Solved

IPSEC Client passthrough behavior...Linksys vs Cisco Pix

Posted on 2004-08-31
Last Modified: 2013-11-16
At home, I have a Linksys BEFVP41 router.  I am using a NetGear ProSafe VPN client on my laptop to create an end-to-end VPN connection between my laptop and a Netgear VPN router located elsewhere.  So my Linksys router merely needs to allow IPSEC passthrough.  At home, my laptop is not set up in any special way and the router performs NAT for every device on the home network.  I can connect to the remote VPN router with no problems.

At work, I have a Cisco Pix.  Presently, I must assign my laptop a public ip address (using static) in order to make a similar VPN connection from there (I have access-list statements to permit ah and esp any-any).  I'd like it to work like the Linky at home.  That is, no special setup required.

How can I do it?
Question by:Quetzal
18 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11940742
It depends on the PIX OS version. You need at least 6.3 and then you can enable nat-transparency

!
isakmp nat-transparency
!


 
LVL 11

Author Comment

by:Quetzal
ID: 11940813
You are a Pix god....thx, I'll try it today.  Thanks for the quick reply.
 
LVL 11

Author Comment

by:Quetzal
ID: 11941039
Do you mean isakmp nat-traversal?  I don't have nat-transparency on 6.3(3).
 
LVL 79

Expert Comment

by:lrmoore
ID: 11941109
Yes, sorry. Not enough coffee yet this morning.

isakmp nat-traversal
 
LVL 11

Author Comment

by:Quetzal
ID: 11941260
That did not work. What's the best way to figure out what's going on?
 
LVL 79

Expert Comment

by:lrmoore
ID: 11941739
Hmmmm... that should have worked...

Your client is set to enable transparent tunneling checked? Using UDP?
 
LVL 11

Author Comment

by:Quetzal
ID: 11943381
The ProSafe client doesn't have such a setting.  All I can say is that it works with my Linky without any special setup.
 
LVL 11

Expert Comment

by:PennGwyn
ID: 11943928
Hmmm.  You're permitting ah, but I'm pretty sure AH and NAT don't mix.  I bet that's why it works with a public address.  Can you try just using ESP?

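PennGwyn's point that AH and NAT don't mix can be shown directly: AH's integrity check covers the IP source and destination addresses, so a NAT device that rewrites the source address invalidates the ICV, while ESP's check covers only the ESP header and payload and survives the rewrite. The following is an added example for this thread, not code from the original post or from any of the products mentioned. The key, addresses and payload are constructed; HMAC-MD5-96 is used because the posted transform set uses md5; the ESP payload is left unencrypted because encryption does not change which bytes the integrity check covers.

```python
"""
AH vs ESP under NAT: which bytes the integrity check (ICV) covers decides
whether a source-address rewrite breaks the packet. RFC 2402 (AH) covers the
IP header with its mutable fields zeroed; RFC 2406 (ESP) covers only the ESP
header and payload. HMAC-MD5-96 (RFC 2403) is the full HMAC-MD5 truncated to
96 bits. Everything below is constructed for the demonstration.
"""
import hashlib
import hmac
import socket
import struct

ICV_LEN = 12                                   # 96-bit truncated HMAC
KEY = b"constructed-demo-key-not-a-real-sa"    # stands in for the SA's auth key
AH_PROTO, ESP_PROTO = 51, 50


def ip_checksum(hdr):
    """Standard one's-complement checksum over a 20-byte header (checksum field zeroed)."""
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0):
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_icv_input(ip_hdr, ah_fixed, payload):
    """AH ICV input: IP header with mutable fields zeroed (TOS, flags/fragment
    offset, TTL, checksum), AH header with a zeroed ICV, then the payload.
    Source and destination addresses are immutable, so they stay in."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h) + ah_fixed + b"\x00" * ICV_LEN + payload


def build_ah_packet(src, dst, payload, spi=0x1001, seq=1):
    # next header=17 (UDP), payload len=4 (24 bytes / 4 - 2), reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", 17, 4, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, len(ah_fixed) + ICV_LEN + len(payload))
    icv = hmac.new(KEY, ah_icv_input(ip_hdr, ah_fixed, payload), hashlib.md5).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def verify_ah(packet):
    ip_hdr, ah_fixed, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    expected = hmac.new(KEY, ah_icv_input(ip_hdr, ah_fixed, payload), hashlib.md5).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def build_esp_packet(src, dst, payload, spi=0x2002, seq=1):
    """ESP ICV covers SPI + sequence number + (normally encrypted) payload only."""
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(KEY, esp_hdr + payload, hashlib.md5).digest()[:ICV_LEN]
    ip_hdr = ipv4_header(src, dst, ESP_PROTO, len(esp_hdr) + len(payload) + ICV_LEN)
    return ip_hdr + esp_hdr + payload + icv


def verify_esp(packet):
    body = packet[20:]
    data, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    expected = hmac.new(KEY, data, hashlib.md5).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def nat_rewrite_source(packet, new_src):
    """What a NAT/PAT box does on the way out: new source address, fresh IP
    checksum, payload untouched."""
    h = bytearray(packet[:20])
    h[12:16] = socket.inet_aton(new_src)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + packet[20:]


def demo():
    # inside host, PIX outside (PAT) address and remote gateway: constructed values
    inside, public, remote = "192.168.20.7", "22.222.222.146", "1.1.1.1"
    payload = b"constructed demo payload"
    ah, esp = build_ah_packet(inside, remote, payload), build_esp_packet(inside, remote, payload)
    return {
        "ah_before_nat": verify_ah(ah),
        "ah_after_nat": verify_ah(nat_rewrite_source(ah, public)),
        "esp_before_nat": verify_esp(esp),
        "esp_after_nat": verify_esp(nat_rewrite_source(esp, public)),
    }


if __name__ == "__main__":
    print(demo())
```

The AH packet fails verification after the rewrite and the ESP packet passes, which is why a 1:1 static (no address change the remote peer does not already expect) is the only way AH gets through, and why dropping the AH permit and running ESP only is the right first step behind any NAT.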
 
LVL 11

Author Comment

by:Quetzal
ID: 11944635
Increased the points, because this isn't looking too easy...

I removed the AH access-list because my client is using ESP.  Still won't work unless the laptop is assigned a public ip.
 
LVL 79

Expert Comment

by:lrmoore
ID: 11952648
I'd have to see your PIX config. It should just work.
Do you have fixup protocol esp-ike enabled?
 
LVL 1

Expert Comment

by:tevens
ID: 11990369
Quetzal,

You're missing the permit for ISAKMP in your ACL.  ISAKMP runs on UDP port 500.   ISAKMP is the key exchange (IKE) that facilitates the auth and ESP tunnel establishment.

---Tim
 
LVL 11

Author Comment

by:Quetzal
ID: 12168401
Here is my config:

PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname Pix-AA
domain-name company.corp
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.20.100 potoroo_int
name 192.168.20.101 ningaui_int
name 192.168.20.200 tuan_int
name 192.168.20.201 kultarr_int
name 192.168.20.7 wingnut_int
name 22.222.222.145 synergy_gateway
name 255.255.255.240 synergy_subnet
name 22.222.222.146 pix_outside
name 22.222.222.147 kultarr_ext
name 22.222.222.148 wingnut_ext
name 22.222.222.151 test1_ext
access-list 103 permit icmp any any
access-list 103 permit tcp any host wingnut_ext eq 6521
access-list 103 permit udp any host wingnut_ext eq 6522
access-list 103 permit tcp any host kultarr_ext eq 7521
access-list 103 permit udp any host kultarr_ext eq 7522
access-list 103 permit tcp any any eq 6891
access-list 103 permit tcp any any eq 6892
access-list 103 permit tcp any any eq 6893
access-list 103 permit tcp any any eq 6894
access-list 103 permit tcp any any eq aol
access-list 103 permit tcp any any eq 3389
access-list 103 permit gre any host kultarr_ext
access-list 103 permit tcp any host kultarr_ext eq pptp
access-list 103 permit gre any any
access-list 103 permit tcp any any eq pptp
access-list 103 permit tcp any host 22.222.222.152
access-list 103 permit tcp any any eq ldap
access-list 103 permit tcp any any eq 522
access-list 103 permit tcp any any eq 1503
access-list 103 permit tcp any any eq 1731
access-list 103 permit tcp any any eq h323
access-list 103 permit esp any any
access-list 103 permit ah any any
access-list 103 permit tcp any host 22.222.222.155
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 102 permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 24
logging monitor emergencies
logging trap debugging
logging host inside kultarr_int
mtu outside 1500
mtu inside 1500
ip address outside pix_outside 255.255.255.240
ip address inside 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool sca1 192.168.20.50-192.168.20.59
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) kultarr_ext kultarr_int netmask 255.255.255.255 0 0
static (inside,outside) wingnut_ext wingnut_int netmask 255.255.255.255 0 0
static (inside,outside) 22.222.222.153 192.168.20.71 netmask 255.255.255.255 0 0
static (inside,outside) 22.222.222.154 192.168.20.72 netmask 255.255.255.255 0 0
static (inside,outside) 22.222.222.155 192.168.20.70 netmask 255.255.255.255 0 0
static (inside,outside) 22.222.222.152 192.168.20.65 netmask 255.255.255.255 0 0
access-group 103 in interface outside
route outside 0.0.0.0 0.0.0.0 synergy_gateway 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside kultarr_int .
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set home-set esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 2.2.2.2
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 102
crypto map newmap 20 set peer 1.1.1.1
crypto map newmap 20 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.248.0
isakmp key ******** address 2.2.2.2 netmask 255.255.255.0
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
vpdn group sca accept dialin pptp
vpdn group sca ppp authentication mschap
vpdn group sca client configuration address local sca1
vpdn group sca client configuration dns potoroo_int
vpdn group sca client configuration wins potoroo_int
vpdn group sca pptp echo 60
vpdn group sca client authentication local
vpdn username koala password *********
vpdn username company password *********
vpdn enable outside
dhcpd dns 3.3.3.3 4.4.4.4
dhcpd wins potoroo_int 192.168.10.2
dhcpd lease 100000
dhcpd ping_timeout 750
dhcpd domain company.corp
dhcpd auto_config outside
dhcprelay server potoroo_int inside
terminal width 80
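tevens' suggestion to check the inbound ACL for an ISAKMP permit can be run mechanically against the config Quetzal posted. The following is an added example for this thread, not code from the original post: a small parser for PIX `name`, `access-list` and `access-group` lines that reports whether the ACL bound to the outside interface permits, unsolicited from the outside, each protocol an IPsec client behind the PIX depends on: IKE (udp/500), NAT-T (udp/4500, which `isakmp nat-traversal` and NAT-T capable clients use), ESP (protocol 50) and AH (protocol 51). The config text embedded below is the IPsec-relevant subset copied from the posted config; the outside address 22.222.222.146 is the `pix_outside` name from that config, and `PORT_NAMES` is an assumed subset of the PIX port keywords.

```python
"""
Inbound-ACL check for IPsec passthrough on a PIX 6.x (added example, not from
the thread). Parses the posted `access-list` syntax:
    access-list <id> permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]
where <src>/<dst> is `any`, `host <ip|name>`, or `<ip|name> <mask>`.
"""
import ipaddress

# What an IPsec client behind the firewall needs to reach it from outside.
IPSEC_NEEDS = {
    "ike":   ("udp", 500),
    "nat-t": ("udp", 4500),
    "esp":   ("esp", None),
    "ah":    ("ah", None),
}

# Assumed subset of PIX port keywords seen in the posted config.
PORT_NAMES = {"pptp": 1723, "ldap": 389, "aol": 5190, "h323": 1720, "isakmp": 500}

# IPsec-relevant lines copied from the posted config.
PIX_CONFIG = """
name 22.222.222.146 pix_outside
name 22.222.222.147 kultarr_ext
name 22.222.222.148 wingnut_ext
access-list 103 permit icmp any any
access-list 103 permit tcp any host wingnut_ext eq 6521
access-list 103 permit udp any host wingnut_ext eq 6522
access-list 103 permit tcp any any eq 3389
access-list 103 permit gre any any
access-list 103 permit tcp any any eq pptp
access-list 103 permit tcp any host 22.222.222.152
access-list 103 permit esp any any
access-list 103 permit ah any any
access-group 103 in interface outside
"""


def _addr(tokens, names):
    """Consume one address spec; return (network, remaining tokens)."""
    t = tokens[0]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if t == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1])), tokens[2:]
    return ipaddress.ip_network((names.get(t, t), tokens[1]), strict=False), tokens[2:]


def _port(tokens):
    """Consume an optional `eq <port>`; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tokens[2:]
    return None, tokens


def parse_pix(text):
    """Return (name table, {acl id: [ACEs]}, {interface: acl id bound inbound})."""
    names, acl, bound = {}, {}, {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":                       # name <ip> <alias>
            names[tok[2]] = tok[1]
        elif tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            src, rest = _addr(tok[4:], names)
            sport, rest = _port(rest)
            dst, rest = _addr(rest, names)
            dport, _ = _port(rest)
            acl.setdefault(tok[1], []).append((tok[2], tok[3], src, sport, dst, dport))
        elif tok[0] == "access-group":             # access-group <id> in interface <if>
            bound[tok[4]] = tok[1]
    return names, acl, bound


def first_match(entries, proto, dst_ip, dport):
    """Action of the first ACE matching an unsolicited inbound packet, or None
    for the implicit deny at the end of the list (PIX uses first-match)."""
    ip = ipaddress.ip_address(dst_ip)
    for action, p, _src, _sport, dst, dp in entries:
        if p in (proto, "ip") and ip in dst and (dp is None or dp == dport):
            return action
    return None


def check_passthrough(config_text, interface, public_ip):
    """{need: True/False} for the ACL bound inbound on `interface`."""
    _names, acl, bound = parse_pix(config_text)
    entries = acl.get(bound.get(interface, ""), [])
    return {need: first_match(entries, proto, public_ip, port) == "permit"
            for need, (proto, port) in IPSEC_NEEDS.items()}


def missing_aces(result, acl_id, public_ip):
    """ACE lines that would permit whatever check_passthrough found missing."""
    lines = []
    for need, ok in result.items():
        if not ok:
            proto, port = IPSEC_NEEDS[need]
            lines.append(f"access-list {acl_id} permit {proto} any host {public_ip}"
                         + (f" eq {port}" if port else ""))
    return lines


if __name__ == "__main__":
    res = check_passthrough(PIX_CONFIG, "outside", "22.222.222.146")
    print(res)
    print("\n".join(missing_aces(res, "103", "22.222.222.146")))
```

Run against the posted lines it reports esp and ah permitted and udp/500 and udp/4500 not. Two caveats when reading the result: the PIX is stateful, so replies to an IKE exchange the inside client starts ride the UDP connection the PIX built and do not need an inbound ACE, which is why the ACL alone does not explain the failure; and through PAT (`global (outside) 1 interface`) inbound ESP has no port for the PIX to map back to an inside host, which is what the `fixup protocol esp-ike` lrmoore asked about provides for a single ESP client in 6.3, and why a 1:1 static makes the tunnel work.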
 
LVL 79

Accepted Solution

by:lrmoore (earned 500 total points)
ID: 12169681
What are the settings on the VPN client that set the encryption type and the hash? Something similar to your transform set on a PIX. If it uses AH anywhere, as PennGwyn noted, it won't work without a 1-1 static nat.
But then, it shouldn't work through the Linksys at home either...

Last gasp - try enabling
   sysopt ipsec pl-compatible

Best way to troubleshoot - set your PDM log level to informational, and use the PDM log. keep it open while attempting the Vpn connection.
Else, setup a syslog server and analyze the logs..

 
LVL 79

Expert Comment

by:lrmoore
ID: 13703134
How's it going? Have you found a solution? Do you need more information?
Can you close this question?

http://www.experts-exchange.com/help.jsp#hs5

Thanks for attending to this long-forgotten question.

<-8}
 
LVL 11

Author Comment

by:Quetzal
ID: 14274041
lrmoore, sorry for such a long delay...too many things to do and too few hours...but this question is still on my mind.   Can you stand to work with me once more on this?
 
LVL 79

Expert Comment

by:lrmoore
ID: 14320154
Go for it!