[Edit] VPN pix 506 to 501 ...

Hi,

I have a VPN between 2 PIXes, one 506 and one 501.

My problem is that the VPN goes down, but we see the VPN is still up ...

If I do a "sh crypto isakmp sa", we can see that 1 tunnel was created, but I can't ping the other side. If I do a "ping inside 192.168.x.x", the connection goes up ...

The configuration seems good.

Does someone have an idea to resolve the problem?

Thanks a lot,

Fwed

-------crypto 506 conf-------------
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set pfs group5
crypto map outside_map 30 set peer 2xx.xxx.xxx.xxx
crypto map outside_map 30 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 2xx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400

-------crypto 506 conf-------------

-------crypto 501 conf-------------
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer 1xx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1xx.xxx.xxx.xxx netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400

-------crypto 501 conf-------------

Reply to
Fwed

Do all users lose visibility of the other side, or just some users? If just some, then what user licence do you have on the 501? i.e. 10 users? Could it be that you have more users on the PIX 501 side than the licence allows?

If not, then could you post all of your configs, including NAT, access-lists, etc.

Regards,

Nick Ersdown


Reply to
Nick Ersdown

Nick Ersdown wrote:

I have 5 users behind the PIX 501, so it's OK :)

The configuration has changed and is not very clean now (I quickly configured a VPN for the Cisco client and changed "isakmp policy 20 group 5" to "isakmp policy 20 group 2" on the 501).

1.1.1.1 & 2.2.2.2 & 1.1.1.2 are, in fact, public addresses.

------------Pix 501------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************ encrypted
passwd ************* encrypted
hostname PIX-VPN
domain-name ********.fr
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.0 lan01
name 192.168.0.0 lan02
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 lan02 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 lan01 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 lan02 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 lan01 255.255.255.0
access-list fwoutside permit icmp any any
access-list fwoutside deny ip any any log
access-list fwinside permit ip 192.168.5.0 255.255.255.0 lan01 255.255.255.0
access-list fwinside permit ip 192.168.5.0 255.255.255.0 lan02 255.255.255.0
access-list fwinside permit udp any any eq bootpc
access-list fwinside permit udp 192.168.5.0 255.255.255.0 any eq domain
access-list fwinside permit tcp 192.168.5.0 255.255.255.0 any eq www
access-list fwinside permit tcp 192.168.5.0 255.255.255.0 any eq ftp
access-list fwinside permit tcp 192.168.5.0 255.255.255.0 any eq ftp-data
access-list fwinside permit tcp 192.168.5.0 255.255.255.0 any eq https
access-list fwinside permit icmp any any
access-list fwinside permit tcp 192.168.5.0 255.255.255.0 any eq ssh
access-list fwinside deny ip any any log
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.5.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name IDS-INFO info action alarm
ip audit name IDS-ATTACK attack action alarm drop reset
ip audit interface outside IDS-INFO
ip audit interface outside IDS-ATTACK
ip audit interface inside IDS-INFO
ip audit interface inside IDS-ATTACK
ip audit info action alarm
ip audit attack action alarm
ip local pool test 172.16.1.1-172.16.1.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group fwoutside in interface outside
access-group fwinside in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 60 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup address-pool idle-time 1800
vpngroup nomade address-pool test
vpngroup nomade idle-time 1800
vpngroup nomade password ********
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname **********
vpdn group pppoe_group ppp authentication pap
vpdn username fti/rchzgxt password *********
dhcpd address 192.168.5.15-192.168.5.14 inside
dhcpd dns 194.2.0.20
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username admin password *********** encrypted privilege 15
terminal width 80

--------pix506-------------
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********** encrypted
passwd ************ encrypted
hostname PIX-VPN
domain-name **********.fr
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.5.0 lan
access-list outside_cryptomap_30 permit ip 192.168.0.0 255.255.255.0 lan 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.2.0 255.255.255.0 lan 255.255.255.0
access-list fwoutside permit icmp any any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 lan 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 lan 255.255.255.0
access-list fwinside permit ip any any
pager lines 24
logging console debugging
logging monitor debugging
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.2.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group fwoutside in interface outside
access-group fwinside in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route inside 192.168.0.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set pfs group5
crypto map outside_map 30 set peer 2.2.2.2
crypto map outside_map 30 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
username admin password ********* encrypted privilege 15
terminal width 80
Reply to
Fwed

:The configuration has changed and is not very clean now

I do not see the problem at the moment, and it puzzles me that a ping to -inside- would do anything. I'd want to see some of the log entries and the results of 'debug crypto isakmp 2' and 'debug crypto ipsec 2'.

In the meantime, I happen to notice a couple of small problems with your configurations:

:------------Pix 501------------
:PIX Version 6.3(5)

:access-list fwoutside permit icmp any any

You should not permit -all- icmp, because people *will* attack you with unsolicited icmp network-redirects, in an attempt to get connections to (e.g.) banks to be redirected to their site that has been made up to look just like the bank's...

You do not need this "for debugging" as it is not going to affect any traffic in the tunnel: you have sysopt connection permit-ipsec which tells the PIX to ignore the interface ACLs for tunnel traffic.

:access-list fwoutside deny ip any any log

Deny is the default, and a log statement would be generated anyhow, unless you had turned that off with 'logging message'... which you didn't.

:access-list fwinside deny ip any any log

Again, deny is the default and a log statement would be generated anyhow.

:logging on
:logging monitor debugging
:logging buffered debugging

When you are trying to debug a PIX, I recommend that you use 'logging trap debugging' and also use 'logging host IP' to send a copy of the log messages to a syslog daemon for recording to a file.

:ip address outside pppoe setroute
:ip address inside 192.168.5.254 255.255.255.0

:management-access inside

Ah, that's probably why pinging to the -inside- brought up a tunnel.

:--------pix506-------------
:PIX Version 6.3(3)

Upgrade to 6.3(4) or 6.3(5) is recommended, for a security fix.

:access-list fwoutside permit icmp any any

See above about icmp any.

:crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
:crypto map outside_map 30 ipsec-isakmp
:crypto map outside_map 30 match address outside_cryptomap_30
:crypto map outside_map 30 set pfs group5
:crypto map outside_map 30 set peer 2.2.2.2
:crypto map outside_map 30 set transform-set ESP-AES-256-SHA
:crypto map outside_map interface outside

You have not defined a dynamic map here: you are expecting to talk to 2.2.2.2. But look above....

[501 configuration] ip address outside pppoe setroute

Your 501 does not -have- a fixed outside IP according to that. Perhaps your provider has assigned a constant address of 2.2.2.2, but you've told the PIX the address is variable. [Unfortunately I don't see any other way to tell the PIX you need to communicate via PPPoE.]

What I suggest you try is removing the crypto map outside_map 30 on the 506 and putting in a dynamic map (be sure to adjust the isakmp key address selector to match the possible range of IPs.) Then bring the tunnel up by traffic from the 501 to the 506.

I would also suggest removing the management access on the 501. If you want the traffic between the 501 and the 506 themselves to go through a tunnel (e.g., pings) then you should add an entry to the tunnel ACL that specifies the -outside- IPs for both ends. That's going to be a bit tricky on the 506 side, though, with the 501 having a dynamic IP... That is the situation that the management access is for, but I think that -for now- it is just confusing the issue.

Reply to
Walter Roberson
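When one end reports an ISAKMP SA while the other cannot pass traffic, the first thing to verify is that the two configurations actually agree with each other: mirrored crypto ACLs, an ISAKMP policy both sides can accept, the same PFS group, and a 'set peer' address the other side really owns. The script below is an added example written for this thread; it is not code from Fwed, Nick, Walter or Cisco. PIX501 and PIX506 are trimmed copies of the two configurations Fwed posted (only the name, access-list, ip address outside, crypto map and isakmp policy lines), name objects are resolved to addresses before comparing, and every function name and the set of statements the parser understands are this example's own assumptions. Run over the posted configs it reports the group 2 / group 5 ISAKMP difference Fwed mentioned and the static 'set peer' on the 506 pointing at a PPPoE-addressed 501 that Walter raised.

```python
# Added example for this thread (not code from any poster): a mirror check over
# the two PIX 6.x site-to-site configs. PIX501/PIX506 are trimmed copies of the
# configs Fwed posted, keeping only the statements the checker reads.
from dataclasses import dataclass, field

PIX501 = """\
name 192.168.2.0 lan01
name 192.168.0.0 lan02
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 lan02 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 lan01 255.255.255.0
ip address outside pppoe setroute
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer 1.1.1.1
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""
PIX506 = """\
name 192.168.5.0 lan
access-list outside_cryptomap_30 permit ip 192.168.0.0 255.255.255.0 lan 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.2.0 255.255.255.0 lan 255.255.255.0
ip address outside 1.1.1.1 255.255.255.0
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set pfs group5
crypto map outside_map 30 set peer 2.2.2.2
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
"""
PHASE1_ATTRS = ("authentication", "encryption", "hash", "group")  # lifetime may differ

@dataclass
class PixSide:
    names: dict = field(default_factory=dict)   # 'name' object -> address
    acls: dict = field(default_factory=dict)    # ACL name -> [(src, smask, dst, dmask)]
    maps: dict = field(default_factory=dict)    # crypto map seq -> {match, peer, pfs}
    isakmp: dict = field(default_factory=dict)  # policy number -> {attribute: value}
    outside_dynamic: bool = False               # outside address learned via PPPoE/DHCP

def parse_pix(text):
    """Pull the tunnel-relevant statements out of a PIX 6.x config dump."""
    side = PixSide()
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "name" and len(w) == 3:
            side.names[w[2]] = w[1]
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"] and len(w) >= 8:
            # resolve 'name' objects so both sides compare as raw addresses
            side.acls.setdefault(w[1], []).append(tuple(side.names.get(x, x) for x in w[4:8]))
        elif w[:3] == ["ip", "address", "outside"] and len(w) > 3:
            side.outside_dynamic = w[3] in ("pppoe", "dhcp")
        elif w[:2] == ["crypto", "map"] and len(w) >= 7:
            key = {("match", "address"): "match", ("set", "peer"): "peer",
                   ("set", "pfs"): "pfs"}.get(tuple(w[4:6]))
            if key:
                side.maps.setdefault(w[3], {})[key] = w[6]
        elif w[:2] == ["isakmp", "policy"] and len(w) >= 5:
            side.isakmp.setdefault(w[2], {})[w[3]] = " ".join(w[4:])
    return side

def proxy_ids(side):
    """Phase-2 identities (src, smask, dst, dmask) the crypto maps will propose."""
    ids = set()
    for m in side.maps.values():
        ids.update(side.acls.get(m.get("match"), []))
    return ids

def check_pair(a, b, la="A", lb="B"):
    """Return the mismatches that would keep two PIX peers from agreeing on one SA."""
    findings = []
    ia, ib = proxy_ids(a), proxy_ids(b)
    for ids, other, lx, ly in ((ia, ib, la, lb), (ib, ia, lb, la)):
        for src, sm, dst, dm in ids:
            if (dst, dm, src, sm) not in other:   # crypto ACLs must be exact mirrors
                findings.append(f"{lx}: crypto ACL {src}/{sm} -> {dst}/{dm} has no mirror on {ly}")
    if not any(all(pa.get(k) == pb.get(k) for k in PHASE1_ATTRS)
               for pa in a.isakmp.values() for pb in b.isakmp.values()):
        findings.append(f"ISAKMP: no policy pair agrees on {PHASE1_ATTRS}: "
                        f"{la}={a.isakmp} {lb}={b.isakmp}")
    pfs_a = {m["pfs"] for m in a.maps.values() if "pfs" in m}
    pfs_b = {m["pfs"] for m in b.maps.values() if "pfs" in m}
    if pfs_a and pfs_b and not pfs_a & pfs_b:
        findings.append(f"PFS mismatch: {la}={pfs_a} {lb}={pfs_b}")
    for x, y, lx, ly in ((a, b, la, lb), (b, a, lb, la)):
        # a fixed 'set peer' cannot match a side whose outside address changes
        if y.outside_dynamic and any("peer" in m for m in x.maps.values()):
            findings.append(f"{lx}: static 'set peer' but {ly} gets its outside address "
                            f"dynamically; {lx} needs a dynamic crypto map instead")
    return findings

def check_thread_configs():
    """Run the check over the two configs posted in the thread."""
    return check_pair(parse_pix(PIX501), parse_pix(PIX506), "PIX501", "PIX506")

if __name__ == "__main__":
    for finding in check_thread_configs():
        print("MISMATCH:", finding)
```

Paste each side's 'show running-config' into the two strings to run it against a real pair; the crypto ACL test is deliberately strict (exact mirror, after name resolution) because a proxy identity that is merely a subset of the other side's is enough for the PIX to build an SA that the far end then refuses to use.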

Thank you very, very much for your answer.

I will try fixing the outside IP on the 501 as you said, so as not to have a variable one.

Afterwards, if that does not resolve the problem, I will change the crypto map to a dynamic map.

Thanks a lot !

Reply to
Fwed
