Solved

Cisco VPN Traffic stats show data coming in, but no data being sent

Posted on 2006-06-14
Last Modified: 2013-11-16
Group,
Wanted to ask you a quick question. I have been doing some work for a client on a Pix506 FW, and I have been working on installing and getting the VPN portion up and running. I have been able to connect the VPN client (4.6) to the FW; however, in the stats you can see that data is being received, but nothing is being sent. I have included the config below; any help would be appreciated.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security 100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ExhibitPix
domain-name domain.net
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol s
fixup protocol tftp 69
names
access-list outside_access_in remark Rule For SMTP
access-list outside_access_in permit tcp any host 72.242.110.162 eq smtp
access-list outside_access_in remark Rule For POP3
access-list outside_access_in permit tcp any host 72.242.110.162 eq pop3
access-list outside_access_in remark Rules For Handling ICMP Traffic
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in remark Traffic For FTP
access-list outside_access_in permit tcp any host 72.242.
access-list outside_access_in remark Rules For WWW
access-list outside_access_in permit tcp any host 72.242.110.162 eq www
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 remark Rule For IP Address For VPN Client
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 remark Additional Rule For VPN Pool
no pager
logging on
logging timestamp
logging trap informational
logging history warnings
logging host inside 192.168.1.2
mtu outside 1500
mtu inside 1500
ip address outside 72.242.110.xxx 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.1-192.168.2.50
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.
static (inside,outside) tcp 72.242.110.xxx smtp 192.168.1.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 72.242.110.xxx pop3 192.168.1.3 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 72.242.110.xxx www 192.168.1.3 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 72.242.110.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
snmp-server location Tampa, Florida
snmp-server contact Mecca Media
snmp-server community
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map IRE 10 set transform-set CLIENT
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup exhibitnet address-pool ippool
vpngroup exhibitnet dns-server 192.168.1.2
vpngroup exhibitnet wins-server 192.168.1.2
vpngroup exhibitnet default-domain exhibitservices.net
vpngroup exhibitnet idle-time 1800
vpngroup exhibitnet password ********
vpngroup default-domain idle-time 1800
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c447fde94494deb068aace068fa59359
: end
ExhibitPix(config)#
Question by: blakmoon91

Assisted Solution

by: rsivanandan
rsivanandan earned 150 total points
Add these:

access-list split permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

vpngroup exhibitnet split-tunnel split

Cheers,
Rajesh

Author Comment

by: blakmoon91
Rajesh,
Thanks so much for the quick reply, I just had a follow-up question. I am testing the VPN and now under route details I see a route being translated instead of 0.0.0.0 0.0.0.0, so I think that is good. I also noticed, though, that when I establish a connection and do an ipconfig /all on my computer, I do have an IP address of 2.1 and it does see the DNS and WINS servers correctly; however, there is no default gateway listed. Also, I am not receiving any packets. Is this because we have specified the default-domain as exhibitservices, and my computer is on a different domain? Is there a way to disable this so that I can test this out? Your thoughts? Thanks again!!!
 
Expert Comment

by: rsivanandan
Hmm, I'm not quite sure about that. How about removing it and trying whether it works?

Cheers,
Rajesh

Accepted Solution

by: stressedout2004
stressedout2004 earned 150 total points
>>>>Is this because we have specified the default-domain as exhibitservices, and my computer is on a differnet domain? Is there a way to disable this so that I can test this out? Your thoughts? Thanks again!!!

No, the default domain has nothing to do with it. Just add the following on the PIX:

isakmp nat-t

Then try the connection again.

If it still doesn't work, turn on the following debug on the PIX:

debug icmp trace
term mon

Then try to ping any host behind the PIX from the PC connected to the VPN. Check if the PIX is getting any packets.

Author Comment

by: blakmoon91
Guys, thanks so much for the help, both of you. I thought splitting the points would be fair. Stressed, if you could explain, just for my own knowledge, what the nat-t switch does in conjunction with isakmp, I would appreciate it.

Expert Comment

by: stressedout2004
It has something to do with allowing encrypted traffic to pass through UDP 4500 instead of protocol ESP to get around the PAT restriction. When a VPN Client user's public IP is a PAT IP (port address translation), meaning a shared public IP, and the traffic is passing over the tunnel using ESP, the traffic gets dropped because the PAT device has no way of mapping ESP, which is portless. So the common symptom is that you can connect with the VPN Client but cannot pass any traffic. To get around that, UDP NAT transparency was introduced to allow traffic from a VPN client that is PATed to use UDP 4500 instead of ESP when passing traffic over the tunnel. Since UDP has ports, the PAT device will have no problem mapping the traffic.
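The mechanism stressedout2004 describes, as an added Python example that is not code from this thread or from Cisco: a toy PAT gateway whose translation table can only be keyed on a layer-4 port, raw ESP (IP protocol 50) versus the RFC 3948 UDP 4500 encapsulation that NAT-T switches to, and, going one step beyond the comment, the RFC 3947 NAT-D hash the two IKE peers exchange to discover that a NAT sits between them in the first place (the negotiation that isakmp nat-t turns on in the PIX). The public and PIX addresses, the IKE cookies and the two simulated clients are all constructed for the example.

```python
"""Toy model of ESP through a PAT gateway, with and without NAT-T (UDP 4500).
Added example for this thread, not code from the posts or from Cisco; all
addresses, IKE cookies and the two simulated clients are constructed."""
import hashlib
import ipaddress
import struct

PROTO_UDP = 17
PROTO_ESP = 50
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP 4500 is prefixed with 4 zero bytes


class PatGateway:
    """Many inside hosts behind one public IP. The translation table is keyed on
    (protocol, inside IP, inside port); ESP has no port, so this model drops it.
    (Real gateways sometimes pass one ESP flow by tracking SPIs, but still cannot
    tell several inside IPsec peers apart.)"""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.outbound = {}  # (proto, inside ip, inside port) -> public port
        self.inbound = {}   # (proto, public port) -> (inside ip, inside port)

    def translate_out(self, pkt):
        if pkt["proto"] == PROTO_ESP:
            return None  # nothing to key a mapping on: packet dropped
        key = (pkt["proto"], pkt["src"], pkt["sport"])
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[(pkt["proto"], self.next_port)] = (pkt["src"], pkt["sport"])
            self.next_port += 1
        return dict(pkt, src=self.public_ip, sport=self.outbound[key])

    def translate_in(self, pkt):
        if pkt["proto"] == PROTO_ESP:
            return None  # no port to look up: reply is lost
        entry = self.inbound.get((pkt["proto"], pkt["dport"]))
        return None if entry is None else dict(pkt, dst=entry[0], dport=entry[1])


def esp_packet(spi, seq, ciphertext):
    """Raw ESP (IP protocol 50): SPI, sequence number, encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def nat_t_encapsulate(esp, src, dst):
    """RFC 3948 UDP-encapsulated ESP: the ESP packet rides as a UDP 4500 payload."""
    return {"proto": PROTO_UDP, "src": src, "dst": dst,
            "sport": NAT_T_PORT, "dport": NAT_T_PORT, "payload": esp}


def classify_udp4500(payload):
    """Demultiplex UDP 4500: IKE carries the zero marker, ESP never uses SPI 0."""
    if payload.startswith(NON_ESP_MARKER):
        return "ike", payload[len(NON_ESP_MARKER):]
    spi, seq = struct.unpack("!II", payload[:8])
    return "esp", {"spi": spi, "seq": seq, "data": payload[8:]}


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="md5"):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port), using the phase-1
    hash (md5 in the posted config). Each side hashes the address it believes it has."""
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port))
    return h.digest()


def peer_behind_nat(cky_i, cky_r, claimed, observed_ip, observed_port, hash_name="md5"):
    """Responder side: rehash the source it actually received the IKE packet from.
    A mismatch means a NAT rewrote it, and both peers float to UDP 4500."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port, hash_name) != claimed


def simulate(clients, use_nat_t):
    """Each client sends one encrypted packet to the PIX via the PAT gateway and the
    PIX answers. Returns the clients whose reply came back to the right host."""
    gw = PatGateway("203.0.113.10")  # constructed public address of the PAT device
    pix = "198.51.100.1"             # constructed outside address of the PIX
    delivered = []
    for i, client in enumerate(clients, start=1):
        esp = esp_packet(0x1000 + i, 1, b"\xaa" * 16)
        if use_nat_t:
            pkt = nat_t_encapsulate(esp, client, pix)
        else:
            pkt = {"proto": PROTO_ESP, "src": client, "dst": pix, "payload": esp}
        seen_by_pix = gw.translate_out(pkt)
        if seen_by_pix is None or classify_udp4500(seen_by_pix["payload"])[0] != "esp":
            continue
        # The PIX replies to the (public IP, mapped port) it saw, which PAT maps back.
        reply = {"proto": seen_by_pix["proto"], "src": pix, "dst": seen_by_pix["src"],
                 "sport": seen_by_pix["dport"], "dport": seen_by_pix["sport"],
                 "payload": esp_packet(0x2000 + i, 1, b"\xbb" * 16)}
        back = gw.translate_in(reply)
        if back is not None and back["dst"] == client:
            delivered.append(client)
    return delivered
```

Without NAT-T neither simulated client gets a reply, because the gateway has no field on which to build a mapping for ESP; with NAT-T both clients' packets leave on distinct mapped ports and the PIX's replies are translated back to the right host. The NAT-D functions model why the PIX has to be told to negotiate NAT-T at all: the hash the client sends covers its private address and port, and the PIX recomputes it over the source it actually sees, so a NAT in the path shows up as a mismatch.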
