VPN Access to Routed network behind PIX

I have a network 10.10.20.0/24.  I have VPN tunnels set up from clients to this network, they are assigned 10.254.254.0/24 addresses.  This works with no problems.  I have a dual homed Novell server 10.10.20.3 and 192.168.95.150 with a UNIX server at 192.168.95.24.  Here is the problem, I can make my VPN connection, but I cant PING the UNIX server.  If I SSH into the PIX I am able to ping the UNIX server.  Clients on the 10.10.20.0 network can connect with no problems, so I know that routing on the Novell server is working.  How do I configure the PIX to handle this?
Asked by snowsurfer

1 Solution
lrmoore commented:
Make sure that 192.168.95.0 255.255.255.0 is included in your nat_0 acl:

access-list nat_0 permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0

snowsurfer (Author) commented:
I tried that yesterday.  No luck.  I am wondering if the Novell server that is routing may be altering the packet in a way that the PIX doesn't like.

lrmoore commented:
Does the Novell server (I hate calling a server a router, though Novell is better at it than Microsoft) have a route to the 10.254.254.0 subnet? I would assume so if you can access the Novell server itself from a VPN client...
If you can ping it from the PIX, it makes sense that you could ping it from the VPN client if the nat-0 acl is correct, split-tunnel acl (if used) is correct, and routing is OK...

snowsurfer (Author) commented:
I am going to have to check on the routing on the Novell server, another team works on that.

"If you can ping it from the PIX, it makes sense that you could ping it from the VPN client if the nat-0 acl is correct, split-tunnel acl (if used) is correct, and routing is OK..."

That's my problem, I don't understand where it is breaking down.  When connected to the PIX with SSH I can ping all the way through.  When connected with the VPN client I can ping as far as the Novell server.

lrmoore commented:
Do you have a split-tunnel acl applied to the vpngroup in the PIX?
Can you post your complete PIX config?

snowsurfer (Author) commented:
Here is the config with some privacy items stripped and IP addresses modified:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 10.10.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 permit ip 10.10.20.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list 100 permit ip 192.168.95.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 permit ip host 192.168.0.3 host 10.10.20.8
access-list 100 permit tcp host 192.168.0.3 host 10.10.20.8 eq ftp
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 100 permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list outside_in permit tcp any host 200.200.200.200 eq smtp
access-list outside_in permit tcp any host 200.200.200.200 eq www
access-list outside_in permit tcp any host 200.200.200.200 eq ftp
access-list outside_in permit tcp any host 200.200.200.200 eq telnet
access-list outside_in permit udp any host 200.200.200.200 eq bootps
access-list outside_in permit udp any host 200.200.200.200 eq bootpc
access-list outside_in permit udp any host 200.200.200.200 eq tftp
access-list outside_in permit udp any host 200.200.200.200 eq 5004
access-list outside_in permit udp any host 200.200.200.200 eq 5005
access-list outside_in permit tcp any host 200.200.200.200 eq 5566
access-list outside_in permit udp any host 200.200.200.200 eq 5567
access-list outside_in permit udp any host 200.200.200.200 eq 5568
access-list outside_in permit tcp any host 200.200.200.200 eq 8080
access-list outside_in permit tcp any host 200.200.200.200 eq https
access-list split_tunnel permit ip 10.10.20.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list split_tunnel permit ip 192.168.0.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list split_tunnel permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list dmz_in permit ip host 192.168.0.3 host 10.10.20.8
access-list dmz_in permit ip 192.168.0.0 255.255.255.0 any
access-list dmz_in permit ip host 200.200.200.200 any
pager lines 256
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 200.200.200.200 255.255.255.252
ip address inside 10.10.20.2 255.255.255.0
ip address DMZ 192.168.0.1 255.255.255.0

ip local pool testPool 10.254.254.10-10.254.254.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.10.20.0 255.255.255.0 0 0
nat (inside) 1 10.254.254.0 255.255.255.0 0 0
nat (DMZ) 0 access-list 100
nat (DMZ) 1 192.168.0.0 255.255.255.0 0 0
static (DMZ,outside) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255 0 0
static (DMZ,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255 0 0
static (DMZ,outside) tcp interface ftp 192.168.0.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet 10.10.20.10 telnet netmask 255.255.255.255 0 0
static (inside,outside) udp interface bootps 10.10.20.10 bootps netmask 255.255.255.255 0 0
static (inside,outside) udp interface bootpc 10.10.20.10 bootpc netmask 255.255.255.255 0 0
static (inside,outside) udp interface tftp 10.10.20.10 tftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.10.20.10 www netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5004 10.10.20.10 5004 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5005 10.10.20.10 5005 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5566 10.10.20.10 5566 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5567 10.10.20.10 5567 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5568 10.10.20.10 5568 netmask 255.255.255.255 0 0
static (DMZ,outside) tcp interface 8080 192.168.0.2 8080 netmask 255.255.255.255 0 0
static (DMZ,outside) tcp interface https 192.168.0.2 https netmask 255.255.255.255 0 0
static (inside,DMZ) 10.10.20.8 10.10.20.8 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group dmz_in in interface DMZ
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 200.200.200.201 1
route inside 192.168.95.0 255.255.255.0 10.10.20.3 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set testset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set testset
crypto map testmap 10 ipsec-isakmp dynamic dynmap
crypto map testmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup test address-pool testPool
vpngroup test dns-server 192.168.0.2
vpngroup test wins-server 10.10.20.4
vpngroup test split-tunnel split_tunnel
vpngroup test idle-time 1800
vpngroup test password ********
telnet 10.10.20.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 60
console timeout 0
terminal width 80
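As an added example (not from the thread, the poster, or Cisco), here is a small Python check that applies the three conditions lrmoore listed (nat-0 ACL, split-tunnel ACL, routing) to a PIX 6.3 config for a given VPN pool and destination subnet. The sample config is constructed to mirror the posted one, and parse_acls / check_vpn_reachability are hypothetical helpers that only understand "permit ip net mask net mask" entries, "nat ... 0 access-list", "route" and "ip address" lines.

```python
import ipaddress
import re

# Constructed PIX 6.3 config fragment modelled on the thread (illustrative values):
# the nat-0 ACL covers both inside subnets, the split-tunnel ACL covers only one.
SAMPLE_CONFIG = """
ip address inside 10.10.20.2 255.255.255.0
access-list 100 permit ip 10.10.20.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list 100 permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list split_tunnel permit ip 10.10.20.0 255.255.255.0 10.254.254.0 255.255.255.0
nat (inside) 0 access-list 100
route inside 192.168.95.0 255.255.255.0 10.10.20.3 1
vpngroup test split-tunnel split_tunnel
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(rf"^access-list (\S+) permit ip {IP} {IP} {IP} {IP}$")

def parse_acls(cfg):
    """Map ACL name -> [(src_net, dst_net)] from 'permit ip net mask net mask' entries;
    'host' entries and non-ip protocols are skipped (a simplification of this helper)."""
    acls = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
    return acls

def check_vpn_reachability(cfg, pool, dest):
    """For VPN clients in `pool` reaching `dest`, test the three conditions named in
    the thread: nat-0 exemption, split-tunnel inclusion, and a route (static or connected)."""
    pool, dest = ipaddress.ip_network(pool), ipaddress.ip_network(dest)
    acls = parse_acls(cfg)
    nat0 = re.findall(r"^nat \(\S+\) 0 access-list (\S+)$", cfg, re.M)
    split = re.findall(r"^vpngroup \S+ split-tunnel (\S+)$", cfg, re.M)
    known = [ipaddress.ip_network(f"{n}/{m}", strict=False) for n, m in
             re.findall(rf"^route \S+ {IP} {IP} ", cfg, re.M)
             + re.findall(rf"^ip address \S+ {IP} {IP}$", cfg, re.M)]

    def covered(names):
        # An ACE matches when its source holds dest and its destination holds the pool
        return any(dest.subnet_of(s) and pool.subnet_of(d)
                   for n in names for s, d in acls.get(n, []))
    return {
        "nat0_exempt": covered(nat0),
        # With no split-tunnel ACL every client packet is tunnelled, so that passes
        "split_tunnel": not split or covered(split),
        "route": any(dest.subnet_of(r) for r in known),
    }
```

Run against the sample, 10.10.20.0/24 passes all three checks while 192.168.95.0/24 fails only the split-tunnel check, which matches the symptom in the thread (the VPN client reaches the Novell server but not the subnet behind it).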

lrmoore commented:
The only thing I can see is your icmp conduit
>conduit permit icmp any any

It doesn't like it when you try to use both a conduit and access-lists...

Shot in the dark, but you can try turning off proxy arp on the inside interface:

sysopt noproxyarp inside

and add
 sysopt ipsec pl-compatible


snowsurfer (Author) commented:
I'll take a look, but I don't think the sysopt commands will work. I'll try posting a case to TAC.

snowsurfer (Author) commented:
I re-added the access-list nat_0 permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0
today and it still didn't work. While troubleshooting we were playing with split tunnel: I removed split tunnel from my vpngroup with no change, and when I added it back in all of a sudden everything started working.

For lrmoore being the only help, LRWINS