Pix Point to Point VPN

I'm at a loss. I've tried to get this Point to Point VPN setup from our home office to our colo'd server and I can't seem to figure out why it isn't working. Any help would be greatly appreciated. IPs have been changed to protect the innocent.

Marcos

Home Office External IP: 66.66.66.66 (provided by DSL DHCP)
Home Office Internal IP: 192.168.3.x

Colo External IP: 55.55.55.55
Colo Internal IP: 192.168.50.x

Home Office Pix Config:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password securepassword
passwd securepassword
hostname HOME-PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any any eq pptp
access-list outside_access_in permit gre any any
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list corp permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 47 192.168.3.2 47 netmask 255.255.255.255 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address colo
crypto map vpn 10 set peer 55.55.55.55
crypto map vpn 10 set transform-set strong
crypto map vpn interface outside
isakmp enable outside
isakmp key 12345 address 55.55.55.55 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 192.168.3.2-192.168.3.33 inside
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

COLO Pix Config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password securepassword
passwd securepassword
hostname COLOFW
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit icmp any any
access-list inbound permit tcp any host 55.55.55.55 eq https
access-list inbound permit tcp any host 55.55.55.55 eq pptp
access-list inbound permit tcp any host 55.55.55.55 eq www
access-list inbound permit tcp any host 55.55.55.55 eq 444
access-list inbound permit tcp any host 55.55.55.55 eq smtp
access-list inbound permit gre any host 55.55.55.55
access-list inbound permit tcp any host 55.55.55.56 eq ftp
access-list inbound permit tcp any host 55.55.55.56 eq ftp-data
access-list inbound permit tcp any host 55.55.55.55 eq 4125
access-list inbound permit tcp any host 55.55.55.56 eq domain
access-list inbound permit udp any host 55.55.55.56 eq domain
access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list corp permit ip 192.168.50.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 55.55.55.55 255.255.255.240
ip address inside 192.168.50.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.50.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 55.55.55.55 192.168.50.55 netmask 255.255.255.255 0 0
static (inside,outside) 55.55.55.56 192.168.50.56 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 55.55.55.54 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address corp
crypto map vpn 10 set peer 66.66.66.66
crypto map vpn 10 set transform-set strong
crypto map vpn interface outside
isakmp enable outside
isakmp key 12345 address 66.66.66.66 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80
Reply to
marcosbarrera

It would be better to upgrade that to 6.3(5)112 because of the known security problems in 6.3(4) and 6.3(5)[original]

Note that 0.0.0.0 0.0.0.0 includes 192.168.3.0 255.255.255.0, so the first nat 1 is redundant. (My recommendation would be to get rid of the nat 1 0.0.0.0)

You appear to have tried to pass through gre, IP protocol 47. Unfortunately for you, GRE is not a TCP port. In order to get GRE through, you would have to static (inside,outside) the entire IP, as there is no way to static just a single protocol. You cannot, though, static the entire IP when the interface address is involved.

What just -might- work is

access-list gre_acl permit 47 any host 192.168.3.2
static (inside,outside) interface access-list gre_acl

I do not have a PIX available to test this with, so I do not know if it will accept a protocol in that context.

At one point, I had found documentation that 3DES MD5 was not supported... or was it DES SHA that wasn't supported? I can't find the relevant documentation at the moment. It wouldn't hurt to expand your transform sets and isakmp to include 3DES SHA. For that matter, consider using AES-128 SHA Group 5 as your highest priority: it is faster and more secure than 3DES.

There is no access-list named 'colo' in what you showed.

Earlier you defined 192.168.3.2 to be the target IP of a static. Do you really want 192.168.3.2 to be whatever random host on your network happens to be assigned that IP by the PIX DHCP daemon? It would seem to make more sense to start your address list from 192.168.3.3.

It is not, by the way, immediately obvious as to why you are staticing 47 or permitting inward pptp and gre. You would only want to use those if you are using a host-to-host VPN from some remote machine to a server at your home office. These things are not needed for a site-to-site PIX VPN, and they are also (for different reasons) unneeded if you are using a host-to-host VPN out from the inside to the outside.

Do you really want to permit random hosts on the Internet to send you ICMP Network Redirects, and thereby send your traffic on to their equipment?? If not, then you should restrict the icmp access only to those protocols that you want to go through -- icmp unreachable, icmp time-exceeded, and possibly icmp echo-reply.

[...]

You have defined 55.55.55.55 as your external IP address. You cannot directly reference your external IP address in an access-list: you must instead use the phrase 'interface outside', such as

access-list inbound permit tcp any interface outside eq https

You never need to specifically permit in tcp-data, not unless you have turned off the ftp fixup.

See above comments about redundant nats. (I would delete the 0.0.0.0 one)

You have defined 55.55.55.55 as your external IP address. You cannot static the entire external IP address. The policy static I described above -might- work.

See above comments about SHA and AES.

Your home office configuration defined the home office IP as being provided by the ISP via dhcp. Unless that is really a static IP that will not change, you need to reconfigure the crypto map setup on the colo. You need to use a dynamic-map and you need to import that dynamic map into your crypto map. A dynamic map must be configured any time that the device will be contacted by other hosts that do not have fixed IP addresses.

As per the above, unless the dhcp'd IP address is really a static IP in disguise, you should not be locking in that specific IP into the isakmp key.

As discussed above, there is no obvious reason for you to specifically permit pptp and gre: those are used for host-to-host VPNs, not for site-to-site VPNs.

Reply to
Walter Roberson
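As an added example that is not part of the thread, here is a small Python lint that checks a PIX 6.3 config for the four problems Walter points out: a crypto map matching an undefined access-list, a redundant nat 1 alongside nat 1 0.0.0.0 0.0.0.0, an ACL or static naming the outside interface address as a host, and a fixed peer or isakmp key binding when the far end's outside address comes from DHCP. HOME and COLO are constructed excerpts of the two posted configs with the same placeholder addresses.

```python
"""Lint for the PIX 6.3 site-to-site VPN problems raised in the reply above.
Added example, not from the thread; HOME/COLO are constructed config excerpts."""
import re

def lint(cfg, peer_cfg=""):
    """Return a list of findings for cfg; peer_cfg is the other end of the tunnel."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    peer = [l.strip() for l in peer_cfg.splitlines() if l.strip()]
    findings = []
    acls = {l.split()[1] for l in lines if l.startswith("access-list ")}
    # 1. a crypto map must match an access-list that is actually defined
    for l in lines:
        m = re.match(r"crypto map \S+ \d+ match address (\S+)", l)
        if m and m.group(1) not in acls:
            findings.append(f"crypto map references undefined access-list '{m.group(1)}'")
    # 2. nat (inside) 1 0.0.0.0 0.0.0.0 already covers every narrower nat 1 entry
    nat1 = [l for l in lines if l.startswith("nat (inside) 1 ")]
    if len(nat1) > 1 and any("0.0.0.0 0.0.0.0" in l for l in nat1):
        findings.append("nat (inside) 1 0.0.0.0 0.0.0.0 makes the other nat 1 entries redundant")
    # 3. the outside interface address cannot be named as a host in an ACL or static
    outside = next((l.split()[3] for l in lines if l.startswith("ip address outside ")), None)
    if outside and outside != "dhcp":
        for l in lines:
            if re.search(rf"host {re.escape(outside)}\b", l) or l.startswith(f"static (inside,outside) {outside} "):
                findings.append(f"'{l}' names the outside interface IP; use 'interface outside'")
    # 4. a fixed peer address or key binding is wrong when the far end is on DHCP
    if any(l.startswith("ip address outside dhcp") for l in peer):
        for l in lines:
            if re.match(r"crypto map \S+ \d+ set peer |isakmp key \S+ address \d", l):
                findings.append(f"'{l}' pins a DHCP-assigned peer; use a crypto dynamic-map")
    return findings

HOME = """
ip address outside dhcp setroute
access-list corp permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map vpn 10 match address colo
crypto map vpn 10 set peer 55.55.55.55
"""
COLO = """
ip address outside 55.55.55.55 255.255.255.240
access-list inbound permit tcp any host 55.55.55.55 eq https
access-list corp permit ip 192.168.50.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 1 192.168.50.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map vpn 10 match address corp
crypto map vpn 10 set peer 66.66.66.66
isakmp key 12345 address 66.66.66.66 netmask 255.255.255.255
"""
```

Run lint(HOME, COLO) and lint(COLO, HOME) to see each side's findings; the peer argument is what turns the DHCP observation into a check rather than something to remember by hand.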
