xx.xx 255.255.255.255 outside
    ssh xx.xx.xx.xx 255.255.255.255 inside
    ssh timeout 60
    console timeout 0
    username support password xxxxxxxxxxxxxxxxxx encrypted privilege 2
    username magellan password xxxxxxxxxxxxxxxxx encrypted privilege 2
    terminal width 80
    Cryptochecksum:6b3e1c6136fff01a48f2d8ccfea4ac8f
    : end
     
    rambur, Apr 24, 2007
    #1

  2. Try:

    isakmp nat-traversal 20


    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312
     
    Jyri Korhonen, Apr 24, 2007
    #2

  3. rambur

    rambur Guest

    rambur, Apr 25, 2007
    #3
  4. You can only ever ping the interface "closest" to you; since
    you are connecting to the outside interface, you would be
    able to ping the outside interface (if the VPN allowed it), but
    not the remote inside interface.

    There is an exception to this: if you specifically declare that
    a VPN connection is for management access, then you can
    ping it. This requires a separate VPN.

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1137951
     
    Walter Roberson, Apr 25, 2007
    #4
  5. You re-use the access-list "mri" there. You used it for
    nat 0 access-list, and you used it for crypto map match address.
    Never reuse an access-list: the PIX manipulates access-lists
    internally and if you use an access-list twice, the internal
    manipulation for one use will cause problems with the other use.

    Your address-pool for magellan is 'vpnclients', which is 192.168.200.* .
    That range is outside your internal IP range, which is good -- a
    lot of people make the mistake of using an internal range, which
    leads to routing and proxy-arp problems, which you have avoided.
    However, your nat 0 access-list is only for 172.16.4.x so
    the traffic to 192.168.200.* will -not- be exempt from NAT. Your
    'nat'/'global' statements are going to kick in and PAT the internal
    192.168.100.x source IPs to the interface IP; your special static PAT
    for 192.168.100.79 may also come into play, but that PATs to
    the external IP as well. And it isn't until *after* NAT processing
    that the VPN comes into play.

    Thus, in order to have a chance of reaching 192.168.100.79, you will
    have to address the interface IP, and it'd only work for those two
    particular ports (and not for ping.)


    Recommended solution: copy the current contents of the 'mri' ACL
    into a new access list for use with nat (inside) 0 access-list .
    Add lines to that new ACL that exempt 192.168.100.* to 192.168.200.*
    from NAT.

    Addendum: you may wish to make cleaner access-lists by using
    a few object-group's. For example, your mri ACL runs through all
    combinations of three different sources and two different destinations;
    if you had an object-group that listed the three sources, and
    another object group that listed the three destinations, then the
    entire access-list would simplify down to a single statement, e.g.,

    access-list mri permit ip object-group mriInternalTargets object-group mriRemoteSources
     
    Walter Roberson, Apr 25, 2007
    #5
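    The two problems called out in the reply above (an ACL shared between
    nat 0 and a crypto map, and a VPN client pool that the nat 0 ACL does
    not exempt) can be caught mechanically before the config is pushed.
    The checker below is an added example, not code from the thread or from
    Cisco: it parses a constructed excerpt of a PIX 6.3-style config (public
    and peer addresses replaced with RFC 1918 ones), reports both findings,
    and prints the replacement nat 0 ACL the reply recommends. It assumes
    the inside network is 192.168.100.0/24, that the new ACL is called
    `nonat`, and that the exemption should cover the whole /24 the pool
    lives in; all three are parameters or labelled assumptions.

```python
import ipaddress
import re

# Constructed excerpt, not the thread's full config: only the lines relevant
# to the two findings. Public/peer addresses replaced with RFC 1918 ranges.
SAMPLE_CONFIG = """\
access-list mri permit ip host 192.168.100.76 host 172.16.4.8
access-list mri permit ip host 192.168.100.79 host 172.16.4.8
access-list GEMED permit ip host 10.0.0.1 10.1.0.0 255.255.0.0
access-list inside-outside permit tcp any interface outside eq https
ip local pool vpnclients 192.168.200.1-192.168.200.10
nat (inside) 0 access-list mri
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map shmem 10 match address GEMED
crypto map shmem 15 match address mri
vpngroup magellan-group address-pool vpnclients
"""


def _addr_spec(tokens, i):
    """Consume one PIX address spec (any | host A | A MASK | interface X)
    starting at tokens[i]. Returns (network or None, next index)."""
    if i >= len(tokens):
        return None, i
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if i + 1 >= len(tokens):
        return None, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok == "interface":            # interface address: not a fixed network
        return None, i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Map ACL name -> list of (src, dst) networks for its permit ACEs."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] != "permit":
            continue
        entries = acls.setdefault(t[1], [])
        src, i = _addr_spec(t, 4)     # t[3] is the protocol; any port suffix is ignored
        dst, _ = _addr_spec(t, i)
        if src is not None and dst is not None:
            entries.append((src, dst))
    return acls


def parse_pools(config):
    """Map 'ip local pool' name -> (first, last) address."""
    pools = {}
    for line in config.splitlines():
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def acl_refs(config):
    """ACL names referenced by 'nat (if) 0 access-list' and by crypto maps."""
    nat0 = re.findall(r"^\s*nat \(\S+\) 0 access-list (\S+)", config, re.M)
    crypto = re.findall(r"^\s*crypto map \S+ \d+ match address (\S+)", config, re.M)
    return nat0, crypto


def pool_exempt(pool, nat0_entries):
    """True only if every pool address is a destination of some nat 0 ACE."""
    first, last = pool
    addrs = [ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)]
    return all(any(a in dst for _, dst in nat0_entries) for a in addrs)


def _fmt(net):
    """Render a network back in PIX ACL syntax."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.netmask}"


def lint_config(config, inside_net="192.168.100.0/24", new_acl="nonat"):
    """Return the two findings plus the suggested replacement nat 0 ACL."""
    acls, pools = parse_acls(config), parse_pools(config)
    nat0, crypto = acl_refs(config)
    findings = {"reused_acls": sorted(set(nat0) & set(crypto)),
                "pools_not_exempt": [], "suggested": []}
    nat0_entries = [e for name in nat0 for e in acls.get(name, [])]
    for name, pool in pools.items():
        if not pool_exempt(pool, nat0_entries):
            findings["pools_not_exempt"].append(name)
    if findings["reused_acls"] or findings["pools_not_exempt"]:
        # Copy the current nat 0 entries under a fresh name so the crypto map
        # keeps its own ACL, then add the inside -> pool exemption.
        for name in nat0:
            for src, dst in acls.get(name, []):
                findings["suggested"].append(
                    f"access-list {new_acl} permit ip {_fmt(src)} {_fmt(dst)}")
        inside = ipaddress.ip_network(inside_net)
        for name in findings["pools_not_exempt"]:
            # Assumption: exempt the whole /24 that contains the pool.
            pool_net = ipaddress.ip_network(f"{pools[name][0]}/24", strict=False)
            findings["suggested"].append(
                f"access-list {new_acl} permit ip {_fmt(inside)} {_fmt(pool_net)}")
        findings["suggested"].append(f"nat (inside) 0 access-list {new_acl}")
    return findings


if __name__ == "__main__":
    for key, value in lint_config(SAMPLE_CONFIG).items():
        print(key, value)
```

    Run against the excerpt it flags `mri` as reused and `vpnclients` as
    not exempt, and emits a `nonat` ACL with the two copied entries plus
    `192.168.100.0/24 -> 192.168.200.0/24`; feeding the corrected lines back
    in clears both findings. The checker deliberately walks every pool
    address rather than only the endpoints, so a pool that straddles two
    ACE destinations with a hole in the middle is still reported.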
  6. rambur

    rambur Guest

    rambur, Apr 25, 2007
    #6