Solved

IPSEC Tunnel Traffic through PIX 515 firewall

Posted on 2006-05-22
Last Modified: 2013-11-16
I have a Cisco 1721 router behind my Cisco Pix 515 firewall that is to be used for VPN connectivity to another office.  The only instructions I have been given are access list requirements to allow IPSEC tunnel traffic from the VPN router through my firewall.  I've added the access list requirements but I cannot connect to the other office.  I have searched through configs and have seen entries to configure IPSEC but I am not sure of what I need for a basic configuration.  Any help would be greatly appreciated.  
Question by:rogue028
11 Comments
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16735171
For PIX version 6.3 or lower, you need to have the following:

a) static one-to-one NAT for the Cisco 1721 router.
b) access-list allowing UDP 500, ESP and/or AH
c) access-group applied on the outside interface of the PIX.

e.g.

static (inside, outside) 1.1.1.1 192.168.0.1 netmask 255.255.255.255
access-list acl_out permit udp any host 1.1.1.1 eq 500
access-list acl_out permit esp any host 1.1.1.1
access-list acl_out permit ah any host 1.1.1.1
access-group acl_out in interface outside

where 192.168.0.1 is the private IP of the router and 1.1.1.1 is the public IP assigned

For PIX version 7.x, if you are running NAT-control mode then you need the same commands as above. If you are running no nat-control and the router has a public IP address directly assigned to the interface, then all you need is an access-list then apply the rule using an access-group command.


Author Comment

by:rogue028
ID: 16742622
Thanks, I've added the entries with the appropriate ip addresses but now when I do a tracert I'm timing out at another router.   I'm set up as follows.  
Internet -->> Internet Router Cisco 1721 -->> Pix 515 -->> Cisco 3700 Router connecting different offices via PTP -->> VPN Router.   When I run the tracert I'm timing out at the 3700.  I do not have any access rule set in this device.   How can I get the VPN traffic to pass from this router to my PIX?  I thought the problem was in my Pix but I'm not even getting to my Pix.  
LVL 9

Expert Comment

by:stressedout2004
ID: 16743817
OK, let's step back a little, I am a little confused by your topology. First, I thought the Cisco 1721 is behind the PIX? From your diagram it looks like it's in front. Secondly, just to make sure we are on the same page, we are talking about the IPSEC type of VPN, not PPTP or L2TP, right?

 If the 3700 router does not have *any* type of access-rule then all it should do is route the traffic to the PIX. You don't have any sort of NAT configured on the 3700, do you?

Will you be able to post a sanitized config of the 3700 and the 1721?

Author Comment

by:rogue028
ID: 16744165
Sorry for the confusion.  The Internet Router is a Cisco 1721 and the VPN router on the backside is also a Cisco 1721 router behind my Pix.  Yes, the IPSEC type of VPN is what I've been requested to add.  I have posted the 3700 router's sanitized config.  I do not have access to the VPN Cisco 1721 router - it belongs to a vendor.  All I was given was a worksheet telling me what to add to "make it work".  
show running
Building configuration...

Current configuration : 6308 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname 3700router
!
boot-start-marker
boot-end-marker
!

ip subnet-zero
!
!
ip cef
no ip domain lookup
ip dhcp excluded-address 10.1.1.1 10.1.1.50
!
ip dhcp pool DHCP_Pool
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.254
   netbios-name-server 10.1.1.4
   dns-server xxx.xxx.xxx.xxx  xxx.xxx.xxx.xxx

!

!
class-map match-all Control
  match ip dscp af31
class-map match-all media
  match ip dscp ef
!
!
policy-map DSCP_TO_COS
  class media
   set cos 5
  class Control
   set cos 3
policy-map LLQ
  class media
   priority 256
  class Control
   priority 24
!
interface FastEthernet0/0
 description Connected to LAN
 ip address 10.1.1.254 255.255.255.0
 ip helper-address 10.1.1.4
 ip directed-broadcast
 duplex auto
 speed auto
!
interface Serial0/0
 description PtP T1 to N Office
 ip address 10.1.254.253 255.255.255.252
 ip directed-broadcast
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 description PtP T1 to S office
 ip address 10.1.254.249 255.255.255.252
 ip directed-broadcast
!
interface Serial0/2
 no ip address
 ip directed-broadcast
 shutdown
!
!
interface Serial2/0
 ip address 10.1.254.242 255.255.255.252
 service-policy output LLQ
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
!
interface Serial2/1
 ip address 10.254.254.245 255.255.255.252
 service-policy output LLQ
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
!

!
router eigrp 1
 redistribute connected
 redistribute static
 network 10.0.0.0
 no auto-summary
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.253
ip route 10.1.2.0 255.255.255.0 10.254.254.246
ip route 10.1.8.0 255.255.255.0 10.1.8.254
!
!



10.1.1.253 is the inside address of Pix firewall
LVL 9

Expert Comment

by:stressedout2004
ID: 16746997
Ok, do you know what IP address (internal) the 1721 VPN router is going to be coming from? Meaning, what IP address is assigned to it internally.

And where does this route go?

ip route 10.1.8.0 255.255.255.0 10.1.8.254

10.1.8.254 is not local to the 3700 router so that 2nd route is invalid. But anyway, it won't be an issue if the 1721 VPN router is not from the 10.1.8.0/24 subnet.

Author Comment

by:rogue028
ID: 16747806
The VPN Cisco 1721 router's internal address is 10.1.1.249.  
LVL 9

Expert Comment

by:stressedout2004
ID: 16748072
Ok, here are some of the things that you can do:

1) First, on the 1721 VPN router, make sure that the default gateway is pointed to the 3700 router (10.1.1.254). If the gateway is pointed to a different IP, then you must have a *static* route for the remote VPN peer's IP address pointing back to the 3700.

2) On the PIX, verify that you have configured the correct static statements and access-list. For troubleshooting purposes, add a temporary access-list entry on the existing access-rule applied on the outside interface of the PIX that will allow you to pass icmp traffic and traceroutes. By default it's blocked.

e.g.

access-list acl_out permit icmp any any
clear xlate

3) Once you have added the access-list like the one above, we need to test whether the translation on the PIX is working. From the 1721 VPN router, try to see if you can ping any internet IP address like 4.2.2.2 ( assuming that the 1721 VPN router has no access-rules configured on it that will prevent ping from going through).

Let me know the result of #3. If you have the sanitized PIX config handy, post it as it will help a lot.



Author Comment

by:rogue028
ID: 16751913
I will test today and let you know the results.  I will also send a "sanitized" copy of the pix config.  I appreciate all of the assistance, and your patience.  

Author Comment

by:rogue028
ID: 16762198
Pix "sanitized version"  

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name whocares.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list intraffic permit tcp host 61.219.2.3 host 69.219.100.8 eq pcanywhere-data
access-list intraffic permit tcp host 61.219.2.3 host 69.219.100.16 eq pcanywhere-data
access-list intraffic permit udp host 61.219.2.3 host 69.219.100.16 eq 5631
access-list intraffic permit udp host 61.219.2.3 host 69.219.100.8 eq 5631
access-list intraffic permit tcp host 61.219.2.3 host 69.219.100.16 eq 7572
access-list intraffic permit tcp host 61.219.2.3 host 69.219.100.8 eq 7572
access-list intraffic permit tcp host 61.219.2.3 host 69.219.100.8 eq 7505
access-list intraffic permit udp host 61.219.2.3 host 69.219.100.8 eq 7505
access-list intraffic permit udp host 61.219.2.3 host 69.219.100.16 eq 7505
access-list intraffic permit icmp any host 69.219.100.15 echo
access-list intraffic permit icmp any host 69.219.100.15 echo-reply
access-list intraffic permit icmp any host 69.219.100.15 source-quench
access-list intraffic permit icmp any host 69.219.100.15 unreachable
access-list intraffic permit icmp any host 69.219.100.15 time-exceeded
access-list intraffic permit udp host 69.219.100.15 host 199.200.223.10 eq isakmp
access-list intraffic permit udp host 69.219.100.15 host 199.200.255.10 eq isakmp
access-list intraffic permit esp host 69.219.100.15 host 199.200.223.10
access-list intraffic permit esp host 69.219.100.15 host 199.200.255.10
access-list intraffic permit esp host 199.200.223.10 host 69.219.100.15
access-list intraffic permit esp host 199.200.255.10 host 69.219.100.15
access-list intraffic permit icmp host 69.219.100.15 host 12.201.207.103 echo
access-list intraffic permit icmp host 69.219.100.15 host 63.204.123.101 echo
access-list intraffic permit icmp host 69.219.100.15 host 63.204.107.213 echo
access-list intraffic permit icmp host 69.219.100.15 host 206.15.221.6 echo
access-list intraffic permit ip host 69.219.100.15 host 199.200.223.10
access-list intraffic permit ip host 69.219.100.15 host 199.200.255.10
access-list intraffic permit ip host 199.200.223.10 host 69.219.100.15
access-list intraffic permit ip host 199.200.255.10 host 69.219.100.15
pager lines 24
logging on
logging timestamp
logging standby
logging trap critical
logging host inside 10.1.1.7
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 64.211.11.10 255.255.255.224
ip address inside 10.1.1.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.2.0 255.255.255.0 inside
pdm location 10.1.3.0 255.255.255.0 inside
pdm location 10.1.4.0 255.255.255.0 inside
pdm location 10.1.5.0 255.255.255.0 inside
pdm location 10.1.6.0 255.255.255.0 inside
pdm location 10.1.0.0 255.255.0.0 inside
pdm location 61.219.2.3 255.255.255.255 outside
pdm location 10.1.1.5 255.255.255.255 inside
pdm location 10.1.1.70 255.255.255.254 outside
pdm location 10.1.7.0 255.255.255.0 outside
pdm location 10.1.8.0 255.255.255.0 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.249 255.255.255.255 inside
pdm location 10.1.1.97 255.255.255.255 outside
pdm location 10.1.1.98 255.255.255.255 outside
pdm location 10.1.1.99 255.255.255.255 outside
pdm location 10.1.1.249 255.255.255.255 outside
pdm location 12.201.207.103 255.255.255.255 outside
pdm logging notifications 500
pdm history enable
arp timeout 14400
global (outside) 1 69.219.100.222
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 69.219.100.8 10.1.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 69.219.100.16 10.1.1.8 netmask 255.255.255.255 0 0
static (inside,outside) 69.219.100.15 10.1.1.249 netmask 255.255.255.255 0 0
access-group intraffic in interface outside
route outside 0.0.0.0 0.0.0.0 64.211.11.194 1
route inside 10.1.2.0 255.255.255.0 10.1.1.254 1
route inside 10.1.3.0 255.255.255.0 10.1.1.254 1
route inside 10.1.4.0 255.255.255.0 10.1.1.254 1
route inside 10.1.5.0 255.255.255.0 10.1.1.254 1
route inside 10.1.6.0 255.255.255.0 10.1.1.254 1
route inside 10.1.8.0 255.255.255.0 10.1.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server Nobody public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
no sysopt route dnat
crypto map transam 1 ipsec-isakmp
isakmp enable outside
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5

LVL 9

Accepted Solution

by:stressedout2004 (earned 500 total points)
ID: 16763524
From the PIX configuration, some of the access-list entries are incorrect. You can remove them to clean up your configuration a little bit; it's up to you. Just copy and paste the following commands and that will clean up your configuration:

no access-list intraffic permit udp host 69.219.100.15 host 199.200.223.10 eq isakmp
no access-list intraffic permit udp host 69.219.100.15 host 199.200.255.10 eq isakmp
no access-list intraffic permit esp host 69.219.100.15 host 199.200.223.10
no access-list intraffic permit esp host 69.219.100.15 host 199.200.255.10
no access-list intraffic permit icmp host 69.219.100.15 host 12.201.207.103 echo
no access-list intraffic permit icmp host 69.219.100.15 host 63.204.123.101 echo
no access-list intraffic permit icmp host 69.219.100.15 host 63.204.107.213 echo
no access-list intraffic permit icmp host 69.219.100.15 host 206.15.221.6 echo
no access-list intraffic permit ip host 69.219.100.15 host 199.200.223.10
no access-list intraffic permit ip host 69.219.100.15 host 199.200.255.10

As far as the host in question which is mapped to 69.219.100.15 publicly, you have everything that you need on the PIX.
It is just a matter of making sure that the translation you have configured for the 1721 works. Did you do the test yet?


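As an added illustration (not code from this thread, from Cisco, or from either poster), here is a small Python checker that applies stressedout2004's three requirements for IPsec pass-through on a PIX 6.x to a config: a static mapping for the inside host, inbound isakmp and ESP/AH to its public address on the ACL bound "in" on the outside interface, and no entries on that ACL whose source is one of the firewall's own mapped addresses (the dead rules the accepted answer removes). The embedded config is a constructed excerpt reusing the addresses from the posted PIX config; only host-to-host ACL entries are parsed.

```python
import re
# Constructed excerpt modelled on the PIX 6.2 config posted in this thread
# (same addresses as the post); it is not a full configuration.
SAMPLE_PIX_CONFIG = """
access-list intraffic permit udp host 69.219.100.15 host 199.200.223.10 eq isakmp
access-list intraffic permit esp host 69.219.100.15 host 199.200.223.10
access-list intraffic permit esp host 199.200.223.10 host 69.219.100.15
access-list intraffic permit ip host 199.200.223.10 host 69.219.100.15
static (inside,outside) 69.219.100.15 10.1.1.249 netmask 255.255.255.255 0 0
access-group intraffic in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) host (\S+) host (\S+)(?: eq (\S+))?$")
STATIC_RE = re.compile(r"^static \(inside,\s*outside\) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")

def parse_pix(config):
    # Returns (host-to-host ACL entries, public->private static map, outside-inbound ACL name)
    acls, statics, outside_acl = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, proto, src, dst, port = m.groups()
            acls.append({"name": name, "proto": proto, "src": src, "dst": dst, "port": port})
        elif m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)
        elif m := GROUP_RE.match(line):
            outside_acl = m.group(1)
    return acls, statics, outside_acl

def check_ipsec_passthrough(config, public_ip):
    """List what is missing or dead for IPsec pass-through to the host mapped to public_ip."""
    acls, statics, outside_acl = parse_pix(config)
    findings = []
    if public_ip not in statics:
        findings.append(f"no static NAT for {public_ip}")
    inbound = [a for a in acls if a["name"] == outside_acl]
    # The outside-inbound ACL only sees traffic arriving from the Internet, so an entry
    # whose source is one of our own mapped addresses can never match: a dead rule.
    for a in inbound:
        if a["src"] in statics:
            findings.append(f"dead rule: source {a['src']} is a local static mapping")
    to_host = [a for a in inbound if a["dst"] == public_ip]
    any_ip = any(a["proto"] == "ip" for a in to_host)  # 'permit ip' already covers everything
    has_ike = any_ip or any(a["proto"] == "udp" and a["port"] in ("isakmp", "500") for a in to_host)
    has_esp_ah = any_ip or any(a["proto"] in ("esp", "ah") for a in to_host)
    for ok, what in ((has_ike, "UDP 500 (isakmp)"), (has_esp_ah, "ESP or AH")):
        if not ok:
            findings.append(f"missing inbound {what} to {public_ip}")
    return findings
```

Running it against the sample reports the two entries sourced from 69.219.100.15 as dead rules and nothing missing, because the remaining `permit ip` and `permit esp` entries toward that address already admit the peer's IKE and ESP traffic.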

Author Comment

by:rogue028
ID: 16764167
Yes, I managed to get traffic out.  Thank you for your assistance.  