Ehab Salem

asked on

PIX 506 configuration

I have a Cisco PIX 506e and a VPN through a leased line to a remote site in another company. The problem is that the firewall on the other side is not allowing any traffic coming from real IPs, so I want to send all traffic to this site (10.134.35.59) through the internal network only (the inside of the PIX).

I had this working with the router only and an ISA2000 server, the ISA was routing to the router, the router routing to the other end's router, and then routed to the firewall on the other side.

Since the PIX is installed between the router and my network I am not able to connect. When I enable debugging, it shows that the traffic is passed through the outside (real IP) of the PIX, which is blocked by the firewall on the other side.

Any help?
I hope it is clear.

My IP is 10.157.14.0, the other side's IP is 10.157.13.0, and the routers have .1.
Previously the configuration was as follows:
- ISA routes requests to 10.134.35.59 to the router 10.157.14.1 using its local interface
- Router1 (10.157.14.1) routes to the other router, using the VPN
- Router2 (10.157.13.1) routes to the firewall (10.157.13.2)
- The firewall allows routing to 10.134.35.59 only if the traffic is coming from the 10.157.14.0 network

Thanks.
renill

What is your firewall outside/inside IP and the other side's outside IP, and
do you have any NATing on your side?

Please post the configs of the router and the PIX.

renill
Keith Alabaster
hehehe Sounds like we are on the same wavelength.

Have you placed a NAT (inside) 0 statement in the PIX?
Did you run the vpn wizard?
Ehab Salem (ASKER)
There is a NAT (inside) 0.

I don't know how to run the VPN wizard, can you give more guidance?
PIX Configuration:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aRfsdeffnl2R5 encrypted
passwd 2KFasds.2KYKU encrypted
hostname NVOC.GGUARD
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host (realIP1) eq smtp
access-list 101 permit tcp any host (realIP1) eq www
access-list 101 permit ip host 10.2.133.50 any
access-list 101 permit ip 10.134.35.0 255    ---------------> This is the IP I am having trouble with
access-list 101 permit tcp any host (realIP3) eq www
access-list 101 permit ip 10.157.13.0 255.255.255.0 any
access-list 101 permit udp any any eq 4500
access-list 101 permit esp any any
access-list 101 permit udp any any eq 1701
access-list 101 permit ah any any
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 102 deny tcp any any eq 2745
access-list 102 deny tcp any any eq 4751
access-list 102 deny tcp any any eq 6667
access-list 102 permit ip any any
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside (realIP4) 255.255.255.224
ip address inside 10.157.14.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 0.0.0.0 inside
pdm location (realPDM) 255.255.255.224 outside
pdm history enable
arp timeout 14400
global (outside) 1 (realIP5)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) (realIP1) 10.157.14.55 netmask 255.255.255.255 0 0
static (inside,outside) (realIP6) 10.157.14.54 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 102 in interface inside
route outside 0.0.0.0 0.0.0.0 (routerRealIP) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:0
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http (realIP6) 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp nat-traversal 20
telnet 10.157.14.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
global (outside) 1 (realIP5)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

That is the only NAT statement I can see which tells the PIX to use the realip5 for all traffic leaving through the external interface.

I use the PDM for the VPN connection

https://inside ip_of_pix
PDM https://inside is not working. How do I tell whether it is installed or not?

What lines should I add to make traffic to 10.134.35.59 go thru 10.157.14.0 network to the router 10.157.14.1?
OK, now I am able to run the PDM.
I will check the VPN wizard.
Excellent. I assume you had to add the http server?
I added http 10.157.14.0 255.255.255.0 inside

Now what is next? I got into the VPN wizard, but the remote site I don't have access to it at all. I want to force the traffic to 10.134.35.59 to the inside interface.

I had this problem before when the gateway was a Windows server with ISA; I just added a static route on the inside interface to route traffic to the inside of the router and it worked fine. Why is this a problem in the PIX?
When I add

route inside 10.134.35.59 255.255.255.255 10.157.14.1

I get in the log:
110001: No route to 10.134.35.59 from 10.157.14.61 (61 is my IP address)
prueconsulting
Post your configuration as it stands now

It sounds like you do not have the proper acls, nat 0 statement in place to point the traffic up the tunnel / down the tunnel.

Also on the other end is traffic being routed properly across the tunnel?
The problem was solved by adding these two lines:

access-list inside_outbound permit ip 10.157.14.0 255.255.255.0 host 10.134.35.59
nat (inside) 0 access-list inside_outbound

This disables NATing for this address and the original IP is kept.

Thanks for all your help.
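The effect of the two lines above, modelled as an added example (not Cisco code and not part of this thread): PIX 6.3 evaluates the NAT-exemption ACL bound by `nat (inside) 0 access-list` before the `nat (inside) 1` / `global (outside) 1` pair, so a flow from 10.157.14.0/24 to 10.134.35.59 keeps its real source, while everything else is still PATed behind the outside address. REAL_IP5 is a constructed stand-in for the redacted (realIP5).

```python
"""Which source address the far side sees for an outbound PIX flow.

Added illustration of the thread's fix, not Cisco code. The evaluation
order (NAT exemption first, then the numbered nat/global pair) follows
PIX 6.3 behaviour. REAL_IP5 is a constructed placeholder for (realIP5).
"""
from ipaddress import ip_address, ip_network

REAL_IP5 = "203.0.113.5"  # constructed stand-in for the redacted (realIP5)

# access-list inside_outbound permit ip 10.157.14.0 255.255.255.0 host 10.134.35.59
INSIDE_OUTBOUND = [(ip_network("10.157.14.0/24"), ip_network("10.134.35.59/32"))]


def acl_matches(acl, src, dst):
    """True if any (source-net, dest-net) entry of the ACL covers the flow."""
    return any(ip_address(src) in s and ip_address(dst) in d for s, d in acl)


def translate(src, dst, nat0_acl=None):
    """Return the source address the outside (far) side will see.

    nat0_acl is the ACL bound by 'nat (inside) 0 access-list ...', or None
    when that line is absent from the configuration.
    """
    # 1. NAT exemption: matching flows keep their real inside address.
    if nat0_acl is not None and acl_matches(nat0_acl, src, dst):
        return src
    # 2. Otherwise 'nat (inside) 1 0.0.0.0 0.0.0.0' + 'global (outside) 1'
    #    PATs every inside host behind the single outside address.
    return REAL_IP5


def far_firewall_permits(seen_src):
    """The remote firewall only accepts traffic sourced from 10.157.14.0/24."""
    return ip_address(seen_src) in ip_network("10.157.14.0/24")


if __name__ == "__main__":
    for acl in (None, INSIDE_OUTBOUND):
        seen = translate("10.157.14.62", "10.134.35.59", acl)
        state = "present" if acl else "absent "
        verdict = "permitted" if far_firewall_permits(seen) else "blocked"
        print(f"nat 0 {state}: far side sees {seen:>14} -> {verdict}")
```

Without the exemption the far firewall sees the PIX's outside address (the `x.x.x.x (PIX realIP)/1026` in the log) and drops the flow; with it, the source stays 10.157.14.62.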
As above :)

<< Have you placed a NAT (inside) 0 statement in the PIX? >>

but never mind :)
I'm not fussed ghost.  Paq - refund is fine :)
I am still having a problem.
Although I can ping and tracert the destination 10.134.35.59, I cannot telnet to it on both ports 23 (normal telnet) and port 25 (SMTP). I need to telnet 23 and 25.

So the question is still open.
From what
from my IP 10.157.14.0 255.255.255.0
I think it is a routing problem and not a firewall issue. The traffic coming from 10.134.35.59 cannot find its way to 10.157.14.62.

I am getting this in the PIX log when there is no NAT (inside) 0 command:
- Built outbound TCP connection 19 for outside:10.134.35.59/23 (10.134.35.59/23) to inside:10.157.14.62/3747 x.x.x.x (PIX realIP)/1026)
- Teardown TCP connection 19 for outside:10.134.35.59/23 to inside:10.157.14.62/3747 duration 0:00:05 bytes 1223 TCP FINs

When I put the NAT0 line, I get only the first line, ie
- Built outbound TCP connection 19 for outside:10.134.35.59/23 (10.134.35.59/23) to inside:10.157.14.62/3747 x.x.x.x (PIX realIP)/1026)

But I still cannot figure it out.