Solved

Cisco Pix 506e & 525 Site to Site VPN partially working

Posted on 2006-11-28
Last Modified: 2013-11-16
I have site A and site B connected.  I am able to connect via RDP/FTP/WWW to machines on the other end from either site.  I am trying to make a connection from site A to a SQL server in site B and it will not connect.  I have tried connecting to 2-3 different SQL servers and I get the same results.  We have tried connecting with Enterprise Manager, Query Analyzer, as well as an ODBC connection.  Yes, we can connect to any of the SQL servers with my laptop on the local network, but when I move to the other end of the tunnel the connection fails.

Here is the config from Site A

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <REMOVED> encrypted
passwd <REMOVED> encrypted
hostname cctpix2
domain-name clearcube.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 172.16.1.0 cctcorp1
name 172.16.1.10 mail
name 172.16.1.11 intranet
name 172.16.1.12 winterm
name 172.16.1.13 sfdc
name 172.16.1.14 defect
name 172.16.1.17 ftp
name 172.16.1.26 cctjas
name 172.16.1.33 mail3
name 172.16.1.44 cctflex
name 172.16.1.97 india
name 172.16.1.105 mail2
name 172.16.1.136 gentran
name 172.16.1.146 cctunanet
name 172.16.2.0 cctcorp2
name 172.16.3.0 cctcorp3
name 172.18.1.0 cctnyc
name 172.20.1.0 cctluk
name 192.168.150.0 saberex
access-list nyc permit ip 172.16.1.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list nyc permit ip 172.16.2.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list nyc permit ip 172.16.3.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list gxs permit ip 2x6.1x7.x5.0 255.255.255.0 198.133.250.0 255.255.255.0
access-list saberex permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list saberex permit ip 2x6.1x7.x5.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq domain
access-list outbound permit udp any any eq domain
access-list outbound permit tcp any any eq pop3
access-list outbound permit tcp any any eq smtp
access-list outbound permit tcp any any eq imap4
access-list outbound permit tcp any any eq ftp
access-list outbound permit tcp any any eq 3389
access-list outbound permit udp any any eq 3389
access-list outbound permit tcp any any eq 3306
access-list outbound permit tcp any any eq 3101
access-list outbound permit tcp any any eq https
access-list outbound permit tcp any any eq 888
access-list outbound permit tcp any any eq ssh
access-list outbound permit tcp any any eq telnet
access-list outbound permit tcp any any eq 47804
access-list outbound permit tcp any any eq 8916
access-list outbound permit tcp any any eq 8080
access-list outbound permit udp any any eq 418
access-list outbound permit tcp any any eq 418
access-list outbound permit tcp any any eq 1533
access-list outbound permit tcp any any eq nntp
access-list outbound permit tcp any any eq 7001
access-list outbound permit tcp any any eq 81
access-list outbound permit tcp any any eq 563
access-list outbound permit tcp any any eq 2082
access-list outbound permit tcp any any eq 993
access-list outbound permit tcp any any eq 27000
access-list outbound permit tcp any any eq 27001
access-list outbound permit tcp any any eq 6050
access-list outbound permit tcp any any eq 6051
access-list outbound permit udp any any eq 6050
access-list outbound permit udp any any eq 6051
access-list outbound permit tcp any any eq 5800
access-list outbound permit tcp any any eq 5900
access-list outbound permit tcp any any eq 123
access-list outbound permit tcp any any eq 5050
access-list outbound permit tcp any any eq 7618
access-list outbound permit tcp any any eq 2080
access-list outbound permit tcp any any eq 465
access-list outbound permit tcp any any eq 8010
access-list outbound permit tcp any any eq 1433
access-list outbound deny ip any any
access-list outbound deny udp any any
access-list outbound deny tcp any any
pager lines 24
logging on
logging buffered debugging
no logging message 710005
mtu outside 1500
mtu inside 1500
ip address outside 2x6.1x7.x5.254 255.255.255.0
ip address inside 172.16.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 2x6.1x7.x5.102-2x6.1x7.x5.200 netmask 255.255.255.0
global (outside) 1 2x6.1x7.x5.201
nat (inside) 0 access-list nyc
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2x6.1x7.x5.10 172.16.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.11 172.16.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.15 172.16.1.12 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.13 172.16.1.13 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.95 172.16.1.14 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.17 172.16.1.17 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.93 172.16.1.26 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.12 172.16.1.33 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.44 172.16.1.44 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.97 172.16.1.97 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.9 172.16.1.105 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.222 172.16.1.136 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.96 172.16.1.146 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.94 172.16.1.149 netmask 255.255.255.255 0 0
static (inside,outside) 2x6.1x7.x5.86 172.16.1.86 netmask 255.255.255.255 0 0
access-group outbound in interface inside
conduit permit tcp host 2x6.1x7.x5.9 eq www any
conduit permit tcp host 2x6.1x7.x5.9 eq smtp any
conduit permit tcp host 2x6.1x7.x5.9 eq imap4 any
conduit permit tcp host 2x6.1x7.x5.9 eq pop3 any
conduit permit tcp host 2x6.1x7.x5.10 eq www any
conduit permit tcp host 2x6.1x7.x5.10 eq smtp any
conduit permit tcp host 2x6.1x7.x5.10 eq imap4 any
conduit permit tcp host 2x6.1x7.x5.10 eq pop3 any
conduit permit tcp host 2x6.1x7.x5.11 eq www any
conduit permit tcp host 2x6.1x7.x5.12 eq www any
conduit permit tcp host 2x6.1x7.x5.12 eq smtp any
conduit permit tcp host 2x6.1x7.x5.12 eq imap4 any
conduit permit tcp host 2x6.1x7.x5.12 eq pop3 any
conduit permit tcp host 2x6.1x7.x5.13 eq www any
conduit permit tcp host 2x6.1x7.x5.13 eq 2121 any
conduit permit tcp host 2x6.1x7.x5.13 eq 81 any
conduit permit tcp host 2x6.1x7.x5.13 eq 8080 any
conduit permit tcp host 2x6.1x7.x5.13 eq 3389 any
conduit permit tcp host 2x6.1x7.x5.15 eq 3389 any
conduit permit tcp host 2x6.1x7.x5.17 eq ftp any
conduit permit tcp host 2x6.1x7.x5.44 eq 27000 any
conduit permit tcp host 2x6.1x7.x5.44 eq 27001 any
conduit permit tcp host 2x6.1x7.x5.93 eq 81 any
conduit permit tcp host 2x6.1x7.x5.95 eq www any
conduit permit tcp host 2x6.1x7.x5.96 eq www any
conduit permit tcp host 2x6.1x7.x5.97 eq www any
conduit permit tcp host 2x6.1x7.x5.97 eq 3306 any
conduit permit tcp host 2x6.1x7.x5.97 eq https any
conduit permit tcp host 2x6.1x7.x5.97 eq ssh any
conduit permit tcp host 2x6.1x7.x5.97 eq telnet any
conduit permit tcp host 2x6.1x7.x5.97 eq 2082 any
conduit permit tcp host 2x6.1x7.x5.97 eq ftp any
conduit permit tcp host 2x6.1x7.x5.222 eq ftp-data any
conduit permit tcp host 2x6.1x7.x5.222 eq ftp any
conduit permit tcp host 2x6.1x7.x5.222 eq 3389 any
conduit permit tcp host 2x6.1x7.x5.94 eq 81 any
conduit permit tcp host 2x6.1x7.x5.86 eq 8010 any
route outside 0.0.0.0 0.0.0.0 2x6.1x7.x5.1 1
route inside 172.16.2.0 255.255.255.0 172.16.1.1 1
route inside 172.16.3.0 255.255.255.0 172.16.1.1 1
route inside 172.20.1.0 255.255.255.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set nycpix esp-3des esp-md5-hmac
crypto ipsec transform-set edi-set esp-3des esp-md5-hmac
crypto ipsec transform-set cct-sbrxvpn esp-3des esp-md5-hmac
crypto map vpn-map 5 ipsec-isakmp
crypto map vpn-map 5 match address nyc
crypto map vpn-map 5 set peer 6x.8x.20x.82
crypto map vpn-map 5 set transform-set nycpix
crypto map vpn-map 10 ipsec-isakmp
crypto map vpn-map 10 match address saberex
crypto map vpn-map 10 set peer 7x.15x.18x.178
crypto map vpn-map 10 set transform-set cct-sbrxvpn
crypto map vpn-map 15 ipsec-isakmp
crypto map vpn-map 15 match address gxs
crypto map vpn-map 15 set peer 20x.9x.18x.149
crypto map vpn-map 15 set transform-set edi-set
crypto map vpn-map interface outside
isakmp enable outside
isakmp key ******** address 6x.8x.20x.82 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 20x.9x.18x.149 netmask 255.255.255.255
isakmp key ******** address 7x.15x.18x.178 netmask 255.255.255.248
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
telnet timeout 30
ssh timeout 60
management-access inside
console timeout 0
terminal width 80


Here is the config from Site B

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <REMOVED> encrypted
passwd <REMOVED> encrypted
hostname cct-sbrxvpn
domain-name clearcube.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 172.16.2.0 cctcorp2
name 172.16.3.0 cctcorp3
name 192.168.150.0 saberex
name 172.16.1.0 cctcorp1
access-list saberex permit ip 192.168.150.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list saberex permit ip 192.168.150.0 255.255.255.0 206.127.5.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 7x.15x.18x.178 255.255.255.248
ip address inside 192.168.150.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 7x.15x.18x.179
nat (inside) 0 access-list saberex
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 7x.15x.18x.182 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set cctpix esp-3des esp-md5-hmac
crypto map vpn-map 10 ipsec-isakmp
crypto map vpn-map 10 match address saberex
crypto map vpn-map 10 set peer 2x6.1x7.x5.254
crypto map vpn-map 10 set transform-set cctpix
crypto map vpn-map interface outside
isakmp enable outside
isakmp key ******** address 2x6.1x7.x5.254 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Any help would be greatly appreciated.
Question by:pollardw
Expert Comment

by:lrmoore
Are you using TCP/IP for the ODBC connection, or named pipes?
You should be using TCP/IP
Do you have Netbios name resolution working between the two sites?
Can you ping the remote SQL server by name?

Author Comment

by:pollardw
We are using TCP/IP, static on port 1433.
No, we do not have NetBIOS working between the sites.  We are using the IP.
No, we have ICMP turned off on all routers and switches at site B.
Expert Comment

by:lrmoore
The PIX is open "IP", which means all ports and protocols across the VPN tunnel. There is no reason why port 1433 would not be allowed.
Except . . .
>access-list outbound permit tcp any any eq 1433
This one might be a stumbling block.

Realizing the direction of data flow relative to the placement of the acl, it might have to be something like:
 access-list outbound permit tcp host <SQL server> eq 1433 any gt 1024

http://support.microsoft.com/kb/287932

First try removing the outbound acl from the inside interface and try the SQL.
If it works, then we know for sure that it is the acl that is the culprit.
Author Comment

by:pollardw
I removed "access-list outbound permit tcp any any eq 1433" and tried it - no luck.
I added "access-list outbound permit tcp host 192.168.150.2 eq 1433 any gt 1024" - no luck.

I noticed one thing though when referencing the link you sent.  Connecting to a SQL server has a three-way handshake.  When connecting from site B to site A I have to use 2x6.1x7.x5.xxx to connect to one of the machines.  This has been fine, as we will never be connecting to anything from site B to site A.  With that being said, when I connect to the SQL server (192.168.150.2) from site A I am using a 172.16.1.xxx address, not a 2x6.1x7.x5.xxx address.  Is there a reason why I cannot connect to the 172.x.x.x network from site B?  The reason I ask is that when I initiate a connection from 172.x.x.x to 192.x.x.x, for the three-way handshake to be successful it will need to be able to communicate back to the 172.x.x.x network and not the 2x6.1x7.x5.xxx network.  I think this has something to do with it.
Expert Comment

by:lrmoore
Try adding this to A:
access-list nyc permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0

Actually, I would clean it up a bit and create a new ACL for no_nat:

\\-- given the following
access-list nyc permit ip 172.16.1.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list nyc permit ip 172.16.2.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list nyc permit ip 172.16.3.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list saberex permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0

\\-- add these
access-list no_nat permit ip 172.16.0.0 255.255.0.0 172.18.1.0 255.255.255.0
access-list no_nat permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0

\\-- change this
no nat (inside) 0 access-list nyc
nat (inside) 0 access-list no_nat

Author Comment

by:pollardw
Made these changes and I get the same results.  Do you see anything wrong in site B's config?  I cannot connect to any 172.16.x.x addresses from there.  I can only connect to the public side, 2x6.1x7.x5.xxx.  I believe once I can connect to a 172.16.x.x address from site B rather than the 2x6.1x7.x5.xxx IPs, I will be able to make the three-way handshake.
Expert Comment

by:lrmoore
>isakmp policy 10 group 1
Set this to group 2 on Site B

Everything else is there at site B.

Match traffic from 192.168.150.0 --> 172.16.1.0:
>access-list saberex permit ip 192.168.150.0 255.255.255.0 172.16.1.0 255.255.255.0

Don't NAT traffic that matches that ACL:
>nat (inside) 0 access-list saberex

Any traffic matching that ACL, encrypt it and send it to the designated peer:
>crypto map vpn-map 10 match address saberex

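Added example, not part of the thread and not code from either PIX: a small Python model of the three checks that come up in the thread for a packet leaving Site A's inside interface, in the order the PIX applies them. First the "outbound" ACL bound with "access-group outbound in interface inside" (lrmoore's point about the direction of the flow relative to where the ACL sits), then the "nat (inside) 0 access-list" exemption, and finally the crypto map "match address" ACL, which the PIX evaluates against the packet after NAT. The private addresses are the ones posted above; 203.0.113.0/24 is a placeholder for the masked public block 2x6.1x7.x5.0/24, 203.0.113.102 a placeholder for an address from Site A's global pool, and 172.16.1.50 with source port 3122 a hypothetical SQL client. It models ACL and NAT-exemption semantics only; the PIX connection table that admits the server's reply is represented by a comment, not code.

```python
"""Added example (not the thread's own code): model of the three checks a PIX 6.3
applies to a packet leaving the inside interface: the interface ACL ('outbound'), the
nat 0 exemption ACL, and the crypto map ACL, which the PIX matches after NAT.
Private addresses are the thread's; 203.0.113.0/24 and 203.0.113.102 are placeholders
for the masked public block 2x6.1x7.x5.0/24 and a global-pool address."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "proto src dst sport dport")  # proto is "tcp", "udp" or "ip"


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq|gt P] DST [eq|gt P]' with the
    address forms the thread uses: 'any', 'host A', 'A MASK'."""
    tok = line.split()
    name, action, proto = tok[1], tok[2], tok[3]
    pos = 4

    def addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[pos] == "host":
            pos += 2
            return ipaddress.ip_network(tok[pos - 1] + "/32")
        pos += 2
        return ipaddress.ip_network(f"{tok[pos - 2]}/{tok[pos - 1]}", strict=False)

    def port():
        nonlocal pos
        if pos < len(tok) and tok[pos] in ("eq", "gt"):
            pos += 2
            return tok[pos - 2], int(tok[pos - 1])
        return None  # no port qualifier: any port matches

    src, sport, dst, dport = addr(), port(), addr(), port()
    return name, (action == "permit", proto, src, sport, dst, dport)


def load_acls(config_text):
    acls = {}
    for line in config_text.strip().splitlines():
        if line.startswith("access-list"):
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
    return acls


def acl_permits(acl, flow):
    """First matching entry wins; a PIX ACL ends in an implicit deny."""
    def port_ok(spec, port):
        return spec is None or (port == spec[1] if spec[0] == "eq" else port > spec[1])
    for permit, proto, src, sport, dst, dport in acl:
        if (proto in ("ip", flow.proto) and ipaddress.ip_address(flow.src) in src
                and ipaddress.ip_address(flow.dst) in dst
                and port_ok(sport, flow.sport) and port_ok(dport, flow.dport)):
            return permit
    return False


def egress_decision(acls, flow, nat0_acl, crypto_acl, global_ip):
    """Fate of one inside->outside flow on Site A: interface ACL, then NAT, then crypto map."""
    if not acl_permits(acls["outbound"], flow):      # access-group outbound in interface inside
        return {"permitted": False}
    exempt = acl_permits(acls[nat0_acl], flow)       # nat (inside) 0 access-list <nat0_acl>
    src_on_wire = flow.src if exempt else global_ip  # otherwise nat (inside) 1 -> global pool
    wire = flow._replace(src=src_on_wire)            # the crypto ACL sees the translated packet
    return {"permitted": True, "nat_exempt": exempt, "src_on_wire": src_on_wire,
            "tunneled": acl_permits(acls[crypto_acl], wire)}


# Constructed excerpt of Site A's ACLs plus the proposed no_nat list; the alternative 1433
# entry suggested earlier in the thread is kept in its own list for the direction check.
SITE_A = """
access-list outbound permit tcp any any eq 1433
access-list outbound deny ip any any
access-list nyc permit ip 172.16.1.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list saberex permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list saberex permit ip 203.0.113.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list no_nat permit ip 172.16.0.0 255.255.0.0 172.18.1.0 255.255.255.0
access-list no_nat permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list reply_form permit tcp host 192.168.150.2 eq 1433 any gt 1024
"""
GLOBAL_POOL_IP = "203.0.113.102"  # placeholder for an address from Site A's global pool
SQL_CLIENT = Flow("tcp", "172.16.1.50", "192.168.150.2", 3122, 1433)  # hypothetical client SYN


def sql_flow_decision(nat0_acl):
    """Run the SQL client's SYN through Site A with nat 0 bound to the given ACL
    ('nyc' as posted, or the proposed 'no_nat')."""
    return egress_decision(load_acls(SITE_A), SQL_CLIENT, nat0_acl, "saberex", GLOBAL_POOL_IP)


def direction_check():
    """'host <SQL> eq 1433 any gt 1024' describes the server's reply, not the client's SYN
    entering the inside interface; that reply arrives on the outside interface, where
    'outbound' is not applied, and is admitted by the PIX connection table."""
    acl = load_acls(SITE_A)["reply_form"]
    reply = Flow("tcp", SQL_CLIENT.dst, SQL_CLIENT.src, SQL_CLIENT.dport, SQL_CLIENT.sport)
    return acl_permits(acl, SQL_CLIENT), acl_permits(acl, reply)


if __name__ == "__main__":
    print("nat 0 = nyc   :", sql_flow_decision("nyc"))
    print("nat 0 = no_nat:", sql_flow_decision("no_nat"))
    print("client SYN, server reply vs the reply-form entry:", direction_check())
```

With nat 0 bound to "nyc", as in the posted Site A config, the client's SYN to 192.168.150.2 is not exempt, leaves with a global-pool source address and is selected for the tunnel only by the second "saberex" line (the public-block one); with the proposed "no_nat" list it keeps its 172.16.1.50 source and matches the first line. The direction check returns (False, True): the reply-form entry never matches the client's SYN on the inside interface, only the server's reply, which is what lrmoore's remark about the direction of the flow relative to the ACL was getting at.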
Author Comment

by:pollardw
OK, so I had to leave
>nat (inside) 0 access-list saberex

When it was removed from site B I could not connect to anything on the 172.16.x.x network.  With the other recommended changes I am able to connect to any machine using any protocol from site B to site A.  I can even make an ODBC connection as well.

From site A to site B I can still connect to any machine with any protocol, except for connectivity to any SQL server.  I have installed SQL on my laptop.  No local firewall, no GPOs, etc., and I cannot make an ODBC connection to it either.

Any other suggestions?
Accepted Solution

by:lrmoore (earned 500 total points)
>OK, so I had to leave
>>nat (inside) 0 access-list saberex
Yes, you need to keep this entry. I was simply explaining that this is a NAT bypass.

Try removing the ACL completely on site A:
   no access-group outbound in interface inside

Then try again. It has to be the access-list.
Author Comment

by:pollardw
I removed it and it worked.  I added it back and added

>access-list outbound permit tcp host 192.168.150.4 any eq 1433

and it works.  Thanks for your help.
