Solved

VPN from outside of ISP with PIX 506E

Posted on 2004-09-24
Last Modified: 2010-04-12
I have a PIX 506E.  I can establish a VPN from inside and outside my ISP, but when I am outside the ISP, I cannot access the network I am VPNed into.  For example, I can ping and vnc to a server when I am using the same ISP, but when I am establishing the VPN through another ISP I cannot ping or vnc to the server.  I also gave the VPN client total access to all network nodes, but for some reason I am only able to access the server.  Any ideas would be much appreciated.  I need this established soon for an outside software vendor to do some remote troubleshooting.  I'll post the config as soon as I can.
Question by:fletchman
4 Comments

Author Comment

by:fletchman
ID: 12145868
Here is my config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password /v2a6EDy6zMfLXc6 encrypted
passwd /v2a6EDy6zMfLXc6 encrypted
hostname justice
domain-name rose.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list Support_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip any 10.0.1.0 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 10.0.1.0 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.19.200.2 255.255.0.0
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Support 10.0.1.2-10.0.1.10
pdm location 10.0.0.1 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data 10.0.0.1 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5631 10.0.0.1 5631 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 10.0.0.1 5632 netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 10.0.0.1 pcanywhere-status netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 172.19.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
vpngroup Support address-pool Support
vpngroup Support dns-server 10.0.0.1 10.0.0.1
vpngroup Support wins-server 10.0.0.1 10.0.0.1
vpngroup Support default-domain jail
vpngroup Support split-tunnel Support_splitTunnelAcl
vpngroup Support idle-time 1800
vpngroup Support password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
username sds8828 password EyeLWAkMkzGJkPKP encrypted privilege 15
terminal width 80
Cryptochecksum:09ace9a4e7f36dfc4d858bddf187d577
: end

Expert Comment

by:lrmoore
ID: 12145931
>ip address outside 172.19.200.2 255.255.0.0  
Is this the real IP? You get a private IP address from your ISP? If so, this is your biggest problem. Nowhere outside the same ISP can you get routed to this IP address...


Author Comment

by:fletchman
ID: 12146027
The public IP is 64.39.130.219.  I just emailed the ISP to see what the subnet and gateway will be for me to set it up that way.  I know the 172.19.200.2 shouldn't work.  The ISP is routing all of the traffic that is pointed to 64.39.130.219 to 172.19.200.2.  I use it on 3COM VPNs, and it works fine.  I'm wondering if I need to put in some kind of ACL to allow the authenticated traffic outside of the ISP or what.  
I think I'm reading your last sentence correctly.  Even if I authenticate, when I try to ping or vnc the traffic doesn't know where to go, huh?

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12146199
Picture is clearer now. ISP NATs your private IP to a public IP. No access restrictions of any kind on the ISP end?

A couple of suggestions:
>isakmp policy 20 group 5  <== DES normally only uses Group 1 or 2

I would make this ACL more specific:
>access-list inside_outbound_nat0_acl permit ip any 10.0.1.0 255.255.255.240
to:
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.240

Same here:
>access-list outside_cryptomap_dyn_20 permit ip any 10.0.1.0 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.240

Change:
>access-list Support_splitTunnelAcl permit ip any any
to:
access-list Support_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any

>ip address inside 10.0.0.254
Make sure that all of your internal hosts point to this IP as their default gateway...

You can try adding this also:
sysopt ipsec pl-compatible
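A small checker, added here and not part of the thread, that encodes lrmoore's suggestions: it reads PIX 6.3 config lines, flags the nat 0, crypto-map and split-tunnel ACLs whose source is any rather than the inside LAN, and flags a DES ISAKMP policy paired with a DH group other than 1 or 2. The CONFIG excerpt is constructed from the lines posted above; parse and lint are my own names.

```python
"""Checks encoding lrmoore's advice above: ACL sources tightened to the inside
LAN, DES paired with DH group 1 or 2. Added example; CONFIG is a constructed excerpt."""
import ipaddress

CONFIG = """\
access-list Support_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip any 10.0.1.0 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 10.0.1.0 255.255.255.240
ip address inside 10.0.0.254 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
isakmp policy 20 encryption des
isakmp policy 20 group 5
vpngroup Support split-tunnel Support_splitTunnelAcl
"""

def parse(config):
    """Collect 'permit ip' ACL sources and the facts the checks need."""
    acls, facts = {}, {"policy": {}}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src = "any" if t[4] == "any" else f"{t[4]} {t[5]}"  # 'any' or 'addr mask'
            acls.setdefault(t[1], []).append(src)
        elif t[:3] == ["ip", "address", "inside"]:
            facts["inside"] = ipaddress.IPv4Interface(f"{t[3]}/{t[4]}").network
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            facts["nat 0"] = t[4]
        elif t[:2] == ["crypto", "dynamic-map"] and "match" in t:
            facts["crypto map"] = t[-1]
        elif t[:2] == ["isakmp", "policy"]:
            facts["policy"].setdefault(t[2], {})[t[3]] = t[4]
        elif t[:1] == ["vpngroup"] and t[2:3] == ["split-tunnel"]:
            facts["split-tunnel"] = t[3]
    return acls, facts

def lint(config):
    """Return findings as strings; an empty list means the checks pass."""
    acls, facts = parse(config)
    net = facts["inside"]
    want = f"{net.network_address} {net.netmask}"  # 10.0.0.0 255.255.255.0
    findings = []
    for role in ("nat 0", "crypto map", "split-tunnel"):
        name = facts.get(role)
        for src in acls.get(name, []):
            if src == "any":  # matches every source, not just the inside LAN
                findings.append(f"{role} ACL {name}: source any; use {want}")
    for num, p in facts["policy"].items():
        if p.get("encryption") == "des" and p.get("group") not in ("1", "2"):
            findings.append(f"isakmp policy {num}: DES with group {p['group']}; use 1 or 2")
    return findings
```

Running lint on the excerpt reports the three loose ACLs and the DES/group 5 policy; applying the three replacement access-list lines above and a group 1 or 2 policy clears all findings.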