Solved

IPSEC Client passthrough behavior...Linksys vs Cisco Pix

Posted on 2004-08-31
572 Views
Last Modified: 2013-11-16
At home, I have a Linksys BEFVP41 router.  I am using a NetGear ProSave VPN client on my laptop to create an end-to-end VPN connection between my laptop and a Netgear VPN router located elsewhere.  So my Linksys router merely needs to allow IPSEC passthrough.  At home, my laptop is not set up in any special way and the router performs NAT for every device on the home network.  I can connect to the remote VPN router with no problems.

At work, I have a Cisco Pix.  Presently, I must assign my laptop a public ip address (using static) in order to make a similar VPN connection from there (I have access-list statements to permit ah and esp any-any).  I'd like it to work like the Linky at home.  That is, no special setup required.

How can I do it?
0
Question by:Quetzal
18 Comments
 
LVL 79

Expert Comment

by:lrmoore
It depends on the PIX OS version. You need at least 6.3 and then you can enable nat-transparency

!
isakmp nat-transparency
!


0
 
LVL 11

Author Comment

by:Quetzal
You are a Pix god....thx, I'll try it today.  Thanks for the quick reply.
0
 
LVL 11

Author Comment

by:Quetzal
Do you mean isakmp nat-traversal?  I don't have nat-transparency on 6.3(3).
0
 
LVL 79

Expert Comment

by:lrmoore
Yes, sorry. Not enough coffee yet this morning.

isakmp nat-traversal
0
 
LVL 11

Author Comment

by:Quetzal
That did not work. What's the best way to figure out what's going on?
0
 
LVL 79

Expert Comment

by:lrmoore
Hmmmm... that should have worked...

Your client is set to enable transparent tunneling checked? Using UDP?
0
 
LVL 11

Author Comment

by:Quetzal
The ProSafe client doesn't have such a setting.  All I can say is that it works with my Linky without any special setup.
0
 
LVL 11

Expert Comment

by:PennGwyn
Hmmm.  You're permitting ah, but I'm pretty sure AH and NAT don't mix.  I bet that's why it works with a public address.  Can you try just using ESP?

0
 
LVL 11

Author Comment

by:Quetzal
Increased the points, because this isn't looking too easy...

I removed the AH access-list because my client is using ESP.  Still won't work unless the laptop is assigned a public ip.
0
 
LVL 79

Expert Comment

by:lrmoore
I'd have to see your PIX config. It should just work.
Do you have fixup protocol esp-ike enabled?
0
 
LVL 1

Expert Comment

by:tevens
Quetzal,

You're missing the permit for ISAKMP in your ACL.  ISAKMP runs on UDP port 500.   ISAKMP is the key exchange (IKE) that facilitates the auth and ESP tunnel establishment.

---Tim
0
 
LVL 11

Author Comment

by:Quetzal
Here is my config:

PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname Pix-AA
domain-name company.corp
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.20.100 potoroo_int
name 192.168.20.101 ningaui_int
name 192.168.20.200 tuan_int
name 192.168.20.201 kultarr_int
name 192.168.20.7 wingnut_int
name 22.222.222.145 synergy_gateway
name 255.255.255.240 synergy_subnet
name 22.222.222.146 pix_outside
name 22.222.222.147 kultarr_ext
name 22.222.222.148 wingnut_ext
name 22.222.222.151 test1_ext
access-list 103 permit icmp any any
access-list 103 permit tcp any host wingnut_ext eq 6521
access-list 103 permit udp any host wingnut_ext eq 6522
access-list 103 permit tcp any host kultarr_ext eq 7521
access-list 103 permit udp any host kultarr_ext eq 7522
access-list 103 permit tcp any any eq 6891
access-list 103 permit tcp any any eq 6892
access-list 103 permit tcp any any eq 6893
access-list 103 permit tcp any any eq 6894
access-list 103 permit tcp any any eq aol
access-list 103 permit tcp any any eq 3389
access-list 103 permit gre any host kultarr_ext
access-list 103 permit tcp any host kultarr_ext eq pptp
access-list 103 permit gre any any
access-list 103 permit tcp any any eq pptp
access-list 103 permit tcp any host 22.222.222.152
access-list 103 permit tcp any any eq ldap
access-list 103 permit tcp any any eq 522
access-list 103 permit tcp any any eq 1503
access-list 103 permit tcp any any eq 1731
access-list 103 permit tcp any any eq h323
access-list 103 permit esp any any
access-list 103 permit ah any any
access-list 103 permit tcp any host 22.222.222.155
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 102 permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 24
logging monitor emergencies
logging trap debugging
logging host inside kultarr_int
mtu outside 1500
mtu inside 1500
ip address outside pix_outside 255.255.255.240
ip address inside 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool sca1 192.168.20.50-192.168.20.59
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) kultarr_ext kultarr_int netmask 255.255.255.255 0 0
static (inside,outside) wingnut_ext wingnut_int netmask 255.255.255.255 0 0
static (inside,outside) 22.222.222.153 192.168.20.71 netmask 255.255.255.255 0 0
static (inside,outside) 22.222.222.154 192.168.20.72 netmask 255.255.255.255 0 0
static (inside,outside) 22.222.222.155 192.168.20.70 netmask 255.255.255.255 0 0
static (inside,outside) 22.222.222.152 192.168.20.65 netmask 255.255.255.255 0 0
access-group 103 in interface outside
route outside 0.0.0.0 0.0.0.0 synergy_gateway 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside kultarr_int .
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set home-set esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 2.2.2.2
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 102
crypto map newmap 20 set peer 1.1.1.1
crypto map newmap 20 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.248.0
isakmp key ******** address 2.2.2.2 netmask 255.255.255.0
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
vpdn group sca accept dialin pptp
vpdn group sca ppp authentication mschap
vpdn group sca client configuration address local sca1
vpdn group sca client configuration dns potoroo_int
vpdn group sca client configuration wins potoroo_int
vpdn group sca pptp echo 60
vpdn group sca client authentication local
vpdn username koala password *********
vpdn username company password *********
vpdn enable outside
dhcpd dns 3.3.3.3 4.4.4.4
dhcpd wins potoroo_int 192.168.10.2
dhcpd lease 100000
dhcpd ping_timeout 750
dhcpd domain company.corp
dhcpd auto_config outside
dhcprelay server potoroo_int inside
terminal width 80
0
 
LVL 79

Accepted Solution

by:lrmoore earned 500 total points
What are the settings on the VPN client that set the encryption type and the hash? Something similar to your transform set on a PIX. If it uses AH anywhere, as PennGwyn noted, it won't work without a 1-1 static nat.
But then, it shouldn't work through the Linksys at home either...

Last gasp - try enabling
   sysopt ipsec pl-compatible

Best way to troubleshoot - set your PDM log level to informational, and use the PDM log; keep it open while attempting the VPN connection.
Else, set up a syslog server and analyze the logs.

0
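As an added illustration of the points raised across this thread (not the poster's config or any Cisco code): why AH breaks under any address rewrite, why plain ESP can only be passed by a 1:1 static, and how the UDP 4500 encapsulation that `isakmp nat-traversal` enables gives a PAT gateway ports to translate. The packets, the laptop address 192.168.20.55 and the peer 203.0.113.10 are constructed samples.

```python
import struct

def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, zero checksum) in front of payload."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      addr(src), addr(dst))
    return hdr + payload

def udp(sport, dport, data):
    """Minimal UDP header (zero checksum) in front of data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt):
    """What a NAT/PAT gateway can see in one IPsec-related packet and whether it
    can map it: AH (IP protocol 51) fails because its ICV covers the IP addresses;
    plain ESP (protocol 50) exposes only an SPI, no port, so PAT cannot multiplex
    it and only a 1:1 static works; IKE (UDP 500) and NAT-T (UDP 4500, RFC 3948)
    are ordinary UDP flows with ports the gateway can rewrite."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == 51:  # AH: next hdr, len, reserved, SPI at offset 4
        return {"kind": "AH", "spi": struct.unpack("!I", body[4:8])[0],
                "pat_ok": False, "static_nat_ok": False}
    if proto == 50:  # ESP: SPI is the first 4 bytes
        return {"kind": "ESP", "spi": struct.unpack("!I", body[:4])[0],
                "pat_ok": False, "static_nat_ok": True}
    if proto == 17:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        base = {"ports": (sport, dport), "pat_ok": True, "static_nat_ok": True}
        if dport == 500:
            return {"kind": "IKE", **base}
        if dport == 4500:
            # RFC 3948: four zero bytes (the non-ESP marker) mean IKE; otherwise
            # the first 4 bytes are the SPI of an ESP packet wrapped in UDP.
            if data[:4] == b"\x00\x00\x00\x00":
                return {"kind": "IKE-over-NAT-T", **base}
            return {"kind": "ESP-in-UDP", "spi": struct.unpack("!I", data[:4])[0], **base}
    return {"kind": "other", "pat_ok": True, "static_nat_ok": True}

# Constructed samples: a laptop on the PIX inside network talking to a remote VPN peer.
LAPTOP, PEER = "192.168.20.55", "203.0.113.10"
SAMPLES = {
    "ah": ipv4(51, LAPTOP, PEER, struct.pack("!BBHII", 4, 4, 0, 0x1000, 1) + b"\0" * 12),
    "esp": ipv4(50, LAPTOP, PEER, struct.pack("!II", 0x2000, 1) + b"\0" * 16),
    "ike": ipv4(17, LAPTOP, PEER, udp(500, 500, b"\0" * 28)),
    "ike_natt": ipv4(17, LAPTOP, PEER, udp(4500, 4500, b"\0\0\0\0" + b"\0" * 28)),
    "esp_natt": ipv4(17, LAPTOP, PEER, udp(4500, 4500, struct.pack("!II", 0x2000, 1) + b"\0" * 16)),
}
```

Running `classify` over `SAMPLES` shows the only forms a PAT-only gateway (the `global (outside) 1 interface` case) can pass are the UDP ones, which is exactly what NAT-T negotiates when both ends support it.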
 
LVL 79

Expert Comment

by:lrmoore
How's it going? Have you found a solution? Do you need more information?
Can you close this question?

http://www.experts-exchange.com/help.jsp#hs5

Thanks for attending to this long-forgotten question.

<-8}
0
 
LVL 11

Author Comment

by:Quetzal
lrmoore, sorry for such a long delay...too many things to do and too few hours...but this question is still on my mind.   Can you stand to work with me once more on this?
0
 
LVL 79

Expert Comment

by:lrmoore
Go for it!
0
