Solved

PIX 501 Remote Access VPN setup

Posted on 2008-06-09
10
1,999 Views
Last Modified: 2012-05-05
Hello.  I am a newbie to EE and a novice to Cisco products so please bear with me.  I'm trying to set up a VPN so that people within my workplace can access our fileserver remotely using a Cisco VPN client.

I'm using a PIX 501 behind a Quest DSL Actiontek M1000 modem.  The DSL modem is forwarding the necessary ports to the PIX to establish VPN tunnels and Remote Desktop.

I've gotten as far as establishing a VPN session remotely but I just can't seem to access anything on the INSIDE interface of the firewall (fileserver, printers, workstations..). I may be using the wrong technique to access the fileserver??  (The IP address of our fileserver on the inside is static 192.168.0.221) After the VPN connection is established I go to "My network places" and type in \\192.168.0.221    but it eventually times out.

I have split tunneling enabled only temporarily so I can Remote Desktop into my computer at home and try to connect to the VPN from there; I will disable split tunneling later as I know it is a potential security risk.

I've attached I nice little network diagram so you can decipher my choppy verbal description of our network =)

Your help is greatly appreciated!

Here is my PIX 501 config:
________________________________
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname xxxxxxxxx
domain-name xxxxxxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.221 DOCUMENTARCHIVE
access-list outside_access_in remark DENY FTP (20, 21), SSH (22), and TELNET (23)
access-list outside_access_in deny tcp any range ftp-data telnet any range ftp-data telnet
access-list outside_access_in deny tcp any eq nntp any eq nntp
access-list outside_access_in deny icmp any any
access-list outside_access_in deny tcp any eq h323 any eq h323
access-list outside_access_in remark QuickBooks 2008
access-list outside_access_in permit tcp any eq 10180 any eq 10180
access-list outside_access_in remark QuickBooks 2007
access-list outside_access_in permit tcp any eq 10172 any eq 10172
access-list outside_access_in remark QuickBooks 2006
access-list outside_access_in permit tcp any eq 10160 any eq 10160
access-list outside_access_in permit tcp any eq 3389 host 172.16.10.254 eq 3389
access-list inside_outbound_nat0_acl permit ip any 10.10.10.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip host DOCUMENTARCHIVE 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host DOCUMENTARCHIVE any
access-list inside_outbound_nat0_acl permit ip any 192.168.0.0 255.255.255.128
access-list rivertekvpn_splitTunnelAcl permit ip any any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.0 255.255.255.128
pager lines 24
mtu outside 1478
mtu inside 1478
ip address outside dhcp setroute
ip address inside 192.168.0.2 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool rivertekvpn_pool 192.168.0.10-192.168.0.100 mask 255.255.255.0
pdm location 192.168.0.0 255.255.255.0 inside
pdm location DOCUMENTARCHIVE 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 10.10.10.0 255.255.255.224 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.10.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.10 ./
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup rivertekvpn address-pool rivertekvpn_pool
vpngroup rivertekvpn split-tunnel rivertekvpn_splitTunnelAcl
vpngroup rivertekvpn idle-time 1800
vpngroup rivertekvpn password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.10-192.168.0.130 inside
dhcpd dns 205.171.3.65 205.171.2.65
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
________________________________

RivertekNetwork.jpg
0
Comment
Question by:th48ad
  • 5
  • 5
10 Comments
 
LVL 15

Accepted Solution

by:
Voltz-dk earned 500 total points
ID: 21746459
Try these:

isakmp identity address
isakmp nat-traversal 20
0
 

Author Comment

by:th48ad
ID: 21747163
thanks for the comment Voltz;  unfortunately the 'isakmp nat-traversal 20' command made it so that the remote client could not connect because it timed out on 'negotiating security policies' (see first pic).  It was able to establish an IKE tunnel temporarily but no IPSec tunnel (see second pic); then when the client timed out the IKE tunnel also dissapeared.

Along the way I also found out that my fileserver (static ip: 192.168.0.221) has no access to the internet and/or outside.  On the inside the fileserver is viewable/accessable from anywhere in the network. I'm sure this might be contributing to my troubles somehow, just not exactly sure how.  the other computers obtain their addresses from the PIX via DHCP.  Do I have to create a route for fileserver manually to the outside? If so how?

After I'm connected to the VPN how do I access the server's files (If everything was set up okay)?  Do I just type in the fileservers local address in the address bar? \\192.168.0.221 ?

Thanks

Thanks
client.jpg
IKE.jpg
0
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 21747227
Hm, that's puzzling - never seen anything stop working from enabling NAT-T.

Yes you should be able to access the shares in that way.

But I see your point about the routing.  You have used IP addresses for the VPN pool that belong to the internal network.  That COULD give the server problems in getting back to you.  But while I have never tested it, I would assume the PIX to perform proxy arp for those addresses.

The server should likely have the PIX as default gateway.  And if you have the split-tunnel, you could try a few things to shed light on these potential problems:

When connected with VPN, do this on PIX (and have a connection to the file server too, if you can):
debug icmp trace
(now ping from VPN client to file-server)
(while pings run, type "arp -a" on fileserver)

What output do you get on PIX?
What does arp -a give on server?
0
 

Author Comment

by:th48ad
ID: 21755751
I changed my address vpn pool as I see where that could pose a problem.. I'll refresh you on my current config (see code snippet)

I also changed the ip settings of the fileserver to obtain its IP from DHCP via the PIX as I was having too many problems trying to route the path within the firewall config so the NEW ip of the fileserver DOCUMENTARCHIVE is now 192.168.0.12 and probably won't change because the server is always running and will renew its lease for that ip (unless the power went out or something).

I tried commands you listed above while having an outside client connected via VPN to the PIX and the below pics will show you the results (see pic description to decipher which terminal the pic is coming from)

Thanks
PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxx encrypted

hostname yyyyyyy

domain-name yyyyyyyyyy

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_access_in remark DENY FTP (20, 21)

access-list outside_access_in deny tcp any range ftp-data ftp any range ftp-data ftp

access-list outside_access_in deny tcp any eq nntp any eq nntp

access-list outside_access_in deny icmp any any

access-list outside_access_in deny tcp any eq h323 any eq h323

access-list outside_access_in remark QuickBooks 2008

access-list outside_access_in permit tcp any eq 10180 any eq 10180

access-list outside_access_in remark QuickBooks 2007

access-list outside_access_in permit tcp any eq 10172 any eq 10172

access-list outside_access_in remark QuickBooks 2006

access-list outside_access_in permit tcp any eq 10160 any eq 10160

access-list outside_access_in permit tcp any eq 3389 host 172.16.10.254 eq 3389

access-list outside_access_in remark DENY TELNET(23)

access-list outside_access_in deny tcp any eq telnet any eq telnet

access-list inside_outbound_nat0_acl permit ip any 192.168.0.128 255.255.255.192

access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.128 255.255.255.192

access-list rivertekvpn_splitTunnelAcl_1 permit ip any any

access-list rivertekvpn_splitTunnelAcl permit ip any any

pager lines 24

mtu outside 1478

mtu inside 1478

ip address outside dhcp setroute

ip address inside 192.168.0.2 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

ip local pool rivertekvpn_pool 192.168.0.131-192.168.0.190 mask 255.255.255.0

pdm location 192.168.0.0 255.255.255.0 inside

pdm location zzz.zzz.zzz.zzz 255.255.0.0 outside

pdm location zzz.zzz.zzz.zzz 255.255.255.255 outside

pdm location 192.168.0.0 255.255.255.128 outside

pdm location 172.16.10.0 255.255.255.0 inside

pdm location 172.16.10.0 255.255.255.0 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 192.168.0.0 255.255.255.0 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 172.16.10.1 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa authentication ssh console LOCAL

http server enable

http zzz.zzz.zzz.zzz 255.255.255.255 outside

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside 192.168.0.10 ./

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map

crypto map outside_map_1 65535 ipsec-isakmp dynamic outside_dyn_map_1

crypto map outside_map_1 interface outside

isakmp enable outside

isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup rivertekvpn address-pool rivertekvpn_pool

vpngroup rivertekvpn split-tunnel rivertekvpn_splitTunnelAcl_1

vpngroup rivertekvpn split-dns 205.171.2.65 205.171.3.65

vpngroup rivertekvpn idle-time 1800

vpngroup rivertekvpn password ********

telnet timeout 5

ssh zzz.zzz.zzz.zzz 255.255.0.0 outside

ssh 192.168.0.0 255.255.255.0 inside

ssh timeout 30

console timeout 0

dhcpd address 192.168.0.10-192.168.0.130 inside

dhcpd dns 205.171.3.65 205.171.2.65

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

username xxxxx password xxxxxxxxxxxxx encrypted privilege 15

terminal width 80

Open in new window

PIX-screenshot.jpg
VPNclient-screenshot.jpg
Fileserver-screenshot.jpg
0
 

Author Comment

by:th48ad
ID: 21755772
in thhe above 3rd pic the ip 192.168.0.33 is me within our office on the inside network, th ip 192.168.0.2 is the PIX and the ip 192.168.0.13 is another local workstation (probably my boss).
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 15

Expert Comment

by:Voltz-dk
ID: 21755894
I have a gut feeling you need the NAT-T, but that something blocks that traffic.  If you didn't need it, you shouldn't feel any change in enabling it.

How's your client connected to the Internet?

Could you try to enable logging on the client and post that?
Could you also try to run debugging on the PIX, both with and without NAT-T enabled? (And perhaps run a capture at the same time)

access-list CAPT permit ip host <clients PUBLIC ip> host <PIX PUBLIC ip>
access-list CAPT permit ip host <PIX PUBLIC ip> host <cients PUBLIC ip>
capt CAPT access-list CAPT int ouside
debug crypto isakmp
debug crypto ipsec
(now you try to connect client and ping server - then disconnect VPN)
(Then you grab debug output and do "show capt CAPT" as well)
(now "clear capt CAPT" will clear the buffer, and you now enable NAT-T again and repeat)
0
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 21755897
capt CAPT access-list CAPT int ouside should read,
capt CAPT access-list CAPT int outside
0
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 21755900
When you are done you can disable it all again,

no debug all
no capt CAPT
no access-list CAPT
0
 

Author Closing Comment

by:th48ad
ID: 31465491
Thanks for your help
0
 

Author Comment

by:th48ad
ID: 21773582
I ended up getting the nat-t to work by forwarding port 4500 from the DSL modem to the PIX, but in order to get it to work fully I have to make DOCUMENTARCHIVE (192.168.0.12) a WINS server for the rest of the workstations.  After I connected the client to the VPN I was able to browse the local network!  Thhanks for your help Voltz.  Some links I found that helped me out with the WINS server and PIX config are here:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_tech_note09186a0080194b4a.shtml

http://www.isaserver.org/img/upl/vpnkitbeta2/vpnclientbrowsing.htm

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now