Solved

Can connect to PIX 501 with VPN client and ping internal addresses but some limitations

Posted on 2008-10-27
Last Modified: 2012-06-21
Scenario:
Internet---x.x.x.x---ADSL--192.168.1.1<---->192.168.1.2--(e)-PIX-(i)--10.0.0.1 (10.0.0.0/24)

I have to use the ADSL with NAT (and not bridge) as the provider does not support PPPoE, only PPPoA.
I can connect with Cisco VPN client 4.0.3(C)
I can ping/telnet to any address on 10.0.0.0 network
What I can't do is run a remote desktop to any of the hosts on the 10.0.0.0 network
I also get the following occurring within the log "No route to 10.1.2.255 from 10.1.2.1"

Main parts of the config are posted.

Questions:
1. Why the error "No route to 10.1.2.255 from 10.1.2.1" ?

2. Is this the reason for remote desktop not working?

3. Are the following required in order to get to the 10.0.0.0 network once connected via VPN using pool 10.1.2.0/24 ?
(tried lots to get things to work and not sure if this is required or not, but main functionality is finally working)

access-list outside_crypto permit ip any 10.1.2.0 255.255.255.0
crypto dynamic-map dynmap 10 match address outside_crypto

4. I can't ping or telnet directly to the PIX from client. I assume this is normal/desired? How can I change this?

5. Any glaring problems/things that should be changed/removed?

6. Above is the main requirement. I also have an issue getting "no translation group found" when trying to connect via Putty to 10.0.0.35 (Dune) using SSH tunnel on port 443.
ADSL modem has NAT/PAT set to forward to 10.0.0.35 (Dune) incoming 443 outgoing 443

tried various options and currently:
access-list outside_access_in permit ip any host Dune
static (inside,outside) tcp interface https Dune https netmask 255.255.255.255 0 0

What do I need to do for this to work/remove the "no translation group found" issue?
(I don't have immediate access now, so I may post a separate query on this if there's no "simple" answer.)

Thanks,
Mark

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name localdomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.35 Dune
access-list outside_access_in permit ip 10.1.2.0 255.255.255.0 interface inside log
access-list outside_access_in permit ip any host Dune
access-list outside_access_in permit tcp any interface outside eq https
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list outside_crypto permit ip any 10.1.2.0 255.255.255.0
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip local pool ippool 10.1.2.1-10.1.2.254 mask 255.255.255.0
pdm location Dune 255.255.255.255 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 10.1.2.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface https Dune https netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 match address outside_crypto
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 10.0.0.1
vpngroup vpn3000 wins-server 10.0.0.1
vpngroup vpn3000 default-domain localdomain.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.201-10.0.0.232 inside
dhcpd dns 192.168.1.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
Question by:mgferg
4 Comments

Assisted Solution

by:lrmoore
lrmoore earned 100 total points
Set the DSL modem to NAT all traffic to the outside IP of the PIX.
Use the VPN client utility SetMTU and set the PC MTU to 1300.
For #4, add
 management-access inside
 telnet 10.1.2.0 255.255.255.0 inside
 http 10.1.2.0 255.255.255.0 inside
This allows you to access the inside IP address over the VPN
Author Comment

by:mgferg
Hi. Thanks for the response. I will adjust the recommended MTUs later.

I have a Netcomm NB9W modem and not sure exactly how to "nat all traffic to the outside IP of the PIX". I'll need to play around and see if the NAT options will accept wildcards or if I remove all entries in the list then it will NAT all.

I can now telnet to the PIX and run remote desktop to hosts (maybe something else was changed with everything else I've been doing and the remote desktop works now for different reasons).

So now I'm looking for suggestions for Q1, Q3, Q6 and any further comments (Q4).
Cheers,
Mark
Author Comment

by:mgferg
BTW, one other thing.

Although I can remote desktop, I tried to mount a network drive on another XP box, which failed.

Log shows:

UDP request discarded from 10.1.2.1/62025 to inside:10.0.0.1/domain

So is there something we need to do to get all 10.1.2.0 traffic to access anything on 10.0.0.0? (and vice versa)

Thanks,
Mark
Accepted Solution

by: mgferg
Hi, just an update:

It looks like the main culprit (in my situation) was DNS. I removed the lines

vpngroup vpn3000 dns-server 10.0.0.1
vpngroup vpn3000 wins-server 10.0.0.1

and I can now map drives (as well as Remote Desktop).

In answer to my question, I didn't need
crypto dynamic-map dynmap 10 match address outside_crypto
(think this is used in PIX to PIX ... not sure ... but works without this)

Final working config below (some of the standard sections removed).

Any further comments would be appreciated ... thanks

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name localdomain.com
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_access_in permit ip 10.1.2.0 255.255.255.0 10.0.0.0 255.255.255.0 log
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.2.0 255.255.255.0
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254 mask 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.1.2.0 255.255.255.0 inside
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 default-domain localdomain.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet 10.1.2.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 10.0.0.201-10.0.0.232 inside
dhcpd dns 192.168.1.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
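As an added check (my own script, not code from the thread, from mgferg or from Cisco), the following parses the VPN-relevant lines of a PIX 6.3 config and reports what the thread ended up fixing by hand: whether the client pool is exempted from NAT by the nat 0 ACL, whether the split-tunnel ACL referenced by the vpngroup exists, and whether the PIX inside address is manageable over the tunnel (management-access inside plus a telnet line covering the pool, as lrmoore's answer requires). The two config strings are constructed excerpts of the question's original config and the accepted final one; the regexes, _net, parse_acls and check_vpn_config are assumptions of this example.

```python
import ipaddress
import re

# Constructed excerpts of the thread's two PIX 6.3 configs (question vs accepted answer).
ORIGINAL_CONFIG = """ip local pool ippool 10.1.2.1-10.1.2.254 mask 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list outside_crypto permit ip any 10.1.2.0 255.255.255.0
nat (inside) 0 access-list 101
telnet 10.0.0.0 255.0.0.0 inside"""
FINAL_CONFIG = """ip local pool ippool 10.1.2.1-10.1.2.254 mask 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list 101
vpngroup vpn3000 split-tunnel 101
management-access inside
telnet 10.1.2.0 255.255.255.0 inside"""

ACL = re.compile(r"^access-list (\S+) permit ip (any|\S+ \S+) (any|\S+ \S+)", re.M)
POOL = re.compile(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", re.M)
TELNET = re.compile(r"^telnet (\S+) (\S+) inside$", re.M)

def _net(a, m="255.255.255.255"):
    """'any' or an address/mask pair as an IPv4Network (non-strict, as the PIX treats it)."""
    return ipaddress.IPv4Network("0.0.0.0/0" if a == "any" else (a, m), strict=False)

def parse_acls(cfg):
    """Map ACL name -> [(src, dst)]; entries using names ('host Dune') or 'interface' are skipped."""
    acls = {}
    for name, src, dst in ACL.findall(cfg):
        try:
            pair = (_net(*src.split()), _net(*dst.split()))
        except ValueError:
            continue
        acls.setdefault(name, []).append(pair)
    return acls

def check_vpn_config(cfg):
    """Return findings (empty list = OK) for the VPN client pool defined in cfg."""
    pool = _net(*POOL.search(cfg).groups())          # 10.1.2.1 + /24 mask -> 10.1.2.0/24
    acls, out = parse_acls(cfg), []
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    exempt = acls.get(nat0.group(1), []) if nat0 else []
    if not any(d.supernet_of(pool) for _, d in exempt):
        out.append(f"nat 0 ACL does not exempt inside->{pool}; pool traffic would be PAT'd")
    split = re.search(r"^vpngroup \S+ split-tunnel (\S+)", cfg, re.M)
    if split and split.group(1) not in acls:
        out.append(f"split-tunnel ACL {split.group(1)} is not defined")
    reachable = any(_net(a, m).supernet_of(pool) for a, m in TELNET.findall(cfg))
    if not (re.search(r"^management-access inside", cfg, re.M) and reachable):
        out.append("PIX inside address not manageable from the pool: needs 'management-access inside' plus 'telnet <pool> inside'")
    return out
```

Running check_vpn_config on ORIGINAL_CONFIG reports only the missing management-access, matching lrmoore's fix for Q4; FINAL_CONFIG passes clean.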