Doogienz
asked on
Cisco VPN Client to PIX 501 Behind NAT Router
I have a PIX 501 behind a Linksys AG241 (ADSL2 capable ADSL router). I've had no problems in the past configuring remote VPN access but this one seems above me and the other Cisco guy at work, so here it is. Basically the Router is set to forward all appropriate ports to the PIX, 500 etc, and IP Sec passthrough is enabled on the Linksys.
Incoming and outgoing works 100% for the local lan. But the remote VPN is not working correctly at all, are able to connect and authenticate, sh cry is sa shows a correct connection and everything seems to be correct... but can't ping anything nor connect to any service behind the pix, although am able to ping everything from the PIX.
Very basic config, this pix as stated is behind a LInksys Router, its internal interface is 172.16.10.254 (gateway for outside pix interface). Here's the configuration.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********* encrypted
passwd ******* encrypted
hostname someplace
domain-name somedomain.com
clock timezone NZST 12
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list investdev_splitTunnelAcl permit ip 10.65.26.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 10.65.26.0 255.255.255.0 10.65.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.65.26.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
pager lines 24
logging on
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 172.16.10.1 255.255.255.0
ip address inside 10.65.26.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnusers 192.168.10.1-192.168.10.25
pdm location 10.65.26.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.10.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
ntp server 203.97.100.254 source outside
http server enable
http 10.65.26.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup investdev address-pool vpnusers
vpngroup investdev dns-server 202.27.184.5 203.96.152.4
vpngroup investdev default-domain somedomain.co.nz
vpngroup investdev split-tunnel investdev_splitTunnelAcl
vpngroup investdev idle-time 1800
vpngroup investdev password ********
telnet 10.65.26.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username dgenus password 7AbYD.pMG1LnXte/ encrypted privilege 15
username Invesdev password OIjEF4wI3mIklXLR encrypted privilege 5
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Hope that's enough info.. more can be provided.
Incoming and outgoing works 100% for the local lan. But the remote VPN is not working correctly at all, are able to connect and authenticate, sh cry is sa shows a correct connection and everything seems to be correct... but can't ping anything nor connect to any service behind the pix, although am able to ping everything from the PIX.
Very basic config, this pix as stated is behind a LInksys Router, its internal interface is 172.16.10.254 (gateway for outside pix interface). Here's the configuration.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********* encrypted
passwd ******* encrypted
hostname someplace
domain-name somedomain.com
clock timezone NZST 12
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list investdev_splitTunnelAcl permit ip 10.65.26.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 10.65.26.0 255.255.255.0 10.65.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.65.26.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
pager lines 24
logging on
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 172.16.10.1 255.255.255.0
ip address inside 10.65.26.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnusers 192.168.10.1-192.168.10.25
pdm location 10.65.26.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.10.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
ntp server 203.97.100.254 source outside
http server enable
http 10.65.26.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup investdev address-pool vpnusers
vpngroup investdev dns-server 202.27.184.5 203.96.152.4
vpngroup investdev default-domain somedomain.co.nz
vpngroup investdev split-tunnel investdev_splitTunnelAcl
vpngroup investdev idle-time 1800
vpngroup investdev password ********
telnet 10.65.26.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username dgenus password 7AbYD.pMG1LnXte/ encrypted privilege 15
username Invesdev password OIjEF4wI3mIklXLR encrypted privilege 5
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Hope that's enough info.. more can be provided.
So VPN Client users can connect, but then can't do anything?
The PIX config looks OK..
One question - What is the internal LAN hosts' default gateway? Is it the PIX inside ip?
ip address inside 10.65.26.1 255.255.255.0
The PIX config looks OK..
One question - What is the internal LAN hosts' default gateway? Is it the PIX inside ip?
ip address inside 10.65.26.1 255.255.255.0
ASKER
Correct.. all hosts use the inside interface 10.65.26.1 as the gateway. You can connect via vpn, but then nada... can't ping anything, can't ping the vpn user either from internal.
>can't ping the vpn user either from internal.
That's expected. The VPN client has a built-in firewall that is enabled whenever the VPN is active.
Try this:
no access-list investdev_splitTunnelAcl permit ip 10.65.26.0 255.255.255.0 any
no vpngroup investdev split-tunnel investdev_splitTunnelAcl
access-list splitTunnelAcl permit ip 10.65.26.0 255.255.255.0 192.168.10.0 255.255.255.0
vpngroup investdev split-tunnel splitTunnelAcl
That's expected. The VPN client has a built-in firewall that is enabled whenever the VPN is active.
Try this:
no access-list investdev_splitTunnelAcl permit ip 10.65.26.0 255.255.255.0 any
no vpngroup investdev split-tunnel investdev_splitTunnelAcl
access-list splitTunnelAcl permit ip 10.65.26.0 255.255.255.0 192.168.10.0 255.255.255.0
vpngroup investdev split-tunnel splitTunnelAcl
ASKER
Okay, more success... can ping internal hosts, can telnet to ports on exchange server and get responses, but Outlook and RDP refuse to connect. What's the best way to debug on a PIX what's happening here??
Netbios Name resolution for Outlook. Try using an LMHOSTS file for Outlook. Just need the two DC entries and the mailserver entry..
How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues
http://support.microsoft.com/support/kb/articles/Q180/0/94.ASP
For RDP are you connecting by hostname or by IP address?
How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues
http://support.microsoft.com/support/kb/articles/Q180/0/94.ASP
For RDP are you connecting by hostname or by IP address?
ASKER
RDP is by IP. We've also tried using outlook via IP to the exchange server as well. Yet to get remote user to try LMHOSTS, will do that asap.
Exchange/Outlook combo has some legacy dependencies on NetBios.
RDP "should" work by IP. There is nothing in the PIX that will prevent it. Your config is almost identical to mine and I have no problems whatsover using RDP, and I "had" to use LMHOSTS file for Exchange.
One alternative might be to have the user set the client for "enable start before logon" on the client. This requires that the workstation be joined to the domain first.
Is this client XP / SP2? What version client? SP2 requires 4.05 or 4.6 client..
RDP "should" work by IP. There is nothing in the PIX that will prevent it. Your config is almost identical to mine and I have no problems whatsover using RDP, and I "had" to use LMHOSTS file for Exchange.
One alternative might be to have the user set the client for "enable start before logon" on the client. This requires that the workstation be joined to the domain first.
Is this client XP / SP2? What version client? SP2 requires 4.05 or 4.6 client..
ASKER
Okay, no problems. Client is XP SP2/1 (tried on multiple machines from different locations). Both using 4.0.5 client. This is frustrating as hell cause I've gone through all the hoops and a near identical config works on eight other pixes I've configured. Including another setup behind a NAT router.
Have you tried putting the PIX IP in as the DMZ host on the Linksys ?
ASKER
No haven't as of yet. We're actually going to try putting in another router or two to verify that isn't the cause of the issues. We don't think it is as we've disabled everything and fairly much everything is forwarded, and everything works correctly in that aspect.
Will give that a try.
Will give that a try.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks, that last answer was the 'win' :D
All going thanks to all who participated, I'd never used that command before, and have done a couple of similar installs that had worked.
Just this one decided not too.
All going thanks to all who participated, I'd never used that command before, and have done a couple of similar installs that had worked.
Just this one decided not too.
thanks artthegeek, I was having the same problem but found this solution which fixed it :)
happy to help :)
Assuming you have two site-to-site VPN tunnels from this PIX, one to 10.65.10.0/24, other one for 192.168.10.0/24 and you also have ACLs for those two remote sites:
access-list inside_outbound_nat0_acl permit ip 10.65.26.0 255.255.255.0 10.65.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.65.26.0 255.255.255.0 192.168.10.0 255.255.255.0
But I don't see anythere in this PIX config that you are refering to, try to put these in:
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address inside_outbound_nat0_acl
crypto map outside_map 10 set peer <10.10.65.10.0 network's external IP>
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address inside_outbound_nat0_acl
crypto map outside_map 20 set peer <192.168.10.0 network's external IP>
crypto map outside_map 20 set transform-set ESP-3DES-MD5
If you just want to provide users from other two location a VPN access (not site-to-site VPN), then the configure would be a little different but similar, either way you need to trigger the VPN by refering those ACLs.