Solved: Site to Site PIX Exchange issues???

Posted on 2004-08-10
Last Modified: 2013-11-16
I have a remote office that I have set up with a 3DES IPSEC Site to Site VPN using PIX 501's.  The tunnel comes up great.  The issue is that Exchange or Server access is one way.  From the remote site I can receive email and access files from the server, but I cannot send email or put/place files back on the server with any consistency (most of the time never).  My work around was to set up a PPTP session with each workstation back to the Main server.  This works but I would like to use the Site to Site vpn.  I will post configs if needed.  Thank you in advance.
Question by:tkawika

Author Comment by:tkawika
Main Office Config...

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXX encrypted
hostname anc
domain-name anc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.20.0 was
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 was 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 was 255.255.255.0
access-list acl-out permit gre any host 209.xxx.xxx.226
access-list acl-out permit tcp any host 209.xxx.xxx.226 eq pptp
access-list acl-out permit tcp any host 209.xxx.xxx.226 eq smtp
access-list acl-out permit tcp any host 209.xxx.xxx.226 eq pop3
access-list acl-out permit tcp any host 209.xxx.xxx.226 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location was 255.255.255.0 outside
pdm location 192.168.1.10 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.xxx.xxx.226 192.168.1.10 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
conduit permit icmp any any
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.xxx.xxx.3
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 64.xxx.xxx.3 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.1.10 255.255.255.255 inside
telnet timeout 5
ssh 209.xxx.xxx.8 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxxxxx@xxx.net
vpdn group pppoe_group ppp authentication pap
vpdn username xxxxxxx@xxx.net password *********
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
Author Comment by:tkawika
Remote Office Config

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXX encrypted
hostname was
domain-name XXXX.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 anc
access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 anc 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.20.0 255.255.255.0 anc 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location anc 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community @#sdfasdgfUG&67
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 209.xxx.xxx.100
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key XXXXXXX address 209.xxx.xxx.100 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname accessak@mtaonline.net
vpdn group pppoe_group ppp authentication pap
vpdn username xxxxxx@xxx.net password XXXXXXXX
dhcpd address 192.168.20.100-192.168.20.131 inside
dhcpd dns 192.168.1.10
dhcpd wins 192.168.1.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
[OK]
Expert Comment by:mburdick
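An added example, not from this thread or from Cisco: a small Python checker that reads the tunnel-relevant lines of two PIX 6.x configs, resolves `name` aliases, and verifies the points that most often explain one-way traffic across a site-to-site tunnel: every crypto ACL entry is exempted from NAT by the `nat 0` ACL, the two crypto ACLs are exact mirrors of each other, and the transform set and ISAKMP policy agree. The config text is a constructed stand-in built from the two configs posted above (peers and keys omitted), and a single ISAKMP policy per box is assumed.

```python
# Constructed stand-in for the two PIX 6.3(3) configs posted above, reduced to
# the lines a site-to-site mirror check needs; a single ISAKMP policy is assumed.
def site_cfg(local, alias, remote):
    return f"""name {remote} {alias}
access-list inside_outbound_nat0_acl permit ip {local} 255.255.255.0 {alias} 255.255.255.0
access-list outside_cryptomap_20 permit ip {local} 255.255.255.0 {alias} 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set transform-set ESP-3DES-SHA
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2"""
MAIN_CFG = site_cfg("192.168.1.0", "was", "192.168.20.0")    # main office ("anc")
REMOTE_CFG = site_cfg("192.168.20.0", "anc", "192.168.1.0")  # remote office ("was")

def parse_pix(cfg):
    """Pull out the parts of a PIX 6.x config that the tunnel depends on."""
    c = {"names": {}, "acls": {}, "tsets": {}, "isakmp": {}}
    for p in (line.split() for line in cfg.splitlines()):
        if p[:1] == ["name"]:                                   # name <ip> <alias>
            c["names"][p[2]] = p[1]
        elif p[:1] == ["access-list"] and p[3:4] == ["ip"] and len(p) >= 8:
            # (src, smask, dst, dmask) with name aliases resolved to addresses
            c["acls"].setdefault(p[1], []).append(tuple(c["names"].get(t, t) for t in p[4:8]))
        elif p[:3] == ["nat", "(inside)", "0"]:                 # NAT exemption ACL
            c["nat0"] = p[4]
        elif p[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tsets"][p[3]] = tuple(p[4:])
        elif p[:2] == ["crypto", "map"] and p[4:5] in (["match"], ["set"]):
            c[p[5]] = p[6]          # "address" -> crypto ACL, "transform-set" -> set name
        elif p[:2] == ["isakmp", "policy"]:
            c["isakmp"][p[3]] = p[4]
    return c

def check_mirror(a, b):
    """Return mismatches between the two ends; an empty list means they mirror."""
    issues = []
    for side, c in (("A", a), ("B", b)):
        crypto = c["acls"].get(c.get("address"), [])
        nat0 = c["acls"].get(c.get("nat0"), [])
        issues += [f"{side}: {e} in crypto ACL but not exempted by nat 0"
                   for e in crypto if e not in nat0]
    flipped = {(d, dm, s, sm) for s, sm, d, dm in b["acls"].get(b.get("address"), [])}
    if set(a["acls"].get(a.get("address"), [])) != flipped:
        issues.append("crypto ACLs are not mirror images of each other")
    if a["tsets"].get(a.get("transform-set")) != b["tsets"].get(b.get("transform-set")):
        issues.append("IPsec transform sets differ")
    if a["isakmp"] != b["isakmp"]:
        issues.append("ISAKMP policy attributes differ")
    return issues
```

On the two configs above the checker reports no mismatch, so a config-level cause of the one-way behaviour is not what it finds; feed it the full running configs to catch a missing `nat 0` exemption or a crypto ACL that is not a true mirror.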
Do you have a WINS server at each site? Are they replicating their data with each other?

What happens if you try to do "net view \\ipaddress" from a prompt?

Are the clients XP? Have you enabled NetBIOS over TCP on them?

What about the servers? What OS are they?
Expert Comment by:grblades
Are you running Active Directory?
If you are then you need to make sure every machine is using the DNS on the main domain controller. AD uses DNS for lookups, so if you don't have the DNS server configured correctly machines can't find each other.

If you are not running AD or don't have all machines on the domain then set up a WINS server for all machines to use.
Author Comment by:tkawika
WINS is set up on the main site server and DHCP on the Remote PIX hands out both DNS and WINS.  There isn't a server at the remote location.  Machines are part of the AD.  Server is running SBS 2000 SP4.  No, NetBIOS is not running, and yes, the clients are running XP.

Thanks for the responses...

Expert Comment by:mburdick
It would be worth enabling NBT (NetBIOS over TCP) as a test. I have seen issues in the past with WindowsXP machines not being able to access resources across a "WAN" link (including VPN) when NBT was not enabled. And, with this protocol, WINS is a necessity. Make sure that the machine functioning as the WINS server lists itself, and -=only=- itself, as the Primary AND Secondary WINS server.
Author Comment by:tkawika
Enabled NBT.  No effect...  All ok with the WINS server...
Expert Comment by:mburdick
The part that appears odd is that the communication *appears* one way. In reality, there is two-way communication happening because at least some of the traffic is TCP-based. It sounds like there might be something else in the way that is filtering packets.

Check for the following:

Windows Clients running a firewall software program? Or, XP running with the firewall service enabled on the NIC?

A router passing the traffic that may have access-lists to filter traffic.

Try turning the monitor level logging on the PIX up to debug, shell in, and run a "terminal monitor" to see if packets are being discarded for any reason.

You could also try debugging IPSEC.

One other thing of note - I have been told by Cisco engineers that setting up some components of the PIX software through the PDM causes issues as it doesn't complete the configuration. They did tell me that it was VPN-related sections of the configuration, but that's all I know for sure.
Author Comment by:tkawika
Hello all.  We fixed it.  For sh!ts and giggles we swapped out the PIX and applied the config to it and it works.  We are sending the "Broken PIX" back.  As the old adage goes, "Check hardware first, then software."  How true is that?  I appreciate all the comments and help.
Accepted Solution by:CetusMOD
PAQed with points refunded (500)

CetusMOD
Community Support Moderator