Solved

Allow SMTP and VPN (PPTP / GRE) traffic through Cisco 1700 series router

Posted on 2009-03-28
54
1,847 Views
Last Modified: 2012-05-06
We replaced our Internet DSL line with a new Internet T1 line. I am trying to allow SMTP and VPN traffic through the Cisco 1700 series router to no avail. Can someone please take a look at my router config and let me know what I am doing wrong? I have searched the knowledge base and have entered commands that have worked for others, but is not working for me. I am missing something.
I am okay when it comes to setting up the PIX firewall, but very green when it comes to setting up Cisco routers. I setup four 1700's to connect 3 of our offices together, but have never set one up to access an Internet T1 (the Internet is working just fine from inside the network). Being a novice when it comes to setting up Cisco routers, BABY STEP would be much appreceated!
Thanking you in advance for your help with this issue.

-PCwimp

-------------------------
1700 Router Config:
-------------------------
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1700ROUTER
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
enable password XXXXXXX
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
ip name-server 198.6.1.1
ip name-server 198.6.1.2
!
!
!
!
interface Serial0
 description <Site ID>
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0.500 point-to-point
 ip address 65.194.9.30 255.255.255.252
 frame-relay interface-dlci 500
!
interface FastEthernet0
 ip address 65.200.78.3 255.255.255.224
 speed 10
 full-duplex
!
ip nat inside source static 10.51.1.60 65.200.78.5
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.500
no ip http server
!
access-list 104 permit tcp any any established
access-list 104 permit udp host 198.6.1.1 eq domain any
access-list 104 permit tcp any host 65.200.78.5 eq smtp
access-list 104 permit tcp any host 65.200.78.5 eq www
access-list 104 permit tcp any host 65.200.78.5 eq 1723
access-list 104 permit gre any any
access-list 104 permit tcp any any eq smtp
!
line con 0
 logging synchronous
 transport input none
line aux 0
line vty 0 4
 password XXXXXXX
 login local
!
end
0
Comment
Question by:PCWimp
  • 32
  • 20
  • 2
54 Comments
 

Author Comment

by:PCWimp
ID: 24011279
Also, I am using the Cisco VPN client... It works just fine with a PIX hooked directly up to the DSL connection. I am unsure if the VPN is working or not because as soon as I realized that SMTP traffic was not passing, I had to switch back the DSL line.
FYI: I have two PIX firewalls setup right now. One is connected to my DSL line and the other is connected to the 1700 router (new configuration).

-PCwimp
0
 

Author Comment

by:PCWimp
ID: 24011417
I have to go to another site right now... I will check this question again with in the next hour and a half. Thank you!

-PCwimp
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24012271
The router config is fine.

Can you post the new PIX config?
0
 
LVL 7

Expert Comment

by:mitrushi
ID: 24014124
I don't see acl 104 applied on interface FastEthernet 0/0. Do you have an ip access-group 104 in on that interface. Also you need a default static route pointing out of this interface, ip route 0.0.0.0 0.0.0.0 FastEthernet 0/0 <ip address of next hop>.
0
 

Author Comment

by:PCWimp
ID: 24014787
Sorry for the late reply... I had to get some sleep! Was up way too long!

Here is the config for the PIX

interface ethernet4 10baset
interface ethernet5 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd XXXXXXXXXXXXXXXX encrypted
hostname PIX02
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit tcp any any eq pptp
access-list outside permit gre any any
access-list outside permit icmp any any
access-list outside permit tcp any host 65.200.78.6 eq www
access-list outside permit tcp any host 65.200.78.6 eq smtp
access-list outside permit tcp any host 65.200.78.8 eq 3389
access-list outside permit udp any host 65.200.78.8 eq 3389
access-list outside permit tcp any host 65.200.78.8 eq citrix-ica
access-list outside permit udp any host 65.200.78.8 eq 1494
access-list outside permit tcp any host 65.200.78.7 eq www
access-list 110 permit ip 10.51.1.0 255.255.255.0 10.58.1.0 255.255.255.0
access-list inside deny tcp any any eq smtp
access-list inside permit ip any any
access-list inside permit tcp host 10.51.1.247 any eq smtp
access-list inside permit tcp host 10.51.1.254 any eq smtp
access-list block135 deny tcp any any eq 135
access-list block135 permit ip any any
access-list 130 permit ip 10.51.1.0 255.255.255.0 10.59.1.0 255.255.255.0
access-list 100 permit ip 10.51.1.0 255.255.255.0 10.59.1.0 255.255.255.0
access-list acl-out permit gre any any
access-list acl-out permit tcp any any eq pptp
access-list 105 permit ip 10.51.1.0 255.255.255.0 10.51.2.0 255.255.255.0
access-list 105 permit ip 10.52.2.0 255.255.255.0 10.58.1.0 255.255.255.0
access-list 105 permit ip 10.58.1.0 255.255.255.0 10.51.2.0 255.255.255.0
access-list 105 permit ip 10.51.2.0 255.255.255.0 10.58.1.0 255.255.255.0
access-list 105 permit ip 10.51.2.0 255.255.255.0 10.50.1.0 255.255.255.0
access-list 105 permit ip 10.50.1.0 255.255.255.0 10.51.2.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 65.200.78.4 255.255.255.224
ip address inside 10.51.1.2 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool XDXVPN 10.51.2.1-10.51.2.100
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 10.51.1.232 255.255.255.255 inside
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 105
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 65.200.78.8 10.51.1.247 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.78.5 10.51.1.60 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.78.7 10.51.1.237 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group block135 in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 65.200.78.3 1
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map kamora 1 ipsec-isakmp
! Incomplete
crypto map footplant 1 ipsec-isakmp
! Incomplete
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 72.86.156.127
crypto map newmap 10 set transform-set myset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer 204.11.11.177
crypto map newmap 30 set transform-set myset
crypto map newmap interface outside
crypto map mymap 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp key ******** address 204.11.11.77 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
vpngroup XDXVPN address-pool XDXVPN
vpngroup XDXVPN dns-server 10.51.1.232
vpngroup XDXVPN default-domain ad.XdomainX.com
vpngroup XDXVPN split-tunnel 105
vpngroup XDXVPN idle-time 1800
vpngroup XDXVPN password ********
telnet 10.51.1.2 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
----------------------------------
I tried to enter IP ACCESS-GROUP command but it returned an error. Maybe the command I was using was wrong or I havd to enter it in a different config mode (Config-if ???)... Not sure. Again, I do not know to steps all to well on the router when entering command on the config itself or the interfaces.

[I don't see acl 104 applied on interface FastEthernet 0/0. Do you have an ip access-group 104 in on that interface. Also you need a default static route pointing out of this interface, ip route 0.0.0.0 0.0.0.0 FastEthernet 0/0 <ip address of next hop>.]

Can you please post the steps I need to do to enter these comands onto the router? I would very much appreceate it. Thank you!

-PCwimp
0
 

Author Comment

by:PCWimp
ID: 24014856
FYI: This is the command I tried to enter at the 'CONFIG T' prompt
ip access-group 104 in
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24015616
Don't worry about the access-list or routes on the router, the router is fine.

Is this the exchange server? 10.51.1.254 ?  You are missing a static NAT for it.

Add this to the PIX:

static (inside,outside) 65.200.78.6 10.51.1.254 netmask 255.255.255.255

You are allowing SMTP to 65.200.78.6 so I'm assuming that is your SMTP public IP?  Add this also to allow SMTP to what appears to be a second SMTP server? 10.51.1.247

conf t
access-list outside permit tcp any host 65.200.78.8 eq smtp
0
 

Author Comment

by:PCWimp
ID: 24015757
Is this the exchange server? 10.51.1.254 ?  You are missing a static NAT for it.
That is the exchange server. Though, those other commands are in the PIX to allow SMTP out from olny those servers. SMTP traffic comes in and goes to (Public IP) 65.200.78.5, (Internal IP) 10.51.1.60. That is my Spam firewall. That then forwards SMTP to 10.51.1.254 (the exchange server).

Okay... I am going to try this now... I have about an hour and 30 minute drive to the office. So I will not be updating this question for at least 2 hours. Thank you so much for your help!

-PCwimp
0
 

Author Comment

by:PCWimp
ID: 24016170
[You are allowing SMTP to 65.200.78.6 so I'm assuming that is your SMTP public IP?  Add this also to allow SMTP to what appears to be a second SMTP server? 10.51.1.247
conf t
access-list outside permit tcp any host 65.200.78.8 eq smtp]

I forgot to mention that 10.51.1.247 is an Exchange server. It is the main exchange server. All SMTP traffic gets router to 10.51.1.60 which is my Spam firewall. It then gets router to 10.51.1.247. The static route on the PIX for 10.51.1.247 is for OWA.

I need to set the router up so it allows SMTP traffic and VPN traffic. The PIX is all setup and tested. The Cisco VPN client works fine when hook directly up to the PIX. But, will the router allow PPTP/GRE to pass for VPN? Thanks for all your help!

FYI: I just put the router and the new PIX online and I switched my Internet DNS record to point to the new 62.200.78X IP range... I will update you in a few minutes and let you know if it is working or not. Thanks again!

      -PCwimp
0
 

Author Comment

by:PCWimp
ID: 24016280
Email does not seem to be getting through...
Are we missing anything? Even with my above explination of the static routes and the way the Exchange servers and Spam firewall is setup, should I still be adding certain commands? Thanks again, guys!

   -PCwimp
0
 
LVL 7

Expert Comment

by:mitrushi
ID: 24016314
You need to enter the ip access-group command when in inteface config mode.
conf t
interface FastEthernet 0/0
ip access-group 104 in
0
 

Author Comment

by:PCWimp
ID: 24016405
I just had it working and I guess I didnt save the config on the damn router! UGH!
I have to enter the commands again and this time I will make sure to write to the router... Sorry for the delay guys...
0
 

Author Comment

by:PCWimp
ID: 24016558
I must have the worst luck in the world...
I entered the following commands on the router yesterday:
------------------
ip nat inside source static 10.51.1.60 65.200.78.5
access-list 104 permit tcp any any established
access-list 104 permit udp host 198.6.1.1 eq domain any
access-list 104 permit tcp any host 65.200.78.5 eq smtp
access-list 104 permit tcp any host 65.200.78.5 eq www
access-list 104 permit tcp any host 65.200.78.5 eq 1723
access-list 104 permit gre any any
access-list 104 permit tcp any any eq smtp
------------------
And nothing was working...
I entered the following commands on the PIX tonight and SMTP traffic started moving in... I enter and access-list command for the wrong routable IP address on the PIX by mistake (I am not the smartest dude out there :-/ )... Once I switched the access-list from 65.200.78.6 to 65.200.78.5, everything started working.
--------------
access-list outside permit tcp any host 65.200.78.5 eq www
access-list outside permit tcp any host 65.200.78.5 eq smtp
-------------
Now I have all the commands in aside from the access-group command on the router and it is not working!!! Though, email was coming through without the assecc-group command before! I am at a total loss! Its my ass if I cant get this up tonight because I already changed the Internet DNS record. I will post both configs again if no one has any ideas. Thanks again for all the help!

-PCwimp
0
 

Author Comment

by:PCWimp
ID: 24016617
When I enter the 'ip access-group 104 in' command on the 'interface fastethernet0' (config-if) the Internet goes down and I am not able to browse the net??? As soon as I remove the command, the Internet comes back up... Please advise!
I really appreceate everyones help as I really thing I am going to get fired tomorrow if I do not have this resolved! LoL! And I mean really fired... as in they will set me on FIRE! :-/
Any and all advise is highly appreceated!
Thank you very much!

-PCwimp

FYI: Still no email is getting through!

0
 

Author Comment

by:PCWimp
ID: 24016646
OH MY GOD! While I was waiting for help from Experts-Exchange I removed these commands from the router...
no ip nat inside source static 10.51.1.60 65.200.178.35
no access-list 104 permit tcp any any established
no access-list 104 permit udp host 198.6.1.1 eq domain any
no access-list 104 permit tcp any host 65.200.178.35 eq smtp
no access-list 104 permit tcp any host 65.200.178.35 eq www
no access-list 104 permit tcp any host 65.200.178.35 eq 1723
no access-list 104 permit gre any any
no access-list 104 permit tcp any any eq smtp

as soon as I did that, email started working??????
I guess when I power cycled the router, I lost the config and email started work before... I re-entered the command and email stoped flowing. As soon as I just took them out 2 minutes ago, email started working again! Is it because the T1 is using frame relay? I am really confused now... Regardless, SMTP traffic is flowing now... Can anyone explain this?

-PCwimp
0
 

Author Comment

by:PCWimp
ID: 24016961
This very strange! Can anyone explain why when I removed the commands from the router then SMTP started working? Very odd!
Also, I still can't get the second part of my question to work... VPN...
Here is the current config on the 1700 router. Please help me get the correct commands on this router to allow VPN traffic. Thanks again, guys!
-------------------------
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1700ROUTER
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
enable password XXXXXXXXX
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
ip name-server 198.6.1.1
ip name-server 198.6.1.2
!
!
!
!
interface Serial0
 description <Site ID>
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0.500 point-to-point
 ip address 65.194.9.30 255.255.255.252
 frame-relay interface-dlci 500
!
interface FastEthernet0
 ip address 65.200.78.3 255.255.255.224
 speed 10
 full-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.500
no ip http server
!
!
line con 0
 logging synchronous
 transport input none
line aux 0
line vty 0 4
 password XXXXXXX
 login local
!
end
-------------------------


     -PCwimp
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24017008
Again, nothing more is required on the router.  The access-list broke connectivity because it isn't built out enough but leave the access-list off as the PIX is doing the filtering.

All that was needed was to allow SMTP to the SPAM filter (.5).

What VPN isn't working? Cisco VPN client or the PPTP?
0
 

Author Comment

by:PCWimp
ID: 24017023
Not sure what the difference is between the two, sorry...
I am running Cisco VPN Client that is setup on the PIX... It worked okay when it was hooked up to the DSL line, but now it doesnt work hooked up to the T1 line behide the router. Yes, I did change the target IP on the client side in the Cisco VPN connection manager.
Thanks!
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24017120
Add this to the PIX.

conf t
isakmp nat-traversal
0
 

Author Comment

by:PCWimp
ID: 24017167
Okay... I added the command. I have to go up a few floors to link up to a different network so I can test it. Be right back!
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24017183
Add this as well.

conf t
crypto map newmap 65535 ipsec-isakmp dynamic dynmap
0
 

Author Comment

by:PCWimp
ID: 24017314
Okay. I just added that second command and I am going back up stairs to test. Thanks...

Question: Why would have worked before hooked up to the DSL line and now it would need more command lines for it to work?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24017344
I thought this was a new PIX, right? Different from the DSL PIX?
0
 

Author Comment

by:PCWimp
ID: 24017432
Since it was for the same site and there was the client VPN and a pix to pix vpn that I have to get working... I figured it would be eaiser if I just copied the entire config from the old pix to the new pix and then just change the IP addresses as needed. The only reason I have 2 pix running at the same time was so that I wasnt under a super time crunch to get the new one up...

Okay... I added the second command and tested it... The VPN still doesnt work.
I have no clue!
FYI: I reset the password to make sure... Still no good...

-
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24017477
The VPN client is pointing to 65.200.78.4, right?

Does it connect but you can't access anything?  Do you get a login box?
0
 

Author Comment

by:PCWimp
ID: 24017534
Yes... It is pointing to 65.200.78.4

I get nothing... It trys to connect and then after 30-45 seconds it times out.
0
 

Author Comment

by:PCWimp
ID: 24017619
I hope you guys do not mind... I have been awake on and off for days and I have my users coming into the office in about 2 hours. I hope its okay that I take a quick nap in my office (I have an Aero bed in here! ;-) I am used to this! ) or I will be worth nothing today and worth nothing to you as you guys try to assist me! Once the users start filling the cubes, I will never be able to catch up on some rest... I will be awake by 9:30, no later. I am going to wake up, take a quick shower, brush the chops and then I will update this question so you guys know that I am back.
Thanks again... I appreceate your help to no end!

  -PCwimp
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 43

Expert Comment

by:JFrederick29
ID: 24017822
No problem at all.  Take your time and get rested.

You are putting the VPN group name "XDXVPN" in all CAPS on the client right? as it is case sensitive.

Try this when you get up:

conf t
access-list 106 permit ip 10.51.1.0 255.255.255.0 10.51.2.0 255.255.255.0

no vpngroup XDXVPN split-tunnel 105
vpngroup XDXVPN split-tunnel 106

If still not working, post the current running-config from the PIX.
0
 

Author Comment

by:PCWimp
ID: 24022539
[You are putting the VPN group name "XDXVPN" in all CAPS on the client right? as it is case sensitive.]
Yes

[access-list 106 permit ip 10.51.1.0 255.255.255.0 10.51.2.0 255.255.255.0
no vpngroup XDXVPN split-tunnel 105
vpngroup XDXVPN split-tunnel 106]

"access-list 106 permit ip 10.51.1.0 255.255.255.0 10.51.2.0 255.255.255.0" is already in there as access-list 105... "vpngroup XDXVPN split-tunnel 105" is the command that references that access-list. Should I still proceed?

Here is the current PIX config.
-------------------------
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 10full
interface ethernet2 10baset
interface ethernet3 10baset
interface ethernet4 10baset
interface ethernet5 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password XXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
hostname PIX02
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit tcp any any eq pptp
access-list outside permit gre any any
access-list outside permit icmp any any
access-list outside permit tcp any host 65.200.78.8 eq 3389
access-list outside permit udp any host 65.200.78.8 eq 3389
access-list outside permit tcp any host 65.200.78.8 eq citrix-ica
access-list outside permit udp any host 65.200.78.8 eq 1494
access-list outside permit tcp any host 65.200.78.7 eq www
access-list outside permit tcp any host 65.200.78.5 eq www
access-list outside permit tcp any host 65.200.78.5 eq smtp
access-list outside permit tcp any host 65.200.78.7 eq 3389
access-list outside permit udp any host 65.200.78.7 eq 3389
access-list outside permit tcp any host 65.200.78.7 eq citrix-ica
access-list 110 permit ip 10.51.1.0 255.255.255.0 10.58.1.0 255.255.255.0
access-list inside deny tcp any any eq smtp
access-list inside permit ip any any
access-list inside permit tcp host 10.51.1.247 any eq smtp
access-list inside permit tcp host 10.51.1.254 any eq smtp
access-list block135 deny tcp any any eq 135
access-list block135 permit ip any any
access-list 130 permit ip 10.51.1.0 255.255.255.0 10.59.1.0 255.255.255.0
access-list 100 permit ip 10.51.1.0 255.255.255.0 10.59.1.0 255.255.255.0
access-list acl-out permit gre any any
access-list acl-out permit tcp any any eq pptp
access-list 105 permit ip 10.51.1.0 255.255.255.0 10.51.2.0 255.255.255.0
access-list 105 permit ip 10.52.2.0 255.255.255.0 10.58.1.0 255.255.255.0
access-list 105 permit ip 10.58.1.0 255.255.255.0 10.51.2.0 255.255.255.0
access-list 105 permit ip 10.51.2.0 255.255.255.0 10.58.1.0 255.255.255.0
access-list 105 permit ip 10.51.2.0 255.255.255.0 10.50.1.0 255.255.255.0
access-list 105 permit ip 10.50.1.0 255.255.255.0 10.51.2.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 65.200.78.4 255.255.255.224
ip address inside 10.51.1.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool XDXVPN 10.51.2.1-10.51.2.100
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 10.51.1.232 255.255.255.255 inside
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 105
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 65.200.78.8 10.51.1.247 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.78.5 10.51.1.60 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.78.7 10.51.1.237 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group block135 in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 65.200.78.3 1
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map kamora 1 ipsec-isakmp
! Incomplete
crypto map footplant 1 ipsec-isakmp
! Incomplete
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 72.86.156.127
crypto map newmap 10 set transform-set myset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer 204.11.11.177
crypto map newmap 30 set transform-set myset
crypto map newmap 65535 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
crypto map mymap 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp key ******** address 204.11.11.177 netmask 255.255.255.255 no-xauth no-co
nfig-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
vpngroup XDXVPN address-pool XDXVPN
vpngroup XDXVPN dns-server 10.51.1.232
vpngroup XDXVPN default-domain ad.seegerweiss.com
vpngroup XDXVPN split-tunnel 105
vpngroup XDXVPN idle-time 1800
vpngroup XDXVPN password ********
telnet 10.51.1.2 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
----------------------------------

Thanks!

   -PCwimp
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24022575
Yeah, give this a shot:

access-list 106 permit ip 10.51.1.0 255.255.255.0 10.51.2.0 255.255.255.0
no vpngroup XDXVPN split-tunnel 105
vpngroup XDXVPN split-tunnel 106
0
 

Author Comment

by:PCWimp
ID: 24022608
Okay. Doing it now... Do I need to power down and power back up the PIX or just WRITE MEM? I am asking because I cannot reboot the firewall right now... I would have to wait till at least 5pm.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24022618
Nope.  You don't have to reload.
0
 

Author Comment

by:PCWimp
ID: 24022766
Remote peer not responding
0
 

Author Comment

by:PCWimp
ID: 24024243
Remote peer not responding when I try to connect...
Any thoughts? Thanks again...
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24024721
Can you ping 65.78.200.4 from the client PC?

Try a "wr mem" and then a "reload" to reboot the PIX if possible.
0
 

Author Comment

by:PCWimp
ID: 24027838
No. I cannot Ping 65.200.78.4.... The VPN never connects.

Still no good... Did the last step and still no VPN.                    
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24027854
Okay, you should be able to ping the PIX outside if you are "outside" of the PIX.  Where are you attempting to connect from?
0
 

Author Comment

by:PCWimp
ID: 24027858
FYI: I even unpluged it and pluged it back in. Still no good.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24027905
Is there anything in front of the PIX that is port filtering?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24027915
Sorry, nevermind, this thread has become so long that I've forgotten about the 1700 in front :)

Can you browse the Internet through this PIX? are inbound connections working?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24027983
Okay, there appears to be a connectivity issue as I am not able to ping the 1700 Ethernet.

Pinging 65.200.78.3 [65.200.78.3]:

Ping #1: * [No response]
Ping #2: * [No response]
Ping #3: * [No response]
Ping #4: * [No response]
[No times available]

Done pinging 65.200.78.3!

I can't even ping the Frame/Serial interface.

Pinging 65.194.9.30 [65.194.9.30]:

Ping #1: * [No response]
Ping #2: * [No response]
Ping #3: * [No response]
Ping #4: * [No response]
[No times available]

Done pinging 65.194.9.30!


Is the circuit up/up?  Can you post a "show ip int brief" from the 1700 and the results of a "ping  65.194.9.29" from the 1700 itself.
0
 

Author Comment

by:PCWimp
ID: 24028030
those IP addresses are not the real IP addresses. I don't post the real addresses as a matter of course.
Yes, everything works with this system. SMTP traffic flows in and out. People are able to browse the web with no problems. The olny issue I have is VPN. I will ping now and post the results.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24028052
Okay, you need to be testing the VPN from the Internet (from a connection that will connect in through the Frame Relay circuit on the 1700.  You should be able to ping the 1700 Ethernet IP and the PIX Outside IP.
0
 

Author Comment

by:PCWimp
ID: 24028079
Correct. I am using a seprate network to test from (My laptop with a celular internet connection). Also using remote users to test.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24028130
You have username/passwords on the PIX, right? did you remove them when posting the config or did they not copy over from the other PIX?
0
 

Author Comment

by:PCWimp
ID: 24028154
I reset the passwords after I brought over the config. I made sure of this.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24028204
Okay, but you have lines in your config with username <username> password <password>, right?

I would change the VPN group password to something very simple just to test and then change it back later.

conf t
vpngroup XDXVPN password easypass

Update the client and test again.

If still no go, use Hyperterminal to connect to the PIX and capture output to a file then enable the following debugs:

debug cry isa sa
debug cry ipsec sa

Also, on the VPN client, enable logging (high).

Attempt a VPN connection and then post the debugs.
0
 

Author Comment

by:PCWimp
ID: 24028631
Will do... Thanks again fro all the help
0
 

Author Comment

by:PCWimp
ID: 24034698
It wasn't the password. Still cannot get it to work... I can except that I cannot get this to work. Or, at least right now. We have been without remote access for days now and I fear I will lose my job if I can't get this up with-in the hour. So, I tried to get VPN setup using one of my remote sites. If I can get that to work, I will be in the clear as my remote site is linked to this site via pix-to-pix VPN. Here is the PIX config in the other office. I added all the commands that I used one the first PIX that works fine for VPN. Can you take a look at this config and see if I am missing anything? I feel this is my best shot at getting VPN to work quickly. Plus, it is the same setup as the network where the VPN is working and it is the same internet connection and the same ISP... Thanks.
-----------------
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security15
nameif ethernet4 dmz3 security20
nameif ethernet5 dmz4 security25
enable pasXXord 8Ry2YjIyt7RRXU24 encrypted
pasXXd 2KFQnbNIdI.2KYOU encrypted
hostname XXNJFW01
domain-name ad.XdomainX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 80 permit ip 10.50.0.0 255.255.0.0 host 10.1.254.4
access-list 80 permit ip 10.50.0.0 255.255.0.0 host 188.144.1.1
access-list 80 permit ip 10.50.0.0 255.255.0.0 host 200.1.1.99
access-list 80 permit ip 10.50.0.0 255.255.0.0 host 200.1.1.9
access-list 80 permit ip 10.50.0.0 255.255.0.0 host 10.1.254.7
access-list 101 permit icmp 10.50.0.0 255.255.0.0 host 10.1.254.4
access-list 101 permit icmp 10.50.0.0 255.255.0.0 host 188.144.1.1
access-list 101 permit icmp 10.50.0.0 255.255.0.0 host 200.1.1.99
access-list 101 permit icmp 10.50.0.0 255.255.0.0 host 200.1.1.9
access-list 101 permit icmp 10.50.0.0 255.255.0.0 host 10.1.254.7
access-list 101 permit tcp 10.50.0.0 255.255.0.0 host 10.1.254.4 eq telnet
access-list 101 permit tcp 10.50.0.0 255.255.0.0 host 188.144.1.1 eq telnet
access-list 101 permit tcp 10.50.0.0 255.255.0.0 host 200.1.1.99 eq telnet
access-list 101 permit tcp 10.50.0.0 255.255.0.0 host 200.1.1.9 eq ftp
access-list 101 permit tcp 10.50.0.0 255.255.0.0 host 10.1.254.7 eq ftp
access-list 105 permit ip 10.50.0.0 255.255.0.0 10.51.1.0 255.255.255.0
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 64.15.29.27 eq ftp
access-list outside permit tcp any any eq 1723
access-list outside permit gre any any
access-list outside permit tcp any any eq pptp
access-list outside permit icmp any any
access-list nonat permit icmp 10.50.0.0 255.255.0.0 host 200.1.1.9
access-list nonat permit icmp 10.50.0.0 255.255.0.0 host 10.1.254.7
access-list nonat permit tcp 10.50.0.0 255.255.0.0 host 10.1.254.4 eq telnet
access-list nonat permit tcp 10.50.0.0 255.255.0.0 host 188.144.1.1 eq telnet
access-list nonat permit tcp 10.50.0.0 255.255.0.0 host 200.1.1.99 eq telnet
access-list nonat permit tcp 10.50.0.0 255.255.0.0 host 200.1.1.9 eq ftp
access-list nonat permit tcp 10.50.0.0 255.255.0.0 host 10.1.254.7 eq ftp
access-list nonat permit ip 10.50.0.0 255.255.0.0 10.51.1.0 255.255.255.0
access-list nonat permit icmp 10.50.0.0 255.255.0.0 host 200.1.1.99
access-list nonat permit ip 10.50.0.0 255.255.0.0 200.1.1.0 255.255.255.0
access-list inbound permit tcp any any eq ftp
access-list acl-out permit gre any any
access-list acl-out permit tcp any any eq pptp
access-list inside deny tcp any any eq smtp
access-list inside permit ip any any
access-list 106 permit ip 10.51.1.0 255.255.255.0 10.50.3.0 255.255.255.0
access-list 106 permit ip 10.50.3.0 255.255.255.0 10.51.1.0 255.255.255.0
access-list 106 permit ip 10.58.1.0 255.255.255.0 10.50.3.0 255.255.255.0
access-list 106 permit ip 10.50.3.0 255.255.255.0 10.58.1.0 255.255.255.0
access-list 106 permit ip 10.50.3.0 255.255.255.0 10.50.1.0 255.255.255.0
access-list 106 permit ip 10.50.1.0 255.255.255.0 10.50.3.0 255.255.255.0
access-list mnsadmin_splitTunnelAcl permit ip any any
pager lines 24
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
mtu dmz4 1500
ip address outside 64.15.29.28 255.255.255.248
ip address inside 10.50.254.250 255.255.0.0
ip address dmz1 127.0.0.1 255.255.255.255
ip address dmz2 127.0.0.1 255.255.255.255
ip address dmz3 127.0.0.1 255.255.255.255
ip address dmz4 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.1.1-192.168.1.254
ip local pool XXLLPVPN 10.50.3.1-10.50.3.100
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
failover ip address dmz2 0.0.0.0
failover ip address dmz3 0.0.0.0
failover ip address dmz4 0.0.0.0
pdm location 10.50.1.234 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 64.15.29.26 netmask 255.255.255.248
nat (inside) 0 access-list 106
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 64.15.29.27 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0
static (inside,outside) 64.15.29.27 10.50.1.227 netmask 255.255.255.255 0 0
access-group outside in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 64.15.29.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.50.1.227 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto map rustmn 9 ipsec-isakmp
crypto map rustmn 9 match address 105
crypto map rustmn 9 set peer 66.95.109.147
crypto map rustmn 9 set transform-set vpn
crypto map rustmn 10 ipsec-isakmp
crypto map rustmn 10 match address 101
crypto map rustmn 10 set peer 208.42.8.93
crypto map rustmn 10 set transform-set strong
crypto map rustmn interface outside
isakmp enable outside
isakmp key ******** address 208.42.8.93 netmask 255.255.255.255
isakmp key ******** address 66.95.109.147 netmask 255.255.255.255
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup ciscotac idle-time 1800
vpngroup XXLLPVPN address-pool XXLLPVPN
vpngroup XXLLPVPN dns-server 10.50.1.234
vpngroup XXLLPVPN default-domain ad.XdomainX.com
vpngroup XXLLPVPN split-tunnel 106
vpngroup XXLLPVPN idle-time 1800
vpngroup XXLLPVPN pasXXord ********
telnet 10.51.1.0 255.255.255.0 outside
telnet 10.50.0.0 255.255.0.0 inside
telnet 10.50.1.203 255.255.255.255 inside
telnet 10.50.1.203 255.255.255.255 dmz1
telnet 10.50.1.203 255.255.255.255 dmz2
telnet 10.50.1.203 255.255.255.255 dmz3
telnet 10.50.1.203 255.255.255.255 dmz4
telnet timeout 5
ssh timeout 30
terminal width 80
Cryptochecksum:6642cc3c5649d91a4dbd98fe5218b7e8
------------------
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24035300
Here is the problem with that idea.  The PIX isn't going to allow you to hairpin the traffic, i.e. remote access VPN coming into the PIX outside and then sending it back out the outside to another VPN site.  You need to be running 7.x/8.x software to be able to do this.

For the other site, I would put a switch between the PIX outside and the router ethernet and then connect your laptop to the switch.  Address your laptop with a 65.200.78.x IP and test the VPN to rule out the router and "Internet".
0
 

Author Comment

by:PCWimp
ID: 24036263
Sorry for the late reply... I was driving home to get some clothes and take a shower. Will the VPN work like that being that they are both in the same IP range?
0
 

Author Comment

by:PCWimp
ID: 24037673
FINALLY!!!!!
I was able to get it working... Thank God!

One the orginal PIX config, not the remote office (though after your last post, it sounds like I need to setup a VPN for that office, Upgrade my PIX versions or centralize my file servers) I was able to get the VPN to work. I printed out the configs from the old working PIX from the DSL line and the new PIX on the T1 line. I sat there and compared each line. It was a tedious process but it worked. The main 2 line that made the difference was the following.
------------------------
Old PIX (working):
iskamp policy 10 group 2
iskamp policy 10 lifetime 86400
New PIX (not working)
iskamp policy 10 group 1
iskamp policy 10 lifetime 1000
------------------------
Once I removed those 2 command lines from the PIX and added "iskamp policy 10 group 2" and "iskamp policy 10 lifetime 86400", the VPN started working!
If you could answer one last question... Why would those 2 lines make the difference?
I can't thank you enough for all your help with this! Cheers!

   -PCwimp


0
 

Author Closing Comment

by:PCWimp
ID: 31563959
Thanks for sticking with me for days on this issue... You are a good person! Cheers!

   -PCwimp
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24038139
You know, I questioned that time and time again but it was set in my mind that that couldn't be the issue.  I figured the VPN client would be compatible with DH group 1 but it appears the 3.x and 4.x and assuming 5.x clients use DH 2.  Oh well, I'm glad it's working.  Get some rest now <8-]
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now