Solved

PIX IPSec passthrough

Posted on 2007-04-02
2
499 Views
Last Modified: 2012-06-21
Hi
I'm having an issue with IPSec protocol. I want to connect to an external VPN (other CISCO VPN).

From my network, i can connect to the external VPN, but I can do nothing. I want to use Remote Desktop for controle a pc in the other network.

I dont know what rules add's in my PIX to open IPSec  passthrough.


Thank's

My conf :


PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
enable password ************* encrypted
passwd ************ encrypted
hostname **********
domain-name ************
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.100.0.20 SRVWEB
access-list outside_cryptomap_dyn_60 permit ip any 10.11.0.0 255.255.255.0
access-list ACL-Outside permit tcp any host 206.X.X.220 eq smtp
access-list ACL-Outside permit tcp any host 206.X.X.221 eq smtp
access-list ACL-Outside permit tcp any host 206.X.X.220 eq www
access-list ACL-Outside permit tcp any host 206.X.X.220 eq domain
access-list ACL-Outside permit udp any host 206.X.X.220 eq domain
access-list ACL-Outside permit tcp any host 206.X.X.220 eq ftp
access-list ACL-Outside permit tcp any host 206.X.X.221 eq pop3

access-list 100 permit ip 10.0.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 100 permit icmp 10.0.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 100 permit ip 10.11.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list 100 permit icmp 10.11.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list ACL-Inside permit ip any any
access-list noNATDMZ permit ip 10.100.0.0 255.255.0.0 10.11.0.0 255.255.255.0
access-list noNATDMZ permit ip 10.100.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list bypassingNAT permit ip 10.100.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list bypassingNAT permit ip 10.0.0.0 255.255.0.0 10.11.0.0 255.255.255.0

access-list 200 permit ip 10.0.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list 200 permit ip 10.0.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list 200 permit ip 10.0.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 200 permit ip 10.100.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 200 permit ip 10.0.0.0 255.255.0.0 host 206.X.X.220
access-list 200 permit ip 10.100.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list 200 permit ip 10.11.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list 102 permit ip any any
access-list 110 permit ip host 10.10.0.1 any
access-list 110 permit ip host 10.0.0.21 any
access-list 110 permit ip host 10.0.0.22 any
access-list 400 permit ip any any
access-list 400 permit icmp any any
access-list acl_out permit tcp any host X.X.X.X eq https
access-list acl_out permit tcp any host X.X.X.X eq https
access-list 500 permit ip 10.0.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list 500 permit ip 10.0.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list 500 permit tcp 10.0.0.0 255.255.0.0 host SRVWEB
access-list 600 permit tcp host X.X.X.X 10.0.0.0 255.255.0.0 eq 445
access-list 600 permit udp host X.X.X.X 10.0.0.0 255.255.0.0 eq 389
access-list 600 permit tcp host X.X.X.X 10.0.0.0 255.255.0.0 eq ldap
access-list 600 permit udp host X.X.X.X 10.0.0.0 255.255.0.0 eq 88
access-list 600 permit udp host X.X.X.X 10.0.0.0 255.255.0.0 eq domain
access-list 600 permit tcp host X.X.X.X 10.0.0.0 255.255.0.0 eq 1026
access-list 600 permit tcp host X.X.X.X 10.0.0.0 255.255.0.0 eq netbios-
ssn
access-list 600 permit tcp host X.X.X.X 10.0.0.0 255.255.0.0 eq 135
access-list 600 permit icmp host SRVWEB 10.0.0.0 255.255.0.0
access-list 600 permit ip 10.0.0.0 255.255.0.0 any
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap warnings
logging history debugging
logging host inside 10.0.0.133
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu Terminal 1500
mtu Laboratoire 1500
mtu consultik 1500
ip address outside X.X.X.X 255.255.255.248
ip address inside 10.0.0.1 255.255.0.0
ip address DMZ 10.100.0.1 255.255.0.0

ip audit name attack-sign attack action reset
ip audit name info-sign info action alarm
ip audit interface outside info-sign
ip audit interface outside attack-sign
ip audit info action alarm
ip audit attack action reset
ip audit signature 2000 disable
ip audit signature 2004 disable
ip local pool clients 10.11.0.1-10.11.0.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
no failover ip address Terminal
no failover ip address Laboratoire
no failover ip address consultik

arp timeout 14400
global (outside) 1 206.X.X.X
global (DMZ) 1 interface
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
nat (DMZ) 0 access-list 200
nat (DMZ) 1 10.100.0.0 255.255.0.0 0 0
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 206.X.X.220 SRVWEB netmask 255.255.255.255 0 0
static (inside,outside) 206.X.X.221 10.0.0.20 netmask 255.255.255.255 0 0
static (inside,outside) 206.X.X.222 10.0.0.20 netmask 255.255.255.255 0 0
access-group 600 in interface DMZ
conduit permit icmp any any
conduit permit tcp host 206.X.X.220 eq domain any
conduit permit udp host 206.X.X.220 eq domain any
conduit permit tcp host 206.X.X.220 eq www any
conduit permit tcp host 206.X.X.220 eq https any
conduit permit tcp host 206.X.X.221 eq smtp any
conduit permit tcp host 206.X.X.221 eq www any
conduit permit tcp host 206.X.X.220 eq smtp any
conduit permit tcp host 206.X.X.223 eq ldap any
conduit permit tcp host 206.X.X.223 eq 522 any
conduit permit tcp host 206.X.X.223 eq 1503 any
conduit permit tcp host 206.X.X.223 eq h323 any
conduit permit tcp host 206.X.X.223 eq 1731 any
conduit permit tcp host 206.X.X.218 eq ldap any
conduit permit tcp host 206.X.X.218 eq www any
conduit permit tcp host 206.X.X.222 eq ldap any
conduit permit tcp host 206.X.X.222 eq h323 any
conduit permit tcp host 206.X.X.222 eq 1731 any
conduit permit tcp host 206.X.X.222 eq 522 any
conduit permit tcp host 206.X.X.222 eq 1503 any
conduit permit tcp host 206.X.X.221 eq 3389 any
conduit permit tcp host 206.X.X.222 eq smtp any
route outside 0.0.0.0 0.0.0.0 206.X.X.217 0
route outside 10.0.10.51 255.255.255.255 206.X.X.217 1
route outside 10.0.10.61 255.255.255.255 206.X.X.217 1
route outside 10.0.20.51 255.255.255.255 206.X.X.217 1
route outside 10.0.20.61 255.255.255.255 206.X.X.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.21 harfant timeout 10
aaa-server LOCAL protocol local
http server enable
http 216.226.44.195 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.114 255.255.255.255 inside
http 10.0.0.21 255.255.255.255 inside
http 10.0.0.153 255.255.255.255 inside
http 10.0.0.107 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt nodnsalias inbound
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set strongDES esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 40 set transform-set myset
crypto dynamic-map dynmap 60 set transform-set ESP-3DES-MD5
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 set peer 206.X.X.1
crypto map newmap 10 set transform-set strongDES
! Incomplete
crypto map newmap 40 ipsec-isakmp dynamic dynmap
crypto map newmap client configuration address initiate
crypto map newmap client configuration address respond
crypto map newmap client authentication RADIUS
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 206.167.48.1 netmask 255.255.255.255
isakmp identity address
isakmp client configuration address-pool local clients outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup vpn-usagers address-pool clients
vpngroup vpn-usagers dns-server 10.0.0.21 10.0.0.22
vpngroup vpn-usagers wins-server 10.0.0.22
vpngroup vpn-usagers split-tunnel split-tunnel
vpngroup vpn-usagers idle-time 6000
vpngroup vpn-usagers password ********
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5

console timeout 0
terminal width 80
Cryptochecksum:
: end
0
Comment
Question by:jeansebgrenon
2 Comments
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 18839043
ip local pool clients 10.11.0.1-10.11.0.254   this looks like class c (cant see mask)
access-list 200 permit ip 10.0.0.0 255.255.0.0 10.11.0.0 255.255.0.0   this looks like class b
             *I cant see any tunneling. Following may help
group-policy rvpn internal
      group-policy rvpn attributes
        vpn-tunnel-protocol IPSec
        split-tunnel-policy tunnelspecified
        split-tunnel-network-list value rvpn_splitTunnelAcl
     tunnel-group rvpn type ipsec-ra
      tunnel-group rvpn general-attributes
        default-group-policy rvpn
        authentication-server-group  tacacs+
        address-pool  rvpnpool
      tunnel-group rvpn ipsec-attributes
        pre-shared-key xxx
           
          and conf nat as following
nat (DMZ) 0 access-list 200 tcp 0 0 udp 0

0
 

Author Comment

by:jeansebgrenon
ID: 18839252
I want to open port to do IPSEc with an other VPN network. In my PIX, i should do an ACL to open IPSE

JS
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now