[c-nsp] problems passing traffic once VPNed

Ivan Lopez ilopez02 at earthlink.net
Mon Mar 21 17:28:18 EST 2005


I tried everything you suggested, even changing the order on the
vpnacl, but the pix did not accept it and put it in the same order. I did
all you suggested and I also VPNed. What's weird is, once VPNed I can
telnet anywhere else.


thanks,
-Ivan

Josh Duffek wrote:

>Ivan,
>This might be a/the problem:
>access-list vpnacl permit ip 192.168.0.0 255.255.0.0 192.168.254.0 255.255.255.0
>
>I think it should be something like:
>
>access-list vpnacl permit ip 192.168.254.0 255.255.255.0 192.168.0.0 255.255.0.0
>
>Well...I believe the source network is what your VPN clients get from
>you...notice I flipped them...and the destination might need to change
>to exclude the 254 subnet...not sure though.
>
>...at the time of your capture it doesn't look like there was a tunnel
>built.  Did you VPN in?
>
>It has been awhile since I supported this stuff but I should be able to
>help you get it running.
>
>Thanks,
>
>josh duffek    network engineer
>consultantjd16 at ridemetro.org
>
>>-----Original Message-----
>>From: Ivan Lopez [mailto:ilopez02 at earthlink.net]
>>Sent: Monday, March 21, 2005 2:39 PM
>>To: Josh Duffek
>>Subject: Re: [c-nsp] problems passing traffic once VPNed
>>
>>Josh,
>>Thanks for your response, I followed your instructions in the same
>>order. I stripped down the running config on the firewall,  and down
>>below the results of the commands.  Just below the "pix-A" output I
>>included a short version of pix-B. Take a look and let me know.
>>
>>
>>thanks,
>>-Ivan
>>
>>Josh Duffek wrote:
>>
>>>If it was me I would want to see:
>>>Sh ver
>>>Sh run
>>>Debug cry engine
>>>Debug cry ipsec
>>>Debug cry isakmp
>>>(then vpn in)
>>>sh cry ipsec sa
>>>sh cry isakmp sa
>>>
>>>Ethereal probably won't help us here...sounds like the tunnels are
>>>misconfigured a little or just not getting built properly for some
>>>reason.
>>>
>>>Thanks,
>>>
>>>josh duffek    network engineer
>>>consultantjd16 at ridemetro.org
>>>
>>>>-----Original Message-----
>>>>From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>>>>bounces at puck.nether.net] On Behalf Of Ivan Lopez
>>>>Sent: Monday, March 21, 2005 1:50 PM
>>>>To: cisco-nsp at puck.nether.net
>>>>Subject: [c-nsp] problems passing traffic once VPNed
>>>>
>>>>I added isakmp nat-traversal, same results. Can both firewalls have
>>>>the same. When I analyze the statistics on my VPN client it
>>>>shows some packets going out but none inbound. Can Ethereal be useful
>>>>in troubleshooting this? I am constantly checking logs in the firewall
>>>>to see if something comes up. Any type of logging I should have set up
>>>>on the Firewall to capture this?
>>>>
>>>>
>>>>Any ideas?
>>>>
>>>>thanks,
>>>>-Ivan
>>>>
>>>>
>>>>Ivan
>>>>
>>>>You may want to try looking at
>>>>
>>>>	isakmp nat-traversal
>>>>
>>>>A quick search on cisco.com should give you enough information to
>>>>figure out if this is your problem and whether or not it is supported
>>>>on your PIX software version.
>>>>
>>>>Regards
>>>>
>>>>	Peter Walker
>>>>
>>>>--On 18 March 2005 20:01 -0500 Ivan Lopez <ilopez02 at earthlink.net>
>>>>wrote:
>>>>
>>>>> I am very new in VPNs, and I inherited 2 pix firewalls in
>>>>> different locations, location (pix)A and location (pix)B.
>>>>>
>>>>> I can VPN into them individually using Cisco VPN client from home
>>>>> using a simple broadband connection without any problems reaching
>>>>> the desired traffic. However, using the same VPN client when I do
>>>>> VPN from behind the pix in location A to (pix) location B, I can
>>>>> connect but then I cannot pass any traffic or get anywhere at all.
>>>>> Both PIXes have similar VPN related set ups. Anyone out there
>>>>> that has a clue of what I am missing, I would sure appreciate
>>>>> any suggestions.
>>>>>
>>>>>
>>>>> thanks
>>>>> _______________________________________________
>>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>>
>>>>_______________________________________________
>>>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>pix-A# sho ver
>>>
>>>Cisco PIX Firewall Version 6.3(4)
>>>Cisco PIX Device Manager Version 3.0(2)
>>>
>>>Compiled on Fri 02-Jul-04 00:07 by morlee
>>>
>>>sunshine-pix up 7 days 20 hours
>>>
>>>Hardware:   PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
>>>Flash E28F128J3 @ 0x300, 16MB
>>>BIOS Flash AM29F400B @ 0xfffd8000, 32KB
>>>
>>>0: ethernet0: address is 000e.8418.b4de, irq 10
>>>1: ethernet1: address is 000e.8418.b4df, irq 11
>>>2: ethernet2: address is 0002.b3d5.6eb0, irq 11
>>>Licensed Features:
>>>Failover:                    Disabled
>>>VPN-DES:                     Enabled
>>>VPN-3DES-AES:                Enabled
>>>Maximum Physical Interfaces: 3
>>>Maximum Interfaces:          5
>>>Cut-through Proxy:           Enabled
>>>Guards:                      Enabled
>>>URL-filtering:               Enabled
>>>Inside Hosts:                Unlimited
>>>Throughput:                  Unlimited
>>>IKE peers:                   Unlimited
>>>
>>sho run
>>: Saved
>>:
>>PIX Version 6.3(4)
>>interface ethernet0 10full
>>interface ethernet1 auto
>>interface ethernet2 auto
>>nameif ethernet0 outside security0
>>nameif ethernet1 inside security100
>>nameif ethernet2 intf2 security4
>>
>>
>>fixup protocol dns maximum-length 512
>>fixup protocol ftp 21
>>fixup protocol h323 h225 1720
>>fixup protocol h323 ras 1718-1719
>>fixup protocol http 80
>>fixup protocol pptp 47
>>fixup protocol pptp 1723
>>fixup protocol rsh 514
>>fixup protocol rtsp 554
>>fixup protocol sip 5060
>>fixup protocol sip 5190
>>fixup protocol sip 5298
>>fixup protocol sip 5678
>>fixup protocol sip udp 5060
>>fixup protocol skinny 2000
>>fixup protocol smtp 25
>>fixup protocol sqlnet 1521
>>fixup protocol tftp 69
>>names
>>access-list vpnacl permit ip 192.168.0.0 255.255.0.0 192.168.254.0 255.255.255.0
>>
>>access-list outside_coming_in permit esp any any
>>access-list outside_coming_in permit ah any any
>>access-list outside_coming_in permit gre any any
>>access-list outbound-filter permit tcp any any eq ftp
>>access-list outbound-filter permit tcp any any eq telnet
>>access-list outbound-filter permit tcp any any eq smtp
>>access-list outbound-filter permit tcp any any eq 47
>>access-list outbound-filter permit tcp any any eq domain
>>access-list outbound-filter permit tcp any any eq www
>>access-list outbound-filter permit tcp any any eq 88
>>access-list outbound-filter permit tcp any any eq pop3
>>access-list outbound-filter permit tcp any any eq 115
>>access-list outbound-filter permit tcp any any eq 123
>>access-list outbound-filter permit tcp any any eq imap4
>>access-list outbound-filter permit tcp any any eq 220
>>access-list outbound-filter permit tcp any any eq ldap
>>access-list outbound-filter permit tcp any any eq https
>>access-list outbound-filter permit tcp any any eq ldaps
>>access-list outbound-filter permit tcp any any eq pptp
>>access-list outbound-filter permit tcp any any eq 1863
>>access-list outbound-filter permit tcp any any eq 8080
>>access-list outbound-filter permit udp any any eq 47
>>access-list outbound-filter permit udp any any eq domain
>>access-list outbound-filter permit udp any any eq 88
>>access-list outbound-filter permit udp any any eq 110
>>access-list outbound-filter permit udp any any eq 115
>>access-list outbound-filter permit udp any any eq ntp
>>access-list outbound-filter permit udp any any eq 220
>>access-list outbound-filter permit udp any any eq 389
>>access-list outbound-filter permit udp any any eq 636
>>access-list outbound-filter permit udp any any eq 1863
>>access-list outbound-filter permit udp any any eq 8080
>>access-list outbound-filter permit tcp any any eq ssh
>>access-list outbound-filter permit tcp any any eq 5060
>>access-list outbound-filter permit tcp any any eq 587
>>access-list outbound-filter permit udp any any eq 587
>>access-list outbound-filter permit tcp any any eq 81
>>access-list outbound-filter permit udp any any eq 1723
>>access-list outbound-filter permit tcp any any eq 1492
>>access-list outbound-filter permit udp any any eq 1492
>>access-list outbound-filter permit tcp any any eq 8443
>>access-list outbound-filter permit udp any any eq 8443
>>access-list outbound-filter permit udp any any eq 2188
>>access-list outbound-filter permit udp any any eq 2189
>>access-list outbound-filter permit udp any any eq 2190
>>access-list outbound-filter permit udp any any eq 2192
>>access-list outbound-filter permit udp any any eq 2193
>>access-list outbound-filter permit udp any any eq 2194
>>access-list outbound-filter permit udp any any eq 2196
>>access-list outbound-filter permit tcp any any eq 2188
>>access-list outbound-filter permit tcp any any eq 2189
>>access-list outbound-filter permit tcp any any eq 2190
>>access-list outbound-filter permit tcp any any eq 2192
>>access-list outbound-filter permit tcp any any eq 2193
>>access-list outbound-filter permit tcp any any eq 2194
>>access-list outbound-filter permit tcp any any eq 2196
>>access-list outbound-filter permit tcp any any eq 993
>>access-list outbound-filter permit udp any any eq 993
>>access-list outbound-filter permit udp any any eq 1433
>>access-list outbound-filter permit tcp any any eq 1433
>>access-list outbound-filter permit tcp any any eq aol
>>access-list outbound-filter permit tcp any any eq 2047
>>access-list outbound-filter permit udp any any eq 2047
>>access-list outbound-filter permit tcp any any eq 2147
>>access-list outbound-filter permit udp any any eq 2147
>>access-list outbound-filter permit udp any any eq 5190
>>access-list outbound-filter permit udp any any eq 5297
>>access-list outbound-filter permit udp any any eq 5298
>>access-list outbound-filter permit tcp any any eq 5298
>>access-list outbound-filter permit udp any any eq 5353
>>access-list outbound-filter permit udp any any eq 5678
>>access-list outbound-filter permit udp any any range 16384 16403
>>
>>access-list outbound-filter permit tcp any any eq 6060
>>access-list outbound-filter permit udp any any eq 6667
>>access-list outbound-filter permit udp any any eq 5050
>>access-list outbound-filter permit tcp any any eq 5050
>>access-list outbound-filter permit tcp any any eq 6667
>>access-list outbound-filter permit udp any any eq 4500
>>access-list outbound-filter permit udp any any eq isakmp
>>access-list outbound-filter permit tcp any any eq 23100
>>access-list outbound-filter permit udp any any eq 23100
>>access-list outbound-filter permit udp any any eq 24100
>>access-list outbound-filter permit tcp any any eq 24100
>>access-list outbound-filter permit tcp any any eq 1869
>>access-list outbound-filter permit udp any any eq 1869
>>access-list outbound-filter permit tcp any any eq 5601
>>access-list outbound-filter permit udp any any eq 5601
>>access-list outbound-filter permit tcp any any eq 8180
>>access-list outbound-filter permit tcp any any eq 2401
>>access-list outbound-filter permit tcp any any eq 19638
>>access-list outbound-filter permit tcp any any eq 10099
>>access-list outbound-filter permit tcp any any eq 4899
>>access-list outbound-filter permit tcp any any eq 3899
>>access-list outbound-filter permit tcp any any eq 6061
>>access-list outbound-filter permit tcp any any eq 4125
>>access-list outbound-filter permit tcp any any eq citrix-ica
>>access-list outbound-filter permit tcp any any eq 995
>>access-list outbound-filter permit udp any any eq 995
>>access-list outbound-filter permit udp any any eq 465
>>access-list outbound-filter permit tcp any any eq 465
>>
>>access-list outbound-filter permit tcp any any eq ftp-data
>>access-list outbound-filter permit udp any any eq 20
>>access-list outbound-filter permit tcp any any eq 15443
>>access-list outbound-filter permit tcp any any eq 16443
>>access-list outbound-filter permit tcp any any eq 17443
>>access-list outbound-filter permit tcp any any eq 18443
>>access-list outbound-filter permit tcp host 192.168.5.10 any eq 5800
>>access-list outbound-filter permit tcp host 192.168.5.10 any eq 5900
>>access-list outbound-filter permit tcp any any eq 3389
>>access-list outbound-filter permit gre any any
>>access-list outbound-filter permit tcp any any eq 7001
>>access-list outbound-filter permit tcp any any eq 7002
>>access-list outbound-filter permit tcp any any eq 4000
>>access-list outbound-filter permit tcp any any eq 500
>>access-list outbound-filter permit esp any any
>>access-list outbound-filter permit ah any any
>>pager lines 24
>>logging on
>>logging timestamp
>>logging buffered warnings
>>icmp permit 192.168.4.32 255.255.255.248 inside
>>mtu outside 1500
>>mtu inside 1500
>>mtu intf2 1500
>>ip address outside 22.2.3.101 255.255.255.192
>>ip address inside 192.168.3.1 255.255.255.0
>>no ip address intf2
>>ip audit info action alarm
>>ip audit attack action alarm
>>ip local pool vpnpool 192.168.254.1-192.168.254.254
>>pdm history enable
>>arp timeout 14400
>>global (outside) 1 interface
>>nat (inside) 0 access-list vpnacl
>>nat (inside) 1 192.168.4.0 255.255.255.0 0 0
>>nat (inside) 1 192.168.5.0 255.255.255.0 0 0
>>nat (inside) 1 192.168.6.0 255.255.255.0 0 0
>>
>>access-group outside_coming_in in interface outside
>>access-group outbound-filter in interface inside
>>conduit permit udp 192.168.4.120 255.255.255.248 any range 1024 65000
>>conduit permit tcp 192.168.4.120 255.255.255.248 any range 1024 65000
>>route outside 0.0.0.0 0.0.0.0 22.2.3.100 1
>>route inside 192.168.4.0 255.255.255.0 192.168.3.2 1
>>route inside 192.168.5.0 255.255.255.0 192.168.3.2 1
>>route inside 192.168.6.0 255.255.255.0 192.168.3.2 1
>>
>>
>>
>>
>>
>>sysopt connection permit-ipsec
>>sysopt nodnsalias inbound
>>crypto ipsec transform-set myset esp-des esp-md5-hmac
>>crypto dynamic-map dynmap 10 set transform-set myset
>>crypto dynamic-map dynmap 20 set transform-set myset
>>crypto map mymap 20 ipsec-isakmp dynamic dynmap
>>crypto map mymap interface outside
>>isakmp enable outside
>>isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
>>isakmp identity address
>>isakmp nat-traversal 20
>>isakmp policy 20 authentication pre-share
>>isakmp policy 20 encryption des
>>isakmp policy 20 hash md5
>>isakmp policy 20 group 2
>>isakmp policy 20 lifetime 86400
>>isakmp policy 30 authentication pre-share
>>isakmp policy 30 encryption des
>>isakmp policy 30 hash md5
>>isakmp policy 30 group 1
>>isakmp policy 30 lifetime 86400
>>vpngroup "name" address-pool vpnpool
>>vpngroup "name" dns-server 209.73.205.60
>>vpngroup "name" split-tunnel vpnacl
>>vpngroup "name" idle-time 1800
>>vpngroup "name" password ********
>>
>>
>>
>>pix-A# sho crypto ipsec sa
>>
>>
>>interface: outside
>>    Crypto map tag: mymap, local addr. 22.2.3.101
>>
>>pix-A# sho crypto isakmp sa
>>Total     : 0
>>Embryonic : 0
>>        dst               src        state     pending     created
>>pix-A#
>>
>>PIX-B******************************************
>>
>>sysopt connection permit-ipsec
>>sysopt nodnsalias inbound
>>sysopt noproxyarp dmz
>>crypto ipsec transform-set myset esp-des esp-md5-hmac
>>crypto dynamic-map dynmap 10 set transform-set myset
>>crypto map mymap 20 ipsec-isakmp dynamic dynmap
>>crypto map mymap interface outside
>>isakmp enable outside
>>isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
>>isakmp identity address
>>isakmp policy 20 authentication pre-share
>>isakmp policy 20 encryption des
>>isakmp policy 20 hash md5
>>isakmp policy 20 group 2
>>isakmp policy 20 lifetime 86400
>>isakmp policy 30 authentication pre-share
>>isakmp policy 30 encryption des
>>isakmp policy 30 hash md5
>>isakmp policy 30 group 1
>>isakmp policy 30 lifetime 86400
>>vpngroup "name" address-pool vpnpool
>>vpngroup "name" dns-server 209.73.205.60
>>vpngroup "name" split-tunnel vpnacl
>>vpngroup "name" idle-time 1800
>>vpngroup "name" password ********
>>


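Two things in this thread can be checked mechanically against the configs as posted rather than argued about: which way round the `vpnacl` entry has to be written for `nat (inside) 0 access-list vpnacl` and `vpngroup "name" split-tunnel vpnacl` to match a client's traffic, and which VPN-related lines appear in the pix-A config but not in the pix-B excerpt. The script below is an added example, not code from the thread, from either poster, or from Cisco. It embeds the relevant lines copied from the two posted configs as constructed sample input (pix-B was only posted as a "short version", so a line absent from that excerpt may simply have been left out of the mail). It evaluates the NAT-exemption ACL the way the PIX does, with the inside host as source and the VPN client's pool address as destination, for the entry as posted and for the flipped entry proposed in the reply; it lists the networks the split-tunnel ACL pushes to the client (the source side of its permit entries); and it reports whether `isakmp nat-traversal` is present in each excerpt. The inside host 192.168.3.1 is pix-A's own inside address from the config; 192.168.254.10 and 192.168.4.50 are assumed addresses for a client from the pool and for a host on pix-A's 192.168.4.0/24 LAN.

```python
import ipaddress
import re

# Constructed sample input: the VPN-relevant lines as posted for pix-A in the thread.
PIX_A = """\
access-list vpnacl permit ip 192.168.0.0 255.255.0.0 192.168.254.0 255.255.255.0
ip address inside 192.168.3.1 255.255.255.0
ip local pool vpnpool 192.168.254.1-192.168.254.254
nat (inside) 0 access-list vpnacl
isakmp enable outside
isakmp nat-traversal 20
vpngroup "name" address-pool vpnpool
vpngroup "name" split-tunnel vpnacl
"""

# Constructed sample input: the "short version" of pix-B as posted. No access-list,
# pool or nat-traversal line appears in that excerpt, which may just be the excerpt.
PIX_B = """\
crypto map mymap 20 ipsec-isakmp dynamic dynmap
isakmp enable outside
vpngroup "name" address-pool vpnpool
vpngroup "name" split-tunnel vpnacl
"""

# The flipped entry proposed in the reply, substituted for the posted one.
FLIPPED_LINE = ("access-list vpnacl permit ip "
                "192.168.254.0 255.255.255.0 192.168.0.0 255.255.0.0")
PIX_A_FLIPPED = PIX_A.replace(PIX_A.splitlines()[0], FLIPPED_LINE)


def _parse_addr(toks):
    """Consume one PIX 6.x address spec from toks: 'any', 'host A' or 'A MASK'."""
    t = toks.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{toks.pop(0)}", strict=False)


def parse_acls(config):
    """Return {name: [(action, src_net, dst_net), ...]} for the plain 'ip' entries;
    those are the entries that matter for nat 0 and split-tunnel ACLs."""
    acls = {}
    for line in config.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list" or toks[3] != "ip":
            continue
        name, action, rest = toks[1], toks[2], toks[4:]
        acls.setdefault(name, []).append((action, _parse_addr(rest), _parse_addr(rest)))
    return acls


def acl_permits(entries, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action == "permit"
    return False


def nat_exempt(config, inside_host, vpn_client):
    """'nat (inside) 0 access-list NAME' is matched on traffic arriving from the
    inside, so the ACL is evaluated with the inside host as source and the VPN
    client's pool address as destination."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not m:
        return False
    return acl_permits(parse_acls(config).get(m.group(1), []), inside_host, vpn_client)


def split_tunnel_networks(config):
    """Networks pushed to the client as tunnelled: the source side of each
    permit entry in the ACL named by 'vpngroup ... split-tunnel'."""
    m = re.search(r'^vpngroup \S+ split-tunnel (\S+)', config, re.M)
    if not m:
        return []
    return [snet for action, snet, _ in parse_acls(config).get(m.group(1), [])
            if action == "permit"]


def address_is_tunnelled(config, ip):
    """True if the client would send traffic for ip into the tunnel."""
    a = ipaddress.ip_address(ip)
    return any(a in net for net in split_tunnel_networks(config))


def has_nat_traversal(config):
    return re.search(r"^isakmp nat-traversal", config, re.M) is not None


if __name__ == "__main__":
    flow = ("192.168.3.1", "192.168.254.10")   # inside host -> VPN client (assumed)
    print("nat 0 exempt, ACL as posted :", nat_exempt(PIX_A, *flow))
    print("nat 0 exempt, ACL flipped   :", nat_exempt(PIX_A_FLIPPED, *flow))
    print("split-tunnel nets (pix-A)   :", [str(n) for n in split_tunnel_networks(PIX_A)])
    print("192.168.4.50 tunnelled      :", address_is_tunnelled(PIX_A, "192.168.4.50"))
    print("nat-traversal pix-A / pix-B :", has_nat_traversal(PIX_A), has_nat_traversal(PIX_B))
```

Run against the posted lines, the entry as Ivan has it exempts the inside-to-client flow and the flipped entry does not, which is the mechanical answer to the ordering question. The split-tunnel list shows that 192.168.0.0/16 is pushed whole, so a client connecting from behind pix-A would be told that its own LAN (192.168.4.0/24 through 192.168.6.0/24 in the routes) lies on the far side of the tunnel; whether that is the cause of the symptom is something to confirm with the `debug crypto` output the reply asked for, not something the script can decide.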


More information about the cisco-nsp mailing list