DCProfessional (United States) asked:
VPN to pix 506e NAT issue

I know there are a million questions and answers on this topic -- however, this is for a network of 200+ users in a doctor's office with remote locations... and if I make one wrong move, I'm toast :)

I've set up a VPN connection, and it connects... but I can't ping or do any traffic.

Now, I know it's an ACL issue... but I'm not confident about playing with this and not breaking it.


Currently, these are the entries I entered through SSH for the VPN connection (and by "entered" I mean PDM doesn't work too well on that PIX, so I have to do it from my previous configs):

vpngroup XXXXeyedoctors password *****
ip local pool XXXXeyevpn 10.10.4.10-10.10.4.14
vpngroup XXXXeyedoctors address-pool XXXXeyevpn
vpngroup XXXXeyedoctors dns-server 10.10.3.2
vpngroup XXXXeyedoctors wins-server 10.10.3.2
vpngroup XXXXeyedoctors default-domain XXXXeye.local
isakmp policy 21 authen pre-share
isakmp policy 21 encrypt 3des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp enable outside
access-list XXXXeyedoctors_splitTunnelAcl permit ip 10.10.3.0 255.255.255.0  any
access-list no-nat line 5 permit ip 10.10.3.0 255.255.255.0  10.10.4.8 255.255.255.248
nat (inside) 0 access-list no-nat
access-list outside_cryptomap_dyn_20 permit ip any  10.10.4.8 255.255.255.248
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 86400 kilobytes 50000
crypto map leevpnmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map leevpnmap interface outside
vpngroup XXXXeyedoctors split-tunnel XXXXeyedoctors_splitTunnelAcl
sysopt connection permit-ipsec
ASKER CERTIFIED SOLUTION by Les Moore (United States)
DCProfessional (asker):

Didn't work -- still can't ping internal IP.

This site has two site-to-site PIX VPN tunnels to it.


: Saved
: Written by enable_15 at 11:49:38.137 UTC Fri Aug 17 2007
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **************** encrypted
passwd ********** encrypted
hostname PixVilXXX
domain-name XXXXEye.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service RDP tcp
  port-object range 3389 3389
access-list leevpn permit ip 10.10.1.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list leevpn permit ip 10.10.3.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list no-nat permit ip 10.10.3.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list no-nat permit ip 10.10.1.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list no-nat permit ip 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list no-nat permit ip 10.10.3.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list no-nat permit ip 10.10.3.0 255.255.255.0 10.10.4.8 255.255.255.248
access-list eusvpn permit ip 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list eusvpn permit ip 10.10.3.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list out2in permit tcp any interface outside eq 3389
access-list out2in permit tcp any interface outside eq 3390
access-list XXXXeyedoctors_splitTunnelAcl permit ip 10.10.3.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 10.10.4.8 255.255.255.248
pager lines 24
logging on
logging console debugging
logging monitor notifications
mtu outside 1500
mtu inside 1500
ip address outside 12.15x.xx.xx 255.255.255.240
ip address inside 10.10.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool XXXXeyevpn 10.10.4.10-10.10.4.14
pdm location 10.10.1.0 255.255.255.0 inside
pdm location 10.10.2.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.10.1.0 255.255.255.0 outside
pdm location 10.10.2.0 255.255.255.0 outside
pdm location 10.10.3.0 255.255.255.0 outside
pdm location 10.10.3.3 255.255.255.255 inside
pdm location 10.10.3.6 255.255.255.255 inside
pdm location 10.10.3.200 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) udp interface 3390 10.10.3.6 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.10.3.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3390 10.10.3.200 3390 netmask 255.255.255.255 0 0
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 12.15x.xx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside 204.15.13x.xxx /villXXXXeye.cfg
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set leevpnset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map leevpnmap 2 ipsec-isakmp
crypto map leevpnmap 2 match address leevpn
crypto map leevpnmap 2 set peer 12.15x.xx.xxx
crypto map leevpnmap 2 set transform-set leevpnset
crypto map leevpnmap 3 ipsec-isakmp
crypto map leevpnmap 3 match address eusvpn
crypto map leevpnmap 3 set peer 12.154.16.162
crypto map leevpnmap 3 set transform-set leevpnset
crypto map leevpnmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map leevpnmap interface outside
isakmp enable outside
isakmp key ******** address 12.15x.xx.xxx netmask 255.255.255.255
isakmp key ******** address 12.15x.xx.xxx netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
vpngroup XXXXeyedoctors address-pool XXXXeyevpn
vpngroup XXXXeyedoctors dns-server 10.10.3.2
vpngroup XXXXeyedoctors wins-server 10.10.3.2
vpngroup XXXXeyedoctors default-domain XXXXeye.local
vpngroup XXXXeyedoctors split-tunnel XXXXeyedoctors_splitTunnelAcl
vpngroup XXXXeyedoctors idle-time 1800
vpngroup XXXXeyedoctors password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd address 10.10.3.21-10.10.3.254 inside
dhcpd dns 10.10.3.2 12.18x.xx.xxx
dhcpd wins 10.10.1.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain XXXXEye.local
dhcpd auto_config outside
dhcpd enable inside
username cflhd password ************* encrypted privilege 2
terminal width 80
Cryptochecksum:125fb6c8127fb78fe73b463f8d6f3b89
DCProfessional (asker):
Let me correct: it does work! :) I just can't ping.
Les Moore:
You still have "any" in your crypto ACL. It is imperative that you change this.
>access-list outside_cryptomap_dyn_20 permit ip any 10.10.4.8 255.255.255.248

You did not make the change I suggested.

And I don't see these entries that need to be there:
 
 isakmp nat-traversal 20
 isakmp identity address
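The two changes asked for in this reply, plus the NAT-exemption check that the asker's original entries already get right, are the kind of thing worth verifying mechanically before touching a production PIX. The script below is an added example, written for this page and not part of the thread or of any Cisco tooling. It parses the relevant PIX 6.3 lines (access-list, ip local pool, nat 0, crypto dynamic-map match address, isakmp, and the http/ssh/telnet and snmp-server lines), confirms every pool address is covered by the nat 0 ACL, flags "any" as the local side of the dynamic crypto ACL and the missing isakmp nat-traversal / isakmp identity address lines, and additionally flags what the posted config exposes beyond the VPN problem: http and ssh open from 0.0.0.0/0 on the outside interface and the default SNMP community "public". The BROKEN snippet is constructed from lines posted in the thread; the FIXED variant applies this reply's changes, and its 203.0.113.0/24 administrative range and SNMP community string are assumptions for the example only.

```python
"""Lint a PIX 6.3 config for the remote-access VPN pitfalls raised in this thread."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed from the lines posted in the thread (not the full config).
BROKEN = """
ip local pool XXXXeyevpn 10.10.4.10-10.10.4.14
access-list no-nat permit ip 10.10.3.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list no-nat line 5 permit ip 10.10.3.0 255.255.255.0 10.10.4.8 255.255.255.248
access-list out2in permit tcp any interface outside eq 3389
access-list outside_cryptomap_dyn_20 permit ip any 10.10.4.8 255.255.255.248
nat (inside) 0 access-list no-nat
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
snmp-server community public
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
"""

# lrmoore's changes applied; the 203.0.113.0/24 admin range and SNMP string are assumed.
FIXED = (
    BROKEN.replace("permit ip any 10.10.4.8", "permit ip 10.10.3.0 255.255.255.0 10.10.4.8")
    .replace("0.0.0.0 0.0.0.0 outside", "203.0.113.0 255.255.255.0 outside")
    .replace("community public", "community r0-only-Xy")
    + "isakmp nat-traversal 20\nisakmp identity address\n"
)

@dataclass
class PixConfig:
    pools: dict = field(default_factory=dict)       # name -> (first_ip, last_ip)
    acls: dict = field(default_factory=dict)        # name -> [(action, proto, src, dst)]
    dyn_map_acls: set = field(default_factory=set)  # ACLs bound to a crypto dynamic-map
    nat0_acl: str | None = None                     # ACL named by 'nat (inside) 0'
    nat_traversal: bool = False
    identity_address: bool = False
    open_mgmt: list = field(default_factory=list)   # (service, interface) open to 0.0.0.0/0
    snmp_community: str | None = None

def _endpoint(tok, i):
    """ACL endpoint at tok[i] -> (network, next index); None = 'any', 'interface' = interface <name>."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "interface":
        return "interface", i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_pix(text):
    cfg = PixConfig()
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith(":"):       # blank line or ': Saved' header
            continue
        if tok[0] == "access-list":
            rest = tok[4:] if tok[2] == "line" else tok[2:]   # drop optional 'line N'
            src, i = _endpoint(rest, 2)
            dst, _ = _endpoint(rest, i)
            cfg.acls.setdefault(tok[1], []).append((rest[0], rest[1], src, dst))
        elif tok[:3] == ["ip", "local", "pool"]:
            cfg.pools[tok[3]] = tuple(ipaddress.ip_address(a) for a in tok[4].split("-"))
        elif tok[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg.nat0_acl = tok[4]
        elif tok[:2] == ["crypto", "dynamic-map"] and "address" in tok:
            cfg.dyn_map_acls.add(tok[tok.index("address") + 1])
        elif tok[:2] == ["isakmp", "nat-traversal"]:
            cfg.nat_traversal = True
        elif tok[:3] == ["isakmp", "identity", "address"]:
            cfg.identity_address = True
        elif tok[0] in ("http", "ssh", "telnet") and len(tok) == 4:
            if ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False).prefixlen == 0:
                cfg.open_mgmt.append((tok[0], tok[3]))
        elif tok[:2] == ["snmp-server", "community"]:
            cfg.snmp_community = tok[2]
    return cfg

def lint(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Source 'any' in a dynamic crypto ACL matches far more than the inside LAN; pin it.
    for name in sorted(cfg.dyn_map_acls):
        for _action, _proto, src, _dst in cfg.acls.get(name, []):
            if src is None:
                findings.append(f"{name}: crypto ACL source is 'any'; use the inside network")
    # Every pool address must be NAT-exempt, or inside->client replies get PATed.
    exempt = [d for *_, d in cfg.acls.get(cfg.nat0_acl, []) if isinstance(d, ipaddress.IPv4Network)]
    for pname, (first, last) in cfg.pools.items():
        for block in ipaddress.summarize_address_range(first, last):
            if not any(block.subnet_of(e) for e in exempt):
                findings.append(f"pool {pname}: {block} not covered by the nat 0 ACL")
    if not cfg.nat_traversal:
        findings.append("isakmp nat-traversal missing: clients behind NAT will fail")
    if not cfg.identity_address:
        findings.append("isakmp identity address missing")
    for svc, ifc in cfg.open_mgmt:
        findings.append(f"{svc} management open to 0.0.0.0/0 on {ifc}")
    if cfg.snmp_community in ("public", "private"):
        findings.append(f"snmp-server community is the default '{cfg.snmp_community}'")
    return findings
```

Running `lint(parse_pix(BROKEN))` returns six findings (the "any" crypto ACL, the two missing isakmp lines, http and ssh open on outside, and the public SNMP community) while the pool check passes, which matches the thread: the NAT exemption was already right, and it was the crypto ACL and the isakmp settings that lrmoore asked to change. `lint(parse_pix(FIXED))` returns an empty list. To run it against a real `show run`, paste the output into `parse_pix`; unrecognised lines are ignored.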
DCProfessional (asker):
I did make the changes; I just posted a previous config as I didn't feel like changing TFTP :)
Brian:
Are you trying to ping by name or IP, and what address are you trying to ping? A new config will help.
DCProfessional (asker):
Brian,

Pinging by both IP and hostname.

The config above is correct, just adding what lrmoore told me to add :)
Brian:
If you made the corrections that lrmoore stated above, I see no reason why it wouldn't work. What is your subnet at the remote client end?
DCProfessional (asker):
Well, I'm not too concerned with pinging as I am with the functionality of the VPN, which lrmoore did help resolve.

Thanks to all.