Cisco PIX 501 - VPNC connections blocked from internal lan to external end-point

Hi,

Support question here.

I have a Cisco PIX 501 that won't let a VPNC connection past. It will allow the client to authenticate with an end-point, but won't actually pass the packets. I know this is the problem point, because I swapped the PIX out with an off-the-shelf Asus router and it worked without a hitch.

Below are the version, configuration and the client VPNC configuration. I wonder if someone would kindly run their eyes over it and point out some VPN-related mistakes:

SH VERSION

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Thu 04-Aug-05 21:40 by morlee

pixie up 2 mins 35 secs

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000e.847c.7e6d, irq 9
1: ethernet1: address is 000e.847c.7e6e, irq 10

Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                50
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license.

SH RUNNING

# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password REMOVED encrypted
passwd REMOVED encrypted
hostname REMOVED
domain-name REMOVED.co.uk
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out2in deny ip 192.168.0.0 255.255.0.0 any
access-list out2in deny ip 172.16.0.0 255.240.0.0 any
access-list out2in deny ip 10.0.0.0 255.0.0.0 any
access-list out2in deny ip 127.0.0.0 255.0.0.0 any
access-list out2in permit icmp any any echo-reply
access-list out2in permit icmp any any unreachable
access-list out2in permit icmp any any time-exceeded
pager lines 24
logging on
logging timestamp
logging console emergencies
logging monitor debugging
logging buffered debugging
logging history debugging
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.90.90.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name attack_policy attack action alarm drop reset
ip audit name info_policy info action alarm
ip audit interface outside info_policy
ip audit interface outside attack_policy
ip audit info action alarm
ip audit attack action alarm drop
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.90.90.0 255.255.255.0 0 0
access-group out2in in interface outside
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 217.127.2.161 source outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment chain 1 outside
telnet timeout 60
ssh 10.90.90.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.90.90.100-10.90.90.200 inside
dhcpd dns 10.90.80.1 4.2.2.3
dhcpd lease 28800
dhcpd ping_timeout 750
dhcpd domain blah.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

VPNC CLIENT PROFILE

# cat /etc/vpnc/tt.conf
IPSec gateway 62.12.12.12      # changed for obvious reasons
IPSec ID VTL-VPN
IPSec secret yadayadayada      # changed for obvious reasons
IKE Authmode psk
Xauth username b-jones         # changed for obvious reasons
#Xauth password
Domain ourad                   # changed for obvious reasons

Reply to
ziikell101

Here are the logs on the PIX during the session set-up and an ICMP ping to a known router on the other side of the VPN:

### VPNC sets up the connection : vpnc --dpd-idle 0 tt

302015: Built outbound UDP connection 40 for outside:62.12.12.12/500 (62.58.16.86/500) to inside:10.90.90.100/500 (10.90.80.105/3)
710005: UDP request discarded from 62.12.12.12/500 to outside:10.90.80.105/2

### PINGs are sent, and lost

305006: portmap translation creation failed for protocol 50 src inside:10.90.90.100 dst outside:62.12.12.12
305006: portmap translation creation failed for protocol 50 src inside:10.90.90.100 dst outside:62.12.12.12
305006: portmap translation creation failed for protocol 50 src inside:10.90.90.100 dst outside:62.12.12.12
305006: portmap translation creation failed for protocol 50 src inside:10.90.90.100 dst outside:62.12.12.12
Reply to
ziikell101

It looks like the PIX is blocking ESP (IP protocol 50), which is generally required in order for IPSec to work properly. You probably need to enable NAT traversal on your IPSec client so that it can encapsulate the traffic in TCP or UDP and help it work correctly with NAT.

Reply to
Scott Lowe

Thank you very much - the problem is solved.

Added *fixup protocol esp-ike* to the config,

Added *NAT Traversal Mode cisco-udp* to the VPNC config file.

All is well.

Reply to
ziikell101
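The three PIX syslog IDs in the thread (302015, 710005 and 305006) tell the whole story on their own: the inside host's IKE traffic went through interface PAT (global (outside) 1 interface) and had its UDP/500 source port rewritten, and the ESP that followed could not get a PAT entry at all because ESP (IP protocol 50) carries no layer-4 port for the PIX to overload on. The script below, added here as an example and not code from the thread, from Cisco or from the vpnc project, parses those log lines into findings and then checks a PIX running-config and a vpnc profile for the two fixes the thread applied. The log text is adapted from the post above (the unsanitised mapped address in the 302015 line has been replaced by the same placeholder peer address), and the PIX and vpnc fragments are constructed to mirror the before/after state the thread describes; the regexes, function names and finding identifiers are this example's own.

```python
"""PIX 6.3 'ESP through PAT' triage.

Added example for this thread, not code from the thread, from Cisco or from
vpnc. LOG is adapted from the post above; the PIX and vpnc fragments are
constructed to mirror the before/after state described in the thread.
"""
import re

# --- constructed sample input ----------------------------------------------
LOG = """\
302015: Built outbound UDP connection 40 for outside:62.12.12.12/500 (62.12.12.12/500) to inside:10.90.90.100/500 (10.90.80.105/3)
710005: UDP request discarded from 62.12.12.12/500 to outside:10.90.80.105/2
305006: portmap translation creation failed for protocol 50 src inside:10.90.90.100 dst outside:62.12.12.12
305006: portmap translation creation failed for protocol 50 src inside:10.90.90.100 dst outside:62.12.12.12
"""
PIX_BEFORE = """\
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
global (outside) 1 interface
nat (inside) 1 10.90.90.0 255.255.255.0 0 0
"""
PIX_AFTER = PIX_BEFORE + "fixup protocol esp-ike\n"   # the PIX-side fix from the thread
VPNC_BEFORE = """\
IPSec gateway 62.12.12.12
IPSec ID VTL-VPN
IPSec secret yadayadayada
IKE Authmode psk
Xauth username b-jones
"""
VPNC_AFTER = VPNC_BEFORE + "NAT Traversal Mode cisco-udp\n"  # the client-side fix

# --- PIX 6.3 syslog patterns (only the three message IDs seen in the thread) --
RE_BUILT = re.compile(
    r"302015: Built outbound UDP connection \d+ for "
    r"outside:(?P<peer>[\d.]+)/(?P<pport>\d+) \([\d.]+/\d+\) to "
    r"inside:(?P<host>[\d.]+)/(?P<hport>\d+) \((?P<xip>[\d.]+)/(?P<xport>\d+)\)")
RE_DISCARD = re.compile(
    r"710005: UDP request discarded from (?P<peer>[\d.]+)/(?P<pport>\d+) "
    r"to outside:(?P<xip>[\d.]+)/(?P<xport>\d+)")
RE_PORTMAP = re.compile(
    r"305006: portmap translation creation failed for protocol (?P<proto>\d+) "
    r"src inside:(?P<host>[\d.]+) dst outside:(?P<peer>[\d.]+)")
PATTERNS = (("built", RE_BUILT), ("discard", RE_DISCARD), ("portmap_fail", RE_PORTMAP))


def parse_events(log_text):
    """Turn raw PIX syslog lines into dicts; lines with other message IDs are skipped."""
    events = []
    for line in log_text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events


def diagnose(log_text):
    """Return an ordered list of (finding_id, explanation) derived from the log."""
    events = parse_events(log_text)
    findings = []
    live_xlates = set()          # (mapped ip, mapped port) pairs the PIX reported building
    for e in events:
        if e["kind"] == "built":
            live_xlates.add((e["xip"], e["xport"]))
            if e["hport"] == "500" and e["xport"] != "500":
                findings.append(("ike-port-rewritten",
                    f"IKE from {e['host']}/500 left as {e['xip']}/{e['xport']}: "
                    "interface PAT rewrote the IKE source port"))
        elif e["kind"] == "discard" and (e["xip"], e["xport"]) not in live_xlates:
            findings.append(("ike-reply-no-xlate",
                f"peer {e['peer']} replied to {e['xip']}/{e['xport']}, which has "
                "no live translation, so the PIX dropped it"))
    esp = [e for e in events if e["kind"] == "portmap_fail" and e["proto"] == "50"]
    if esp:
        findings.append(("esp-through-pat",
            f"{len(esp)} ESP packet(s) from {esp[0]['host']} to {esp[0]['peer']} got no "
            "PAT entry: ESP has no L4 port to overload on, so interface PAT cannot carry it"))
    return findings


def check_pix_fix(pix_config):
    """Report whether the esp-ike fixup is present and whether ISAKMP is enabled on the PIX."""
    return {
        "esp_ike_fixup": re.search(r"^\s*fixup protocol esp-ike\s*$", pix_config, re.M) is not None,
        "isakmp_enabled": re.search(r"^\s*isakmp enable \S+", pix_config, re.M) is not None,
    }


# vpnc modes that wrap ESP in UDP so it can traverse PAT ("none" does not).
VPNC_UDP_MODES = {"natt", "force-natt", "cisco-udp"}


def check_vpnc_fix(vpnc_conf):
    """Return (configured NAT Traversal Mode or None, whether that mode encapsulates ESP in UDP)."""
    m = re.search(r"^\s*NAT Traversal Mode\s+(\S+)", vpnc_conf, re.M)
    mode = m.group(1) if m else None
    return mode, mode in VPNC_UDP_MODES


if __name__ == "__main__":
    for fid, why in diagnose(LOG):
        print(f"[{fid}] {why}")
    print("PIX  before:", check_pix_fix(PIX_BEFORE), " after:", check_pix_fix(PIX_AFTER))
    print("vpnc before:", check_vpnc_fix(VPNC_BEFORE), " after:", check_vpnc_fix(VPNC_AFTER))
```

Two points a practitioner should take from the output. First, the rewritten IKE port (500 becoming 3) is normal PIX PAT behaviour, which keeps source ports below 512 in the 1-511 range, so the client and gateway disagree about the IKE port even before ESP fails; the 710005 discard is a reply to a mapped port the PIX no longer has a translation for. Second, the two fixes from the thread are alternatives, not a pair that both must be present: `fixup protocol esp-ike` on PIX 6.3 lets ESP through PAT for a single tunnel at a time and cannot be enabled while `isakmp enable` is configured on the PIX itself (which is why the checker reports both), whereas a UDP-encapsulating NAT Traversal Mode on the client (`cisco-udp` here, UDP/10000, or `natt` on UDP/4500 where the gateway supports RFC 3947) makes the PIX see ordinary UDP and scales to multiple clients. When the profile has no `NAT Traversal Mode` line the checker returns `None` rather than assuming a default, because the default differs between vpnc versions. Note also that the PIX's own outside address in the log (10.90.80.105) is itself RFC 1918 space, so there is a second NAT upstream that the client has to traverse as well.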

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.