- Posts: 7
- Thank you received: 0
Need Help - First Time VPN Setup On Pix 501
17 years 7 months ago - 10 years 6 months ago #20788
by tonyr
Need Help - First Time VPN Setup On Pix 501 was created by tonyr
Having problem getting my VPN setup correctly on my Pix 501.
I can connect with the Cisco VPN Client but cannot access any of the servers on the internal network. (I'm trying this from the inside interface first.) See below for config.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.141 EDI
name xxx.xxx.xxx.xxx company205
name xxx.xxx.xxx.xxx company
name xxx.xxx.xxx.xxx company29
name xxx.xxx.xxx.xxx company28
name xxx.xxx.xxx.xxx company27
name xxx.xxx.xxx.xxx company26
object-group network companyAS2
description company AS2 Servers
network-object company255.255.255.255
network-object company205 255.255.255.255
network-object company26 255.255.255.255
network-object company27 255.255.255.255
network-object company28 255.255.255.255
network-object company29 255.255.255.255
access-list outside_in permit tcp any host 74.xxx.xxx.xxx eq 3389
access-list outside_in permit tcp object-group companyAS2 host 74.xxx.xxx.xxx
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 74.xxx.xxx.162 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ipvpn 10.0.0.20-10.0.0.29 mask 255.255.255.0
pdm location 10.0.0.10 255.255.255.255 inside
pdm location 74.xxx.xxx.162 255.255.255.255 inside
pdm location EDI 255.255.255.255 inside
pdm location company255.255.255.255 outside
pdm location company205 255.255.255.255 outside
pdm location company26 255.255.255.255 outside
pdm location company27 255.255.255.255 outside
pdm location company28 255.255.255.255 outside
pdm location company29 255.255.255.255 outside
pdm location 74.xxx.xxx.163 255.255.255.255 outside
pdm location 10.0.0.0 255.255.255.192 inside
pdm group companyAS2 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.0.0.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) 74.xxx.xxx.163 EDI netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.xxx.xxx.161 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
isakmp enable outside
isakmp enable inside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpnin address-pool ipvpn
vpngroup vpnin dns-server 10.0.0.10
vpngroup vpnin wins-server 10.0.0.10
vpngroup vpnin idle-time 1800
vpngroup vpnin password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:993646ac2986d991970e32f9934f9d7a
: end
[OK]
I can connect with the Cisco VPN Client but cannot access any of the servers on the internal network. (I'm trying this from the inside interface first.) See below for config.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.141 EDI
name xxx.xxx.xxx.xxx company205
name xxx.xxx.xxx.xxx company
name xxx.xxx.xxx.xxx company29
name xxx.xxx.xxx.xxx company28
name xxx.xxx.xxx.xxx company27
name xxx.xxx.xxx.xxx company26
object-group network companyAS2
description company AS2 Servers
network-object company255.255.255.255
network-object company205 255.255.255.255
network-object company26 255.255.255.255
network-object company27 255.255.255.255
network-object company28 255.255.255.255
network-object company29 255.255.255.255
access-list outside_in permit tcp any host 74.xxx.xxx.xxx eq 3389
access-list outside_in permit tcp object-group companyAS2 host 74.xxx.xxx.xxx
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 74.xxx.xxx.162 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ipvpn 10.0.0.20-10.0.0.29 mask 255.255.255.0
pdm location 10.0.0.10 255.255.255.255 inside
pdm location 74.xxx.xxx.162 255.255.255.255 inside
pdm location EDI 255.255.255.255 inside
pdm location company255.255.255.255 outside
pdm location company205 255.255.255.255 outside
pdm location company26 255.255.255.255 outside
pdm location company27 255.255.255.255 outside
pdm location company28 255.255.255.255 outside
pdm location company29 255.255.255.255 outside
pdm location 74.xxx.xxx.163 255.255.255.255 outside
pdm location 10.0.0.0 255.255.255.192 inside
pdm group companyAS2 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.0.0.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) 74.xxx.xxx.163 EDI netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.xxx.xxx.161 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
isakmp enable outside
isakmp enable inside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpnin address-pool ipvpn
vpngroup vpnin dns-server 10.0.0.10
vpngroup vpnin wins-server 10.0.0.10
vpngroup vpnin idle-time 1800
vpngroup vpnin password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:993646ac2986d991970e32f9934f9d7a
: end
[OK]
Last edit: 10 years 6 months ago by Chris.
- FiercePowahs
- Offline
- Junior Member
Less
More
- Posts: 37
- Thank you received: 0
17 years 7 months ago #20897
by FiercePowahs
Replied by FiercePowahs on topic Re: Need Help - First Time VPN Setup On Pix 501
you have to allow your ip local pool to access your network via an access list.
Your local pool:
ip local pool ipvpn 10.0.0.20-10.0.0.29 mask 255.255.255.0
Example access-list which will give that pool access to your network:
access-list NoNAT permit ip 10.0.0.0 255.255.255.0 10.0.0.20 255.255.255.240
Then if you didn't want those connections to be NAT'd then you could add:
nat (inside) 0 access-list NoNAT
Your local pool:
ip local pool ipvpn 10.0.0.20-10.0.0.29 mask 255.255.255.0
Example access-list which will give that pool access to your network:
access-list NoNAT permit ip 10.0.0.0 255.255.255.0 10.0.0.20 255.255.255.240
Then if you didn't want those connections to be NAT'd then you could add:
nat (inside) 0 access-list NoNAT
17 years 7 months ago - 10 years 6 months ago #20976
by tonyr
Replied by tonyr on topic Still Have Same Problem. Can't access internal network.
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.141 EDI
name 161.165.202.25 company205
name 161.165.202.24 company
name 161.165.202.29 company29
name 161.165.202.28 company28
name 161.165.202.27 company27
name 161.165.202.26 company26
object-group network companyAS2
description companyAS2 Servers
network-object company255.255.255.255
network-object company205 255.255.255.255
network-object company26 255.255.255.255
network-object company27 255.255.255.255
network-object company28 255.255.255.255
network-object company29 255.255.255.255
access-list outside_in permit tcp any host 74.xxx.xxx.162 eq 3389
access-list outside_in permit tcp object-group companyAS2 host 74.xxx.xxx.163
access-list outside_in permit ip 10.0.1.0 255.255.255.224 any
access-list inside_outbound_nat0_acl permit ip any 10.0.1.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.0.1.0 255.255.255.224
access-list inside_cryptomap_dyn_20 permit ip any 10.0.1.0 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 74.xxx.xxx.162 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnip 10.0.1.10-10.0.1.19 mask 255.255.255.0
pdm location 10.0.0.10 255.255.255.255 inside
pdm location 74.xxx.xxx.162 255.255.255.255 inside
pdm location EDI 255.255.255.255 inside
pdm location company255.255.255.255 outside
pdm location company205 255.255.255.255 outside
pdm location company26 255.255.255.255 outside
pdm location company27 255.255.255.255 outside
pdm location company28 255.255.255.255 outside
pdm location company29 255.255.255.255 outside
pdm location 74.xxx.xxx.163 255.255.255.255 outside
pdm location 10.0.0.0 255.255.255.192 inside
pdm location 10.0.1.0 255.255.255.224 outside
pdm group companyAS2 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.0.0.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) 74.xxx.xxx.163 EDI netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.xxx.xxx.161 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map inside_dyn_map 20 match address inside_cryptomap_dyn_20
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
isakmp enable outside
isakmp enable inside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpnext address-pool vpnip
vpngroup vpnext idle-time 1800
vpngroup vpnext password ********
vpngroup vpnin address-pool vpnip
vpngroup vpnin idle-time 1800
vpngroup vpnin password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:c431e795458b73d17a2776d6840d430d
: end
[OK]
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.141 EDI
name 161.165.202.25 company205
name 161.165.202.24 company
name 161.165.202.29 company29
name 161.165.202.28 company28
name 161.165.202.27 company27
name 161.165.202.26 company26
object-group network companyAS2
description companyAS2 Servers
network-object company255.255.255.255
network-object company205 255.255.255.255
network-object company26 255.255.255.255
network-object company27 255.255.255.255
network-object company28 255.255.255.255
network-object company29 255.255.255.255
access-list outside_in permit tcp any host 74.xxx.xxx.162 eq 3389
access-list outside_in permit tcp object-group companyAS2 host 74.xxx.xxx.163
access-list outside_in permit ip 10.0.1.0 255.255.255.224 any
access-list inside_outbound_nat0_acl permit ip any 10.0.1.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.0.1.0 255.255.255.224
access-list inside_cryptomap_dyn_20 permit ip any 10.0.1.0 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 74.xxx.xxx.162 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnip 10.0.1.10-10.0.1.19 mask 255.255.255.0
pdm location 10.0.0.10 255.255.255.255 inside
pdm location 74.xxx.xxx.162 255.255.255.255 inside
pdm location EDI 255.255.255.255 inside
pdm location company255.255.255.255 outside
pdm location company205 255.255.255.255 outside
pdm location company26 255.255.255.255 outside
pdm location company27 255.255.255.255 outside
pdm location company28 255.255.255.255 outside
pdm location company29 255.255.255.255 outside
pdm location 74.xxx.xxx.163 255.255.255.255 outside
pdm location 10.0.0.0 255.255.255.192 inside
pdm location 10.0.1.0 255.255.255.224 outside
pdm group companyAS2 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.0.0.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) 74.xxx.xxx.163 EDI netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.xxx.xxx.161 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map inside_dyn_map 20 match address inside_cryptomap_dyn_20
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
isakmp enable outside
isakmp enable inside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpnext address-pool vpnip
vpngroup vpnext idle-time 1800
vpngroup vpnext password ********
vpngroup vpnin address-pool vpnip
vpngroup vpnin idle-time 1800
vpngroup vpnin password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:c431e795458b73d17a2776d6840d430d
: end
[OK]
Last edit: 10 years 6 months ago by Chris.
17 years 7 months ago #20977
by tonyr
Replied by tonyr on topic Re: Need Help - First Time VPN Setup On Pix 501
Please look at above configuration. Made changes but still no luck accessing internal network. Any help is appreciated.
17 years 4 months ago #22486
by Bikramjit
Replied by Bikramjit on topic Re: Need Help - First Time VPN Setup On Pix 501
Apply the following commands:
no crypto dynamic-map inside_dyn_map 20 match address inside_cryptomap_dyn_20
no crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
no access-list inside_outbound_nat0_acl permit ip any 10.0.1.0 255.255.255.224
no isakmp enable inside
isakmp identity address
crypto isakmp nat-t 20
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.224
access-list splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.224
vpngroup vpnext split-tunnel splitTunnelAcl
Try to avoid PDM for the configuration. Use CLI prompt..
no crypto dynamic-map inside_dyn_map 20 match address inside_cryptomap_dyn_20
no crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
no access-list inside_outbound_nat0_acl permit ip any 10.0.1.0 255.255.255.224
no isakmp enable inside
isakmp identity address
crypto isakmp nat-t 20
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.224
access-list splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.224
vpngroup vpnext split-tunnel splitTunnelAcl
Try to avoid PDM for the configuration. Use CLI prompt..
Time to create page: 0.129 seconds