Solved

PIX IPSec passthrough

Posted on 2007-04-02
2
501 Views
Last Modified: 2012-06-21
Hi
I'm having an issue with IPSec protocol. I want to connect to an external VPN (other CISCO VPN).

From my network, i can connect to the external VPN, but I can do nothing. I want to use Remote Desktop for controle a pc in the other network.

I dont know what rules add's in my PIX to open IPSec  passthrough.


Thank's

My conf :


PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
enable password ************* encrypted
passwd ************ encrypted
hostname **********
domain-name ************
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.100.0.20 SRVWEB
access-list outside_cryptomap_dyn_60 permit ip any 10.11.0.0 255.255.255.0
access-list ACL-Outside permit tcp any host 206.X.X.220 eq smtp
access-list ACL-Outside permit tcp any host 206.X.X.221 eq smtp
access-list ACL-Outside permit tcp any host 206.X.X.220 eq www
access-list ACL-Outside permit tcp any host 206.X.X.220 eq domain
access-list ACL-Outside permit udp any host 206.X.X.220 eq domain
access-list ACL-Outside permit tcp any host 206.X.X.220 eq ftp
access-list ACL-Outside permit tcp any host 206.X.X.221 eq pop3

access-list 100 permit ip 10.0.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 100 permit icmp 10.0.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 100 permit ip 10.11.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list 100 permit icmp 10.11.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list ACL-Inside permit ip any any
access-list noNATDMZ permit ip 10.100.0.0 255.255.0.0 10.11.0.0 255.255.255.0
access-list noNATDMZ permit ip 10.100.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list bypassingNAT permit ip 10.100.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list bypassingNAT permit ip 10.0.0.0 255.255.0.0 10.11.0.0 255.255.255.0

access-list 200 permit ip 10.0.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list 200 permit ip 10.0.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list 200 permit ip 10.0.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 200 permit ip 10.100.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 200 permit ip 10.0.0.0 255.255.0.0 host 206.X.X.220
access-list 200 permit ip 10.100.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list 200 permit ip 10.11.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list 102 permit ip any any
access-list 110 permit ip host 10.10.0.1 any
access-list 110 permit ip host 10.0.0.21 any
access-list 110 permit ip host 10.0.0.22 any
access-list 400 permit ip any any
access-list 400 permit icmp any any
access-list acl_out permit tcp any host X.X.X.X eq https
access-list acl_out permit tcp any host X.X.X.X eq https
access-list 500 permit ip 10.0.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list 500 permit ip 10.0.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list 500 permit tcp 10.0.0.0 255.255.0.0 host SRVWEB
access-list 600 permit tcp host X.X.X.X 10.0.0.0 255.255.0.0 eq 445
access-list 600 permit udp host X.X.X.X 10.0.0.0 255.255.0.0 eq 389
access-list 600 permit tcp host X.X.X.X 10.0.0.0 255.255.0.0 eq ldap
access-list 600 permit udp host X.X.X.X 10.0.0.0 255.255.0.0 eq 88
access-list 600 permit udp host X.X.X.X 10.0.0.0 255.255.0.0 eq domain
access-list 600 permit tcp host X.X.X.X 10.0.0.0 255.255.0.0 eq 1026
access-list 600 permit tcp host X.X.X.X 10.0.0.0 255.255.0.0 eq netbios-
ssn
access-list 600 permit tcp host X.X.X.X 10.0.0.0 255.255.0.0 eq 135
access-list 600 permit icmp host SRVWEB 10.0.0.0 255.255.0.0
access-list 600 permit ip 10.0.0.0 255.255.0.0 any
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap warnings
logging history debugging
logging host inside 10.0.0.133
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu Terminal 1500
mtu Laboratoire 1500
mtu consultik 1500
ip address outside X.X.X.X 255.255.255.248
ip address inside 10.0.0.1 255.255.0.0
ip address DMZ 10.100.0.1 255.255.0.0

ip audit name attack-sign attack action reset
ip audit name info-sign info action alarm
ip audit interface outside info-sign
ip audit interface outside attack-sign
ip audit info action alarm
ip audit attack action reset
ip audit signature 2000 disable
ip audit signature 2004 disable
ip local pool clients 10.11.0.1-10.11.0.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
no failover ip address Terminal
no failover ip address Laboratoire
no failover ip address consultik

arp timeout 14400
global (outside) 1 206.X.X.X
global (DMZ) 1 interface
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
nat (DMZ) 0 access-list 200
nat (DMZ) 1 10.100.0.0 255.255.0.0 0 0
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 206.X.X.220 SRVWEB netmask 255.255.255.255 0 0
static (inside,outside) 206.X.X.221 10.0.0.20 netmask 255.255.255.255 0 0
static (inside,outside) 206.X.X.222 10.0.0.20 netmask 255.255.255.255 0 0
access-group 600 in interface DMZ
conduit permit icmp any any
conduit permit tcp host 206.X.X.220 eq domain any
conduit permit udp host 206.X.X.220 eq domain any
conduit permit tcp host 206.X.X.220 eq www any
conduit permit tcp host 206.X.X.220 eq https any
conduit permit tcp host 206.X.X.221 eq smtp any
conduit permit tcp host 206.X.X.221 eq www any
conduit permit tcp host 206.X.X.220 eq smtp any
conduit permit tcp host 206.X.X.223 eq ldap any
conduit permit tcp host 206.X.X.223 eq 522 any
conduit permit tcp host 206.X.X.223 eq 1503 any
conduit permit tcp host 206.X.X.223 eq h323 any
conduit permit tcp host 206.X.X.223 eq 1731 any
conduit permit tcp host 206.X.X.218 eq ldap any
conduit permit tcp host 206.X.X.218 eq www any
conduit permit tcp host 206.X.X.222 eq ldap any
conduit permit tcp host 206.X.X.222 eq h323 any
conduit permit tcp host 206.X.X.222 eq 1731 any
conduit permit tcp host 206.X.X.222 eq 522 any
conduit permit tcp host 206.X.X.222 eq 1503 any
conduit permit tcp host 206.X.X.221 eq 3389 any
conduit permit tcp host 206.X.X.222 eq smtp any
route outside 0.0.0.0 0.0.0.0 206.X.X.217 0
route outside 10.0.10.51 255.255.255.255 206.X.X.217 1
route outside 10.0.10.61 255.255.255.255 206.X.X.217 1
route outside 10.0.20.51 255.255.255.255 206.X.X.217 1
route outside 10.0.20.61 255.255.255.255 206.X.X.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.21 harfant timeout 10
aaa-server LOCAL protocol local
http server enable
http 216.226.44.195 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.114 255.255.255.255 inside
http 10.0.0.21 255.255.255.255 inside
http 10.0.0.153 255.255.255.255 inside
http 10.0.0.107 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt nodnsalias inbound
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set strongDES esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 40 set transform-set myset
crypto dynamic-map dynmap 60 set transform-set ESP-3DES-MD5
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 set peer 206.X.X.1
crypto map newmap 10 set transform-set strongDES
! Incomplete
crypto map newmap 40 ipsec-isakmp dynamic dynmap
crypto map newmap client configuration address initiate
crypto map newmap client configuration address respond
crypto map newmap client authentication RADIUS
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 206.167.48.1 netmask 255.255.255.255
isakmp identity address
isakmp client configuration address-pool local clients outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup vpn-usagers address-pool clients
vpngroup vpn-usagers dns-server 10.0.0.21 10.0.0.22
vpngroup vpn-usagers wins-server 10.0.0.22
vpngroup vpn-usagers split-tunnel split-tunnel
vpngroup vpn-usagers idle-time 6000
vpngroup vpn-usagers password ********
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5

console timeout 0
terminal width 80
Cryptochecksum:
: end
0
Comment
Question by:jeansebgrenon
2 Comments
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 18839043
ip local pool clients 10.11.0.1-10.11.0.254   this looks like class c (cant see mask)
access-list 200 permit ip 10.0.0.0 255.255.0.0 10.11.0.0 255.255.0.0   this looks like class b
             *I cant see any tunneling. Following may help
group-policy rvpn internal
      group-policy rvpn attributes
        vpn-tunnel-protocol IPSec
        split-tunnel-policy tunnelspecified
        split-tunnel-network-list value rvpn_splitTunnelAcl
     tunnel-group rvpn type ipsec-ra
      tunnel-group rvpn general-attributes
        default-group-policy rvpn
        authentication-server-group  tacacs+
        address-pool  rvpnpool
      tunnel-group rvpn ipsec-attributes
        pre-shared-key xxx
           
          and conf nat as following
nat (DMZ) 0 access-list 200 tcp 0 0 udp 0

0
 

Author Comment

by:jeansebgrenon
ID: 18839252
I want to open port to do IPSEc with an other VPN network. In my PIX, i should do an ACL to open IPSE

JS
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ASA 5520 problem with Failover in Active/Standby 8 68
Outgoing Call restriction in Cisco UC560 2 92
Firmware for ISR4321 Router 6 47
Cisco Router / Switch - NAT 10 43
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question