Cisco Pix 506e & 525 Site to Site VPN partially working

Posted on 2006-11-28
Last Modified: 2013-11-16
I have site A and site B connected.  I am able to connect via RDP/FTP/WWW to machines on the other end from either site.  I am trying to make a connection from site A to a SQL server in site B and it will not connect.  I have tried connecting to 2-3 different SQL servers and I get the same results.  We have tried connecting with Enterprise Manager, Query Analyzer, as well as an ODBC connection.  Yes we can connect to any of the SQL servers with my laptop on the local network, but when I move to the other end of the tunnel the connection fails.

Here is the config from Site A

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <REMOVED> encrypted
passwd <REMOVED> encrypted
hostname cctpix2
domain-name clearcube.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 172.16.1.0 cctcorp1
name 172.16.1.10 mail
name 172.16.1.11 intranet
name 172.16.1.12 winterm
name 172.16.1.13 sfdc
name 172.16.1.14 defect
name 172.16.1.17 ftp
name 172.16.1.26 cctjas
name 172.16.1.33 mail3
name 172.16.1.44 cctflex
name 172.16.1.97 india
name 172.16.1.105 mail2
name 172.16.1.136 gentran
name 172.16.1.146 cctunanet
name 172.16.2.0 cctcorp2
name 172.16.3.0 cctcorp3
name 172.18.1.0 cctnyc
name 172.20.1.0 cctluk
name 192.168.150.0 saberex
access-list nyc permit ip 172.16.1.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list nyc permit ip 172.16.2.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list nyc permit ip 172.16.3.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list gxs permit ip 2x6.1x7.x5.0 255.255.255.0 198.133.250.0 255.255.255.0
access-list saberex permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list saberex permit ip 2x6.1x7.x5.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq domain
access-list outbound permit udp any any eq domain
access-list outbound permit tcp any any eq pop3
access-list outbound permit tcp any any eq smtp
access-list outbound permit tcp any any eq imap4
access-list outbound permit tcp any any eq ftp
access-list outbound permit tcp any any eq 3389
access-list outbound permit udp any any eq 3389
access-list outbound permit tcp any any eq 3306
access-list outbound permit tcp any any eq 3101
access-list outbound permit tcp any any eq https
access-list outbound permit tcp any any eq 888
access-list outbound permit tcp any any eq ssh
access-list outbound permit tcp any any eq telnet
access-list outbound permit tcp any any eq 47804
access-list outbound permit tcp any any eq 8916
access-list outbound permit tcp any any eq 8080
access-list outbound permit udp any any eq 418
access-list outbound permit tcp any any eq 418
access-list outbound permit tcp any any eq 1533
access-list outbound permit tcp any any eq nntp
access-list outbound permit tcp any any eq 7001
access-list outbound permit tcp any any eq 81
access-list outbound permit tcp any any eq 563
access-list outbound permit tcp any any eq 2082
access-list outbound permit tcp any any eq 993
access-list outbound permit tcp any any eq 27000
access-list outbound permit tcp any any eq 27001
access-list outbound permit tcp any any eq 6050
access-list outbound permit tcp any any eq 6051
access-list outbound permit udp any any eq 6050
access-list outbound permit udp any any eq 6051
access-list outbound permit tcp any any eq 5800
access-list outbound permit tcp any any eq 5900
access-list outbound permit tcp any any eq 123
access-list outbound permit tcp any any eq 5050
access-list outbound permit tcp any any eq 7618
access-list outbound permit tcp any any eq 2080
access-list outbound permit tcp any any eq 465
access-list outbound permit tcp any any eq 8010
access-list outbound permit tcp any any eq 1433
access-list outbound deny ip any any
access-list outbound deny udp any any
access-list outbound deny tcp any any
pager lines 24
logging on
logging buffered debugging
no logging message 710005
mtu outside 1500
mtu inside 1500
ip address outside 2x6.1x7.x5.254 255.255.255.0
ip address inside 172.16.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 2x6.1x7.x5.102-2x6.1x7.x5.200 netmask 255.255.255.0
global (outside) 1 2x6.1x7.x5.201
nat (inside) 0 access-list nyc
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2x6.1x7.x5.10 172.16.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.11 172.16.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.15 172.16.1.12 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.13 172.16.1.13 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.95 172.16.1.14 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.17 172.16.1.17 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.93 172.16.1.26 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.12 172.16.1.33 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.44 172.16.1.44 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.97 172.16.1.97 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.9 172.16.1.105 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.222 172.16.1.136 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.96 172.16.1.146 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.94 172.16.1.149 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.86 172.16.1.86 netmask 255.255.255.255 0 0
access-group outbound in interface inside
conduit permit tcp host 2x6.1x7.x5.9 eq www any
conduit permit tcp host 2x6.1x7.x5.9 eq smtp any
conduit permit tcp host 2x6.1x7.x5.9 eq imap4 any
conduit permit tcp host 2x6.1x7.x5.9 eq pop3 any
conduit permit tcp host 2x6.1x7.x5.10 eq www any
conduit permit tcp host 2x6.1x7.x5.10 eq smtp any
conduit permit tcp host 2x6.1x7.x5.10 eq imap4 any
conduit permit tcp host 2x6.1x7.x5.10 eq pop3 any
conduit permit tcp host 2x6.1x7.x5.11 eq www any
conduit permit tcp host 2x6.1x7.x5.12 eq www any
conduit permit tcp host 2x6.1x7.x5.12 eq smtp any
conduit permit tcp host 2x6.1x7.x5.12 eq imap4 any
conduit permit tcp host 2x6.1x7.x5.12 eq pop3 any
conduit permit tcp host 2x6.1x7.x5.13 eq www any
conduit permit tcp host 2x6.1x7.x5.13 eq 2121 any
conduit permit tcp host 2x6.1x7.x5.13 eq 81 any
conduit permit tcp host 2x6.1x7.x5.13 eq 8080 any
conduit permit tcp host 2x6.1x7.x5.13 eq 3389 any
conduit permit tcp host 2x6.1x7.x5.15 eq 3389 any
conduit permit tcp host 2x6.1x7.x5.17 eq ftp any
conduit permit tcp host 2x6.1x7.x5.44 eq 27000 any
conduit permit tcp host 2x6.1x7.x5.44 eq 27001 any
conduit permit tcp host 2x6.1x7.x5.93 eq 81 any
conduit permit tcp host 2x6.1x7.x5.95 eq www any
conduit permit tcp host 2x6.1x7.x5.96 eq www any
conduit permit tcp host 2x6.1x7.x5.97 eq www any
conduit permit tcp host 2x6.1x7.x5.97 eq 3306 any
conduit permit tcp host 2x6.1x7.x5.97 eq https any
conduit permit tcp host 2x6.1x7.x5.97 eq ssh any
conduit permit tcp host 2x6.1x7.x5.97 eq telnet any
conduit permit tcp host 2x6.1x7.x5.97 eq 2082 any
conduit permit tcp host 2x6.1x7.x5.97 eq ftp any
conduit permit tcp host 2x6.1x7.x5.222 eq ftp-data any
conduit permit tcp host 2x6.1x7.x5.222 eq ftp any
conduit permit tcp host 2x6.1x7.x5.222 eq 3389 any
conduit permit tcp host 2x6.1x7.x5.94 eq 81 any
conduit permit tcp host 2x6.1x7.x5.86 eq 8010 any
route outside 0.0.0.0 0.0.0.0 2x6.1x7.x5.1 1
route inside 172.16.2.0 255.255.255.0 172.16.1.1 1
route inside 172.16.3.0 255.255.255.0 172.16.1.1 1
route inside 172.20.1.0 255.255.255.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set nycpix esp-3des esp-md5-hmac
crypto ipsec transform-set edi-set esp-3des esp-md5-hmac
crypto ipsec transform-set cct-sbrxvpn esp-3des esp-md5-hmac
crypto map vpn-map 5 ipsec-isakmp
crypto map vpn-map 5 match address nyc
crypto map vpn-map 5 set peer 6x.8x.20x.82
crypto map vpn-map 5 set transform-set nycpix
crypto map vpn-map 10 ipsec-isakmp
crypto map vpn-map 10 match address saberex
crypto map vpn-map 10 set peer 7x.15x.18x.178
crypto map vpn-map 10 set transform-set cct-sbrxvpn
crypto map vpn-map 15 ipsec-isakmp
crypto map vpn-map 15 match address gxs
crypto map vpn-map 15 set peer 20x.9x.18x.149
crypto map vpn-map 15 set transform-set edi-set
crypto map vpn-map interface outside
isakmp enable outside
isakmp key ******** address 6x.8x.20x.82 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 20x.9x.18x.149 netmask 255.255.255.255
isakmp key ******** address 7x.15x.18x.178 netmask 255.255.255.248
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
telnet timeout 30
ssh timeout 60
management-access inside
console timeout 0
terminal width 80


Site B

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <REMOVED> encrypted
passwd <REMOVED> encrypted
hostname cct-sbrxvpn
domain-name clearcube.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 172.16.2.0 cctcorp2
name 172.16.3.0 cctcorp3
name 192.168.150.0 saberex
name 172.16.1.0 cctcorp1
access-list saberex permit ip 192.168.150.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list saberex permit ip 192.168.150.0 255.255.255.0 206.127.5.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 7x.15x.18x.178 255.255.255.248
ip address inside 192.168.150.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 7x.15x.18x.179
nat (inside) 0 access-list saberex
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 7x.15x.18x.182 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set cctpix esp-3des esp-md5-hmac
crypto map vpn-map 10 ipsec-isakmp
crypto map vpn-map 10 match address saberex
crypto map vpn-map 10 set peer 2x6.1x7.x5.254
crypto map vpn-map 10 set transform-set cctpix
crypto map vpn-map interface outside
isakmp enable outside
isakmp key ******** address 2x6.1x7.x5.254 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Any help would be greatly appreciated.

Question by pollardw

Expert Comment by lrmoore (ID: 18030887)
Are you using TCP/IP for the ODBC connection, or named pipes?
You should be using TCP/IP
Do you have Netbios name resolution working between the two sites?
Can you ping the remote SQL server by name?

Author Comment by pollardw (ID: 18030916)
We are using TCP/IP static on port 1433
No we do not have Netbios working between the sites.  We are using the IP.
No we have ICMP turned off on all routers and switches at site B.

Expert Comment by lrmoore (ID: 18031206)
The PIX is open "IP" which means all ports and protocols across the VPN tunnel. There is no reason why port 1433 would not be allowed.
Except . . .
>access-list outbound permit tcp any any eq 1433
This one might be a stumbling block..

Realizing the direction of data flow relative to the placement of the acl, it might have to be something like:
 access-list outbound permit tcp host <SQL server> eq 1433 any gt 1024

http://support.microsoft.com/kb/287932

First try removing the outbound acl from the inside interface and try the SQL.
If it works, then we know for sure that it is the acl that is the culprit.

Author Comment by pollardw (ID: 18032350)
I removed "access-list outbound permit tcp any any eq 1433" and tried it - no luck.
I added "access-list outbound permit tcp host 192.168.150.2 eq 1433 any gt 1024" - no luck.

I noticed one thing though when referencing the link you sent.  Connecting to a SQL server has a three-way handshake.  When connecting from site B to site A I have to use 2x6.1x7.x5.xxx to connect to one of the machines.  This has been fine as we will never be connecting to anything from site B to site A.  With that being said when I connect to the SQL server (192.168.150.2) from site A I am using a 172.16.1.xxx address not a 2x6.1x7.x5.xxx address.  Is there a reason why I can not connect to the 172.x.x.x network from site B?  Reason I ask is when I initiate a connection from 172.x.x.x to 192.x.x.x for the three-way connection to be successful it will need to be able to communicate back to the 172.x.x.x network and not the 2x6.1x7.x5.xxx network.  I think this has something to do with it.

Expert Comment by lrmoore (ID: 18035206)
Try adding this to A:
access-list nyc permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0

Actually, I would clean it up a bit and create a new acl for no_nat

\\-- given the following
access-list nyc permit ip 172.16.1.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list nyc permit ip 172.16.2.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list nyc permit ip 172.16.3.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list saberex permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0

\\-- add these
access-list no_nat permit ip 172.16.0.0 255.255.0.0 172.18.1.0 255.255.255.0
access-list no_nat permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0

\\-- change this
no nat (inside) 0 access-list nyc
nat (inside) 0 access-list no_nat


Author Comment by pollardw (ID: 18038113)
Made these changes and I get the same results.  Do you see anything wrong on site B's config?  I can not connect to any 172.16.x.x addresses from there.  I can only connect to the public side of 2x6.1x7.x5.xxx.  I believe once I can connect to a 172.16.x.x address from site B rather than the 2x6.1x7.x5.xxx IP's I will be able to make the three way handshake.

Expert Comment by lrmoore (ID: 18039730)
>isakmp policy 10 group 1
Set this to group 2 on Site B

Everything else is there.. at site B

Match traffic from 192.168.150.0 --> 172.16.1.0
>access-list saberex permit ip 192.168.150.0 255.255.255.0 172.16.1.0 255.255.255.0

Don't NAT traffic that matches that acl:
>nat (inside) 0 access-list saberex

Any traffic matching that acl, encrypt it and send to the designated peer
>crypto map vpn-map 10 match address saberex


Author Comment by pollardw (ID: 18046292)
Ok so I had to leave
>nat (inside) 0 access-list saberex

when removed from site B I could not connect to anything on the 172.16.x.x network.  With the other recommended changes I am able to connect to any machine using any protocol from site B to site A.  I can even make an ODBC connection as well.

From site A to Site B I can still connect to any machine with any protocol except connectivity to any SQL server.  I have installed SQL on my laptop.  No local firewall, no GPO's, etc.... and I can not make an ODBC connection to it either.

Any other suggestions?

Accepted Solution by lrmoore, who earned 500 total points (ID: 18049527)
>Ok so I had to leave
>>nat (inside) 0 access-list saberex
Yes, you need to keep this entry. I was simply explaining that this is a nat by-pass


Try removing the acl completely on site A
   no access-group outbound in interface inside

Then try again. It has to be the access-list.
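As an added example, not from the thread or from Cisco: the Python model below walks through the three steps lrmoore's answers rely on, using the access-list lines quoted from the two configs above. It evaluates a connection-opening packet against the `outbound` ACL applied `in` on the inside interface (first match, implicit deny), then the `nat (inside) 0 access-list` exemption, then the crypto map ACL against the post-NAT flow, for site A's SQL connection and for site B's connections back to 172.16.1.x with and without `nat (inside) 0 access-list saberex`. The two client flows are constructed, the masked public ranges are replaced by RFC 5737 documentation addresses (203.0.113.0/24 for 2x6.1x7.x5.0, 198.51.100.179 for site B's PAT address), the `candidate` ACL holds the `host <SQL server> eq 1433 any gt 1024` line so its match against the initiating packet can be checked, and the helper names (`parse_acls`, `first_match`, `through_pix`) are the example's own; all of those are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: PIX 6.3-style access-list lines copied from the two configs
# in the thread, plus the no_nat lines proposed in the answer. The masked public
# ranges (2x6.1x7.x5.0 at site A, 7x.15x.18x.179 at site B) are stood in for by
# RFC 5737 documentation addresses; that substitution is an assumption.
SITE_A = """
access-list nyc permit ip 172.16.1.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list nyc permit ip 172.16.2.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list nyc permit ip 172.16.3.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list saberex permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list saberex permit ip 203.0.113.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list no_nat permit ip 172.16.0.0 255.255.0.0 172.18.1.0 255.255.255.0
access-list no_nat permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list outbound permit tcp any any eq 3389
access-list outbound permit tcp any any eq 1433
access-list outbound deny ip any any
access-list candidate permit tcp host 192.168.150.2 eq 1433 any gt 1024
"""
SITE_A_PAT = "203.0.113.201"   # stands in for 'global (outside) 1 2x6.1x7.x5.201'
SITE_B = """
access-list saberex permit ip 192.168.150.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list saberex permit ip 192.168.150.0 255.255.255.0 206.127.5.0 255.255.255.0
"""
SITE_B_PAT = "198.51.100.179"  # stands in for 'global (outside) 1 7x.15x.18x.179'
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ftp": 21, "smtp": 25, "ssh": 22}
ANY_PORT = (0, 65535)

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: tuple
    dst: ipaddress.IPv4Network
    dport: tuple

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A MASK' at token i; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def _port(t, i):
    """Parse an optional eq/gt/lt/range operator into an inclusive (lo, hi) range."""
    if i >= len(t) or t[i] not in ("eq", "gt", "lt", "range"):
        return ANY_PORT, i
    a = int(PORT_NAMES.get(t[i + 1], t[i + 1]))
    if t[i] == "eq":
        return (a, a), i + 2
    if t[i] == "gt":
        return (a + 1, 65535), i + 2
    if t[i] == "lt":
        return (0, a - 1), i + 2
    return (a, int(PORT_NAMES.get(t[i + 2], t[i + 2]))), i + 3

def parse_acls(text):
    """Group access-list lines by name, keeping order: the PIX uses the first match."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, sport, dst, dport))
    return acls

def first_match(acl, flow):
    """First ACE matching flow = (proto, src, sport, dst, dport), else None (implicit deny)."""
    proto, sip, sp, dip, dp = flow
    for ace in acl:
        if (ace.proto in ("ip", proto)
                and ipaddress.ip_address(sip) in ace.src
                and ipaddress.ip_address(dip) in ace.dst
                and ace.sport[0] <= sp <= ace.sport[1]
                and ace.dport[0] <= dp <= ace.dport[1]):
            return ace
    return None

def through_pix(acls, flow, *, crypto_acl, pat_address, outbound_acl=None, nat0_acl=None):
    """Model how a PIX handles a connection opened from its inside interface:
    1. an ACL applied 'in' on the inside interface evaluates only this initiating
       packet (replies are admitted by the connection state, not by an ACL);
    2. 'nat (inside) 0 access-list <nat0_acl>' exempts matching flows from NAT,
       everything else is PAT'ed to the outside address;
    3. the crypto map ACL is checked against the post-NAT flow; a flow it does
       not match leaves via the default route unencrypted."""
    if outbound_acl is not None:
        ace = first_match(acls[outbound_acl], flow)
        if ace is None or ace.action == "deny":
            return {"permitted": False, "source_on_wire": None, "encrypted": False}
    exempt = nat0_acl is not None and first_match(acls[nat0_acl], flow) is not None
    src = flow[1] if exempt else pat_address
    encrypted = first_match(acls[crypto_acl], (flow[0], src) + flow[2:]) is not None
    return {"permitted": True, "source_on_wire": src, "encrypted": encrypted}

if __name__ == "__main__":
    a, b = parse_acls(SITE_A), parse_acls(SITE_B)
    sql = ("tcp", "172.16.1.50", 4000, "192.168.150.2", 1433)   # constructed A -> B client flow
    rdp = ("tcp", "192.168.150.10", 5000, "172.16.1.11", 3389)  # constructed B -> A client flow
    for nat0 in ("nyc", "no_nat"):
        print(f"A, nat 0 {nat0}:", through_pix(a, sql, crypto_acl="saberex", pat_address=SITE_A_PAT,
                                              outbound_acl="outbound", nat0_acl=nat0))
    print("candidate line matches the SYN?", first_match(a["candidate"], sql) is not None)
    for nat0 in ("saberex", None):
        print(f"B, nat 0 {nat0}:", through_pix(b, rdp, crypto_acl="saberex", pat_address=SITE_B_PAT, nat0_acl=nat0))
```

Running it shows the site A SQL flow arriving at site B from the PAT address under `nat (inside) 0 access-list nyc` and from its real 172.16.1.x address once `no_nat` is in place, which is the address mismatch pollardw described. On site B, removing `nat (inside) 0 access-list saberex` leaves the flow PAT'ed and unmatched by the crypto ACL, so it would leave unencrypted and nothing on 172.16.x.x is reachable, which is why that line has to stay. The `candidate` line never matches the packet an inbound ACL on the inside interface evaluates, because that packet carries the inside host, not the SQL server, as its source.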

Author Comment by pollardw (ID: 18049749)
I removed it and it worked.  I added it back and added

>access-list outbound permit tcp host 192.168.150.4 any eq 1433
and it works.  Thanks for your help.
