a_hilboll
asked on
PIX-to-PIX Site-to-Site VPN connection works only in one direction
Hi,
I'm running into some VPN-configuration-problem which is driving me nuts.
Headquarters PIX 515 E
Remote Site PIX 501
Roadwarriors wich Cisco VPN Client 4 on WinXP
The VPN client configuration works just fine.
When setting up the Site-to-Site VPN between Headquarters and the remote site, I have the following problem:
The connection FROM the remote site TO headquarters is working just fine, i.e. I can browse the network neighbourhood, access any computer at headquarters, even the mailserver which is located in a dmz.
However, I cannot connect FROM headquarters TO the remote site. The headquarters PIX tells me something like "access from 192.168.135.55 to 192.168.185.55 denied by access-list inside_if", so I figure the headquarters PIX does not understand it is supposed to encrypt the traffic.
How can that be, when the VPN-connection works fine in the other direction? I don't get it.
inside_if is the access-list applied to the inside interface; it does only contain permit statements. But this should not touch my problem since I'm using sysopt connection permit-ipsec.
Below are some configuration sniplets.
I'd really appreciate if anyone could help me.
Thanks!
Andreas
PIX 515 (headquarters)
PIX Version 6.3(1)
access-list inside_outbound_nat0_acl permit ip 192.168.135.0 255.255.255.0 192.168.145.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.135.128 255.255.255.128
access-list inside_outbound_nat0_acl permit ip 192.168.135.0 255.255.255.0 192.168.185.0 255.255.255.0
access-list roadwarrior_splitTunnelAcl
access-list roadwarrior_splitTunnelAcl
access-list outside_cryptomap_dyn_10 permit ip any 192.168.135.128 255.255.255.128
access-list outside_cryptomap_dyn_10 permit ip any 192.168.180.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip any 192.168.170.0 255.255.255.0
access-list dmz_outbound_nat0_acl permit ip host 192.168.145.2 192.168.185.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.135.0 255.255.255.0 192.168.185.0 255.255.255.0
access-list outside_cryptomap_20 permit ip host 192.168.145.2 192.168.185.0 255.255.255.0
ip local pool warriorpool 192.168.135.180-192.168.13
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer [remote PIX IP]
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address [remote PIX IP] netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash md5
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
vpngroup roadwarrior address-pool warriorpool
vpngroup roadwarrior split-tunnel roadwarrior_splitTunnelAcl
vpngroup roadwarrior idle-time 1800
vpngroup roadwarrior password ********
PIX 501 (remote site)
PIX Version 6.3(1)
access-list inside_outbound_nat0_acl permit ip 192.168.185.0 255.255.255.0 192.168.135.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.185.0 255.255.255.0 host 192.168.145.2
access-list outside_cryptomap_20 permit ip 192.168.185.0 255.255.255.0 192.168.135.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.185.0 255.255.255.0 host 192.168.145.2
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer [headquarters PIX IP]
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address [headquarters PIX IP] netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
I'm running into some VPN-configuration-problem which is driving me nuts.
Headquarters PIX 515 E
Remote Site PIX 501
Roadwarriors wich Cisco VPN Client 4 on WinXP
The VPN client configuration works just fine.
When setting up the Site-to-Site VPN between Headquarters and the remote site, I have the following problem:
The connection FROM the remote site TO headquarters is working just fine, i.e. I can browse the network neighbourhood, access any computer at headquarters, even the mailserver which is located in a dmz.
However, I cannot connect FROM headquarters TO the remote site. The headquarters PIX tells me something like "access from 192.168.135.55 to 192.168.185.55 denied by access-list inside_if", so I figure the headquarters PIX does not understand it is supposed to encrypt the traffic.
How can that be, when the VPN-connection works fine in the other direction? I don't get it.
inside_if is the access-list applied to the inside interface; it does only contain permit statements. But this should not touch my problem since I'm using sysopt connection permit-ipsec.
Below are some configuration sniplets.
I'd really appreciate if anyone could help me.
Thanks!
Andreas
PIX 515 (headquarters)
PIX Version 6.3(1)
access-list inside_outbound_nat0_acl permit ip 192.168.135.0 255.255.255.0 192.168.145.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.135.128 255.255.255.128
access-list inside_outbound_nat0_acl permit ip 192.168.135.0 255.255.255.0 192.168.185.0 255.255.255.0
access-list roadwarrior_splitTunnelAcl
access-list roadwarrior_splitTunnelAcl
access-list outside_cryptomap_dyn_10 permit ip any 192.168.135.128 255.255.255.128
access-list outside_cryptomap_dyn_10 permit ip any 192.168.180.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip any 192.168.170.0 255.255.255.0
access-list dmz_outbound_nat0_acl permit ip host 192.168.145.2 192.168.185.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.135.0 255.255.255.0 192.168.185.0 255.255.255.0
access-list outside_cryptomap_20 permit ip host 192.168.145.2 192.168.185.0 255.255.255.0
ip local pool warriorpool 192.168.135.180-192.168.13
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer [remote PIX IP]
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address [remote PIX IP] netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash md5
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
vpngroup roadwarrior address-pool warriorpool
vpngroup roadwarrior split-tunnel roadwarrior_splitTunnelAcl
vpngroup roadwarrior idle-time 1800
vpngroup roadwarrior password ********
PIX 501 (remote site)
PIX Version 6.3(1)
access-list inside_outbound_nat0_acl permit ip 192.168.185.0 255.255.255.0 192.168.135.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.185.0 255.255.255.0 host 192.168.145.2
access-list outside_cryptomap_20 permit ip 192.168.185.0 255.255.255.0 192.168.135.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.185.0 255.255.255.0 host 192.168.145.2
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer [headquarters PIX IP]
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address [headquarters PIX IP] netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
ASKER
> Only bypasses outside interface access-lists, not outbound from inside hosts
So what do I do to explicitly permit outbound ipsec traffic?
However, even when I added access-list inside_if permit ip any any, it didn't work. No message in syslog then, obviously.
Without the permit any any, the exact error message was something like
"access from udp 192.168.135.55 eq 137 to 192.168.185.55 eq 137 denied by access-list inside_if".
I thought the Cisco Docs said that traffic from inside to outside was always permitted by default unless it is explicitly denied?
access-list inside_if only contains permit statements from inside to outside (and to dmz). However, no specific rule to permit ipsec outbound traffic.
Any ideas?
Thanks,
Andreas
So what do I do to explicitly permit outbound ipsec traffic?
However, even when I added access-list inside_if permit ip any any, it didn't work. No message in syslog then, obviously.
Without the permit any any, the exact error message was something like
"access from udp 192.168.135.55 eq 137 to 192.168.185.55 eq 137 denied by access-list inside_if".
I thought the Cisco Docs said that traffic from inside to outside was always permitted by default unless it is explicitly denied?
access-list inside_if only contains permit statements from inside to outside (and to dmz). However, no specific rule to permit ipsec outbound traffic.
Any ideas?
Thanks,
Andreas
ASKER
PS: Sorry, but I can't post the exact contents of inside_if right now, since I'm already at home (getting late in Europe...). If needed I can do so tomorrow. However, I don't see why this should matter since the problem still exists with an "access-list inside_if permit ip any any" statement...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the answer; I'll try first thing tomorrow morning.
ASKER
So, I tested, and after some trial-and-error, it's working fine.
In fact, I had two problems at the same time:
The access-list denied the outbound ipsec traffic (here I have to say that Cisco's docs are not that great: in the command reference, as for sysopt connection permit-ipsec, it says that ipsec traffic will pass through any access-lists, not just through the one applied to the interface where the tunnel is terminating.)
The second problem was that for some reason, my laptop, which I used as the only machine connected to the inside interface of the remote site pix, did not answer any requests, even though I have no personal firewall installed. So no wonder I didn't get a response. I figured this one out by counting the ipsec packages on the remote site pix, noting that there were packages being decrypted, but none encrypted (after I permitted ipsec traffic on the main pix).
Thanks a lot!
ANdreas
In fact, I had two problems at the same time:
The access-list denied the outbound ipsec traffic (here I have to say that Cisco's docs are not that great: in the command reference, as for sysopt connection permit-ipsec, it says that ipsec traffic will pass through any access-lists, not just through the one applied to the interface where the tunnel is terminating.)
The second problem was that for some reason, my laptop, which I used as the only machine connected to the inside interface of the remote site pix, did not answer any requests, even though I have no personal firewall installed. So no wonder I didn't get a response. I figured this one out by counting the ipsec packages on the remote site pix, noting that there were packages being decrypted, but none encrypted (after I permitted ipsec traffic on the main pix).
Thanks a lot!
ANdreas
> I have no personal firewall installed.
But, do you have the Cisco VPN client installed? IT has a personal firewall built-in
Glad you're working!
But, do you have the Cisco VPN client installed? IT has a personal firewall built-in
Glad you're working!
ASKER
> But, do you have the Cisco VPN client installed? IT has a personal firewall built-in
You're right, I do have the Cisco VPN Client installed. Thanks again!
You're right, I do have the Cisco VPN Client installed. Thanks again!
Only bypasses outside interface access-lists, not outbound from inside hosts
I don't see your access-list inside_if anywhere in the config snippits you've posted..