Remote VPN

Can we see your config ? (Remove any sensitive info 1st obviously)

thank you very much for your help.

Here is the config on the PIX

access-list INSIDE_IN permit icmp 192.168.2.0 255.255.255.0 any access-list INSIDE_IN permit udp host OFTSFAP1 any eq domain access-list INSIDE_IN permit tcp 192.168.2.0 255.255.255.224 object-group ML_Inbound_SMTP eq smtp access-list INSIDE_IN permit tcp 192.168.2.0 255.255.255.224 object-group special_www eq www access-list INSIDE_IN permit udp host OFTSFAP1 object-group OPTUS_NTP eq ntp access-list INSIDE_IN permit tcp HOST_PC 255.255.255.192 any eq www access-list INSIDE_IN permit tcp HOST_PC 255.255.255.192 any eq https access-list INSIDE_IN remark Testing connnection to Net-2-Net access-list INSIDE_IN permit ip 192.168.2.0 255.255.255.0 host NET2NETSRV access-list INSIDE_IN deny ip any any log access-list OUTSIDE_IN permit tcp object-group ML_Inbound_SMTP host Public_OFTSFAP1 eq smtp access-list OUTSIDE_IN permit tcp host PM_PC host Public_OFTSFAP1 eq

3389 access-list OUTSIDE_IN deny ip any any log access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 HO_VPN_NET 255.255.255.0 access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 VPN_RM 255.255.255.0 access-list outside_cryptomap_20 remark VPN to head office access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 HO_VPN_NET 255.255.255.0 access-list outside_inbound_nat0_acl permit ip HO_VPN_NET 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_inbound_nat0_acl permit ip VPN_RM 255.255.255.0 192.168.2.0 255.255.255.0 access-list OFT_VPN_CL_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any pager lines 24 logging standby mtu outside 1500 mtu inside 1500 ip address outside PIX_OUT_INT 255.255.255.248 ip address inside 192.168.2.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool VPN_POOL 172.11.1.64-172.11.1.96 mask 255.255.255.224 nat (outside) 0 access-list outside_inbound_nat0_acl outside nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 3 192.168.2.0 255.255.255.128 0 0 access-group OUTSIDE_IN in interface outside access-group INSIDE_IN in interface inside route outside 0.0.0.0 0.0.0.0 61.88.19.161 1 timeout xlate 0:05:00 timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 192.168.2.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto dynamic-map outside_dyn_map 30 set transform-set ESP-DES-MD5 crypto map outside_map 20 ipsec-isakmp crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer HO_PIX crypto map outside_map 20 set transform-set ESP-DES-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside isakmp enable outside isakmp key ******** address HO_PIX netmask 255.255.255.255 no-xauth no-config-mode isakmp policy 20 authentication pre-share isakmp policy 20 encryption des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 isakmp policy 30 authentication pre-share isakmp policy 30 encryption des isakmp policy 30 hash sha isakmp policy 30 group 1 isakmp policy 30 lifetime 86400 vpngroup OFT_VPN_CL address-pool VPN_POOL vpngroup OFT_VPN_CL dns-server OFTSFAP1 vpngroup OFT_VPN_CL split-tunnel OFT_VPN_CL_splitTunnelAcl vpngroup OFT_VPN_CL idle-time 1800 vpngroup OFT_VPN_CL password ******** telnet HO_VPN_NET 255.255.255.0 inside telnet 192.168.2.0 255.255.255.224 inside telnet HOST_PC 255.255.255.192 inside telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 192.168.2.2-192.168.2.254 inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside vpnclient server HO_PIX vpnclient mode network-extension-mode vpnclient vpngroup OFT_VPN password ******** vpnclient username OFT_VPN_User password ******** terminal width 80 Cryptochecksum:0e5ef91744953bfd6679320e8c0fb6c5

The VPN client connects fine to the PIX but there are no decrypted packets and a lot of bypass.

Regards

The pool with a mask of .224 ends at .95 not .96 . I would suggest that you use a netmask of 255.255.255.0, and make sure that the first and last addresses implied by the netmask are not listed in the pool.

ML_Inbound_SMTP eq smtp

special_www eq www

In your first line, you permit out the full 192.168.2/24, but in the two lines above you only allow yout 192.168.2.0 - 192.168.2.31 . Is that really what you want? If you have made a deliberate decision to confine "hosts that are allowed to contact those services" to that address range, then take note that that address range includes the PIX inside interface, which would you wouldn't normally want to include if you are being particular about what goes out where.

If you have allocated a group of hosts starting from HOST_PC and extending to HOST_PC + 63, and that's what you want to allow to access those services, then I would suggest that it is better form to hide the details of the permitted hosts inside an object-group; that way later you they don't have to be contiguous.

That denies traffic to the VPN_pool . However, the sysopt you use later allows the VPN to ignore the access lists.

With the information you gave, we cannot tell whether HO_VPN_NET or VPN_RM encompasses VPN_POOL . If one of the two does, notice the netmask inconsistancy compared to the pool definition.

Don't try nat 0 against the outside interface: if it does anything at all, it surely won't be whatever you intended. Instead just rely upon the fact that nat (inside) 0 is automatically applied "in reverse" for incoming traffic.

no global (outside) 3 policy...

Why is your fixed peer using ESP-DES-SHA but your dynamics are using ESP-DES-MD5 ? PIX 6.3 does not support ESP-DES-SHA by the way (if I recall correctly.) It's better to list several transforms in the set, strongest first; then if somehow there becomes a mismatch in support, they can fall back to another transform.

DES SHA is stronger than DES MD5, so it would be better if it were a lower policy number.

Everything else implies that HO_VPN_NET is outside, but here you have it on the inside.

??? You are allowing accidents of DHCP address allocation to determine whether a particular host is allowed particular kinds of inside or outside access (because of the various .224 you use against inside addresses in places) ?

And if there are fixed hosts at HOST_PC then they overlap with your dhcpd address pool, unless HOST_PC is in a completely different IP range -- but if it is in a completely different range then the situation can't work without an 'ip route' statement.

You are trying to create a management VPN to HO_PIX and there is a corresponding VPN at HO_PIX marked with a 'management interface' command? If not then don't use network-extension-mode . If you -are- trying to create such a management VPN, note that the network-extension-mode VPN being created will permit only traffic that originates at the PIX itself, such as CLI pings -- usually not of substantial utility considering the configuration complexity.

If you want to build a LAN to LAN VPN to the outside interface of HO_PIX then include the outside interface IP of HO_PIX amongst the traffic permitted by outside_cryptomap_20 .