PIX 501 and 506e to allow for VPN traffic to be routed correctly

Here is my first request to get our VPN to VPN setup with the 506e to a 501 http://www.experts-exchange.com/Security/Firewalls/Q_21817139.html
and here is my second request to get our own VPN users to be routable to that HO via the main VPN http://www.experts-exchange.com/Security/Firewalls/Q_21830532.html

Well, it seems that on this version of the PIX 506e I cannot do an IPSec tunnel "U-turn". So I then remembered that I had a PIX 501 lying around. So I figured I could just set that up and offload my Dallas VPN users to the PIX 501 and satisfy my needs. Well, this is turning into somewhat of a complex deal here. So I would like to get some help to see if I am going about this in the right direction, or if I should break down and buy a router (at least a 515E or something more)?

I have the following setup so far, and it is working:

                                          VPN  (DFW VPN tunnel going to the 506e 10.1.5.0 subnet)
                                            |
LA Calf Office---PIX (501)----internet------DFW PIX (506e)-----Inside (10.1.1.0 Subnet)
(192.168.1.0 Subnet)


So what I would like to accomplish is this


                                          VPN  (DFW VPN tunnel going to the 501 10.1.6.0 subnet)
                                            |
LA Calf Office---PIX (501)----internet------DFW PIX (506e)-----Inside (10.1.1.1 inside interface)
(192.168.1.0 Subnet)              |
                                             ------------DFW PIX2 (501)-----Inside (10.1.1.2 inside interface)
 
Have a dedicated VPN to VPN from the 506e (DFW) to the 501 (LA Calf). Already set up and working; see past posts for the configs and the help I got.
Have DFW VPN users connect now to the PIX2 501 and get a 10.1.6.0 subnet.
Have a static route setup to allow the DFW VPN users go from 10.1.6.0 to the 192.168.1.0 subnet out via the 506e.

I hope that this is possible! I am also currently having trouble with moving the DFW VPN users over to the PIX2 VPN, so I am including the current config for it.
I hope that this will work out so I don't have to buy more equipment.


Current config for DFW PIX2 501

7:27 PM 5/13/2006

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Apasswordhere encrypted
passwd Apasswordhere encrypted
hostname tx-fw2
domain-name TX.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.1.30 DFW
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.1.6.0 255.255.255.0
access-list inside_access_in permit ip any any
access-list outside_in permit tcp 10.1.6.0 255.255.255.0 A.B.C.0 255.255.255.0
access-list split permit ip 10.1.1.0 255.255.255.0 10.1.6.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside A.B.C.30 255.255.255.248
ip address inside 10.1.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-Pool 10.1.6.70-10.1.6.254
pdm location DFW 255.255.255.255 inside
pdm location 10.1.6.0 255.255.255.0 inside
pdm location 10.1.6.0 255.255.255.0 outside
pdm location 10.1.1.0 255.255.255.0 outside
pdm location 10.1.5.0 255.255.255.0 inside
pdm location 10.1.5.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 A.B.C.29
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 A.B.C.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host DFW PasswordHere timeout 5
http server enable
http 10.1.1.0 255.255.255.0 inside
http 10.1.6.0 255.255.255.0 inside
http 10.1.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto dynamic-map dynmap 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup TX-VPN address-pool VPN-Pool
vpngroup TX-VPN dns-server DFW DFW
vpngroup TX-VPN wins-server DFW DFW
vpngroup TX-VPN default-domain TX.local
vpngroup TX-VPN split-tunnel split
vpngroup TX-VPN pfs
vpngroup TX-VPN idle-time 1800
vpngroup TX-VPN password ********
telnet 10.1.1.0 255.255.255.0 inside
telnet 10.1.6.0 255.255.255.0 inside
telnet 10.1.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username plamont password PasswordHere encrypted privilege 15
username dholcombe password PasswordHere encrypted privilege 15
vpnclient server 10.1.1.2
vpnclient mode client-mode
vpnclient vpngroup TX-VPN password ********
terminal width 80
Cryptochecksum:5c19edb3a7da5d32c7d77fa4d8c53668
: end
[OK]
Asked by Douglas_H

stressedout2004 Commented:
Ok, what you have in mind is possible. In fact, a very good workaround. But before anything, let's get the VPN client to work on this PIX 501 and then we will pick up the rest. For the configuration of the VPN client, run the following commands on the PIX 501:

no vpnclient server
no vpnclient mode
no vpnclient vpngroup TX-VPN
no vpnclient enable
no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
no crypto dynamic-map dynmap 20 set transform-set myset
no crypto map mymap 10 ipsec-isakmp dynamic dynmap
no crypto map mymap client authentication partnerauth
no vpngroup TX-VPN pfs
no access-group outside_in in interface outside
no access-list outside_in permit tcp 10.1.6.0 255.255.255.0 A.B.C.0 255.255.255.0
no access-list inside_access_in permit ip any any

If the VPN Client still does not connect after the above changes, run the following debugs and post the output:

debug crypto isa
debug crypto ipsec
term mon
Douglas_H (Author) Commented:
OK, thanks so far for delving into this! I did as you said and got rid of those commands. Now I am able to connect but not getting to the 10.1.1.x network. Tried to ping the local server at 10.1.1.30 and no replies back. I wasn't able to do those last three debug commands from the PDM. Maybe I need to telnet in, but I'm not sure what I need to do to set up telnet?
I feel that there is still a route or access-list command missing for the rest of this.
So here is the route print from my machine and the new running config.

C:\>route print
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.123.1  192.168.123.106      10
         10.0.0.0        255.0.0.0        10.1.6.70       10.1.6.70       20
         10.1.1.0    255.255.255.0        10.1.6.70       10.1.6.70       1
        10.1.6.70  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255        10.1.6.70       10.1.6.70       20
      A.B.C.30  255.255.255.255    192.168.123.1  192.168.123.106      1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.123.0    255.255.255.0  192.168.123.106  192.168.123.106      10
    192.168.123.1  255.255.255.255  192.168.123.106  192.168.123.106      1
  192.168.123.106  255.255.255.255        127.0.0.1       127.0.0.1       10
  192.168.123.255  255.255.255.255  192.168.123.106  192.168.123.106      10
        224.0.0.0        240.0.0.0        10.1.6.70       10.1.6.70       20
        224.0.0.0        240.0.0.0  192.168.123.106  192.168.123.106      10
  255.255.255.255  255.255.255.255        10.1.6.70       10.1.6.70       1
  255.255.255.255  255.255.255.255  192.168.123.106           10005       1
  255.255.255.255  255.255.255.255  192.168.123.106  192.168.123.106      1
  255.255.255.255  255.255.255.255  192.168.123.106               2       1
Default Gateway:     192.168.123.1
===========================================================================
Persistent Routes:
  None


TX-FW2 running config

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password APasswordHere encrypted
passwd APasswordHere encrypted
hostname tx-fw2
domain-name Domain.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.1.30 DFW
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.1.6.0 255.255.255.0
access-list split permit ip 10.1.1.0 255.255.255.0 10.1.6.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside A.B.C.30 255.255.255.248
ip address inside 10.1.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-Pool 10.1.6.70-10.1.6.254
pdm location DFW 255.255.255.255 inside
pdm location 10.1.6.0 255.255.255.0 inside
pdm location 10.1.6.0 255.255.255.0 outside
pdm location 10.1.1.0 255.255.255.0 outside
pdm location 10.1.5.0 255.255.255.0 inside
pdm location 10.1.5.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 A.B.C.29
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 A.B.C.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host DFW BMLLCTX timeout 5
http server enable
http 10.1.1.0 255.255.255.0 inside
http 10.1.6.0 255.255.255.0 inside
http 10.1.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup TX-VPN address-pool VPN-Pool
vpngroup TX-VPN dns-server DFW DFW
vpngroup TX-VPN wins-server DFW DFW
vpngroup TX-VPN default-domain domain.local
vpngroup TX-VPN split-tunnel split
vpngroup TX-VPN idle-time 1800
vpngroup TX-VPN password ********
telnet 10.1.1.0 255.255.255.0 inside
telnet 10.1.6.0 255.255.255.0 inside
telnet 10.1.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username plamont password APasswordHere encrypted privilege 15
username dholcombe password APasswordHere encrypted privilege 15
vpnclient vpngroup TX-VPN password ********
terminal width 80
Cryptochecksum:a61a7882cb4ad7d73fb4b185fded51a5
: end
[OK]
stressedout2004 Commented:
Ok, now that the VPN client is connecting, it's time to pick up the rest. And as you have guessed, the other piece of the puzzle is routing.

From your previous post, you have the following topology:

                                          VPN  (DFW VPN tunnel going to the 501 10.1.6.0 subnet)
                                            |
LA Calf Office---PIX (501)----internet------DFW PIX (506e)-----Inside (10.1.1.1 inside interface)
(192.168.1.0 Subnet)              |
                                             ------------DFW PIX2 (501)-----Inside (10.1.1.2 inside interface)

So as you can see, the DFW PIX 506e and the DFW PIX 501 inside interfaces are both on the 10.1.1.0/24 subnet, and the hosts behind these two PIXes will only have *one* default gateway. Now, it makes more sense for the PIX 506e to be the internet gateway for the internal network since it is more capable than the PIX 501. So I am assuming that you have 10.1.1.1 as the default gateway for the 10.1.1.0/24 subnet (do correct me if I am wrong). With that said, what happens if the VPN client connects to DFW PIX2, gets assigned an address from the 10.1.6.0/24 pool and then tries to ping host 10.1.1.30? Simple: 10.1.1.30 receives the ICMP request and replies to it, but it sends the reply to its default gateway, which is the PIX 506e and not the PIX 501. The PIX 506e will simply drop it. The only way around it without adding a router or building a server that will act as a router is to **add a persistent route** on **each and every host** that the VPN client needs to talk to.

To add a route on a Windows machine, just do:

route add -p 10.1.6.0 mask 255.255.255.0 10.1.1.2



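As an added illustration (not part of the thread), the following Python model traces the echo reply from 10.1.1.30 through the three routing tables the answer describes, before and after the persistent host route. It goes one step beyond the answer by also showing why a `route inside 10.1.6.0` on the 506e alone would not help on PIX 6.3, which does not send a packet back out the interface it arrived on (the "U-turn" limitation the question mentions). The node addresses, the hairpin rule and the per-node tables are assumptions drawn from the thread's topology.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not from the
# thread). Assumed, as the answer does: hosts on 10.1.1.0/24 point their
# default gateway at the 506e (10.1.1.1); PIX 6.3 will not forward a packet
# back out the interface it arrived on (no "U-turn").
N = ipaddress.ip_network
HOST = "10.1.1.30"
PIX_506E, PIX_501 = "10.1.1.1", "10.1.1.2"
VPN_POOL = N("10.1.6.0/24")

# Per-node routing tables: list of (prefix, action). Actions:
#   ("forward", next_hop)  hand the packet to another node on 10.1.1.0/24
#   ("tunnel",)            encrypt into an IPsec SA this PIX owns
#   ("internet",)          send to the upstream default gateway, unencrypted
def tables(host_persistent_route=False, pix506e_route_to_pool=False):
    host = [(N("0.0.0.0/0"), ("forward", PIX_506E))]
    if host_persistent_route:   # route add -p 10.1.6.0 mask 255.255.255.0 10.1.1.2
        host.append((VPN_POOL, ("forward", PIX_501)))
    pix506e = [(N("192.168.1.0/24"), ("tunnel",)),   # site-to-site to LA
               (N("0.0.0.0/0"), ("internet",))]
    if pix506e_route_to_pool:   # route inside 10.1.6.0 255.255.255.0 10.1.1.2
        pix506e.append((VPN_POOL, ("forward", PIX_501)))
    pix501 = [(VPN_POOL, ("tunnel",)),               # dynamic map to VPN clients
              (N("0.0.0.0/0"), ("internet",))]
    return {HOST: host, PIX_506E: pix506e, PIX_501: pix501}

def lookup(table, dst):
    """Longest-prefix match, the same rule Windows 'route print' applies."""
    dst = ipaddress.ip_address(dst)
    matches = [(p, a) for p, a in table if dst in p]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else ("drop",)

def trace_reply(client_ip, **kw):
    """Follow the echo reply 10.1.1.30 sends to a VPN client hop by hop.
    Returns (hops, outcome). A private destination handed to the internet
    is unroutable, so it is reported as dropped, as the answer describes."""
    tbls, node, hops = tables(**kw), HOST, [HOST]
    for _ in range(4):                                 # TTL guard
        action = lookup(tbls[node], client_ip)
        if action[0] == "forward":
            if node != HOST:  # a PIX 6.3 forwarding back out 'inside': hairpin
                return hops, "dropped at %s (same-interface U-turn)" % node
            node = action[1]
            hops.append(node)
            continue
        if action[0] == "tunnel":
            return hops, "delivered via %s tunnel" % node
        return hops, "dropped at %s" % node
    return hops, "loop"

if __name__ == "__main__":
    for kw in ({}, {"pix506e_route_to_pool": True}, {"host_persistent_route": True}):
        print(kw, trace_reply("10.1.6.71", **kw))
```

Only the third run delivers the reply; the first two show the two ways the packet dies at the 506e.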
stressedout2004 Commented:
In addition, you have to add the following configuration to allow the VPN client connecting to the DFW PIX 501 access to the LA office (192.168.1.0) via the PIX 506e site-to-site connection. Don't add this until you can access the 10.1.1.0/24 network from the VPN client. It makes troubleshooting easier.


PIX 506e

access-list inside_outbound_nat0_acl permit ip 10.1.6.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 170 permit ip 10.1.6.0 255.255.255.0 192.168.1.0 255.255.255.0
route inside 10.1.6.0 255.255.255.0 10.1.1.2

PIX2 (501)

access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list split permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
route inside 192.168.1.0 255.255.255.0 10.1.1.1

LA Calf Office---PIX (501)

access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list 170 permit ip 192.168.1.0 255.255.255.0 10.1.6.0 255.255.255.0



stressedout2004 Commented:
BTW, telnet is already enabled on the DFW 501.

telnet 10.1.1.0 255.255.255.0 inside

So from a host on the 10.1.1.0/24 network, you should be able to telnet into the PIX inside interface.

C:\>telnet 10.1.1.2

Douglas_H (Author) Commented:
OK, now we are cooking here! So I put the persistent route command on the server and now I can see my local server! So now I have put the other commands into the three PIXes with no errors. I try from my VPN connection to ping 192.168.1.8 and don't get anything back. However, when I jump on to the PDM for the 501 I can ping it and get replies back. So I know that the routes are set up so far. Now what I feel is that there needs to be a route added to the VPN client to allow for the 192.168.1.0 subnet to be routed through the VPN. Here is my current route print

===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.123.1  192.168.123.106      10
         10.0.0.0        255.0.0.0        10.1.6.71       10.1.6.71       20
         10.1.1.0    255.255.255.0        10.1.6.71       10.1.6.71       1
         10.1.6.0    255.255.255.0         10.1.1.2       10.1.6.71       1
        10.1.6.71  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255        10.1.6.71       10.1.6.71       20
      69.15.68.30  255.255.255.255    192.168.123.1  192.168.123.106      1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.123.0    255.255.255.0  192.168.123.106  192.168.123.106      10
    192.168.123.1  255.255.255.255  192.168.123.106  192.168.123.106      1
  192.168.123.106  255.255.255.255        127.0.0.1       127.0.0.1       10
  192.168.123.255  255.255.255.255  192.168.123.106  192.168.123.106      10
        224.0.0.0        240.0.0.0        10.1.6.71       10.1.6.71       20
        224.0.0.0        240.0.0.0  192.168.123.106  192.168.123.106      10
  255.255.255.255  255.255.255.255        10.1.6.71               2       1
  255.255.255.255  255.255.255.255        10.1.6.71           10005       1
  255.255.255.255  255.255.255.255        10.1.6.71       10.1.6.71       1
  255.255.255.255  255.255.255.255  192.168.123.106  192.168.123.106      1
Default Gateway:     192.168.123.1
===========================================================================
Persistent Routes:


stressedout2004 Commented:
Nope, you don't need any routes on the VPN client itself. I actually messed up and mixed up the command I gave you. I apologize for that.

Make the following changes on the DFW PIX 501:

no access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
no access-list split permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list split permit ip 192.168.1.0 255.255.255.0 10.1.6.0 255.255.255.0






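The direction correction above can be checked mechanically. As an added example (not the thread's own config or any vendor tool), this Python lint reads a PIX 6.3 style config, derives the client pool prefix from the `ip local pool` line, and flags any entry in the nat 0 or split-tunnel ACL whose destination is not that pool; the sample config is constructed from the lines in this thread, and the rule it applies is the one the answer uses.

```python
import ipaddress
import re

# Constructed PIX 6.3 style snippet built from the lines in this thread
# (added example, not the thread's own config). Assumed rule, as the answer
# applies it: on the PIX that terminates the VPN clients, every nat 0 and
# split-tunnel ACL entry names the client pool as its DESTINATION and the
# network reachable through the PIX as its SOURCE.
WRONG = """\
ip local pool VPN-Pool 10.1.6.70-10.1.6.254
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list split permit ip 10.1.1.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list split permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup TX-VPN split-tunnel split
"""
# The correction from the answer: the reversed entries swapped around.
FIXED = WRONG.replace("10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0",
                      "192.168.1.0 255.255.255.0 10.1.6.0 255.255.255.0")

ACL_RE = re.compile(r"^access-list (\S+) permit ip (any|\S+ \S+) (any|\S+ \S+)$", re.M)
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)$", re.M)

def to_net(tok):
    """'any' or 'addr mask' -> ip_network."""
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = tok.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def pool_network(cfg):
    """Smallest prefix covering the 'ip local pool' range (10.1.6.0/24 here)."""
    lo, hi = map(ipaddress.ip_address, POOL_RE.search(cfg).groups())
    for plen in range(32, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{plen}", strict=False)
        if hi in net:
            return net

def acl_entries(cfg, name):
    """(src, dst) networks of every 'permit ip' line in the named ACL."""
    return [(to_net(m.group(2)), to_net(m.group(3)))
            for m in ACL_RE.finditer(cfg) if m.group(1) == name]

def vpn_acl_names(cfg):
    """ACLs bound to nat 0 and to a vpngroup split-tunnel."""
    return (re.findall(r"^nat \(inside\) 0 access-list (\S+)$", cfg, re.M)
            + re.findall(r"^vpngroup \S+ split-tunnel (\S+)$", cfg, re.M))

def lint(cfg):
    """Entries whose destination is not the client pool, as 'name: src -> dst'."""
    pool = pool_network(cfg)
    return [f"{name}: {src} -> {dst} (destination should be {pool})"
            for name in vpn_acl_names(cfg)
            for src, dst in acl_entries(cfg, name)
            if not dst.subnet_of(pool)]

if __name__ == "__main__":
    print("\n".join(lint(WRONG)) or "no problems")   # the two reversed entries
    print(lint(FIXED))                                # []
```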