Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 242
  • Last Modified:

Pix 501

The vpn works fine but I can no connect to the internet, unless I connect the cable from the modem to put one. Then the vpn stops working. If i connect the cable back to the wan port the vpn works but the internet stops working. This is new to me can some explain this to me. And is there a script that I can wite for the pix???
0
macc1212
Asked:
macc1212
  • 8
  • 8
  • 2
  • +1
1 Solution
 
0xSaPx0Commented:
If you post the configuration, we can dissect it and help you out. Just log into the pix via the console cable and cut and paste the output of "show-run" make sure you remove any passwd or enable lines.

0xSaPx0
0
 
rsivanandanCommented:
Make sure you hide the 2nd and 3rd octect of your public ip information when you paste it here.

Do you have split-tunneling enabled on your PIX vpn ?

Cheers,
Rajesh
0
 
macc1212Author Commented:
PIX Version 6.3(5)                  
interface ethernet0 auto                        
interface ethernet1 100full                          
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
enable password ecCwMh0COe94IjJK encrypted                                          
passwd ecCwMh0COe94IjJK encrypted                                
hostname rcsnet              
domain-name sms.siemens.com                          
fixup protocol dns maximum-length 512                                    
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol tftp 69                      
names    
access-list outside_c-map_20 permit ip host ##### ##### 255.255.2                                                                                
55.248      
pager lines 24              
logging on          
logging timestamp                
logging buffered notifications                              
logging history notifications                            
logging queue 0              
icmp permit #.#.#.# 255.255.248.0 outside                                            
mtu outside 1500                
mtu inside 1500              
ip address outside #.#.#.# 255.255.255.0                                            
ip address inside #.#.#.# 255.255.255.0                                          
ip audit info action alarm                          
ip audit attack action alarm                            
pdm logging informational 100                            
pdm history enable                  
arp timeout 14400                
nat (inside) 0 access-list outside_c-map_20                                          
route outside 0.0.0.0 0.0.0.0 #.#.#.#                                            
timeout xlate 1:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00                                                                            
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                                                              
timeout sip-disconnect 0:02:00 sip-invite 0:03:00                                                
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server TACACS+ max-failed-attempts 3                                        
aaa-server TACACS+ deadtime 10                              
aaa-server RADIUS protocol radius                                
aaa-server RADIUS max-failed-attempts 3                                      
aaa-server RADIUS deadtime 10                            
aaa-server LOCAL protocol local                              
aaa authentication telnet console LOCAL                                      
http server enable                  
http #.#.#.# 255.255.255.248 outside                                          
http #.#.#.# 255.255.248.0 outside                                      
http #.#.#.# 255.255.255.0 inside                                    
http #.#.#.# 255.255.255.255 inside                                        
no snmp-server location                      
no snmp-server contact                      
snmp-server community !S13m3n3S!                                
no snmp-server enable traps                          
floodguard enable                
sysopt connection permit-ipsec                              
sysopt connection permit-ipsec                              
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_c-map_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer #.#.#.#
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 3600 kilobyt
es 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address #.#.#.# netmask 255.255.255.255 no-xauth no-co
nfig-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh #.#.#.# 255.255.248.0 outside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:59d620c4dbee6a283257f3a9755ac581
0
NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

 
rsivanandanCommented:
This looks to me like a site to site vpn ? aren't we talking about client vpn ?

Cheers,
Rajesh
0
 
macc1212Author Commented:
Yes this is a lan to lan vpn.
0
 
rsivanandanCommented:
Change this >>access-list outside_c-map_20 permit ip host ##### ##### 255.255.2

To reflect the SiteA network and Site B network respectively on both ends.

access-list outside_c-map_20 permit ip <NetworkA> <Mask> <NetworkB> <Mask>

The above goes on the NetworkA side PIX.

access-list outside_c-map_20 permit ip <NetworkB> <Mask> <NetworkA> <Mask>

The above goes on the NetworkB side PIX

Then save the configuration, do a 'clear xlate'.

Then try.

Cheers,
Rajesh


0
 
macc1212Author Commented:
Will this allow me to access the internet with the other computers on the netwotk?
0
 
rsivanandanCommented:
Yes, it would.

Only the traffic destined for the other network will be passed through the VPN tunnel and all other traffic destined for internet will go to internet.

Cheers,
Rajesh
0
 
macc1212Author Commented:
how would i write the script
access-list outside_c-map_20 permit ip host 10.10.12.11 255.255.2                                                                                
55.248  
Where do I plug the Network A and Network B
What is the Net A and Net B
Is it the outside ip A and the inside Ip B.
Please explain
0
 
lrmooreCommented:
For internal users to use the internet, add these:

 global (outside) 10 interface
 nat (inside) 10 0 0
0
 
rsivanandanCommented:
NetworkA------PIX-----------------------VPN----------------PIX---------NetworkB

Now you know what is NetworkA and NetworkB right ?

Cheers,
Rajesh
0
 
macc1212Author Commented:
when i try to put the sript in the pix I get (??????)
0
 
macc1212Author Commented:
Please explain where I would plug in my ip addresses for the network a and network b.
0
 
rsivanandanCommented:
access-list outside_c-map_20 permit ip <networkA> <subnet mask> <networkB> <subnet mask>

This has to be done on networkA.

 access-list outside_c-map_20 permit ip <networkB> <subnet mask> <networkA> <subnet mask>    

The above has to be done at the networkB.

Cheers,
Rajesh                                                        
0
 
rsivanandanCommented:
Here NetworkA means your internal network at Site A (You have masked all the ip addresses in the output you posted here, so I don't know what is your internal network). Similarly NetworkB means your internal network at Site B.

Cheers,
Rajesh
0
 
macc1212Author Commented:
Can I just write a line to give access to th B side
0
 
rsivanandanCommented:
that is what the above access-list does wrt your configuration.

Cheers,
Rajesh
0
 
macc1212Author Commented:
logging on
logging timestamp
logging buffered 5
logging history 5
logging queue 0
no clock timezone
timeout xlate 1:00:00
http server enable
http 129.73.116.77 255.255.255.248 outside
http 64.46.232.0 255.255.248.0 outside
snmp-server community !S13m3n44!
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
no dhcpd enable inside
no dhcpd auto_config outside
no dhcpd address 192.168.1.2-192.168.1.33 inside
no global (outside) 1 interface
no nat (inside) 1 0.0.0.0 0.0.0.0
no nat (inside) 0 0.0.0.0 0.0.0.0
icmp permit 64.46.777.0 255.255.248.0 outside
ip address outside 70.89.654.41 255.255.255.0
ip address inside 10.24.54.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 70.89.438.42
access-list outside_c-map_20 permit ip host 10.24.160.# 129.73.116.44 255.255.255.0
nat (inside) 0 access-list outside_c-map_20
isakmp enable outside
isakmp key ####### address 12.46.0.193 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_c-map_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 12.46.135.193
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map interface outside
hostname rcsnet
domain-name sms.siemens.com
ca gen rsa key 1024
ssh 64.46.65.0 255.255.248.0 outside
ssh timeout 60
passwd 3333
enable password 3333
ca save all
Write Mem
Exit
This is the script that is kicking my butt can some one solve this. I can use the vpn but I can not get on the internet.
0
 
lrmooreCommented:
>I can use the vpn but I can not get on the internet.

That's because you have this:
>no global (outside) 1 interface
>no nat (inside) 1 0.0.0.0 0.0.0.0

I'll repeat my first post. Remove the "no" from those two lines of your script
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0

Done. Now you can get on the Internet


0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

  • 8
  • 8
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now