osuser
asked on
How do I configure PIX 506e VPN with a static public ip on the outside interface?
Hi,
The company I work for just moved from DSL to a T1. We have a Pix 506e that we use for VPN connections. Everything ran great with the DSL, but with the T1 remote users are having a problem connecting to the VPN (they can FTP in just fine and other things). I'm not sure if having the static public ip is part of the problem or not ... but seeing as how that was a big change when the T1 came in, I'm guessing it may be.
My network looks basically likes this: INTERNET --> T1/IAD --> Pix506e --> Intranet
I'd appreciate any help. My Pix config is below.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password fkup9sdnxTeK2EIC encrypted
passwd fkup9sdnxTeK2EIC encrypted
hostname 506e
domain-name domain.local
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.95 ftpmachine
access-list out-in permit icmp any any
access-list out-in permit esp any any
access-list out-in permit udp any any eq isakmp
access-list out-in permit udp any any eq 4500
access-list out-in permit tcp any interface outside eq ftp
access-list out-in permit tcp any interface outside eq 3389
access-list out-in permit tcp any interface outside eq ident
access-list out-in permit tcp any interface outside eq 5555
access-list inside_outbound_nat0_acl permit ip any 10.10.10.0 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 10.10.10.0 255.255.255.240
pager lines 24
logging on
logging timestamp
logging trap errors
logging history debugging
logging host inside 10.0.0.99
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.x 255.255.255.252
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 10.10.10.1-10.10.10.10
pdm location 10.0.0.99 255.255.255.255 inside
pdm location 10.0.0.105 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 216.x.x.x ftp ftpmachine ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.x.x.x 3389 ftpmachine 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.x.x.x ident ftpmachine ident netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.x.x.x 5555 ftpmachine 5555 netmask 255.255.255.255 0 0
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 216.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.99 255.255.255.255 inside
http 10.0.0.105 255.255.255.255 inside
snmp-server host inside 10.0.0.99
snmp-server location office
snmp-server contact IT
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 60
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup OSVPN address-pool VPNPOOL
vpngroup OSVPN dns-server 10.0.0.100
vpngroup OSVPN wins-server 10.0.0.100
vpngroup OSVPN default-domain domain.local
vpngroup OSVPN idle-time 1800
vpngroup OSVPN password ********
telnet 10.0.0.105 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username woot password MKW.I0vwQGeiNVJb encrypted privilege 15
terminal width 80
Cryptochecksum:c35d10c371c
: end
The company I work for just moved from DSL to a T1. We have a Pix 506e that we use for VPN connections. Everything ran great with the DSL, but with the T1 remote users are having a problem connecting to the VPN (they can FTP in just fine and other things). I'm not sure if having the static public ip is part of the problem or not ... but seeing as how that was a big change when the T1 came in, I'm guessing it may be.
My network looks basically likes this: INTERNET --> T1/IAD --> Pix506e --> Intranet
I'd appreciate any help. My Pix config is below.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password fkup9sdnxTeK2EIC encrypted
passwd fkup9sdnxTeK2EIC encrypted
hostname 506e
domain-name domain.local
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.95 ftpmachine
access-list out-in permit icmp any any
access-list out-in permit esp any any
access-list out-in permit udp any any eq isakmp
access-list out-in permit udp any any eq 4500
access-list out-in permit tcp any interface outside eq ftp
access-list out-in permit tcp any interface outside eq 3389
access-list out-in permit tcp any interface outside eq ident
access-list out-in permit tcp any interface outside eq 5555
access-list inside_outbound_nat0_acl permit ip any 10.10.10.0 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 10.10.10.0 255.255.255.240
pager lines 24
logging on
logging timestamp
logging trap errors
logging history debugging
logging host inside 10.0.0.99
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.x 255.255.255.252
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 10.10.10.1-10.10.10.10
pdm location 10.0.0.99 255.255.255.255 inside
pdm location 10.0.0.105 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 216.x.x.x ftp ftpmachine ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.x.x.x 3389 ftpmachine 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.x.x.x ident ftpmachine ident netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.x.x.x 5555 ftpmachine 5555 netmask 255.255.255.255 0 0
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 216.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.99 255.255.255.255 inside
http 10.0.0.105 255.255.255.255 inside
snmp-server host inside 10.0.0.99
snmp-server location office
snmp-server contact IT
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 60
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup OSVPN address-pool VPNPOOL
vpngroup OSVPN dns-server 10.0.0.100
vpngroup OSVPN wins-server 10.0.0.100
vpngroup OSVPN default-domain domain.local
vpngroup OSVPN idle-time 1800
vpngroup OSVPN password ********
telnet 10.0.0.105 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username woot password MKW.I0vwQGeiNVJb encrypted privilege 15
terminal width 80
Cryptochecksum:c35d10c371c
: end
clearacid
When you changed ISPs from DSL to T1 your outside ip address probably changed. Did you check to see if the client configurations point to the new one?
ASKER
Yep, I made sure to do that. The correct outside ip is being used.
ASKER
Just an update, I can see that the traffic is at least getting to the Pix. Everytime I try to connect I'm watching the counter update for the isakmp.
506e(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
access-list out-in; 8 elements
access-list out-in line 1 permit icmp any any (hitcnt=5834)
access-list out-in line 2 permit tcp any interface outside eq ftp (hitcnt=66)
access-list out-in line 3 permit tcp any interface outside eq 3389 (hitcnt=4)
access-list out-in line 4 permit tcp any interface outside eq ident (hitcnt=2)
access-list out-in line 5 permit tcp any interface outside eq 5555 (hitcnt=0)
access-list out-in line 6 permit esp any any (hitcnt=0)
access-list out-in line 7 permit udp any any eq isakmp (hitcnt=3)
access-list out-in line 8 permit udp any any eq 4500 (hitcnt=0)
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any 10.10.10.0 255.255.255
.240 (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.10.0 255.255.255
.240 (hitcnt=0)
506e(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
access-list out-in; 8 elements
access-list out-in line 1 permit icmp any any (hitcnt=5834)
access-list out-in line 2 permit tcp any interface outside eq ftp (hitcnt=66)
access-list out-in line 3 permit tcp any interface outside eq 3389 (hitcnt=4)
access-list out-in line 4 permit tcp any interface outside eq ident (hitcnt=2)
access-list out-in line 5 permit tcp any interface outside eq 5555 (hitcnt=0)
access-list out-in line 6 permit esp any any (hitcnt=0)
access-list out-in line 7 permit udp any any eq isakmp (hitcnt=3)
access-list out-in line 8 permit udp any any eq 4500 (hitcnt=0)
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any 10.10.10.0 255.255.255
.240 (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.10.0 255.255.255
.240 (hitcnt=0)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.