Chuck Finly asked:
Access VPN Tunnel

I have established a VPN tunnel between our two facilities and I'm unable to figure out how to access that tunnel.  In my main building I have a Cisco Pix Firewall 506e with a T1 connection on one domain, and the other facility has a 501 Pix Firewall with ADSL on another domain.  In both facilities we are using Windows Server 2003.  I have been doing some investigation and I'm wondering if I need to install ISA on the servers, which are both domain controllers.  I can't figure out how to access the tunnel to send data back and forth.  Does anyone have any ideas?  I can post both firewall configurations if needed.
Technicon-SG:

Sounds like you are not advertising the routes...Try a traceroute to the other network and see if the traffic is bound to the PIX.  If not we might have some work to do :-)
Chuck Finly (asker):

OK, tried the tracert command to the other server and nothing came back.
Can you post the IP addresses for your network?  The machines cannot be on the same subnet...ie...

Lan in site 1 - 10.1.1.x/255.255.255.0
Lan in site 2 - 10.1.1.x/255.255.255.0

If this is the case the 2 sites will not be able to route to each other.  The Lans need to be on different subnets...ie...

Lan in site 1 - 10.1.1.X/255.255.255.0
Lan in site 2 - 10.1.2.x/255.255.255.0
And perhaps a diagram...
You don't need ISA to have the VPN tunnel work, and if you also use the PIX at each site for Internet access, you need to have a proper access-list and nat (inside) 0 at both sides; once your traffic matches the access-list, that will actually trigger the tunnel setup. I suspect you are missing something here. If you like, post your configuration here and we'll see how we can help.
The network IP's are as follows:
Main Facility - 192.9.200.0 255.255.255.0
Second Facility - 192.9.201.0 255.255.255.0

Main Facility uses pix firewall 506 with inside interface 192.9.200.0 and the gateway is 192.9.200.1

Second Facility uses pix firewall 501 with inside interface 192.9.201.0 and the gateway is 192.9.201.250

Configuration for main facility on the 506 pix:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password OVSo.acKpmVsziLD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.9.201.0 Centerline
access-list inside_outbound_nat0_acl permit ip 192.9.200.0 255.255.255.0 Centerline 255.255.255.0
access-list inbound permit tcp any host 207.148.204.46 eq pptp
access-list inbound permit gre any host 207.148.204.46
access-list inbound permit tcp any host 207.148.204.45 eq 3389
access-list inbound permit tcp any host 207.148.204.42 eq 3389
access-list outside_access_in permit gre any host 207.148.204.46
access-list outside_access_in permit tcp any host 207.148.204.46 eq pptp
access-list outside_access_in permit gre any host 207.148.204.42
access-list outside_access_in permit tcp any host 207.148.204.42 eq pptp
access-list outside_access_in permit tcp any host 207.148.204.46 eq ftp
access-list outside_cryptomap_20 permit ip 192.9.200.0 255.255.255.0 Centerline 255.255.255.0
access-list inside_nat0_outbound permit ip 192.9.200.0 255.255.255.0 Centerline 255.255.255.0
pager lines 24
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 207.148.204.42 255.255.255.248
ip address inside 192.9.200.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.9.200.66 255.255.255.255 inside
pdm location 192.9.200.82 255.255.255.255 inside
pdm location 192.9.200.99 255.255.255.255 inside
pdm location 192.9.200.100 255.255.255.255 inside
pdm location Centerline 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.9.200.66 255.255.255.255 0 0
nat (inside) 1 192.9.200.0 255.255.255.0 0 0
static (inside,outside) tcp interface 3389 192.9.200.66 3389 netmask 255.255.255.255 0 0
static (inside,outside) 207.148.204.45 192.9.200.82 netmask 255.255.255.255 0 0
static (inside,outside) 207.148.204.46 192.9.200.100 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.148.204.41 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.9.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 68.21.61.28
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto map inside_map interface inside
isakmp enable outside
isakmp key ******** address 68.21.61.28 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.9.200.1 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd address 192.9.200.20-192.9.200.98 inside
dhcpd dns 207.148.192.11 207.148.192.12
dhcpd lease 3600
dhcpd ping_timeout 750
username admin password LcpMPJoC7XEXTM5v encrypted privilege 15
username gary1355 password pm6J2WE6UM5K7Dgn encrypted privilege 15
vpnclient server 68.21.61.28
vpnclient mode network-extension-mode
vpnclient vpngroup true password ********
vpnclient username true password ********
terminal width 80
Cryptochecksum:5c16883a4bf1b87a98391f843e475171
: end

Second Facility Configuration:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.9.200.0 True
name 192.9.201.76 FTP-WWW_Server
access-list outside_access_in permit tcp any host 10.10.10.3 eq pptp
access-list outside_access_in permit gre any host 10.10.10.3
access-list outside_access_in permit tcp any host 10.10.10.4 eq ftp
access-list outside_access_in permit tcp any host 10.10.10.4 eq www
access-list inbound permit tcp any host 10.10.10.3 eq pptp
access-list inbound permit gre any host 10.10.10.3
access-list inside_outbound_nat0_acl permit ip 192.9.201.0 255.255.255.0 True 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.9.201.0 255.255.255.0 True 255.255.255.0
access-list inside_nat0_outbound permit ip 192.9.201.0 255.255.255.0 True 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.2 255.255.255.0
ip address inside 192.9.201.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.9.201.1 255.255.255.255 inside
pdm location 192.9.201.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.9.201.200 255.255.255.255 inside
pdm location True 255.255.255.0 outside
pdm location 207.148.204.42 255.255.255.255 outside
pdm location 207.148.204.43 255.255.255.255 outside
pdm location FTP-WWW_Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.10.10.3 192.9.201.200 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.10.4 FTP-WWW_Server netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 192.9.201.250 255.255.255.255 207.148.204.42 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.9.201.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 207.148.204.42
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto map inside_map interface inside
isakmp enable outside
isakmp key ******** address 207.148.204.42 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.9.201.60-192.9.201.100 inside
dhcpd dns 4.2.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
vpnclient server 207.148.204.42
vpnclient mode network-extension-mode
vpnclient vpngroup TRUE-CDE password ********
vpnclient username administrator password ********
vpnclient management tunnel 207.148.204.42 255.255.255.255
terminal width 80
Cryptochecksum:082014a5b3ac9f56808c5408aac4c256
: end
Les Moore:
Can you post result of these PIX commands:
sho cry is sa
sho cry ip sa

And result of "C:\>route print" from one PC at Centerline and one PC at True

>I have been doing some investigation and I'm wondering if I need to install ISA to the servers which both are domain controllers.
Absolutely should not be necessary

This is the pix results from True (Main Facility):

Result of firewall command: "sho cry is sa"
 
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
  207.148.204.42      68.21.61.28    QM_IDLE         0           0

Result of firewall command: "sho cry ip sa"
 
interface: outside
    Crypto map tag: outside_map, local addr. 207.148.204.42
   local  ident (addr/mask/prot/port): (192.9.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (Centerline/255.255.255.0/0/0)
   current_peer: 68.21.61.28:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 16614, #pkts encrypt: 16614, #pkts digest 16614
    #pkts decaps: 1185, #pkts decrypt: 1185, #pkts verify 1185
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 297, #recv errors 0
     local crypto endpt.: 207.148.204.42, remote crypto endpt.: 68.21.61.28
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: abe8e346
     inbound esp sas:
      spi: 0xb0b18dd9(2964426201)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4608000/15308)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xabe8e346(2884166470)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607994/15308)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
interface: inside
    Crypto map tag: inside_map, local addr. 192.9.200.1

The pix results from Centerline:

Result of firewall command: "show cry is sa"
 
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
  207.148.204.42       10.10.10.2    QM_IDLE         0           0

Result of firewall command: "show cry ip sa"
 
interface: outside
    Crypto map tag: outside_map, local addr. 10.10.10.2
   local  ident (addr/mask/prot/port): (192.9.201.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (True/255.255.255.0/0/0)
   current_peer: 207.148.204.42:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1135, #pkts encrypt: 1135, #pkts digest 1135
    #pkts decaps: 5114, #pkts decrypt: 5114, #pkts verify 5114
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 10.10.10.2, remote crypto endpt.: 207.148.204.42
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: b0b18dd9
     inbound esp sas:
      spi: 0xabe8e346(2884166470)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607993/15157)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xb0b18dd9(2964426201)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4608000/15157)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
interface: inside
    Crypto map tag: inside_map, local addr. 192.9.201.250

print route from True side:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 61 96 de 17 ...... Marvell Yukon Gigabit Ethernet 10/100/1000Base-T
 Adapter, Copper RJ-45 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.9.200.1    192.9.200.66       10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.9.200.0    255.255.255.0     192.9.200.66    192.9.200.66       10
     192.9.200.66  255.255.255.255        127.0.0.1       127.0.0.1       10
    192.9.200.255  255.255.255.255     192.9.200.66    192.9.200.66       10
      192.9.201.0    255.255.255.0    192.9.200.160    192.9.200.66       1
   207.148.204.41  255.255.255.255      192.9.200.1    192.9.200.66       1
        224.0.0.0        240.0.0.0     192.9.200.66    192.9.200.66       10
  255.255.255.255  255.255.255.255     192.9.200.66    192.9.200.66       1
Default Gateway:       192.9.200.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
   207.148.204.41  255.255.255.255      192.9.200.1       1
      192.9.201.0    255.255.255.0    192.9.200.160       1

Print route from Centerline side:

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 11 43 58 a9 87 ...... Intel(R) PRO/1000 XT Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.9.201.250    192.9.201.200     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.9.200.0    255.255.255.0    192.9.201.160    192.9.201.200      1
    192.9.200.101  255.255.255.255    192.9.201.160    192.9.201.200      1
      192.9.201.0    255.255.255.0    192.9.201.200    192.9.201.200     20
    192.9.201.200  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.9.201.255  255.255.255.255    192.9.201.200    192.9.201.200     20
        224.0.0.0        240.0.0.0    192.9.201.200    192.9.201.200     20
  255.255.255.255  255.255.255.255    192.9.201.200    192.9.201.200      1
Default Gateway:     192.9.201.250
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      192.9.200.0    255.255.255.0    192.9.201.160       1


As you can see we currently have a persistent route to each facility.  That route is a fractional T1 line that is between both buildings.  The fractional line is what I'm trying to replace.
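The two route-print listings above contain the detail that decides whether the tunnel is ever used: each server carries a route to the other site's LAN (192.9.201.0/24 via 192.9.200.160 on the True side, 192.9.200.0/24 via 192.9.201.160 on the Centerline side) whose next hop is not the PIX default gateway, so traffic for the far LAN never reaches the firewall and never matches the crypto ACL. The Python script below is an added example, not part of the thread; it parses Windows `route print` output and flags any route toward a given remote LAN whose gateway differs from the default gateway, then produces the `route delete` commands that would remove it. The sample text is constructed in the same format as the listings above, reusing the thread's addresses (LAN 192.9.200.0/24, PIX 192.9.200.1, remote LAN 192.9.201.0/24, hop 192.9.200.160); the interface and metric values are made up.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of Windows "route print" (not the asker's real
# output); addresses follow the thread, metrics and columns are made up.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.9.200.1    192.9.200.66       10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.9.200.0    255.255.255.0     192.9.200.66    192.9.200.66       10
      192.9.201.0    255.255.255.0    192.9.200.160    192.9.200.66       1
   207.148.204.41  255.255.255.255      192.9.200.1    192.9.200.66       1
Default Gateway:       192.9.200.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
   207.148.204.41  255.255.255.255      192.9.200.1       1
      192.9.201.0    255.255.255.0    192.9.200.160       1
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Active rows: destination, netmask, gateway, interface, metric
ACTIVE_RE = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+{IP}\s+(\d+)\s*$")
# Persistent rows: destination, netmask, gateway, metric
PERSIST_RE = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+(\d+)\s*$")


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    persistent: bool


def parse_route_print(text: str) -> Tuple[List[Route], Optional[ipaddress.IPv4Address]]:
    """Parse both the Active and Persistent sections plus the default gateway."""
    routes: List[Route] = []
    default_gw: Optional[ipaddress.IPv4Address] = None
    section = None
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            section = "active"
        elif line.startswith("Persistent Routes:"):
            section = "persistent"
        elif line.startswith("Default Gateway:"):
            default_gw = ipaddress.ip_address(line.split(":", 1)[1].strip())
        elif section == "active" and (m := ACTIVE_RE.match(line)):
            routes.append(Route(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False),
                                ipaddress.ip_address(m[3]), False))
        elif section == "persistent" and (m := PERSIST_RE.match(line)):
            routes.append(Route(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False),
                                ipaddress.ip_address(m[3]), True))
    return routes, default_gw


def find_bypass_routes(text: str, remote_lan: str) -> List[Tuple[str, str, str]]:
    """Routes toward remote_lan whose next hop is not the default gateway; such a
    route steers traffic away from the PIX, so the crypto ACL never sees it."""
    routes, default_gw = parse_route_print(text)
    remote = ipaddress.ip_network(remote_lan)
    hits = []
    for r in routes:
        if r.network.prefixlen == 0:      # the default route itself is not a bypass
            continue
        if r.network.overlaps(remote) and r.gateway != default_gw:
            hits.append((str(r.network), str(r.gateway),
                         "persistent" if r.persistent else "active"))
    return hits


def remediation_commands(hits: List[Tuple[str, str, str]]) -> List[str]:
    """Windows 'route delete' lines, one per distinct (network, gateway) pair."""
    cmds: List[str] = []
    for net, gw, _ in hits:
        n = ipaddress.ip_network(net)
        cmd = f"route delete {n.network_address} mask {n.netmask} {gw}"
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    found = find_bypass_routes(SAMPLE_ROUTE_PRINT, "192.9.201.0/24")
    for net, gw, kind in found:
        print(f"{kind}: {net} via {gw} bypasses the default gateway")
    for cmd in remediation_commands(found):
        print(cmd)
```

Run against the Centerline listing with `remote_lan="192.9.200.0/24"` the same logic flags the 192.9.201.160 route. Once the bypass routes are gone, the host's only path to the far LAN is the default gateway, the PIX, which is where the `outside_cryptomap_20` match happens.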


ASKER CERTIFIED SOLUTION
Les Moore:
"As you can see we currently have a persistent route to each facility.  That route is a fractional T1 line that is between both buildings.  The fractional line is what I'm trying to replace."
-VPN traffic should be handled by the PIX, not your servers; all those persistent routes between 192.9.200.0 and 192.9.200.0 should be removed from those servers. Servers use the PIX as their default gateway, which in turn handles the VPN tunnel and passes traffic by triggering the access-list: crypto encrypts traffic that matches ACL outside_cryptomap_20. You also defined no NAT for all your VPN traffic, so you should be good to go.
...
access-list inside_nat0_outbound permit ip 192.9.200.0 255.255.255.0 Centerline 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.9.200.0 255.255.255.0 Centerline 255.255.255.0
...
nat (inside) 0 access-list inside_nat0_outbound
...
crypto map outside_map 20 match address outside_cryptomap_20
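The accepted answer rests on three things agreeing in the PIX configs: the crypto map's `match address` ACL (which triggers the tunnel), the `nat (inside) 0` ACL (which keeps that traffic from being translated), and the two sites' crypto ACLs being mirror images of each other. The Python script below is an added example, not code from the thread or from Cisco; it parses constructed PIX 6.3-style fragments (RFC 5737 addresses, names and ISAKMP settings made up, not the asker's configs) and reports any of those three conditions that fail. It also flags `isakmp policy` parameters that are now regarded as weak (des, md5, group 1), which the thread's configs happen to use, and treats a peer address that differs from the other PIX's outside address as informational only, since a PIX behind a NAT router (the 501 here has outside 10.10.10.2 while the 506 peers with 68.21.61.28) legitimately shows exactly that.

```python
from typing import Dict, List, Tuple

# Constructed PIX 6.3-style fragments for two sites. Command forms follow the
# thread; addresses, aliases and policy values are made up for this example.
SITE_A = """\
name 192.9.201.0 Remote
ip address outside 203.0.113.10 255.255.255.248
ip address inside 192.9.200.1 255.255.255.0
access-list inside_nat0_outbound permit ip 192.9.200.0 255.255.255.0 Remote 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.9.200.0 255.255.255.0 Remote 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 198.51.100.20
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""
SITE_B = """\
name 192.9.200.0 Main
ip address outside 198.51.100.20 255.255.255.0
ip address inside 192.9.201.250 255.255.255.0
access-list inside_nat0_outbound permit ip 192.9.201.0 255.255.255.0 Main 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.9.201.0 255.255.255.0 Main 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.10
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""

Entry = Tuple[str, str, str, str]            # (src, src_mask, dst, dst_mask)
WEAK_ISAKMP = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}


def parse_pix(text: str) -> Dict[str, object]:
    """Extract the statements that decide whether a LAN-to-LAN tunnel can form:
    name aliases, 'permit ip' ACL entries, nat 0, crypto map match/peer, isakmp policy."""
    names: Dict[str, str] = {}
    acls: Dict[str, List[Entry]] = {}
    isakmp: Dict[str, Dict[str, str]] = {}
    cfg: Dict[str, object] = {"nat0_acl": None, "crypto_acl": None, "peer": None,
                              "outside": None, "acls": acls, "isakmp": isakmp}

    def resolve(tok: str) -> str:            # expand 'name <ip> <alias>' aliases
        return names.get(tok, tok)

    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append((resolve(t[4]), t[5], resolve(t[6]), t[7]))
        elif t[:2] == ["ip", "address"]:
            cfg[t[2]] = t[3]                 # interface name -> address
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0_acl"] = t[4]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["crypto_acl"] = t[6]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            cfg["peer"] = t[6]
        elif t[:2] == ["isakmp", "policy"]:
            isakmp.setdefault(t[2], {})[t[3]] = t[4]
    return cfg


def check_site(cfg: Dict[str, object], label: str) -> List[str]:
    """Per-site checks: crypto ACL present, exempted from NAT, IKE parameters not weak."""
    findings: List[str] = []
    acls = cfg["acls"]
    crypto = acls.get(cfg["crypto_acl"], [])
    nat0 = acls.get(cfg["nat0_acl"], [])
    if not crypto:
        findings.append(f"{label}: no crypto map 'match address' ACL, nothing can trigger the tunnel")
    for e in crypto:
        if e not in nat0:
            findings.append(f"{label}: crypto ACL entry {e} is missing from the nat (inside) 0 ACL, so it would be NATed")
    for pol, params in cfg["isakmp"].items():
        for k, weak in WEAK_ISAKMP.items():
            if params.get(k) in weak:
                findings.append(f"{label}: isakmp policy {pol} uses weak {k} {params[k]}")
    return findings


def check_pair(a: Dict[str, object], b: Dict[str, object],
               la: str = "site A", lb: str = "site B") -> List[str]:
    """Cross-site checks: crypto ACLs mirror each other and peers point at each other."""
    findings = check_site(a, la) + check_site(b, lb)
    for x, y, lx, ly in ((a, b, la, lb), (b, a, lb, la)):
        mirror = {(d, dm, s, sm) for (s, sm, d, dm) in y["acls"].get(y["crypto_acl"], [])}
        for e in x["acls"].get(x["crypto_acl"], []):
            if e not in mirror:
                findings.append(f"{lx}: crypto ACL entry {e} has no mirror-image entry on {ly}")
        if x["peer"] != y["outside"]:
            findings.append(f"{lx}: peer {x['peer']} is not {ly}'s outside address {y['outside']} "
                            "(expected only if that PIX sits behind a NAT router)")
    return findings


if __name__ == "__main__":
    for f in check_pair(parse_pix(SITE_A), parse_pix(SITE_B), "Main", "Remote"):
        print(f)
```

On the constructed pair the only findings are the three weak ISAKMP parameters on the first site; deleting the `nat (inside) 0` line from either fragment makes the script report that the crypto ACL traffic would be translated before encryption, which is the mismatch the answer above warns about.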
Thank you for all of your help, as soon as I removed the persistent routes everything started to work.  Again, Thank you.