
Cisco VPN client passing through a Pix501 to connect to a PIX501

Posted on 2004-10-22
Last Modified: 2013-11-16
Hello All.

I have a PIX501 6.3(3). I am trying to connect using the Cisco VPN client to another PIX501. I can connect and authenticate to the PIX; however, traffic will not traverse. In the stats I see traffic being sent, however none comes back. The client will connect and ship traffic outside of the PIX.

I have tried the 'isakmp nat-traversal' command and it still will not work. I do not have the 1-to-1 static option as I only have one IP address. I am using port forwarding to get inbound traffic (http, smtp etc.). Do I need to do something here also?

regards

JOe

Question by:joe_walsh

    Expert Comment

    by:lrmoore
    Do you happen to have the same IP subnet on both ends? Is your LAN subnet 192.168.1.x and so is the remote network?

     

    Author Comment

    by:joe_walsh
    Hi.

    I have 172.17.30.x on near end and 192.168.1.x on the far end.

    Regards

    JOe
     

    Author Comment

    by:joe_walsh
    Hi again.

    See config below for info.

    JOe


    : Saved
    : Written by enable_15 at 03:19:24.920 UTC Sat Oct 23 2004
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password //JX7RIxWUSz1s4O encrypted
    passwd //JX7RIxWUSz1s4O encrypted
    hostname WSA-Pix
    domain-name wsal.local
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 172.17.30.20 WSA-Svr1
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit icmp any any
    access-list inside_access_in permit udp any any
    access-list inside_access_in permit tcp any any
    access-list outside_access_in permit tcp any interface outside eq www
    access-list outside_access_in permit tcp any interface outside eq https
    pager lines 24
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 4.3.2.2 255.255.255.192
    ip address inside 172.17.30.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 172.17.30.0 255.255.255.255 inside
    pdm location WSA-Svr1 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 10 172.17.30.0 255.255.255.0 0 0
    static (inside,outside) tcp interface www WSA-Svr1 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https WSA-Svr1 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface domain WSA-Svr1 domain netmask 255.255.255.255 0 0
    static (inside,outside) udp interface domain WSA-Svr1 domain netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 4.3.2.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server 134.226.81.3 source inside prefer
    http server enable
    http 172.17.30.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 172.17.30.50 /WSAL-Pix/
    floodguard enable
    isakmp nat-traversal 30
    telnet 172.17.30.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    dhcpd address 172.17.30.100-172.17.30.120 inside
    dhcpd dns 62.231.32.10 62.231.32.11
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:326a88bc16d29a3a42478f324b51b56e
    : end
     

    Expert Comment

    by:lrmoore
    Remove this:
       access-group inside_access_in in interface inside

    Default behavior is to permit everything anyway. Your acl does not include esp, so you may be blocking that.

    You  might also add:
       fixup protocol esp-ike
     

    Author Comment

    by:joe_walsh
    Hello again.

    Done as suggested, reloaded pix and still similar results.

    See config for info.

    : Saved
    : Written by enable_15 at 07:22:26.768 UTC Sat Oct 23 2004
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password //JX7RIxWUSz1s4O encrypted
    passwd //JX7RIxWUSz1s4O encrypted
    hostname WSA-Pix
    domain-name wsal.local
    fixup protocol dns maximum-length 512
    fixup protocol esp-ike
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 172.17.30.20 WSA-Svr1
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit icmp any any
    access-list inside_access_in permit udp any any
    access-list inside_access_in permit tcp any any
    access-list outside_access_in permit tcp any interface outside eq www
    access-list outside_access_in permit tcp any interface outside eq https
    pager lines 24
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 4.3.2.2 255.255.255.192
    ip address inside 172.17.30.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 172.17.30.0 255.255.255.255 inside
    pdm location WSA-Svr1 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 10 172.17.30.0 255.255.255.0 0 0
    static (inside,outside) tcp interface www WSA-Svr1 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https WSA-Svr1 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface domain WSA-Svr1 domain netmask 255.255.255.255 0 0
    static (inside,outside) udp interface domain WSA-Svr1 domain netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 4.3.2.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server 134.226.81.3 source inside prefer
    http server enable
    http 172.17.30.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 172.17.30.50 /WSAL-Pix/
    floodguard enable
    isakmp nat-traversal 30
    telnet 172.17.30.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    dhcpd address 172.17.30.100-172.17.30.120 inside
    dhcpd dns 62.231.32.10 62.231.32.11
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:ffe8f9b916c69bb235efa8e01dc7c72d
    : end
     

    Expert Comment

    by:lrmoore
    There is nothing left on your side that would prevent the connection.
    How do you have the client setup in the Transport tab?
    []Enable Transparent Tunneling
       () UDP
       () TCP

    Play around with those settings.
     Uncheck the Enable Transparent Tunneling box and see what happens.

    What version client? Do you have XP SP2? Did you upgrade the client after SP2?
     

    Expert Comment

    by:lrmoore
    Perhaps the other end is not setup correctly...

     

    Author Comment

    by:joe_walsh
    Getting closer.

    Some more info that I should have added at first.

    I am using W2k as a desktop. However, I have two far-end PIXs with VPN enabled, both of which work outside of my near-end PIX.

    I have looked at the config of the far-end firewalls. I added the line isakmp nat-traversal to each. Both firewalls are pretty much similar in config.

    So.
    See the first config below; this now works OK with the VPN client.
    See the second config below; this is not working with the VPN client.

    I have tried varying scenarios of Enable Transparent Tunneling; still not working.

    So can you see why the first config works and the second will not?

    JOe

    Config that works OK

    : Saved
    : Written by enable_15 at 16:26:39.361 UTC Sat Oct 23 2004
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password //JX7RIxWUSz1s4O encrypted
    passwd //JX7RIxWUSz1s4O encrypted
    hostname Cib-Pix
    domain-name cibenix.local
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 82.141.255.10 Doras
    name 82.141.255.9 Geata
    name 82.141.255.8 SA-Net
    name 10.1.101.20 Cibsrv-Lnx
    name 10.1.101.55 Cibsrv00
    name 83.141.66.66 wsal
    object-group service rdp-tcp tcp
      description Remote Desktop Protocol (tcp 3389)
      port-object eq 3389
    access-list inside_access_in permit tcp 10.1.101.0 255.255.255.0 any
    access-list inside_access_in permit ip 10.1.101.0 255.255.255.0 any
    access-list inside_access_in permit icmp 10.1.101.0 255.255.255.0 any
    access-list outside_access_in permit tcp SA-Net 255.255.255.252 host 84.203.136.93 object-group rdp-tcp
    access-list outside_access_in permit tcp host wsal host 84.203.136.93 object-group rdp-tcp
    access-list outside_access_in permit tcp any host 84.203.136.92 eq www
    access-list CIBVPN_splitTunnelAcl permit ip 10.1.101.0 255.255.255.0 any
    access-list inside_outbound_nat0_acl permit ip 10.1.101.0 255.255.255.0 10.1.102.0 255.255.255.0
    access-list outside_cryptomap_dyn_20 permit ip any 10.1.102.0 255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    logging trap errors
    logging device-id hostname
    logging host inside Cibsrv00
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 84.203.136.90 255.255.255.248
    ip address inside 10.1.101.10 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool Cib-Pool 10.1.102.1-10.1.102.254
    pdm location Geata 255.255.255.255 outside
    pdm location Doras 255.255.255.255 outside
    pdm location SA-Net 255.255.255.252 outside
    pdm location Cibsrv-Lnx 255.255.255.255 inside
    pdm location Cibsrv00 255.255.255.255 inside
    pdm location wsal 255.255.255.255 outside
    pdm history enable
    arp timeout 14400
    global (outside) 91 84.203.136.91
    global (outside) 92 84.203.136.92
    global (outside) 93 84.203.136.93
    global (outside) 94 84.203.136.94
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 91 10.1.101.0 255.255.255.0 0 0
    static (inside,outside) 84.203.136.93 Cibsrv00 netmask 255.255.255.255 0 0
    static (inside,outside) 84.203.136.92 Cibsrv-Lnx netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 84.203.136.89 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    ntp server 159.134.192.1 source outside prefer
    http server enable
    http Geata 255.255.255.255 outside
    http Doras 255.255.255.255 outside
    http 10.1.101.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside Cibsrv00 /
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup CIBVPN address-pool Cib-Pool
    vpngroup CIBVPN dns-server Cibsrv00
    vpngroup CIBVPN wins-server Cibsrv00
    vpngroup CIBVPN default-domain cibenix.local
    vpngroup CIBVPN split-tunnel CIBVPN_splitTunnelAcl
    vpngroup CIBVPN idle-time 1800
    vpngroup CIBVPN password openthedoor
    telnet 10.1.101.0 255.255.255.0 inside
    telnet timeout 5
    ssh Doras 255.255.255.255 outside
    ssh Geata 255.255.255.255 outside
    ssh 10.1.101.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:7487508656d451a6e6ac93cd3415522b
    : end


    Config that will not work

    : Saved
    : Written by enable_15 at 15:27:54.970 UTC Sat Oct 23 2004
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password //JX7RIxWUSz1s4O encrypted
    passwd //JX7RIxWUSz1s4O encrypted
    hostname PW-Pix
    domain-name promotionalwarehouse.ie
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.1.1 PW-Server
    name 82.141.255.8 WSA-ISDN-Net
    name 83.141.66.66 wsal
    object-group service RDP-tcp tcp
      description Remote Desktop Protocol
      port-object eq 3389
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit tcp any any
    access-list inside_access_in permit icmp any any
    access-list inside_access_in permit tcp any 192.168.2.0 255.255.255.0
    access-list inside_access_in permit ip any 192.168.2.0 255.255.255.0
    access-list outside_access_in permit tcp any host 213.190.144.106 eq smtp
    access-list outside_access_in permit tcp WSA-ISDN-Net 255.255.255.252 host 213.190.144.106 object-group RDP-tcp
    access-list outside_access_in permit tcp host wsal host 213.190.144.106 object-group RDP-tcp
    access-list outside_access_in permit icmp any any
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.0
    access-list outside_cryptomap_dyn_60 permit ip any 192.168.2.0 255.255.255.0
    pager lines 24
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool PW-Pool 192.168.2.1-192.168.2.254
    pdm location PW-Server 255.255.255.255 inside
    pdm location WSA-ISDN-Net 255.255.255.252 outside
    pdm location wsal 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (outside) 11 213.190.144.107
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 11 192.168.1.0 255.255.255.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 213.190.144.106 PW-Server netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server 159.134.192.1 source outside prefer
    http server enable
    http WSA-ISDN-Net 255.255.255.252 outside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup PWVPN address-pool PW-Pool
    vpngroup PWVPN dns-server PW-Server
    vpngroup PWVPN wins-server PW-Server
    vpngroup PWVPN default-domain promotionalwarehouse.local
    vpngroup PWVPN split-tunnel outside_cryptomap_dyn_60
    vpngroup PWVPN pfs
    vpngroup PWVPN idle-time 1800
    vpngroup PWVPN password openthedoor
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh WSA-ISDN-Net 255.255.255.252 outside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP client configuration address local PW-Pool
    vpdn group PPTP-VPDN-GROUP client configuration dns PW-Server
    vpdn group PPTP-VPDN-GROUP client configuration wins PW-Server
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username PW password openthedoor
    vpdn enable outside
    dhcpd address 192.168.1.100-192.168.1.130 inside
    dhcpd dns 159.134.237.6
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:dadd591996f9dcbf8b72865c7c2b05d7
    : end



     

    Expert Comment

    by:lrmoore
    >hostname PW-Pix
        >vpngroup PWVPN split-tunnel outside_cryptomap_dyn_60

    Look at the difference in the split tunnel implementation on both sites.
    This one references the same acl that is used by a different process. PIX does not like to use the same acl for more than one process.
    Suggest create another split-tunnel acl:
        access-list split_tunnel_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
        vpngroup PWVPN split-tunnel split_tunnel_acl
     

    Author Comment

    by:joe_walsh
    Done as suggested and reloaded.

    No change.

     

    Expert Comment

    by:lrmoore
    I'm hitting a wall here...
    Can you post both configs so I can compare side-by-side?
     

    Author Comment

    by:joe_walsh
    Hello again

    The PIX that works

    : Saved
    : Written by enable_15 at 22:23:37.553 UTC Mon Oct 25 2004
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password //JX7RIxWUSz1s4O encrypted
    passwd //JX7RIxWUSz1s4O encrypted
    hostname Cib-Pix
    domain-name cibenix.local
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 82.141.255.10 Doras
    name 82.141.255.9 Geata
    name 82.141.255.8 SA-Net
    name 10.1.101.20 Cibsrv-Lnx
    name 10.1.101.55 Cibsrv00
    name 4.3.2.1 wsal
    object-group service rdp-tcp tcp
      description Remote Desktop Protocol (tcp 3389)
      port-object eq 3389
    access-list inside_access_in permit tcp 10.1.101.0 255.255.255.0 any
    access-list inside_access_in permit ip 10.1.101.0 255.255.255.0 any
    access-list inside_access_in permit icmp 10.1.101.0 255.255.255.0 any
    access-list outside_access_in permit tcp SA-Net 255.255.255.252 host 84.203.136.93 object-group rdp-tcp
    access-list outside_access_in permit tcp host wsal host 84.203.136.93 object-group rdp-tcp
    access-list outside_access_in permit tcp any host 84.203.136.92 eq www
    access-list CIBVPN_splitTunnelAcl permit ip 10.1.101.0 255.255.255.0 any
    access-list inside_outbound_nat0_acl permit ip 10.1.101.0 255.255.255.0 10.1.102.0 255.255.255.0
    access-list outside_cryptomap_dyn_20 permit ip any 10.1.102.0 255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    logging trap errors
    logging device-id hostname
    logging host inside Cibsrv00
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 84.203.136.90 255.255.255.248
    ip address inside 10.1.101.10 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool Cib-Pool 10.1.102.1-10.1.102.254
    pdm location Geata 255.255.255.255 outside
    pdm location Doras 255.255.255.255 outside
    pdm location SA-Net 255.255.255.252 outside
    pdm location Cibsrv-Lnx 255.255.255.255 inside
    pdm location Cibsrv00 255.255.255.255 inside
    pdm location wsal 255.255.255.255 outside
    pdm history enable
    arp timeout 14400
    global (outside) 91 84.203.136.91
    global (outside) 92 84.203.136.92
    global (outside) 93 84.203.136.93
    global (outside) 94 84.203.136.94
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 91 10.1.101.0 255.255.255.0 0 0
    static (inside,outside) 84.203.136.93 Cibsrv00 netmask 255.255.255.255 0 0
    static (inside,outside) 84.203.136.92 Cibsrv-Lnx netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 84.203.136.89 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    ntp server 159.134.192.1 source outside prefer
    http server enable
    http Geata 255.255.255.255 outside
    http Doras 255.255.255.255 outside
    http 10.1.101.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside Cibsrv00 /
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup CIBVPN address-pool Cib-Pool
    vpngroup CIBVPN dns-server Cibsrv00
    vpngroup CIBVPN wins-server Cibsrv00
    vpngroup CIBVPN default-domain cibenix.local
    vpngroup CIBVPN split-tunnel CIBVPN_splitTunnelAcl
    vpngroup CIBVPN idle-time 1800
    vpngroup CIBVPN password
    telnet 10.1.101.0 255.255.255.0 inside
    telnet timeout 5
    ssh Doras 255.255.255.255 outside
    ssh Geata 255.255.255.255 outside
    ssh 10.1.101.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:7487508656d451a6e6ac93cd3415522b
    : end


    The PIX that will not

    : Saved
    : Written by enable_15 at 21:30:41.597 UTC Mon Oct 25 2004
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password //JX7RIxWUSz1s4O encrypted
    passwd //JX7RIxWUSz1s4O encrypted
    hostname PW-Pix
    domain-name promotionalwarehouse.ie
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.1.1 PW-Server
    name 82.141.255.8 WSA-ISDN-Net
    name 4.3.2.1 wsal
    object-group service RDP-tcp tcp
      description Remote Desktop Protocol
      port-object eq 3389
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit tcp any any
    access-list inside_access_in permit icmp any any
    access-list inside_access_in permit tcp any 192.168.2.0 255.255.255.0
    access-list inside_access_in permit ip any 192.168.2.0 255.255.255.0
    access-list outside_access_in permit tcp any host 213.190.144.106 eq smtp
    access-list outside_access_in permit tcp WSA-ISDN-Net 255.255.255.252 host 213.190.144.106 object-group RDP-tcp
    access-list outside_access_in permit tcp host wsal host 213.190.144.106 object-group RDP-tcp
    access-list outside_access_in permit icmp any any
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.0
    access-list outside_cryptomap_dyn_60 permit ip any 192.168.2.0 255.255.255.0
    access-list PWVPN_splitTunnelAcl_1 permit ip 192.168.1.0 255.255.255.0 any
    access-list PWVPN_split_tunnel_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    pager lines 24
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool PW-Pool 192.168.2.1-192.168.2.254
    pdm location PW-Server 255.255.255.255 inside
    pdm location WSA-ISDN-Net 255.255.255.252 outside
    pdm location wsal 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (outside) 11 213.190.144.107
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 11 192.168.1.0 255.255.255.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 213.190.144.106 PW-Server netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server 159.134.192.1 source outside prefer
    http server enable
    http WSA-ISDN-Net 255.255.255.252 outside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup PWVPN address-pool PW-Pool
    vpngroup PWVPN dns-server PW-Server
    vpngroup PWVPN wins-server PW-Server
    vpngroup PWVPN default-domain promotionalwarehouse.local
    vpngroup PWVPN split-tunnel PWVPN_split_tunnel_acl
    vpngroup PWVPN pfs
    vpngroup PWVPN idle-time 1800
    vpngroup PWVPN password openthedoor
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh WSA-ISDN-Net 255.255.255.252 outside
    ssh wsal 255.255.255.255 outside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    vpdn username PW password
    vpdn enable outside
    dhcpd address 192.168.1.100-192.168.1.130 inside
    dhcpd dns 159.134.237.6
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:7e1fd6c6ab3498d7a7b4398a0f72209b
    : end


    regards

    joe

     

    Expert Comment

    by:lrmoore
    Suggest (again) that you remove this from both sides.
        >access-group inside_access_in in interface inside

    Remove this (PW-Pix):
     vpngroup PWVPN pfs

    Suggest adding this to Cib-PIX (yeah, I know it's the working side, just a suggestion)
       isakmp identity address





     
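As an added example (not code from the thread, from Cisco, or from either poster), here is a small Python linter that runs the checks lrmoore raises across the thread against a saved PIX 6.3 config: for the near-end PIX the client sits behind, whether `fixup protocol esp-ike` is present and whether an ACL applied to the inside interface passes IKE (udp/500), NAT-T (udp/4500) and ESP; for the headend, whether `isakmp nat-traversal` and `isakmp identity address` are set, whether the vpngroup split-tunnel list is the same ACL the crypto dynamic-map matches on, whether `vpngroup ... pfs` is set, and whether the `nat 0` ACL exempts the VPN pool. The sample configs are constructed and trimmed from what was posted; the `PORT_NAMES` table, the choice of checks, and the rule that `permit ip any any` counts as permitting ESP and IKE are this example's assumptions. It deliberately ignores ACE addresses and does not resolve `name` objects.

```python
"""Lint saved PIX 6.3 configs for the remote-access VPN pitfalls raised in this thread.
Added example, not code from the thread or Cisco; samples are constructed, rules are assumed."""
import ipaddress
PORT_NAMES = {"isakmp": "500", "domain": "53", "www": "80"}  # PIX keyword ports (subset, assumed)

# Constructed: near-end PIX (the box the client sits *behind*) with PAT and a TCP/DNS-only inside ACL.
NEAR_END_BAD = """\
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any eq domain
access-group inside_access_in in interface inside
global (outside) 10 interface
"""

# Constructed: headend reusing its crypto-map ACL for split tunnelling, forcing PFS, no identity set.
HEADEND = """\
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_dyn_60 permit ip any 192.168.2.0 255.255.255.0
ip local pool PW-Pool 192.168.2.1-192.168.2.254
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
isakmp nat-traversal 20
vpngroup PWVPN split-tunnel outside_cryptomap_dyn_60
vpngroup PWVPN pfs
"""


def parse(config):
    """Tokenise a saved config, dropping blank lines and ':' comments."""
    return [ln.split() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith(":")]

def has(lines, *prefix):
    return any(t[:len(prefix)] == list(prefix) for t in lines)

def acl_entries(lines, name):
    return [t for t in lines if t[:2] == ["access-list", name]]

def acl_permits(entries, proto, port=None):
    """Does any ACE permit proto (and dst port)? Addresses are ignored; 'permit ip' covers esp/udp."""
    for ace in entries:
        if len(ace) < 4 or ace[2] != "permit" or ace[3] not in ("ip", proto):
            continue
        if port is None or ace[3] == "ip" or "eq" not in ace:
            return True
        if PORT_NAMES.get(p := ace[ace.index("eq") + 1], p) == port:  # first 'eq' only
            return True
    return False

def check_passthrough_pix(config):
    """Findings for the PIX the client sits behind (a NAT/PAT box, not a VPN peer)."""
    lines, findings = parse(config), []
    # Raw ESP (IP proto 50) has no port for PAT; PIX 6.3 passes one ESP session with this fixup.
    if not has(lines, "fixup", "protocol", "esp-ike"):
        findings.append("no 'fixup protocol esp-ike': raw ESP through PAT will fail")
    for t in lines:
        if t[:1] == ["access-group"] and t[-2:] == ["interface", "inside"]:
            entries = acl_entries(lines, t[1])
            for proto, port, label in (("udp", "500", "IKE udp/500"),
                                       ("udp", "4500", "NAT-T udp/4500"), ("esp", None, "ESP")):
                if not acl_permits(entries, proto, port):
                    findings.append(f"inside ACL {t[1]} blocks {label}")
    return findings

def nat0_covers_pools(lines):
    """Is every 'ip local pool' start address a destination of some nat 0 ACE?"""
    pools = [ipaddress.ip_address(t[4].split("-")[0]) for t in lines if t[:3] == ["ip", "local", "pool"]]
    nat0 = [t[4] for t in lines if t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]]
    for ace in (a for n in nat0 for a in acl_entries(lines, n)):
        if len(ace) < 6 or ace[2:4] != ["permit", "ip"]:
            continue
        rest = ace[5:] if ace[4] == "any" else ace[6:]  # skip the source: any | host X | net mask
        try:
            if rest[0] == "any":
                return True
            dst = (ipaddress.ip_network(rest[1]) if rest[0] == "host"
                   else ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False))
        except (IndexError, ValueError):  # 'name' objects are not resolved in this example
            continue
        if pools and all(p in dst for p in pools):
            return True
    return False

def check_headend_pix(config):
    """Findings for the PIX that terminates the VPN client (the far end)."""
    lines, findings = parse(config), []
    if not has(lines, "isakmp", "nat-traversal"):
        findings.append("isakmp nat-traversal off: a client behind PAT needs UDP 4500 encapsulation")
    if not has(lines, "isakmp", "identity", "address"):
        findings.append("no 'isakmp identity address'")
    crypto_acls = {t[t.index("address") + 1] for t in lines
                   if t[:2] == ["crypto", "dynamic-map"] and "address" in t}
    for t in lines:
        if t[:1] == ["vpngroup"] and "split-tunnel" in t and t[-1] in crypto_acls:
            findings.append(f"vpngroup {t[1]} split-tunnel reuses crypto-map ACL {t[-1]}")
        if t[:1] == ["vpngroup"] and t[-1] == "pfs":
            findings.append(f"vpngroup {t[1]} pfs: the client must negotiate PFS too or phase 2 fails")
    if not nat0_covers_pools(lines):
        findings.append("nat 0 ACL does not exempt the VPN pool from NAT")
    return findings
```

Run `check_passthrough_pix(NEAR_END_BAD)` and `check_headend_pix(HEADEND)` on the constructed samples, or paste in a real `write terminal` dump. Note that a near-end config with `permit ip any any` on the inside interface, as posted earlier in this thread, comes back clean on the ACL check: an IP-level permit already covers ESP and UDP 500/4500, so the inside ACL is not what stops the tunnel there.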

    Author Comment

    by:joe_walsh
    Hello again.

    Some additional info: the PW-Pix is behind a ZyXel Prestige 643 ADSL firewall. I have checked, and the box is not doing any firewalling functionality.
    System details are as follows.

    ZyNOS F/W Version: V2.50(AP.5) | 08/26/2002
    DSL F/W Version: Alcatel, Version 3.8.124
    Standard: Multi-Mode

I am beginning to think that this ZyXel box is interfering with the traffic in some way. However, if I place the VPN client outside of the home PIX, all is fine.

Anyway, I do appreciate your help. Hopefully we are not going around in circles.

    JOe

Home PIX config

    Type help or '?' for a list of available commands.
    WSA-Pix>  en
    Password: ****
    Invalid password
    Password: ********
    WSA-Pix# wr t
    Building configuration...
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password //JX7RIxWUSz1s4O encrypted
    passwd //JX7RIxWUSz1s4O encrypted
    hostname WSA-Pix
    domain-name wsal.local
    fixup protocol dns maximum-length 512
    fixup protocol esp-ike
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 172.17.30.20 WSA-Svr1
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit icmp any any
    access-list inside_access_in permit udp any any
    access-list inside_access_in permit tcp any any
    access-list outside_access_in permit tcp any interface outside eq www
    access-list outside_access_in permit tcp any interface outside eq https
    access-list outside_access_in permit tcp any interface outside eq smtp
    pager lines 24
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 83.141.66.66 255.255.255.192
    ip address inside 172.17.30.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 172.17.30.0 255.255.255.255 inside
    pdm location WSA-Svr1 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 10 172.17.30.0 255.255.255.0 0 0
    static (inside,outside) tcp interface www WSA-Svr1 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp WSA-Svr1 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https WSA-Svr1 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface domain WSA-Svr1 domain netmask 255.255.255.255 0 0
    static (inside,outside) udp interface domain WSA-Svr1 domain netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 83.141.66.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server 134.226.81.3 source inside prefer
    http server enable
    http 172.17.30.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 172.17.30.50 /WSAL-Pix/
    floodguard enable
    isakmp nat-traversal 30
    telnet 172.17.30.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    dhcpd address 172.17.30.100-172.17.30.120 inside
    dhcpd dns 62.231.32.10 62.231.32.11
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:ffe8f9b916c69bb235efa8e01dc7c72d


    Far end Pix config that connects with VPN but will not ship traffic.

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password //JX7RIxWUSz1s4O encrypted
    passwd //JX7RIxWUSz1s4O encrypted
    hostname PW-Pix
    domain-name promotionalwarehouse.ie
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.1.1 PW-Server
    name 82.141.255.8 WSA-ISDN-Net
    name 83.141.66.66 wsal
    object-group service RDP-tcp tcp
      description Remote Desktop Protocol
      port-object eq 3389
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit tcp any any
    access-list inside_access_in permit icmp any any
    access-list inside_access_in permit tcp any 192.168.2.0 255.255.255.0
    access-list inside_access_in permit ip any 192.168.2.0 255.255.255.0
    access-list outside_access_in permit tcp any host 213.190.144.106 eq smtp
    access-list outside_access_in permit tcp WSA-ISDN-Net 255.255.255.252 host 213.190.144.106 object-group RDP-tcp
    access-list outside_access_in permit tcp host wsal host 213.190.144.106 object-group RDP-tcp
    access-list outside_access_in permit icmp any any
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.0
    access-list outside_cryptomap_dyn_60 permit ip any 192.168.2.0 255.255.255.0
    access-list PWVPN_splitTunnelAcl_1 permit ip 192.168.1.0 255.255.255.0 any
    access-list PWVPN_split_tunnel_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    pager lines 24
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool PW-Pool 192.168.2.1-192.168.2.254
    pdm location PW-Server 255.255.255.255 inside
    pdm location WSA-ISDN-Net 255.255.255.252 outside
    pdm location wsal 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (outside) 11 213.190.144.107
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 11 192.168.1.0 255.255.255.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 213.190.144.106 PW-Server netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server 159.134.192.1 source outside prefer
    http server enable
    http WSA-ISDN-Net 255.255.255.252 outside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup PWVPN address-pool PW-Pool
    vpngroup PWVPN dns-server PW-Server
    vpngroup PWVPN wins-server PW-Server
    vpngroup PWVPN default-domain promotionalwarehouse.local
    vpngroup PWVPN split-tunnel PWVPN_split_tunnel_acl
    vpngroup PWVPN pfs
    vpngroup PWVPN idle-time 1800
    vpngroup PWVPN password ********
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh WSA-ISDN-Net 255.255.255.252 outside
    ssh wsal 255.255.255.255 outside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    vpdn username PW password *********
    vpdn enable outside
    dhcpd address 192.168.1.100-192.168.1.130 inside
    dhcpd dns 159.134.237.6
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:281da03ec6ffe193c2fdf4b086ab0912

    0
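Added example (not part of the thread, not Cisco code, and not anything the posters ran): a small Python lint that reads a PIX 6.3 configuration as text and checks the points this thread turns on for a VPN client behind NAT. The function names `check_config`, `acl_ip_entries` and `_network` are chosen here; `SAMPLE_CONFIG` is an abbreviated copy of the PW-Pix config posted above, with the group password masked as it is on the page. It flags the two items lrmoore suggests removing (`vpngroup PWVPN pfs` and any `access-group ... in interface inside`), confirms that the `nat (inside) 0` exemption ACL covers the whole `PW-Pool` range, confirms that the split-tunnel ACL the vpngroup references has entries, checks for `sysopt connection permit-ipsec` and `isakmp nat-traversal`, and lists ACLs that are defined but never applied (`PWVPN_splitTunnelAcl_1` is one in the posted config).

```python
"""Sanity checks for a PIX 6.3 remote-access VPN config.  Added example for this
thread (not Cisco code, not the posters' own tooling): it reads a saved config
as text and reports the points the thread turns on for a Cisco VPN client
behind NAT: a 'nat (inside) 0' exemption covering the client pool, a
split-tunnel ACL the vpngroup really references, 'sysopt connection
permit-ipsec', 'isakmp nat-traversal', and the two items lrmoore suggests
removing ('vpngroup ... pfs', an access-group on inside).  SAMPLE_CONFIG is an
abbreviated copy of the PW-Pix config posted in the thread, password masked."""
import ipaddress

SAMPLE_CONFIG = """\
access-list inside_access_in permit ip any any
access-list outside_access_in permit tcp any host 213.190.144.106 eq smtp
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.0
access-list outside_cryptomap_dyn_60 permit ip any 192.168.2.0 255.255.255.0
access-list PWVPN_splitTunnelAcl_1 permit ip 192.168.1.0 255.255.255.0 any
access-list PWVPN_split_tunnel_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool PW-Pool 192.168.2.1-192.168.2.254
nat (inside) 0 access-list inside_outbound_nat0_acl
access-group outside_access_in in interface outside
sysopt connection permit-ipsec
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
isakmp nat-traversal 20
vpngroup PWVPN address-pool PW-Pool
vpngroup PWVPN split-tunnel PWVPN_split_tunnel_acl
vpngroup PWVPN pfs
vpngroup PWVPN password ********
"""


def _network(t, i):
    """Parse one ACL address spec (any | host X | addr mask) at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def acl_ip_entries(lines, acl):
    """(src, dst) networks of the 'permit ip' entries of one access-list."""
    out = []
    for t in lines:
        if t[:4] == ["access-list", acl, "permit", "ip"]:
            src, i = _network(t, 4)
            out.append((src, _network(t, i)[0]))
    return out


def check_config(text):
    """Run the checks; return result flags plus human-readable findings."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    r = {"group": None, "pool": None, "split_tunnel_acl": None,
         "permit_ipsec": ["sysopt", "connection", "permit-ipsec"] in lines,
         "nat_traversal": any(t[:2] == ["isakmp", "nat-traversal"] for t in lines),
         "pfs_pushed": False, "inside_access_group": None}
    pools, nat0, referenced = {}, [], set()
    for t in lines:
        if t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "vpngroup":
            r["group"] = t[1]
            if t[2] == "address-pool":
                r["pool"] = t[3]
            elif t[2] == "split-tunnel":
                r["split_tunnel_acl"] = t[3]
                referenced.add(t[3])
            elif t[2] == "pfs":
                r["pfs_pushed"] = True
        elif t[0] == "access-group":
            referenced.add(t[1])
            if t[-1] == "inside":
                r["inside_access_group"] = t[1]
        elif t[0] == "nat" and "access-list" in t:
            referenced.add(t[-1])
            if t[2] == "0":
                nat0.append(t[-1])
        elif t[0] == "crypto" and "match" in t:
            referenced.add(t[-1])
    # The exemption must cover the whole pool, or replies to clients get translated
    # by the ordinary NAT rules instead of going back through the tunnel.
    lo, hi = pools.get(r["pool"], (None, None))
    r["pool_exempt_from_nat"] = any(lo is not None and lo in dst and hi in dst
                                    for acl in nat0 for _src, dst in acl_ip_entries(lines, acl))
    r["split_tunnel_entries"] = len(acl_ip_entries(lines, r["split_tunnel_acl"])) if r["split_tunnel_acl"] else 0
    r["unreferenced_acls"] = sorted({t[1] for t in lines if t[0] == "access-list"} - referenced)
    checks = [
        (not r["pool_exempt_from_nat"], f"pool {r['pool']} is not covered by a 'nat (inside) 0' access-list"),
        (r["split_tunnel_acl"] and not r["split_tunnel_entries"], f"split-tunnel ACL {r['split_tunnel_acl']} has no 'permit ip' entries"),
        (not r["permit_ipsec"], "missing 'sysopt connection permit-ipsec'"),
        (not r["nat_traversal"], "missing 'isakmp nat-traversal'"),
        (r["pfs_pushed"], f"'vpngroup {r['group']} pfs' is set; the thread suggests removing it"),
        (r["inside_access_group"], f"access-group {r['inside_access_group']} is applied on inside; the thread suggests removing it"),
    ]
    r["findings"] = [msg for bad, msg in checks if bad]
    r["findings"] += [f"access-list {a} is defined but never referenced" for a in r["unreferenced_acls"]]
    return r


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG)["findings"]:
        print(line)
```

Run it against the full `wr t` output of the far-end PIX rather than the abbreviated sample. On the posted config it reports only the `pfs` line and the two ACLs that are defined but never applied; the NAT exemption, split-tunnel ACL, `permit-ipsec` and `nat-traversal` checks all pass, which matches lrmoore's reading that the config itself looks OK. The exemption check is the one worth keeping around: if the pool is not covered by the `nat 0` ACL, the far-end hosts' replies to 192.168.2.x are translated by the regular `nat`/`global` pair and never re-enter the tunnel, which produces exactly the "traffic sent, nothing returned" client statistics described at the top of the question.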
     
    LVL 79

    Expert Comment

    by:lrmoore
    >I am beginning to think that this ZyXel box is interfering with the traffic in some way.
    Yeah, I think so too... it appears to be blocking something..

    The config looks OK...

    0
     
    LVL 79

    Accepted Solution

    by:
    0
