
Another PIX problem

I am having a nightmare with this issue.

Clients running Cisco VPN Client Version 3 are having problems with IP connectivity once a tunnel is established. I have checked the routes and they seem o.k.

That leaves ACLs, but I have the sysopt connection permit-ipsec command on the PIX. This command is supposed to allow IPSEC traffic to bypass ACLs, right?

I tried to replicate the issue on my network. The VPN client connects, but there is no IP connectivity; when I used the new sysopt ipsec pl-compatible, IP connectivity was o.k., suggesting again that at least on my network routing is fine.

VPN connection + IP connectivity should work without this sexy command, sysopt ipsec pl-compatible. I don't want to deploy this command on customers' networks because it bypasses the PIX ASA etc.

Everyone, any suggestions?

Frustrated Chrisi
lrmooreCommented:
What version PIX OS? 6.x?
Yes, sysopt permit-ipsec bypasses ACLs, but not NAT. sysopt pl-compatible bypasses NAT and ASA.
To get around it, you need to use a nat 0 setup, example:

inside LAN = 192.168.223.0
VPN IP pool = 192.168.234.0

access-list no_nat permit ip 192.168.223.0 255.255.255.0 192.168.234.0 255.255.255.0
nat (inside) 0 access-list no_nat

chrisi_ukAuthor Commented:
Thanks lrmoore,

I am using ver 6.1(2) and I already have the nat 0 implemented. Below is my config:

: Saved
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list dmzinbound permit icmp any host 200.1.1.99
access-list dmzinbound permit tcp any host 200.1.1.99
access-list dmzinbound permit udp any host 200.1.1.99
access-list nonat permit ip 10.48.66.0 255.255.254.0 10.48.67.0 255.255.255.0
access-list inbound permit ip host 10.48.67.1 host 192.168.10.3
access-list inbound permit tcp host 10.48.67.1 host 192.168.10.3 eq 3389
pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
interface ethernet2 10full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 200.1.1.1 255.255.255.0
ip address inside 10.48.66.18 255.255.254.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.48.67.1-10.48.67.20
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 200.1.1.100-200.1.1.110
global (outside) 2 200.1.1.111-200.1.1.120
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 2 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 200.1.1.99 10.48.66.99 netmask 255.255.255.255 0 0
static (inside,outside) 200.1.1.121 10.48.66.102 netmask 255.255.255.255 0 0
access-group dmzinbound in interface dmz
route inside 192.168.10.0 255.255.255.0 10.48.66.19 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthInBound protocol tacacs+
aaa-server AuthInBound (inside) host 10.48.66.102 cisco timeout 10
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map mymap 20 set transform-set myset
crypto map chris 20 ipsec-isakmp dynamic mymap
crypto map chris client configuration address initiate
crypto map chris client configuration address respond
crypto map chris interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3 address-pool ippool
vpngroup vpn3 idle-time 1800
vpngroup vpn3 password ********
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:90c8fbcded5ddf0215c29a2acfe09978
: end
[OK]

Regards
Chris
lrmooreCommented:
>ip address dmz 127.0.0.1 255.255.255.255

I hope you don't have anything connected to this interface.

>access-list nonat permit ip 10.48.66.0 255.255.254.0 10.48.67.0 255.255.255.0

Part of the problem may be that your IPPOOL for VPN is a subset of the local LAN: 10.48.66.0 255.255.254.0 includes addresses through 10.48.67.254, which could be why you have routing issues but not a problem establishing the connection.
I like to set up the VPN ippool as a totally separate subnet, say 192.168.122.0. That way, the no_nat ACL makes sense.
Also, the VPN client's local LAN interface cannot be on the same 10.48.66.0 network.

I also don't see this command in your config. It is mandatory:

sysopt connection permit-ipsec

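The three conditions lrmoore raises across the two answers (a nat 0 exemption covering the VPN pool, a pool that does not sit inside the LAN's /23, and the sysopt connection permit-ipsec line) can be checked mechanically against a saved PIX 6.x config. This is an added example, not code from the thread or from Cisco; the config excerpt is constructed from the lines posted above and the parser covers only the statement forms that appear there.

```python
import ipaddress

# Constructed excerpt of the PIX 6.1 config posted above: only the lines the
# checks need. The sysopt line is deliberately absent, as in the post.
SAMPLE_CONFIG = """\
access-list nonat permit ip 10.48.66.0 255.255.254.0 10.48.67.0 255.255.255.0
ip address inside 10.48.66.18 255.255.254.0
ip local pool ippool 10.48.67.1-10.48.67.20
nat (inside) 0 access-list nonat
"""

def _net(f, i):
    """One ACL address term at token i ('host X' or 'addr mask'); returns (net, next i)."""
    if f[i] == "host":
        return ipaddress.ip_network(f[i + 1]), i + 2
    return ipaddress.ip_network(f"{f[i]}/{f[i + 1]}", strict=False), i + 2

def parse(config):
    """Collect inside subnet, VPN pool, nat 0 ACL name, 'permit ip' ACL rules and sysopt state."""
    inside = pool = nonat_acl = None
    acls, sysopt = {}, False
    for line in config.splitlines():
        f = line.split()
        if f[:3] == ["ip", "address", "inside"]:
            inside = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
        elif f[:3] == ["ip", "local", "pool"]:
            lo, hi = f[4].split("-")
            pool = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif f[:1] == ["access-list"] and f[2:4] == ["permit", "ip"]:
            src, i = _net(f, 4)
            acls.setdefault(f[1], []).append((src, _net(f, i)[0]))
        elif f[:4] == ["nat", "(inside)", "0", "access-list"]:
            nonat_acl = f[4]
        elif f == ["sysopt", "connection", "permit-ipsec"]:
            sysopt = True
    return inside, pool, nonat_acl, acls, sysopt

def check(config):
    """Return a list of findings; an empty list means all three conditions hold."""
    inside, pool, nonat_acl, acls, sysopt = parse(config)
    findings = []
    if not sysopt:
        findings.append("missing 'sysopt connection permit-ipsec'")
    # Pool addresses that fall inside the LAN subnet (a /23 here) break routing.
    if any(n.overlaps(inside) for n in ipaddress.summarize_address_range(*pool)):
        findings.append(f"VPN pool {pool[0]}-{pool[1]} overlaps inside subnet {inside}")
    # nat 0 must exempt LAN -> pool traffic, otherwise it is NATed and replies fail.
    rules = acls.get(nonat_acl, [])
    if not any(s.overlaps(inside) and pool[0] in d and pool[1] in d for s, d in rules):
        findings.append("nat 0 ACL does not exempt LAN to VPN pool traffic")
    return findings
```

Running check(SAMPLE_CONFIG) reports the missing sysopt line and the pool overlap, while the nat 0 exemption passes; moving the pool to a separate subnet such as 192.168.122.0/24 and adding the sysopt line clears all findings.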
lrmooreCommented:
How's it going, Chris, any luck?
CleanupPingCommented:
chrisi_uk:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
lrmooreCommented:
RECOMMENDATION: Points awarded to: lrmoore