Solved

VPN wizard using ASDM on PIX 525

Posted on 2006-05-12
Last Modified: 2013-11-16
Might have guessed that I am new to setting up VPN. Using ASDM's VPN wizard on PIX 525 (ASDM v5.1(2) and PIX IOS 7.1(2)) was a breeze, though I am still having a few minor glitches, probably.

Network layout is pretty simple: The only catch is that I have Netware servers on the inside which need to be connected using IPSEC VPN client without using NAT on the outside interface as the NCP protocol doesn't support NAT.

 Netware Servers (Int. Network)||--->PIX----->||---->Router||---->{Internet}
 ---------10.20.220.0/23--------||----(inside:10.20.220.50) PIX (out PAT:194.150.10.1)---||-----Router 194.150.10.100--->Internet {Remote VPN clients}

In the non-VPN scenario, all my internal clients, having local DHCP-assigned IPs (10.20.220.0/23), access the Internet through PAT (single public IP on the PIX outside interface).

Now, I configured VPN using VPN wizard for Remote Access.
I intend to use Cisco's VPN Client. (Would Easy VPN be a better option?)
I am using 525 UR license with 3DES support enabled.
In step 6 of the wizard, I configured a pool that would be assigning dyn IP addr to remote VPN clients (10.20.225.1-10.20.225.250 mask 255.255.255.0).
I am assigning the primary DNS server to VPN clients as my 10.20.220.30 on my internal network.
IKE policy is: Encryption 3des, authentication SHA
IPSEC Encryption is 3DES and authentication SHA.

Internal Network elements are exposed to remote VPN users without NAT (any). Split Tunneling is disabled... (Step 10 of wizard)

User authentication is using the local user database (without password still)
IPSEC authentication uses a pre-shared key

...The problem that still remains is that I probably have to create a client pool that is routable internally to the server so that, once the user authenticates via the VPN, it's like sitting at the remote office. What part of asdm/pdm would allow me to route my incoming VPN clients to the internal network of the 10.20.220.0/23 range?

Also, at no point in the wizard did it ask me to enter the default gateway to be used for the traffic flowing out from 10.20.220.0 back to the IPSEC VPN client. How should I take care of this?

And...here is the related output generated at the end of the wizard:

---------------------------------------------------------------------------------------------
access-list inside_nat0_outbound line 1 extended permit ip any 10.20.225.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
isakmp enable outside
username test1 nopassword   privilege 0
username test1 attributes
  vpn-group-policy eucstaff
username test2 nopassword   privilege 0
username test2 attributes
  vpn-group-policy abcstaff
ip local pool vpnpool 10.20.225.1-10.20.225.250 mask 255.255.255.0
group-policy abcstaff internal
group-policy abcstaff attributes
  dns-server value 10.20.220.30
  default-domain value abc.com
tunnel-group abcstaff type ipsec-ra
tunnel-group abcstaff general-attributes
  default-group-policy abcstaff
  address-pool  vpnpool
tunnel-group abcstaff ipsec-attributes
  pre-shared-key thesame
isakmp policy 10 authen pre-share
isakmp policy 10 encrypt 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
no crypto dynamic-map outside_dyn_map 20 set nat-t-disable
no crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
sysopt connection permit-ipsec
---------------------------------------------------------------------------------------------------


Edited::

Also, I realised that though references exist to my group policy 'abcstaff', the details of what I configured don't exist in the final output of my VPN wizard, probably because I configured it prior to starting my VPN wizard...!!!??

All I did there was to create a policy by the name abcstaff and add an ACL 105 while adding ACEs in the following order:
----------------------------------------------------------
access-list 105 remark Permit IP Access from ANY source to the Internal subnet (10.20.220.0/23)
access-list 105 extended permit ip any 10.20.220.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip any 10.20.225.0 255.255.255.0
----------------------------------------------------------
Question by:fahim
LVL 9

Expert Comment

by:stressedout2004
ID: 16668584
>>>>>What part of asdm/pdm would allow me to route my incoming VPN clients to Internal network of 10.20.220.0/23 range? Also, at no point of wizard, did it ask me to enter the default gateway to be used for the traffic flowing out from 10.20.220.0 back to IPSEC VPN client. How should I take care of this?

You don't have to worry about routing as long as all of your Netware Servers and the rest of the hosts in the internal network have their default gateway pointing to the PIX inside IP address. The PIX will automatically route the packets for you with no additional configuration other than the NAT(inside) 0 command which you already have. No need to add any route statements.

>>>>>Also, I realised that though references exist to my Group policy 'abcstaff', the details of what I configured doesn't exist in the final output of my VPN wizard, probably because I configured it prior to starting my VPN wizard...!!!??

Only configuration done within the VPN wizard will show. Other commands not specified within the wizard will not show up on the final output of the wizard. However it should show when you do a "show run".

Out of curiosity, what do you intend to use access-list 105 for, and where did you apply it? Reason I ask is that I don't see any use for that ACL in any VPN config.


Author Comment

by:fahim
ID: 16670224

Just realised I was probably in the wrong area, as an exclusive forum for VPN exists.
Nevertheless... I would rather culminate this one here.

Thanks for the reply 'stressed out'. You got company though. Post this posting, I am going to call it a day and return tomorrow for setting up syslog to see how the VPN communicates.

Well.. I guess ACL 105 is the leftover of the 'abcstaff' group policy I configured manually before starting the VPN wizard, for I read somewhere that the tunnel group and group policy should exist before we can work with the wizard, but it wasn't supposed to be so. Every time I reached the step where it asks me to specify the tunnel group and upon selection of an already existing one, it didn't allow me to continue using that one. So I deleted them both and restarted the VPN wizard. I guess I configured an ACE in ACL 105 to imply (as remarked): Permit IP Access from ANY source to the Internal subnet (10.20.220.0/23). ANY source here being my IPSEC clients coming from the 10.20.225.0/24 VPN client network.

Just have a quick glance at my 'running config' while I prepare to run my client tomorrow. See if you can squeeze a few minutes out to cross-check.
Thanks in advance!!

--------------------------------------------------------------------------------------
abcfw1> en
Password: **********
abcfw1# sh run
: Saved
:
PIX Version 7.1(2)
!
hostname abcfw1
domain-name abc.edu
enable password iotefki encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 194.150.10.15 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.20.220.50 255.255.254.0
!
interface Ethernet2
 shutdown
 nameif intf3
 security-level 6
 no ip address
!
interface Ethernet3
 shutdown
 nameif intf4
 security-level 8
 no ip address
!
interface Ethernet4
 shutdown
 nameif intf5
 security-level 10
 no ip address
!
interface Ethernet5
 shutdown
 nameif intf6
 security-level 12
 no ip address
!
interface GigabitEthernet0
 shutdown
 nameif intf2
 security-level 4
 no ip address
!
passwd iotefcbZ/9/kcNki encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name abc.edu
access-list 102 extended permit ip any any
access-list 103 extended permit icmp any any echo-reply
access-list 103 extended permit icmp any any source-quench
access-list 103 extended permit icmp any any unreachable
access-list 103 extended permit icmp any any time-exceeded
access-list 105 remark Permit IP Access from ANY source to the Internal subnet (10.20.220.0/23)
access-list 105 extended permit ip any 10.20.220.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip any 10.20.225.0 255.255.255.0
pager lines 24
logging asdm critical
mtu outside 1500
mtu inside 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
mtu intf6 1500
mtu intf2 1500
ip local pool vpnpool 10.20.225.1-10.20.225.250 mask 255.255.255.0
no failover
asdm image flash:/asdm-512.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 194.150.10.1 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 103 in interface outside
route outside 0.0.0.0 0.0.0.0 194.150.10.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy abcstaff internal
group-policy abcstaff attributes
 dns-server value 10.20.220.30
 default-domain value abc.edu
username test1 nopassword privilege 0
username test1 attributes
 vpn-group-policy abcstaff
username test2 nopassword privilege 0
username test2 attributes
 vpn-group-policy abcstaff
http server enable
http 10.20.220.2 255.255.255.255 inside
http 10.20.220.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group abcstaff type ipsec-ra
tunnel-group abcstaff general-attributes
 address-pool vpnpool
 default-group-policy abcstaff
tunnel-group abcstaff ipsec-attributes
 pre-shared-key *
telnet 10.20.220.120 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp strict
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
: end
abcfw1#

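Added example, not from the thread and not part of ASDM: a small Python audit over a constructed excerpt of the running config above. It checks the two points the first expert reply makes (the `nat (inside) 0` exemption must cover the client pool, and the pool must not overlap the inside network) together with the hardening items that are visible in the dump: users with `nopassword`, the default SNMP community, SSH version 1, cleartext telnet management, and a group-policy with no split-tunnel policy. The parser, the check names and the severities are my own assumptions.

```python
import ipaddress
import re

# Constructed excerpt modelled on the running config posted in the thread
# (same names and addresses, trimmed to the lines the checks look at).
SAMPLE_CONFIG = """\
interface Ethernet1
 nameif inside
 ip address 10.20.220.50 255.255.254.0
access-list inside_nat0_outbound extended permit ip any 10.20.225.0 255.255.255.0
ip local pool vpnpool 10.20.225.1-10.20.225.250 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy abcstaff attributes
 dns-server value 10.20.220.30
username test1 nopassword privilege 0
username test2 nopassword privilege 0
snmp-server community public
telnet 10.20.220.120 255.255.255.255 inside
ssh version 1
tunnel-group abcstaff general-attributes
 address-pool vpnpool
"""

def parse_config(text):
    """Group the config into (command, [sub-commands]); indented lines belong
    to the preceding top-level command."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith(("!", ":")):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def interface_networks(blocks):
    """nameif -> IPv4Network for each interface that has an address."""
    nets = {}
    for cmd, subs in blocks:
        if cmd.startswith("interface "):
            name = next((s.split()[1] for s in subs if s.startswith("nameif ")), None)
            addr = next((s.split()[2:4] for s in subs if s.startswith("ip address ")), None)
            if name and addr:
                nets[name] = ipaddress.IPv4Network("/".join(addr), strict=False)
    return nets

def local_pools(blocks):
    """pool name -> IPv4Network that the pool's mask places the clients in."""
    pat = re.compile(r"ip local pool (\S+) (\S+)-\S+ mask (\S+)")
    return {m[1]: ipaddress.IPv4Network(f"{m[2]}/{m[3]}", strict=False)
            for cmd, _ in blocks if (m := pat.match(cmd))}

def _take_addr(tok, i):
    """Consume one ACL address operand at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1]), i + 2
    return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def nat0_acl_covers(blocks, pool_net):
    """True if the nat (inside) 0 exemption ACL has a permit ip entry whose
    destination contains the whole VPN pool, so replies to clients bypass PAT."""
    acl = next((m[1] for cmd, _ in blocks
                if (m := re.match(r"nat \(inside\) 0 access-list (\S+)", cmd))), None)
    for cmd, _ in blocks:
        tok = cmd.split()
        if acl and tok[:5] == ["access-list", acl, "extended", "permit", "ip"]:
            _src, i = _take_addr(tok, 5)
            dst, _ = _take_addr(tok, i)
            if pool_net.subnet_of(dst):
                return True
    return False

def audit(text):
    """Return (severity, message) findings: per-line checks in config order,
    then the pool/NAT checks."""
    blocks = parse_config(text)
    findings = []
    for cmd, subs in blocks:
        tok = cmd.split()
        if tok[0] == "username" and "nopassword" in tok:
            findings.append(("high", f"user {tok[1]} has no password"))
        elif cmd == "snmp-server community public":
            findings.append(("high", "SNMP uses the default community 'public'"))
        elif cmd == "ssh version 1":
            findings.append(("medium", "SSH version 1 enabled"))
        elif tok[0] == "telnet" and len(tok) == 4:  # telnet <ip> <mask> <ifc>
            findings.append(("medium", f"cleartext telnet management from {tok[1]} on {tok[3]}"))
        elif tok[0] == "group-policy" and tok[-1] == "attributes":
            if not any(s.startswith("split-tunnel-policy") for s in subs):
                findings.append(("info", f"group-policy {tok[1]} has no split-tunnel-policy: "
                                         "all client traffic is tunnelled"))
    inside = interface_networks(blocks).get("inside")
    for name, pool in local_pools(blocks).items():
        if inside is not None and pool.overlaps(inside):
            findings.append(("high", f"pool {name} {pool} overlaps inside network {inside}"))
        if not nat0_acl_covers(blocks, pool):
            findings.append(("high", f"pool {name} {pool} is not exempted from NAT (nat 0)"))
    return findings
```

Run `audit(open("running-config.txt").read())` against a full `sh run` dump; on the constructed excerpt it reports the password-less users, SNMP, telnet and SSH items and the missing split-tunnel policy, and is silent on the pool checks, which matches the expert's point that 10.20.225.0/24 does not overlap 10.20.220.0/23 and is already exempted by `inside_nat0_outbound`.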
LVL 9

Expert Comment

by:stressedout2004
ID: 16672055
Configuration looks good. You might just wanna add the command:

isakmp nat-traversal

This will enable support for UDP encapsulation on 4500 and allow you to pass traffic over VPN even when connecting from behind a PAT device.

Author Comment

by:fahim
ID: 16673425
Installed the VPN client today after adding the said entry: isakmp nat-traversal

I used a machine internally on my outside interface of the PIX with a public address, just to rule out the access list issue that exists at my router level. Basically wanted to keep it simple still.

So I gave a public IP to one of the machines, say (194.150.10.100). Installed VPN Client v 4.8.01.0300. Configured the connection entry and zoom.. it got in.
On ASDM I could see under VPN status, 1 IKE and 1 IPSEC tunnel.
Connection entry IP is 194.150.10.15, my outside IP address of the PIX.

Now, one problem which I initially suspected still remains.
I cannot ping my Netware Servers which exist on 10.20.220.0/23 network, namely on 10.20.220.10 and 11 with a mask of 255.255.254.0.

On client machine, ipconfig /all shows:

Ethernet adapter Local Area Connection 3:

        Connection-specific DNS Suffix  . : abc.edu
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.20.225.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.20.225.1
        DNS Servers . . . . . . . . . . . : 10.20.220.30

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
        Physical Address. . . . . . . . . : 00-04-76-D6-35-28
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 194.150.10.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 194.150.10.36
-----------------------------------------------------------------------------

Surprisingly, I am able to ping 10.20.220.30, the DNS server that gets assigned by the DHCP pool on PIX and exists on the Internal network. I can even resolve my names to Netware servers but ping achieves a 'no reply'.

I also noticed that for VPN adapter that's virtually assigned on my machine, the default gateway is the same as the assigned IP..Is this ok!!??

I feel like I am almost there.
Any advice would be helpful !!??

LVL 9

Expert Comment

by:stressedout2004
ID: 16675348
>>>I also noticed that for VPN adapter that's virtually assigned on my machine, the default gateway is the same as the assigned IP..Is this ok!!??

Yup, that's fine. This is usually the case.

>>>Surprisingly, I am able to ping 10.20.220.30, the DNS server that gets assigned by the DHCP pool on PIX and exists on the Internal network. I can even resolve my names to Netware servers but ping achieves a 'no reply'.

So basically, you can ping a host within the internal network but not the Netware servers. If you ping the Netware Servers from within the internal network (10.20.220.0/23), do they respond? Reason I ask is that I would just like to verify that pinging works internally, to eliminate the possibility that the server blocks icmp and just doesn't respond to it.

If you can ping at least a single host within the internal network, then that means that the VPN is configured fine and we need to focus on the servers that it can't ping.

If you do a " debug icmp trace" on the PIX, and try to ping the servers, do you see the ping coming in the PIX?


Author Comment

by:fahim
ID: 16677204
Now. this gets really spooky. If this isn't an oversight on my part or a crazy little I might be missing here, then it's going to be the *spookiest* technical situation of my career until now.

Yes..I can ping my Netware Servers (say: 10.20.220.10 and 10.20.220.11/23) from my internal 10.20.220.0/23 network.

More, my DNS/DHCP server is also Netware based, built of exactly the same Service Packs and rev. as the two other File/Print Servers at .10 and .11.
From VPN tunnel, I can ping 10.20.220.30 and am even able to resolve addresses for both Netware servers to their correct addresses. There is also a lotus notes server on the internal network whom I can ping. Actually, I can ping everything except these two Netware Servers.

I could have suspected Netware servers with subnet issues as I am using /23 mask on my internal network and part of IP addresses leased fall on 10.20.221.* range but that's not the case here.

Yes...debug icmp trace shows that request in this fashion:
ICMP echo request <len 32 10.20.225.1 > 10.20.220.10
whereas ping to 10.20.220.12 (Lotus Notes Server)  gives both echo request and reply.

And also, my three Netware servers, including the inside interface of the PIX, are all connected via one single Layer 2 switch with the least management options, so I can rule out port-level access lists on the switch too.

Now this is as exciting as it can get... :)



Author Comment

by:fahim
ID: 16677240
Is there a way here that I can edit my typos / sentences etc.???
LVL 9

Accepted Solution

by:
stressedout2004 earned 600 total points
ID: 16678949
I am not that familiar with Netware, but is there any way to do a route print on them to see their routing tables? What I am asking you is to double or triple check the default gateway of the Netware and check if there are any persistent routes that exist on these servers.

10.20.225.0/24 does not overlap with your internal network, so we can eliminate any issues with overlapping.

To verify routing, here's a test that you can do; turn on debug icmp trace on the PIX and try to ping the assigned IP address of the VPN Client from the internal network. Do it first from hosts that you can ping, then do it from the netware servers that you can't ping. See if there is a difference in the debugs between the ping from the netware servers and the other internal host.
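Added example, not part of the thread: a small Python parser for `debug icmp trace` output that does the comparison the accepted answer asks for. The constructed sample lines follow the shape of the line fahim quoted (`ICMP echo request <len 32 10.20.225.1 > 10.20.220.10`); the id/seq fields, the reply lines and the inside-to-client pings are assumed. It pairs each echo request with its reply and separates two different symptoms: a destination that receives requests from the client but never answers, and an inside host whose own pings to the client never reach the PIX at all.

```python
import re
from collections import defaultdict

# Constructed sample of "debug icmp trace" output. The line shape is modelled on
# the one quoted in the thread; id/seq values and the replies are assumed.
SAMPLE_TRACE = """\
ICMP echo request (len 32 id 1 seq 256) 10.20.225.1 > 10.20.220.10
ICMP echo request (len 32 id 1 seq 512) 10.20.225.1 > 10.20.220.10
ICMP echo request (len 32 id 1 seq 768) 10.20.225.1 > 10.20.220.12
ICMP echo reply (len 32 id 1 seq 768) 10.20.220.12 > 10.20.225.1
ICMP echo request (len 32 id 1 seq 1024) 10.20.225.1 > 10.20.220.30
ICMP echo reply (len 32 id 1 seq 1024) 10.20.220.30 > 10.20.225.1
ICMP echo request (len 32 id 7 seq 1) 10.20.220.12 > 10.20.225.1
ICMP echo reply (len 32 id 7 seq 1) 10.20.225.1 > 10.20.220.12
"""

# Only the message type and the "src > dst" pair are needed; whatever the
# platform prints between them is skipped.
LINE_RE = re.compile(
    r"ICMP echo (request|reply) .*?(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+)")

def ping_summary(trace):
    """Return {(src, dst): [requests, replies]} keyed by the *requesting* pair.
    A reply from B to A is credited to the (A, B) request pair."""
    summary = defaultdict(lambda: [0, 0])
    for line in trace.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind, a, b = m.groups()
        if kind == "request":
            summary[(a, b)][0] += 1
        else:
            summary[(b, a)][1] += 1
    return dict(summary)

def silent_hosts(summary, pinger):
    """Destinations that `pinger` sent echo requests to but never heard back from:
    the request crossed the PIX, so look at the target's own routing."""
    return sorted(dst for (src, dst), (req, rep) in summary.items()
                  if src == pinger and req > 0 and rep == 0)

def never_seen(summary, expected_sources, target):
    """Hosts expected to have pinged `target` whose requests never appeared in
    the trace at all (the accepted answer's reverse test: a request that never
    arrives is a different symptom from a request with no reply)."""
    seen = {src for (src, dst) in summary if dst == target}
    return sorted(set(expected_sources) - seen)

if __name__ == "__main__":
    s = ping_summary(SAMPLE_TRACE)
    print("no reply from:", silent_hosts(s, "10.20.225.1"))
    print("never pinged the client:",
          never_seen(s, ["10.20.220.10", "10.20.220.11", "10.20.220.12"], "10.20.225.1"))
```

On the sample the client's pings to 10.20.220.10 are seen entering the PIX with no reply, while 10.20.220.12 and 10.20.220.30 answer; and of the three inside hosts asked to ping the client, only 10.20.220.12 ever produces a request in the trace, which is exactly the difference the accepted answer tells you to look for.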

Author Comment

by:fahim
ID: 16680258

Problem solved...
Increasing points..for stressed out! :)

Thanks stressed... the clue worked. I hit the right place to troubleshoot the problem. Additional clues to zero in on the problem were obtained from Netware's TID. I'll relate it here for future reference for everyone.. JIC!!
http://support.novell.com/cgi-bin/search/searchtid.cgi?2908890.htm

Another small problem I realised. I'll start another thread if you advise! It's just that Internet browsing doesn't seem to work on the clients when connected to the remote network... seems like the whole traffic gets diverted to the tunnel instead of realising that the path to the outside network also exists through the other interface.

Just divert me to the notes and I'll pick up from there..

Regards
LVL 9

Expert Comment

by:stressedout2004
ID: 16683384
That's normal, since you don't have split tunneling enabled. Split tunneling allows VPN client users to be able to browse the internet while connected to the VPN. Just add the split tunnel policy under the group you have specified.

e.g.

access-list split_acl standard permit 10.20.220.0 255.255.254.0

group-policy abcstaff attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_acl




Author Comment

by:fahim
ID: 16706659

Thanks...

Last one stressed... Is there any other port I have to open at my router level for the incoming remote IPSEC clients apart from UDP port 500 (I guess that's for ISAKMP key negotiations), IP protocol 51 (for Authentication Header traffic) and IP protocol 50 for the "encapsulated data" itself?

Anything else except these three...???

This one is indeed going to be the last in this thread..hope you'll advise!

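Added example, not from the thread: a Python helper that builds the inbound filter the last question asks about, renders it as Cisco IOS extended ACL lines for the upstream router, and evaluates constructed flow records against it. The rule set is UDP 500, ESP (IP protocol 50) and AH (IP protocol 51) from the question plus UDP 4500, which the earlier `isakmp nat-traversal` advice adds for clients behind a PAT device. The ACL number 110, the client addresses 203.0.113.5 and 198.51.100.9, and the `Flow` record are my assumptions, not the poster's configuration.

```python
from dataclasses import dataclass
from typing import Optional

UDP_PROTO, ESP_PROTO, AH_PROTO = 17, 50, 51
IKE_UDP_PORT = 500       # ISAKMP key negotiation
NAT_T_UDP_PORT = 4500    # UDP-encapsulated ESP once "isakmp nat-traversal" is on

@dataclass(frozen=True)
class Flow:
    """One inbound flow as seen at the router (constructed records below)."""
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # only meaningful for UDP/TCP

def ipsec_inbound_rules(pix_outside_ip, nat_traversal=True):
    """(dst, proto, dport) tuples the router must permit towards the PIX outside
    address for IKEv1 remote-access clients; dport None means any port."""
    rules = [(UDP_PROTO, IKE_UDP_PORT), (ESP_PROTO, None), (AH_PROTO, None)]
    if nat_traversal:
        rules.append((UDP_PROTO, NAT_T_UDP_PORT))
    return [(pix_outside_ip, proto, dport) for proto, dport in rules]

def ios_acl_lines(acl_number, pix_outside_ip, nat_traversal=True):
    """Render the rules as Cisco IOS extended ACL entries (IOS names AH 'ahp')."""
    keyword = {UDP_PROTO: "udp", ESP_PROTO: "esp", AH_PROTO: "ahp"}
    lines = []
    for ip, proto, dport in ipsec_inbound_rules(pix_outside_ip, nat_traversal):
        port = f" eq {dport}" if dport is not None else ""
        lines.append(f"access-list {acl_number} permit {keyword[proto]} any host {ip}{port}")
    return lines

def flow_allowed(flow, rules):
    """True if some rule matches the flow's destination, protocol and (if set) port."""
    return any(flow.dst == ip and flow.proto == proto and dport in (None, flow.dport)
               for ip, proto, dport in rules)

def dropped_flows(flows, rules):
    """Flows the router would discard under the given rule set."""
    return [f for f in flows if not flow_allowed(f, rules)]

# Constructed flows: a client behind a PAT device negotiates IKE on UDP 500 and
# then carries ESP inside UDP 4500; a directly connected client uses raw ESP.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "194.150.10.15", UDP_PROTO, 500),
    Flow("203.0.113.5", "194.150.10.15", UDP_PROTO, 4500),
    Flow("198.51.100.9", "194.150.10.15", ESP_PROTO),
]

if __name__ == "__main__":
    print("\n".join(ios_acl_lines(110, "194.150.10.15")))
    without_natt = ipsec_inbound_rules("194.150.10.15", nat_traversal=False)
    print("dropped without NAT-T rule:", dropped_flows(SAMPLE_FLOWS, without_natt))
```

With only the three entries from the question, the PAT'd client's UDP 4500 traffic is the one flow the router drops, so its IKE negotiation succeeds and the tunnel then passes nothing; adding the fourth entry clears it, which is the failure mode the `isakmp nat-traversal` advice addresses.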