Solved

PIX VPN Mail problem

Posted on 2004-03-29
Last Modified: 2013-11-16
I have 2 problems!

I have set up IPsec VPN for Cisco clients to a PIX 515E, with 2 interfaces.

1. Our problem is that the mail server of the company is on the inside.
Let's say 192.168.0.23 (inside net 192.168.0.0 255.255.252.0).
It is NATed to an outside address and the DNS has the record
mail.xxx.com pointing to the NAT address. We have excluded the VPN IPsec network.
We have found out that Exchange doesn't like fixup protocol smtp 25 / Mail Guard, so we
took it away.
All users on the inside can get mail, but NOT the VPN users, unless they use a Citrix client.
I have routes for the VPN network in all routers. We have a validation problem
between the Exchange and the PIX, but will start RADIUS for this later, but that is no
solution.
The strange thing we see is that when we try to get DNS for the mail server it uses
the outside address. But for every other name we get the inside addresses. And everything
points to the PIX. Internal DNS 192.168.0.3 is the first in the IPsec rules. Outside DNS is present
as well, let's say 10.1.1.1.
 
VPN ipsec net 192.168.9.0/27
VPN PPTP net 192.168.9.64/27

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 10baset
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
hostname pix
domain-name xxxx.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1734
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list acl_out permit tcp any host x.x.x.x eq smtp
access-list acl_out permit tcp any host x.x.x.x eq ident
access-list acl_out permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.9.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.9.0 255.255.255.224
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.x 255.255.255.240
ip address inside 192.168.10.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool RottneipsecPool 192.168.9.10-192.168.9.30
ip local pool RottnepptpPool 192.168.9.70-192.168.9.90
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.4.0 255.255.254.0 0 0
nat (inside) 1 192.168.6.0 255.255.254.0 0 0
nat (inside) 1 192.168.0.0 255.255.252.0 0 0
static (inside,outside) x.x.x.x 192.168.0.23 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.0.0 255.255.252.0 192.168.10.254 1
route inside 192.168.4.0 255.255.254.0 192.168.10.254 1
route inside 192.168.6.0 255.255.254.0 192.168.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup RottneVPN address-pool RottneipsecPool
vpngroup RottneVPN dns-server 192.168.0.3 10.1.1.1
vpngroup RottneVPN wins-server 192.168.0.3
vpngroup RottneVPN default-domain rottne.com
vpngroup RottneVPN idle-time 1800
vpngroup RottneVPN password ********
vpdn group RottnePPTP accept dialin pptp
vpdn group RottnePPTP ppp authentication chap
vpdn group RottnePPTP ppp authentication mschap
vpdn group RottnePPTP ppp encryption mppe auto
vpdn group RottnePPTP client configuration address local RottnepptpPool
vpdn group RottnePPTP client configuration dns 10.1.1.1 192.168.0.3
vpdn group RottnePPTP client configuration wins 192.168.0.3
vpdn group RottnePPTP pptp echo 40
vpdn group RottnePPTP client authentication local

 
2. And our PPTP users can't ping anything on the inside. But this is probably because
we separated the two pools and they're not excluded from NAT, but we must fix the IPsec issue first.


 
Question by: steff66

17 Comments

LVL 23

Expert Comment

by:Tim Holman
ID: 10723860
Use of the 'alias' command will enable internal users to use the external mail address & DNS record.  This will intercept the outgoing DNS request, and send back the internal IP address, instead of the external one.

LVL 1

Author Comment

by:steff66
ID: 10724170
The case is that alias isn't supported in PIX 6.3. The PDM says so anyway. They want you to use the new NAT commands for this, but this doesn't help the VPN users. The mail server is on the inside. But for some reason all services' DNS names point to the internal IPs except for the mail server, which for some reason gets an external one.
The question is from where. It must be the PIX. We have now tried to take away the fixup as I mentioned.
And we have made some changes. But please, if anyone knows anything I don't, please comment...
LVL 23

Expert Comment

by:Tim Holman
ID: 10776068
vpngroup RottneVPN dns-server 192.168.0.3 10.1.1.1
vpngroup RottneVPN default-domain rottne.com

If your mail server does not end in rottne.com, then DNS requests from your VPN client will be sent out to the Internet DNS servers, which is why they're getting an external resolution.

Split tunnelling will probably help you -

access-list split permit ip any 192.168.9.0 255.255.255.224
vpngroup RottneVPN split-tunnel split
vpngroup RottneVPN split-dns rottne.com
LVL 1

Author Comment

by:steff66
ID: 10781260
For IPsec users all works for a few days. My problem now is my second problem. The PPTP users, who now use the same pool as the IPsec users, can log in but can't ping anything, can't do anything after login.
LVL 23

Expert Comment

by:Tim Holman
ID: 10782740
You need access lists stating that anything from your INTERNAL network can access the VPN POOLS, and is NOT NATted, so add this:

access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 192.168.9.0 255.255.255.128

Also, you need these to open up IPSEC and PPTP ports on the PIX.  Use these commands (saves you doing access lists):

sysopt connection permit-ipsec
sysopt connection permit-pptp

and... have you a PPTP username & password ?

vpdn username cisco password *********

and have you enabled PPTP on the outside ?

vpdn enable outside

If you could post up a full config, this would help.

I've got most of this from here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml

PS - You could do with PIX 6.3(3) !!
LVL 1

Author Comment

by:steff66
ID: 10782990
As you say, that isn't the full config. And all that you say is already there. The IPsec works and now we use the same net pool for both. Have tried different, but it doesn't help.

As I wrote, we can log in but can't ping anything.
LVL 23

Expert Comment

by:Tim Holman
ID: 10783510
Also, your crypto dyn map conflicts with your IP pools... ?
Could you post up the whole config please ?  Just make sure you hide the external Internet address and password hashes (they're reversible) so even if this falls into the wrong hands, they won't be able to do anything with it..  ;)
LVL 1

Author Comment

by:steff66
ID: 10784082
This is it...almost :o)

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 10baset
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
hostname pix
domain-name xxxx.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1734
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out permit tcp any host xxxx eq smtp
access-list acl_out permit tcp any host xxxx eq ident
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host xxxx eq telnet
access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.9.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.9.0 255.255.255.224
pager lines 24
logging trap warnings
logging host outside 10.1.1.2
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xxxx 255.255.255.240
ip address inside 192.168.10.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool RottneipsecPool 192.168.9.10-192.168.9.30
ip local pool RottnepptpPool 192.168.9.70-192.168.9.90
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.4.0 255.255.254.0 0 0
nat (inside) 1 192.168.6.0 255.255.254.0 0 0
nat (inside) 1 192.168.0.0 255.255.252.0 0 0
static (inside,outside) xxxx 192.168.0.23 netmask 255.255.255.255 0 0
static (inside,outside) xxxx 192.168.10.254 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 217.10.105.94 1
route inside 192.168.0.0 255.255.252.0 192.168.10.254 1
route inside 192.168.4.0 255.255.254.0 192.168.10.254 1
route inside 192.168.6.0 255.255.254.0 192.168.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup RottneVPN address-pool RottneipsecPool
vpngroup RottneVPN dns-server 192.168.0.3 10.1.1.1
vpngroup RottneVPN wins-server 192.168.0.3
vpngroup RottneVPN default-domain xxx.com
vpngroup RottneVPN idle-time 1800
vpngroup RottneVPN password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 30
console timeout 0
vpdn group RottnePPTP accept dialin pptp
vpdn group RottnePPTP ppp authentication chap
vpdn group RottnePPTP ppp authentication mschap
vpdn group RottnePPTP ppp encryption mppe auto
vpdn group RottnePPTP client configuration address local RottnepptpPool
vpdn group RottnePPTP client configuration dns 10.1.1.1 192.168.0.3
vpdn group RottnePPTP client configuration wins 192.168.0.3
vpdn group RottnePPTP pptp echo 40
vpdn group RottnePPTP client authentication local
vpdn username hli82 password *********
vpdn username admin password *********
vpdn username stefan password *********
vpdn username cljclj password *********
vpdn enable outside
username rax47 password xxxxx encrypted privilege 5
username uan59 password xxxxx encrypted privilege 5
username admin password xxxxxx encrypted privilege 15
username hans password xxxxx encrypted privilege 15
username cljclj password xxxx encrypted privilege 5
terminal width 80

LVL 1

Author Comment

by:steff66
ID: 10784093
But I see now that this wasn't the latest.
We have the same pool for both groups on the latest, but we have tried both.
LVL 23

Expert Comment

by:Tim Holman
ID: 10785195
Is there a route on your INTERNAL network pointing requests for clients in your VPN pool back to the PIX ?
LVL 1

Author Comment

by:steff66
ID: 10787093
Yes there is.
And the thing is that it works for the ipsec users.
I have routed all the /24 net of the pool users back to the PIX.
LVL 23

Accepted Solution

by: Tim Holman (earned 250 total points)
ID: 10796495
These need to be changed from 'any' to the internal network of your PIX:

access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.224

access-list inside_outbound_nat0_acl permit ip any 192.168.9.0 255.255.255.224

Also, does GRE and TCP port 1723 have a clear run between you and the firewall ?

PPTP uses GRE / port 1723, whereas IPSEC uses TCP/UDP port 500, so if one's working and the other isn't, it could be something as simple as a blocked port upstream ?

There's a more precise document on how to set all this up here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

...but you seem to have followed the steps in this anyway (except for the access-lists above).

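The accepted answer and the second problem in the question turn on two facts that can be read straight off the posted configuration: the "nat (inside) 0" exemption ACL uses "any" as its source, and the PPTP pool (192.168.9.70-192.168.9.90) lies outside the 192.168.9.0 255.255.255.224 destination that ACL exempts, so replies from the inside to PPTP clients fall through to "nat (inside) 1" and get translated. The script below is an added example for this page, not code from the thread or from Cisco. It parses the pool, ACL, nat, crypto-map and route lines from the posted config (embedded as a constructed sample with the same values) and reports which pools are not NAT-exempt, which nat 0 entries have an "any" source, which pools the dynamic crypto map's match ACL covers, and the explicit exemption lines the accepted answer calls for. The function names, the report format and the choice to express each pool as its smallest enclosing CIDR block are my own assumptions.

```python
import ipaddress

# Constructed sample: the pool, ACL, nat, crypto-map and route lines from the
# configuration posted in the question (external addresses are not needed here).
SAMPLE_CONFIG = """\
ip address inside 192.168.10.1 255.255.255.0
ip local pool RottneipsecPool 192.168.9.10-192.168.9.30
ip local pool RottnepptpPool 192.168.9.70-192.168.9.90
access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.9.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.9.0 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.4.0 255.255.254.0 0 0
nat (inside) 1 192.168.6.0 255.255.254.0 0 0
nat (inside) 1 192.168.0.0 255.255.252.0 0 0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
route inside 192.168.0.0 255.255.252.0 192.168.10.254 1
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _endpoint(tokens, i):
    """Parse one ACL endpoint ('any', 'host A' or 'A MASK'); return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def _add_inside(cfg, addr, mask):
    """Record a network that lives behind the inside interface (deduplicated)."""
    net = ipaddress.ip_network(addr + "/" + mask, strict=False)
    if net not in cfg["inside"]:
        cfg["inside"].append(net)


def parse_config(text):
    """Collect pools, ACLs, the nat 0 ACL name, the crypto match ACL name and inside nets."""
    cfg = {"pools": {}, "acls": {}, "nat0_acl": None, "crypto_acl": None, "inside": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "address", "inside"]:
            _add_inside(cfg, t[3], t[4])
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _endpoint(t, 4)
            dst, _ = _endpoint(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["nat", "(inside)", "0"]:
            cfg["nat0_acl"] = t[4]          # nat 0 with an ACL: NAT exemption
        elif t[:2] == ["nat", "(inside)"]:
            _add_inside(cfg, t[3], t[4])    # nat (inside) 1 ...: translated inside nets
        elif t[:2] == ["route", "inside"]:
            _add_inside(cfg, t[2], t[3])
        elif t[:2] == ["crypto", "dynamic-map"] and "address" in t:
            cfg["crypto_acl"] = t[t.index("address") + 1]
    return cfg


def _covered(lo, hi, entries):
    """True if some ACL destination contains the whole lo-hi pool range."""
    return any(lo in dst and hi in dst for _, dst in entries)


def pools_not_exempt(cfg):
    """Pools not fully covered by a nat 0 destination: replies from the inside to
    those clients fall through to nat (inside) 1 and get translated instead."""
    entries = cfg["acls"].get(cfg["nat0_acl"], [])
    return [n for n, (lo, hi) in cfg["pools"].items() if not _covered(lo, hi, entries)]


def any_source_entries(cfg):
    """nat 0 entries whose source is 'any' (the accepted answer narrows these)."""
    return [(s, d) for s, d in cfg["acls"].get(cfg["nat0_acl"], []) if s == ANY]


def pools_in_crypto_acl(cfg):
    """Pools whose whole range matches the dynamic crypto map's 'match address' ACL."""
    entries = cfg["acls"].get(cfg["crypto_acl"], [])
    return [n for n, (lo, hi) in cfg["pools"].items() if _covered(lo, hi, entries)]


def enclosing_network(lo, hi):
    """Smallest CIDR block that contains the whole lo-hi pool range."""
    net = ipaddress.ip_network(str(lo) + "/32")
    while hi not in net:
        net = net.supernet()
    return net


def suggested_nat0(cfg):
    """Explicit exemption lines: one per (inside network, pool block), no 'any' source."""
    lines = []
    for net in cfg["inside"]:
        for lo, hi in cfg["pools"].values():
            pool = enclosing_network(lo, hi)
            lines.append("access-list %s permit ip %s %s %s %s" % (
                cfg["nat0_acl"], net.network_address, net.netmask,
                pool.network_address, pool.netmask))
    return lines


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("pools not NAT-exempt:", pools_not_exempt(cfg))
    print("nat 0 entries with source 'any':", len(any_source_entries(cfg)))
    print("pools inside the crypto match ACL:", pools_in_crypto_acl(cfg))
    print("\n".join(suggested_nat0(cfg)))
```

On the posted values this reports RottnepptpPool as not exempt (the IPsec pool 192.168.9.10-.30 sits inside 192.168.9.0/27, the PPTP pool does not), both nat 0 entries as "any"-sourced, and only the IPsec pool inside the crypto match ACL, which is expected since PPTP does not use the crypto map. The script reads only what the PIX itself shows; it cannot confirm the internal routers' return routes for the pool, which the thread asks about separately, or whether GRE and TCP 1723 reach the outside interface, so those still need a check on the routers and a packet capture on the outside.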
LVL 79

Expert Comment

by:lrmoore
ID: 10807703
Are you still working on this? Do you need more information?
LVL 1

Author Comment

by:steff66
ID: 10810993
Still working on it! But as always, this isn't all I do, so time is limited for this problem.
Yes please, if you have anything useful.
And thanks Tim, I will look into that access-list tip.
LVL 19

Expert Comment

by:nodisco
ID: 15658574
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Delete - Refund

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

nodisco
EE Cleanup Volunteer
LVL 19

Expert Comment

by:nodisco
ID: 15660350
Change to:

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Accept - tim_holman

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

nodisco
EE Cleanup Volunteer