PIX 501 VPN - I can ping but can't map a drive

- H
- Hank Zoeller
  
  Contact options for registered users
posted
18 years ago

Sat, Jan 21, 2006 1:21 AM

Hello,

I'm trying to set up a VPN connection from a PC outside the PIX 501 into a file server. On the outside PC I'm using the Microsoft VPN client software.

I get authenticated on the VPN circuit and can ping (~3 ms.) the server (192.168.0.250) but I can't map a drive or access the server in any useful way. I do not have a WINS or DNS server running and am simply trying to map a drive using the \\\\192.168.0.250\\ShareName method. The share name is valid. On the client PC I get the message, "The specified network name is no longer available."

I do see messages in the PIX log like the following but, as I am new to all this, I don't know if these messages are relevant.

"PIX-3-305005: No translation group found for tcp src outside:192.168.3.4/1561 dst inside:192.168.0.250/139"

The 192.168.3.4 IP is the outside PC's normal IP address and the above log messages happens when I try to map a drive on the server.

I also get the following log message:

"PIX-3-305005: No translation group found for udp src outside:

192.168.4.1/1025 dst inside:192.168.0.100/161"

Which (I think) is the outside PC trying to establish contact with an internal print server. The 192.168.4.1 IP address is the address given to the outside PC from the pool of VPN addresses in the PIX.

Here's my config:

PIX Version 6.3(4) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password xxxxxxxxxxxx encrypted passwd xxxxxxxxxxxxx encrypted hostname pixfirewall domain-name ciscopix.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol pptp 1723 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list msnet permit tcp any host 192.168.0.250 eq netbios-ssn access-list msnet permit udp any host 192.168.0.250 eq netbios-dgm access-list msnet permit udp any host 192.168.0.250 eq netbios-ns access-list msnet permit icmp any any access-list inside_outbound_nat0_acl permit ip host 192.168.0.250

192.168.4.0 255.255.255.240 pager lines 24 logging on logging timestamp logging trap notifications logging host inside 192.168.0.253 mtu outside 1500 mtu inside 1500 ip address outside dhcp setroute ip address inside 192.168.0.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool SS 192.168.4.1-192.168.4.11 pdm location 192.168.0.250 255.255.255.255 inside pdm location 192.168.0.254 255.255.255.255 inside pdm location 192.168.4.0 255.255.255.240 outside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) 192.168.4.0 192.168.0.250 netmask 255.255.255.255 0 0 access-group msnet in interface outside timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 192.168.0.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-pptp telnet 192.168.0.0 255.255.255.0 inside telnet timeout 5 ssh timeout 5 console timeout 0 vpdn group PPTP-VPDN-GROUP accept dialin pptp vpdn group PPTP-VPDN-GROUP ppp authentication pap vpdn group PPTP-VPDN-GROUP ppp authentication chap vpdn group PPTP-VPDN-GROUP ppp authentication mschap vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto vpdn group PPTP-VPDN-GROUP client configuration address local SS vpdn group PPTP-VPDN-GROUP pptp echo 60 vpdn group PPTP-VPDN-GROUP client authentication local vpdn username xxxxx password ********* vpdn enable outside dhcpd address 192.168.0.2-192.168.0.33 inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside dhcpd enable inside terminal width 80 Cryptochecksum:b1e039a239a03680c43302546ee79164 : end

I have little doubt that I'm missing something or have done something wrong. Thank you for any tips or pointers!

- W
- Walter Roberson
  
  Contact options for registered users
Vote on answer
posted
18 years ago

Sat, Jan 21, 2006 3:18 AM

[re-arranged to make the answers a bit easier to follow]

Yes, udp 161 is the SNMP protocol; HP's monitoring service in particular likes to use SNMP to talk to the printer.

255.255.255.240

In combination with the nat 0 access-list, that entry says that packets between the one inside host 192.168.0.250 and the "outside" network 192.168.4.0 - 192.168.4.15 are not to undergo address translation -and- that you do not need a 'static' command for that traffic.

But if you look at the destination IP for the SNMP traffic, you will see that it is not 192.168.0.250, so that nat exemption ACL does not apply. Therefore what does apply to this case is the normal public address translation and public ACLs, just as if the traffic was not coming in via VPN.

Your normal applicable ACLs and translations are:

Those ACLs say that when that selected traffic comes from outside to the *outside* ("public") IP 192.168.0.250, that it should be permitted, but the only traffic allowed to any other public IP should be the icmp traffic. [That's why you can ping.] But is 192.168.0.250 the public IP of the inside host 192.168.0.250 ?

Nope, it isn't. That line says that except for the traffic exempted by the inside_outbound_nat0_acl ACL, that the inside host 192.168.0.250 should be represented on the outside by the *host* IP address

192.168.4.0 ... and that's going to apply even if 192.168.0.250 is trying to talk to a host outside the VPN, such as if it is trying to talk to a DNS server.

We see that the source IP for those packets is not in the 192.168.4.0 -

192.168.4.15 subnet, so the normal outside ACL is in charge and is denying that traffic. Remember here that as far as the PIX is concerned, if the inside_outbound_nat0_acl does not apply then the public IP of 192.168.0.250 is the -host- IP 192.168.4.0 . For packets with the PC's 192.168.3.4 source IP to have gotten through, the msnet ACL would have had to have named "host 192.168.4.0" as the destination address, because outside ACLs work on the basis of the -outside- version of the IPs.

Now, what is puzzling is why the PC is using the 192.168.3.4 source IP. If the PC did indeed connect through the VPN, then it should have been assigned an IP out of pool SS by the PPTP process, which would have given it an IP in the 192.168.4.0 - 192.168.4.15 network for which the address exemption would have applied (and thus the msnet ACL would have worked as well.)

Is it possible that somehow the PC is talking to the PIX directly, instead of through a VPN? Does the outside PC just happen to be on the network segment that the PIX outside interface is on? In that if it does happen to be on that outside interface, then its traffic to the reserved private IP 192.168.0.250 would have been able to get through, but if there is any public infrastructure between the PC and the PIX then normal public routing processes would not have been able to find your PIX, since 192.168.*.* traffic would normally get dropped.

Anyhow, putting these things together:

- you need to expand your access-list inside_outbound_nat0_acl so that the source is not just the host 192.168.0.250: it should include all the inside hosts that are to be reached (e.g., the printer.)

- you need to drop that static for the inside IP 192.168.0.250 -- it isn't doing you any good. You are dhcp'ing for an outside IP, so it isn't the case that you want 192.168.0.250 to be a public server that needs to be static'd to a public IP.

- you should adjust your outside ACLs to only allow the 192.168.4.0-15 network as the source IPs -- otherwise, attackers that -happen- to randomly (or sequentially) try your IP address might be able to get UDP packets through and exploit some NETBIOS vulnerability. Alternately, you could drop your outside ACL and turn on sysopt connection permit-pptp which would allow pptp clients to access -all- hosts (and ports) in your LAN, no matter what the ACLs said.

- you need to figure out why the PPTP client is not being assigned an IP from the pool SS. I don't have any good ideas on this one [other than the possibility that it skipped the PPTP layer and is right there on the outside segment...]

- H
- Hank Zoeller
  
  Contact options for registered users
Vote on answer
posted
18 years ago

Sat, Jan 21, 2006 10:57 PM

Walter Roberson wrote: [...considerable snippage...]

Walter, thank you very much for your analysis and response. Very helpful -- especially as I am a novice to all this.

Apparently, also the Lexmark TCP/IP print server.

Yes, the PC *was* in the same segment as the outside interface of the PIX. It was interesting that ping traffic was using the VPN assigned IP address from the VPN pool but NET USE was using the IP address that was on the same segment of the outside interface of the PIX.

I now have the PC out on the internet with an IP of 69.x.x.x and the perimeter firewall 71.x.x.x now routes TCP port 1723 and GRE stuff into the PIX outside address. From the perimeter firewall log:

Sat, 2006-01-21 15:20:54 - TCP Packet - Source:69.x.x.x,10013 Destination:192.168.3.2,1723 - [VPN-PPTP match] Sat, 2006-01-21 15:20:55 - GRE Packet - Source:69.x.x.x Destination:192.168.3.2 - [VPN-PPTP Data match]

And, sure enough, the PC at 69.x.x.x can now authenticate on the PIX by connecting to the public 71.x.x.x address. I get an IP address from within the VPN pool: 192.168.4.1.

But, I get no further. I can't ping the internal servers or map a drive.

I think I've done all the items you outlined in your post but I may have fouled something else up or not understood what I was doing well enough to properly carry out your suggestions.

Here's my current config:

PIX Version 6.3(4) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password ********** encrypted passwd ********** encrypted hostname pixfirewall domain-name ciscopix.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol pptp 1723 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list msvpn permit ip 192.168.4.0 255.255.255.240 192.168.0.0

255.255.255.0 access-list inside_outbound_nat0_acl permit ip any 192.168.4.0 255.255.255.240 pager lines 24 logging on logging timestamp logging trap informational logging host inside 192.168.0.253 mtu outside 1500 mtu inside 1500 ip address outside dhcp setroute ip address inside 192.168.0.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool SS 192.168.4.1-192.168.4.11 pdm location 192.168.0.250 255.255.255.255 inside pdm location 192.168.0.254 255.255.255.255 inside pdm location 192.168.0.253 255.255.255.255 inside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 0.0.0.0 0.0.0.0 0 0 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 192.168.0.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-pptp telnet 192.168.0.0 255.255.255.0 inside telnet timeout 5 ssh timeout 5 console timeout 0 vpdn group PPTP-VPDN-GROUP accept dialin pptp vpdn group PPTP-VPDN-GROUP ppp authentication pap vpdn group PPTP-VPDN-GROUP ppp authentication chap vpdn group PPTP-VPDN-GROUP ppp authentication mschap vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto vpdn group PPTP-VPDN-GROUP client configuration address local SS vpdn group PPTP-VPDN-GROUP pptp echo 60 vpdn group PPTP-VPDN-GROUP client authentication local vpdn username xxxx password ********* vpdn enable outside dhcpd address 192.168.0.2-192.168.0.33 inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside dhcpd enable inside terminal width 80 Cryptochecksum:b1e039a239a03680c43302546ee79164 : end [OK]

Thanks again, Walter, I guess I need another lesson.