Configuring Microsoft VPN via Cisco PIX (ver. 5.1(4))

I need to set up a single user (for now) for VPN access. We set up a Windows 2000 server and configured the client and the PIX and tested it and it worked fine. Unfortunately, this caused the Exchange server to stop receiving outside e-mails, so I quickly backed off the added config. Here is what I added that caused the problem:


access-list acl-out permit gre any host 216.xx.xx.xx
access-list acl-out permit tcp any host 216.xx.xx.xx

static (inside,outside) 216.xx.xx.xx 192.168.xx.xx netmask 255.255.255.255 0

access-group acl-out in interface outside

This worked fine, but caused the problem mentioned above. I used the "permit any" statement as opposed to an IP address because we don't have that information for the client as yet. Will simply changing the access-list acl-out statements to permit with a specific IP fix this, or is there something else? And, why would this cause the Exchange server to stop receiving outside e-mail? Thanks.
welshiv Asked:

td_miles Commented:
Is that the full access list?
Was there previously an ACL applied on the outside interface?

If that is the full ACL, then yes, inbound SMTP could be blocked, as the ACL doesn't permit it anywhere. If this is part of a larger ACL, then it's hard to say without seeing the full details.

I guess the other question to ask is: is the Win2k server that is doing the VPN endpoint the same server that Exchange is running on?

Can you post full config from your PIX (make sure to remove passwords and real IP addresses).
0
welshiv (Author) Commented:
There was no ACL applied before this one and the VPN endpoint is not the same server as the Exchange server. I could post the whole config, but it prints out to 6 pages, so pretty long, but will do if absolutely necessary to resolve.

Here is access list:

access-list 100 permit ip 192.168.xx.xx 255.255.254.0 192.168.xx.xx 255.255.255.0
access-list 100 deny tcp any any eq 1214
access-list 100 deny tcp any any eq 6346
access-list 100 deny tcp any any eq 6347
access-list 100 deny tcp any any eq 6348
access-list 100 deny tcp any any eq 6355
access-list 100 deny udp any any eq 1214
access-list 100 deny udp any any eq 6346
access-list 100 deny udp any any eq 6347
access-list 100 deny udp any any eq 6348
access-list 100 deny udp any any eq 6355
access-list 100 deny tcp any any eq 6699
access-list 100 deny udp any any eq 6699
access-list 100 deny ip any host xx.xx.xx.xx
access-list 110 permit ip 192.168.xx.xx 255.255.254.0 192.168.xx.xx 255.255.255.0
access-list 110 permit ip 192.168.xx.xx 255.255.255.0 192.168.xx.xx  255.255.255.0
access-list nonat permit ip 192.168.xx.xx 255.255.254.0 192.168.xx.xx  255.255.255.0
access-list nonat permit ip 192.168.xx.xx  255.255.254.0 192.168.xx.xx  255.255.255.0
access-list nonat permit ip 192.168.xx.xx 255.255.255.0 192.168.xx.xx  255.255.255.0


Is this enough information?
0
td_miles Commented:
Can you also include the "static" commands as well? If there was no ACL applied to the outside interface, then to what do the ACLs that you have supplied apply?

If there was no ACL on the outside interface, what about conduits? Something must have been allowing your Exchange server to receive SMTP from outside?
0

welshiv (Author) Commented:
Here it is:
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.xx.xx 255.255.254.0 0 0
static (inside,outside) xx.xx.xx.4 192.168.xx.xx  netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.39 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.49 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.33 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.35 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.19 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.25 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.27 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.28 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.29 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.196 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.197 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.18 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.59 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.43 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.44 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.45 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.30 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.60 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.41 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.42 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.13 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.3 192.168.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.188 192.168.xx.xx netmask 255.255.255.255 0 0

conduit permit icmp any any
conduit permit tcp host xx.xx.xx.4 eq www any
conduit permit tcp host xx.xx.xx.4 eq smtp any
conduit permit tcp host xx.xx.xx.4 eq pop3 any
conduit permit tcp host xx.xx.xx.4 eq 443 any
conduit permit tcp host xx.xx.xx.4 eq 389 any
conduit permit tcp host xx.xx.xx.4 eq 3268 any
conduit permit tcp host xx.xx.xx.4 eq 143 any
conduit permit tcp host xx.xx.xx.35 eq www any
conduit permit tcp host xx.xx.xx.39 eq www any
conduit deny tcp host xx.xx.xx.36 eq 139 any
conduit permit tcp host xx.xx.xx.4 eq 1050 any
conduit permit tcp host xx.xx.xx.4 eq 1055 any
conduit permit tcp host xx.xx.xx.4 eq 1060 any
conduit permit tcp host xx.xx.xx.59 eq www any
conduit permit tcp host xx.xx.xx.49 eq 1494 any
conduit permit udp host xx.xx.xx.49 eq 1494 any
conduit permit tcp host xx.xx.xx.27 eq www any
conduit permit tcp host xx.xx.xx.28 eq www any
conduit permit tcp host xx.xx.xx.29 eq ftp any
conduit permit tcp host xx.xx.xx.25 eq www any
conduit permit tcp host xx.xx.xx.19 eq www any
conduit permit tcp host xx.xx.xx.30 eq ftp any
conduit permit tcp host xx.xx.xx.196 any
conduit permit tcp host xx.xx.xx.197 any
conduit permit udp host xx.xx.xx.197 any
conduit permit udp host xx.xx.xx.196 any
conduit permit tcp host xx.xx.xx.18 eq www any
conduit permit tcp host xx.xx.xx.33 eq www any
conduit permit tcp host 192.168.xx.xx eq domain any
conduit permit udp host 192.168.xx.xx eq domain any
conduit permit tcp host 192.168.xx.xx eq domain any
conduit permit udp host 192.168.xx.xx eq domain any
conduit permit tcp host xx.xx.xx.60 range 5000 5050 any
conduit permit ip host xx.xx.xx.60 host xx.xx
conduit permit ip host xx.xx.xx.60 host xx.xx
conduit permit ip host xx.xx.xx.60 host xx.xx
conduit permit ip host xx.xx.xx.60 host xx.xx
conduit permit tcp host xx.xx.xx.60 eq 5001 host xx.xx
conduit permit tcp host xx.xx.xx.60 eq 5001 host xx.xx 25
conduit permit tcp host xx.xx.xx.60 eq 5001 host xx.xx 26
conduit permit tcp host xx.xx.xx.60 eq 5001 host xx.xx
conduit permit tcp host xx.xx.xx.42 eq www any
conduit permit tcp host xx.xx.xx.42 eq smtp any
conduit permit tcp host xx.xx.xx.42 eq pop3 any
conduit permit tcp host xx.xx.xx.42 eq 443 any
conduit permit tcp host xx.xx.xx.42 eq 389 any
conduit permit tcp host xx.xx.xx.42 eq 3268 any
conduit permit tcp host xx.xx.xx.42 eq 143 any
conduit permit tcp host xx.xx.xx.42 eq 1050 any
conduit permit tcp host xx.xx.xx.42 eq 1055 any
conduit permit tcp host xx.xx.xx.42 eq 1060 any
conduit permit tcp host xx.xx.xx.13 eq www any
conduit permit tcp host xx.xx.xx.60 host xx.xx
conduit permit udp host xx.xx.xx.60 host xx.xx  
conduit permit ip host xx.xx.xx.60 host xx.xx
conduit permit tcp host xx.xx.xx.60 gt 1024 host xx.xx  
conduit permit udp host xx.xx.xx.60 gt 1024 host xx.xx
conduit permit tcp host xx.xx.xx.60 eq www host xx.xx
conduit permit tcp host xx.xx.xx.60 eq www host xx.xx
conduit permit tcp host xx.xx.xx.60 host xx.xx
conduit permit tcp host xx.xx.xx.60 eq 5001 host xx.xx
conduit permit tcp host xx.xx.xx.2 eq 1723 any
conduit permit tcp host xx.xx.xx.3 eq 1723 any
conduit permit tcp host xx.xx.xx.188 eq 1723 any
conduit permit tcp host xx.xx.xx.188 eq 47 any
0
td_miles Commented:
OK, that's what I kinda thought. You can't have both access-list and conduit.

quote:
http://www.cisco.com/warp/public/707/28.html
---------------------
In PIX software versions 5.0.1 and later, ACLs with access groups can be used instead of conduits. Conduits are still available, but the decision should be made whether to use conduits or ACLs. It is not advisable to combine ACLs and conduits on the same configuration. If both are configured, ACLs will take preference over the conduits.
---------------------

So when you applied the access-list you created for the VPN access to the outside interface, it took precedence over all of your conduits (and hence stopped your email, as well as pretty much everything else probably).

So there are two options: add the VPN lines to a conduit, or rewrite the conduits as an ACL. ACL is the preferred method, but use whatever you feel most comfortable with. It probably wouldn't be a bad time to review your security and decide if all of the conduits are still required, or if some are redundant. The only reason I say this is that it looks like a list that has been gradually added to over time, and from experience new entries are added but old ones are not often deleted.
0
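The rewrite recommended above has one classic pitfall: a conduit names the global (inside-mapped) address first and the foreign address second, while an inbound ACL on the outside interface names source (foreign) first and destination (global) second. The following is an added example, not code from the thread or from Cisco, that mechanically translates PIX conduit statements into an equivalent outside-interface ACL plus the access-group binding; the addresses are constructed documentation-range samples, not the poster's.

```python
# Added example, not from the thread. Conduit syntax:  proto GLOBAL[+port] FOREIGN[+port].
# Inbound ACL syntax on "outside":                     proto SOURCE[+port] DEST[+port].
# Source is the foreign side and destination the global side, so the endpoints swap.
# Sample addresses are constructed (RFC 5737 documentation ranges).

def _endpoint(tok, i):
    """Parse 'any' | 'host A' | 'A MASK' starting at tok[i]; return (text, next_index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"host {tok[i + 1]}", i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2

def _port_op(tok, i):  # optional 'eq/gt/lt/neq X' or 'range A B'
    if i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq"):
        return f"{tok[i]} {tok[i + 1]}", i + 2
    if i < len(tok) and tok[i] == "range":
        return f"range {tok[i + 1]} {tok[i + 2]}", i + 3
    return "", i

def conduit_to_acl(line, acl_name):
    """Return the access-list line equivalent to one conduit statement."""
    tok = line.split()
    try:
        if tok[0] != "conduit" or tok[1] not in ("permit", "deny"):
            raise ValueError(f"not a conduit statement: {line!r}")
        glob, i = _endpoint(tok, 3)
        glob_port, i = _port_op(tok, i)
        foreign, i = _endpoint(tok, i)
        foreign_port, i = _port_op(tok, i)
    except IndexError:
        raise ValueError(f"truncated conduit statement: {line!r}") from None
    if i != len(tok):  # stray trailing token: refuse rather than guess
        raise ValueError(f"unparsed tokens in {line!r}: {tok[i:]}")
    src = " ".join(t for t in (foreign, foreign_port) if t)
    dst = " ".join(t for t in (glob, glob_port) if t)
    return f"access-list {acl_name} {tok[1]} {tok[2]} {src} {dst}"

def rewrite_conduits(conduits, acl_name="acl-out", interface="outside"):
    """Translate every conduit in order (first match wins in both models), then bind
    the ACL. Once bound, conduits are ignored, so anything left out is denied."""
    acl = [conduit_to_acl(c, acl_name) for c in conduits]
    acl.append(f"access-group {acl_name} in interface {interface}")
    return acl

SAMPLE_CONDUITS = [  # constructed sample modelled on the thread's conduit list
    "conduit permit icmp any any",
    "conduit permit tcp host 203.0.113.4 eq smtp any",
    "conduit deny tcp host 203.0.113.36 eq 139 any",
    "conduit permit tcp host 203.0.113.60 gt 1024 host 198.51.100.7",
]
```

Run `rewrite_conduits(SAMPLE_CONDUITS)` and diff the result against the live conduit list before applying the access-group, since the binding is the moment the conduits stop being consulted.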
welshiv (Author) Commented:
Having never done it, what lines would I use to add the VPN lines to a conduit for now, while I rewrite everything as an ACL? Really appreciate the help.
0
td_miles Commented:
You should only need to add two lines:

conduit permit esp any host 216.x.x.x
conduit permit udp any eq isakmp host 216.x.x.x

You may need to add a third line to permit GRE, but it shouldn't be necessary, as you're not doing GRE tunnels (are you?):

conduit permit gre any host 216.x.x.x

For an example of what you are trying to achieve and the relevant config of the PIX, see the following link. It is a situation where they are setting up a VPN between two Cisco routers, where one of them is behind a PIX firewall using a static NAT.
http://www.cisco.com/warp/public/707/ipsecnat.html
0

welshiv (Author) Commented:
Thanks for all your help!
0