BRNIIT
asked on
Pix 506E ipsec client configuration
I have a pix 506e with an ipsec tunnel back to a vpn3005. The tunnel is working fine. I have also set up remote ipsec client access on the pix. Remote ipsec clients can access the lan behind the pix just fine, but they cannot access anything on the other side of the tunnel behind the vpn3005.
Am I trying to do something that the pix is not capable of? How can I get ipsec clients to be able to talk over the tunnel back to my 3005 concentrator?
Here is the pix config:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname mypix
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list hq_vpn_tunnel permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list hq_vpn_tunnel permit ip 10.3.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list hq_vpn_tunnel permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list hq_vpn_tunnel permit ip 10.3.0.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list hq_vpn_tunnel permit ip 10.3.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list vpn_no_nat permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list vpn_no_nat permit ip 10.3.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no_nat permit ip 10.3.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list vpn_no_nat permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list vpn_no_nat permit ip 10.3.0.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list vpn_no_nat permit ip 10.3.0.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list from_outside permit icmp any any echo
access-list from_outside permit icmp any any echo-reply
access-list split_tunnel permit ip 10.3.0.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list split_tunnel permit ip 10.1.0.0 255.255.0.0 172.17.3.0 255.255.255.0
access-list split_tunnel permit ip 10.2.0.0 255.255.0.0 172.17.3.0 255.255.255.0
access-list split_tunnel permit ip 10.100.1.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list split_tunnel permit ip 172.16.0.0 255.255.0.0 172.17.3.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 111.111.111.111 255.255.255.0
ip address inside 10.3.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ipsec_client_pool 172.17.3.100-172.17.3.149 mask 255.255.255.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn_no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group from_outside in interface outside
route outside 0.0.0.0 0.0.0.0 111.111.111.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.3.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set tunnel_transform_set esp-3des esp-md5-hmac
crypto ipsec transform-set ipsec_client_transform_set
crypto dynamic-map dynmap 20 set transform-set ipsec_client_transform_set
crypto map hq_vpn_map 10 ipsec-isakmp
crypto map hq_vpn_map 10 match address hq_vpn_tunnel
crypto map hq_vpn_map 10 set pfs group2
crypto map hq_vpn_map 10 set peer 111.111.111.112
crypto map hq_vpn_map 10 set transform-set tunnel_transform_set
crypto map hq_vpn_map 20 ipsec-isakmp dynamic dynmap
crypto map hq_vpn_map client authentication LOCAL
crypto map hq_vpn_map interface outside
isakmp enable outside
isakmp key ******** address 111.111.111.112 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 10000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ipsec_group address-pool ipsec_client_pool
vpngroup ipsec_group dns-server 10.1.1.5 10.1.0.5
vpngroup ipsec_group split-tunnel split_tunnel
vpngroup ipsec_group idle-time 1800
vpngroup ipsec_group password ********
vpngroup dns-server idle-time 1800
telnet 10.3.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group ipsec_group client configuration address local ipsec_client_pool
vpdn enable outside
dhcpd address 10.3.0.100-10.3.0.149 inside
dhcpd dns 10.1.1.5 10.1.0.5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain mydomain.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Am I trying to do something that the pix is not capable of? How can I get ipsec clients to be able to talk over the tunnel back to my 3005 concentrator?
Here is the pix config:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname mypix
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list hq_vpn_tunnel permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list hq_vpn_tunnel permit ip 10.3.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list hq_vpn_tunnel permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list hq_vpn_tunnel permit ip 10.3.0.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list hq_vpn_tunnel permit ip 10.3.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list vpn_no_nat permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list vpn_no_nat permit ip 10.3.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_no_nat permit ip 10.3.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list vpn_no_nat permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list vpn_no_nat permit ip 10.3.0.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list vpn_no_nat permit ip 10.3.0.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list from_outside permit icmp any any echo
access-list from_outside permit icmp any any echo-reply
access-list split_tunnel permit ip 10.3.0.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list split_tunnel permit ip 10.1.0.0 255.255.0.0 172.17.3.0 255.255.255.0
access-list split_tunnel permit ip 10.2.0.0 255.255.0.0 172.17.3.0 255.255.255.0
access-list split_tunnel permit ip 10.100.1.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list split_tunnel permit ip 172.16.0.0 255.255.0.0 172.17.3.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 111.111.111.111 255.255.255.0
ip address inside 10.3.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ipsec_client_pool 172.17.3.100-172.17.3.149 mask 255.255.255.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn_no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group from_outside in interface outside
route outside 0.0.0.0 0.0.0.0 111.111.111.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.3.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set tunnel_transform_set esp-3des esp-md5-hmac
crypto ipsec transform-set ipsec_client_transform_set
crypto dynamic-map dynmap 20 set transform-set ipsec_client_transform_set
crypto map hq_vpn_map 10 ipsec-isakmp
crypto map hq_vpn_map 10 match address hq_vpn_tunnel
crypto map hq_vpn_map 10 set pfs group2
crypto map hq_vpn_map 10 set peer 111.111.111.112
crypto map hq_vpn_map 10 set transform-set tunnel_transform_set
crypto map hq_vpn_map 20 ipsec-isakmp dynamic dynmap
crypto map hq_vpn_map client authentication LOCAL
crypto map hq_vpn_map interface outside
isakmp enable outside
isakmp key ******** address 111.111.111.112 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 10000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ipsec_group address-pool ipsec_client_pool
vpngroup ipsec_group dns-server 10.1.1.5 10.1.0.5
vpngroup ipsec_group split-tunnel split_tunnel
vpngroup ipsec_group idle-time 1800
vpngroup ipsec_group password ********
vpngroup dns-server idle-time 1800
telnet 10.3.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group ipsec_group client configuration address local ipsec_client_pool
vpdn enable outside
dhcpd address 10.3.0.100-10.3.0.149 inside
dhcpd dns 10.1.1.5 10.1.0.5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain mydomain.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Hmm.. I am not aware of a way to configure the PIX to do DNS proxying.. It does DHCP proxying.. but not DNS as far as i can tell .
Is there a DNS server on that end which could act as a DNS server for these clients because any localized DNS server would be able to act as that proxy easily..even a small Pc based caching name server.
Is there a DNS server on that end which could act as a DNS server for these clients because any localized DNS server would be able to act as that proxy easily..even a small Pc based caching name server.
ASKER
Nope, just workstations and laptops on the other end - nothing I could reliably use as a dns server.
Anyway, thanks again for the info. I will find a workaround.
Anyway, thanks again for the info. I will find a workaround.
ASKER
The only thing for which I would need remote clients to be able to connect all the way back through the tunnel would be for dns queries, since there is no local server. Is there any way to get the pix to act as a dns proxy?
Thanks again for your help.