
Adding VPN Concentrator to PIX 515 DMZ


DrGreen26 (MIS, US), Feb 23, 2000
I have a question.

I am in the process of installing a new Cisco VPN 3020 concentrator into my PIX DMZ (perimeter) interface. What I am having problems with is getting the NAT translations to work correctly. Originally my current VPN 3005 resides on its own interface on the pix and I want to free up this port for another use.

What I have is this.

The DMZ subnet is a 192.168.0.X/24

The private interface of the concentrator has been given a 192.168.0.10 ip.

The configured IP addresses that the concentrator will use for clients are 192.168.201.X, 192.168.202.X, 203.X, 204.X, 205.X, etc.

What is happening is the following:

I can connect to the concentrator in the DMZ via the cisco vpn client. When I try to access resources on the internal network I get the following error:

305005: No translation group found for udp src dmz:192.168.202.1/3571 dst inside:10.x.x.x/53

Here are the NATs etc:

The vpndmz is the current port the old concentrator is connected to

global (outside) 1 interface
global (dmz) 1 192.168.0.3
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.195.0 255.255.255.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0

nat (dmz) 1 192.168.0.0 255.255.255.0 0 0
nat (dmz) 1 192.168.202.0 255.255.255.0 0 0

nat (vpndmz) 1 192.168.201.0 255.255.255.0 0 0
nat (vpndmz) 1 192.168.203.0 255.255.255.0 0 0
nat (vpndmz) 1 192.168.204.0 255.255.255.0 0 0
nat (vpndmz) 1 192.168.205.0 255.255.255.0 0 0


static (inside,vpndmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,vpndmz) 192.168.201.0 192.168.201.0 netmask 255.255.255.0 0 0
static (inside,vpndmz) 192.168.203.0 192.168.203.0 netmask 255.255.255.0 0 0
static (inside,vpndmz) 192.168.204.0 192.168.204.0 netmask 255.255.255.0 0 0
static (inside,vpndmz) 192.168.205.0 192.168.205.0 netmask 255.255.255.0 0 0

This is the IP address range that the concentrator will give out to the clients when they log in (192.168.202.0)

static (inside,dmz) 192.168.202.0 10.0.0.0 netmask 255.255.255.0 0 0


I have tried a couple of different variations of NATing to no avail.

Any help would be appreciated.

Mark

Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
Almost forgot, I am moving all the NATs for the VPNDMZ into the DMZ... I am just showing the current working configuration in addition to the changes that I made to install the new concentrator into the DMZ interface.



Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
From your config:

static (inside,dmz) 192.168.202.0 10.0.0.0 netmask 255.255.255.0 0 0

Syslog:

305005: No translation group found for udp src dmz:192.168.202.1/3571 dst inside:10.x.x.x/53

The VPN users are trying to access internal resources at 10.x.x.x but your translation is saying internal resources are seen as 192.168.202.X
You need to modify your translation as follows:

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

And you need an ACL applied to the dmz interface permitting traffic from the VPN pools to the 10.0.0.0 network. Then you need to issue a "clear xlate" command.
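To see why the original static produces the 305005 message and the identity static does not, here is a small model (added here, not from the thread or from Cisco) of how a PIX looks up the destination of a packet that enters on the lower-security dmz interface and is bound for inside. It only models the static lookup; dynamic nat/global, ACLs and routing are left out. The interface names and the two static lines come from the thread; the packet (client 192.168.202.1 sending a DNS query to 10.15.60.251) is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added illustration: simplified PIX 6.x destination lookup for a packet
# arriving on the mapped (lower-security) interface and leaving on the
# real (higher-security) interface. Hostnames and packets are constructed.


@dataclass(frozen=True)
class Static:
    real_if: str                    # interface where the real address lives
    mapped_if: str                  # interface where the mapped address is seen
    mapped: ipaddress.IPv4Network   # block as seen on mapped_if
    real: ipaddress.IPv4Network     # block as it exists on real_if


def parse_static(line: str) -> Static:
    """Parse 'static (real_if,mapped_if) MAPPED REAL netmask MASK [max [emb]]'."""
    t = line.split()
    real_if, mapped_if = t[1].strip("()").split(",")
    mask = t[t.index("netmask") + 1]
    return Static(real_if, mapped_if,
                  ipaddress.IPv4Network(f"{t[2]}/{mask}"),
                  ipaddress.IPv4Network(f"{t[3]}/{mask}"))


def translate_dest(statics, in_if, dst, out_if) -> Optional[ipaddress.IPv4Address]:
    """Destination lookup for a packet entering on in_if (mapped side) and
    bound for out_if (real side). The destination has to fall inside the
    MAPPED block of a static for that interface pair; the real address is
    the same offset into the REAL block. None means no xlate exists."""
    dst = ipaddress.IPv4Address(dst)
    for s in statics:
        if s.mapped_if == in_if and s.real_if == out_if and dst in s.mapped:
            offset = int(dst) - int(s.mapped.network_address)
            return s.real.network_address + offset
    return None


def describe(statics, proto, in_if, src, out_if, dst, dport) -> str:
    """Return a 305005-style message when no static matches, else the mapping."""
    real = translate_dest(statics, in_if, dst, out_if)
    if real is None:
        return (f"305005: No translation group found for {proto} "
                f"src {in_if}:{src} dst {out_if}:{dst}/{dport}")
    return f"{in_if}:{src} -> {out_if}:{real} (static match)"


# The original line: inside 10.0.0.x is *published* on the dmz as
# 192.168.202.x, which is also the VPN client pool.
WRONG = [parse_static("static (inside,dmz) 192.168.202.0 10.0.0.0 netmask 255.255.255.0 0 0")]
# The identity static from the reply, with the /8 mask the poster later
# shows in his working config.
FIXED = [parse_static("static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0")]

if __name__ == "__main__":
    # VPN client 192.168.202.1 sending a DNS query to an inside host (constructed)
    print(describe(WRONG, "udp", "dmz", "192.168.202.1", "inside", "10.15.60.251", 53))
    print(describe(FIXED, "udp", "dmz", "192.168.202.1", "inside", "10.15.60.251", 53))
    # What the wrong static really does: dmz traffic to 192.168.202.5 would
    # be handed to inside host 10.0.0.5, colliding with the client pool.
    print(translate_dest(WRONG, "dmz", "192.168.202.5", "inside"))
```

The first print reproduces the syslog from the original post: with the wrong static, 10.15.60.251 is not inside the mapped block 192.168.202.0/24, so no xlate exists and the packet is dropped. With the identity static the same packet maps to itself and is forwarded, which is the behaviour the reply describes; the ACL and `clear xlate` steps still apply on top of this.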
 
Thanks. As soon as I get into the office in the morning I will give it a try and see what happens. I appreciate your help with this, and now that you pointed it out, I looked a little further and found a matching statement for my vpndmz which needs to be re-duplicated.

Will post an update once I test your solution.

Mark

Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
That worked, I can now access everything on my internal network with no problem.

The last thing I need to do is allow this same subnet to access the Internet, and I am sure this again is another NAT issue. The error that I receive is as follows:

D106015: Deny TCP (no connection) from 192.168.202.X to 10.15.60.251/443 flags FIN PSH ACK on interface DMZ

Again thanks for your help with this..

Mark

Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
I am glad the problem was solved. What you need now is as follows:

nat (dmz) 1 192.168.201.0 255.255.255.0
nat (dmz) 1 192.168.202.0 255.255.255.0
nat (dmz) 1 192.168.203.0 255.255.255.0
. . . .
. . . .
. . . .

global (outside) 1 interface
 
This is what I have:

global (outside) 1 interface
global (dmz) 1 192.168.0.3

nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (dmz) 1 192.168.202.0 255.255.255.0 0 0

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0



Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
You are attempting to access host 10.15.60.251 on SSL, but the PIX is denying the traffic. Check the ACL applied to the DMZ; it should have a similar entry:

access-list <name> permit tcp 192.168.202.0 255.255.255.0 host 10.15.60.251 eq 443
 
You know what's odd, I saw that and it does not make sense as to why my PIX thinks I am trying to access that host. I launched a web browser after connecting to the VPN with the client, and all I wanted to do was go to and the PIX assumed it needed to go to this internal address.

baffled as usual with this one.

Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
Before going to your PC needs to access your internal DNS server, but this is on UDP port 53; I am puzzled by the SSL port though. Can you verify the browser doesn't have a proxy server configured?
 
Yeah, I am not sure why it is doing that. I think my PIX is getting confused on what needs to get where and why.

Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
Do you have your concentrator set up in your DMZ?

Just curious as to how your NAT statements were set up to make everything work.

Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
I have set up various VPN3000s in a DMZ without any problems. I used to manage a VPN3030 and two PIX 525s in a failover configuration, and I did not have any problems accessing the HQ network and the Internet using the VPN client.

I had a NAT for the Internet, static translations for the internal servers, and an ACL permitting the required traffic, say for a mail server:

static (inside,dmz) 10.10.10.10 10.10.10.10 netmask 255.255.255.255

access-list 101 permit tcp 192.168.1.0 255.255.255.0 host 10.10.10.10 eq 25
access-list 101 deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 101 permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list 101 permit tcp 192.168.1.0 255.255.255.0 any eq 21
access-list 101 permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list 101 permit udp 192.168.1.0 255.255.255.0 any eq 53

access-group 101 in interface dmz
route dmz 192.168.1.0 255.255.255.0 <private interface ip address>

192.168.1.0 was the pool assigned to VPN clients. On the VPN 3030 I had a tunnel default gateway pointing to the PIX firewall's DMZ IP address. And that was it, if I remember correctly.

For the syslog you are receiving when attempting to access the Internet:
Deny TCP (no connection) from 192.168.202.X to 10.15.60.251/443 flags FIN PSH ACK on interface DMZ

I suspect your machine is looking for a proxy server configured on that machine; otherwise it makes no sense to me.

Hope it helps!
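The access-list in the post above is evaluated top to bottom, first match wins, with an implicit deny at the end, so the position of the `deny ip ... 10.0.0.0 255.0.0.0` line decides what the VPN pool can reach. The following is an added illustration (not from the thread, not Cisco code) that parses those six entries, with "permit" spelled out, and evaluates a few constructed packets from a pool host 192.168.1.10 against them; 203.0.113.10 is a documentation-range stand-in for an Internet host and 10.10.10.53 a made-up internal DNS server.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added illustration: first-match evaluation of a PIX access-list. The ACL
# text is the one posted above; the packets below are constructed.


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None when the entry has no "eq <port>"


def _addr(t, i):
    """Parse one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (subnet mask)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_ace(line: str) -> Ace:
    t = line.split()
    # t[0]='access-list', t[1]=name, t[2]=permit|deny, t[3]=protocol
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[2], t[3], src, dst, dport)


def evaluate(acl, proto, src, dst, dport) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based line that matched); ('deny', None) is the implicit deny."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(acl, 1):
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


ACL_101 = [parse_ace(l) for l in """
access-list 101 permit tcp 192.168.1.0 255.255.255.0 host 10.10.10.10 eq 25
access-list 101 deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 101 permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list 101 permit tcp 192.168.1.0 255.255.255.0 any eq 21
access-list 101 permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list 101 permit udp 192.168.1.0 255.255.255.0 any eq 53
""".strip().splitlines()]

CLIENT = "192.168.1.10"      # a host from the VPN pool (constructed)
INTERNET = "203.0.113.10"    # documentation-range stand-in for an Internet host
INSIDE_DNS = "10.10.10.53"   # made-up internal DNS server in 10/8

if __name__ == "__main__":
    for proto, dst, port in [("tcp", "10.10.10.10", 25), ("tcp", "10.10.10.10", 443),
                             ("udp", INSIDE_DNS, 53), ("tcp", INTERNET, 443),
                             ("tcp", INTERNET, 22)]:
        print(proto, CLIENT, "->", f"{dst}/{port}", evaluate(ACL_101, proto, CLIENT, dst, port))
```

Two things fall out of running it. Mail to 10.10.10.10 is permitted by line 1 only because that line sits above the deny; the same host on 443 is stopped by line 2 even though line 5 permits 443 to `any`. And a UDP 53 query to an internal DNS server in 10/8 also hits line 2 first, so if the VPN clients resolve names through an inside DNS server, as the earlier reply assumes, that server needs its own `permit udp ... eq 53` entry placed above the deny line.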
 