tkawika
Site to Site PIX Exchange issues???

I have a remote office that I have set up a 3DES IPSEC Site to Site VPN using PIX 501's.  The tunnel comes up great.  The issue is that with Exchange or Server access is one way.  From the remote site I can receive email and access files from the server, but I cannot send email or put/place files back on the server with any consistency (most of the time never).  My workaround was to set up a PPTP session with each workstation back to the Main server.  This works but I would like to use the Site to Site VPN.  I will post configs if needed.  Thank you in advance.
tkawika (ASKER)

Main Office Config...

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXX encrypted
hostname anc
domain-name anc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.20.0 was
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 was 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 was 255.255.255.0
access-list acl-out permit gre any host 209.xxx.xxx.226
access-list acl-out permit tcp any host 209.xxx.xxx.226 eq pptp
access-list acl-out permit tcp any host 209.xxx.xxx.226 eq smtp
access-list acl-out permit tcp any host 209.xxx.xxx.226 eq pop3
access-list acl-out permit tcp any host 209.xxx.xxx.226 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location was 255.255.255.0 outside
pdm location 192.168.1.10 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.xxx.xxx.226 192.168.1.10 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
conduit permit icmp any any
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.xxx.xxx.3
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 64.xxx.xxx.3 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.1.10 255.255.255.255 inside
telnet timeout 5
ssh 209.xxx.xxx.8 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxxxxx@xxx.net
vpdn group pppoe_group ppp authentication pap
vpdn username xxxxxxx@xxx.net password *********
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
tkawika (ASKER)

Remote Office Config

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXX encrypted
hostname was
domain-name XXXX.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 anc
access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 anc 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.20.0 255.255.255.0 anc 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location anc 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community @#sdfasdgfUG&67
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 209.xxx.xxx.100
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key XXXXXXX address 209.xxx.xxx.100 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname accessak@mtaonline.net
vpdn group pppoe_group ppp authentication pap
vpdn username xxxxxx@xxx.net password XXXXXXXX
dhcpd address 192.168.20.100-192.168.20.131 inside
dhcpd dns 192.168.1.10
dhcpd wins 192.168.1.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
[OK]
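An added check, not from this thread or from Cisco: a small Python script that reads the `name`, `access-list`, `nat (inside) 0` and `crypto map ... match address` lines from both configs above and verifies that the two crypto ACLs are mirror images of each other and that each side's nat 0 (NAT-exemption) ACL covers the same traffic as its crypto ACL. A mismatch in either is a common cause of traffic that flows one way only through an IPsec tunnel. The sample strings are trimmed copies of the posted configs; a practitioner would paste the full `show run` output instead.

```python
import re
# Constructed sample: the name / access-list / nat 0 / crypto map lines of the two posted configs.
MAIN_CFG = """
name 192.168.20.0 was
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 was 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 was 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
"""
REMOTE_CFG = """
name 192.168.1.0 anc
access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 anc 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.20.0 255.255.255.0 anc 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
"""
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse(cfg):
    """Return (acls, nat0_acl_name, crypto_acl_name); ACL entries are
    ((src, mask), (dst, mask)) tuples with PIX 'name' aliases resolved to IPs."""
    names, acls, nat0, crypto = {}, {}, None, None
    for line in cfg.strip().splitlines():
        parts = line.split()
        if not parts: continue
        if parts[0] == "name":                 # name <ip> <alias>
            names[parts[2]] = parts[1]
        elif m := ACL_RE.match(line):          # only 'permit ip' host/subnet entries
            src = (names.get(m[2], m[2]), m[3])
            dst = (names.get(m[4], m[4]), m[5])
            acls.setdefault(m[1], set()).add((src, dst))
        elif parts[:3] == ["nat", "(inside)", "0"]:
            nat0 = parts[4]                    # nat (inside) 0 access-list <acl>
        elif "match address" in line:
            crypto = parts[-1]                 # crypto map <map> <seq> match address <acl>
    return acls, nat0, crypto

def mirror(entries):  # swap src/dst: what the far peer should list for the same traffic
    return {(dst, src) for src, dst in entries}

def check_pair(cfg_a, cfg_b):
    """Three conditions that must hold for two-way traffic through the tunnel."""
    acls_a, nat0_a, cry_a = parse(cfg_a)
    acls_b, nat0_b, cry_b = parse(cfg_b)
    return {
        "crypto_mirrored": acls_a[cry_a] == mirror(acls_b[cry_b]),
        "nat0_matches_crypto_a": acls_a[nat0_a] == acls_a[cry_a],
        "nat0_matches_crypto_b": acls_b[nat0_b] == acls_b[cry_b],
    }
```

Running `check_pair(MAIN_CFG, REMOTE_CFG)` on the posted configs returns all three checks True, which is consistent with the thread's conclusion that the ACLs were not the problem.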
Mark
Do you have a WINS server at each site? Are they replicating their data with each other?

What happens if you try to do "net view \\ipaddress" from a prompt?

Are the clients XP? Have you enabled NetBIOS over TCP on them?

What about the servers? What OS are they?
Are you running active directory?
If you are, then you need to make sure every machine is using the DNS on the main domain controller. AD uses DNS for lookups, so if you don't have the DNS server configured correctly machines can't find each other.

If you are not running AD or don't have all machines on the domain then set up a WINS server for all machines to use.
tkawika (ASKER)

WINS is set up on the main site server and DHCP on the Remote PIX hands out both DNS and WINS.  There isn't a server at the remote location.  Machines are part of the AD.  Server is running SBS 2000 SP4.  No, NetBIOS is not running, and yes, the clients are running XP.

Thanks for the responses...

It would be worth enabling NBT (NetBIOS over TCP) as a test. I have seen issues in the past with WindowsXP machines not being able to access resources across a "WAN" link (including VPN) when NBT was not enabled. And, with this protocol, WINS is a necessity. Make sure that the machine functioning as the WINS server lists itself, and -=only=- itself, as the Primary AND Secondary WINS server.
tkawika (ASKER)

Enabled NBT.  No effect...  All ok with the WINS server...

The part that appears odd is that the communications *appears* one way. In reality, there is two-way communication happening because at least some of the traffic is TCP-based. It sounds like there might be something else in the way that is filtering packets.

Check for the following:

Windows Clients running a firewall software program? Or, XP running with the firewall service enabled on the NIC?

A router passing the traffic that may have access-lists to filter traffic.

Try turning the monitor level logging on the PIX up to debug, shell in, and run a "terminal monitor" to see if packets are being discarded for any reason.

You could also try debugging IPSEC.

One other thing of note - I have been told by Cisco engineers that setting up some components of the PIX software through the PDM causes issues as it doesn't complete the configuration. They did tell me that it was VPN-related sections of the configuration, but that's all I know for sure.
tkawika (ASKER)

Hello all.  We fixed it.  For sh!ts and giggles we swapped out the PIX and applied the config to it and it works.  We are sending the "Broken PIX" back.  As the old adage goes, "Check hardware first, then software."  How true is that?  I appreciate all the comments and help.