Solved

PIX Site to Site ACL Problems

Posted on 2009-04-24
Last Modified: 2012-05-06
Hi Guys,
I'm following up on this thread (has my config and network info):
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24347163.html

I have managed to tunnel from site to site, but now I can't get to the internet from site B. I'd like local traffic from the "inside" interface @ site B to be tunneled to the "inside" interface @ site A (this is working). Internet traffic from Site B should also be tunneled out to the outside (internet) interface @ site B.

Here is the error when trying to get to msn.com

Inbound TCP connection denied from 192.168.8.53/1173 to 65.55.12.249/80 (MSN.COM) flags SYN  on interface inside


Please, I need this done before the weekend.  Thanks guys
Question by:datgigrinch
17 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24226795
Did you mean?
Internet traffic from Site B should also be tunneled out to the outside (internet) interface @ site A.
                                                                                                                                                  ^^
If so, add this:

Site B:

access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 any

Site A:

nat (inside) 2 192.168.8.0 255.255.255.0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24226807
Also on Site B:

no route inside 0.0.0.0 0.0.0.0 192.168.7.1 1
route outside 0.0.0.0 0.0.0.0 192.168.7.1 1

 
LVL 43

Expert Comment

by:JFrederick29
ID: 24226837
Posting too fast :)

This also:

Site A:

access-list DMZ_20_cryptomap extended permit ip any 192.168.8.0 255.255.255.0
no access-list DMZ_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0

Site B:

access-list outside_20_cryptomap extended permit ip 192.168.8.0 255.255.255.0 any
no access-list outside_20_cryptomap extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
 

Author Comment

by:datgigrinch
ID: 24226874
Yes, internet traffic from site B should be tunneled to the outside (internet) interface @ site A.

I added the commands but I am still getting this error.

Inbound TCP connection denied from 192.168.8.53/1355 to 208.69.32.132/80 flags SYN  on interface inside
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24226884
Sounds like the NAT 0 on site B didn't change correctly.

Can you post the current Site B config?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24226911
Typo:

Do this on Site A:

no nat (inside) 2 192.168.8.0 255.255.255.0
nat (DMZ) 201 192.168.8.0 255.255.255.0
 

Author Comment

by:datgigrinch
ID: 24227132
Thanks for the quick response.

Same error. Here is my NAT and ACL:

Site A

 domain-name default.domain.invalid
access-list outside_access_in extended deny tcp any host *.101 eq telnet
access-list outside_access_in extended deny udp any host *.98 eq 60825
access-list outside_access_in extended deny tcp any host *.98 eq 60825
access-list outside_access_in extended deny tcp any host *.102 eq telnet
access-list outside_access_in extended deny tcp any host *.103 eq telnet
access-list outside_access_in extended permit tcp any host *.109 eq smtp
access-list outside_access_in extended permit tcp any host *.109 eq 3389
access-list outside_access_in extended deny tcp any host *.110 eq ftp
access-list outside_access_in remark Facebook Block
access-list outside_access_in extended deny ip 69.63.176.0 255.255.255.0 *.96 255.255.255.240
access-list outside_access_in extended deny ip host 69.63.176.44 *.96 255.255.255.240
access-list outside_cryptomap extended permit ip any 192.168.1.192 255.255.255.224
access-list test_splitTunnelAcl standard permit any
access-list outside_cryptomap_1 extended permit ip any 10.10.0.0 255.255.255.240
access-list outside_cryptomap_2 extended permit ip any 10.10.0.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list Voice_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list DMZVPN_splitTunnelAcl standard permit any
access-list Voice_cryptomap extended permit ip any 10.10.0.0 255.255.255.240
access-list inside_access_in extended permit ip any any
access-list DMZ_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap debugging
logging asdm errors
logging host inside 192.168.1.217
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpn_pool 192.168.1.201-192.168.1.210
ip local pool pool_vpn 10.10.0.4-10.10.0.9
ip verify reverse-path interface outside
icmp permit any inside
icmp permit any DMZ
asdm image flash:/asdm521.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 *.98 netmask 255.255.255.0
global (outside) 3 *.102 netmask 255.255.255.0
global (outside) 4 *.105 netmask 255.255.255.0
global (outside) 201 *.109 netmask 255.255.255.248
global (DMZ) 200 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.1.0 255.255.255.0
nat (inside) 4 192.168.5.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list Voice_nat0_outbound
nat (DMZ) 201 192.168.7.0 255.255.255.0
nat (DMZ) 201 192.168.8.0 255.255.255.0
static (inside,outside) *.99 192.168.1.2 netmask 255.255.255.255
static (inside,outside) *.101 192.168.1.40 netmask 255.255.255.255
static (inside,outside) *.102 192.168.1.216 netmask 255.255.255.255
static (inside,outside) *.103 10.10.1.1 netmask 255.255.255.255
static (inside,outside) *.106 192.168.5.199 netmask 255.255.255.255
static (inside,outside) *.110 192.168.1.217 netmask 255.255.255.255
static (inside,outside) *.109 192.168.1.240 netmask 255.255.255.255
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 *.97 1
route inside 192.168.5.0 255.255.255.0 192.168.1.216 1
route inside 10.10.1.0 255.255.255.0 192.168.1.216 1
route DMZ 192.168.8.0 255.255.255.0 192.168.7.100 1
!
router rip
 network 10.0.0.0
 network 192.168.1.0
 network 192.168.5.0
 version 2

Site B:

access-list outside_20_cryptomap extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu Voice 1500
asdm image flash:/asdm521.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 2 192.168.55.1-192.168.55.100 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
route outside 192.168.1.0 255.255.255.0 192.168.7.1 1
route inside 0.0.0.0 0.0.0.0 192.168.7.1 1
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 24227161
Looks like the changes didn't take.

On Site B:

conf t
no route inside 0.0.0.0 0.0.0.0 192.168.7.1 1
route outside 0.0.0.0 0.0.0.0 192.168.7.1 1
access-list outside_20_cryptomap extended permit ip 192.168.8.0 255.255.255.0 any
no access-list outside_20_cryptomap extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0

On Site A:

access-list DMZ_20_cryptomap extended permit ip any 192.168.8.0 255.255.255.0
no access-list DMZ_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
 

Author Comment

by:datgigrinch
ID: 24228730
Great! The final step is being able to get from site B to the DMZ in site A. I'm getting this error on the PIX @ site A:

192.168.7.8      192.168.8.53       Inbound TCP connection denied from 192.168.7.8/80 to 192.168.8.53/2011 flags SYN ACK  on interface DMZ

Thanks!
 

Author Comment

by:datgigrinch
ID: 24229547
Any thoughts?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24230385
Try this on site B:

conf t
access-list outside_20_cryptomap extended line 1 deny ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0

access-list inside_nat0_outbound extended line 1 deny ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0

nat (inside) 1 192.168.8.0 255.255.255.0
 

Author Comment

by:datgigrinch
ID: 24233186
Sorry. I'm still getting the same error message at the Site A PIX after this command. Any commands to be run @ the site A PIX?
 

Author Comment

by:datgigrinch
ID: 24238452
Seems that the machine on the DMZ network ( 192.168.7.0 ) is receiving the SYN packet but the firewall is unaware of this connection and thereby drops the SYN-ACK packet returned from the DMZ network?

Please correct me if I'm wrong on this.
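Reading the three `Inbound TCP connection denied` lines in this thread by hand is easy; on a busy log it is not. Below is an added example, my own code rather than anything from this thread or from Cisco, that parses PIX/ASA message 106001 into its five-tuple, flags and interface and orients each flow client-to-server. The point of the orientation is the last line: a denied `SYN ACK` is a reply for which the PIX holds no connection entry on that interface, so the SYN it answers either never crossed that firewall or crossed it on a different path, and a normalised flow key is what lets you look for that SYN on the other device. The sample input is the three lines quoted in this thread; the `kind` labels are this example's own naming, not Cisco's.

```python
"""Added example (not from the thread or from Cisco): parse PIX/ASA syslog
message 106001 ("Inbound TCP connection denied ...") and orient each denied
packet as client -> server, so that a denied SYN ACK can be tied back to the
SYN it answers.  The 'kind' labels are this example's own, not Cisco's."""
import re
from dataclasses import dataclass
from typing import Optional

# Message body of 106001; search() tolerates a "%PIX-2-106001:" header or the
# extra columns ASDM prepends.  Flags are space separated, e.g. "SYN ACK".
_RE_106001 = re.compile(
    r"Inbound TCP connection denied from (?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) "
    r"to (?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)"
    r"(?: \((?P<name>[^)]*)\))?"          # optional reverse-DNS name, as in "(MSN.COM)"
    r" flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Denied:
    src: str
    sport: int
    dst: str
    dport: int
    flags: tuple
    iface: str
    name: Optional[str]

    @property
    def kind(self):
        """A denied SYN is a new connection the firewall refused on that
        interface; a denied SYN ACK is a reply for which it holds no
        connection entry, i.e. it never saw (or did not keep) the SYN."""
        if "ACK" in self.flags:
            return "reply-without-state"
        if self.flags == ("SYN",):
            return "new-connection-refused"
        return "other"

    def flow(self):
        """(client, server, server_port).  For a SYN ACK the denied packet
        travels server -> client, so the endpoints are swapped."""
        if "ACK" in self.flags:
            return (self.dst, self.src, self.sport)
        return (self.src, self.dst, self.dport)


def parse_106001(line):
    """Return a Denied record, or None if the line is not a 106001 message."""
    m = _RE_106001.search(line)
    if not m:
        return None
    return Denied(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                  tuple(m["flags"].split()), m["iface"], m["name"])


# Sample input: the three log lines quoted in this thread.
SAMPLE = [
    "Inbound TCP connection denied from 192.168.8.53/1173 to 65.55.12.249/80 (MSN.COM) flags SYN  on interface inside",
    "Inbound TCP connection denied from 192.168.8.53/1355 to 208.69.32.132/80 flags SYN  on interface inside",
    "192.168.7.8      192.168.8.53       Inbound TCP connection denied from 192.168.7.8/80 to 192.168.8.53/2011 flags SYN ACK  on interface DMZ",
]


def summarize(lines):
    """One (kind, iface, client, server, server_port) tuple per parsable line."""
    out = []
    for line in lines:
        d = parse_106001(line)
        if d is not None:
            client, server, port = d.flow()
            out.append((d.kind, d.iface, client, server, port))
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Run as a script it prints one row per line; `summarize` returns the rows so they can be handed to whatever correlation you use. The third row comes out as client 192.168.8.53, server 192.168.7.8, port 80 on interface DMZ, which is the flow to go looking for on the Site B PIX.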
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24238533
Can you post the latest config from the Site B Firewall?  
 

Author Comment

by:datgigrinch
ID: 24238578
Site B:

PIX Version 7.2(1)
!
hostname *
domain-name *
enable password * encrypted
names
dns-guard
!
interface Ethernet0
 description *
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.7.100 255.255.255.0
!
interface Ethernet1
 description Inside Interface *
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.8.1 255.255.255.0
!
interface Ethernet2
 description Voice Interface
 nameif Voice
 security-level 4
 ip address 192.168.99.1 255.255.255.0
!
passwd * encrypted
banner motd *
ftp mode passive
dns server-group DefaultDNS
 domain-name *
access-list outside_20_cryptomap extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended deny ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 any
access-list inside_nat0_outbound extended deny ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu Voice 1500
asdm image flash:/asdm521.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 2 192.168.55.1-192.168.55.100 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
route outside 192.168.1.0 255.255.255.0 192.168.7.1 1
route outside 0.0.0.0 0.0.0.0 192.168.7.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no eou allow clientless
username * password * encrypted privilege 15
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 192.168.7.1
crypto map outside_map 20 set transform-set ESP-DES-MD5 ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable Voice
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 5
 lifetime 86400
tunnel-group 192.168.7.1 type ipsec-l2l
tunnel-group 192.168.7.1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 10
dhcpd address 192.168.8.50-192.168.8.100 inside
dhcpd dns 192.168.1.240 interface inside
dhcpd enable inside
!
dhcpd address 192.168.99.2-192.168.99.20 Voice
dhcpd enable Voice
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
client-update enable
prompt hostname context
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 2000 total points
ID: 24240806
Okay, looks like the changes didn't take again.

Copy and paste this onto the Site B pix:

conf t
access-list outside_20_cryptomap line 1 extended deny ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0

no access-list inside_nat0_outbound extended deny ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list inside_nat0_outbound line 1 extended deny ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0

nat (inside) 1 192.168.8.0 255.255.255.0
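The difference between the two attempts above is where the `deny ... 192.168.7.0` entries land. PIX/ASA ACLs are evaluated top-down and the first matching entry wins, so a deny that ends up after `permit ip 192.168.8.0 255.255.255.0 any` is never reached for a DMZ destination, and `line 1` is what moves it in front (the keyword goes right after the ACL name, `access-list NAME line 1 extended ...`, which is the form the last post uses). The same first-match rule applies to the `nat 0` ACL, where a deny entry means "not exempt, translate normally", so with both denies at line 1 a packet for 192.168.7.x is neither encrypted nor exempt and falls through to `nat (inside) 1` with `global (outside) 1 interface`, leaving in the clear as 192.168.7.100. What follows is an added example, my own code rather than anything from this thread or from Cisco: it replays `access-list` commands (including `line N` and `no`) into ordered lists and evaluates the two Site B decisions for a packet from 192.168.8.53. `AS_POSTED` is the Site B ACL set from the config above; `INTENDED` is my reading of the accepted and assisted solutions combined, not a config the thread shows; the outcome labels are mine. On the as-posted ordering the DMZ-bound packet comes out "clear-untranslated" (not encrypted, but exempt from NAT), so 192.168.7.8 sees source 192.168.8.53 and has to route its reply back, which fits the SYN ACK denial on Site A's DMZ interface; that link to the log line is my inference, not something the thread states.

```python
"""Added example (not from the thread or from Cisco): replay PIX/ASA-style
access-list commands and evaluate them top-down, first match wins, to show
what Site B does with a packet from 192.168.8.53 under two orderings of the
'deny ... 192.168.7.0' entry.  Only 'extended permit|deny ip SRC DST' entries
are modelled, which is all the ACLs in this thread use."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(tok):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def build_acls(config_lines):
    """Replay 'access-list' / 'no access-list' lines in the order typed.
    Without 'line N' an entry is appended; with it, it is inserted at that
    1-based position.  Returns {name: [Ace, ...]} in evaluation order."""
    acls = {}
    for raw in config_lines:
        tok = raw.split()
        if not tok:
            continue
        negate = tok[0] == "no"
        if negate:
            tok = tok[1:]
        if tok[0] != "access-list":
            continue                          # nat, route, global, ...: ignored here
        name, tok = tok[1], tok[2:]
        if tok[0] in ("remark", "standard"):
            continue
        pos = None
        if tok[0] == "line":                  # 'line N' comes before 'extended'
            pos, tok = int(tok[1]), tok[2:]
        if tok[0] != "extended" or tok[2] != "ip":
            raise ValueError(f"unsupported ACE syntax: {raw.strip()}")
        action, tok = tok[1], tok[3:]
        src, tok = _net(tok)
        dst, tok = _net(tok)
        ace = Ace(action, src, dst)
        acl = acls.setdefault(name, [])
        if negate:
            acl.remove(ace)
        elif pos is None:
            acl.append(ace)
        else:
            acl.insert(pos - 1, ace)
    return acls


def accepts(line):
    """True if build_acls() understands the line; shows that the keyword
    order matters ('line 1' must precede 'extended')."""
    try:
        build_acls([line])
        return True
    except (ValueError, IndexError):
        return False


def first_match(acl, src_ip, dst_ip):
    """Top-down evaluation; the first matching entry decides.  Returns
    (1-based line number, action), or (None, 'deny') for the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(acl, start=1):
        if src in ace.src and dst in ace.dst:
            return n, ace.action
    return None, "deny"


def site_b_egress(acls, src_ip, dst_ip):
    """Combine the two Site B decisions for an inside -> outside packet: the
    crypto-map ACL (permit = encrypt to peer 192.168.7.1) and the nat 0 ACL
    (permit = exempt from translation).  Outcome labels are this example's."""
    _, crypto = first_match(acls["outside_20_cryptomap"], src_ip, dst_ip)
    _, exempt = first_match(acls["inside_nat0_outbound"], src_ip, dst_ip)
    return {
        (True, True): "tunnel",               # IPsec, source stays 192.168.8.x
        (False, False): "pat",                # clear text, PAT to 192.168.7.100 via nat (inside) 1
        (False, True): "clear-untranslated",  # clear text, source stays 192.168.8.x
        (True, False): "tunnel-translated",   # encrypted after PAT; peer's crypto ACL won't match
    }[(crypto == "permit", exempt == "permit")]


# Site B ACLs exactly as posted in the thread.  In inside_nat0_outbound the
# deny sits after 'permit ... any', so for a DMZ destination it is never reached.
AS_POSTED = """
access-list outside_20_cryptomap extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended deny ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 any
access-list inside_nat0_outbound extended deny ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
""".strip().splitlines()

# My composition of the accepted and assisted solutions (not a config shown in
# the thread): permit-any for the tunnel, then the DMZ deny forced to line 1.
INTENDED = """
access-list outside_20_cryptomap extended permit ip 192.168.8.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 any
access-list outside_20_cryptomap line 1 extended deny ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list inside_nat0_outbound line 1 extended deny ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
""".strip().splitlines()


if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("deny at line 1", INTENDED)):
        acls = build_acls(cfg)
        for dst in ("192.168.1.240", "65.55.12.249", "192.168.7.8"):
            print(f"{label:15} 192.168.8.53 -> {dst:14} {site_b_egress(acls, '192.168.8.53', dst)}")
```

Run as a script it prints the six outcomes; with the deny at line 1, Site A's inside and the internet go through the tunnel and the DMZ host gets "pat", which is the behaviour the last post is after. `accepts()` also shows why the earlier `extended line 1 ...` form does not do what was wanted: this parser, like the PIX syntax, expects `line N` before `extended`.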
 

Author Comment

by:datgigrinch
ID: 24254889
Thanks!
