Link to home
Create AccountLog in
Avatar of th48ad
th48ad

asked on

PIX 501 Remote Access VPN setup

Hello.  I am a newbie to EE and a novice to Cisco products so please bear with me.  I'm trying to set up a VPN so that people within my workplace can access our fileserver remotely using a Cisco VPN client.

I'm using a PIX 501 behind a Quest DSL Actiontek M1000 modem.  The DSL modem is forwarding the necessary ports to the PIX to establish VPN tunnels and Remote Desktop.

I've gotten as far as establishing a VPN session remotely but I just can't seem to access anything on the INSIDE interface of the firewall (fileserver, printers, workstations..). I may be using the wrong technique to access the fileserver??  (The IP address of our fileserver on the inside is static 192.168.0.221) After the VPN connection is established I go to "My network places" and type in \\192.168.0.221    but it eventually times out.

I have split tunneling enabled only temporarily so I can Remote Desktop into my computer at home and try to connect to the VPN from there; I will disable split tunneling later as I know it is a potential security risk.

I've attached I nice little network diagram so you can decipher my choppy verbal description of our network =)

Your help is greatly appreciated!

Here is my PIX 501 config:
________________________________
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname xxxxxxxxx
domain-name xxxxxxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.221 DOCUMENTARCHIVE
access-list outside_access_in remark DENY FTP (20, 21), SSH (22), and TELNET (23)
access-list outside_access_in deny tcp any range ftp-data telnet any range ftp-data telnet
access-list outside_access_in deny tcp any eq nntp any eq nntp
access-list outside_access_in deny icmp any any
access-list outside_access_in deny tcp any eq h323 any eq h323
access-list outside_access_in remark QuickBooks 2008
access-list outside_access_in permit tcp any eq 10180 any eq 10180
access-list outside_access_in remark QuickBooks 2007
access-list outside_access_in permit tcp any eq 10172 any eq 10172
access-list outside_access_in remark QuickBooks 2006
access-list outside_access_in permit tcp any eq 10160 any eq 10160
access-list outside_access_in permit tcp any eq 3389 host 172.16.10.254 eq 3389
access-list inside_outbound_nat0_acl permit ip any 10.10.10.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip host DOCUMENTARCHIVE 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host DOCUMENTARCHIVE any
access-list inside_outbound_nat0_acl permit ip any 192.168.0.0 255.255.255.128
access-list rivertekvpn_splitTunnelAcl permit ip any any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.0 255.255.255.128
pager lines 24
mtu outside 1478
mtu inside 1478
ip address outside dhcp setroute
ip address inside 192.168.0.2 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool rivertekvpn_pool 192.168.0.10-192.168.0.100 mask 255.255.255.0
pdm location 192.168.0.0 255.255.255.0 inside
pdm location DOCUMENTARCHIVE 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 10.10.10.0 255.255.255.224 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.10.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.10 ./
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup rivertekvpn address-pool rivertekvpn_pool
vpngroup rivertekvpn split-tunnel rivertekvpn_splitTunnelAcl
vpngroup rivertekvpn idle-time 1800
vpngroup rivertekvpn password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.10-192.168.0.130 inside
dhcpd dns 205.171.3.65 205.171.2.65
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
________________________________

RivertekNetwork.jpg
ASKER CERTIFIED SOLUTION
Avatar of Voltz-dk
Voltz-dk
Flag of Denmark image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of th48ad
th48ad

ASKER

thanks for the comment Voltz;  unfortunately the 'isakmp nat-traversal 20' command made it so that the remote client could not connect because it timed out on 'negotiating security policies' (see first pic).  It was able to establish an IKE tunnel temporarily but no IPSec tunnel (see second pic); then when the client timed out the IKE tunnel also dissapeared.

Along the way I also found out that my fileserver (static ip: 192.168.0.221) has no access to the internet and/or outside.  On the inside the fileserver is viewable/accessable from anywhere in the network. I'm sure this might be contributing to my troubles somehow, just not exactly sure how.  the other computers obtain their addresses from the PIX via DHCP.  Do I have to create a route for fileserver manually to the outside? If so how?

After I'm connected to the VPN how do I access the server's files (If everything was set up okay)?  Do I just type in the fileservers local address in the address bar? \\192.168.0.221 ?

Thanks

Thanks
client.jpg
IKE.jpg
Hm, that's puzzling - never seen anything stop working from enabling NAT-T.

Yes you should be able to access the shares in that way.

But I see your point about the routing.  You have used IP addresses for the VPN pool that belong to the internal network.  That COULD give the server problems in getting back to you.  But while I have never tested it, I would assume the PIX to perform proxy arp for those addresses.

The server should likely have the PIX as default gateway.  And if you have the split-tunnel, you could try a few things to shed light on these potential problems:

When connected with VPN, do this on PIX (and have a connection to the file server too, if you can):
debug icmp trace
(now ping from VPN client to file-server)
(while pings run, type "arp -a" on fileserver)

What output do you get on PIX?
What does arp -a give on server?
Avatar of th48ad

ASKER

I changed my address vpn pool as I see where that could pose a problem.. I'll refresh you on my current config (see code snippet)

I also changed the ip settings of the fileserver to obtain its IP from DHCP via the PIX as I was having too many problems trying to route the path within the firewall config so the NEW ip of the fileserver DOCUMENTARCHIVE is now 192.168.0.12 and probably won't change because the server is always running and will renew its lease for that ip (unless the power went out or something).

I tried commands you listed above while having an outside client connected via VPN to the PIX and the below pics will show you the results (see pic description to decipher which terminal the pic is coming from)

Thanks
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
hostname yyyyyyy
domain-name yyyyyyyyyy
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in remark DENY FTP (20, 21)
access-list outside_access_in deny tcp any range ftp-data ftp any range ftp-data ftp
access-list outside_access_in deny tcp any eq nntp any eq nntp
access-list outside_access_in deny icmp any any
access-list outside_access_in deny tcp any eq h323 any eq h323
access-list outside_access_in remark QuickBooks 2008
access-list outside_access_in permit tcp any eq 10180 any eq 10180
access-list outside_access_in remark QuickBooks 2007
access-list outside_access_in permit tcp any eq 10172 any eq 10172
access-list outside_access_in remark QuickBooks 2006
access-list outside_access_in permit tcp any eq 10160 any eq 10160
access-list outside_access_in permit tcp any eq 3389 host 172.16.10.254 eq 3389
access-list outside_access_in remark DENY TELNET(23)
access-list outside_access_in deny tcp any eq telnet any eq telnet
access-list inside_outbound_nat0_acl permit ip any 192.168.0.128 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.128 255.255.255.192
access-list rivertekvpn_splitTunnelAcl_1 permit ip any any
access-list rivertekvpn_splitTunnelAcl permit ip any any
pager lines 24
mtu outside 1478
mtu inside 1478
ip address outside dhcp setroute
ip address inside 192.168.0.2 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool rivertekvpn_pool 192.168.0.131-192.168.0.190 mask 255.255.255.0
pdm location 192.168.0.0 255.255.255.0 inside
pdm location zzz.zzz.zzz.zzz 255.255.0.0 outside
pdm location zzz.zzz.zzz.zzz 255.255.255.255 outside
pdm location 192.168.0.0 255.255.255.128 outside
pdm location 172.16.10.0 255.255.255.0 inside
pdm location 172.16.10.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.10.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http zzz.zzz.zzz.zzz 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.10 ./
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map outside_map_1 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map_1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup rivertekvpn address-pool rivertekvpn_pool
vpngroup rivertekvpn split-tunnel rivertekvpn_splitTunnelAcl_1
vpngroup rivertekvpn split-dns 205.171.2.65 205.171.3.65
vpngroup rivertekvpn idle-time 1800
vpngroup rivertekvpn password ********
telnet timeout 5
ssh zzz.zzz.zzz.zzz 255.255.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd address 192.168.0.10-192.168.0.130 inside
dhcpd dns 205.171.3.65 205.171.2.65
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username xxxxx password xxxxxxxxxxxxx encrypted privilege 15
terminal width 80

Open in new window

PIX-screenshot.jpg
VPNclient-screenshot.jpg
Fileserver-screenshot.jpg
Avatar of th48ad

ASKER

in thhe above 3rd pic the ip 192.168.0.33 is me within our office on the inside network, th ip 192.168.0.2 is the PIX and the ip 192.168.0.13 is another local workstation (probably my boss).
I have a gut feeling you need the NAT-T, but that something blocks that traffic.  If you didn't need it, you shouldn't feel any change in enabling it.

How's your client connected to the Internet?

Could you try to enable logging on the client and post that?
Could you also try to run debugging on the PIX, both with and without NAT-T enabled? (And perhaps run a capture at the same time)

access-list CAPT permit ip host <clients PUBLIC ip> host <PIX PUBLIC ip>
access-list CAPT permit ip host <PIX PUBLIC ip> host <cients PUBLIC ip>
capt CAPT access-list CAPT int ouside
debug crypto isakmp
debug crypto ipsec
(now you try to connect client and ping server - then disconnect VPN)
(Then you grab debug output and do "show capt CAPT" as well)
(now "clear capt CAPT" will clear the buffer, and you now enable NAT-T again and repeat)
capt CAPT access-list CAPT int ouside should read,
capt CAPT access-list CAPT int outside
When you are done you can disable it all again,

no debug all
no capt CAPT
no access-list CAPT
Avatar of th48ad

ASKER

Thanks for your help
Avatar of th48ad

ASKER

I ended up getting the nat-t to work by forwarding port 4500 from the DSL modem to the PIX, but in order to get it to work fully I have to make DOCUMENTARCHIVE (192.168.0.12) a WINS server for the rest of the workstations.  After I connected the client to the VPN I was able to browse the local network!  Thhanks for your help Voltz.  Some links I found that helped me out with the WINS server and PIX config are here:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_tech_note09186a0080194b4a.shtml

http://www.isaserver.org/img/upl/vpnkitbeta2/vpnclientbrowsing.htm

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml