  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 407

New PIX515E VPN will not work with My PIX501 VPN Config

I am a novice Cisco tech and I need help.  I have been successful in finding answers I need from experts-exchange for over a year without the need to post.  But now I want to know what I am doing wrong so I can become better.

Scenario: I purchased a Pix515E-UR (w/out 3Des VPN) to replace the PIX501 (w/3Des VPN)
I have been using the VPN on the PIX501 for almost a year and it works fine.  When I took out the 3 in front of the DES to downgrade the encryption, the PIX515 firewall took the entire config from the PIX501 without problem.  I can even connect to the VPN, but no access to local resources is available and Transparent Tunneling is inactive.

I used the VPN Wizard and set up a fresh VPN.  It worked from our neighbor's wireless network, which is wide open and has the same internal subnet as the internal business network.  But when I got home it no longer worked from my 172.30.32.0 network, and I soon found out the home users that have 192.168.0.0-192.168.2.0 could not connect either.  Reconfigured it again and same scenario: the neighbor's network could connect and pass traffic and I could not from home.  I am no good with using the PDM anyway.  I want help in determining my faults without Cisco intervention.

OLD WORKING PIX 501 CONFIG W/VPN

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_acl permit tcp any host 60.x.x.163 eq 3389
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 60.x.x.162 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool CHPOOL 192.168.2.101-192.168.2.125
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 60.x.x.163 192.168.1.20 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 60.x.x.161 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set CHSET esp-3des esp-sha-hmac
crypto dynamic-map CHMAP 10 set transform-set CHSET
crypto map CHVPN 10 ipsec-isakmp dynamic CHMAP
crypto map CHVPN interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 6400
vpngroup CHCLIENT address-pool CHPOOL
vpngroup CHCLIENT dns-server 192.168.1.20
vpngroup CHCLIENT wins-server 192.168.1.20
vpngroup CHCLIENT default-domain test.com
vpngroup CHCLIENT split-tunnel 101
vpngroup CHCLIENT idle-time 18000
vpngroup CHCLIENT password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80


NEW PIX515E CONFIG (allows the VPN connection to lock, but no traffic can pass; Internet works)

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 60.x.x.163 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool CHPOOL 192.168.2.101-192.168.2.125
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 60.x.x.150 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set CHSET esp-des esp-md5-hmac
crypto dynamic-map CHMAP 10 set transform-set CHSET
crypto map CHVPN 10 ipsec-isakmp dynamic CHMAP
crypto map CHVPN interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 6400
vpngroup CHCLIENT address-pool CHPOOL
vpngroup CHCLIENT dns-server 192.168.1.20
vpngroup CHCLIENT wins-server 192.168.1.20
vpngroup CHCLIENT default-domain test.com
vpngroup CHCLIENT split-tunnel 101
vpngroup CHCLIENT idle-time 18000
vpngroup CHCLIENT password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80


Thanks for your help in advance.
Asked by: tatteredtech

1 Solution

lrmooreCommented:
Add this to your new 515e:
  isakmp nat-traversal 10

Old:
>route outside 0.0.0.0 0.0.0.0 60.x.x.161 1

New:
>route outside 0.0.0.0 0.0.0.0 60.x.x.150 1  <== why do you have a different default gateway?

You don't have them both connected up at the same time, do you?
tatteredtechAuthor Commented:
Because I have the office PIX515E set up at my home on a static IP, and my home PIX501 GW = .150 on another static IP in my home subnet.  I still have the old PIX501 in place at the office.
martapCommented:

You should enable Transparent tunneling on your VPN client. IPSEC over UDP should be the chosen tunneling.
tatteredtechAuthor Commented:
I did enable transparent tunneling over UDP. I am using the Cisco Client V 4.0.3A
lrmooreCommented:
If you are using XP with SP2, you need to upgrade your client to V 4.05 or 4.6
tatteredtechAuthor Commented:
I am sorry for not posting sooner.  I do not use XP SP2 on any machine, but I am using XP.  This firewall is giving me so much trouble.  After I posted last I got it to work from 2 of 3 networks.  Took it to the office and put it in production as an x.x.x.2 firewall, and now it connects but still does not pass traffic.
When I right-click the VPN lock at the bottom right after connected it says Transparent Tunnel is Inactive and that LAN access is disabled.  I have transparent tunneling enabled over UDP and allow LAN access is checked.
lrmooreCommented:
But, did you add this to the PIX?

  isakmp nat-traversal 10
tatteredtechAuthor Commented:
Let me try that.
tatteredtechAuthor Commented:
It now says "Active on UDP port 4500" when I view statistics on the VPN client.  But still no luck passing traffic.  Do I need to open any ports for this?
tatteredtechAuthor Commented:
I will raise the points a bit.
lrmooreCommented:
Is your Local home LAN the same IP subnet as the remote LAN behind the PIX?
Assuming that the remote LAN is 192.168.1.0, what is your home network? Is it also 192.168.1.0 ?
tatteredtechAuthor Commented:
I have a pix501 at home and the Subnet is 172.30.32.0 255.255.255.0
My Office network is 192.168.1.0
VPN IPPOOL is 192.168.2.0

The kicker is that the times I have made it work on the new PIX515 it was from a similar subnet as the internal office subnet.
My current PIX501 at the office is still in production as 192.168.1.1, and I can connect from my home PIX501 172.30.32.0 without problem, and my home office users connect from 192.168.0.0 and 192.168.1.0.

Right now I have the
PIX501 at IP
ip address outside 60.x.x.162 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0

PIX515 at IP
ip address outside 60.x.x.170 255.255.255.240
ip address inside 192.168.1.2 255.255.255.0

route outside 0.0.0.0 0.0.0.0 60.x.x.161 1
for both
lrmooreCommented:
Ah, so both are up and running at the same time.
The issue is that if the 501 @ 192.168.1.1 is the internal users/servers' default gateway, then they don't know to send packets destined to the VPN Pool subnet 192.168.2.0 to the "other" PIX. You can't just add a static route on the 501, so you have two options:
Put a static route on each PC/Server on the LAN that you want to get to from the VPN, pointing to 192.168.1.2, OR, change everybody's default gateway from 192.168.1.1 to 192.168.1.2

You may also want to disable proxy arp on the inside of both PIX's
   sysopt noproxyarp inside

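lrmoore's diagnosis boils down to three checks on the PIX 6.x config: is NAT-T enabled, does the nat 0 access-list exempt the VPN pool, and do LAN hosts actually use this PIX as their default gateway so replies for the pool come back through it. The audit below is an added example, not code from the thread or from Cisco; the config excerpt is constructed from the PIX515E config posted above (with the inside address moved to 192.168.1.2 as the asker later did), and the `parse_pix` and `audit` functions and their finding texts are my own.

```python
import ipaddress
import re

# Constructed excerpt of the PIX515E config from the thread, before
# 'isakmp nat-traversal 10' was added.
PIX515E = """\
ip address inside 192.168.1.2 255.255.255.0
ip local pool CHPOOL 192.168.2.101-192.168.2.125
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map CHVPN interface outside
"""

def parse_pix(config):
    """Pull out the PIX 6.x lines that decide whether VPN pool traffic gets back."""
    facts = {"nat_t": False, "inside": None, "pool": None, "nat0_acl": None, "acl": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("isakmp nat-traversal"):
            facts["nat_t"] = True
        elif m := re.match(r"ip address inside (\S+) (\S+)$", line):
            facts["inside"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+)$", line):
            facts["pool"] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            facts["nat0_acl"] = m[1]
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            # Only the destination side matters for the pool exemption check.
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}")
            facts["acl"].setdefault(m[1], []).append(dst)
    return facts

def audit(facts, lan_gateway):
    """Return findings for a LAN whose hosts use lan_gateway as default gateway."""
    findings = []
    if not facts["nat_t"]:
        findings.append("NAT-T: 'isakmp nat-traversal 10' missing; clients behind NAT "
                        "will show Transparent Tunneling inactive and pass no traffic")
    lo, hi = facts["pool"]
    exempt = facts["acl"].get(facts["nat0_acl"], [])
    if not any(lo in net and hi in net for net in exempt):
        findings.append("NAT0: VPN pool not covered by the nat 0 access-list")
    gw = ipaddress.ip_address(lan_gateway)
    if gw != facts["inside"].ip:
        findings.append(f"Return path: LAN gateway {gw} is not this PIX "
                        f"({facts['inside'].ip}); replies for the pool go to the wrong box")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_pix(PIX515E), "192.168.1.1"):
        print(finding)
```

Run against the thread's situation (LAN gateway still the old PIX at 192.168.1.1) it reports the two faults lrmoore called out; with NAT-T added and the gateway moved to 192.168.1.2 it reports none.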
tatteredtechAuthor Commented:
The users are starting to sign out for the day.  I will shortly switch the internal IP addresses of the firewalls and let you know.  I appreciate it, lrmoore.  I browse posts by your name usually to collect knowledge, so I have faith in you, and thanks for your time, mate.
tatteredtechAuthor Commented:
Thanks! lrmoore, you are my hero!
lrmooreCommented:
Glad to help!

- Cheers!