
Cisco PIX client VPN seems to work fine, but it doesn't

Posted on 2006-11-20
Last Modified: 2010-08-05
Hi there,

I have just configured a remote Cisco PIX 501 with client VPN settings. I am able to set up a dial-up connection to it, and a show cry ipsec sa even shows traffic being encrypted and decrypted, but still I can't connect to any server on the other side.

Here's a bit of output from an icmp trace debug; it seems to work fine, but on my workstation I don't receive the eventual replies:

pix501itoi(config)# debug icmp trace
ICMP trace on
Warning: this may cause problems on busy networks
pix501itoi(config)#
1: ICMP echo-request from outside:192.168.100.1 to 192.168.7.2 ID=1280 seq=768 length=40
2: ICMP echo-reply from inside:192.168.7.2 to 192.168.100.1 ID=1280 seq=768 length=40
3: ICMP echo-request from outside:192.168.100.1 to 192.168.7.2 ID=1280 seq=1024 length=40
4: ICMP echo-reply from inside:192.168.7.2 to 192.168.100.1 ID=1280 seq=1024 length=40

Here's some output from the active vpn tunnel:

     PERMIT, flags={}
    #pkts encaps: 43, #pkts encrypt: 43, #pkts digest 43
    #pkts decaps: 44, #pkts decrypt: 44, #pkts verify 44
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

So it doesn't have any errors, and it encrypts and decrypts traffic.

Here's the configuration, modified with other IPs:

pix501itoi(config)# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXX encrypted
hostname XXXXXXXXXXXXX
domain-name XXXXXXXXXXXXX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name XXXXXXXXXXXXX XXXXXXXXXXXXX
name 192.168.7.0 lan
name XXXXXXXXXXXXX XXXXXXXXXXXXX office
access-list inside_to_outside deny ip any XXXXXXXXXXXXX 255.255.255.0
access-list inside_to_outside permit ip any any
access-list inside_to_outside permit icmp any any
access-list outside_to_inside permit icmp any any
access-list outside_to_inside permit tcp any interface outside eq https
access-list outside_to_inside permit tcp any interface outside eq www
access-list outside_to_inside permit tcp host XXXXXXXXXXXXX interface outside eq 3389
access-list outside_to_inside permit tcp host XXXXXXXXXXXXX interface outside eq 3389
access-list outside_to_inside permit tcp any interface outside eq 7226
access-list outside_to_inside permit tcp host XXXXXXXXXXXXX interface outside eq 8081
access-list outside_to_inside permit tcp host XXXXXXXXXXXXX interface outside eq 8081
access-list outside_to_inside permit tcp any interface outside eq 993
access-list outside_to_inside permit tcp any interface outside eq smtp
access-list 101 permit ip lan 255.255.255.0 192.168.100.0 255.255.255.0
access-list split permit ip lan 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside XXXXXXXXXXXXX 255.255.255.0
ip address inside 192.168.7.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.100.1-192.168.100.100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface https 192.168.7.x https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.7.x www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.7.x 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7226 192.168.7.x 7226 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8081 192.168.7.x 8081 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 993 192.168.7.x 993 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.7.x smtp netmask 255.255.255.255 0 0
access-group outside_to_inside in interface outside
access-group inside_to_outside in interface inside
route outside 0.0.0.0 0.0.0.0 XXXXXXXXXXXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 192.168.7.x XXXXXXXXXXXXX timeout 5
http server enable
http lan 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside XXX /
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup xxxvpngroup address-pool ippool
vpngroup xxxvpngroup dns-server 192.168.7.X
vpngroup xxxvpngroup wins-server 192.168.7.X
vpngroup xxxvpngroup default-domain XXXXXXXXXXXXX
vpngroup xxxvpngroup split-tunnel split
vpngroup xxxvpngroup idle-time 1800
vpngroup xxxvpngroup password ********
telnet lan 255.255.255.0 inside
telnet timeout 30

I have tested dialing in to other PIX firewalls at other locations, but none of them seem to be giving me trouble. Also my neighbour has the same issues when dialing in to this specific config. I've been staring myself blind but I just can't find the glitch. Any help will be greatly appreciated!

Regards,

Ronnie
Question by:phylaxict

11 Comments

Expert Comment by:rsivanandan
So the problem you're having is that you can't reach machines by 'names'?

Cheers,
Rajesh

Author Comment by:phylaxict
It's not a DNS problem; I can't ping or RDP or do anything through the VPN tunnel at the moment to either IPs or names. The weird thing is that the debug does show ICMP traffic returning, but somehow it doesn't arrive.

Expert Comment by:WGhen
try changing your lines:
access-list 101 permit ip lan 255.255.255.0 192.168.100.0 255.255.255.0
vpngroup xxxvpngroup split-tunnel split
to
access-list 101 permit ip 192.168.100.0 255.255.255.128 192.168.7.0 255.255.255.0
vpngroup xxxvpngroup split-tunnel 101


get rid of:
access-list split permit ip lan 255.255.255.0 192.168.100.0 255.255.255.0

WGhen

Expert Comment by:WGhen
BTW,
You may have to tell your internal routers where to find 192.168.100.x with a static IP route. Try that first if you have not done it. Your pings could be reaching their target, but the router may not know where to send the replies.

WGhen

Author Comment by:phylaxict
Servers are directly connected to the switch in the 192.168.7.0/24 network with a default gateway pointing to the PIX. I am able to access the servers through NAT port forwards directly, just not via VPN.

I've always been taught by Cisco to use a separate line for each NAT and split rule. I've tried to make the adjustment you have suggested anyway, but without any luck.

The firmware seems to be a bit old though, 6.3.1. It's a remote PIX though, so I'm a bit afraid to upgrade the firmware just like that; I once had a PIX that didn't come back up with the old config.

Expert Comment by:WGhen
Well, here's a tidbit of info. We are running 6.3.1 in one of our PIX boxes and are connecting to it with a VPN. I'm in the middle of something here, but let me think about this some more to see if I spot anything else that's different from my working VPN in the 6.3.1 PIX.

WGhen

Expert Comment by:rsivanandan
Do not change the split and nonat ACLs; what you had is correct and it is better advised to keep 'em separate.

Can you run a tracert and see how far it reaches (post it here)?


Cheers,
Rajesh

Author Comment by:phylaxict
Thanks once again for the thoughts on this problem. I have just tried to do a traceroute, but as I expected the PIX itself replies with its internal IP address, and after that I get time-outs.

Author Comment by:phylaxict
The problem has been fixed; the isakmp nat-traversal 20 command resolved the issue.
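The VPN-client section of the posted configuration with the thread's fix applied, as an added example that is not part of the original posts. It also explains why the symptoms fit: the debug icmp trace shows the echo-reply arriving on inside and the encaps counter shows it being encrypted toward the client, so the reply leaves the PIX inside ESP (IP protocol 50). The client's own ESP arrives fine (decaps counts up) and the UDP/500 ISAKMP exchange completes, but a NAT device in front of the client that does not forward protocol 50 back to it silently drops the return direction, which is exactly "encrypts and decrypts without errors, yet nothing arrives" and would hit everyone behind that NAT (the author and the neighbour alike). isakmp nat-traversal detects such a device during phase 1 and encapsulates ESP in UDP/4500, which the NAT device can translate like any other UDP flow. Pool, group and ACL names and the addresses are taken from the post; the group password is a placeholder; comment lines begin with ":" as in the saved config.

```cisco
: Added example: VPN-client section of the posted PIX 6.3 config, NAT-T enabled.
: Addresses, pool name and group name are the ones from the post; the group
: password is a placeholder.

: LAN <-> client pool traffic bypasses NAT (nat 0) and is the only traffic the
: client sends down the tunnel (split tunnel). Kept as two separate ACLs, as
: recommended in the thread, so one can change without affecting the other.
access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list split permit ip 192.168.7.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 101

ip local pool ippool 192.168.100.1-192.168.100.100

: Decrypted IPsec traffic bypasses the outside interface ACL.
sysopt connection permit-ipsec

: Phase 2 transform set, DES/MD5 as posted. Both are weak by current standards;
: if show version reports a 3DES/AES activation key, use esp-3des esp-sha-hmac
: or esp-aes esp-sha-hmac instead (a PIX 501 without that key is DES-only).
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside

: Phase 1: group pre-shared key (vpngroup password) plus XAUTH against the
: partnerauth RADIUS server defined elsewhere in the config.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: The fix from the thread. When a NAT device is detected between the peers,
: ESP is carried inside UDP/4500; the argument is the NAT keepalive interval
: in seconds, sent so the NAT device keeps the UDP mapping open while idle.
isakmp nat-traversal 20

vpngroup xxxvpngroup address-pool ippool
vpngroup xxxvpngroup dns-server 192.168.7.X
vpngroup xxxvpngroup wins-server 192.168.7.X
vpngroup xxxvpngroup split-tunnel split
vpngroup xxxvpngroup idle-time 1800
vpngroup xxxvpngroup password <group-password>
```

To confirm the fix took effect, connect a client and run show crypto ipsec sa: with NAT-T negotiated the peer is listed with port 4500 and the encrypted traffic on outside is UDP/4500 rather than bare ESP. With isakmp enabled on outside the PIX accepts UDP/500 and UDP/4500 itself, but any filter upstream of the PIX still has to pass both ports toward it.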
 
Accepted Solution by:kodiakbear (Experts Exchange Moderator)

Closed, 500 points refunded.
kb
