Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Problem getting remote VPN working on PIX 506E

Posted on 2007-10-03
8
Medium Priority
?
495 Views
Last Modified: 2012-08-14
I am having trouble configuring a remote VPN client for a Cisco PIX 506.  We had a contractor set up tunnels between our site and several others that work, but he did not set up anything for remote VPN clients.  I am not very knowledgeable on configuring network devices, but I would like to get this working.  Thus far I am just using the PDM and used the wizard to create the VPN.  I can get connected and authenticated fine using a version 4.7 client, but once connected I cannot get to anything on the internal network (I had tried pinging the DNS servers at 192.168.12.5 and 192.168.12.6).  I am sort of suspicious of the one line in the below config that seems (to my limited knowledge) to place associate part of our internal network with the outside interface.  That line is "pdm location 192.168.12.0 255.255.255.192 outside".

Can someone look at this config and tell me what might be wrong?  I would rather not wait until the consultant gets back from vacation next week to get this working.

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ##hidden## encrypted
passwd ##hidden## encrypted
hostname WCS-PIX506
domain-name mydomain.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.12.5 RADIUS
object-group network ONE-NETS
  network-object 192.168.50.0 255.255.255.0
  network-object 192.168.1.0 255.255.255.0
  network-object 172.31.0.0 255.255.255.0
  network-object 172.29.9.0 255.255.255.0
object-group network TWO-NETS
  network-object 192.168.8.0 255.255.252.0
object-group network WCS-NETS
  network-object 192.168.12.0 255.255.255.0
object-group network REMOTE-NETS
  group-object ONE-NETS
  group-object TWO-NETS
object-group service VPN-Site2Site-TCP tcp
  port-object eq www
  port-object eq https
  port-object eq imap4
  port-object eq smtp
  port-object eq domain
  port-object eq telnet
  port-object eq 135
  port-object eq ldap
  port-object eq 379
  port-object eq 3268
object-group service VPN-Site2Site-UDP udp
  port-object eq domain
  port-object eq 135
access-list ACL-OUTSIDE permit icmp any any
access-list ACL-OUTSIDE permit tcp object-group REMOTE-NETS object-group WCS-NETS object-group VPN-Site2Site-TCP
access-list ACL-OUTSIDE permit udp object-group REMOTE-NETS object-group WCS-NETS object-group VPN-Site2Site-UDP
access-list ACL-OUTSIDE permit icmp object-group REMOTE-NETS object-group WCS-NETS
access-list ACL-OUTSIDE permit icmp any any echo-reply
access-list ACL-OUTSIDE permit icmp any any unreachable
access-list ACL-OUTSIDE permit icmp any any time-exceeded
access-list ACL-VPN-WCS2ONE permit ip object-group WCS-NETS object-group ONE-NETS
access-list NO-NAT permit ip object-group WCS-NETS object-group ONE-NETS
access-list NO-NAT permit ip object-group WCS-NETS object-group TWO-NETS
access-list NO-NAT permit ip any 192.168.12.0 255.255.255.192
access-list NO-NAT permit ip 192.168.12.0 255.255.254.0 192.168.14.0 255.255.255.128
access-list ACL-VPN-WCS2TWO permit ip object-group WCS-NETS object-group TWO-NETS
access-list WCS_users_splitTunnelAcl permit ip 192.168.12.0 255.255.254.0 any
access-list outside_cryptomap_dyn_580 permit ip any 192.168.14.0 255.255.255.128
pager lines 24
logging on
logging timestamp
logging buffered errors
logging trap debugging
logging history notifications
mtu outside 1500
mtu inside 1500
ip address outside 68.178.79.236 255.255.255.248
ip address inside 192.168.12.2 255.255.254.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.14.1-192.168.14.254 mask 255.255.255.0
pdm location 69.10.64.0 255.255.255.0 inside
pdm location 69.10.64.0 255.255.255.0 outside
pdm location 172.29.9.0 255.255.255.0 outside
pdm location 172.31.0.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.8.0 255.255.252.0 outside
pdm location 192.168.50.0 255.255.255.0 outside
pdm location RADIUS 255.255.255.255 inside
pdm location 192.168.12.0 255.255.255.0 inside
pdm location 192.168.14.0 255.255.255.128 outside
pdm location 192.168.12.0 255.255.255.192 outside
pdm group WCS-NETS inside
pdm group ONE-NETS outside
pdm group TWO-NETS outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group ACL-OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 68.178.79.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server WCSDC01 protocol radius
aaa-server WCSDC01 max-failed-attempts 3
aaa-server WCSDC01 deadtime 10
aaa-server WCSDC01 (inside) host RADIUS ##hidden## timeout 10
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
ntp server 192.5.41.40 source outside
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 500 set transform-set 3DES-MD5
crypto dynamic-map DYNMAP 520 set transform-set 3DES-MD5
crypto dynamic-map DYNMAP 540 set transform-set 3DES-MD5
crypto dynamic-map DYNMAP 560 set transform-set 3DES-MD5
crypto dynamic-map DYNMAP 580 match address outside_cryptomap_dyn_580
crypto dynamic-map DYNMAP 580 set transform-set 3DES-MD5
crypto map VPN-MAP-OUT 101 ipsec-isakmp
crypto map VPN-MAP-OUT 101 match address ACL-VPN-WCS2ONE
crypto map VPN-MAP-OUT 101 set peer 147.31.204.97
crypto map VPN-MAP-OUT 101 set transform-set ESP-3DES-MD5
crypto map VPN-MAP-OUT 102 ipsec-isakmp
crypto map VPN-MAP-OUT 102 match address ACL-VPN-WCS2TWO
crypto map VPN-MAP-OUT 102 set peer 216.143.158.99
crypto map VPN-MAP-OUT 102 set transform-set ESP-3DES-MD5
crypto map VPN-MAP-OUT 500 ipsec-isakmp dynamic DYNMAP
crypto map VPN-MAP-OUT client authentication RADIUS
crypto map VPN-MAP-OUT interface outside
isakmp enable outside
isakmp key ******** address 147.31.204.97 netmask 255.255.255.255
isakmp key ******** address 216.143.158.99 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 3
isakmp nat-traversal 30
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash md5
isakmp policy 3 group 2
isakmp policy 3 lifetime 86400
vpngroup WCS_users address-pool VPNPool
vpngroup WCS_users dns-server WCSDC01 192.168.12.6
vpngroup WCS_users wins-server WCSDC01 192.168.12.6
vpngroup WCS_users default-domain myADdomain.com
vpngroup WCS_users split-tunnel WCS_users_splitTunnelAcl
vpngroup WCS_users idle-time 1800
vpngroup WCS_users password ********
telnet 192.168.12.0 255.255.255.0 inside
telnet timeout 5
ssh 69.10.64.0 255.255.255.0 outside
ssh 69.10.64.0 255.255.255.0 inside
ssh 192.168.12.0 255.255.255.0 inside
ssh timeout 10
management-access inside
console timeout 0
username ##user1## password ##hidden## encrypted privilege 15
username ##user2## password ##hidden## encrypted privilege 15
username ##user3## password ##hidden## encrypted privilege 15
terminal width 80
Cryptochecksum:##hidden##
: end
[OK]


0
Comment
Question by:wcstrategy
  • 4
  • 4
8 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 20009238
It looks like you have all the required entries...
Let's check them off -

Vpn pool addresses different from local LAN subnet? Check
    ip local pool VPNPool 192.168.14.1-192.168.14.254 mask 255.255.255.0

VPN pool added to the NO_NAT acl? Check , but you might want to review the netmask
  access-list NO-NAT permit ip 192.168.12.0 255.255.254.0 192.168.14.0 255.255.255.128
 Suggest perhaps:
  access-list NO-NAT permit ip 192.168.12.0 255.255.254.0 192.168.14.0 255.255.255.0
                                                                                                                                        ^
Acl applied to nat 0 ? - Check
 nat (inside) 0 access-list NO-NAT

Split-tunnel applied correctly?
 vpngroup WCS_users split-tunnel WCS_users_splitTunnelAcl
 access-list WCS_users_splitTunnelAcl permit ip 192.168.12.0 255.255.254.0 any
Suggest (copy/paste this into PDM Tools/Command line/multiline):
 no access-list WCS_users_splitTunnelAcl permit ip 192.168.12.0 255.255.254.0 any
 access-list WCS_users_splitTunnelAcl permit ip 192.168.12.0 255.255.254.0 192.168.14.0 255.255.255.0
 vpngroup WCS_users split-tunnel WCS_users_splitTunnelAcl

Nat traversal allowed? Check
 isakmp nat-traversal 30

>pdm location 192.168.12.0 255.255.255.192 outside
This is irrelevant to the function of the PIX. You can delete it if you want.


0
 

Author Comment

by:wcstrategy
ID: 20009892
I made your suggested changes, but unfortunately nothing changed.  Once connected remotely I was unable to ping any internal addresses.  If it helps, I did a route print from my laptop while I was connected to the VPN:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.17       25
    68.178.79.236  255.255.255.255      192.168.0.1    192.168.0.17       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0     192.168.0.17    192.168.0.17       25
      192.168.0.1  255.255.255.255     192.168.0.17    192.168.0.17       1
     192.168.0.17  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.0.255  255.255.255.255     192.168.0.17    192.168.0.17       25
     192.168.12.0    255.255.254.0     192.168.14.1    192.168.14.1       1
     192.168.14.0    255.255.255.0     192.168.14.1    192.168.14.1       25
     192.168.14.1  255.255.255.255        127.0.0.1       127.0.0.1       25
   192.168.14.255  255.255.255.255     192.168.14.1    192.168.14.1       25
        224.0.0.0        240.0.0.0     192.168.0.17    192.168.0.17       25
        224.0.0.0        240.0.0.0     192.168.14.1    192.168.14.1       25
  255.255.255.255  255.255.255.255     192.168.0.17    192.168.0.17       1
  255.255.255.255  255.255.255.255     192.168.14.1    192.168.14.1       1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20010906
How about what is in the VPN client status pages? Protected networks and local networks?
It looks like everything should be working. What kind of router/modem do you have on the client side? Does it support IPSEC passthrough?
Client is Vista or XP?
>version 4.7 client
Suggest upgrading to 4.8 or 5.0 client and trying again
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 

Author Comment

by:wcstrategy
ID: 20015201
I'm not positive what you mean by the client status pages.

I have tried this remotely via a local unsecured WAP that is apparently some sort of Actiontech, and at home through a Dlink that I know passes IPSEC (I used the Cisco VPN at a previous job through the same router).

Clients have both been XP, not Vista.

I am trying to get my hands on an updated client, but it will probably be next week.

While connected to the VPN, I can ping the internal IP address (192.168.12.2) of the Pix as well as the 192.168.14.1 address it assigned me when I connected, but nothing else internally.  External connections work so split tunneling must be working.  Does this help suggest athe cause of my problem?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20015788
status pages: when you launch the client and connect, on the VPN client interface there is a Status menu link at the top. Select Status | Statistics
Tunnel Details | Route Details
 Do you see number of bytes received and sent increasing?
                         | Route Details
 What networks do you see in the two columns?

If you can only access the inside IP of the PIX and nothing else, and every indication is that you should be able to access anything on the 192.168.12.x LAN, then the next question is: What is the default gateway of the LAN devices that you are trying to access?
Can you provide output of "C:\>route print" from one of the servers/pcs on the inside lan?


0
 

Author Comment

by:wcstrategy
ID: 20016079
Here is a route print for a LAN PC.  Internal clients have a gateway of 192.168.12.1 (our older Sonicwall), while the Pix is at 192.168.12.2.

===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.12.1  192.168.12.151       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.12.0    255.255.254.0   192.168.12.151  192.168.12.151       20
   192.168.12.151  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.12.255  255.255.255.255   192.168.12.151  192.168.12.151       20
        224.0.0.0        240.0.0.0   192.168.12.151  192.168.12.151       20
  255.255.255.255  255.255.255.255   192.168.12.151  192.168.12.151       1
  255.255.255.255  255.255.255.255   192.168.12.151               3       1
Default Gateway:      192.168.12.1
===========================================================================
Persistent Routes:
  None
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 20016165
> Internal clients have a gateway of 192.168.12.1 (our older Sonicwall), while the Pix is at 192.168.12.2.
D'OH! That's the problem!
The Sonicwall needs a static route to the 192.168.14.0 subnet, pointing back at the PIX. If the Sonicwall acts like a PIX FW, then it won't redirect traffic anyway. You may have to resort to adding static routes on any server(s) that you want to access:
 C:\>route add -p 192.168.14.0 mask 255.255.255.0 192.168.12.2
0
 

Author Comment

by:wcstrategy
ID: 20016323
That was the problem!  I should have known this as I had to create routes on the Sonicwall for the VPN tunnels to the other offices.  Thanks a lot for your help!
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Considering cloud tradeoffs and determining the right mix for your organization.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month12 days, 7 hours left to enroll

579 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question