welshiv

Configuring Microsoft VPN via Cisco PIX (ver. 5.1(4))

I need to set up a single user (for now) for VPN access. We set up a Windows 2000 server and configured the client and the PIX and tested it and it worked fine. Unfortunately, this caused the Exchange server to stop receiving outside e-mails, so I quickly backed off the added config. Here is what I added that caused the problem:
access-list acl-out permit gre any host 216.xx.xx.xx
access-list acl-out permit tcp any host 216.xx.xx.xx

static (inside,outside) 216.xx.xx.xx 192.168.xx.xx netmask 255.255.255.255 0

access-group acl-out in interface outside

This worked fine, but caused the problem mentioned above. I used the "permit any" statement as opposed to an IP address because we don't have that information for the client as yet. Will simply changing the access-list acl-out statements to permit with a specific IP fix this, or is there something else? And, why would this cause the Exchange server to stop receiving outside e-mail? Thanks.
td_miles

Is that the full access list?
Was there previously an ACL applied on the outside interface?

If that is the full ACL, then yes, inbound SMTP could be blocked, as the ACL doesn't permit it anywhere. If this is part of a larger ACL, then it's hard to say without seeing the full details.

I guess the other question to ask is, is the win2k server that is doing the VPN endpoint the same server that Exchange is running on?

Can you post full config from your PIX (make sure to remove passwords and real IP addresses).
welshiv (ASKER)

There was no ACL applied before this one and the VPN endpoint is not the same server as the Exchange server. I could post the whole config, but it prints out to 6 pages, so pretty long, but will do if absolutely necessary to resolve.

Here is access list:

access-list 100 permit ip 192.168.xx.xx 255.255.254.0 192.168.xx.xx 255.255.255.0
access-list 100 deny tcp any any eq 1214
access-list 100 deny tcp any any eq 6346
access-list 100 deny tcp any any eq 6347
access-list 100 deny tcp any any eq 6348
access-list 100 deny tcp any any eq 6355
access-list 100 deny udp any any eq 1214
access-list 100 deny udp any any eq 6346
access-list 100 deny udp any any eq 6347
access-list 100 deny udp any any eq 6348
access-list 100 deny udp any any eq 6355
access-list 100 deny tcp any any eq 6699
access-list 100 deny udp any any eq 6699
access-list 100 deny ip any host xx.xx.xx.xx
access-list 110 permit ip 192.168.xx.xx 255.255.254.0 192.168.xx.xx 255.255.255.0
access-list 110 permit ip 192.168.xx.xx 255.255.255.0 192.168.xx.xx 255.255.255.0
access-list nonat permit ip 192.168.xx.xx 255.255.254.0 192.168.xx.xx 255.255.255.0
access-list nonat permit ip 192.168.xx.xx 255.255.254.0 192.168.xx.xx 255.255.255.0
access-list nonat permit ip 192.168.xx.xx 255.255.255.0 192.168.xx.xx 255.255.255.0
Is this enough information?
Can you also include the "static" commands as well? If there was no ACL applied to the outside interface, then what do the ACLs that you have supplied apply to?

If there was no ACL on the outside interface, what about conduits? Something must have been allowing your Exchange server to receive SMTP from outside?
welshiv (ASKER)

Here it is:
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.xx.xx 255.255.254.0 0 0
static (inside,outside) xx.xx.xx.4 192.168.xx.xx  netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.39 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.49 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.33 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.35 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.19 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.25 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.27 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.28 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.29 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.196 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.197 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.18 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.59 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.43 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.44 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.45 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.30 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.60 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.41 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.42 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.13 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.3 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.188 192.168.xx.xx netmask 255.255.255.255 0 0

conduit permit icmp any any
conduit permit tcp host xx.xx.xx.4 eq www any
conduit permit tcp host xx.xx.xx.4 eq smtp any
conduit permit tcp host xx.xx.xx.4 eq pop3 any
conduit permit tcp host xx.xx.xx.4 eq 443 any
conduit permit tcp host xx.xx.xx.4 eq 389 any
conduit permit tcp host xx.xx.xx.4 eq 3268 any
conduit permit tcp host xx.xx.xx.4 eq 143 any
conduit permit tcp host xx.xx.xx.35 eq www any
conduit permit tcp host xx.xx.xx.39 eq www any
conduit deny tcp host xx.xx.xx.36 eq 139 any
conduit permit tcp host xx.xx.xx.4 eq 1050 any
conduit permit tcp host xx.xx.xx.4 eq 1055 any
conduit permit tcp host xx.xx.xx.4 eq 1060 any
conduit permit tcp host xx.xx.xx.59 eq www any
conduit permit tcp host xx.xx.xx.49 eq 1494 any
conduit permit udp host xx.xx.xx.49 eq 1494 any
conduit permit tcp host xx.xx.xx.27 eq www any
conduit permit tcp host xx.xx.xx.28 eq www any
conduit permit tcp host xx.xx.xx.29 eq ftp any
conduit permit tcp host xx.xx.xx.25 eq www any
conduit permit tcp host xx.xx.xx.19 eq www any
conduit permit tcp host xx.xx.xx.30 eq ftp any
conduit permit tcp host xx.xx.xx.196 any
conduit permit tcp host xx.xx.xx.197 any
conduit permit udp host xx.xx.xx.197 any
conduit permit udp host xx.xx.xx.196 any
conduit permit tcp host xx.xx.xx.18 eq www any
conduit permit tcp host xx.xx.xx.33 eq www any
conduit permit tcp host 192.168.xx.xx eq domain any
conduit permit udp host 192.168.xx.xx eq domain any
conduit permit tcp host 192.168.xx.xx eq domain any
conduit permit udp host 192.168.xx.xx eq domain any
conduit permit tcp host xx.xx.xx.60 range 5000 5050 any
conduit permit ip host xx.xx.xx.60 host xx.xx
conduit permit ip host xx.xx.xx.60 host xx.xx
conduit permit ip host xx.xx.xx.60 host xx.xx
conduit permit ip host xx.xx.xx.60 host xx.xx
conduit permit tcp host xx.xx.xx.60 eq 5001 host xx.xx
conduit permit tcp host xx.xx.xx.60 eq 5001 host xx.xx 25
conduit permit tcp host xx.xx.xx.60 eq 5001 host xx.xx 26
conduit permit tcp host xx.xx.xx.60 eq 5001 host xx.xx
conduit permit tcp host xx.xx.xx.42 eq www any
conduit permit tcp host xx.xx.xx.42 eq smtp any
conduit permit tcp host xx.xx.xx.42 eq pop3 any
conduit permit tcp host xx.xx.xx.42 eq 443 any
conduit permit tcp host xx.xx.xx.42 eq 389 any
conduit permit tcp host xx.xx.xx.42 eq 3268 any
conduit permit tcp host xx.xx.xx.42 eq 143 any
conduit permit tcp host xx.xx.xx.42 eq 1050 any
conduit permit tcp host xx.xx.xx.42 eq 1055 any
conduit permit tcp host xx.xx.xx.42 eq 1060 any
conduit permit tcp host xx.xx.xx.13 eq www any
conduit permit tcp host xx.xx.xx.60 host xx.xx
conduit permit udp host xx.xx.xx.60 host xx.xx  
conduit permit ip host xx.xx.xx.60 host xx.xx
conduit permit tcp host xx.xx.xx.60 gt 1024 host xx.xx  
conduit permit udp host xx.xx.xx.60 gt 1024 host xx.xx
conduit permit tcp host xx.xx.xx.60 eq www host xx.xx
conduit permit tcp host xx.xx.xx.60 eq www host xx.xx
conduit permit tcp host xx.xx.xx.60 host xx.xx
conduit permit tcp host xx.xx.xx.60 eq 5001 host xx.xx
conduit permit tcp host xx.xx.xx.2 eq 1723 any
conduit permit tcp host xx.xx.xx.3 eq 1723 any
conduit permit tcp host xx.xx.xx.188 eq 1723 any
conduit permit tcp host xx.xx.xx.188 eq 47 any
OK, that's what I kinda thought. You can't have both access-list and conduit.

quote:
http://www.cisco.com/warp/public/707/28.html
---------------------
In PIX software versions 5.0.1 and later, ACLs with access groups can be used instead of conduits. Conduits are still available, but the decision should be made whether to use conduits or ACLs. It is not advisable to combine ACLs and conduits on the same configuration. If both are configured, ACLs will take preference over the conduits.
---------------------

So when you applied the access-list you created for the VPN access to the outside interface, it took precedence over all of your conduits (and hence stopped your email, as well as pretty much everything else probably).

So there are two options: add the VPN lines to a conduit, or rewrite the conduits as an ACL. ACL is the preferred method, but use whatever you feel most comfortable with. It probably wouldn't be a bad time to review your security and decide if all of the conduits are still required, or if some are redundant. The only reason I say this is that it looks like a list that has been gradually added to over time, and from experience new entries are added but old ones are not often deleted.
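The conduit-to-ACL rewrite recommended above, as an added example that is not from this thread or from Cisco: a small Python translator for PIX 5.x/6.x conduit syntax, plus a check that lists which existing conduits a candidate ACL fails to cover (the asker's two-line VPN ACL covered nothing but the VPN host, which is why inbound SMTP stopped the moment access-group was applied). The addresses are constructed documentation-range values, the helper names are my own, and the GRE conduit uses the gre protocol keyword because GRE is IP protocol 47, not a TCP port.

```python
# Added example (not from the thread): translate PIX 5.x/6.x conduit lines into
# equivalent access-list lines, then list the conduits a candidate ACL does not cover.
def _addr(t, i):
    """Consume one address spec (any | host A | A MASK) from tokens t at index i."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return f"host {t[i + 1]}", i + 2
    return f"{t[i]} {t[i + 1]}", i + 2

def _port(t, i):
    """Consume an optional port operator: eq/gt/lt/neq X, or range X Y."""
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        return f"{t[i]} {t[i + 1]}", i + 2
    if i < len(t) and t[i] == "range":
        return f"range {t[i + 1]} {t[i + 2]}", i + 3
    return "", i

def conduit_to_acl(line, acl_name="acl-out", ports=True):
    """conduit ACTION PROTO GLOBAL [port] FOREIGN [port] becomes
    access-list NAME ACTION PROTO FOREIGN [port] GLOBAL [port]: ACLs are written
    source-first, so the conduit's foreign (outside) side becomes the ACL source."""
    t = line.split()
    if len(t) < 5 or t[0] != "conduit" or t[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit line: {line!r}")
    glob, i = _addr(t, 3)
    gport, i = _port(t, i)
    foreign, i = _addr(t, i)
    fport, i = _port(t, i)
    if i != len(t):
        raise ValueError(f"unparsed tokens in {line!r}: {t[i:]}")
    parts = [f"access-list {acl_name}", t[1], t[2], foreign,
             fport if ports else "", glob, gport if ports else ""]
    return " ".join(p for p in parts if p)

def uncovered_conduits(conduits, acl_lines, acl_name="acl-out"):
    """Conduits no ACL line matches, exactly or as the same line without ports (a
    broader permit). An applied ACL overrides every conduit, so these stop working."""
    have = {" ".join(l.split()) for l in acl_lines}
    return [c for c in conduits
            if not {conduit_to_acl(c, acl_name), conduit_to_acl(c, acl_name, False)} & have]

# Constructed sample: conduits like those posted, and the two-line VPN ACL the asker applied.
SAMPLE_CONDUITS = [
    "conduit permit tcp host 203.0.113.4 eq smtp any",    # the Exchange host
    "conduit permit tcp host 203.0.113.188 eq 1723 any",  # PPTP control channel
    "conduit permit gre host 203.0.113.188 any",          # GRE is IP protocol 47, not tcp eq 47
]
VPN_ONLY_ACL = ["access-list acl-out permit gre any host 203.0.113.188",
                "access-list acl-out permit tcp any host 203.0.113.188"]
```

Running uncovered_conduits(SAMPLE_CONDUITS, VPN_ONLY_ACL) returns only the SMTP conduit: the broad "permit tcp any host .188" line already subsumes the 1723 conduit, and the gre line matches exactly.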
welshiv (ASKER)

Having never done it, what lines would I use to add the VPN lines to a conduit for now, while I rewrite everything as an ACL? Really appreciate the help.
ASKER CERTIFIED SOLUTION
td_miles

welshiv (ASKER)

Thanks for all your help!