Solved

Site to Site vpn tunnel trouble

Posted on 2009-05-20
Last Modified: 2013-11-16
I need to give a customer access to a few of our clustered servers that are on my internal network. We already have a VPN tunnel set up with them; however, they are already using the additional subnets we need them to have access to, so we need to NAT them to external IP addresses. The servers we need them to have access to are 2 nodes in a Microsoft Windows cluster. So I need to give them access to:
node 1: 192.168.40.21
node 2: 192.168.40.22
Cluster/sql ip: 192.168.40.24

In short, I would like to give them access to those 3 IP addresses but NAT those IP addresses to an external IP address statically.

192.168.40.21=66.x.x.1
192.168.40.22=66.x.x.2
192.168.40.24=66.x.x.3


Below are some lines of config taken from my PIX. I am trying to get the 40.24 up first and then add the rest later. The customer says the IKE is up but the IPsec session won't establish. Help!
global (outside) 2 66.a.b.1-66.a.b.4 netmask 255.255.255.0
nat (inside) 2 access-list conditional_nat

access-list conditional_nat extended permit ip 192.168.40.0 255.255.255.0 host 198.x.x.1
access-list conditional_hostA permit ip host 192.168.40.24 198.178.131.1 255.255.255.255

static (inside,outside) 66.a.b.1 access-list conditional_hostA

crypto ipsec transform-set des esp-des esp-sha-hmac
crypto map tippmanngroup 1 match address 103
crypto map tippmanngroup 1 set pfs
crypto map tippmanngroup 1 set peer 199.d.e.f
crypto map tippmanngroup 1 set transform-set des

access-list 103 extended permit ip 192.168.40.0 255.255.255.0 host 198.x.x.1

Question by:joebass47
19 Comments
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 24509687
Hello joebass47,
    It doesn't have to be a public IP like 66.a.b.1 necessarily. Here is my recommendation:
no global (outside) 2 66.a.b.1-66.a.b.4 netmask 255.255.255.0
no nat (inside) 2 access-list conditional_nat

no access-list conditional_nat extended permit ip 192.168.40.0 255.255.255.0 host 198.x.x.1
no access-list conditional_hostA permit ip host 192.168.40.24 198.178.131.1 255.255.255.255
no static (inside,outside) 66.a.b.1 access-list conditional_hostA

access-list CNat1 permit ip host 192.168.40.21 customernetwork customernetmask
access-list CNat2 permit ip host 192.168.40.22 customernetwork customernetmask
access-list CNat3 permit ip host 192.168.40.24 customernetwork customernetmask

static (inside,outside) 172.28.110.21 access-list CNat1
static (inside,outside) 172.28.110.22 access-list CNat2
static (inside,outside) 172.28.110.24 access-list CNat3

access-list Cstmr_Intr_Traf permit ip 172.28.110.21 customernetwork customernetmask
access-list Cstmr_Intr_Traf permit ip 172.28.110.22 customernetwork customernetmask
access-list Cstmr_Intr_Traf permit ip 172.28.110.24 customernetwork customernetmask

no crypto map tippmanngroup 1 match address 103
crypto map tippmanngroup 1 match address Cstmr_Intr_Traf

Make sure of 2 things:
    1) You do not have nat 0 (exempt NAT) statements that can cover the source and destinations specified in the conditional NAT, such as
     access-list inside_nat0_outbound permit ip 192.168.40.0 255.255.255.0 any
   2) The remote site has the exact mirror of your interesting-traffic ACL, like the following:

access-list Crporate_Intr_Traf permit ip customernetwork customernetmask host 172.28.110.21
access-list Crporate_Intr_Traf permit ip customernetwork customernetmask host 172.28.110.22
access-list Crporate_Intr_Traf permit ip customernetwork customernetmask host 172.28.110.24

   And make sure they modify their exempt NAT statement accordingly.

Regards
0
 

Author Comment

by:joebass47
ID: 24517613
Thanks for the response!

We already have some subnets set up using ACL 103, so if we remove that, those won't work. Is there any way to look at both ACL 103 and cstmr_intr_traf?
0
 

Author Comment

by:joebass47
ID: 24517684
Sorry, let me be more clear on my last comment. We already have two existing subnets set up in the VPN tunnel that both use ACL 103.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24517751
If those two existing statements do not cover my above mirror ACL entries and do not make them useless, then you can use that ACL. But remember, ACL 103 must be exactly mirrored at the remote site. If it doesn't work, post ACL 103.
0
 

Author Comment

by:joebass47
ID: 24523628
OK, I will put this in tomorrow. One question before I do: what if I want to use public IPs? Could I use the same config and just change the private IPs you gave me to my public ones?

Thanks,
Joey
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24524014
"Could I use the same config and just change the private IPs you gave me to my public ones?"
    Yes, you can. Change the private IPs to public IPs in the interesting-traffic ACL and statics.
0
 

Author Comment

by:joebass47
ID: 24528527
access-list CNat1 permit ip host 192.168.40.21 198.x.x.x 255.255.255.255
access-list CNat2 permit ip host 192.168.40.22 198.x.x.x 255.255.255.255
access-list CNat3 permit ip host 192.168.40.24 198.x.x.x 255.255.255.255

static (inside,outside) 66.x.x.1 access-list CNat1
static (inside,outside) 66.x.x.2 access-list CNat2
static (inside,outside) 66.x.x.3 access-list CNat3

access-list 103 extended permit ip host 66.x.x.1 host 198.x.x.x
access-list 103 extended permit ip host 66.x.x.2 host 198.x.x.x
access-list 103 extended permit ip host 66.x.x.3 host 198.x.x.x


Above is what I have added. I also took out what you had suggested...
no global (outside) 2 66.a.b.1-66.a.b.4 netmask 255.255.255.0
no nat (inside) 2 access-list conditional_nat

no access-list conditional_nat extended permit ip 192.168.40.0 255.255.255.0 host 198.x.x.1
no access-list conditional_hostA permit ip host 192.168.40.24 198.178.131.1 255.255.255.255
no static (inside,outside) 66.a.b.1 access-list conditional_hostA

_________________________________
Here is what is in access-list 103:
access-list 103 extended permit ip 192.168.7.0 255.255.255.0 host 198.x.x.1
access-list 103 extended permit ip 192.168.100.0 255.255.255.0 host 198.x.x.1
access-list 103 extended permit ip host 66.x.x.1 host 198.x.x.x
access-list 103 extended permit ip host 66.x.x.2 host 198.x.x.x
access-list 103 extended permit ip host 66.x.x.3 host 198.x.x.x

____________________________________
I also have the following nat statements:
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
____________________________________
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 172.16.60.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.5.125.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.5.251.0 255.255.255.0
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.50.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 host 198.178.131.1
0
 

Author Comment

by:joebass47
ID: 24574446
I guess I didn't put in my above comment that it didn't work.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24579508
Can you post the current config?
0
 

Author Comment

by:joebass47
ID: 24580075
PIX Version 7.2(4)
!
hostname indigitalfire
domain-name tippmanngroup.com
enable password <removed>
passwd <removed>
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 66.170.x.x 255.255.255.224
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
boot system flash:/image.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name tippmanngroup.com
access-list CNat1 extended permit ip host 192.168.40.21 host 198.178.131.1
access-list CNat2 extended permit ip host 192.168.40.22 host 198.178.131.1
access-list 103 extended permit ip 192.168.7.0 255.255.255.0 host 198.178.131.1
access-list 103 extended permit ip 192.168.100.0 255.255.255.0 host 198.178.131.1
access-list 103 extended permit ip host 66.249.242.1 host 198.178.131.1
access-list 103 extended permit ip host 66.249.242.2 host 198.178.131.1
access-list 103 extended permit ip host 66.249.242.3 host 198.178.131.1
access-list 103 extended permit ip 192.168.40.0 255.255.255.0 host 198.178.131.1
access-list 104 extended permit ip 192.168.8.0 255.255.255.0 172.16.60.0 255.255.255.0
access-list 104 extended permit ip 192.168.8.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list 104 extended permit ip 192.168.8.0 255.255.255.0 10.5.125.0 255.255.255.0
access-list 104 extended permit ip 192.168.8.0 255.255.255.0 10.5.251.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 172.16.60.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.5.125.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.5.251.0 255.255.255.0
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.50.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip host 66.249.242.1 host 198.178.131.1
access-list nonat extended permit ip host 66.249.242.2 host 198.178.131.1
access-list nonat extended permit ip host 66.249.242.3 host 198.178.131.1
access-list nonat extended permit ip host 192.168.40.21 host 198.178.131.1
access-list nonat extended permit ip host 192.168.40.22 host 198.178.131.1
access-list nonat extended permit ip host 192.168.40.24 host 198.178.131.1
access-list CNat3 extended permit ip host 192.168.40.24 host 198.178.131.1
access-list Cstmr_Intr_Traf extended permit ip host 66.249.242.1 host 198.178.131.1
access-list Cstmr_Intr_Traf extended permit ip host 66.249.242.2 host 198.178.131.1
access-list Cstmr_Intr_Traf extended permit ip host 66.249.242.3 host 198.178.131.1
pager lines 24
logging enable
logging asdm informational
logging from-address pix@tippmanngroup.com
logging recipient-address jborgnini@tippmanngroup.com level warnings
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 66.170.x.x
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 66.170.35.204 192.168.4.11 netmask 255.255.255.255
static (inside,outside) 66.170.35.206 192.168.3.4 netmask 255.255.255.255
static (inside,outside) 66.170.35.202 192.168.100.97 netmask 255.255.255.255
static (inside,outside) 66.170.35.198 192.168.100.15 netmask 255.255.255.255
static (inside,outside) 66.170.35.196 192.168.100.18 netmask 255.255.255.255
static (inside,outside) 66.170.35.199 192.168.100.56 netmask 255.255.255.255
static (inside,outside) 66.170.35.222 192.168.100.19 netmask 255.255.255.255
static (inside,outside) 66.170.35.221 192.168.7.29 netmask 255.255.255.255
static (inside,outside) 66.170.35.217 192.168.100.96 netmask 255.255.255.255
static (inside,outside) 66.170.35.209 192.168.100.249 netmask 255.255.255.255
static (inside,outside) 66.170.35.205 192.168.6.38 netmask 255.255.255.255
static (inside,outside) 66.170.35.203 192.168.10.29 netmask 255.255.255.255
static (inside,outside) 66.170.35.208 192.168.50.29 netmask 255.255.255.255
static (inside,outside) 66.170.35.211 192.168.100.14 netmask 255.255.255.255
static (inside,outside) 66.170.35.212 192.168.100.70 netmask 255.255.255.255
static (inside,outside) 66.170.35.215 192.168.9.21 netmask 255.255.255.255
static (inside,outside) 66.170.35.219 192.168.100.33 netmask 255.255.255.255
static (inside,outside) 66.170.35.200 192.168.6.29 netmask 255.255.255.255
static (inside,outside) 66.249.242.1  access-list CNat1
static (inside,outside) 66.249.242.2  access-list CNat2
static (inside,outside) 66.249.242.3  access-list CNat3
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.170.35.194 1
route inside 192.168.0.0 255.255.0.0 192.168.100.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.100.186 255.255.255.255 inside
http 192.168.100.240 255.255.255.255 inside
http 192.168.3.221 255.255.255.255 inside
http 192.168.4.40 255.255.255.255 inside
http 192.168.100.222 255.255.255.255 inside
http 192.168.100.15 255.255.255.255 inside
http 192.168.6.93 255.255.255.255 inside
http 192.168.3.104 255.255.255.255 inside
http 192.168.3.105 255.255.255.255 inside
http 192.168.100.241 255.255.255.255 inside
http 192.168.7.187 255.255.255.255 inside
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set des esp-des esp-sha-hmac
crypto map tippmanngroup 1 match address 103
crypto map tippmanngroup 1 set pfs
crypto map tippmanngroup 1 set peer 199.88.143.5
crypto map tippmanngroup 1 set transform-set des
crypto map tippmanngroup 2 match address 104
crypto map tippmanngroup 2 set pfs
crypto map tippmanngroup 2 set peer 75.137.63.10
crypto map tippmanngroup 2 set transform-set des
crypto map tippmanngroup interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 8
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.100.15 255.255.255.255 inside
telnet 192.168.100.176 255.255.255.255 inside
telnet 192.168.100.177 255.255.255.255 inside
telnet 192.168.5.150 255.255.255.255 inside
telnet 192.168.4.40 255.255.255.255 inside
telnet 192.168.100.187 255.255.255.255 inside
telnet 192.168.100.174 255.255.255.255 inside
telnet 192.168.3.107 255.255.255.255 inside
telnet 192.168.7.0 255.255.255.0 inside
telnet 192.168.7.187 255.255.255.255 inside
telnet 192.168.3.221 255.255.255.255 inside
telnet 192.168.100.240 255.255.255.255 inside
telnet timeout 5
ssh 192.168.4.151 255.255.255.255 inside
ssh 192.168.100.222 255.255.255.255 inside
ssh 192.168.4.40 255.255.255.255 inside
ssh 192.168.4.41 255.255.255.255 inside
ssh 192.168.100.15 255.255.255.255 inside
ssh 192.168.7.180 255.255.255.255 inside
ssh 192.168.100.239 255.255.255.255 inside
ssh 192.168.100.177 255.255.255.255 inside
ssh 192.168.5.150 255.255.255.255 inside
ssh 192.168.3.105 255.255.255.255 inside
ssh 192.168.4.181 255.255.255.255 inside
ssh 192.168.3.107 255.255.255.255 inside
ssh 192.168.7.187 255.255.255.255 inside
ssh timeout 5
ssh version 1
console timeout 0
username guido password <removed> privilege 15
username jborgnini password <removed> privilege 15
tunnel-group 199.88.143.5 type ipsec-l2l
tunnel-group 199.88.143.5 ipsec-attributes
 pre-shared-key *
tunnel-group 75.137.63.10 type ipsec-l2l
tunnel-group 75.137.63.10 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:94544b06ff843955b0f7ee70da17cfad
: end
0
 

Author Comment

by:joebass47
ID: 24606103
Do you see anything that could be causing the problem?
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24814799
Joe, does the tunnel ever come up? What is the most recent error now?
0
 

Author Comment

by:joebass47
ID: 24815726
The tunnel never came up. I still can't ping the customer. I don't think the conditional NAT is working properly.
0
 

Author Comment

by:joebass47
ID: 24816034
I also opened a question here since I wasn't getting much response in this thread.

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24553922.html
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24817744
I sometimes forget the questions I participate in; I just saw the email. But if you have followed the suggestions correctly, the solution was in my first suggestion:
"Make sure of 2 things:
    1) You do not have nat 0 (exempt NAT) statements that can cover the source and destinations specified in the conditional NAT, such as
     access-list inside_nat0_outbound permit ip 192.168.40.0 255.255.255.0 any"

 The suggestion made in the link you specified doesn't make sense; VPN Client and NAT are not safety criteria to choose from.

The problem is that your exempt NAT ACL contains the statement we entered for conditional NAT, so the traffic is already exempted without ever reaching our CNAT static. Simply removing the following line should solve the issue:

no access-list nonat extended permit ip 192.168.40.0 255.255.255.0 host 198.178.131.1

Run a clear xlate afterwards.
0
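An added illustration (not from the thread, and not a Cisco tool) of why check 1) in the accepted answer matters: a small Python model of the PIX 7.x NAT order of operations, where the nat 0 exemption ACL is consulted before any policy static, run against a constructed fragment of the posted config before and after the offending nonat entry is removed. The flow tested is node 192.168.40.24 talking to the customer host 198.178.131.1; the crypto ACL is written for the translated address, as the accepted answer requires.

```python
import ipaddress

# Constructed fragment modelled on the posted PIX 7.2 config: the exempt-NAT
# (nat 0) ACL, the policy-NAT ACL/static for node .24 and the crypto ACL that
# expects the translated address 66.249.242.3.
BEFORE = """\
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 host 198.178.131.1
access-list CNat3 extended permit ip host 192.168.40.24 host 198.178.131.1
access-list Cstmr_Intr_Traf extended permit ip host 66.249.242.3 host 198.178.131.1
nat (inside) 0 access-list nonat
static (inside,outside) 66.249.242.3 access-list CNat3
"""
# The fix given in the thread: drop the nonat entry that covers the same flow.
AFTER = "\n".join(l for l in BEFORE.splitlines() if not l.startswith("access-list nonat"))

def _net(tok):
    """Consume one ACL address term (host X | any | NET MASK); return (network, rest)."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def load_acls(config):
    """Map ACL name -> list of (src_net, dst_net) for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        name, body = tok[1], tok[2:]
        if body[0] == "extended":
            body = body[1:]
        if body[:2] != ["permit", "ip"]:
            continue
        src, body = _net(body[2:])
        dst, _ = _net(body)
        acls.setdefault(name, []).append((src, dst))
    return acls

def acl_matches(acls, name, src, dst):
    return any(src in s and dst in d for s, d in acls.get(name, []))

def translate_source(config, src, dst):
    """Outside source address for an inside->outside flow. PIX 7.x order:
    nat 0 access-list (exemption) is checked first, then policy statics."""
    acls = load_acls(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rules = [l.split() for l in config.splitlines()]
    for tok in rules:
        if tok[:4] == ["nat", "(inside)", "0", "access-list"] and acl_matches(acls, tok[4], src, dst):
            return str(src)   # exempted: packet leaves untranslated
    for tok in rules:
        if tok[:2] == ["static", "(inside,outside)"] and tok[3:4] == ["access-list"] \
                and acl_matches(acls, tok[4], src, dst):
            return tok[2]     # policy static: mapped address
    return str(src)           # dynamic nat/global pool not modelled here

def hits_crypto_acl(config, crypto_acl, src, dst):
    """Crypto-map matching is evaluated on the post-NAT packet; returns (matched, translated_src)."""
    xlated = translate_source(config, src, dst)
    ok = acl_matches(load_acls(config), crypto_acl, ipaddress.ip_address(xlated), ipaddress.ip_address(dst))
    return ok, xlated
```

With the nonat entry present the flow leaves as 192.168.40.24 and never matches Cstmr_Intr_Traf, so no IPsec SA is ever requested for it; without it the static translates the source to 66.249.242.3 and the crypto ACL matches.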
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24817967
Nice to hear that your issue is resolved, and sad to see grade B for a good answer to a long-to-read and time-consuming question, which experts usually refrain from participating in. Please open up a ticket to close the other question you opened, with a full refund, since it is resolved.
Regards
0