Solved

Can't VPN out externally because of ASA?

Posted on 2009-12-17
Last Modified: 2012-05-08
Hi there,
We have a network on whose edge there are 2 PIX firewalls (515-E) with 2 separate Internet links (same ISP). The way our ISP has set it up is that any outgoing traffic from our private network goes out to the Internet via PIX1, whereas any traffic coming into our network from the Internet comes in via PIX2. Now, everybody can browse or do the usual Internet activity stuff, no problem.

However, I've noticed that if I want to VPN out externally to some other company ABC, it doesn't connect. I tried a few other VPN connections and it was the same result: couldn't connect.

Now, I'm not sure if I'm correct here, but I think the VPN return traffic is causing the issue, since the original request was sent out via PIX 1 and it might be coming back in via PIX 2. I thought that the return traffic for any traffic originating from within the network should come back via the same path, no? But in this case of trying to connect to an external VPN, I think what might be happening is that the VPN connect request is sent out via Firewall-1 and, in response, that VPN device originates some traffic and sends it to our network (which is configured to receive all incoming traffic via the PIX2 link). Now, the basic firewall principle is that any traffic must enter/exit the same interface, else it will cause issues. Is that what's happening? How can I fix this situation? Does a certain protocol/port need to be inspected in the default config of the PIX to allow a successful VPN connection? The VPN type is a normal Microsoft VPN connection, which I think is PPTP based.

I would prefer not to change the routes, as it's doing load-balancing between the 2 PIXes. The firewalls are in multiple-context active/active failover mode.

Your help will be really appreciated!
PIX 1 Sanitized Config: 

 firewall1/failovergroup1# sh running-config
: Saved
:
PIX Version 8.0(2) <context>
!
hostname failovergroup1
enable password xxx
names
!
interface Ethernet0
 nameif outside_failovergroup1
 security-level 0
 ip address x.x.x.x 255.255.255.248 standby x.x.x.x
!
interface inside_failovergroup1
 nameif inside
 security-level 100
 ip address 172.16.1.2 255.255.255.248 standby 172.16.1.3
!
dns domain-lookup outside_failovergroup1
dns domain-lookup inside
dns domain-lookup inside_redundant
dns server-group DefaultDNS
 name-server x.x.x.x
 name-server x.x.x.x
same-security-traffic permit intra-interface
access-list 1 extended permit "The ACL is for outside interface. Permits some hosts, denies rest"
access-list 1 extended deny ip any any
pager lines 24
mtu outside_failovergroup1 1500
mtu inside 1500
mtu inside_redundant 1500
monitor-interface inside
monitor-interface inside_redundant
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside_failovergroup1) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside_redundant) 1 0.0.0.0 0.0.0.0
static (inside,outside_failovergroup1) udp x.x.x.x snmp 10.0.9.19 snmp netmask 255.255.255.255
static (inside,outside_failovergroup1) udp x.x.x.x snmptrap 10.0.9.19 snmptrap netmask 255.255.255.255
static (inside,outside_failovergroup1) tcp x.x.x.x 1022 10.152.0.250 ssh netmask 255.255.255.255
static (inside,outside_failovergroup1) tcp x.x.x.x https 10.152.0.104 https netmask 255.255.255.255
static (inside,outside_failovergroup1) tcp x.x.x.x 3306 10.152.0.86 3306 netmask 255.255.255.255
static (inside,outside_failovergroup1) udp x.x.x.x 4569 10.152.0.250 4569 netmask 255.255.255.255
static (inside,outside_failovergroup1) tcp x.x.x.x 993 10.152.0.104 993 netmask 255.255.255.255
static (inside,outside_failovergroup1) tcp x.x.x.x 1443 10.152.0.250 https netmask 255.255.255.255
static (inside,outside_failovergroup1) udp x.x.x.x 4570 10.152.0.250 4570 netmask 255.255.255.255
static (inside,outside_failovergroup1) tcp x.x.x.x 10630 10.0.6.30 https netmask 255.255.255.255
static (inside,outside_failovergroup1) tcp x.x.x.x ldap 10.152.0.104 ldap netmask 255.255.255.255
access-group 1 in interface outside_failovergroup1
route outside_failovergroup1 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.9.0 255.255.255.0 10.0.9.1 1
route inside 172.16.0.0 255.255.0.0 172.16.2.1 1
route inside 172.16.0.0 255.255.255.248 172.16.1.1 1
route inside 172.16.0.16 255.255.255.248 172.16.1.1 1
route inside 172.16.0.64 255.255.255.240 172.16.1.1 1
route inside 172.25.0.0 255.255.0.0 172.16.1.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
snmp-server host inside 10.0.9.19 community xxx
snmp-server host inside_redundant 10.0.9.19 community xxx
no snmp-server location
no snmp-server contact
snmp-server community xxx
snmp-server enable traps syslog
no crypto isakmp nat-traversal
telnet 172.16.1.0 255.255.255.248 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:4cb81e104301fd405f27de387c9e7a0c
: end


Question by:nabeel92
2 Comments
 

Author Comment

by:nabeel92
ID: 26076440
My current Google search is telling me to use 'fixup protocol pptp'? Is that the case?
 

Accepted Solution

by: nabeel92 (earned 0 total points)
ID: 26077100
Done, I just had to inspect PPTP in the default PIX policy. That's it! That way, it allows the return GRE traffic initiated by the VPN server sitting outside the network!
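For anyone landing on this thread with the same symptom, here is what the accepted fix looks like against the config posted above, written out as an added example rather than the poster's own running-config. The reason it works: PPTP is two flows, not one. The client opens a TCP control connection to port 1723, and the actual tunnel is GRE (IP protocol 47), which has no ports and is sent by the remote VPN server toward the client. Without PPTP inspection the PIX only has a connection entry for the TCP/1723 session, so the inbound GRE matches nothing and is dropped on the outside interface (the posted config ends its outside ACL with "access-list 1 extended deny ip any any"). The PPTP inspector reads the control channel, pre-opens a connection for the negotiated GRE tunnel and, because the config uses PAT ("global (outside_failovergroup1) 1 interface"), also translates the GRE call IDs so the return tunnel maps back to the right inside host. The "fixup protocol pptp" form mentioned in the comment above is the pre-MPF syntax; on 8.0(2) the policy-map form below is the one to use. The assumption in the example is that, in multiple-context mode, the same lines must be added in each context that forwards outbound client traffic (only the failovergroup1 context is shown on this page).

```cisco
! Added example, not the poster's config: the existing default inspection
! class from the failovergroup1 context with PPTP inspection added.
! Before the fix this class had no "inspect pptp" line, so inbound GRE
! (IP protocol 47) from the remote VPN server hit "deny ip any any".
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
! Already present in the posted config; shown so the policy is complete.
service-policy global_policy global
!
! Verification, run inside the context after a client brings up a tunnel:
!   show service-policy inspect pptp
!     counters for the PPTP inspector should increment with each connection
!   show conn
!     a GRE entry for the tunnel should appear next to the TCP/1723 connection
! Assumption: repeat the policy-map change in every other context that
! carries outbound client traffic, since MPF policy is per context.
```

If the counters in "show service-policy inspect pptp" stay at zero while clients keep failing, the control channel is not passing through the class this policy is attached to (for example, it is leaving through a different context), which is the first thing to check before touching routes or the outside ACL.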