Fwd: [c-nsp] PIX 515e VPN (SOLVED)

Alvaro R askxfs at gmail.com
Fri Jul 22 15:50:52 EDT 2005


This solved the problem!

Thank you very much for your help.

Alvaro


---------- Forwarded message ----------
From: info at beprojects.com <>
Date: Jul 22, 2005 4:18 PM
Subject: Re: [c-nsp] PIX 515e VPN



I know why....

The dynmap is after the LAN to LAN connection:

 >>>>crypto map adpusa 10 ipsec-isakmp
 >>>>crypto map adpusa 10 match address ipsec-adpusa
 >>>>crypto map adpusa 10 set peer *.*.91.112
 >>>>crypto map adpusa 10 set transform-set adpusa
 >>>>crypto map adpusa 20 ipsec-isakmp dynamic map2

IPSEC-ADPUSA says to tunnel anything from 10.159.1.0 to 10.x.x.x.

 >>>>access-list ipsec-adpusa permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0
 >>>>access-list ipsec-adpusa permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0

The VPNPOOL is 10.159.2.x, but that falls under 10.x.x.x, so it is being
sent out the lan to lan tunnel, not the user tunnel.  Change the VPNPOOL
to 192.168.something and change the nonat and split-tunnel acl's and
I'll bet it works.
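The steering problem described above comes from crypto map evaluation order: the PIX walks the map entries by sequence number and the static L2L entry (seq 10) wins for any inside-to-10.x.x.x traffic before the dynamic entry (seq 20) is ever consulted. The script below is an added example, not from the thread or from Cisco; it models that sequence-ordered match with the ACL lines quoted above and adds the check a practitioner would want before choosing a replacement pool: does the proposed pool overlap any destination in a static entry's match ACL? The candidate pool 172.16.50.0/24 is constructed for illustration, and the dynamic entry is simplified to a catch-all (on a real PIX it only applies after a client has negotiated an SA).

```python
import ipaddress

# Constructed model of the crypto map quoted in this thread, in the order
# the PIX evaluates it. Seq 10 is the static L2L entry with match ACL
# ipsec-adpusa; seq 20 stands in for dynamic map map2 (remote-access
# clients). The peer address is masked on the page, so it is only a label.
CRYPTO_MAP = [
    (10, "static L2L to peer *.*.91.112", [
        ("10.159.1.0/24", "10.0.0.0/8"),
        ("10.159.1.0/24", "192.168.0.0/16"),
    ]),
    (20, "dynamic map2 (remote-access clients)", None),
]


def select_crypto_entry(crypto_map, src, dst):
    """Return (seq, label) of the first entry whose match ACL covers src->dst.

    A dynamic entry (acl is None) is treated as a catch-all for whatever
    the static entries did not claim. Simplification: a real PIX only uses
    the dynamic entry once a client has negotiated an SA.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for seq, label, acl in crypto_map:
        if acl is None:
            return seq, label
        for src_net, dst_net in acl:
            if (src_ip in ipaddress.ip_network(src_net)
                    and dst_ip in ipaddress.ip_network(dst_net)):
                return seq, label
    return None


def static_entries_covering_pool(crypto_map, pool):
    """List (seq, 'src -> dst') for each static ACL line whose destination
    overlaps the proposed remote-access pool.

    Any hit means return traffic to VPN clients would be steered into that
    static tunnel instead of the client SA, which is the failure seen here.
    """
    pool_net = ipaddress.ip_network(pool)
    hits = []
    for seq, _label, acl in crypto_map:
        if acl is None:
            continue
        for src_net, dst_net in acl:
            if pool_net.overlaps(ipaddress.ip_network(dst_net)):
                hits.append((seq, f"{src_net} -> {dst_net}"))
    return hits


if __name__ == "__main__":
    # Pool as configured in the thread (10.159.2.x) sits inside 10.0.0.0/8,
    # so inside -> client traffic is claimed by seq 10, the L2L entry.
    print(select_crypto_entry(CRYPTO_MAP, "10.159.1.10", "10.159.2.50"))
    print(static_entries_covering_pool(CRYPTO_MAP, "10.159.2.0/24"))
    # Constructed candidate pool outside both L2L destinations: falls
    # through to the dynamic entry and the overlap check is clean.
    print(select_crypto_entry(CRYPTO_MAP, "10.159.1.10", "172.16.50.7"))
    print(static_entries_covering_pool(CRYPTO_MAP, "172.16.50.0/24"))
```

Running the overlap check against the thread's ACL also flags any candidate inside 192.168.0.0/16, since the second ipsec-adpusa line tunnels that range to the same peer; whatever pool is chosen has to sit outside both destinations listed in that ACL, and the nonat and split-tunnel ACLs have to be updated to the new range as the reply notes.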




Alvaro R wrote:
> ahh.. this is on the client side, yes it is checked.
>
> I only tried IPsec over UDP (NAT/PAT),
> will try now over TCP (port 10000)
>
> Thanks
>
> On 7/22/05, Alvaro R <askxfs at gmail.com> wrote:
>
>>what's that ?
>>
>>IOS here is 6.3(3)
>>
>>one thing I added was
>>
>>isakmp nat-traversal 20
>>
>>but it didn't help ...
>>
>>
>>
>>On 7/22/05, info at beprojects.com <info at beprojects.com> wrote:
>>
>>>Do they have transparent tunneling through udp enabled on the client?
>>>
>>>
>>>Alvaro R wrote:
>>>
>>>>I rewrote the config trying to make it work.
>>>>
>>>>This is what I have now:
>>>>
>>>>
>>>>pix# wr term
>>>>Building configuration...
>>>>: Saved
>>>>:
>>>>PIX Version 6.3(3)
>>>>interface ethernet0 auto
>>>>interface ethernet1 auto
>>>>interface ethernet2 auto shutdown
>>>>nameif ethernet0 outside security0
>>>>nameif ethernet1 inside security100
>>>>nameif ethernet2 dmz security4
>>>>hostname pix
>>>>fixup protocol dns maximum-length 512
>>>>fixup protocol ftp 21
>>>>fixup protocol h323 h225 1720
>>>>fixup protocol h323 ras 1718-1719
>>>>fixup protocol http 80
>>>>fixup protocol icmp error
>>>>no fixup protocol rsh 514
>>>>fixup protocol rtsp 554
>>>>no fixup protocol sip 5060
>>>>no fixup protocol sip udp 5060
>>>>no fixup protocol skinny 2000
>>>>fixup protocol smtp 25
>>>>fixup protocol sqlnet 1521
>>>>no fixup protocol tftp 69
>>>>names
>>>>access-list acl_out remark Allow ICMP Ping, Ping Reply, Traceroute, Unreachables
>>>>access-list acl_out permit icmp any any
>>>>access-list ipsec-adpusa permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0
>>>>access-list ipsec-adpusa permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0
>>>>access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0
>>>>access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0
>>>>access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
>>>>access-list ipsec-adplabs permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
>>>>pager lines 40
>>>>logging on
>>>>logging timestamp
>>>>logging buffered debugging
>>>>logging trap informational
>>>>icmp permit any outside
>>>>icmp permit any inside
>>>>mtu outside 1500
>>>>mtu inside 1500
>>>>mtu dmz 1500
>>>>ip address outside *.*.106.189 255.255.255.224
>>>>ip address inside 10.159.1.254 255.255.255.0
>>>>no ip address dmz
>>>>ip audit info action alarm
>>>>ip audit attack action alarm
>>>>ip local pool vpnpool1 10.159.2.20-10.159.2.240
>>>>pdm location *.*.106.162 255.255.255.255 outside
>>>>pdm location 10.159.1.0 255.255.255.0 inside
>>>>pdm location 10.159.1.1 255.255.255.255 inside
>>>>pdm location 10.0.0.0 255.0.0.0 outside
>>>>pdm location 192.168.0.0 255.255.0.0 outside
>>>>pdm location 10.159.2.0 255.255.255.0 outside
>>>>pdm logging informational 100
>>>>pdm history enable
>>>>arp timeout 14400
>>>>global (outside) 10 interface
>>>>nat (inside) 0 access-list nonat-inside
>>>>nat (inside) 10 0.0.0.0 0.0.0.0 dns 0 0
>>>>access-group acl_out in interface outside
>>>>route outside 0.0.0.0 0.0.0.0 200.162.106.161 1
>>>>timeout xlate 3:00:00
>>>>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
>>>>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
>>>>timeout uauth 0:05:00 absolute
>>>>aaa-server TACACS+ protocol tacacs+
>>>>aaa-server RADIUS protocol radius
>>>>aaa-server LOCAL protocol local
>>>>aaa authentication ssh console LOCAL
>>>>aaa authentication telnet console LOCAL
>>>>aaa authorization command LOCAL
>>>>ntp server 10.159.1.1 source inside prefer
>>>>http server enable
>>>>http 10.159.1.0 255.255.255.0 inside
>>>>floodguard enable
>>>>sysopt connection permit-ipsec
>>>>crypto ipsec transform-set adpusa esp-3des esp-md5-hmac
>>>>crypto ipsec transform-set adplabs esp-aes-256 esp-sha-hmac
>>>>crypto ipsec security-association lifetime seconds 5000
>>>>crypto dynamic-map map2 10 set transform-set adplabs
>>>>crypto map adpusa 10 ipsec-isakmp
>>>>crypto map adpusa 10 match address ipsec-adpusa
>>>>crypto map adpusa 10 set peer *.*.91.112
>>>>crypto map adpusa 10 set transform-set adpusa
>>>>crypto map adpusa 20 ipsec-isakmp dynamic map2
>>>>crypto map adpusa interface outside
>>>>isakmp enable outside
>>>>isakmp key ******** address *.*.91.112 netmask 255.255.255.255
>>>>isakmp identity address
>>>>isakmp nat-traversal 20
>>>>isakmp policy 10 authentication pre-share
>>>>isakmp policy 10 encryption 3des
>>>>isakmp policy 10 hash md5
>>>>isakmp policy 10 group 2
>>>>isakmp policy 10 lifetime 5000
>>>>isakmp policy 20 authentication pre-share
>>>>isakmp policy 20 encryption aes-256
>>>>isakmp policy 20 hash sha
>>>>isakmp policy 20 group 5
>>>>isakmp policy 20 lifetime 14400
>>>>vpngroup adplados address-pool vpnpool1
>>>>vpngroup adplados dns-server 10.159.1.1
>>>>vpngroup adplados wins-server 10.159.1.2
>>>>vpngroup adplados default-domain adplabs.com.br
>>>>vpngroup adplados split-tunnel ipsec-adplabs
>>>>vpngroup adplados idle-time 1800
>>>>vpngroup adplados password ********
>>>>telnet *.*.106.160 255.255.255.224 outside
>>>>telnet 10.159.1.0 255.255.255.0 inside
>>>>telnet timeout 25
>>>>ssh *.*.106.160 255.255.255.224 outside
>>>>ssh 10.159.1.0 255.255.255.0 inside
>>>>ssh timeout 25
>>>>management-access inside
>>>>console timeout 0
>>>>dhcpd address 10.159.1.40-10.159.1.100 inside
>>>>dhcpd dns 10.159.1.1 200.198.64.66
>>>>dhcpd wins 10.159.1.2
>>>>dhcpd lease 3600
>>>>dhcpd ping_timeout 750
>>>>dhcpd domain example.com
>>>>dhcpd auto_config outside
>>>>privilege show level 0 command version
>>>>privilege show level 0 command curpriv
>>>>privilege show level 3 command pdm
>>>>privilege show level 3 command blocks
>>>>privilege show level 3 command ssh
>>>>privilege configure level 3 command who
>>>>privilege show level 3 command isakmp
>>>>privilege show level 3 command ipsec
>>>>privilege show level 3 command vpdn
>>>>privilege show level 3 command local-host
>>>>privilege show level 3 command interface
>>>>privilege show level 3 command ip
>>>>privilege configure level 3 command ping
>>>>privilege show level 3 command uauth
>>>>privilege configure level 5 mode enable command configure
>>>>privilege show level 5 command running-config
>>>>privilege show level 5 command privilege
>>>>privilege show level 5 command clock
>>>>privilege show level 5 command ntp
>>>>privilege show level 5 mode configure command logging
>>>>privilege show level 5 command fragment
>>>>banner login We don't like you. Go away.
>>>>
>>>>
>>>>Thanks!
>>>>
>>>>
>>>>On 7/22/05, info at beprojects.com <info at beprojects.com> wrote:
>>>>
>>>>
>>>>>Can you send an updated config.
>>>>>
>>>>>Alvaro R wrote:
>>>>>
>>>>>
>>>>>>That allows internet access, but I still can't ping inside hosts :(
>>>>>>
>>>>>>Thanks
>>>>>>
>>>>>>On 7/22/05, Tim Bulger <timb at phreakocious.net> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>>How about:
>>>>>>>
>>>>>>>access-list split-tunnel permit ip 10.159.1.0 255.255.255.0 any
>>>>>>>vpngroup road split-tunnel split-tunnel
>>>>>>>
>>>>>>>?
>>>>>>>
>>>>>>>-Tim
>>>>>>>
>>>>>>>-----Original Message-----
>>>>>>>From: cisco-nsp-bounces at puck.nether.net
>>>>>>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alvaro R
>>>>>>>Sent: Thursday, July 21, 2005 8:16 PM
>>>>>>>To: cisco-nsp at puck.nether.net
>>>>>>>Subject: Re: [c-nsp] PIX 515e VPN
>>>>>>>
>>>>>>>I'm 6.3(3), and per your advice I added
>>>>>>>
>>>>>>>isakmp nat-traversal 20
>>>>>>>
>>>>>>>
>>>>>>>didn't work either :(
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>On 7/21/05, Jim McBurnett <jim at tgasolutions.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>Look up the ISAKMP nat-transparency command....
>>>>>>>>Later,
>>>>>>>>Jim
>>>>>>>>
>>>>>>>>-----Original Message-----
>>>>>>>>From: Alvaro R [mailto:askxfs at gmail.com]
>>>>>>>>Sent: Thursday, July 21, 2005 5:26 PM
>>>>>>>>To: cisco-nsp at puck.nether.net
>>>>>>>>Subject: [c-nsp] PIX 515e VPN
>>>>>>>>
>>>>>>>>Hello, I would like some advice regarding a Cisco PIX 515e.
>>>>>>>>
>>>>>>>>I am trying to allow road warriors to get access to the inside LAN,
>>>>>>>>using the Cisco client (tried versions 4.0.5 and 4.6).
>>>>>>>>
>>>>>>>>I am able to get the IP for client/dns/wins but I cannot ping or
>>>>>>>>anything else, it just won't work.
>>>>>>>>
>>>>>>>>this PIX is used as a gateway and does NAT for the internal LAN, also
>>>>>>>>it connects to a remote PIX via pre-share keys, that works just fine.
>>>>>>>>
>>>>>>>>pertinent config follows:
>>>>>>>>
>>>>>>>>access-list ipsec-remote permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0
>>>>>>>>access-list ipsec-remote permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0
>>>>>>>>access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0
>>>>>>>>access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0
>>>>>>>>access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
>>>>>>>>access-list ipsec-road permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
>>>>>>>>access-list outside_cryptomap_dyn_20 permit ip any 10.159.2.0 255.255.255.0
>>>>>>>>
>>>>>>>>ip local pool ippool1 10.159.2.2-10.159.2.253
>>>>>>>>
>>>>>>>>global (outside) 10 interface
>>>>>>>>nat (inside) 0 access-list nonat-inside
>>>>>>>>nat (inside) 10 0.0.0.0 0.0.0.0 dns 0 0
>>>>>>>>access-group acl_out in interface outside
>>>>>>>>route outside 0.0.0.0 0.0.0.0 ext.gw.ip.here 1
>>>>>>>>
>>>>>>>>sysopt connection permit-ipsec
>>>>>>>>crypto ipsec transform-set remote esp-3des esp-md5-hmac
>>>>>>>>crypto ipsec security-association lifetime seconds 5000
>>>>>>>>crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
>>>>>>>>crypto dynamic-map outside_dyn_map 20 set transform-set remote
>>>>>>>>crypto map remote 10 ipsec-isakmp
>>>>>>>>crypto map remote 10 match address ipsec-remote
>>>>>>>>crypto map remote 10 set peer *.*.91.112
>>>>>>>>crypto map remote 10 set transform-set remote
>>>>>>>>crypto map remote 65535 ipsec-isakmp dynamic outside_dyn_map
>>>>>>>>crypto map remote interface outside
>>>>>>>>
>>>>>>>>isakmp enable outside
>>>>>>>>isakmp key ******** address *.*.91.112 netmask 255.255.255.255
>>>>>>>>isakmp identity address
>>>>>>>>isakmp policy 10 authentication pre-share
>>>>>>>>isakmp policy 10 encryption 3des
>>>>>>>>isakmp policy 10 hash md5
>>>>>>>>isakmp policy 10 group 2
>>>>>>>>isakmp policy 10 lifetime 5000
>>>>>>>>
>>>>>>>>vpngroup road address-pool ippool1
>>>>>>>>vpngroup road dns-server 10.159.1.1 10.159.1.4
>>>>>>>>vpngroup road wins-server 10.159.1.2
>>>>>>>>vpngroup road default-domain bla.com
>>>>>>>>vpngroup road idle-time 1800
>>>>>>>>vpngroup road password ********
>>>>>>>>
>>>>>>>>Any hints?
>>>>>>>>
>>>>>>>>
>>>>>>>>Thanks,
>>>>>>>>
>>>>>>>>Alvaro
>>>>>>>>
>>>>>>>>_______________________________________________
>>>>>>>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>>>>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>
>


