Solved

Pix 515e to Cisco soho 91 VPN problems

Posted on 2005-05-10
Last Modified: 2010-08-05
Hi,

I hope someone can help me with this most vexing problem.

I am trying to create a VPN from a SOHO 91 to a PIX 515e using the following config:

SOHO 91:


Router#show run
Building configuration...

Current configuration : 1752 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
ip subnet-zero
ip name-server 192.168.254.254
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   lease 0 2
!
partition flash 2 6 2
!

crypto isakmp key nw hostname HOSTNAME
!
crypto isakmp client configuration group crws-client
 acl 199
!
crypto isakmp peer address X.X.X.X
 set aggressive-mode password nw
 set aggressive-mode client-endpoint fqdn HOSTNAME
!
!
!
!
!
crypto ipsec client ezvpn crws-client
 connect auto
 group nw key nw
 mode client
 peer HOSTNAME
!
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 no cdp enable
 crypto ipsec client ezvpn crws-client inside
 hold-queue 32 in
!
interface Ethernet1
 ip address dhcp client-id Ethernet1
 duplex auto
 no cdp enable
 crypto ipsec client ezvpn crws-client
!
ip classless
ip http server
no ip http secure-server
!
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 199 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
 speed 115200
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end

Router#


I am new to this and have had to set up aggressive mode to even make the crypto tunnel come up. When the 'show crypto isakmp sa' command is issued, it shows 'QM_IDLE' for the remote peer, but I cannot communicate with the remote network in any way.

If I set up Cisco VPN client v4.6.00.00.45 on a local machine, then that can ping the remote network with no problems.

PIX CONFIG:

Result of firewall command: "sh conf"
 
: Saved
: Written by enable_15 at 20:31:24.277 UTC Mon May 9 2005
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXX encrypted
hostname pix
domain-name example.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list outside_access_in permit udp any interface outside eq domain log
access-list outside_access_in permit tcp any interface outside eq 3389 log
access-list outside_access_in permit tcp any host xxx.xxx.xxx.xxx eq smtp log
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in deny tcp any any
access-list inside_access_in permit tcp host 192.168.2.1 any eq smtp log
access-list inside_access_in deny tcp 192.168.2.0 255.255.255.0 any eq smtp log
access-list inside_access_in permit ip 192.168.2.0 255.255.255.0 any log
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.2.180 255.255.255.252
access-list nw_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.180 255.255.255.252
pager lines 24
logging trap informational
logging host inside 192.168.2.5
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 192.168.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool DL 192.168.2.180-192.168.2.183
pdm location 192.168.2.253 255.255.255.255 inside
pdm location 192.168.2.1 255.255.255.255 inside
pdm location 192.168.2.5 255.255.255.255 inside
pdm location 192.168.2.140 255.255.255.255 inside
pdm location 192.168.254.200 255.255.255.255 inside
pdm location 192.168.2.3 255.255.255.255 inside
pdm location TESTSPAM 255.255.255.255 inside
pdm location SPAM_GATE 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 8000 192.168.2.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp SPAM_GATE smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.2.5 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.2.1 www netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.168.2.1 domain netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.249.136.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.254.200 255.255.255.255 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.2.252 \
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup nw address-pool DL
vpngroup nw split-tunnel nw_splitTunnelAcl
vpngroup nw idle-time 1800
vpngroup nw password ********
telnet 192.168.2.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:e5600fed5953aab3ced7ede4624a780a
 

The fact that the software VPN client works makes me think that the problem lies with the SOHO. I have tried to manually configure the system and I have used the CRWS, which isn't much help.


Any assistance would be gratefully received.



Thanks

Question by:stevenhill
14 Comments
 
LVL 10

Accepted Solution

by:
plemieux72 earned 2000 total points
ID: 13974562
So you want the site-to-site VPN as well as remote access VPN to both the PIX and the SOHO?  I wouldn't use EzVPN for that.  

Just use regular crypto maps.  Also, it's important to note that the SOHO router will be the one initiating the VPN tunnel since it has a dynamic public IP address.

Here is what the config should look like.  I am only including the VPN-specific commands.  You will have to delete some of your existing commands.  This config includes split-tunneling for both.  It also turns on NAT and the IOS firewall (CBAC) in the SOHO to protect the inside network.

PIX -
ip local pool vpnpool 172.16.2.1-172.16.2.50
access-list acl_split_tunnel permit ip 192.168.2.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list acl_no_nat permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list acl_no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac  
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication local
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup nw address-pool vpnpool
vpngroup nw dns-server 192.168.2.40 192.168.2.41
vpngroup nw default-domain yourcompany.com
vpngroup nw split-tunnel acl_split_tunnel
vpngroup nw split-dns yourcompany.com
vpngroup nw idle-time 1800
vpngroup nw password ********
username johndoe password 2bldd1N335oHKraK encrypted privilege 15


SOHO -
username janedoe secret 5 $1$ddwm$.Xw2yYM/NBcyjCSj
aaa new-model
!
!
aaa authentication login client_auth local
aaa authorization network group_author local

ip inspect audit-trail
ip inspect udp idle-time 15
ip inspect dns-timeout 7
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect name cbac_in_to_out cuseeme timeout 3600
ip inspect name cbac_in_to_out ftp timeout 3600
ip inspect name cbac_in_to_out h323 timeout 3600
ip inspect name cbac_in_to_out netshow timeout 3600
ip inspect name cbac_in_to_out rcmd timeout 3600
ip inspect name cbac_in_to_out realaudio timeout 3600
ip inspect name cbac_in_to_out rtsp timeout 3600
ip inspect name cbac_in_to_out smtp timeout 3600
ip inspect name cbac_in_to_out sqlnet timeout 3600
ip inspect name cbac_in_to_out streamworks timeout 3600
ip inspect name cbac_in_to_out tcp timeout 3600
ip inspect name cbac_in_to_out tftp timeout 30
ip inspect name cbac_in_to_out udp timeout 15
ip inspect name cbac_in_to_out vdolive timeout 3600
ip inspect name cbac_in_to_out fragment maximum 256 timeout 1

crypto isakmp policy 5
 encr des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr des
 authentication pre-share
 group 2
crypto isakmp key E]FAFeCNs33cK\]UOb\TWhAAB address x.x.x.x no-xauth
!
crypto isakmp client configuration group nw
 key cde33e3de`L[Ua_WFYKfQYF]RiOG]
 domain yourcompany.com
 pool vpn_pool
 acl acl_crypto_vpn_clients
!
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set ESP-DES-MD5
!
!
crypto map CRYPTO_MAP client authentication list client_auth
crypto map CRYPTO_MAP isakmp authorization list group_author
crypto map CRYPTO_MAP client configuration address respond
crypto map CRYPTO_MAP 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-DES-MD5
 match address acl_crypto_sohosite_pixsite
crypto map CRYPTO_MAP 110 ipsec-isakmp dynamic dynmap

interface Ethernet1
 crypto map CRYPTO_MAP
 ip inspect cbac_in_to_out out
 ip access-group acl_cbac in

ip local pool vpn_pool 172.16.10.1 172.16.10.254
ip nat inside source route-map no_nat interface Ethernet1 overload

ip access-list extended acl_cbac
 permit icmp any any packet-too-big
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any unreachable
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
ip access-list extended acl_crypto_vpn_clients
 permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
ip access-list extended acl_crypto_sohosite_pixsite
 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended acl_nat
 deny   ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any

route-map no_nat permit 10
 match ip address acl_nat


Good luck, let me know how you do.
0
 

Author Comment

by:stevenhill
ID: 13976695
Thanks very much for your response. I really appreciate the detail.

I have entered the configs as listed but am still suffering, as the SOHO doesn't seem to attempt to bring up the connection. I have set debugging on IPsec, ISAKMP and VPN but no details are appearing.

The 'show crypto ipsec sa' command shows the following:

interface: Ethernet1
    Crypto map tag: crypto_map, local addr. 192.168.254.209

   protected vrf:
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 213.249.136.19:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.254.209, remote crypto endpt.: 213.249.136.19
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


But 'show crypto isakmp sa' shows nothing.


The configs of the devices are below. I am sure to an expert there are blinding errors, but I'm afraid I'm still flying a little blind.


Result of firewall command: "show run"
 
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password PASSWORD encrypted
passwd PASSWORD encrypted
hostname pix
domain-name DOMAIN.COM
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.2.136 TESTSPAM
name 192.168.2.199 SPAM_GATE
access-list outside_access_in permit udp any interface outside eq domain log
access-list outside_access_in permit tcp any interface outside eq 3389 log
access-list outside_access_in permit tcp any host PIX IP ADDRESS eq smtp log
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in deny tcp any any
access-list inside_access_in permit tcp host 192.168.2.1 any eq smtp log
access-list inside_access_in deny tcp 192.168.2.0 255.255.255.0 any eq smtp log
access-list inside_access_in permit ip 192.168.2.0 255.255.255.0 any log
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.2.180 255.255.255.252
access-list nw_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.180 255.255.255.252
access-list acl_split_tunnel permit ip 192.168.2.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list acl_no_nat permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging trap informational
logging host inside 192.168.2.5
mtu outside 1500
mtu inside 1500
ip address outside PIX IP ADDRESS 255.255.255.248
ip address inside 192.168.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool DL 192.168.2.180-192.168.2.183
ip local pool vpnpool 172.16.2.1-172.16.2.50
pdm location 213.249.136.20 255.255.255.255 outside
pdm location 192.168.2.253 255.255.255.255 inside
pdm location 192.168.2.1 255.255.255.255 inside
pdm location 192.168.2.5 255.255.255.255 inside
pdm location 192.168.2.140 255.255.255.255 inside
pdm location 192.168.254.200 255.255.255.255 inside
pdm location 192.168.2.3 255.255.255.255 inside
pdm location TESTSPAM 255.255.255.255 inside
pdm location SPAM_GATE 255.255.255.255 inside
pdm location 192.168.2.180 255.255.255.252 outside
pdm location 10.10.10.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list acl_no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 8000 192.168.2.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp SPAM_GATE smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.2.5 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.2.1 www netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.168.2.1 domain netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.249.136.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.254.200 255.255.255.255 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.2.252 \
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp key ******** address SOHO IP(STATIC) netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup nw address-pool vpnpool
vpngroup nw dns-server 192.168.2.40 192.168.2.41
vpngroup nw default-domain DOMAIN.COM
vpngroup nw split-tunnel acl_split_tunnel
vpngroup nw split-dns DOMAIN.COM
vpngroup nw idle-time 1800
vpngroup nw password ********
telnet 192.168.2.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username USERNAME password PASSWORD encrypted privilege 2
terminal width 80
Cryptochecksum:e5600fed5953aab3ced7ede4624a780a
: end


Soho

show run
Building configuration...

Current configuration : 3532 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
username johndoe password PASSWORD encrypted privilege 5
username janedoe secret 5 PASSWORDD.
username CRWS_Bijoy privilege 15 password 0 PASSWORD
aaa new-model
!
!
aaa authentication login client_auth local
aaa authorization network group_author local
aaa session-id common
ip subnet-zero
ip name-server 192.168.254.254
!
!
ip inspect audit-trail
ip inspect udp idle-time 15
ip inspect dns-timeout 7
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect name cbac_in_to_out cuseeme timeout 3600
ip inspect name cbac_in_to_out ftp timeout 3600
ip inspect name cbac_in_to_out h323 timeout 3600
ip inspect name cbac_in_to_out rcmd timeout 3600
ip inspect name cbac_in_to_out realaudio timeout 3600
ip inspect name cbac_in_to_out rtsp timeout 3600
ip inspect name cbac_in_to_out smtp timeout 3600
ip inspect name cbac_in_to_out sqlnet timeout 3600
ip inspect name cbac_in_to_out streamworks timeout 3600
ip inspect name cbac_in_to_out tcp timeout 3600
ip inspect name cbac_in_to_out tftp timeout 30
ip inspect name cbac_in_to_out udp timeout 15
ip inspect name cbac_in_to_out vdolive timeout 3600
ip inspect name cbac_in_to_out fragment maximum 256 timeout 1
!
!
partition flash 2 6 2
!
!
!
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key nw address PIX IP ADDRESS no-xauth
!
crypto isakmp client configuration group nw
 key KEY
 domain DOMAIN.COM
 pool vpn_pool
 acl acl_crypto_vpn_clients
!
!
crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set esp-des-md5
!
!
crypto map crypto_map client authentication list client_auth
crypto map crypto_map isakmp authorization list group_author
crypto map crypto_map client configuration address respond
crypto map crypto_map 10 ipsec-isakmp
 set peer PIX IP ADDRESS
 match address acl_crypto_sohosite_pixsite
crypto map crypto_map 110 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 ip address 10.10.10.2 255.0.0.0
!
interface Ethernet1
 ip address dhcp
 ip access-group acl_cbac in
 ip inspect cbac_in_to_out out
 duplex auto
 crypto map crypto_map
!
ip local pool vpn_pool 172.16.10.1 172.16.10.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.254.254
ip http server
no ip http secure-server
ip nat inside source route-map no_nat interface Ethernet1 overload
!
!
ip access-list extended acl_cbac
 permit icmp any any packet-too-big
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any unreachable
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
ip access-list extended acl_crypto_sohosite_pixsite
 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended acl_crypto_vpn_clients
 permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
ip access-list extended acl_nat
 deny   ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
route-map no_nat permit 10
 match ip address acl_nat
!
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
 speed 115200
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
!
end

Thanks again for your help, plemieux72



0
 
LVL 10

Expert Comment

by:plemieux72
ID: 13976993
In your sh cry ipsec sa command, this line shows a private IP address (192.168.254.209) trying to connect to a public one (213.249.136.19)...

local crypto endpt.: 192.168.254.209, remote crypto endpt.: 213.249.136.19

Unless I am missing something, this will not work.  First, have you confirmed you can browse the Internet from BOTH sites?  If so, the SOHO should be able to make a connection to the PIX using both public IP addresses.

At the SOHO site, is the router connected directly onto the Internet, or does the traffic bound for the other site have to go through another router or firewall via a second private network?
0

Author Comment

by:stevenhill
ID: 14013808
Hi,

Perhaps that's the problem. I am using the SOHO through a home internet connection that uses NAT. I guess that will stop it working.

To be honest, I couldn't connect to the net through the SOHO when it was NAT'd, so I will have a go at connecting it straight out and see if we get anywhere.

At the PIX end it connects just fine.


Thanks again for your help. I'm sure I will be back when I sort it or don't.


Cheers
0
 
LVL 10

Expert Comment

by:plemieux72
ID: 14014729
If you need any help in configuring NAT on the SOHO, I've done several of mine and have a good working config with CBAC that works just great (including the remote access VPN and site-to-site VPN).  Let me know.
0
 

Author Comment

by:stevenhill
ID: 14054640
Hi

Sorry to drag this out so much.

I have got the SOHO working and that will connect to the internet. I have attempted to bring up the tunnel with the 'tunnel' command.

This seems to do nothing.

However, I have managed to get the Cisco software VPN client working from another machine. That can connect to the PIX OK and I can ping machines on the remote network.

The PIX config is below:

Result of firewall command: "SHOW RUN"
 
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXX encrypted
passwd XXXXX encrypted
hostname pix
domain-name HOST.COM
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.2.136 TESTSPAM
name 192.168.2.199 SPAM_GATE
access-list outside_access_in permit udp any interface outside eq domain log
access-list outside_access_in permit tcp any interface outside eq 3389 log
access-list outside_access_in permit tcp any host 213.249.136.19 eq smtp log
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in deny tcp any any
access-list inside_access_in permit tcp host 192.168.2.1 any eq smtp log
access-list inside_access_in deny tcp 192.168.2.0 255.255.255.0 any eq smtp log
access-list inside_access_in permit ip 192.168.2.0 255.255.255.0 any log
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.2.180 255.255.255.252
access-list nw_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.180 255.255.255.252
pager lines 24
logging trap informational
logging host inside 192.168.2.5
mtu outside 1500
mtu inside 1500
ip address outside PIX IP 255.255.255.248
ip address inside 192.168.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool DL 192.168.2.180-192.168.2.183
pdm location 213.249.136.20 255.255.255.255 outside
pdm location 192.168.2.253 255.255.255.255 inside
pdm location 192.168.2.1 255.255.255.255 inside
pdm location 192.168.2.5 255.255.255.255 inside
pdm location 192.168.2.140 255.255.255.255 inside
pdm location 192.168.254.200 255.255.255.255 inside
pdm location 192.168.2.3 255.255.255.255 inside
pdm location TESTSPAM 255.255.255.255 inside
pdm location SPAM_GATE 255.255.255.255 inside
pdm location 192.168.2.180 255.255.255.252 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 8000 192.168.2.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp SPAM_GATE smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.2.5 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.2.1 www netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.168.2.1 domain netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.254.200 255.255.255.255 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.2.252 \
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5 ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup nw address-pool DL
vpngroup nw split-tunnel nw_splitTunnelAcl
vpngroup nw idle-time 1800
vpngroup nw password ********
telnet 192.168.2.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:XXXXX
: end



This is the config as it stands with the software client working.

I have entered your config but was unable to get this command into the config:

'crypto map outside_map interface outside'


The SOHO is as follows.



Current configuration : 2766 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SOHO
!
enable secret 5 XXXXXXXXX
enable password XXXXXXXXX
!
username CRWS_dheeraj privilege 15 password 0 XXXXXXX
aaa new-model
!
!
aaa authentication login client_auth local
aaa authorization network group_author local
aaa session-id common
ip subnet-zero
ip name-server 213.208.106.212
ip name-server 213.208.106.213
ip dhcp excluded-address 192.168.4.254
ip dhcp excluded-address 192.168.4.1 192.168.4.99
ip dhcp excluded-address 192.168.4.201 192.168.4.254
!
ip dhcp pool CLIENT
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.254
   dns-server 213.208.106.212 213.208.106.213
   lease 0 2
!
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key 0 nw address PIX IP no-xauth
!
crypto isakmp client configuration group nw
 key 0 nw
 domain HOST.COM
 pool vpn_pool
 acl acl_crypto_vpn_clients
!
!
crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set esp-des-md5
!
!
crypto map crypto_map client authentication list client_auth
crypto map crypto_map isakmp authorization list group_author
crypto map crypto_map client configuration address respond
crypto map crypto_map 10 ipsec-isakmp
 set peer PIX IP
 match address acl_crypto_sohosite_pixsite
crypto map crypto_map 110 ipsec-isakmp dynamic dynmap

!
!
!
!
interface Ethernet0
 ip address 192.168.4.254 255.255.255.0
 ip nat inside
 no ip mroute-cache
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 ip address SOHO IP 255.255.255.248
 ip nat outside
 no ip mroute-cache
 duplex auto
 no cdp enable
 crypto map crypto_map
!
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 84.12.130.145
ip http server
no ip http secure-server
!
!
ip access-list extended acl_crypto_sohosite_pixsite
 permit ip 192.168.4.0 0.0.0.255 172.16.10.0 0.0.0.255
ip access-list extended acl_crypto_vpn_clients
 permit ip 192.168.4.0 0.0.0.255 172.16.10.0 0.0.0.255
ip access-list extended acl_nat
 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.4.0 0.0.0.255 172.16.10.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
snmp-server community public RO
snmp-server enable traps tty
no cdp run
route-map no_nat permit 10
 match ip address acl_nat
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 120 0
 password XXXXXXXXX
 length 0
!
scheduler max-task-time 5000
!
end



Those are the configs for both machines.

Whilst I think about it, how do I manually bring up and test the connection from the SOHO end? And how do I make the routing work for the local machines so traffic will pass either over the VPN for a specific app, or to the internet for everything else?

Thanks again for your help

Steve




0
 
LVL 10

Expert Comment

by:plemieux72
ID: 14055850
In your SOHO config, there are a few things to fix:

1)

ip access-list extended acl_crypto_sohosite_pixsite
 permit ip 192.168.4.0 0.0.0.255 172.16.10.0 0.0.0.255
 
should read...

ip access-list extended acl_crypto_sohosite_pixsite
 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255

2)

Enter this pool of addresses for your VPN clients who connect to the SOHO nw group:

ip local pool vpn_pool 172.16.16.1 172.16.16.254

...choose whichever range you want, but make sure it's updated in the access-lists acl_crypto_vpn_clients and acl_nat.

3)

NAT can be accomplished either via access-list 102 or via the route map with access-list acl_nat.  Choose which method you want but I suggest the route map method since it's newer and more flexible.

To change to the route map, enter this:

ip nat inside source route-map acl_nat interface ethernet1 overload
no ip nat inside source list 102 interface Ethernet1 overload

The acl_nat access-list has what you need to "not-NAT" the VPN traffic from site-to-site and VPN clients.  

<<Whilst I think about it, how do I manually bring up and test the connection from the SOHO end? And how do I make the routing work for the local machines so traffic will pass either over the VPN for a specific app, or to the Internet for everything else.>>

Any time a packet is sourced from the 192.168.4.0/24 network to the 192.168.2.0/24 network, it bypasses NAT and activates the tunnel if it is not active already.  So, unless you need to access the SOHO site apps from the PIX site and are worried the tunnel won't be up because of inactivity, you need to find a way to have the tunnel permanently active.  On 2 of my remote sites, I do this by turning on CBAC auditing and logging to the syslog server at the PIX site.  This way, there are always packets going through the tunnel so it remains up.  There are probably better ways to do it (like ping tests) but this works for me.  The added benefit is the logged data.

All traffic to any other destination will be NATted as per acl_nat's "permit ip 192.168.4.0 0.0.0.255 any" entry and sent to the Internet.

LVL 10

Expert Comment

by:plemieux72
ID: 14055874
Sorry, mistake above in 3)

ip nat inside source route-map acl_nat interface ethernet1 overload

should read:

ip nat inside source route-map no_nat interface ethernet1 overload

Author Comment

by:stevenhill
ID: 14068924
Hi, Plemieux72

Still plugging away at this issue. I just want to thank you for your efforts. I know it's not easy when you can't get your hands on the equipment personally. Next time you're in London, I think I owe you a drink.

ok...

The configs are as follows, with changes and all.... Still, it mocks me by not working. The software version on my personal machine (unconnected to either network) now makes a connection, though it can no longer ping the machines on the other side of the PIX. Less of a worry, as I was only doing that for testing. It's the SOHO that I really need working.

here goes:

SOHO CONFIG


Current configuration : 3430 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LCN-ROUTER
!
enable secret 5 xxxxxxxx
enable password xxxxxxx!

aaa authentication login client_auth local
aaa authorization network group_author local
aaa session-id common
ip subnet-zero
ip name-server 213.208.106.212
ip name-server 213.208.106.213
ip dhcp excluded-address 192.168.4.254
ip dhcp excluded-address 192.168.4.1 192.168.4.99
ip dhcp excluded-address 192.168.4.201 192.168.4.254
!
ip dhcp pool CLIENT
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.254
   dns-server 213.208.106.212 213.208.106.213
   lease 0 2
!
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key 0 nw address PIX IP ADDRESS no-xauth
!
crypto isakmp client configuration group nw
 key 0 nw
 domain DOMAIN.COM
 pool vpn_pool
 acl acl_crypto_vpn_clients
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set esp-des-md5
!
crypto map crypto_map client authentication list client_auth
crypto map crypto_map isakmp authorization list group_author
crypto map crypto_map client configuration address respond
crypto map crypto_map 10 ipsec-isakmp
 set peer PIX IP ADDRESS
 match address acl_crypto_sohosite_pixsite
crypto map crypto_map 110 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 192.168.4.254 255.255.255.0
 ip nat inside
 no ip mroute-cache
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 ip address SOHO IP ADDRESS 255.255.255.248
 ip nat outside
 no ip mroute-cache
 duplex auto
 crypto map crypto_map
!
ip local pool vpn_pool 192.168.2.180 192.168.2.183
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source route-map no_nat interface Ethernet1 overload
ip nat inside source static tcp 192.168.4.100 3389 SOHO IP ADDRESS 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 84.12.130.145
ip http server
no ip http secure-server
!
!
ip access-list extended acl_crypto_sohosite_pixsite
 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended acl_crypto_vpn_clients
 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended acl_nat
 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
snmp-server community public RO
snmp-server enable traps tty
no cdp run
route-map no_nat permit 10
 match ip address acl_nat
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 120 0
 password xxxxxxx
 length 0
!
scheduler max-task-time 5000
!
end








Pix 515e


PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxx encrypted
passwd xxxxx
hostname pix
domain-name DOMAIN.COM
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.2.136 TESTSPAM
name 192.168.2.199 SPAM_GATE
access-list outside_access_in permit udp any interface outside eq domain log
access-list outside_access_in permit tcp any interface outside eq 3389 log
access-list outside_access_in permit tcp any host 213.249.136.19 eq smtp log
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in deny tcp any any
access-list inside_access_in permit tcp host 192.168.2.1 any eq smtp log
access-list inside_access_in deny tcp 192.168.2.0 255.255.255.0 any eq smtp log
access-list inside_access_in permit ip 192.168.2.0 255.255.255.0 any log
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.180 255.255.255.252
access-list acl_split_tunnel permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list acl_no_nat permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
logging trap informational
logging host inside 192.168.2.5
mtu outside 1500
mtu inside 1500
ip address outside 213.249.136.19 255.255.255.248
ip address inside 192.168.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool 192.168.2.180-192.168.2.183
pdm location 213.249.136.20 255.255.255.255 outside
pdm location 192.168.2.253 255.255.255.255 inside
pdm location 192.168.2.1 255.255.255.255 inside
pdm location 192.168.2.5 255.255.255.255 inside
pdm location 192.168.2.140 255.255.255.255 inside
pdm location 192.168.254.200 255.255.255.255 inside
pdm location 192.168.2.3 255.255.255.255 inside
pdm location TESTSPAM 255.255.255.255 inside
pdm location SPAM_GATE 255.255.255.255 inside
pdm location 192.168.2.180 255.255.255.252 outside
pdm location 192.168.4.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list acl_no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 8000 192.168.2.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp SPAM_GATE smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.2.5 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.2.1 www netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.168.2.1 domain netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.249.136.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.254.200 255.255.255.255 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.2.252 \
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5 ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup nw address-pool vpn_pool
vpngroup nw default-domain DOMAIN.COM
vpngroup nw split-tunnel acl_split_tunnel
vpngroup nw split-dns DOMAIN.COM
vpngroup nw idle-time 1800
vpngroup nw password ********
telnet 192.168.2.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:
: end


Once again, thanks for all your help. I do appreciate it.  Don't worry if you can't see the problem... I guess the next stop is to cough up to a consultant.. not a pleasing thought given Cisco consultants' going rate.....

cheers



LVL 10

Expert Comment

by:plemieux72
ID: 14069299
I'll take a look tonight when I get back home...

As a suggestion, instead of a consultant ($$$), get a SmartNet contract from your Cisco vendor.  For the SOHO, it's less than $100 and lasts a year.  You can then open cases for how-tos and break/fixes on the Cisco web site.  It's well worth the money.  However, there are lots of Cisco experts on EE.  And, although I am just a beginner, I've done what you need to do before, so I am sure I can spot the problem given a little more time.  I'll get back to you.

Author Comment

by:stevenhill
ID: 14069343
Thanks for your help, and thanks for the advice.
LVL 10

Expert Comment

by:plemieux72
ID: 14076676
There are several things to change on the SOHO.

In your "crypto map crypto_map 10 ipsec-isakmp", you need to set a transform set:

set transform-set esp-des-md5

For the remote access with VPN clients on the SOHO, your vpnpool needs to have a completely different range which is why I had chosen the 172.16.x.x addresses since those were not part of either network.  Then, don't forget to update your acl_crypto_vpn_clients to reflect the new range.

Still on the SOHO, remove this since your route-map now does NAT:
ip nat inside source list 102 interface Ethernet1 overload

Still on the SOHO, update the acl_nat to prevent NATting the VPN clients' traffic with your 172.16.x.x addresses.  The final ACL should look like:

ip access-list extended acl_nat
 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.4.0 0.0.0.255 172.16.x.x 0.0.0.255 (or whatever range you set in your vpnpool)
 permit ip 192.168.4.0 0.0.0.255 any (this makes everything else NAT)

Finally, on the PIX, you need to also change your VPN pool... it should be yet another range like 172.16.y.y so it doesn't overlap with the 192.168.2.x internal network.  I know what you were thinking (very logical) when doing this... but it doesn't work that way.  The PIX basically "connects" the different VPN client network to the internal network 192.168.2.x when a client connects and takes care of routing between the two.

Let me know how it goes...

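As an added example (not code from the thread or from either device), a small Python checker for the three rules discussed in the comments above: whether a packet leaving the SOHO matches a deny in acl_nat and so bypasses PAT for the tunnel, whether the two sites' crypto ACLs are exact mirrors of each other, and whether an "ip local pool" range overlaps the LAN it sits next to. It normalises IOS wildcard masks and PIX 6.3 netmasks to the same network objects; the ACL and pool values are constructed from the configs posted in the thread.

```python
import ipaddress
from ipaddress import IPv4Address, IPv4Network

ANY = IPv4Network("0.0.0.0/0")


def _operand(tokens, i, wildcard):
    """Parse one address operand starting at tokens[i]; return (network, next index).
    wildcard=True is IOS syntax (inverse mask), wildcard=False is PIX netmask syntax."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if wildcard:
        # Invert explicitly: a wildcard of 0.0.0.0 means a single host, but
        # ipaddress would read the string "0.0.0.0" as a /0 netmask.
        mask = str(IPv4Address(int(IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network((addr, mask), strict=False), i + 2


def parse_ace(line, wildcard=True):
    """'permit|deny ip SRC MASK DST MASK' -> (action, src_net, dst_net)."""
    t = line.split()
    if len(t) < 3 or t[1] != "ip":
        raise ValueError("only 'ip' entries are handled: " + line)
    src, i = _operand(t, 2, wildcard)
    dst, _ = _operand(t, i, wildcard)
    return t[0], src, dst


def parse_acl(text, wildcard=True):
    return [parse_ace(l, wildcard) for l in text.splitlines() if l.strip()]


def is_natted(acl_nat, src_ip, dst_ip):
    """Outcome of 'ip nat inside source route-map no_nat' (or 'source list acl_nat'):
    the packet is translated only when the first matching entry is a permit.
    A deny hit, or no hit at all (implicit deny), leaves it untranslated for the tunnel."""
    s, d = IPv4Address(src_ip), IPv4Address(dst_ip)
    for action, src, dst in acl_nat:
        if s in src and d in dst:
            return action == "permit"
    return False


def crypto_acls_mirror(soho_ace, pix_ace):
    """Site-to-site crypto ACLs must mirror: the PIX's (src, dst) is the SOHO's (dst, src)."""
    _, s_src, s_dst = parse_ace(soho_ace, wildcard=True)
    _, p_src, p_dst = parse_ace(pix_ace, wildcard=False)
    return (s_src, s_dst) == (p_dst, p_src)


def pool_overlaps_lan(first, last, lan):
    """True when any address of an 'ip local pool FIRST LAST' lies inside the LAN."""
    lan = IPv4Network(lan)
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    return any(IPv4Address(a) in lan for a in range(lo, hi + 1))


# Constructed from the final SOHO and PIX configs posted in this thread.
SOHO_ACL_NAT = parse_acl("""
deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 any
""")
SOHO_CRYPTO = "permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255"
PIX_CRYPTO = "permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0"

if __name__ == "__main__":
    print(is_natted(SOHO_ACL_NAT, "192.168.4.10", "192.168.2.5"))    # False: tunnel traffic, no PAT
    print(is_natted(SOHO_ACL_NAT, "192.168.4.10", "198.51.100.7"))   # True: PAT to the Internet
    print(crypto_acls_mirror(SOHO_CRYPTO, PIX_CRYPTO))               # True
    print(pool_overlaps_lan("192.168.2.180", "192.168.2.183", "192.168.2.0/24"))  # True
```

The last check reports the overlap between the PIX pool and the 192.168.2.x LAN that the comment above warns about; the SOHO's final 192.168.3.x pool passes it.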

Author Comment

by:stevenhill
ID: 14107445
Hi, Plemieux

I'm afraid time ran out for this problem and we had to get it working for the client, so we gave in and found someone who could fix it remotely for a reasonable price. It was a case of last resort, but now it works fine. I will shortly post the configs if they're of any interest to you.

Thanks again for all your help, and I'll send the points your way as soon as I have put the configs up.


Cheers


Author Comment

by:stevenhill
ID: 14160542
Hi,

Here are the configs that finally solved the problem.

This is the pix:

Result of firewall command: "show run"
 
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXX encrypted
passwd XXXXX encrypted
hostname pix
domain-name DOMAIN.COM
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.2.136 TESTSPAM
name 192.168.2.199 SPAM_GATE
access-list outside_access_in permit udp any interface outside eq domain log
access-list outside_access_in permit tcp any interface outside eq 3389 log
access-list outside_access_in permit tcp any interface outside eq imap4 log
access-list outside_access_in permit tcp any host 213.249.136.19 eq smtp log
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in deny tcp any any
access-list inside_access_in permit tcp host 192.168.2.1 any eq smtp log
access-list inside_access_in deny tcp 192.168.2.0 255.255.255.0 any eq smtp log
access-list inside_access_in permit ip 192.168.2.0 255.255.255.0 any log
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.2.180 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nw_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.180 255.255.255.252
access-list acl_crypto_pixsite_sohosite permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
logging trap informational
logging host inside 192.168.2.1
mtu outside 1430
mtu inside 1430
ip address outside PIX IP ADDRESS 255.255.255.248
ip address inside 192.168.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool DL 192.168.2.180-192.168.2.183
pdm location x.x.x.x 255.255.255.255 outside
pdm location 192.168.2.253 255.255.255.255 inside
pdm location 192.168.2.1 255.255.255.255 inside
pdm location 192.168.2.5 255.255.255.255 inside
pdm location 192.168.2.140 255.255.255.255 inside
pdm location 192.168.254.200 255.255.255.255 inside
pdm location 192.168.2.3 255.255.255.255 inside
pdm location TESTSPAM 255.255.255.255 inside
pdm location SPAM_GATE 255.255.255.255 inside
pdm location 192.168.2.180 255.255.255.252 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 62.3.255.33 255.255.255.255 outside
pdm location 82.133.50.163 255.255.255.255 outside
pdm location 192.168.4.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 8000 192.168.2.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp SPAM_GATE smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.2.5 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.2.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 192.168.2.1 imap4 netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.168.2.1 domain netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.254.200 255.255.255.255 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.2.252 \
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address acl_crypto_pixsite_sohosite
crypto map outside_map 10 set peer SOHO IP ADDRESS
crypto map outside_map 10 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address SOHO IP ADDRESS netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup nw address-pool DL
vpngroup nw split-tunnel nw_splitTunnelAcl
vpngroup nw idle-time 1800
vpngroup nw password ********
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh X.X.X.X 255.255.255.255 outside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:XXXXXXXXXXX
: end



and the soho config:


LCN-ROUTER#show run
Building configuration...

Current configuration : 3468 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LCN-ROUTER
!
enable secret 5 xxxxx
enable password PASSWORD!
!
aaa new-model
!
!
aaa authentication login client_auth local
aaa authorization network group_author local
aaa session-id common
ip subnet-zero
ip name-server 213.208.106.212
ip name-server 213.208.106.213
ip dhcp excluded-address 192.168.4.254
ip dhcp excluded-address 192.168.4.1 192.168.4.99
ip dhcp excluded-address 192.168.4.201 192.168.4.254
!
ip dhcp pool CLIENT
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.254
   dns-server 213.208.106.212 213.208.106.213
   lease 0 2
!
!
!
!
!
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key 0 nw address PIX IP no-xauth
!
crypto isakmp client configuration group nw
 key 0 nw
 domain dunn-line.com
 pool vpn_pool
 acl acl_crypto_vpn_clients
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set esp-des-md5
!
!
crypto map crypto_map client authentication list client_auth
crypto map crypto_map isakmp authorization list group_author
crypto map crypto_map client configuration address respond
crypto map crypto_map 10 ipsec-isakmp
 set peer 213.249.136.19
 set transform-set esp-des-md5
 match address acl_crypto_sohosite_pixsite
crypto map crypto_map 110 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 192.168.4.254 255.255.255.0
 ip nat inside
 no ip mroute-cache
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 ip address SOHO IP 255.255.255.248
 ip nat outside
 no ip mroute-cache
 duplex auto
 no cdp enable
 crypto map crypto_map
!
ip local pool vpn_pool 192.168.3.180 192.168.3.183
ip nat inside source list acl_nat interface Ethernet1 overload
ip nat inside source static tcp 192.168.4.100 3389 SOHO IP 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 ADSL ROUTER IP
ip http server
no ip http secure-server
!
!
ip access-list extended acl_crypto_sohosite_pixsite
 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended acl_crypto_vpn_clients
 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended acl_nat
 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
snmp-server community public RO
snmp-server enable traps tty
no cdp run
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 120 0
 password PASSWORD
 length 0
!
scheduler max-task-time 5000
!
end

LCN-ROUTER#



I hope this is helpful to you. And again, thank you very much for all your help!
