Cisco Systems Cisco 515 VPN Traffic can not ping internal hosts

Posted by cpritcha on May 17, 2006, 1:33 pm
I am trying to get clients running Cisco VPN software to connect to my
internal network. Currently the clients can connect and authenticate OK
but can't see anything on the inside network.

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Gn7cdoayw6QM/xoG encrypted
passwd Gn7cdoayw6QM/xoG encrypted
hostname PIX515e
domain-name rockeagle
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 168.24.225.12 Relabserver
name 168.24.225.19 Steve
name 168.24.225.21 Tina
name 168.24.225.20 Tandberg
name 168.24.224.0 Rockeagle
name 168.24.225.11 Userfiles
name 168.24.225.18 Cory
access-list outside_access_in remark FTP access to Userfiles
access-list outside_access_in permit tcp any host Userfiles eq ftp
access-list outside_access_in remark Full TCP access to Tandberg
access-list outside_access_in permit tcp any host Tandberg
access-list outside_access_in remark Full TCP access to Tandberg for h323
access-list outside_access_in permit tcp any host Tandberg eq h323
access-list outside_access_in remark Full UDP access to Tandberg
access-list outside_access_in remark
access-list outside_access_in permit udp any host Tandberg
access-list outside_access_in remark Full http access to Userfiles
access-list outside_access_in permit tcp any host Userfiles eq www
access-list outside_access_in remark Full ftp access to Relabserver
access-list outside_access_in permit tcp any host Relabserver eq ftp
access-list outside_access_in remark WWW access to Relabserver
access-list outside_access_in remark
access-list outside_access_in permit tcp any host Relabserver eq www
access-list outside_access_in remark Allow tcp traffic to Tandberg for range 5555 to 5599
access-list outside_access_in remark
access-list outside_access_in permit tcp any host Tandberg range 5555 5599
access-list outside_access_in remark Allow tcp traffic to Tandberg for range 3230 to 3235
access-list outside_access_in remark
access-list outside_access_in permit tcp any host Tandberg range 3230 3235
access-list outside_access_in remark Allow udp traffic to Tandberg for range 2325 to 2387
access-list outside_access_in remark
access-list outside_access_in permit udp any host Tandberg range 2325 2387
access-list outside_access_in remark Allow udp traffic to Tandberg for range 3220 to 3247
access-list outside_access_in remark
access-list outside_access_in permit udp any host Tandberg range 3220 3247
access-list outside_access_in remark FTP access to Tina
access-list outside_access_in permit tcp any host Tina eq ftp
access-list outside_access_in remark PPTP for VPN to RELABSERVER
access-list outside_access_in permit tcp any host Relabserver eq pptp
access-list outside_access_in remark GRE for VPN on RELABSERVER
access-list outside_access_in permit tcp any host Relabserver eq 47
access-list outside_access_in remark PCAnywhere access to Userfiles
access-list outside_access_in permit tcp any host Userfiles eq pcanywhere-data
access-list outside_access_in permit esp any any
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp any eq pptp host Relabserver
access-list inside_outbound_nat0_acl permit ip any 168.24.224.240 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 168.24.224.240 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 168.24.192.141 255.255.255.248
ip address inside 168.24.224.1 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN Cory
ip local pool Steve Steve
ip local pool VPNAdd 168.24.224.245-168.24.224.249
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 168.24.192.142
failover ip address inside 168.24.224.2
pdm location Rockeagle 255.255.254.0 inside
pdm location Userfiles 255.255.255.255 inside
pdm location Relabserver 255.255.255.255 inside
pdm location Cory 255.255.255.255 inside
pdm location Steve 255.255.255.255 inside
pdm location Tina 255.255.255.255 inside
pdm location 168.24.225.0 255.255.255.0 inside
pdm location Tandberg 255.255.255.255 inside
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 72.152.146.187 255.255.255.255 outside
pdm location 128.192.83.0 255.255.255.0 outside
pdm location 168.24.224.240 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,outside) Relabserver Relabserver netmask 255.255.255.255 0 0
static (inside,outside) Rockeagle Rockeagle netmask 255.255.254.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 168.24.192.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 132.163.4.101 source outside
http server enable
http 72.152.146.187 255.255.255.255 outside
http 128.192.83.0 255.255.255.0 outside
http Rockeagle 255.255.254.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community rockeagle
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup state address-pool VPNAdd
vpngroup state dns-server Userfiles 128.192.110.221
vpngroup state wins-server Userfiles 128.192.1.31
vpngroup state default-domain rockeagle
vpngroup state idle-time 1800
vpngroup state password ********
telnet 72.152.146.186 255.255.255.255 outside
telnet Rockeagle 255.255.254.0 inside
telnet timeout 5
ssh 72.152.146.186 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
vpdn username a password *********
vpdn username b password *********
vpdn enable outside
dhcprelay server Userfiles inside
dhcprelay enable outside
terminal width 80
Cryptochecksum:1e38b95a71ebb4117009e37fdb1495e8
: end


Posted by Walter Roberson on May 17, 2006, 2:10 pm
>I am trying to get clients running Cisco VPN software to connect to my
>internal network. Currently the clients can connect and authenticate OK
>but can't see anything on the inside network.

>PIX Version 6.3(1)

You should upgrade, there are known security problems in 6.3(1),
6.3(3), and 6.3(5). You can get a free upgrade at least as far as
6.3(4) even if you do not have a support contract.

>access-list outside_access_in remark FTP access to Userfiles

For the purpose of debugging this problem, we can ignore that ACL
since you have sysopt connection permit-ipsec in effect.

>access-list inside_outbound_nat0_acl permit ip any 168.24.224.240 255.255.255.240
>access-list outside_cryptomap_dyn_20 permit ip any 168.24.224.240 255.255.255.240

Okay, those are appropriate for the case where the VPN clients will
have IPs in the range 168.24.224.240 -> .255

>ip address outside 168.24.192.141 255.255.255.248
>ip address inside 168.24.224.1 255.255.254.0

And there we hit the problem. In order for your nat0 and dyn_20 to work,
your VPN clients have to have IPs in the 168.24.224 range, but that's
the same range you have for your inside IPs. That isn't going to work:
when the outgoing packets for those clients hit the inside interface,
the PIX would see that they are destined to part of the inside interface
IP range and would drop the packets.

>ip local pool VPN Cory
>ip local pool Steve Steve

You do not use those two pools.

>ip local pool VPNAdd 168.24.224.245-168.24.224.249

>nat (inside) 0 access-list inside_outbound_nat0_acl

>route outside 0.0.0.0 0.0.0.0 168.24.192.137 1

>sysopt connection permit-ipsec
>sysopt connection permit-pptp
>sysopt connection permit-l2tp

You do not have pptp or l2tp defined, so you might as well get rid of the
latter two of those.

>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

It is unusual these days to use 3DES with MD5: there are known
collision attacks on MD5 that reduce its theoretical security.

>crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
>crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
>crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
>crypto map outside_map interface outside
>isakmp enable outside
>isakmp policy 20 authentication pre-share
>isakmp policy 20 encryption 3des
>isakmp policy 20 hash md5
>isakmp policy 20 group 2
>isakmp policy 20 lifetime 86400

As per above, 3DES + MD5 is unusual these days. If you are at 6.3(1)
and you can use 3DES, your license also allows you to use AES
(note: use group 5 for AES). You could put AES-128/SHA and 3DES/SHA
as higher priority (lower policy numbers) than your 3DES/MD5, and
thereby get the increased security for systems that support it while
not affecting connections to any devices that don't support those two.


>vpngroup state address-pool VPNAdd

As discussed above, your VPN address pool must not be part of the
same IP range as your inside interface. Use one of the private IP ranges.

>vpngroup state dns-server Userfiles 128.192.110.221
>vpngroup state wins-server Userfiles 128.192.1.31
>vpngroup state default-domain rockeagle

You designate an external dns server, but your default domain is
"rockeagle" instead of a qualified domain name. Will the external dns
server know how to resolve "rockeagle" as a top-level domain?

>management-access inside

That can complicate matters: in order to use management-access
properly, you need a distinct tunnel with a different transport mode.
I don't know if the VPN client is able to negotiate those tunnels
automatically.
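
The diagnosis above comes down to three checks a reader can make mechanically on any PIX 6.x configuration: does the address pool named by `vpngroup ... address-pool` fall inside the subnet of the inside interface, do the nat0 and crypto-map ACLs actually cover every pool address, and does any isakmp policy still hash with MD5. The following Python script is an added example, not something posted in this thread; it parses a constructed excerpt of the configuration quoted above, reports those findings, and then re-checks a corrected excerpt. The corrected pool (192.168.100.1-192.168.100.5) is an assumed placeholder from private address space, chosen only so that it does not overlap 168.24.224.0/23; any real replacement must also avoid every other subnet routed via the inside interface.

```python
"""Lint a PIX 6.x config excerpt for the VPN-pool problems discussed in this thread."""
import ipaddress

# Constructed excerpt: the lines from the posted config that matter for the diagnosis.
PIX_CONFIG = """\
name 168.24.225.18 Cory
name 168.24.224.0 Rockeagle
access-list inside_outbound_nat0_acl permit ip any 168.24.224.240 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 168.24.224.240 255.255.255.240
ip address outside 168.24.192.141 255.255.255.248
ip address inside 168.24.224.1 255.255.254.0
ip local pool VPN Cory
ip local pool VPNAdd 168.24.224.245-168.24.224.249
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
vpngroup state address-pool VPNAdd
"""

# Constructed corrected excerpt: pool moved to an assumed private range (placeholder),
# nat0 and crypto ACLs changed to match it, unused pool dropped, SHA instead of MD5.
FIXED_CONFIG = """\
name 168.24.224.0 Rockeagle
access-list inside_outbound_nat0_acl permit ip any 192.168.100.0 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.100.0 255.255.255.240
ip address outside 168.24.192.141 255.255.255.248
ip address inside 168.24.224.1 255.255.254.0
ip local pool VPNAdd 192.168.100.1-192.168.100.5
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
isakmp policy 20 hash sha
vpngroup state address-pool VPNAdd
"""


def parse(config):
    """Extract names, interfaces, pools, 'permit ip' ACL destinations and VPN settings."""
    names, ifaces, pools, acls = {}, {}, {}, {}
    nat0, crypto_acls, hashes, vpn_pool = None, [], [], None
    resolve = lambda tok: names.get(tok, tok)  # PIX 'name' aliases -> dotted address
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[:2] == ["ip", "address"]:
            ifaces[t[2]] = ipaddress.ip_interface(f"{resolve(t[3])}/{t[4]}")
        elif t[:3] == ["ip", "local", "pool"]:
            lo, _, hi = t[4].partition("-")  # single-address pools have no '-'
            lo = ipaddress.ip_address(resolve(lo))
            hi = ipaddress.ip_address(resolve(hi)) if hi else lo
            pools[t[3]] = (lo, hi)
        elif t[0] == "access-list" and len(t) >= 7 and t[2:4] == ["permit", "ip"] and t[-1] != "any":
            # Only the 'permit ip <src> <dst> <mask>' shape used by nat0/crypto ACLs is handled.
            acls.setdefault(t[1], []).append(
                ipaddress.ip_network(f"{resolve(t[-2])}/{t[-1]}", strict=False))
        elif t[:2] == ["nat", "(inside)"] and t[2] == "0":
            nat0 = t[4]
        elif t[0] == "crypto" and "match" in t:
            crypto_acls.append(t[-1])
        elif t[0] == "isakmp" and len(t) >= 5 and t[3] == "hash":
            hashes.append(t[4])
        elif t[0] == "vpngroup" and t[2] == "address-pool":
            vpn_pool = t[3]
    return dict(ifaces=ifaces, pools=pools, acls=acls, nat0=nat0,
                crypto_acls=crypto_acls, hashes=hashes, vpn_pool=vpn_pool)


def lint(config):
    """Return a list of human-readable findings; an empty list means no problem found."""
    cfg = parse(config)
    findings = []
    pool_name = cfg["vpn_pool"]
    if pool_name is None or pool_name not in cfg["pools"]:
        return ["vpngroup address-pool missing or refers to an undefined pool"]
    lo, hi = cfg["pools"][pool_name]
    addrs = [ipaddress.ip_address(a) for a in range(int(lo), int(hi) + 1)]
    inside = cfg["ifaces"].get("inside")
    # 1. Pool must not sit inside the subnet of the inside interface.
    if inside and any(a in inside.network for a in addrs):
        findings.append(f"pool {pool_name} ({lo}-{hi}) overlaps inside subnet {inside.network}")
    # 2. nat0 ACL and every crypto-map ACL must cover every pool address.
    checks = [("nat0", cfg["nat0"])] + [("crypto", n) for n in cfg["crypto_acls"]]
    for label, acl_name in checks:
        nets = cfg["acls"].get(acl_name, [])
        missing = [str(a) for a in addrs if not any(a in n for n in nets)]
        if missing:
            findings.append(f"{label} ACL {acl_name} does not cover pool addresses {missing}")
    # 3. MD5 in an isakmp policy is the weak choice the reply above warns about.
    findings.extend("isakmp policy uses md5; prefer sha" for h in cfg["hashes"] if h == "md5")
    # 4. Pools defined but never referenced are dead configuration.
    findings.extend(f"pool {n} defined but not used by any vpngroup"
                    for n in cfg["pools"] if n != pool_name)
    return findings


if __name__ == "__main__":
    for title, cfg in (("posted config", PIX_CONFIG), ("corrected config", FIXED_CONFIG)):
        print(f"== {title} ==")
        for f in lint(cfg) or ["no findings"]:
            print(" -", f)
```

Run against the posted excerpt it reports the overlap, the MD5 hash and the unused pool; against the corrected excerpt it reports nothing. The ACL parser deliberately handles only the `permit ip <src> <dst> <mask>` form, which is all the nat0 and crypto-map ACLs here use; host-based rules such as those in `outside_access_in` are skipped rather than guessed at.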

Posted by on May 17, 2006, 3:40 pm
Thanks for the info. I don't know very much about PIX firewalls and
don't have a budget to hire a Cisco expert. What commands would you
suggest to fix my problems?

