Solved

Another connection problem with this CISCO PIX! please help!

Posted on 2007-11-27
14
264 Views
Last Modified: 2010-04-09
Ok, now I have another problem...

The Cisco PIX is our firewall device, to which VPN users connect.
When they connect, they are assigned an IP on the 192.168.17.x subnet.
There is a route inside the PIX so that they can 'see' the mail server which is at 192.168.20.2

This works some of the time, but when more than 1 user connects to the VPN, it doesn't allow you to ping 192.168.20.2
It's very strange, they can still access the internet but can't connect to the shared drive or exchange!

Does anyone know what the problem might be?

Here is the router config:

Here is the config:

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 17r encrypted
passwd 2KFOU encrypted
hostname londonpix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 Munich-Lan
name 192.168.15.0 munich
name 212.202.225.34 munichpix
name 192.168.20.2 mail
object-group service Webmail tcp
  description Secure webmail access
  port-object eq www
  port-object eq https
  port-object eq smtp
access-list inside_outbound_nat0_acl permit ip any 192.168.17.10 255.255.255.254
access-list inside_outbound_nat0_acl permit ip 192.168.16.0 255.255.255.0 munich 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 munich 255.255.255.0
access-list split_T permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list split_T permit ip 192.168.20.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list outside_access_in remark Remoteweb workplace
access-list outside_access_in permit tcp any eq 4125 any eq 4125
access-list outside_access_in permit tcp any interface outside object-group Webmail
access-list outside_cryptomap_20 permit ip 192.168.16.0 255.255.255.0 munich 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.20.0 255.255.255.0 munich 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 217.144.147.66 255.255.255.252
ip address inside 192.168.20.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote 192.168.17.10-192.168.17.21 mask 255.255.255.0
pdm location 192.168.16.0 255.255.255.255 inside
pdm location 192.168.16.0 255.255.255.0 inside
pdm location Munich-Lan 255.255.255.0 inside
pdm location 192.168.16.2 255.255.255.255 inside
pdm location 192.168.17.10 255.255.255.254 outside
pdm location Munich-Lan 255.255.255.255 outside
pdm location munich 255.255.255.0 outside
pdm location munichpix 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www mail www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https mail https netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 217.144.147.65 1
route outside munich 255.255.255.0 217.144.147.65 1
route inside 192.168.16.0 255.255.255.0 mail 1
route outside munichpix 255.255.255.255 217.144.147.66 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Munich-Lan 255.255.255.0 inside
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer munichpix
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 212.202.225.48 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address munichpix netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 3600
isakmp log 1
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup users address-pool remote
vpngroup users dns-server mail
vpngroup users split-tunnel split_T
vpngroup users idle-time 1800
vpngroup users password ********
telnet 0.0.0.0 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group users accept dialin l2tp
vpdn group users ppp authentication pap
vpdn group users client configuration address local remote
vpdn group users client authentication local
vpdn group users l2tp tunnel hello 300
vpdn username magnus password *********
dhcpd address 192.168.20.3-192.168.20.10 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username lmiles password C2K7vvz encrypted privilege 5
username dvago password WXgDIo encrypted privilege 5
username nlarsen password QtR1r86 encrypted privilege 5
username sfallgren password j767 encrypted privilege 5
username treiss password 84cqT encrypted privilege 5
username jcgas password uTOiBncrypted privilege 5
username akoch password 8KaLZxhN encrypted privilege 5
username magnus password qu7g encrypted privilege 15
username eyblood password whhCrfoivSj9zJwC encrypted privilege 5
vpnclient server 217.144.147.66
vpnclient mode client-mode
vpnclient vpngroup users password ********
terminal width 80
Cryptochecksum:4feae555fe0a8b1e1fb56e89d0dc7f6d
: end
londonpix(config)# crypto map outside_map client authentication LOCAL
londonpix(config)#
0
Comment
Question by:magnus911
  • 10
  • 4
14 Comments
 
LVL 1

Author Comment

by:magnus911
ID: 20357903
Just to update - I'm thinking this is definitely a VPN problem. It seems that if more than one user connects to the PIX then the new users can't ping 192.168.20.2 and so can't access shared drive or exchange.

Can someone check the VPN config ? Thanks!
0
 
LVL 36

Expert Comment

by:grblades
ID: 20358066
Just spotted the offending entry :-
access-list inside_outbound_nat0_acl permit ip any 192.168.17.10 255.255.255.254
It was only allowing a couple of IP addresses to be excluded from NAT.
If you add the correct entry shown below it should work. I am removing the section and then reapplying it as you cannot remove single lines from an acl.

no access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl permit ip any 192.168.17.10 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.16.0 255.255.255.0 munich 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 munich 255.255.255.0
0
 
LVL 1

Author Comment

by:magnus911
ID: 20358111
ok, but after the first line i get this error on the 2nd command:

londonpix(config)# access-list inside_outbound_nat0_acl permit ip any 192.168.$
ERROR: Source address,mask <192.168.17.10,255.255.255.0> doesn't pair
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> object-group-search
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
londonpix(config)#
0
 
LVL 36

Expert Comment

by:grblades
ID: 20358131
ok its a bit fussy :)

no access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl permit ip any 192.168.17.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.16.0 255.255.255.0 munich 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 munich 255.255.255.0
0
 
LVL 1

Author Comment

by:magnus911
ID: 20358163
Ok thanks, that seemed to take:

config is now:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1iwWUtCZbeXI9x7r encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname londonpix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 Munich-Lan
name 192.168.15.0 munich
name 212.202.225.34 munichpix
name 192.168.20.2 mail
object-group service Webmail tcp
  description Secure webmail access
  port-object eq www
  port-object eq https
  port-object eq smtp
access-list inside_outbound_nat0_acl permit ip any 192.168.17.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.16.0 255.255.255.0 munich 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 munich 255.255.255.0
access-list split_T permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list split_T permit ip 192.168.20.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list outside_access_in remark Remoteweb workplace
access-list outside_access_in permit tcp any eq 4125 any eq 4125
access-list outside_access_in permit tcp any interface outside object-group Webmail
access-list outside_cryptomap_20 permit ip 192.168.16.0 255.255.255.0 munich 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.20.0 255.255.255.0 munich 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 217.144.147.66 255.255.255.252
ip address inside 192.168.20.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote 192.168.17.10-192.168.17.21 mask 255.255.255.0
pdm location 192.168.16.0 255.255.255.255 inside
pdm location 192.168.16.0 255.255.255.0 inside
pdm location Munich-Lan 255.255.255.0 inside
pdm location 192.168.16.2 255.255.255.255 inside
pdm location 192.168.17.10 255.255.255.254 outside
pdm location Munich-Lan 255.255.255.255 outside
pdm location munich 255.255.255.0 outside
pdm location munichpix 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www mail www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https mail https netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 217.144.147.65 1
route outside munich 255.255.255.0 217.144.147.65 1
route inside 192.168.16.0 255.255.255.0 mail 1
route outside munichpix 255.255.255.255 217.144.147.66 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Munich-Lan 255.255.255.0 inside
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer munichpix
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 212.202.225.48 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address munichpix netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 3600
isakmp log 1
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup users address-pool remote
vpngroup users dns-server mail
vpngroup users split-tunnel split_T
vpngroup users idle-time 1800
vpngroup users password ********
telnet 0.0.0.0 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group users accept dialin l2tp
vpdn group users ppp authentication pap
vpdn group users client configuration address local remote
vpdn group users client authentication local
vpdn group users l2tp tunnel hello 300
vpdn username magnus password *********
dhcpd address 192.168.20.3-192.168.20.10 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username lmiles password C2KmXgyDJjL27vvz encrypted privilege 5
username dvago password WXHm1TBh5B6VgDIo encrypted privilege 5
username nlarsen password QtvepTrpg8fR1r86 encrypted privilege 5
username sfallgren password j75viSdKsDioff67 encrypted privilege 5
username treiss password 84cqV/yi9n6c6nuT encrypted privilege 5
username jcgas password uTOiBOn/rmqRSV.v encrypted privilege 5
username akoch password 8KaL7ZAowyWxZxhN encrypted privilege 5
username magnus password qu7pouLeRTTVAQBg encrypted privilege 15
username eyblood password whhCrfoivSj9zJwC encrypted privilege 5
vpnclient server 217.144.147.66
vpnclient mode client-mode
vpnclient vpngroup users password ********
terminal width 80
Cryptochecksum:e4f8488c64c6108f02b2c851f4f1c73a
: end
londonpix(config)#
0
 
LVL 1

Author Comment

by:magnus911
ID: 20358169
I'll test to see how it goes! thanks...
0
 
LVL 1

Author Comment

by:magnus911
ID: 20358186
Ok, I reloaded the cisco box, having 'write memory' first of course...
now I've connected to the VPN again...and still can't ping 192.168.20.2

Any ideas?
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 1

Author Comment

by:magnus911
ID: 20358247
someone said something about this being the wrong way around....is that possible?

access-list split_T permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list split_T permit ip 192.168.20.0 255.255.255.0 192.168.17.0 255.255.255.0
0
 
LVL 36

Accepted Solution

by:
grblades earned 500 total points
ID: 20358397
The split-t acl may look incorrect but it is the correct way round.

Removing the acl earlier must have removed the nat configuration which depended on it. Reapply the following :-
nat (inside) 0 access-list inside_outbound_nat0_acl
0
 
LVL 1

Author Comment

by:magnus911
ID: 20358418
err...

londonpix# nat (inside) 0 access-list inside_outbound_nat0_acl
Type help or '?' for a list of available commands.
0
 
LVL 1

Author Comment

by:magnus911
ID: 20358423
sorry, this must be getting tiresome!
0
 
LVL 1

Author Comment

by:magnus911
ID: 20358433
Does this still look correct also?:

londonpix# show route inside
        inside 192.168.16.0 255.255.255.0 mail 1 OTHER static
        inside 192.168.20.0 255.255.255.0 192.168.20.253 1 CONNECT static
0
 
LVL 36

Expert Comment

by:grblades
ID: 20358487
Yes that looks fine.
1st line sais there is a route to 192.168.16.0 vis the server called mail which is the sbs server
2nd line sais 192.168.20.0 is directly connected to the interface.
0
 
LVL 1

Author Comment

by:magnus911
ID: 20358509
Ok...got that line to take afterall and I'm back pining 20.2

thanks...I hope it lasts this time! it keeps dropping off but i think you were right about that 254 subnet...
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
Overview Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now