Changed ISP and Public NIC on PIX.. No more VPN, Incoming Mail!

Posted on 2006-11-09
Last Modified: 2013-11-16
Question by:Justin Durrant

Author Comment by Justin Durrant (ID: 17911998)
Here is my config:


:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname FW
domain-name xxx.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 102 permit tcp any interface outside eq www
access-list 102 permit tcp any interface outside eq https
access-list 102 permit tcp any interface outside eq ftp
access-list 102 permit icmp any any
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp host 63.86.112.66 interface outside eq 3389
access-list 102 permit tcp host 24.118.66.111 interface outside eq 3389
access-list inside_outbound_nat0_acl permit ip any 192.168.8.64 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.8.64 255.255.255.224
pager lines 24
logging host inside 192.168.8.5
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.252
ip address inside 192.168.8.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool xxx-pool 192.168.8.70-192.168.8.80
pdm location 192.168.8.5 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.8.5 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.8.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.8.5 3389 netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 255
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup xxx-vpn address-pool xxx-pool
vpngroup xxx-vpn dns-server 192.168.8.5 208.254.149.169
vpngroup xxx-vpn wins-server 192.168.8.5 208.254.149.169
vpngroup xxx-vpn default-domain xxx.com
vpngroup xxx-vpn idle-time 1800
vpngroup xxx-vpn password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:785a2f181c017f989c24fe20a084b59c
: end
FW#

Expert Comment by lrmoore (ID: 17914193)
>route outside 0.0.0.0 0.0.0.0 x.x.x.x 255
This "255" looks suspicious.
Is this default route correct in relation to your outside IP address?
The 255 should be 1

What do you have outside this PIX to connect to ISP? Do you have a router? What kind of connection is it? How does this compare to the type connection it was?

Expert Comment by lrmoore (ID: 17914218)
Can you post result of "show access-list"
If you have a router or modem in front of the PIX, try rebooting it also. Power it off and wait a full 5 minutes before powering it back up. Cable/DSL modems tend to hold information like ARP cache for a very long time.
4 hours is the default timeout for the ARP cache. If the modem/router is holding an ARP entry that maps your MAC address to your old IP address, then this ARP cache must be cleared, or you wait for the timeout.


Author Comment by Justin Durrant (ID: 17914326)
>route outside 0.0.0.0 0.0.0.0 x.x.x.x 255
This "255" looks suspicious.
Is this default route correct in relation to your outside IP address?
The 255 should be 1

--- The x.x.x.x is the default gateway Comcast gave me.  

What do you have outside this PIX to connect to ISP?

---Comcast SMC Modem

 Do you have a router?

---Nope. Just the PIX

What kind of connection is it?

---Cable Modem

How does this compare to the type connection it was?

---We had a Frac T1 before


The box says the IP local address for the Comcast modem is 10.x. Yet my internal network is 192.168.8.x. I assume this does not matter since everything but VPN is working, right? I did not make any changes to the Comcast modem. They configured everything and handed it over. I just hooked the coax up and the crossover cable from port 1 on the device to port 0 on my PIX. Within the PIX I only changed the outside IP on the PIX and the default route.

Here is my sh access-list:


FW# sh access-l
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list 102; 7 elements
access-list 102 line 1 permit tcp any interface outside eq www (hitcnt=30)
access-list 102 line 2 permit tcp any interface outside eq https (hitcnt=0)
access-list 102 line 3 permit tcp any interface outside eq ftp (hitcnt=0)
access-list 102 line 4 permit icmp any any (hitcnt=172)
access-list 102 line 5 permit tcp any any eq smtp (hitcnt=38)
access-list 102 line 6 permit tcp host x.x.x.x interface outside eq 3389 (hitcnt=1)
access-list 102 line 7 permit tcp host x.x.x.x interface outside eq 3389 (hitcnt=0)
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any 192.168.8.64 255.255.255.224 (hitcnt=56)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 192.168.8.64 255.255.255.224 (hitcnt=57)
FW#


PS: Incoming mail has worked itself out, so I just need to get VPN working again. :)

Expert Comment by lrmoore (ID: 17914504)
>Incoming mail has worked itself out
May have just been a problem with the DNS Caching MX records with your old IP somewhere
That's good news!

The VPN may just "work itself out" also.
But, please do change the default route. just add this back in:
 route outside 0.0.0.0 0.0.0.0 x.x.x.x  [enter]

Do not add any number after the IP address of the next hop.

Author Comment by Justin Durrant (ID: 17914652)
^^ will do. So you are confident changing the outside IP should have no effect on client VPN connections?

I have heard mixed reviews that the public IP info is somehow built into the encryption algorithm. So if your outside IP changes, you must reconfigure VPN on the PIX.

Accepted Solution by lrmoore (earned 500 total points, ID: 17914972)
>mixed reviews that the public IP info is somehow built into the encryption algorithm
I've never heard of this, and I've been doing VPNs for a living for a long time.
The only thing built into the algorithm is the pre-shared key.
LAN-to-LAN VPNs have a peer IP address designated; client VPNs do not.
I've changed external IPs several times and never had this problem, except for the external router's ARP cache.

Do the VPN clients use the direct IP address, or dns name to resolve?
Can any of your VPN users get in, or are you only working with one right now?
Is there perchance a hosts file entry on the user's PC with the old IP address?
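The accepted answer above separates what an outside-IP change touches (the default route, which the earlier comment says must be re-entered without the trailing 255; anything that hard-codes the old public address) from what it does not (a dynamic crypto map used by the VPN client, which carries no peer address). The following Python audit is an added example written for this page, not output from the thread or a Cisco tool. It walks the relevant lines of the posted PIX 6.3 config (embedded below as a constructed sample, with the poster's x.x.x.x placeholders left intact) and reports, per line, whether the config keys off the "interface" keyword or a literal address, whether the route metric is the default 1, and whether the crypto map is a dynamic (client) map or a "set peer" LAN-to-LAN map. The second, hypothetical config in the usage note uses RFC 5737 documentation addresses and exists only to show the failing cases.

```python
"""Audit a PIX 6.x config for what an outside-IP change does and does not touch.

Hypothetical helper written for this page; not tool output from the thread
and not Cisco code. It mechanises the checks lrmoore did by eye.
"""
import ipaddress

# Constructed sample: the relevant lines of the config posted above, with the
# x.x.x.x placeholders kept exactly as the poster masked them.
SAMPLE_CONFIG = """\
ip address outside x.x.x.x 255.255.255.252
ip address inside 192.168.8.1 255.255.255.0
access-list 102 permit tcp any interface outside eq www
access-list 102 permit tcp host 63.86.112.66 interface outside eq 3389
access-list inside_outbound_nat0_acl permit ip any 192.168.8.64 255.255.255.224
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.8.5 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.8.5 3389 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 255
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
"""


def parse_ip(text):
    """IPv4Address for a literal, None for a masked placeholder such as x.x.x.x."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def addr_spec(tok, i):
    """Consume one PIX ACL address spec at tok[i]: any | host A | interface NAME | A MASK."""
    if tok[i] == "any":
        return "any", None, i + 1
    if tok[i] in ("host", "interface"):
        return tok[i], tok[i + 1], i + 2
    return "net", tok[i] + "/" + tok[i + 1], i + 2


def audit(config):
    """Return (severity, message) findings; severity is 'fix', 'check' or 'ok'."""
    findings = []
    outside = None                      # (IPv4Address or None, netmask string)
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:3] == ["ip", "address", "outside"]:
            outside = (parse_ip(tok[3]), tok[4])
        elif tok[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"]:
            gw = parse_ip(tok[4])
            metric = int(tok[5]) if len(tok) > 5 else 1      # PIX default metric is 1
            if metric != 1:
                findings.append(("fix", f"default route metric {metric}; re-enter as "
                                        f"'route outside 0.0.0.0 0.0.0.0 {tok[4]}'"))
            if gw is None or outside is None or outside[0] is None:
                findings.append(("check", "next hop or outside address is a placeholder; "
                                          "verify the gateway is on the outside subnet"))
            else:
                net = ipaddress.IPv4Network(f"{outside[0]}/{outside[1]}", strict=False)
                if gw not in net:
                    findings.append(("fix", f"next hop {gw} is not in outside subnet {net}"))
        elif tok[0] == "static" and tok[1] == "(inside,outside)":
            # port static: "static (inside,outside) tcp <mapped> <port> ..."; plain: "<mapped> <real>"
            mapped = tok[3] if tok[2] in ("tcp", "udp") else tok[2]
            if mapped != "interface":
                findings.append(("fix", f"static maps literal public address {mapped}; "
                                        "it will not follow the new outside IP"))
        elif tok[0] == "global" and tok[1] == "(outside)":
            if tok[3] != "interface":
                findings.append(("fix", f"global pool {tok[3]} is a literal address"))
        elif tok[0] == "access-list" and tok[2] == "permit":
            _, _, nxt = addr_spec(tok, 4)              # source spec
            dkind, dval, _ = addr_spec(tok, nxt)       # destination spec
            if dkind == "host":
                findings.append(("fix", f"{tok[1]}: destination host {dval} is literal; "
                                        "inbound rules should use 'interface outside'"))
        elif tok[:2] == ["crypto", "map"] and "dynamic" in tok:
            findings.append(("ok", "dynamic crypto map (client VPN): no peer address, "
                                   "nothing to change on the PIX"))
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["set", "peer"]:
            findings.append(("check", f"LAN-to-LAN peer {tok[6]}: the remote side must "
                                      "learn the new outside address"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {msg}")
```

Run against the posted config, the only "fix" it raises is the 255 on the default route; the statics, the global pool and the inbound ACL all use "interface", so they follow the new outside address automatically, and the dynamic crypto map is reported as needing no change, which matches the outcome of the thread. The "check" on the next hop is deliberate: with the address masked as x.x.x.x the script cannot confirm the gateway sits in the /30, so it says so instead of guessing.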

Expert Comment by lrmoore (ID: 17914974)
On the client end, try
 C:\>ipconfig /flushdns


Author Comment by Justin Durrant (ID: 17915327)
Ok cool. Hopefully I will not have to redo VPN. Although, if I recall it was quite easy via the wizard in PDM. I am only trying to connect from one client. That client is connecting via the new IP now, so DNS should not matter. I get all the way to "Securing communications channel" and then it errors out saying remote peer is no longer responding.

Expert Comment by lrmoore (ID: 17915914)
It can't hurt to go ahead and re-create a new VPN client configuration. Only takes a minute with the wizard.
If it works, just pass the new .pcf file around to other clients.

Author Comment by Justin Durrant (ID: 17916017)
Will do. It just drives me nuts not knowing what happened. :)

Expert Comment by lrmoore (ID: 17916074)
Agree, but sometimes we just have to take a quick fix and move on. No time for detailed analysis.
Try creating a new client connection at the client instead of just changing the IP address, before re-doing the PIX end.

Author Comment by Justin Durrant (ID: 17916183)
^^ good call. I will try that.

Author Comment by Justin Durrant (ID: 17929105)
VPN works now! I did not have to reconfigure it. It must have had something to do with the ARP cache, as you pointed out! Thanks so much!

Expert Comment by lrmoore (ID: 17934992)
Yippee!!