Solved

VPN Access to Routed network behind PIX

Posted on 2004-09-20
Last Modified: 2013-11-16
I have a network 10.10.20.0/24.  I have VPN tunnels set up from clients to this network; they are assigned 10.254.254.0/24 addresses.  This works with no problems.  I have a dual-homed Novell server, 10.10.20.3 and 192.168.95.150, with a UNIX server at 192.168.95.24.  Here is the problem: I can make my VPN connection, but I can't ping the UNIX server.  If I SSH into the PIX I am able to ping the UNIX server.  Clients on the 10.10.20.0 network can connect with no problems, so I know that routing on the Novell server is working.  How do I configure the PIX to handle this?
Question by:snowsurfer
9 Comments
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 12107784
Make sure that 192.168.95.0 255.255.255.0 is included in your nat_0 acl:

access-list nat_0 permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0
LVL 5

Author Comment

by:snowsurfer
ID: 12114358
I tried that yesterday.  No luck.  I am wondering if the Novell server that is routing may be altering the packet in a way that the PIX doesn't like.
LVL 79

Expert Comment

by:lrmoore
ID: 12114547
Does the Novell server (I hate calling a server a router, though Novell is better at it than Microsoft) have a route to the 10.254.254.0 subnet? I would assume so if you can access the Novell server itself from a VPN client...
If you can ping it from the PIX, it makes sense that you could ping it from the VPN client if the nat-0 acl is correct, split-tunnel acl (if used) is correct, and routing is OK...
LVL 5

Author Comment

by:snowsurfer
ID: 12115150
I am going to have to check on the routing on the Novell server, another team works on that.

"If you can ping it from the PIX, it makes sense that you could ping it from the VPN client if the nat-0 acl is correct, split-tunnel acl (if used) is correct, and routing is OK..."

That's my problem; I don't understand where it is breaking down.  When connected to the PIX with SSH I can ping all the way through.  When connected with the VPN client I can ping as far as the Novell server.
LVL 79

Expert Comment

by:lrmoore
ID: 12115442
Do you have a split-tunnel acl applied to the vpngroup in the PIX?
Can you post your complete PIX config?
LVL 5

Author Comment

by:snowsurfer
ID: 12117621
Here is the config with some privacy items stripped and ip addresses modified

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 10.10.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 permit ip 10.10.20.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list 100 permit ip 192.168.95.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 permit ip host 192.168.0.3 host 10.10.20.8
access-list 100 permit tcp host 192.168.0.3 host 10.10.20.8 eq ftp
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 100 permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list outside_in permit tcp any host 200.200.200.200 eq smtp
access-list outside_in permit tcp any host 200.200.200.200 eq www
access-list outside_in permit tcp any host 200.200.200.200 eq ftp
access-list outside_in permit tcp any host 200.200.200.200 eq telnet
access-list outside_in permit udp any host 200.200.200.200 eq bootps
access-list outside_in permit udp any host 200.200.200.200 eq bootpc
access-list outside_in permit udp any host 200.200.200.200 eq tftp
access-list outside_in permit udp any host 200.200.200.200 eq 5004
access-list outside_in permit udp any host 200.200.200.200 eq 5005
access-list outside_in permit tcp any host 200.200.200.200 eq 5566
access-list outside_in permit udp any host 200.200.200.200 eq 5567
access-list outside_in permit udp any host 200.200.200.200 eq 5568
access-list outside_in permit tcp any host 200.200.200.200 eq 8080
access-list outside_in permit tcp any host 200.200.200.200 eq https
access-list split_tunnel permit ip 10.10.20.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list split_tunnel permit ip 192.168.0.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list split_tunnel permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list dmz_in permit ip host 192.168.0.3 host 10.10.20.8
access-list dmz_in permit ip 192.168.0.0 255.255.255.0 any
access-list dmz_in permit ip host 200.200.200.200 any
pager lines 256
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 200.200.200.200 255.255.255.252
ip address inside 10.10.20.2 255.255.255.0
ip address DMZ 192.168.0.1 255.255.255.0

ip local pool testPool 10.254.254.10-10.254.254.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.10.20.0 255.255.255.0 0 0
nat (inside) 1 10.254.254.0 255.255.255.0 0 0
nat (DMZ) 0 access-list 100
nat (DMZ) 1 192.168.0.0 255.255.255.0 0 0
static (DMZ,outside) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255 0 0
static (DMZ,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255 0 0
static (DMZ,outside) tcp interface ftp 192.168.0.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet 10.10.20.10 telnet netmask 255.255.255.255 0 0
static (inside,outside) udp interface bootps 10.10.20.10 bootps netmask 255.255.255.255 0 0
static (inside,outside) udp interface bootpc 10.10.20.10 bootpc netmask 255.255.255.255 0 0
static (inside,outside) udp interface tftp 10.10.20.10 tftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.10.20.10 www netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5004 10.10.20.10 5004 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5005 10.10.20.10 5005 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5566 10.10.20.10 5566 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5567 10.10.20.10 5567 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5568 10.10.20.10 5568 netmask 255.255.255.255 0 0
static (DMZ,outside) tcp interface 8080 192.168.0.2 8080 netmask 255.255.255.255 0 0
static (DMZ,outside) tcp interface https 192.168.0.2 https netmask 255.255.255.255 0 0
static (inside,DMZ) 10.10.20.8 10.10.20.8 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group dmz_in in interface DMZ
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 200.200.200.201 1
route inside 192.168.95.0 255.255.255.0 10.10.20.3 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set testset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set testset
crypto map testmap 10 ipsec-isakmp dynamic dynmap
crypto map testmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup test address-pool testPool
vpngroup test dns-server 192.168.0.2
vpngroup test wins-server 10.10.20.4
vpngroup test split-tunnel split_tunnel
vpngroup test idle-time 1800
vpngroup test password ********
telnet 10.10.20.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 60
console timeout 0
terminal width 80
LVL 79

Expert Comment

by:lrmoore
ID: 12117738
The only thing I can see is your icmp conduit
>conduit permit icmp any any

It doesn't like it when you try to use both a conduit and access-lists...

Shot in the dark, but you can try turning off proxy arp on the inside interface:

sysopt noproxyarp inside

and add
 sysopt ipsec pl-compatible

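Added example (not code from the thread or from either participant): a small Python checker for the three conditions lrmoore lists, route, nat 0 ACL and split-tunnel ACL, run against a trimmed copy of the config snowsurfer posted, plus a separate check that lists conduits left in a config that also applies access-groups, the mix he points at. Note that in the posted config the nat 0 ACL is called 100, not nat_0, so the checker reads the name from the `nat (inside) 0 access-list` line rather than assuming one. The function and field names (`parse_pix`, `check_vpn_reachability`, `conduit_acl_mix`) are the example's own; only the PIX 6.x command syntax it parses comes from the thread.

```python
"""Check a PIX 6.x config for VPN-client reachability of a routed subnet.

Added example for this thread, not code from the original answers: it tests
the three conditions lrmoore lists (route, nat 0 ACL, split-tunnel ACL) for a
target behind the inside interface, and lists conduits kept in a config that
also applies access-groups.  Only the commands parse_pix() knows are read.
"""
import ipaddress

# Constructed sample: trimmed copy of the config snowsurfer posted (same
# addresses and object names as in the thread).
SAMPLE_CONFIG = """\
access-list 100 permit ip 10.10.20.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list 100 permit tcp host 192.168.0.3 host 10.10.20.8 eq ftp
access-list 100 permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list split_tunnel permit ip 10.10.20.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list split_tunnel permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0
ip address inside 10.10.20.2 255.255.255.0
ip local pool testPool 10.254.254.10-10.254.254.254
nat (inside) 0 access-list 100
access-group outside_in in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 200.200.200.201 1
route inside 192.168.95.0 255.255.255.0 10.10.20.3 1
vpngroup test address-pool testPool
vpngroup test split-tunnel split_tunnel
"""

def _endpoint(tokens):
    """Consume one ACL endpoint: 'any', 'host A' or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_pix(config):
    """Extract the commands the checks below need (PIX 6.x syntax)."""
    cfg = {"acls": {}, "nat0": {}, "routes": [], "ifaces": {}, "pools": {},
           "groups": {}, "conduits": [], "access_groups": []}
    for line in config.splitlines():
        t = line.split()
        if len(t) > 3 and t[0] == "access-list" and t[2] == "permit":
            rest = t[4:]
            src, dst = _endpoint(rest), _endpoint(rest)
            cfg["acls"].setdefault(t[1], []).append((t[3], src, dst))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]        # interface -> ACL name
        elif t[:1] == ["route"]:
            net = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            cfg["routes"].append((t[1], net, t[4]))
        elif t[:2] == ["ip", "address"]:                 # directly connected subnet
            cfg["ifaces"][t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:1] == ["vpngroup"] and len(t) > 3:
            cfg["groups"].setdefault(t[1], {})[t[2]] = t[3]
        elif t[:1] == ["conduit"]:
            cfg["conduits"].append(line.strip())
        elif t[:1] == ["access-group"]:
            cfg["access_groups"].append(line.strip())
    return cfg

def check_vpn_reachability(config, group, target, inside_if="inside"):
    """Return findings as strings; an empty list means all three conditions hold."""
    cfg = parse_pix(config)
    host = ipaddress.ip_address(target)
    g = cfg["groups"].get(group, {})
    pool = cfg["pools"].get(g.get("address-pool"))
    if pool is None:
        return [f"vpngroup {group} has no usable address-pool"]
    pool_nets = list(ipaddress.summarize_address_range(*pool))

    def covers(acl_name):
        # every pool address must match a 'permit ip <net with target> <net with pool>'
        return all(any(p == "ip" and host in s and pn.subnet_of(d)
                       for p, s, d in cfg["acls"].get(acl_name, []))
                   for pn in pool_nets)

    findings = []
    # 1. Route: target on the inside subnet, or behind a 'route inside' entry.
    iface = cfg["ifaces"].get(inside_if)
    if not ((iface is not None and host in iface) or
            any(i == inside_if and host in n for i, n, _ in cfg["routes"])):
        findings.append(f"no route to {target} via {inside_if}")
    # 2. nat 0: target <-> pool traffic must be exempt from translation.
    nat0 = cfg["nat0"].get(inside_if)
    if nat0 is None or not covers(nat0):
        findings.append(f"nat ({inside_if}) 0 access-list does not exempt "
                        f"{target} <-> pool of vpngroup {group}")
    # 3. Split tunnel: if one is applied, the target's subnet must be in it.
    split = g.get("split-tunnel")
    if split and not covers(split):
        findings.append(f"split-tunnel acl {split} does not include "
                        f"{target} <-> pool of vpngroup {group}")
    return findings

def conduit_acl_mix(config):
    """Conduits that remain in a config which also applies access-groups."""
    cfg = parse_pix(config)
    return cfg["conduits"] if cfg["access_groups"] else []
```

Run `check_vpn_reachability(SAMPLE_CONFIG, "test", "192.168.95.24")` and it returns an empty list, which matches the thread: the posted config already has the route, the nat 0 entry and the split-tunnel entry for 192.168.95.0/24, so the remaining suspect was the client-side split-tunnel state that snowsurfer fixed by removing and re-adding it. Deleting any one of those three lines from the sample produces exactly one finding naming the missing piece. `conduit_acl_mix` only reports that `conduit permit icmp any any` sits next to `access-group`; it does not decide which form to keep.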
LVL 5

Author Comment

by:snowsurfer
ID: 12117841
I'll take a look, but I don't think the sysopt commands will work.  I'll try posting a case to TAC.
LVL 5

Author Comment

by:snowsurfer
ID: 12138407
I re-added the access-list nat_0 permit ip 192.168.95.0 255.255.255.0 10.254.254.0 255.255.255.0
today and it still didn't work.  While troubleshooting we were playing with split tunnel: I removed split tunnel from my vpngroup with no change; when I added it back in, all of a sudden everything started working.

For lrmoore being the only help, LRWINS