Solved

Configuring Microsoft VPN via Cisco PIX (ver. 5.1(4))

Posted on 2003-11-10
Last Modified: 2013-11-16
I need to set up a single user (for now) for VPN access. We set up a Windows 2000 server and configured the client and the PIX and tested it and it worked fine. Unfortunately, this caused the Exchange server to stop receiving outside e-mails, so I quickly backed off the added config. Here is what I added that caused the problem:


access-list acl-out permit gre any host 216.xx.xx.xx
access-list acl-out permit tcp any host 216.xx.xx.xx

static (inside,outside) 216.xx.xx.xx 192.168.xx.xx netmask 255.255.255.255 0

access-group acl-out in interface outside

This worked fine, but caused the problem mentioned above. I used the "permit any" statement as opposed to an IP address because we don't have that information for the client as yet. Will simply changing the access-list acl-out statements to permit with a specific IP fix this, or is there something else? And, why would this cause the Exchange server to stop receiving outside e-mail? Thanks.
Question by:welshiv

Expert Comment

by:td_miles
ID: 9719549
Is that the full access list ?
Was there previously an ACL applied on the outside interface ?

If that is the full ACL, then yes, inbound SMTP could be blocked, as the ACL doesn't permit it anywhere. If this is part of a larger ACL, then it's hard to say without seeing the full details.

I guess the other question to ask is, is the Win2k server that is doing the VPN endpoint the same server that Exchange is running on?

Can you post full config from your PIX (make sure to remove passwords and real IP addresses).

Author Comment

by:welshiv
ID: 9719639
There was no ACL applied before this one and the VPN endpoint is not the same server as the Exchange server. I could post the whole config, but it prints out to 6 pages, so pretty long, but will do if absolutely necessary to resolve.

Here is access list:

access-list 100 permit ip 192.168.xx.xx 255.255.254.0 192.168.xx.xx 255.255.255.0
access-list 100 deny tcp any any eq 1214
access-list 100 deny tcp any any eq 6346
access-list 100 deny tcp any any eq 6347
access-list 100 deny tcp any any eq 6348
access-list 100 deny tcp any any eq 6355
access-list 100 deny udp any any eq 1214
access-list 100 deny udp any any eq 6346
access-list 100 deny udp any any eq 6347
access-list 100 deny udp any any eq 6348
access-list 100 deny udp any any eq 6355
access-list 100 deny tcp any any eq 6699
access-list 100 deny udp any any eq 6699
access-list 100 deny ip any host xx.xx.xx.xx
access-list 110 permit ip 192.168.xx.xx 255.255.254.0 192.168.xx.xx 255.255.255.0
access-list 110 permit ip 192.168.xx.xx 255.255.255.0 192.168.xx.xx  255.255.255.0
access-list nonat permit ip 192.168.xx.xx 255.255.254.0 192.168.xx.xx  255.255.255.0
access-list nonat permit ip 192.168.xx.xx  255.255.254.0 192.168.xx.xx  255.255.255.0
access-list nonat permit ip 192.168.xx.xx 255.255.255.0 192.168.xx.xx  255.255.255.0


Is this enough information?

Expert Comment

by:td_miles
ID: 9719681
Can you also include the "static" commands as well? If there was no ACL applied to the outside interface, then what do the ACLs that you have supplied apply to?

If there was no ACL on the outside interface, what about conduits? Something must have been allowing your Exchange server to receive SMTP from outside.

Author Comment

by:welshiv
ID: 9719728
Here it is:
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.xx.xx 255.255.254.0 0 0
static (inside,outside) xx.xx.xx.4 192.168.xx.xx  netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.39 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.49 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.33 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.35 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.19 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.25 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.27 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.28 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.29 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.196 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.197 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.18 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.59 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.43 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.44 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.45 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.30 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.60 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.41 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.42 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.13 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.3 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.188 192.168.xx.xx netmask 255.255.255.255 0 0

conduit permit icmp any any
conduit permit tcp host xx.xx.xx.4 eq www any
conduit permit tcp host xx.xx.xx.4 eq smtp any
conduit permit tcp host xx.xx.xx.4 eq pop3 any
conduit permit tcp host xx.xx.xx.4 eq 443 any
conduit permit tcp host xx.xx.xx.4 eq 389 any
conduit permit tcp host xx.xx.xx.4 eq 3268 any
conduit permit tcp host xx.xx.xx.4 eq 143 any
conduit permit tcp host xx.xx.xx.35 eq www any
conduit permit tcp host xx.xx.xx.39 eq www any
conduit deny tcp host xx.xx.xx.36 eq 139 any
conduit permit tcp host xx.xx.xx.4 eq 1050 any
conduit permit tcp host xx.xx.xx.4 eq 1055 any
conduit permit tcp host xx.xx.xx.4 eq 1060 any
conduit permit tcp host xx.xx.xx.59 eq www any
conduit permit tcp host xx.xx.xx.49 eq 1494 any
conduit permit udp host xx.xx.xx.49 eq 1494 any
conduit permit tcp host xx.xx.xx.27 eq www any
conduit permit tcp host xx.xx.xx.28 eq www any
conduit permit tcp host xx.xx.xx.29 eq ftp any
conduit permit tcp host xx.xx.xx.25 eq www any
conduit permit tcp host xx.xx.xx.19 eq www any
conduit permit tcp host xx.xx.xx.30 eq ftp any
conduit permit tcp host xx.xx.xx.196 any
conduit permit tcp host xx.xx.xx.197 any
conduit permit udp host xx.xx.xx.197 any
conduit permit udp host xx.xx.xx.196 any
conduit permit tcp host xx.xx.xx.18 eq www any
conduit permit tcp host xx.xx.xx.33 eq www any
conduit permit tcp host 192.168.xx.xx eq domain any
conduit permit udp host 192.168.xx.xx eq domain any
conduit permit tcp host 192.168.xx.xx eq domain any
conduit permit udp host 192.168.xx.xx eq domain any
conduit permit tcp host xx.xx.xx.60 range 5000 5050 any
conduit permit ip host xx.xx.xx.60 host xx.xx
conduit permit ip host xx.xx.xx.60 host xx.xx
conduit permit ip host xx.xx.xx.60 host xx.xx
conduit permit ip host xx.xx.xx.60 host xx.xx
conduit permit tcp host xx.xx.xx.60 eq 5001 host xx.xx
conduit permit tcp host xx.xx.xx.60 eq 5001 host xx.xx 25
conduit permit tcp host xx.xx.xx.60 eq 5001 host xx.xx 26
conduit permit tcp host xx.xx.xx.60 eq 5001 host xx.xx
conduit permit tcp host xx.xx.xx.42 eq www any
conduit permit tcp host xx.xx.xx.42 eq smtp any
conduit permit tcp host xx.xx.xx.42 eq pop3 any
conduit permit tcp host xx.xx.xx.42 eq 443 any
conduit permit tcp host xx.xx.xx.42 eq 389 any
conduit permit tcp host xx.xx.xx.42 eq 3268 any
conduit permit tcp host xx.xx.xx.42 eq 143 any
conduit permit tcp host xx.xx.xx.42 eq 1050 any
conduit permit tcp host xx.xx.xx.42 eq 1055 any
conduit permit tcp host xx.xx.xx.42 eq 1060 any
conduit permit tcp host xx.xx.xx.13 eq www any
conduit permit tcp host xx.xx.xx.60 host xx.xx
conduit permit udp host xx.xx.xx.60 host xx.xx  
conduit permit ip host xx.xx.xx.60 host xx.xx
conduit permit tcp host xx.xx.xx.60 gt 1024 host xx.xx  
conduit permit udp host xx.xx.xx.60 gt 1024 host xx.xx
conduit permit tcp host xx.xx.xx.60 eq www host xx.xx
conduit permit tcp host xx.xx.xx.60 eq www host xx.xx
conduit permit tcp host xx.xx.xx.60 host xx.xx
conduit permit tcp host xx.xx.xx.60 eq 5001 host xx.xx
conduit permit tcp host xx.xx.xx.2 eq 1723 any
conduit permit tcp host xx.xx.xx.3 eq 1723 any
conduit permit tcp host xx.xx.xx.188 eq 1723 any
conduit permit tcp host xx.xx.xx.188 eq 47 any

Expert Comment

by:td_miles
ID: 9719771
OK, that's what I kinda thought. You can't have both access-list and conduit.

quote:
http://www.cisco.com/warp/public/707/28.html
---------------------
In PIX software versions 5.0.1 and later, ACLs with access groups can be used instead of conduits. Conduits are still available, but the decision should be made whether to use conduits or ACLs. It is not advisable to combine ACLs and conduits on the same configuration. If both are configured, ACLs will take preference over the conduits.
---------------------

So when you applied the access-list you created for the VPN access to the outside interface, it took precedence over all of your conduits (and hence stopped your email, as well as pretty much everything else probably).

So there are two options: add the VPN lines to a conduit or rewrite the conduits as an ACL. ACL is the preferred method, but use whatever you feel most comfortable with. It probably wouldn't be a bad time to review your security and decide if all of the conduits are still required, or if some are redundant. The only reason I say this is that it looks like a list that has been gradually added to over time, and from experience new entries are added but old ones are not often deleted.
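For the "rewrite the conduits as an ACL" route recommended above, here is an added example (written for this page, not code from the thread or from Cisco): a small Python converter that turns each PIX conduit line into the equivalent access-list line. It assumes the ACL name acl-out from the question; the sample config lines and addresses are constructed placeholders.

```python
# Added example for this thread, not Cisco's tool: rewrite PIX 'conduit' lines as
# 'access-list' lines (the ACL-only route td_miles recommends). A conduit names the
# global (mapped) address first, then the foreign (outside) address; an ACL applied
# inbound on the outside interface lists source (foreign) then destination (global),
# so the halves swap, each keeping its own port operator. Once an access-group is
# applied the conduits are ignored, so every conduit still needed must be converted.
from typing import List, Tuple

PORT_OPS = {"eq", "gt", "lt", "neq"}  # operators that take one port argument

def _addr(t: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any', 'host X' or 'X MASK' starting at t[i]."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return f"host {t[i + 1]}", i + 2
    return f"{t[i]} {t[i + 1]}", i + 2

def _port(t: List[str], i: int) -> Tuple[str, int]:
    """Consume an optional tcp/udp port operator at t[i]; '' if none."""
    if i < len(t) and t[i] in PORT_OPS:
        return f" {t[i]} {t[i + 1]}", i + 2
    if i < len(t) and t[i] == "range":
        return f" range {t[i + 1]} {t[i + 2]}", i + 3
    return "", i

def conduit_to_acl(line: str, acl_name: str = "acl-out") -> str:
    """Return the access-list line equivalent to one conduit line."""
    t = line.split()
    if len(t) < 5 or t[0] != "conduit" or t[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit line: {line!r}")
    glob, i = _addr(t, 3)          # global (mapped) address, optional port
    gport, i = _port(t, i)
    foreign, i = _addr(t, i)       # foreign (outside) address, optional port
    fport, i = _port(t, i)
    if i != len(t):                # e.g. an icmp type; not handled here
        raise ValueError(f"unsupported trailing tokens: {line!r}")
    return f"access-list {acl_name} {t[1]} {t[2]} {foreign}{fport} {glob}{gport}"

def convert_config(config: str, acl_name: str = "acl-out") -> List[str]:
    """Convert every conduit line in a config dump; other lines are skipped."""
    return [conduit_to_acl(l, acl_name) for l in config.splitlines()
            if l.strip().startswith("conduit ")]

# Constructed sample using documentation-range placeholder addresses.
SAMPLE = ("conduit permit icmp any any\n"
          "conduit permit tcp host 203.0.113.4 eq smtp any\n"
          "conduit permit tcp host 203.0.113.60 gt 1024 host 198.51.100.7\n"
          "static (inside,outside) 203.0.113.4 192.168.1.4 netmask 255.255.255.255 0 0\n")
```

After converting, the resulting lines are applied with `access-group acl-out in interface outside`, and the conduit lines can then be removed.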

Author Comment

by:welshiv
ID: 9724418
Having never done it, what lines would I use to add the VPN lines to a conduit for now, while I rewrite everything as an ACL? Really appreciate the help.

Accepted Solution

by:td_miles (earned 250 total points)
ID: 9726724
You should only need to add two lines:

conduit permit esp any host 216.x.x.x
conduit permit udp any eq isakmp host 216.x.x.x

You may need to add a third line to permit gre, but shouldn't be necessary, as you're not doing GRE tunnels (are you ?):

conduit permit gre any host 216.x.x.x

For an example of what you are trying to achieve and the relevant config of the PIX, see the following link. It is a situation where they are setting up a VPN between two Cisco routers, where one of them is behind a PIX firewall using a static NAT.
http://www.cisco.com/warp/public/707/ipsecnat.html

Author Comment

by:welshiv
ID: 9726888
Thanks for all your help!