[c-nsp] PIX 515e VPN

Alvaro R askxfs at gmail.com
Fri Jul 22 14:18:14 EDT 2005


I rewrote the config trying to make it work.

This is what I have now:


pix# wr term
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
no fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
access-list acl_out remark Allow ICMP Ping, Ping Reply, Traceroute, Unreachables
access-list acl_out permit icmp any any 
access-list ipsec-adpusa permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list ipsec-adpusa permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
access-list ipsec-adplabs permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
pager lines 40
logging on
logging timestamp
logging buffered debugging
logging trap informational
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500  
ip address outside *.*.106.189 255.255.255.224
ip address inside 10.159.1.254 255.255.255.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.159.2.20-10.159.2.240
pdm location *.*.106.162 255.255.255.255 outside
pdm location 10.159.1.0 255.255.255.0 inside
pdm location 10.159.1.1 255.255.255.255 inside
pdm location 10.0.0.0 255.0.0.0 outside
pdm location 192.168.0.0 255.255.0.0 outside
pdm location 10.159.2.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat-inside
nat (inside) 10 0.0.0.0 0.0.0.0 dns 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 200.162.106.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
ntp server 10.159.1.1 source inside prefer
http server enable
http 10.159.1.0 255.255.255.0 inside
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set adpusa esp-3des esp-md5-hmac 
crypto ipsec transform-set adplabs esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 5000
crypto dynamic-map map2 10 set transform-set adplabs
crypto map adpusa 10 ipsec-isakmp
crypto map adpusa 10 match address ipsec-adpusa
crypto map adpusa 10 set peer *.*.91.112
crypto map adpusa 10 set transform-set adpusa
crypto map adpusa 20 ipsec-isakmp dynamic map2
crypto map adpusa interface outside
isakmp enable outside
isakmp key ******** address *.*.91.112 netmask 255.255.255.255 
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 5000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 14400
vpngroup adplados address-pool vpnpool1
vpngroup adplados dns-server 10.159.1.1
vpngroup adplados wins-server 10.159.1.2
vpngroup adplados default-domain adplabs.com.br
vpngroup adplados split-tunnel ipsec-adplabs
vpngroup adplados idle-time 1800
vpngroup adplados password ********
telnet *.*.106.160 255.255.255.224 outside
telnet 10.159.1.0 255.255.255.0 inside
telnet timeout 25
ssh *.*.106.160 255.255.255.224 outside
ssh 10.159.1.0 255.255.255.0 inside
ssh timeout 25
management-access inside
console timeout 0
dhcpd address 10.159.1.40-10.159.1.100 inside
dhcpd dns 10.159.1.1 200.198.64.66
dhcpd wins 10.159.1.2 
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain example.com
dhcpd auto_config outside
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
banner login We don't like you. Go away.


Thanks!


On 7/22/05, info at beprojects.com <info at beprojects.com> wrote:
> Can you send an updated config.
> 
> Alvaro R wrote:
> > That allows internet access, but I still can't ping inside hosts :(
> >
> > Thanks
> >
> > On 7/22/05, Tim Bulger <timb at phreakocious.net> wrote:
> >
> >>How about:
> >>
> >>access-list split-tunnel permit ip 10.159.1.0 255.255.255.0 any
> >>vpngroup road split-tunnel split-tunnel
> >>
> >>?
> >>
> >>-Tim
> >>
> >>-----Original Message-----
> >>From: cisco-nsp-bounces at puck.nether.net
> >>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alvaro R
> >>Sent: Thursday, July 21, 2005 8:16 PM
> >>To: cisco-nsp at puck.nether.net
> >>Subject: Re: [c-nsp] PIX 515e VPN
> >>
> >>I'm 6.3(3), and per your advice I added
> >>
> >>isakmp nat-traversal 20
> >>
> >>
> >>didn't work either :(
> >>
> >>
> >>
> >>On 7/21/05, Jim McBurnett <jim at tgasolutions.com> wrote:
> >>
> >>>Look up the ISAKMP nat-transparency command....
> >>>Later,
> >>>Jim
> >>>
> >>>-----Original Message-----
> >>>From: Alvaro R [mailto:askxfs at gmail.com]
> >>>Sent: Thursday, July 21, 2005 5:26 PM
> >>>To: cisco-nsp at puck.nether.net
> >>>Subject: [c-nsp] PIX 515e VPN
> >>>
> >>>Hello, I would like some advice regarding a Cisco PIX 515e.
> >>>
> >>>I am trying to allow road warriors to get access to the inside LAN,
> >>>using the Cisco client (tried versions 4.0.5 and 4.6).
> >>>
> >>>I am able to get the IP for client/dns/wins but I cannot ping or
> >>>anything else, it just won't work.
> >>>
> >>>this PIX is used as a gateway and does NAT for the internal LAN, also
> >>>it connects to a remote PIX via pre-share keys, that works just fine.
> >>>
> >>>pertinent config follows:
> >>>
> >>>access-list ipsec-remote permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0
> >>>access-list ipsec-remote permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0
> >>>access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0
> >>>access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0
> >>>access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
> >>>access-list ipsec-road permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
> >>>access-list outside_cryptomap_dyn_20 permit ip any 10.159.2.0 255.255.255.0
> >>>
> >>>ip local pool ippool1 10.159.2.2-10.159.2.253
> >>>
> >>>global (outside) 10 interface
> >>>nat (inside) 0 access-list nonat-inside
> >>>nat (inside) 10 0.0.0.0 0.0.0.0 dns 0 0
> >>>access-group acl_out in interface outside
> >>>route outside 0.0.0.0 0.0.0.0 ext.gw.ip.here 1
> >>>
> >>>sysopt connection permit-ipsec
> >>>crypto ipsec transform-set remote esp-3des esp-md5-hmac
> >>>crypto ipsec security-association lifetime seconds 5000
> >>>crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
> >>>crypto dynamic-map outside_dyn_map 20 set transform-set remote
> >>>crypto map remote 10 ipsec-isakmp
> >>>crypto map remote 10 match address ipsec-remote
> >>>crypto map remote 10 set peer *.*.91.112
> >>>crypto map remote 10 set transform-set remote
> >>>crypto map remote 65535 ipsec-isakmp dynamic outside_dyn_map
> >>>crypto map remote interface outside
> >>>
> >>>isakmp enable outside
> >>>isakmp key ******** address *.*.91.112 netmask 255.255.255.255
> >>>isakmp identity address
> >>>isakmp policy 10 authentication pre-share
> >>>isakmp policy 10 encryption 3des
> >>>isakmp policy 10 hash md5
> >>>isakmp policy 10 group 2
> >>>isakmp policy 10 lifetime 5000
> >>>
> >>>vpngroup road address-pool ippool1
> >>>vpngroup road dns-server 10.159.1.1 10.159.1.4
> >>>vpngroup road wins-server 10.159.1.2
> >>>vpngroup road default-domain bla.com
> >>>vpngroup road idle-time 1800
> >>>vpngroup road password ********
> >>>
> >>>Any hints?
> >>>
> >>>
> >>>Thanks,
> >>>
> >>>Alvaro
> >>>
> >>>_______________________________________________
> >>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>>https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>>archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>>
> >>>
> >>
> >>
> >>
> >
> >
>

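A consistency check for the kind of remote-access configuration posted in this thread, added here as an example (it is not code from the poster, from the list, or from Cisco). It parses the VPN-relevant statements of a PIX 6.x running-config into Python `ipaddress` objects and verifies the three things a road-warrior setup on this platform depends on: the client address pool is exempted from NAT by the `nat (inside) 0 access-list` entry, the split-tunnel ACL names the inside network as its source, and `sysopt connection permit-ipsec` is present so decrypted traffic is not dropped by the outside ACL. The embedded config is a constructed subset of the one in this message; the function names `parse_config` and `check_vpn` are my own.

```python
import ipaddress

# Constructed sample: a subset of the PIX 6.3(3) running-config posted above.
SAMPLE_CONFIG = """\
access-list acl_out permit icmp any any
access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
access-list ipsec-adplabs permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
ip address inside 10.159.1.254 255.255.255.0
ip local pool vpnpool1 10.159.2.20-10.159.2.240
nat (inside) 0 access-list nonat-inside
sysopt connection permit-ipsec
vpngroup adplados address-pool vpnpool1
vpngroup adplados split-tunnel ipsec-adplabs
"""


def _net(tokens, i):
    """Parse one ACL endpoint at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract the VPN-relevant statements from a PIX 6.x running-config."""
    cfg = {"acls": {}, "pools": {}, "vpngroups": {}, "nat0_acl": None,
           "inside_net": None, "permit_ipsec": False}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        # Only 'permit ip' entries with explicit endpoints matter for the checks below.
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _net(t, 4)
            dst, _ = _net(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "address", "inside"]:
            cfg["inside_net"] = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            cfg["nat0_acl"] = t[4]
        elif t == ["sysopt", "connection", "permit-ipsec"]:
            cfg["permit_ipsec"] = True
        elif t[0] == "vpngroup" and len(t) >= 4:
            cfg["vpngroups"].setdefault(t[1], {})[t[2]] = t[3]
    return cfg


def _covers(entries, inside_net, lo, hi):
    """True if one ACL entry matches inside_net as source and all of lo..hi as destination.
    A network is a contiguous range, so checking both endpoints covers the whole pool."""
    return any(inside_net.subnet_of(src) and lo in dst and hi in dst
               for src, dst in entries)


def check_vpn(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if cfg["inside_net"] is None:
        return ["no 'ip address inside' statement found"]
    if not cfg["permit_ipsec"]:
        findings.append("sysopt connection permit-ipsec is missing: decrypted "
                        "tunnel traffic is subject to the outside interface ACL")
    nat0 = cfg["acls"].get(cfg["nat0_acl"], [])
    for name, g in cfg["vpngroups"].items():
        pool = cfg["pools"].get(g.get("address-pool"))
        if pool is None:
            findings.append(f"vpngroup {name}: address-pool names no configured ip local pool")
            continue
        lo, hi = pool
        if not _covers(nat0, cfg["inside_net"], lo, hi):
            findings.append(f"vpngroup {name}: nat 0 ACL does not exempt "
                            f"{cfg['inside_net']} -> {lo}-{hi} from NAT")
        split_name = g.get("split-tunnel")
        if split_name is not None:
            split = cfg["acls"].get(split_name)
            if split is None:
                findings.append(f"vpngroup {name}: split-tunnel ACL {split_name} does not exist")
            elif not any(cfg["inside_net"].subnet_of(src) for src, _ in split):
                findings.append(f"vpngroup {name}: split-tunnel ACL {split_name} "
                                "does not list the inside network as source")
    return findings


if __name__ == "__main__":
    for finding in check_vpn(parse_config(SAMPLE_CONFIG)) or ["all checks passed"]:
        print(finding)
```

Running it against the posted config reports no findings, which is the point: the three statements this script can verify are all present, so the remaining fault lies outside what a static read of the config can show. Feeding it a config whose pool is not covered by the `nat 0` ACL, or which lacks `sysopt connection permit-ipsec`, produces a finding for each.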

