SETUP A VPN CONNECTION FROM THE OUTSIDE

Hi,

Here is the situation. I am trying to allow a VPN connection from the outside of a PIX Firewall to a Windows 2003 Server, which is the VPN server. In the same LAN where the Windows 2003 Server is located there is another server, Server A. I am trying to SSH into Server A after I make a VPN connection to the Windows 2003 Server. However, after I make the VPN connection and try to SSH into Server A, I get a connection timeout error. I am able to connect to the VPN server, but after I connect to the VPN server I do not have access to Server A using SSH. What could I be doing wrong?

Thank You

Victor

-- vreyesii

About 1000 things... ya gotta post your config if you want help.

-- Brian V

Below is a copy of the PIX config.

pixfirewall# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
hostname pixfirewall
domain-name XXXXX.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound deny ip host 87.162.179.31 any
access-list allow_inbound deny ip host 70.255.106.164 any
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any interface outside eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit icmp any any echo-reply
access-list allow_inbound permit tcp any host B.X.X.236 eq www
access-list allow_inbound permit tcp any host B.X.X.236 eq h323
access-list allow_inbound permit tcp any host B.X.X.236 eq 5060
access-list allow_inbound permit tcp any interface outside eq pptp
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 3000
access-list allow_inbound permit udp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 10240
access-list allow_inbound permit tcp any interface outside eq 10241
access-list allow_inbound permit tcp any interface outside eq 10242
access-list allow_inbound permit udp any interface outside eq 10240
access-list allow_inbound permit udp any interface outside eq 10241
access-list allow_inbound permit udp any interface outside eq 10242
access-list allow_inbound permit tcp any interface outside eq 41170
access-list allow_inbound permit udp any interface outside eq 41170
access-list allow_inbound permit tcp any interface outside eq 4662
access-list allow_inbound permit tcp any interface outside eq 4000
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
access-list deny_outbound permit esp any any
access-list deny_outbound permit gre any any
access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
no pager
logging on
logging timestamp
logging monitor debugging
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp deny any outside
icmp deny any echo outside
mtu outside 1500
mtu inside 1500
ip address outside A.X.X.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.30 255.255.255.255 inside
pdm location 10.1.1.251 255.255.255.255 inside
pdm location 10.1.1.252 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 216.178.32.48 255.255.255.255 outside
pdm location 216.178.32.49 255.255.255.255 outside
pdm location 216.178.32.50 255.255.255.255 outside
pdm location 216.178.32.51 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list do_not_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 10.1.1.23 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
static (inside,outside) B.X.X.236 10.1.1.7 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 A.X.X.1 1
route inside 192.168.2.0 255.255.255.0 10.1.1.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXXXX
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 default-domain pix.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vmr2 address-pool ippool
vpngroup vmr2 default-domain pix.com
vpngroup vmr2 split-tunnel 101
vpngroup vmr2 idle-time 1800
vpngroup vmr2 password ********
vpngroup grace address-pool ippool
vpngroup grace default-domain pix.com
vpngroup grace split-tunnel 101
vpngroup grace idle-time 1800
vpngroup grace password ********
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
username vmr2 password XXXXXXXXXXXX encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner login Unauthorized access and use of this network/device will be prosecuted.
banner motd Unauthorized access and use of this network/device will be prosecuted.
Cryptochecksum:f02ea73dea8980383b1d6579f900296e
: end

On Nov 18, 5:20 pm, "Brian V" wrote:


-- vreyesii

You cannot use PAT for PPTP; you need to use NAT. PPTP requires two things, TCP 1723 and GRE. GRE cannot be PAT'd; it needs to be allowed through a one-to-one NAT. Where you only have a single IP, you will need to set up the PPTP on the PIX.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_config...

-- Brian V

All right, I changed a few things on the PIX, and I configured the PIX as a VPN PPTP server. From the client side I am able to connect to the VPN server. However, when I connect to the VPN server I should have access to the local LAN of the VPN server, but when I try to simply SSH into the PIX or another workstation (AIX box) on the LAN I am not able to. With the other workstations that are on the same LAN as the VPN server I can establish communication.

Thank You


-- vreyesii

Post your latest config, and please stop top posting; it makes it very hard to follow a thread.

-- Brian V

On Nov 20, 7:43 am, "Brian V" wrote:


Below is the latest copy of the config.

: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXXXX encrypted
hostname pixfirewall
domain-name XXXXXXXXX.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound deny ip host 87.162.179.31 any
access-list allow_inbound deny ip host 70.255.106.164 any
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any interface outside eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any host B.X.X.236 eq www
access-list allow_inbound permit tcp any host B.X.X.236 eq h323
access-list allow_inbound permit tcp any host B.X.X.236 eq 5060
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 3000
access-list allow_inbound permit udp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 10240
access-list allow_inbound permit tcp any interface outside eq 10241
access-list allow_inbound permit tcp any interface outside eq 10242
access-list allow_inbound permit udp any interface outside eq 10240
access-list allow_inbound permit udp any interface outside eq 10241
access-list allow_inbound permit udp any interface outside eq 10242
access-list allow_inbound permit tcp any interface outside eq 41170
access-list allow_inbound permit udp any interface outside eq 41170
access-list allow_inbound permit tcp any interface outside eq 4662
access-list allow_inbound permit tcp any interface outside eq 4000
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
no pager
logging on
logging timestamp
logging monitor debugging
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp permit any unreachable outside
icmp deny any echo outside
icmp deny any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside A.X.X.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name POLICY1 attack action alarm reset
ip audit name InfoPolicy info action alarm drop
ip audit interface outside InfoPolicy
ip audit interface outside POLICY1
ip audit info action alarm drop
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.30 255.255.255.255 inside
pdm location 10.1.1.251 255.255.255.255 inside
pdm location 10.1.1.252 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 216.178.32.48 255.255.255.255 outside
pdm location 216.178.32.49 255.255.255.255 outside
pdm location 216.178.32.50 255.255.255.255 outside
pdm location 216.178.32.51 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm location 69.18.151.78 255.255.255.255 outside
pdm location 70.255.106.164 255.255.255.255 outside
pdm location 87.162.179.31 255.255.255.255 outside
pdm location 204.245.86.77 255.255.255.255 outside
pdm location 10.1.1.253 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list do_not_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
static (inside,outside) B.X.X.236 10.1.1.7 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 A.X.X.1 1
route inside 192.168.2.0 255.255.255.0 10.1.1.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 10.1.1.253 nyc4u2me timeout 5
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community nyc4u2me
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 default-domain XXXXX.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vmr2 address-pool ippool
vpngroup vmr2 default-domain XXX.com
vpngroup vmr2 split-tunnel 101
vpngroup vmr2 idle-time 1800
vpngroup vmr2 password ********
vpngroup grace address-pool ippool
vpngroup grace default-domain XXXXXX.com
vpngroup grace split-tunnel 101
vpngroup grace idle-time 1800
vpngroup grace password ********
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128
vpdn group 1 client configuration address local ippool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username vmr2 password *********
vpdn username test password *********
vpdn enable outside
username vmr2 password XXXXXXXXXXXXXXX encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner login Unauthorized access and use of this network/device will be prosecuted.
banner motd Unauthorized access and use of this network/device will be prosecuted.
Cryptochecksum:24558cdd86e7726fc9cc5e299b277a8c
: end

-- vreyesii
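The two questions in this thread (can PPTP be forwarded to an inside server, and why can VPN clients reach some LAN hosts but not the PIX itself) are both things you can check statically against a "show run" dump before touching the box. The script below is an added example, not code from the thread or from Cisco. It encodes Brian V's rule from above (PPTP needs TCP 1723 plus GRE, and GRE has no port numbers, so a tcp port-redirect static cannot carry it; either use a one-to-one static or terminate PPTP on the PIX with vpdn), and it compares the "ip local pool" range against the "ssh <net> <mask> <interface>" lines that govern who may open an SSH session to the PIX. The two embedded configs are constructed subsets of the two posted configs. The one assumption made here is that PPTP clients terminated by the PIX are evaluated against the ssh allow-list on the interface their packets arrive on (the interface named in "vpdn enable").

```python
"""Static checks on a Cisco PIX 6.3 'show run' for remote-access PPTP.

Added example for this thread, not the thread's own code.  The configs below
are constructed subsets of the two posted configs.
"""
import ipaddress

PPTP_PORTS = {"pptp", "1723"}

# Constructed: lines from the first posted config relevant to the checks.
FIRST_CONFIG = """\
: Saved
access-list allow_inbound permit tcp any interface outside eq pptp
access-list allow_inbound permit gre any interface outside
ip local pool ippool 10.1.2.1-10.1.2.254
global (outside) 1 interface
static (inside,outside) tcp interface pptp 10.1.1.23 pptp netmask 255.255.255.255 0 0
static (inside,outside) B.X.X.236 10.1.1.7 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 60
: end
"""

# Constructed: lines from the second posted config (PPTP now on the PIX).
SECOND_CONFIG = """\
: Saved
access-list allow_inbound permit gre any interface outside
ip local pool ippool 10.1.2.1-10.1.2.254
access-group allow_inbound in interface outside
sysopt connection permit-pptp
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
vpdn group 1 accept dialin pptp
vpdn enable outside
: end
"""


def parse(text):
    """Command lines of a 'show run' dump, minus blanks and ': Saved' / ': end' markers."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(":")]


def inbound_acls(lines, iface):
    """Names of access-lists bound with 'access-group <name> in interface <iface>'."""
    return {t[1] for t in (ln.split() for ln in lines)
            if t[0] == "access-group" and len(t) == 5 and t[2] == "in" and t[4] == iface}


def acl_permits(lines, name, proto, ports=None):
    """True if access-list <name> permits <proto> (with 'eq <port>' in ports, when given)."""
    for t in (ln.split() for ln in lines):
        if t[:4] != ["access-list", name, "permit", proto]:
            continue
        if ports is None or ("eq" in t and t[t.index("eq") + 1] in ports):
            return True
    return False


def pptp_check(text, outside="outside"):
    """Classify how PPTP is exposed and whether the GRE leg can follow the TCP 1723 leg."""
    lines = parse(text)
    acls = inbound_acls(lines, outside)
    tcp1723 = any(acl_permits(lines, n, "tcp", PPTP_PORTS) for n in acls)
    gre = any(acl_permits(lines, n, "gre") for n in acls)
    statics = [ln.split() for ln in lines if ln.startswith("static (")]
    # 'static (in,out) tcp interface pptp <host> pptp ...' is a port-redirect (PAT).
    redirect_hosts = {t[5] for t in statics if t[2] == "tcp" and t[4] in PPTP_PORTS}
    # 'static (in,out) <global> <local> netmask ...' is a one-to-one NAT.
    one_to_one_hosts = {t[3] for t in statics if t[2] not in ("tcp", "udp")}
    pix_terminated = (f"vpdn enable {outside}" in lines and any(
        ln.startswith("vpdn group") and ln.endswith("accept dialin pptp") for ln in lines))
    findings = []
    if pix_terminated:
        mode = "pix-terminated"
        ok = "sysopt connection permit-pptp" in lines or (tcp1723 and gre)
        if not ok:
            findings.append("vpdn enabled, but neither 'sysopt connection permit-pptp' "
                            "nor ACL permits for tcp 1723 and gre are present")
    elif redirect_hosts - one_to_one_hosts:
        mode, ok = "port-redirect", False
        findings.append(f"PPTP server {sorted(redirect_hosts - one_to_one_hosts)} is reachable "
                        "only through a tcp port-redirect static; GRE cannot be PAT'd, so use a "
                        "one-to-one static or terminate PPTP on the PIX")
    elif one_to_one_hosts:
        mode, ok = "one-to-one", tcp1723 and gre
        findings += [m for cond, m in ((tcp1723, "no inbound permit for tcp 1723"),
                                       (gre, "no inbound permit for gre")) if not cond]
    else:
        mode, ok = "none", False
        findings.append("no static or vpdn exposes a PPTP server")
    return {"mode": mode, "ok": ok, "tcp1723": tcp1723, "gre": gre, "findings": findings}


def pool_may_ssh(text, pool="ippool", arrive_if="outside"):
    """Is every address of the named pool allowed by an 'ssh <net> <mask> <arrive_if>' line?
    Assumption: PIX-terminated VPN clients are checked on the interface they arrive on."""
    lines = parse(text)
    lo = hi = None
    for t in (ln.split() for ln in lines):
        if t[:3] == ["ip", "local", "pool"] and t[3] == pool:
            lo, hi = (ipaddress.ip_address(a) for a in t[4].split("-"))
    if lo is None:
        raise ValueError(f"no 'ip local pool {pool}' in config")
    allowed = [ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
               for t in (ln.split() for ln in lines)
               if t[0] == "ssh" and len(t) == 4 and t[3] == arrive_if]
    uncovered = [a for a in range(int(lo), int(hi) + 1)
                 if not any(ipaddress.ip_address(a) in n for n in allowed)]
    return {"covered": not uncovered, "allowed": [str(n) for n in allowed],
            "uncovered_count": len(uncovered)}


if __name__ == "__main__":
    for label, cfg in (("first", FIRST_CONFIG), ("second", SECOND_CONFIG)):
        print(label, pptp_check(cfg))
        print(label, pool_may_ssh(cfg))
```

Run against the first subset the checker reports mode "port-redirect" with both ACL permits present, which is exactly the situation Brian V objected to; against the second it reports "pix-terminated" and ok. The SSH check on the second subset finds no "ssh ... outside" entry covering 10.1.2.1-10.1.2.254, so SSH to the PIX from a VPN client would be refused at the allow-list before authentication even starts; whether that also explains the AIX box is a host-side question this static check cannot answer.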


Config looks fine. Can you ping the server?

-- Brian V
