IPSEC to PIX 515

Hi -

I'm running a 515 with the 6.3.3 code. I am trying to get the Cisco IPSec client connected to the PIX. I've followed the instructions on Cisco's site, and had this working, but after a recent change it just won't finish the ISAKMP negotiation.

I also have PPTP enabled to the PIX, which is working fine (so I know there's no RADIUS/Auth problem).

Client side logs show:

18 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000014 RECEIVING > ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x

20 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=A2FA4A64ADDC7FD0 R_Cookie=DF2DA2372657AB00) reason = DEL_REASON_WE_FAILED_AUTH

21 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to x.x.x.x

22 09:43:23.750 04/14/06 Sev=Info/4 IKE/0x6300004B Discarding IKE SA negotiation (I_Cookie=A2FA4A64ADDC7FD0 R_Cookie=DF2DA2372657AB00) reason = DEL_REASON_WE_FAILED_AUTH

23 09:43:23.750 04/14/06 Sev=Info/4 CM/0x63100014 Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_WE_FAILED_AUTH"

24 09:43:23.750 04/14/06 Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection

25 09:43:23.750 04/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys

============================
sanitized PIX config is below:

interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 savvist security0
fixup protocol dns maximum-length 512
fixup protocol domain 53
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any source-quench
access-list outside permit icmp any any time-exceeded
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.253.58.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.0.0.0 255.255.0.0
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 23
logging device-id hostname
logging host inside 10.0.0.42
no logging message 305012
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu savvist 1500
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 10.0.15.100-10.0.15.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (savvist) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 2 10.0.0.2 255.255.255.255 0 0
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
access-group outside in interface outside
access-group savvist in interface savvist
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.42 LehMePo23HHHee timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.10 k10D3* timeout 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa accounting include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set kiodex esp-3des esp-md5-hmac
crypto dynamic-map dynmap 5 set transform-set kiodex
crypto map outside 1 ipsec-isakmp
crypto map outside 1 match address savvis
crypto map outside 1 set peer 216.74.163.199
crypto map outside 1 set transform-set kiodex
crypto map outside 2 ipsec-isakmp
crypto map outside 2 match address houston
crypto map outside 2 set peer 209.163.128.71
crypto map outside 2 set transform-set kiodex
crypto map outside 3 ipsec-isakmp
crypto map outside 3 match address att
crypto map outside 3 set peer 63.240.29.99
crypto map outside 3 set transform-set kiodex
crypto map outside 4 ipsec-isakmp
crypto map outside 4 match address pune
crypto map outside 4 set peer 59.160.68.2
crypto map outside 4 set transform-set kiodex
crypto map outside 5 ipsec-isakmp dynamic dynmap
crypto map outside client authentication RADIUS
crypto map outside interface outside
isakmp enable outside
isakmp key ******** address 216.74.163.199 netmask 255.255.255.255
isakmp key ******** address 209.163.128.71 netmask 255.255.255.255
isakmp key ******** address 63.240.29.99 netmask 255.255.255.255
isakmp key ******** address 59.160.68.2 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup 628vpn address-pool vpn
vpngroup 628vpn dns-server 10.0.0.10 10.0.0.204
vpngroup 628vpn wins-server 10.0.0.10 10.0.0.204
vpngroup 628vpn default-domain vpn.kiodex.com
vpngroup 628vpn split-tunnel nonat
vpngroup 628vpn idle-time 1800
vpngroup 628vpn password ********
vpdn group 628pptp accept dialin pptp
vpdn group 628pptp ppp authentication mschap
vpdn group 628pptp ppp encryption mppe auto
vpdn group 628pptp client configuration address local vpn
vpdn group 628pptp client configuration dns 10.0.0.10 10.0.0.204
vpdn group 628pptp client configuration wins 10.0.0.10 10.0.0.204
vpdn group 628pptp client authentication aaa RADIUS
vpdn group 628pptp pptp echo 60
vpdn enable outside
=================

Any help appreciated. Thanks

Reply to
davidspollack

You usually do not want two interfaces to have the same security level: in PIX 6, interfaces with the same security level cannot talk to each other.

Personally I do not recommend accepting source-quench ICMP, as those ICMP can be forged and used as a Denial of Service attack against you.

Those can be replaced by

access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.254.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.254.0

Those can be replaced by

access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.253.0

10.0.0.2 is the only host allowed to communicate out the savvist interface?

No access-list savvist was present in the configuration you showed.

No access-list savvist was present in the configuration you showed. Also, you must not use the same access list for a 'match address' and an 'access-group': the PIX needs to internally manipulate access-group access-lists and that has the effect of changing the crypto security associations if you are also using it as 'match address', and that messes up your VPN.

No access-list houston or att or pune were present in the configuration you showed.

Reply to
Walter Roberson

Thanks for the quick reply. I'll take your recommendations into consideration.

As for the "savvis" interface: we are in the midst of switching from one provider (business class cable, no BGP available) over to a T1. That's why the 2 ints have the same security level, and why only one host (for testing) was set up to go that way.

'access-group': I'm looking to solve the cisco IPSec client problem right now, they connect to the Outside interface via a dynamic crypto map.

- note these are different:

access-group savvist in interface savvist (note the t)
crypto map outside 1 match address savvis

The full conf is below. Thanks!

==============================================
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 savvist security0
fixup protocol dns maximum-length 512
fixup protocol domain 53
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any source-quench
access-list outside permit icmp any any time-exceeded
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
access-list inside permit ip any any
access-list houston permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.253.58.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list att permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list att permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
access-list att permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list att permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list pune permit ip 10.0.10.0 255.255.255.0 10.253.58.0 255.255.255.0
access-list pune permit ip 10.0.0.0 255.255.255.0 10.253.58.0 255.255.255.0
access-list savvist permit icmp any any echo-reply
access-list savvist permit icmp any any unreachable
access-list savvist permit icmp any any source-quench
access-list savvist permit icmp any any time-exceeded
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 23
logging device-id hostname
logging host inside 10.0.0.42
no logging message 305012
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu savvist 1500
ip address outside w.x.y.z 255.255.255.248
ip address inside 10.0.15.1 255.255.255.0
ip address savvist a.b.c.d 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 10.0.15.100-10.0.15.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (savvist) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 2 10.0.0.2 255.255.255.255 0 0
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
access-group outside in interface outside
access-group savvist in interface savvist
route outside 0.0.0.0 0.0.0.0 w.x.y.z 1
route inside 10.0.0.0 255.255.255.0 10.0.15.2 1
route inside 10.0.1.0 255.255.255.0 10.0.15.2 1
route inside 10.0.10.0 255.255.255.0 10.0.15.2 1
route inside 10.0.12.0 255.255.255.0 10.0.15.2 1
route inside 10.0.14.0 255.255.255.0 10.0.15.2 1
route savvist a.b.c.d 255.255.255.255 e.f.g.h 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.42 LehMePo23HHHee timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.10 k10D3* timeout 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa accounting include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set kiodex esp-3des esp-md5-hmac
crypto dynamic-map dynmap 5 set transform-set kiodex
crypto map outside 1 ipsec-isakmp
crypto map outside 1 match address savvis
crypto map outside 1 set peer 216.74.163.199
crypto map outside 1 set transform-set kiodex
crypto map outside 2 ipsec-isakmp
crypto map outside 2 match address houston
crypto map outside 2 set peer 209.163.128.71
crypto map outside 2 set transform-set kiodex
crypto map outside 3 ipsec-isakmp
crypto map outside 3 match address att
crypto map outside 3 set peer 63.240.29.99
crypto map outside 3 set transform-set kiodex
crypto map outside 4 ipsec-isakmp
crypto map outside 4 match address pune
crypto map outside 4 set peer 59.160.68.2
crypto map outside 4 set transform-set kiodex
crypto map outside 5 ipsec-isakmp dynamic dynmap
crypto map outside client authentication RADIUS
crypto map outside interface outside
isakmp enable outside
isakmp key ******** address 216.74.163.199 netmask 255.255.255.255
isakmp key ******** address 209.163.128.71 netmask 255.255.255.255
isakmp key ******** address 63.240.29.99 netmask 255.255.255.255
isakmp key ******** address 59.160.68.2 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup 628vpn address-pool vpn
vpngroup 628vpn dns-server 10.0.0.10 10.0.0.204
vpngroup 628vpn wins-server 10.0.0.10 10.0.0.204
vpngroup 628vpn default-domain vpn.kiodex.com
vpngroup 628vpn split-tunnel nonat
vpngroup 628vpn idle-time 1800
vpngroup 628vpn password ********
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 10
ssh 10.0.0.0 255.255.0.0 inside
ssh timeout 10
console timeout 0
vpdn group 628pptp accept dialin pptp
vpdn group 628pptp ppp authentication mschap
vpdn group 628pptp ppp encryption mppe auto
vpdn group 628pptp client configuration address local vpn
vpdn group 628pptp client configuration dns 10.0.0.10 10.0.0.204
vpdn group 628pptp client configuration wins 10.0.0.10 10.0.0.204
vpdn group 628pptp client authentication aaa RADIUS
vpdn group 628pptp pptp echo 60
vpdn enable outside
terminal width 80
Reply to
davidspollack

In both of those cases, you are going to be dynamically allocating an IP address to the remote client that is taken from the pool named 'vpn', which is a subset of 10.0.15/24. That subnet is, though, the same IP range used by your inside interface. That will fail more often than it works.

You should set your vpn pool to be an IP subnet that is "outside" relative to your inside interface, and ensure that the routing to that IP subnet would be via the outside interface (the one that has the crypto map attached.)

Otherwise, the packets will appear "local" to the inside hosts, and won't be picked up by the PIX at all unless it just happens to proxy arp for those IPs (not certain); and if it is picked up by the PIX then the PIX will see that the route for the IP is back through the inside interface (because the pool is a subset of that range), and will promptly drop the packet. Sometimes the PIX will automatically insert a host route for the IP that would be good enough, but it is safer to not count on that.

Reply to
Walter Roberson
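
A small lint that automates the checks Walter raised in his two replies (two interfaces at the same security level, an access-list referenced but never defined, one access-list serving both access-group and match address, and a client pool that overlaps an interface subnet). This is an added example, not code from the thread or from Cisco; the PIX 6.3(3) config it parses is a constructed subset of the one posted above, and the command patterns it matches are only the ones that appear there.

```python
import ipaddress
import re

# Constructed sample: a subset of the PIX 6.3(3) config posted in this thread.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 savvist security0
access-list outside permit icmp any any echo-reply
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list savvist permit icmp any any echo-reply
ip address inside 10.0.15.1 255.255.255.0
ip local pool vpn 10.0.15.100-10.0.15.254
access-group outside in interface outside
access-group savvist in interface savvist
crypto map outside 1 match address savvis
"""

def lint_pix_config(text):
    """Return the findings for the four checks raised in the thread."""
    seclevels, ifaces, pools, acl_defined, acl_group, acl_match = {}, {}, {}, set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"nameif \S+ (\S+) security(\d+)$", line):
            seclevels[m[1]] = int(m[2])
        elif m := re.match(r"access-list (\S+) ", line):
            acl_defined.add(m[1])
        elif m := re.match(r"access-group (\S+) in interface", line):
            acl_group.add(m[1])
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            acl_match.add(m[1])
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)", line):
            ifaces[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
    findings = []
    # 1. PIX 6 cannot pass traffic between interfaces at the same security level.
    by_level = {}
    for name, level in seclevels.items():
        by_level.setdefault(level, []).append(name)
    for level, names in by_level.items():
        if len(names) > 1:
            findings.append(f"interfaces {sorted(names)} share security{level}")
    # 2. An access-list named by access-group or match address but never defined.
    for acl in sorted((acl_group | acl_match) - acl_defined):
        findings.append(f"access-list {acl} is referenced but not defined")
    # 3. One access-list serving both access-group and a crypto map match address.
    for acl in sorted(acl_group & acl_match):
        findings.append(f"access-list {acl} is used for both access-group and match address")
    # 4. Client pool addresses that fall inside an interface's own subnet.
    for pname, (lo, hi) in pools.items():
        for iname, net in ifaces.items():
            if lo in net or hi in net:
                findings.append(f"pool {pname} {lo}-{hi} overlaps {iname} subnet {net}")
    return findings
```

On the sample it reports the shared security0, the undefined 'savvis' list (the savvis/savvist mix-up) and the pool inside 10.0.15.0/24, and stays silent on check 3 because the two names differ.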

I didn't examine your settings in detail, but I "bit" myself recently similarly:

... check to see that your "vpngroup 628vpn password ********" contains the correct password value.

I did some major mods on our config recently and "pasted" my vpn values back in from a text backup file. The PIX, naturally, could not tell what was hidden behind the "********". All was fine after I put the correct value in via CLI.

Reply to
S. Gione

OK, I'm going to test Walter's suggestion today. Weird thing is, this was working fine.

I'm sure the group password is right, because I'm getting prompted for the user password. If the group password was incorrect, I wouldn't get that far. Thanks for the suggestion though.

Any other thoughts appreciated. Thanks

Reply to
davidspollack

FIXED!

The RADIUS auth was failing because I didn't have "PAP" enabled as a valid auth type on the RADIUS server. I guess the Cisco VPN client uses PAP.

thanks for all the suggestions - dave pollack

Reply to
davidspollack
