Solved

VPN remote access through pix 515e firewall

Posted on 2004-08-04
5
482 Views
Last Modified: 2010-04-11
Hello all

This is the scenario: I have Easy VPN set up on my PIX. My boss and I both connect and map to the inside addresses of my servers. I am using a DSL/Linksys router and a DSL modem.
Wendy and friends over in Bala, PA are sharing office space as well as bandwidth to get out to the internet. When I use the Cisco VPN client over there with the same exact setup as I have at home, she can't map to any server's inside address. I went to the PDM on the PIX (I know PDM is for wimps) and checked to see if I can see her over the IPsec VPNs and IKE SAs. All looks well there, including decap/encap counters and QM_IDLE for the IKE SA.

My guess is that because we have version 6.2(2), not 6.3, we don't have that handy NAT transparency thing. But it seems like a cop out.

Question by:briankeegan
5 Comments
 
LVL 1

Expert Comment

by:rader19
ID: 11725138
OK, I have a couple of questions for you. Do you have sysopt ipsec pl-compatible in your PIX? Also, what type of license do you have for your PIX (how many IPsec tunnels are you allowed)? If you go to a command window and run show isakmp sa, what do you get? If you could post the config, please clean it up for security reasons.
 
LVL 1

Author Comment

by:briankeegan
ID: 11727518
Hello rader19
I have the pl-compatible command in. VPN works fine from home for me; I even map to the inside address (192.168.30.10).
I have unlimited IKE peers and throughput as well as unlimited hosts. I saw her PABala6 yesterday in the PDM (same as the show command) as QM_IDLE for the IKE SA.
 
LVL 1

Author Comment

by:briankeegan
ID: 11727750
bloomPix# show run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 2k9J.wpKv3oHMoTS encrypted
passwd H9lE/QgkAWLTcSC/ encrypted
hostname bloomPix
domain-name med-act-svcs.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name 207.41.173.194 moises
name 192.168.30.10 bloomfield
name 192.168.31.42 LouiseB
name 167.206.229.178 KenJ
name 68.194.62.58 LouiseB-Home
name 207.156.182.195 EdMendez
name 192.168.31.6 Wantagh2
name 192.168.31.5 Wantagh1
name 192.168.31.20 JoePC
name 207.202.92.200 MASJCMC
name 207.156.182.196 EdMendez1
name 24.47.246.159 JoeHome
name 205.231.238.2 Meridian
name 68.196.193.203 RayT-Home
name 68.38.253.206 Nor-Home
name 67.82.176.34 GinaK-Home
name 209.66.57.100 PABALA1
name 209.66.57.102 PABala3
name 209.66.57.101 PABala2
name 209.66.57.103 PABala4
name 209.66.57.105 PABala6
name 209.66.57.104 PAbala5
name 68.195.161.115 DinaHome1
name 69.33.129.190 CTI
name 68.36.28.177 Nor-Home1
name 68.37.72.18 Nor
name 138.88.164.189 RandySpringer
name 198.181.235.49 Columbia-VPN
name 156.111.224.180 Columbia-VPN1
name 20.137.68.46 SVCMC
name 10.20.30.45 nor-on-the-road
name 68.196.203.149 RayT-Home1
name 138.89.42.147 Ray-Home-DSL
name 138.89.109.45 rayt
name 4.20.73.2 SNCH-VPN
name 192.168.31.25 Terri_Rahn
name 192.168.31.32 Kristen_Golder
name 192.168.31.31 Debbie_S
name 141.153.178.13 RayTHome
name 138.89.43.175 RayTHome1
name 138.89.49.77 raythome
name 192.168.30.14 Bloomfield4
name 67.80.95.110 KEN
name 24.186.58.101 TerriRahn-Home
name 141.153.209.4 raythome1
name 24.46.197.247 joehome
name 141.153.188.111 RayTAtHome
object-group service public tcp
  description ftp-smtp-pop-www
  port-object eq ftp
  port-object eq pop3
  port-object eq ftp-data
  port-object eq www
  port-object eq https
  port-object eq smtp
object-group service domain tcp-udp
  description dns
  port-object eq domain
access-list compiled
access-list outside_access_in permit tcp any host xxx.xxx.xxx.11 object-group public
access-list outside_access_in permit tcp any host xxx.xxx.xxx.14 object-group public
access-list outside_access_in permit tcp any host xxx.xxx.xxx.2 eq telnet
access-list outside_access_in permit udp any any object-group domain
access-list outside_access_in permit ip host moises any
access-list outside_access_in permit ip host KEN any
access-list outside_access_in permit ip host RandySpringer any
access-list outside_access_in permit ip host joehome any
access-list outside_access_in permit ip host PABALA1 any
access-list outside_access_in permit ip host PABala2 any
access-list outside_access_in permit ip host PABala3 any
access-list outside_access_in permit ip host PABala4 any
access-list outside_access_in permit ip host PAbala5 any
access-list outside_access_in permit ip host PABala6 any
access-list outside_access_in permit ip host 69.141.116.59 any
access-list outside_access_in permit ip host nor-on-the-road any
access-list outside_access_in permit ip host MASJCMC any
access-list outside_access_in permit ip host LouiseB-Home any
access-list outside_access_in permit ip host DinaHome1 any
access-list outside_access_in permit ip host SVCMC any
access-list outside_access_in permit ip host Meridian any
access-list outside_access_in permit ip host EdMendez1 any
access-list outside_access_in permit ip host GinaK-Home any
access-list outside_access_in permit ip host TerriRahn-Home any
access-list outside_access_in permit ip host CTI any
access-list outside_access_in permit ip host SNCH-VPN any
access-list outside_access_in permit ip host RayTAtHome any
access-list inside_outbound_nat0_acl permit ip any 192.168.200.0 255.255.255.0
access-list medical_splitTunnelAcl permit ip 192.168.30.0 255.255.255.0 any
access-list medical_splitTunnelAcl permit ip 192.168.31.0 255.255.255.0 any
access-list 100 permit ip 192.168.31.0 255.255.255.0 host Columbia-VPN
access-list 100 permit ip 192.168.30.0 255.255.255.0 host Columbia-VPN
access-list no-nat permit ip 192.168.31.0 255.255.255.0 host Columbia-VPN
access-list no-nat permit ip 192.168.30.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list no-nat permit ip 192.168.30.0 255.255.255.0 host Columbia-VPN
access-list inside_nat0_outbound permit ip 192.168.30.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.30.0 255.255.255.0 host Columbia-VPN
access-list inside_nat0_outbound permit ip 192.168.31.0 255.255.255.0 host Columbia-VPN
access-list medical_splittunnelac1 permit ip 192.168.31.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xxx.xxx.xxx.8 255.255.255.0
ip address inside 192.168.30.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool 200pool 192.168.200.2-192.168.200.254
pdm location 192.168.30.125 255.255.255.255 inside
pdm location bloomfield 255.255.255.255 inside
pdm location Bloomfield4 255.255.255.255 inside
pdm location 192.168.30.7 255.255.255.255 inside
pdm location 192.168.30.21 255.255.255.255 inside
pdm location 192.168.30.22 255.255.255.255 inside
pdm location 192.168.30.23 255.255.255.255 inside
pdm location 192.168.30.24 255.255.255.255 inside
pdm location 192.168.30.25 255.255.255.255 inside
pdm location moises 255.255.255.255 outside
pdm location 192.168.31.0 255.255.255.0 inside
pdm location 192.168.15.0 255.255.255.0 inside
pdm location 192.168.16.0 255.255.255.0 inside
pdm location 192.168.17.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 192.168.11.0 255.255.255.0 inside
pdm location 192.168.12.0 255.255.255.0 inside
pdm location 192.168.20.0 255.255.255.0 inside
pdm location 192.168.30.2 255.255.255.255 inside
pdm location LouiseB 255.255.255.255 inside
pdm location Wantagh2 255.255.255.255 inside
pdm location 192.168.31.55 255.255.255.255 inside
pdm location JoePC 255.255.255.255 inside
pdm location 192.168.32.1 255.255.255.255 inside
pdm location 192.168.32.0 255.255.255.0 inside
pdm location 192.168.100.0 255.255.255.0 inside
pdm location 192.168.30.36 255.255.255.255 inside
pdm location KenJ 255.255.255.255 outside
pdm location LouiseB-Home 255.255.255.255 outside
pdm location EdMendez 255.255.255.255 outside
pdm location Wantagh1 255.255.255.255 inside
pdm location MASJCMC 255.255.255.255 outside
pdm location EdMendez1 255.255.255.255 outside
pdm location 192.168.31.21 255.255.255.255 inside
pdm location 192.168.31.22 255.255.255.255 inside
pdm location 192.168.31.23 255.255.255.255 inside
pdm location 192.168.31.24 255.255.255.255 inside
pdm location 192.168.30.95 255.255.255.255 inside
pdm location Terri_Rahn 255.255.255.255 inside
pdm location 192.168.31.26 255.255.255.255 inside
pdm location 192.168.31.27 255.255.255.255 inside
pdm location JoeHome 255.255.255.255 outside
pdm location 192.168.31.28 255.255.255.255 inside
pdm location 192.168.200.0 255.255.255.0 outside
pdm location Meridian 255.255.255.255 outside
pdm location RayT-Home 255.255.255.255 outside
pdm location Nor-Home 255.255.255.255 outside
pdm location 192.168.30.52 255.255.255.255 inside
pdm location GinaK-Home 255.255.255.255 outside
pdm location 192.168.30.20 255.255.255.255 inside
pdm location 192.168.31.4 255.255.255.255 inside
pdm location PABALA1 255.255.255.255 outside
pdm location PABala2 255.255.255.255 outside
pdm location PABala3 255.255.255.255 outside
pdm location PABala4 255.255.255.255 outside
pdm location PAbala5 255.255.255.255 outside
pdm location PABala6 255.255.255.255 outside
pdm location DinaHome1 255.255.255.255 outside
pdm location CTI 255.255.255.255 outside
pdm location Nor-Home1 255.255.255.255 outside
pdm location 192.168.31.29 255.255.255.255 inside
pdm location Nor 255.255.255.255 outside
pdm location RandySpringer 255.255.255.255 outside
pdm location 192.168.30.45 255.255.255.255 inside
pdm location Columbia-VPN 255.255.255.255 outside
pdm location Columbia-VPN1 255.255.255.255 outside
pdm location 206.126.161.134 255.255.255.255 outside
pdm location SVCMC 255.255.255.255 outside
pdm location 200.9.49.66 255.255.255.255 outside
pdm location 206.126.161.161 255.255.255.255 outside
pdm location nor-on-the-road 255.255.255.255 outside
pdm location RayT-Home1 255.255.255.255 outside
pdm location 69.141.116.59 255.255.255.255 outside
pdm location Ray-Home-DSL 255.255.255.255 outside
pdm location rayt 255.255.255.255 outside
pdm location SNCH-VPN 255.255.255.255 outside
pdm location 192.168.31.30 255.255.255.255 inside
pdm location Debbie_S 255.255.255.255 inside
pdm location Kristen_Golder 255.255.255.255 inside
pdm location RayTHome 255.255.255.255 outside
pdm location RayTHome1 255.255.255.255 outside
pdm location raythome 255.255.255.255 outside
pdm location 192.168.31.0 255.255.255.0 outside
pdm location 192.168.40.0 255.255.255.0 inside
pdm location 192.168.200.0 255.255.255.0 inside
pdm location 192.168.40.0 255.255.255.0 outside
pdm location KEN 255.255.255.255 outside
pdm location TerriRahn-Home 255.255.255.255 outside
pdm location raythome1 255.255.255.255 outside
pdm location joehome 255.255.255.255 outside
pdm location RayTAtHome 255.255.255.255 outside
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.xxx.11 bloomfield netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.14 Bloomfield4 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.9 192.168.30.36 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.7 192.168.30.7 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.20 192.168.30.20 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.21 192.168.30.21 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.22 192.168.30.22 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.23 192.168.30.23 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.24 192.168.30.24 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.25 192.168.30.25 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.2 192.168.30.2 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.222 192.168.31.28 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.194 Wantagh1 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.193 Wantagh2 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.204 192.168.31.55 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.243 JoePC netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.31 192.168.31.21 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.32 192.168.31.22 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.33 192.168.31.23 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.34 192.168.31.24 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.36 Terri_Rahn netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.37 192.168.31.26 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.38 192.168.31.27 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.39 192.168.31.29 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.40 192.168.31.30 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.41 Debbie_S netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.42 Kristen_Golder netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.26 192.168.30.52 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.18 192.168.30.45 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.239 192.168.31.4 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
route inside 192.168.10.0 255.255.255.0 192.168.30.2 1
route inside 192.168.11.0 255.255.255.0 192.168.30.2 1
route inside 192.168.12.0 255.255.255.0 192.168.30.2 1
route inside 192.168.15.0 255.255.255.0 192.168.30.2 1
route inside 192.168.16.0 255.255.255.0 192.168.30.2 1
route inside 192.168.17.0 255.255.255.0 192.168.30.2 1
route inside 192.168.20.0 255.255.255.0 192.168.30.2 1
route inside 192.168.31.0 255.255.255.0 192.168.30.2 1
route inside 192.168.32.0 255.255.255.0 192.168.30.2 1
route inside 192.168.100.0 255.255.255.0 192.168.30.2 1
route inside 192.168.200.0 255.255.255.0 192.168.30.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.30.125 255.255.255.255 inside
http 192.168.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set MAS-IDX esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map MAS-IDX 1 ipsec-isakmp
crypto map MAS-IDX 1 match address 100
crypto map MAS-IDX 1 set peer Columbia-VPN1
crypto map MAS-IDX 1 set transform-set MAS-IDX
crypto map MAS-IDX 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map MAS-IDX interface outside
isakmp enable outside
isakmp key ******** address Columbia-VPN1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
vpngroup medical address-pool 200pool
vpngroup medical dns-server bloomfield 205.171.3.65
vpngroup medical wins-server Bloomfield4 bloomfield
vpngroup medical default-domain med-act-svcs.com
vpngroup medical split-tunnel medical_splitTunnelAcl
vpngroup medical idle-time 1800
vpngroup medical password ********
telnet 192.168.30.0 255.255.255.0 inside
telnet 192.168.32.1 255.255.255.255 inside
telnet 192.168.32.1 255.255.255.255 intf2
telnet timeout 30
ssh 206.126.161.134 255.255.255.255 outside
ssh 200.9.49.66 255.255.255.255 outside
ssh 206.126.161.161 255.255.255.255 outside
ssh timeout 30
terminal width 80
Cryptochecksum:8f4e3b7d84da5cfbcee5177dc64d6ed1
: end
bloomPix# write mem
Building configuration...
Cryptochecksum: 8f4e3b7d 84da5cfb cee5177d c64d6ed1
[OK]
 
LVL 4

Accepted Solution

by:
periferral earned 500 total points
ID: 11878195
Hi Brian
I assume that when you connect from the Bala, PA office, you are getting NATted by some device. As you mentioned, you will need the 6.3 NAT Traversal feature to get this to work. I'm guessing at home you are either not getting NATted or you are getting static NATted, and hence everything works fine. Your options are:
1. 6.3 with NAT traversal, and enable NAT-T on the VPN client.
2. If you have access to the intermediate device in Bala, PA, do a static PAT for the machine that is connecting using the VPN Client.
3. Use another headend like a VPN Concentrator rather than the PIX, since it supports NAT-T.

Hit me back if you got questions.
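To make the NAT-T point above concrete, here is an added example (not code from the thread or from Cisco) of the check a NAT-T capable IKE peer performs during phase 1, per RFC 3947: each side sends NAT-D payloads carrying HASH(CKY-I | CKY-R | IP | Port) for the peer's address and for its own, and the receiver recomputes the hash over the source address and port it actually observes. A mismatch means a NAT rewrote the packet on the way, so the peers switch to UDP-encapsulated ESP (port 4500) instead of raw ESP, which a PAT device cannot map per client. Cookies, addresses and ports below are constructed placeholders, not values from the posted config.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).

    hash_name is the phase 1 hash the peers negotiated (sha1 or md5 in
    the PIX isakmp policies above). IP is the packed address in network
    byte order, Port is a 16-bit big-endian integer.
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, own_ip, own_port, peer_ip, peer_port, hash_name="sha1"):
    """What a sender puts on the wire: first the hash of the remote (destination)
    address, then one hash per local address it believes it is sending from."""
    return [
        nat_d_hash(cky_i, cky_r, peer_ip, peer_port, hash_name),
        nat_d_hash(cky_i, cky_r, own_ip, own_port, hash_name),
    ]


def check_nat_d_payloads(cky_i, cky_r, payloads, own_ip, own_port,
                         observed_src_ip, observed_src_port, hash_name="sha1"):
    """Receiver side. Returns (peer_behind_nat, self_behind_nat).

    peer_behind_nat: none of the sender's 'local address' hashes match the
    source IP/port we actually saw, so something rewrote the sender's packet.
    self_behind_nat: the sender's hash of *our* address does not match the
    address we think we have, so our own packets are being rewritten.
    """
    remote_hash, *local_hashes = payloads
    self_behind_nat = remote_hash != nat_d_hash(cky_i, cky_r, own_ip, own_port, hash_name)
    observed = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port, hash_name)
    peer_behind_nat = observed not in local_hashes
    return peer_behind_nat, self_behind_nat


# Constructed placeholder values (not from the thread).
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
HEADEND = ("198.51.100.8", 500)      # PIX outside interface, publicly reachable


def simulate_shared_office(hash_name="sha1"):
    """VPN client on a private LAN behind the office PAT device.

    The client hashes the only address it knows (its private one), but the
    headend sees the PAT device's public address and a rewritten source port.
    """
    client_private = ("192.168.1.20", 500)
    client_as_seen = ("203.0.113.77", 31337)
    payloads = build_nat_d_payloads(CKY_I, CKY_R, *client_private, *HEADEND, hash_name)
    return check_nat_d_payloads(CKY_I, CKY_R, payloads, *HEADEND, *client_as_seen, hash_name)


def simulate_direct_client(hash_name="sha1"):
    """VPN client whose packets reach the headend unmodified (no NAT in the path)."""
    client_public = ("203.0.113.50", 500)
    payloads = build_nat_d_payloads(CKY_I, CKY_R, *client_public, *HEADEND, hash_name)
    return check_nat_d_payloads(CKY_I, CKY_R, payloads, *HEADEND, *client_public, hash_name)


def encapsulation_for(peer_behind_nat, self_behind_nat):
    """Transport the peers settle on once NAT-D is evaluated."""
    if peer_behind_nat or self_behind_nat:
        return "ESP in UDP/4500"   # ports available for the PAT device to track
    return "ESP (IP protocol 50)"  # no ports: only one client per public address survives PAT


if __name__ == "__main__":
    for name, fn in (("shared office", simulate_shared_office), ("direct", simulate_direct_client)):
        peer_nat, self_nat = fn()
        print(f"{name}: peer_behind_nat={peer_nat} self_behind_nat={self_nat} -> {encapsulation_for(peer_nat, self_nat)}")
```

The shared-office case returns (True, False): the headend is not NATted, but the client is, which is the situation the reply describes for the Bala, PA office. A PIX 6.2 headend never performs this exchange, so it keeps sending raw ESP; the 6.3 feature the thread refers to enables it (on the PIX side with isakmp nat-traversal, on the client with its NAT-T transport setting), after which the tunnel moves to UDP/4500 and the PAT device can keep each client's session apart.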
 
LVL 1

Author Comment

by:briankeegan
ID: 11881429
Last night I FINALLY got the SmartNet, hence the 6.3 upgrade, and everything is fine now. Thanks all.
