Solved

Cisco VPN Traffic stats show data coming in, but no data being sent

Posted on 2006-06-14
Last Modified: 2013-11-16
Group,
Wanted to ask you a quick question, I have been doing some work for a client on a Pix506 FW, and I have been working on installing and getting the VPN portion up and running. I have been able to connect the VPN client (4.6) to the FW, however in the stats, you can see that data is being received, however nothing is being sent. I have included the config below, any help would be appreciated.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security 100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ExhibitPix
domain-name domain.net
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol s
fixup protocol tftp 69
names
access-list outside_access_in remark Rule For SMTP
access-list outside_access_in permit tcp any host 72.242.110.162 eq smtp
access-list outside_access_in remark Rule For POP3
access-list outside_access_in permit tcp any host 72.242.110.162 eq pop3
access-list outside_access_in remark Rules For Handling ICMP Traffic
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in remark Traffic For FTP
access-list outside_access_in permit tcp any host 72.242.
access-list outside_access_in remark Rules For WWW
access-list outside_access_in permit tcp any host 72.242.110.162 eq www
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 remark Rule For IP Address For VPN Client
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 remark Additional Rule For VPN Pool
no pager
logging on
logging timestamp
logging trap informational
logging history warnings
logging host inside 192.168.1.2
mtu outside 1500
mtu inside 1500
ip address outside 72.242.110.xxx 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.1-192.168.2.50
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.
static (inside,outside) tcp 72.242.110.xxx smtp 192.168.1.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 72.242.110.xxx pop3 192.168.1.3 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 72.242.110.xxx www 192.168.1.3 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 72.242.110.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
snmp-server location Tampa, Florida
snmp-server contact Mecca Media
snmp-server community
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map IRE 10 set transform-set CLIENT
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup exhibitnet address-pool ippool
vpngroup exhibitnet dns-server 192.168.1.2
vpngroup exhibitnet wins-server 192.168.1.2
vpngroup exhibitnet default-domain exhibitservices.net
vpngroup exhibitnet idle-time 1800
vpngroup exhibitnet password ********
vpngroup default-domain idle-time 1800
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c447fde94494deb068aace068fa59359
: end
ExhibitPix(config)#
Question by:blakmoon91
6 Comments
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 150 total points
ID: 16903776
Add these;

access-list split permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

vpngroup exhibitnet split-tunnel split

Cheers,
Rajesh
 

Author Comment

by:blakmoon91
ID: 16903958
Rajesh,
Thanks so much for the quick reply, I just had a follow-up question. I am testing the VPN and now under route details I see a route being translated instead of 0.0.0.0 0.0.0.0, so I think that is good. I also noticed, though, on my computer that when I establish a connection and do an ipconfig /all on my computer, I do have an IP address of 2.1 and it does see the DNS and WINS servers correctly; however, there is no default gateway listed. Also, I am not receiving any packets. Is this because we have specified the default-domain as exhibitservices, and my computer is on a different domain? Is there a way to disable this so that I can test this out? Your thoughts? Thanks again!!!
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16904495
hmm. I'm not quite sure about that; how about removing it and trying whether it works?

Cheers,
Rajesh

 
LVL 9

Accepted Solution

by:stressedout2004
stressedout2004 earned 150 total points
ID: 16904875
>>>>Is this because we have specified the default-domain as exhibitservices, and my computer is on a different domain? Is there a way to disable this so that I can test this out? Your thoughts? Thanks again!!!

No, the default domain has nothing to do with it. Just add the following on the PIX:

isakmp nat-t

Then try the connection again.

If it still doesn't work, turn on the following debug on the PIX:

debug icmp trace
term mon

Then try to ping any host behind the PIX from the PC connected to the VPN. Check if the PIX is getting any packets.






0
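As an added example (not code from this thread, from Cisco, or from either answerer), here is a small Python checker that reads a PIX 6.3-style running config and reports the three points the thread turns on: whether a nat 0 access-list exempts the client pool from NAT (the question's config), whether each vpngroup has a split-tunnel ACL naming that pool (rsivanandan's fix), and whether isakmp nat-t is enabled (the accepted answer). The config excerpt is constructed from the lines the questioner posted; the regular expressions and the check logic are my assumptions about the PIX config grammar, not a Cisco tool.

```python
"""Audit a PIX 6.3-style config for the remote-access VPN settings discussed in
this thread: nat 0 exemption for the client pool, a split-tunnel ACL on each
vpngroup, and NAT traversal. Added example; the parsing is an assumption about
the config grammar, not a Cisco tool."""
import ipaddress
import re

# Constructed excerpt of the poster's running config (only the lines these checks need).
CONFIG_AS_POSTED = """\
ip local pool ippool 192.168.2.1-192.168.2.50
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
isakmp enable outside
vpngroup exhibitnet address-pool ippool
vpngroup exhibitnet dns-server 192.168.1.2
"""

# The same excerpt with the two fixes from the answers applied.
CONFIG_FIXED = CONFIG_AS_POSTED + """\
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
vpngroup exhibitnet split-tunnel split
isakmp nat-t
"""


def config_lines(cfg):
    return [line.strip() for line in cfg.splitlines() if line.strip()]


def local_pools(lines):
    """'ip local pool NAME FIRST-LAST' -> {NAME: (FIRST, LAST)}."""
    pools = {}
    for line in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def acl_permit_ip(lines, name):
    """(src_net, dst_net) pairs from 'access-list NAME permit ip SRC MASK DST MASK'."""
    pairs = []
    pattern = rf"access-list {re.escape(name)} permit ip (\S+) (\S+) (\S+) (\S+)$"
    for line in lines:
        m = re.match(pattern, line)
        if m:
            src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            pairs.append((src, dst))
    return pairs


def covers_pool(pairs, first, last):
    """True if one ACL entry's destination network holds the whole client pool."""
    return any(first in dst and last in dst for _, dst in pairs)


def audit_vpn(cfg):
    """Return a list of finding strings; an empty list means all checks pass."""
    lines = config_lines(cfg)
    findings = []
    pools = local_pools(lines)

    nat0_acl = None
    for line in lines:
        m = re.match(r"nat \(inside\) 0 access-list (\S+)$", line)
        if m:
            nat0_acl = m.group(1)

    for line in lines:
        m = re.match(r"vpngroup (\S+) address-pool (\S+)$", line)
        if not m:
            continue
        group, pool = m.groups()
        if pool not in pools:
            findings.append(f"vpngroup {group}: address-pool {pool} is not defined")
            continue
        first, last = pools[pool]
        # 1. nat 0: replies to the pool must bypass NAT, or they leave via the global PAT.
        if nat0_acl is None or not covers_pool(acl_permit_ip(lines, nat0_acl), first, last):
            findings.append(f"vpngroup {group}: no nat 0 exemption covering pool {pool}")
        # 2. split-tunnel: the ACL tells the client which networks belong in the tunnel.
        split = [l for l in lines if l.startswith(f"vpngroup {group} split-tunnel ")]
        if not split:
            findings.append(f"vpngroup {group}: no split-tunnel ACL")
        elif not covers_pool(acl_permit_ip(lines, split[0].split()[-1]), first, last):
            findings.append(f"vpngroup {group}: split-tunnel ACL does not name pool {pool}")

    # 3. NAT-T: the running config stores 'isakmp nat-traversal'; 'isakmp nat-t' is the
    #    abbreviation typed in the answer, so match on the common prefix.
    if not any(l.startswith("isakmp nat-t") for l in lines):
        findings.append("isakmp nat-t not enabled: clients behind PAT connect but pass no traffic")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", CONFIG_AS_POSTED), ("fixed", CONFIG_FIXED)):
        print(name + ":", audit_vpn(cfg) or ["ok"])
```

Run against the excerpt as posted it reports the missing split-tunnel ACL and the missing nat-t; with the two answers applied it reports nothing. The pool check is deliberately strict (the whole pool range must sit inside one ACL destination), which also catches a pool that was renumbered without updating access-list 101.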
 

Author Comment

by:blakmoon91
ID: 16906856
Guys, thanks so much for the help, both of you. I thought splitting the points would be fair. Stressed, if you could explain, just for my own knowledge, what the nat-t switch does in conjunction with the isakmp, I would appreciate it.
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16907055
It has something to do with allowing encrypted traffic to pass through UDP 4500 instead of protocol ESP to get around the PAT restriction. When a VPN Client user's public IP is a PAT IP (port address translation), meaning a shared public IP, and the traffic is passing over the tunnel using ESP, the traffic gets dropped because the PAT device has no way of mapping ESP, because it is portless. So the common symptom is that you can connect with the VPN Client but cannot pass any traffic. To get around that, UDP NAT transparency was introduced to allow traffic from a VPN client that is PATted to use UDP 4500 instead of ESP when passing traffic over the tunnel. Since UDP has ports, the PAT device will have no problem mapping the traffic.
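To make the PAT explanation above concrete, the following added Python example (not from this thread or from any vendor) simulates a PAT device sitting in front of two VPN clients that both talk to the same gateway. ESP packets carry an SPI but no port, so this toy PAT can only remember one inside host per peer, and the gateway's reply meant for the other client is misdelivered; with UDP 4500 encapsulation each client gets its own translated source port and both replies come back to the right host. The addresses are constructed documentation addresses, and the one-ESP-session-per-peer behaviour is a simplification (real devices vary between that and dropping ESP outright).

```python
"""Toy PAT device contrasting portless ESP with UDP-encapsulated ESP (NAT-T).
Added example; the PAT model is a deliberate simplification, not any vendor's logic."""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "198.51.100.1"   # constructed: the PAT device's single shared outside address
GATEWAY = "203.0.113.5"      # constructed: the VPN gateway the clients connect to


@dataclass(frozen=True)
class Packet:
    proto: str                   # "esp" or "udp"
    src: str
    dst: str
    sport: Optional[int] = None  # ESP has no ports, so these stay None for it
    dport: Optional[int] = None
    spi: Optional[int] = None    # ESP security parameter index (carried, not used by the PAT)


class PatDevice:
    def __init__(self):
        self.next_port = 40000
        self.outbound = {}   # (proto, inside_ip, inside_port) -> translated public port
        self.inbound = {}    # (proto, public_port) -> (inside_ip, inside_port)
        # ESP cannot be keyed on a port: this simple PAT just remembers the last inside
        # host that sent ESP to each peer, so a second client overwrites the first.
        self.esp_peer = {}   # peer_ip -> inside_ip

    def translate_out(self, pkt):
        """Rewrite an inside packet to the shared public address."""
        if pkt.proto == "esp":
            self.esp_peer[pkt.dst] = pkt.src
            return Packet("esp", PUBLIC_IP, pkt.dst, spi=pkt.spi)
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(pkt.proto, PUBLIC_IP, pkt.dst, self.outbound[key], pkt.dport, pkt.spi)

    def translate_in(self, pkt):
        """Return the packet as delivered inside, or None when no mapping exists."""
        if pkt.proto == "esp":
            inside = self.esp_peer.get(pkt.src)
            return None if inside is None else Packet("esp", pkt.src, inside, spi=pkt.spi)
        entry = self.inbound.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port, pkt.spi)


def run_scenario(proto):
    """Two inside clients (constructed 10.0.0.10 and 10.0.0.11) each send one tunnel
    packet to the gateway and the gateway answers each. Returns {client: reply_reached_it}."""
    pat = PatDevice()
    clients = ["10.0.0.10", "10.0.0.11"]
    seen_by_gateway = {}
    for i, client in enumerate(clients):
        if proto == "esp":
            pkt = Packet("esp", client, GATEWAY, spi=0x1000 + i)
        else:  # NAT-T: ESP wrapped in UDP, both ends on 4500
            pkt = Packet("udp", client, GATEWAY, 4500, 4500, spi=0x1000 + i)
        seen_by_gateway[client] = pat.translate_out(pkt)

    results = {}
    for i, client in enumerate(clients):
        seen = seen_by_gateway[client]
        # The gateway replies to whatever it saw: same protocol, addresses and ports swapped.
        reply = Packet(seen.proto, GATEWAY, PUBLIC_IP, seen.dport, seen.sport, spi=0x2000 + i)
        delivered = pat.translate_in(reply)
        results[client] = delivered is not None and delivered.dst == client
    return results


if __name__ == "__main__":
    print("ESP through PAT:     ", run_scenario("esp"))
    print("UDP 4500 through PAT:", run_scenario("udp"))
```

With plain ESP the second client's outbound packet overwrites the PAT's only ESP mapping for the gateway, so the reply for 10.0.0.10 is handed to 10.0.0.11 and the first client sees exactly the symptom in the question: the tunnel is up, bytes go out, nothing comes back. With UDP 4500 each client's 4500 source port is translated to a distinct public port (40000 and 40001 here), so the reverse lookup is unambiguous.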