Solved

PIX 501 Site to Site VPN

Posted on 2005-03-16
19
Medium Priority
301 Views
Last Modified: 2013-11-16
Hello,
I posted a question regarding site to site vpn in a test lab
http://www.experts-exchange.com/Security/Firewalls/Q_21340331.html

We have now gone live but we cannot see the other end of the VPN.

We are on 192.168.3.x and the remote site is on 192.168.1.x. The VPN tunnel is created and when we type

show cry is sa

Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    x.x.x.25     192.168.6.1    QM_IDLE         0           1


We have plugged the PIX into a Netgear ADSL Router and set the PIX as the DMZ. We get Internet connectivity and everything. The Netgear has a Public WAN Address and then has a private LAN Address, and the outside of the PIX is a private address.
Please help..
0
Comment
Question by:Flexology
19 Comments
 
LVL 9

Accepted Solution

by:
jjoseph_x earned 2000 total points
ID: 13557831
Just to check:

On both ends, the client machines can ping their respective local PIXes?

What are their default gateways?  On both sides, that could be the PIXes (unless you have set up routes).
0
 

Author Comment

by:Flexology
ID: 13557931
Both can ping the inside and outside address of the PIX and the gateway address. The current routes are
outside 0.0.0.0 0.0.0.0 192.168.6.10 1 DHCP static
inside 192.168.3.0 255.255.255.0 192.168.3.1 1 CONNECT static
outside 192.168.6.0 255.255.255.0 192.168.6.1 1 CONNECT static

on the PIX that is 192.168.3.1 inside & 192.168.6.1 outside, connected to an ADSL router with an inside of 192.168.6.10 and an outside of x.x.x116
0
 
LVL 9

Expert Comment

by:jjoseph_x
ID: 13558385
Actually, I meant to ask whether the PIXes are the default gateways for the client computers.
0
 

Author Comment

by:Flexology
ID: 13558421
Yes they have
0
 

Author Comment

by:Flexology
ID: 13558594
I think it's a routing problem and I need to put a route from 192.168.3.0 255.255.255.0 to 192.168.1.0, but when I try to do it, it says route already exists. The outside of the PIX is DHCP from the Netgear ADSL Router.
0
 
LVL 9

Expert Comment

by:jjoseph_x
ID: 13558597
Your configuration looks okay (I looked at the previous question).

I think that the problem might be the route outside statement (outside 192.168.6.0 255.255.255.0 192.168.6.1 1 CONNECT static).

In your case, If the PIXes are the default gateways then you only need the outside 0.0.0.0 0.0.0.0 statement.
0
 

Author Comment

by:Flexology
ID: 13558961
I haven't put any statements in, so this one was created automatically. Shall I just do...

no outside 192.168.6.0 255.255.255.0 192.168.6.1 1 CONNECT static
0
 
LVL 3

Expert Comment

by:j3ggs
ID: 13559524
These PIXes are behind ADSL routers, right? And they have private addresses, which means that they are not visible on the net. Is the ADSL box NATing the PIX outside address?

If so then you will need to set the tunnel endpoints as the outside ADSL address, otherwise how are these boxes going to route to each other, the ADSL box will send your 192.168.x.x outbound, but where do you think the internet first hop is going to send it?

regards

j3ggs
0
 

Author Comment

by:Flexology
ID: 13559658
Yes, it's NATing the PIX address. The end points are set up as the public IP address, e.g. the WAN side of the ADSL router.
0
 

Author Comment

by:Flexology
ID: 13559672
The PIX has an IP of 192.168.3.1 on the inside and 192.168.6.1 on the outside, which is DHCP. The ADSL router LAN is 192.168.6.10 and the WAN is 212.x.x.x as a public IP
0
 
LVL 3

Expert Comment

by:j3ggs
ID: 13559748
cool, sorry just thought I would ask that question.

I am not sure though if it will work as you are NATing the packets as they go out. This would modify the packet, and hence it would be dropped at the other end as the packet has been tampered with....

Check out this link, it explains a way round it (NAT Transparency), though this is for IOS VPN:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html#wp1027129

there is probably a resolution for PIX 501's.

regards

j3ggs

PS apologies if this has already been covered!
0
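To make the NAT point above concrete, here is an added Python check (not code from this thread, from the poster, or from Cisco) that parses the table quoted in the question (`show cry is sa`) and classifies each IKE phase 1 entry: a QM_IDLE row whose src is an RFC 1918 address while dst is not means phase 1 completed through a NAT device, which is exactly the situation j3ggs is warning about. The sample output is constructed from the thread's table, with the masked peer x.x.x.25 replaced by the RFC 5737 documentation address 203.0.113.25; the function and variable names are this example's own.

```python
"""Classify IKE phase 1 SAs from PIX 'show crypto isakmp sa' output.

Added example for this thread, not the PIX's own tooling.  It spots the
situation described in the comment above: IKE negotiates fine through a NAT
device, but the local endpoint address is private, so plain ESP (which has
no port numbers) is rewritten by the NAT and can be dropped by the peer.
"""
import ipaddress

# Constructed sample modelled on the table in the question; the masked peer
# x.x.x.25 is replaced by the RFC 5737 documentation address 203.0.113.25.
SAMPLE_SA_OUTPUT = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    203.0.113.25     192.168.6.1    QM_IDLE         0           1
"""

# Only RFC 1918 space counts as "private" here; ipaddress.is_private would
# also flag the documentation range used for the constructed peer address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def parse_isakmp_sa(text):
    """Return one dict per SA row: dst, src (IPv4Address) and state."""
    sas = []
    in_table = False
    for line in text.splitlines():
        fields = line.split()
        if fields[:2] == ["dst", "src"]:
            in_table = True          # column header precedes the SA rows
            continue
        if in_table and len(fields) >= 3:
            sas.append({
                "dst": ipaddress.ip_address(fields[0]),
                "src": ipaddress.ip_address(fields[1]),
                "state": fields[2],
            })
    return sas


def assess_sa(sa):
    """Return a list of findings for one SA (an empty list means nothing suspicious)."""
    findings = []
    if sa["state"] != "QM_IDLE":
        findings.append(f"phase 1 not complete, state is {sa['state']}")
    if is_rfc1918(sa["src"]) and not is_rfc1918(sa["dst"]):
        findings.append(
            f"local endpoint {sa['src']} is RFC 1918 while the peer {sa['dst']} is not: "
            "a NAT device is in the path; IKE on UDP 500 got through it, but plain ESP "
            "carries no port numbers, so data traffic needs NAT traversal (ESP in UDP 4500) "
            "or a NAT box that explicitly passes IPsec"
        )
    return findings


if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE_SA_OUTPUT):
        print(f"{sa['src']} -> {sa['dst']} [{sa['state']}]")
        for finding in assess_sa(sa):
            print("  !", finding)
```

Run it against a real `show crypto isakmp sa` capture and a QM_IDLE row with a finding is the signature of "tunnel is up but nothing passes": phase 1 is fine, the problem is what happens to ESP after it leaves the PIX.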
 

Author Comment

by:Flexology
ID: 13563003
When I do a route do I need to put in the outside of the PIX or do I need to put the WAN Side of the router

PIX is inside 192.168.3.1 and outside 192.168.6.1
The ADSL Router is LAN 192.168.3.10 & WAN 212.x.x.x

i've put in these routes

        outside 0.0.0.0 0.0.0.0 192.168.6.10 1 DHCP static
        outside 192.168.1.0 255.255.255.0 192.168.6.10 0 OTHER static
        outside 192.168.1.0 255.255.255.0 192.168.6.1 1 OTHER static
        inside 192.168.3.0 255.255.255.0 192.168.3.1 1 CONNECT static
        outside 192.168.6.0 255.255.255.0 192.168.6.1 1 CONNECT static

but still I can't ping 192.168.1.1 (a server) but the VPN tunnel creates itself
0
 

Author Comment

by:Flexology
ID: 13563087
Is it better if I disable NAT on the ADSL router and get a Public IP for the PIX??
0
 
LVL 3

Expert Comment

by:j3ggs
ID: 13563614
Hi There,

In terms of your routes, these seem a little odd.. Surely your ADSL address should be on the same subnet as your pix outside address? - the routes look fine though (sorry)

In terms of NAT, yep, if you put the public address on the ADSL router and get the router to be transparent (this is what I have at home, I have an ADSL modem (NOT router), and it does nothing in terms of IP, it just pumps packets out on to the ADSL network)..... then it will probably all come up. If it was working in a lab environment then you should be able to change outside IPs, change the tunnel endpoints and away you go!

However, you say the tunnel is up? If this is the case, don't try ping as it is blocked by default, try telnet or something else that is permitted.

regards

j3ggs

PS If you post your configs and a little diagram I am sure that would help us all out!!
0
 

Author Comment

by:Flexology
ID: 13563686
My PIX inside address is 192.168.3.1 and its outside address is 192.168.6.1. The PIX outside interface is connected to an ADSL router which has a LAN IP of 192.168.6.10 and the WAN IP is a public address. We are trying to connect our head office which has a PIX also. That inside address is 192.168.1.200 and its outside address is a public WAN IP. Since I last posted we've tried a few things and these are the routes on my PIX

So here, to get to the "Internet" it goes through the following interfaces

192.168.3.1 (PIX Inside)
192.168.6.1 (PIX Outside)
192.168.6.10 (ADSL LAN)
212.x.x.x (ADSL WAN)

In theory, to get to our head office it should (with the VPN up) go through..

192.168.3.1
192.168.6.1
192.168.1.200
192.168.1.x

which i think should be solved by

outside 192.168.1.0 255.255.255.0 192.168.1.200 1 OTHER static at our end

outside 192.168.3.0  255.255.255.0 192.168.3.1 1 OTHER static at the headoffice end

These are the route statements on our PIX

outside 0.0.0.0 0.0.0.0 192.168.6.10 1 DHCP static
outside 192.168.1.0 255.255.255.0 192.168.1.200 1 OTHER static
inside 192.168.3.0 255.255.255.0 192.168.3.1 1 CONNECT static
outside 192.168.6.0 255.255.255.0 192.168.6.1 1 CONNECT static

And these are the routes on the Head Office PIX

outside 0.0.0.0 0.0.0.0 62.173.74.25 1 OTHER static
outside 62.x.x.24 255.255.255.252 62.x.x.26 1 CONNECT static
inside 172.31.0.0 255.255.0.0 192.168.1.254 1 OTHER static
inside 192.168.1.0 255.255.255.0 192.168.1.200 1 CONNECT static
outside 192.168.2.0  255.255.255.0 192.168.2.1 1 OTHER static
outside 192.168.3.0  255.255.255.0 192.168.3.1 1 OTHER static
0
 

Author Comment

by:Flexology
ID: 13563718
Our PIX Config

show config

: Saved
: Written by enable_15 at 10:01:51.483 UTC Thu Mar 17 2005
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname our-office
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.3.48 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-POOL 192.168.3.50-192.168.3.60
pdm location 192.168.3.48 255.255.255.240 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 192.168.1.0 255.255.255.0 192.168.1.200 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 62.x.x.x
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 62.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local VPN-POOL
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxxx.Remote password *****
vpdn enable outside
dhcpd address 192.168.3.2-192.168.3.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:d6d3c6e8c089379b21d2425d94689375

our-office(config)#
0
 

Author Comment

by:Flexology
ID: 13565337
If I do show cry is sa it says the source IP is 192.168.6.1, which is the outside of the PIX here, and its destination is the outside PIX at the head office

So does the VPN initiate and terminate on the outside interface, and therefore what is the next hop gateway..

Is it the inside of the remote site or the outside of the remote site

e.g to route between our network here 192.168.3.0 and the head office network 192.168.1.1
route outside 192.168.1.0 255.255.255.0 192.168.1.200  (192.168.1.200 is the inside of the remote pix)
or
route outside 192.168.1.0 255.255.255.0 x.x.x.x  (x.x.x.x is the outside of the remote pix)

0
 

Author Comment

by:Flexology
ID: 13572955
OK. We have public IPs for the PIXes and have disabled NAT on the router. Just to clarify the routing statements

To connect to the head office (192.168.1.0) from our office we do

route outside 192.168.1.0 255.255.255.0 x.x.x.x 1 (x.x.x.x is our outside address on our pix - public IP)

To connect to the our office (192.168.3.0) from the head office we do

route outside 192.168.3.0 255.255.255.0 y.y.y.y 1 (y.y.y.y is their outside address on the pix - public IP)

I'm confused as to the next hop.. With the tunnel up surely the next hop is their local LAN.... and should the route statement be route inside 192.168.1.0 255.255.255.0 192.168.1.20 1 (192.168.1.20 is their inside interface PIX)
route inside 192.168.3.0 255.255.255.0 192.168.3.1 1 (192.168.3.1 is our inside interface PIX)
0
 

Author Comment

by:Flexology
ID: 13616940
The gateway was wrong. D'oh
0
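The thread ends on "the gateway was wrong", and the wrong gateway is visible in the posted config: `route outside 192.168.1.0 255.255.255.0 192.168.1.200 1` points at the head-office PIX's inside address, which is not a neighbour of this PIX on any interface (it is only reachable through the tunnel that this very route is supposed to feed). The PIX sends tunnel traffic out of the outside interface towards the peer, so the only usable next hop is whatever the outside interface already uses to reach the Internet. Below is an added Python checker, not code from this thread, from the poster, or from Cisco, that parses PIX-style `ip address` and `route` lines and flags any static route whose next hop is not on the subnet of the interface it is bound to, then suggests that interface's default-route gateway. The sample lines are constructed from addresses quoted in the thread; since the real outside address comes from DHCP, the example assumes it is 192.168.6.1/24 and writes it out explicitly. Function and regex names are this example's own.

```python
"""Sanity-check PIX static routes against interface addressing.

Added example for this thread, not Cisco's or the poster's own tooling.  It
replays the mistake the thread ends on: a route for the remote LAN pointed at
the remote PIX's inside address, which is not on-link for this PIX.  Tunnel
traffic leaves the outside interface towards the peer, so the usable next hop
is the outside interface's default gateway.
"""
import ipaddress
import re

# Constructed sample built from the addresses quoted in the thread.  The outside
# address is assumed to be 192.168.6.1/24 (DHCP from the ADSL router), and the
# last route is the one the poster had entered.
SAMPLE_CONFIG = """\
ip address outside 192.168.6.1 255.255.255.0
ip address inside 192.168.3.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.6.10 1
route outside 192.168.1.0 255.255.255.0 192.168.1.200 1
"""

# 'ip address <iface> dhcp setroute' deliberately does not match: the address
# must be known before a route can be checked against it.
IP_RE = re.compile(r"^ip address (\S+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")


def parse_config(text):
    """Return ({iface: IPv4Interface}, [route dicts]) from PIX-style config lines."""
    ifaces, routes = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = IP_RE.match(line)
        if m:
            ifaces[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
            continue
        m = ROUTE_RE.match(line)
        if m:
            iface, net, mask, gw, metric = m.groups()
            routes.append({
                "iface": iface,
                "dest": ipaddress.ip_network(f"{net}/{mask}", strict=False),
                "gw": ipaddress.ip_address(gw),
                "metric": int(metric) if metric else 1,
                "text": line,
            })
    return ifaces, routes


def check_routes(ifaces, routes):
    """Return (route text, problem) pairs for routes whose next hop is not on-link."""
    problems = []
    for r in routes:
        iface = ifaces.get(r["iface"])
        if iface is None:
            problems.append((r["text"], f"interface {r['iface']} has no ip address line"))
        elif r["gw"] not in iface.network:
            problems.append((r["text"],
                             f"next hop {r['gw']} is not on the {r['iface']} subnet {iface.network}"))
    return problems


def suggest_next_hop(routes, iface):
    """Gateway of the default route bound to `iface`, or None if there is none."""
    for r in routes:
        if r["iface"] == iface and r["dest"].prefixlen == 0:
            return r["gw"]
    return None


if __name__ == "__main__":
    ifaces, routes = parse_config(SAMPLE_CONFIG)
    for text, problem in check_routes(ifaces, routes):
        print(f"{text}\n  ! {problem}")
        fallback = suggest_next_hop(routes, text.split()[1])
        if fallback:
            print(f"  use the default gateway of that interface instead: {fallback}")
```

With the config as posted, the checker reports the 192.168.1.200 route and suggests 192.168.6.10. Note that when the default route already leaves the outside interface (as `ip address outside dhcp setroute` arranges), no separate route for the remote LAN is needed at all: the crypto map on the outside interface matches the 192.168.3.0/24 to 192.168.1.0/24 traffic as it exits, which is what jjoseph_x meant by "you only need the outside 0.0.0.0 0.0.0.0 statement".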
