PIX 501 to 506 VPN tunnel outside VPN clients have no access

Posted on 2005-04-14
Last Modified: 2013-11-16
Hey everyone, this is my first post here. I'm having problems with the setup on a PIX 506 firewall. I'm not really a firewall guy, so bear with me. I have set up a site-to-site VPN tunnel from our remote office to our main office. The remote office is running a PIX 501, and the PIX 506 is at the main office. There are no problems with the tunnel. The problem lies in remote PPTP access. Before I set the tunnel up we were able to VPN into the network via PPTP connections. Ever since the tunnel was set up, however, the PPTP clients can connect to the main office, but once they're connected to the 506 they cannot access anything. Here is the config for the PIX 506 at the main office. I know this config needs cleaning up, so sorry for the mess. Oh, and yes, we are using 206.122.205.0/24 as our internal NAT IP range. We also have a second router (Cisco 806) behind the firewall, just FYI in case any of the IP routing seems confusing. This is done because we need to route to an EDS Cisco 2500 router in our building for access to our mainframe.

_________________________________________________________________________________________________________
PIX Version 6.3(2)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************ encrypted
passwd ************ encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol smtp 110
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service TermServ tcp
  port-object range 3389 3389
object-group network MetroStar
  description MetroStar Systems Group
  network-object MetroStar 255.255.255.255
access-list mail permit icmp any any
access-list outside_cryptomap_1 permit ip 206.122.205.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inbound permit icmp any any
access-list inbound permit ip 10.254.254.0 255.255.255.0 any
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq 1099
access-list inbound permit tcp host MetroStar interface outside eq ftp
access-list inbound permit tcp host MetroStar interface outside eq telnet
access-list inbound permit tcp any host 208.255.180.131 eq smtp
access-list inbound permit tcp any host 208.255.180.130 eq www
access-list inbound permit tcp any host 208.255.180.134 eq https
access-list 102 permit ip 206.122.205.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list 102 permit ip 206.122.205.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 101 permit ip 206.122.205.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 206.122.205.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.254.254.0 255.255.255.0
pager lines 24
logging timestamp
logging trap critical
logging history critical
mtu outside 1500
mtu inside 1500
ip address outside 208.255.180.130 255.255.255.192
ip address inside 192.168.0.20 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp 10.254.254.2-10.254.254.253
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www web www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1099 web 1099 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https web https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp web ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.255.180.134 https BizTalk_Server https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet EDS telnet netmask 255.255.255.255 0 0
static (inside,outside) 208.255.180.131 Spam_Server netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 208.255.180.129 1
route inside 206.122.205.0 255.255.255.0 192.168.0.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http 206.122.205.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
auth-prompt prompt prompt|accept "Welcome"
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto ipsec transform-set toyota esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address outside_cryptomap_1
crypto map transam 1 set peer 12.172.54.25
crypto map transam 1 set transform-set chevelle
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 101
crypto map bmw 1 set peer 63.89.24.213
crypto map bmw 1 set transform-set toyota
crypto map bmw interface outside
isakmp enable outside
isakmp key ******** address 63.89.24.213 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 206.122.205.51 255.255.255.255 inside
telnet 206.122.205.126 255.255.255.255 inside
telnet 206.122.205.172 255.255.255.255 inside
telnet 206.122.205.0 255.255.255.0 inside
telnet 206.122.205.150 255.255.255.255 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh 206.122.205.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username webtrends password *********
vpdn username aafmaa password *********
vpdn username wlincoln password *********
vpdn enable outside
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
terminal width 80
Cryptochecksum:3ccc9fdcca71688c4367c63eaab4f693
: end
_________________________________________________

Thanks again guys.  I found a topic on here where the person was having a similar issue, but I still seem to be missing something.
Question by:horuscg

Author Comment

by:horuscg
ID: 13783633
Bump. :(
Accepted Solution

by: lrmoore (earned 2000 total points)
ID: 13790065
One problem that you have is that you now have two separate processes using the same ACL:

access-list 101 permit ip 206.122.205.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 206.122.205.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.254.254.0 255.255.255.0
nat (inside) 0 access-list 101  <== NAT
crypto map bmw 1 match address 101 <== and CRYPTO MAP

Suggest the following, assuming that 192.168.2.0 is the far end LAN over the site-site VPN tunnel:
Keep access-list 101 as is.

access-list 103 permit ip 206.122.205.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map bmw 1 match address 103
Re-apply the crypto map any time you make changes to it:
crypto map bmw interface outside
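As an added illustration (not part of the original thread), this Python model parses the ACL lines quoted above in PIX syntax and applies them the way the answer describes: once as the nat 0 exemption list and once as the crypto map match list. ACL 103 is the replacement lrmoore suggests; the inside host 206.122.205.10 and the PPTP client address 10.254.254.5 are constructed sample values.

```python
import ipaddress

# ACL text as it appears in the thread (constructed copy for this model).
ACL_101 = """
access-list 101 permit ip 206.122.205.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 206.122.205.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.254.254.0 255.255.255.0
"""
ACL_103 = """
access-list 103 permit ip 206.122.205.0 255.255.255.0 192.168.2.0 255.255.255.0
"""


def parse_acl(text):
    """Parse 'access-list NAME permit ip SRC MASK DST MASK' lines into (src, dst) networks.
    Only the plain ip-to-ip permit form used in the thread is modelled."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[2] != "permit" or parts[3] != "ip":
            continue
        src = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
        dst = ipaddress.ip_network(f"{parts[6]}/{parts[7]}", strict=False)
        entries.append((src, dst))
    return entries


def matches(acl, src_ip, dst_ip):
    """True if any permit entry covers the src -> dst flow."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acl)


def classify(nat0_acl, crypto_acl, src_ip, dst_ip):
    """Model the two lookups the PIX performs on an inside -> outside flow:
    nat 0 exemption (keep the real address, no PAT) and crypto map match
    (the flow is 'interesting traffic' and is pushed into the IPsec tunnel)."""
    return {
        "nat_exempt": matches(nat0_acl, src_ip, dst_ip),
        "into_tunnel": matches(crypto_acl, src_ip, dst_ip),
    }


if __name__ == "__main__":
    # Reply from an inside host to a PPTP client, before and after the suggested change.
    print("shared 101:", classify(parse_acl(ACL_101), parse_acl(ACL_101), "206.122.205.10", "10.254.254.5"))
    print("split 103: ", classify(parse_acl(ACL_101), parse_acl(ACL_103), "206.122.205.10", "10.254.254.5"))
```

With ACL 101 on both processes, a reply to a PPTP client is classed as tunnel traffic for the site-to-site peer; with ACL 103 as the crypto match list it stays NAT-exempt but is no longer tunneled, while traffic to 192.168.2.0/24 is unchanged.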
Expert Comment

by:lrmoore
ID: 14354277
Are you still working on this?
Have you found a solution?
Do you need more information?

This question will be classified as abandoned soon if we don't get some feedback from you.

Can you close out this question? See here for details:
http://www.experts-exchange.com/help.jsp#hs5

Thanks for your attention!