Solved

PIX-to-PIX Site-to-Site VPN connection works only in one direction

Posted on 2004-04-07
8
855 Views
Last Modified: 2013-11-16
Hi,

I'm running into some VPN-configuration-problem which is driving me nuts.

Headquarters PIX 515 E
Remote Site PIX 501
Roadwarriors wich Cisco VPN Client 4 on WinXP

The VPN client configuration works just fine.
When setting up the Site-to-Site VPN between Headquarters and the remote site, I have the following problem:
The connection FROM the remote site TO headquarters is working just fine, i.e. I can browse the network neighbourhood, access any computer at headquarters, even the mailserver which is located in a dmz.
However, I cannot connect FROM headquarters TO the remote site. The headquarters PIX tells me something like "access from 192.168.135.55 to 192.168.185.55 denied by access-list inside_if", so I figure the headquarters PIX does not understand it is supposed to encrypt the traffic.
How can that be, when the VPN-connection works fine in the other direction? I don't get it.
inside_if is the access-list applied to the inside interface; it does only contain permit statements. But this should not touch my problem since I'm using sysopt connection permit-ipsec.

Below are some configuration sniplets.

I'd really appreciate if anyone could help me.

Thanks!
Andreas

PIX 515 (headquarters)

PIX Version 6.3(1)
access-list inside_outbound_nat0_acl permit ip 192.168.135.0 255.255.255.0 192.168.145.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.135.128 255.255.255.128
access-list inside_outbound_nat0_acl permit ip 192.168.135.0 255.255.255.0 192.168.185.0 255.255.255.0
access-list roadwarrior_splitTunnelAcl permit ip 192.168.135.0 255.255.255.0 any
access-list roadwarrior_splitTunnelAcl permit ip host [external IP of Mailserver standing in DMZ; needed for access from Software Clients] any
access-list outside_cryptomap_dyn_10 permit ip any 192.168.135.128 255.255.255.128
access-list outside_cryptomap_dyn_10 permit ip any 192.168.180.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip any 192.168.170.0 255.255.255.0
access-list dmz_outbound_nat0_acl permit ip host 192.168.145.2 192.168.185.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.135.0 255.255.255.0 192.168.185.0 255.255.255.0
access-list outside_cryptomap_20 permit ip host 192.168.145.2 192.168.185.0 255.255.255.0
ip local pool warriorpool 192.168.135.180-192.168.135.189
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer [remote PIX IP]
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address [remote PIX IP] netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash md5
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
vpngroup roadwarrior address-pool warriorpool
vpngroup roadwarrior split-tunnel roadwarrior_splitTunnelAcl
vpngroup roadwarrior idle-time 1800
vpngroup roadwarrior password ********


PIX 501 (remote site)

PIX Version 6.3(1)
access-list inside_outbound_nat0_acl permit ip 192.168.185.0 255.255.255.0 192.168.135.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.185.0 255.255.255.0 host 192.168.145.2
access-list outside_cryptomap_20 permit ip 192.168.185.0 255.255.255.0 192.168.135.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.185.0 255.255.255.0 host 192.168.145.2
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer [headquarters PIX IP]
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address [headquarters PIX IP] netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
0
Comment
Question by:a_hilboll
  • 5
  • 3
8 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10778131
>sysopt connection permit-ipsec
Only bypasses outside interface access-lists, not outbound from inside hosts

I don't see your access-list inside_if anywhere in the config snippits you've posted..


0
 

Author Comment

by:a_hilboll
ID: 10778403
> Only bypasses outside interface access-lists, not outbound from inside hosts
So what do I do to explicitly permit outbound ipsec traffic?

However, even when I added access-list inside_if permit ip any any, it didn't work. No message in syslog then, obviously.

Without the permit any any, the exact error message was something like
"access from udp 192.168.135.55 eq 137  to 192.168.185.55 eq 137 denied by access-list inside_if".

I thought the Cisco Docs said that traffic from inside to outside was always permitted by default unless it is explicitly denied?

access-list inside_if only contains permit statements from inside to outside (and to dmz). However, no specific rule to permit ipsec outbound traffic.

Any ideas?

Thanks,
Andreas
0
 

Author Comment

by:a_hilboll
ID: 10778476
PS: Sorry, but I can't post the exact contents of inside_if right now, since I'm already at home (getting late in Europe...). If needed I can do so tomorrow. However, I don't see why this should matter since the problem still exists with an "access-list inside_if permit ip any any" statement...
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 400 total points
ID: 10778480
>I thought the Cisco Docs said that traffic from inside to outside was always permitted by default unless it is explicitly denied?
Only with the default config of no outbound access-list. Once you apply a single permit, then you end up with an implicit deny everything not expressly permitted.
Try removing the acl from the inside:
no access-group inside_if in interface inside

If it now works, then you can add appropriate statements like:

access-list inside_if permit ip 192.168.135.0 255.255.255.0 192.168.185.0 255.255.255.0
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:a_hilboll
ID: 10778499
Thanks for the answer; I'll try first thing tomorrow morning.
0
 

Author Comment

by:a_hilboll
ID: 10783122
So, I tested, and after some trial-and-error, it's working fine.
In fact, I had two problems at the same time:
The access-list denied the outbound ipsec traffic (here I have to say that Cisco's docs are not that great: in the command reference, as for sysopt connection permit-ipsec, it says that ipsec traffic will pass through any access-lists, not just through the one applied to the interface where the tunnel is terminating.)
The second problem was that for some reason, my laptop, which I used as the only machine connected to the inside interface of the remote site pix, did not answer any requests, even though  I have no personal firewall installed. So no wonder I didn't get a response. I figured this one out by counting the ipsec packages on the remote site pix, noting that there were packages being decrypted, but none encrypted (after I permitted ipsec traffic on the main pix).
Thanks a lot!
ANdreas
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10783641
> I have no personal firewall installed.
But, do you have the Cisco VPN client installed? IT has a personal firewall built-in

Glad you're working!

0
 

Author Comment

by:a_hilboll
ID: 10783873
> But, do you have the Cisco VPN client installed? IT has a personal firewall built-in

You're right, I do have the Cisco VPN Client installed. Thanks again!
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
This video discusses moving either the default database or any database to a new volume.
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now