Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Local Lan Routes PIX 506E
- Thread starter mlarsson
- Start date
- Thread starter
- #3
Here is the config. My first time setting up a PIX.
Thx /M
show conf
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *************** encrypted
passwd **********.***** encrypted
hostname 00298-1
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list nonat permit ip 10.106.132.0 255.255.252.0 192.168.10.0 255.255.255.0
access-list 100 permit tcp any eq 443 any eq 443
access-list 100 permit tcp any eq eq www
access-list 100 permit tcp any eq 52 any eq 52
access-list 100 permit udp any eq 52 any eq 52
access-list 100 permit tcp any eq 22 any eq 22
access-list 100 permit tcp any eq 431 any eq 431
access-list 100 permit udp any eq 431 any eq 431
access-list 100 permit tcp any eq pop3 any eq pop3
access-list 100 permit udp any any
access-list 100 permit tcp any any
access-list 100 permit icmp any any
access-list 100 permit icmp any any echo-reply
access-list 100 deny tcp any any range 1 ftp
access-list 100 deny tcp any any range 24 finger
access-list 100 deny tcp any any range 81 pop2
access-list 100 deny tcp any any range sunrpc nntp
access-list 100 deny tcp any any range 121 430
access-list 100 deny tcp any any range 432 442
access-list 100 deny tcp any any range 444 20000
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 202.211.224.23 255.255.255.0
ip address inside 10.106.132.11 255.255.252.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm drop
ip local pool ippool 192.168.10.10-192.168.10.15
pdm location 10.106.132.1 255.255.255.255 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface inside
route outside 0.0.0.0 0.0.0.0 215.213.225.1 1
route inside 10.0.0.0 255.0.0.0 10.106.132.1 1
route inside 192.168.0.0 255.255.0.0 10.106.132.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
url-cache dst 64KB
http server enable
http 10.106.132.13 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnclient
crypto dynamic-map dynmap 20 set transform-set vpnclient
crypto dynamic-map dynmap 30 set transform-set vpnclient
crypto map vpn 20 ipsec-isakmp dynamic dynmap
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local ippool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup myname address-pool ippool
vpngroup myname dns-server 10.106.30.10
vpngroup myname wins-server 10.106.132.31
vpngroup myname default-domain mydomain.com
vpngroup myname split-tunnel nonat
vpngroup myname idle-time 1800
vpngroup myname password ********
telnet 10.106.132.1 255.255.255.255 inside
telnet 10.106.132.31 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:********************************
00298-1#
Thx /M
show conf
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *************** encrypted
passwd **********.***** encrypted
hostname 00298-1
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list nonat permit ip 10.106.132.0 255.255.252.0 192.168.10.0 255.255.255.0
access-list 100 permit tcp any eq 443 any eq 443
access-list 100 permit tcp any eq eq www
access-list 100 permit tcp any eq 52 any eq 52
access-list 100 permit udp any eq 52 any eq 52
access-list 100 permit tcp any eq 22 any eq 22
access-list 100 permit tcp any eq 431 any eq 431
access-list 100 permit udp any eq 431 any eq 431
access-list 100 permit tcp any eq pop3 any eq pop3
access-list 100 permit udp any any
access-list 100 permit tcp any any
access-list 100 permit icmp any any
access-list 100 permit icmp any any echo-reply
access-list 100 deny tcp any any range 1 ftp
access-list 100 deny tcp any any range 24 finger
access-list 100 deny tcp any any range 81 pop2
access-list 100 deny tcp any any range sunrpc nntp
access-list 100 deny tcp any any range 121 430
access-list 100 deny tcp any any range 432 442
access-list 100 deny tcp any any range 444 20000
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 202.211.224.23 255.255.255.0
ip address inside 10.106.132.11 255.255.252.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm drop
ip local pool ippool 192.168.10.10-192.168.10.15
pdm location 10.106.132.1 255.255.255.255 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface inside
route outside 0.0.0.0 0.0.0.0 215.213.225.1 1
route inside 10.0.0.0 255.0.0.0 10.106.132.1 1
route inside 192.168.0.0 255.255.0.0 10.106.132.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
url-cache dst 64KB
http server enable
http 10.106.132.13 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnclient
crypto dynamic-map dynmap 20 set transform-set vpnclient
crypto dynamic-map dynmap 30 set transform-set vpnclient
crypto map vpn 20 ipsec-isakmp dynamic dynmap
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local ippool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup myname address-pool ippool
vpngroup myname dns-server 10.106.30.10
vpngroup myname wins-server 10.106.132.31
vpngroup myname default-domain mydomain.com
vpngroup myname split-tunnel nonat
vpngroup myname idle-time 1800
vpngroup myname password ********
telnet 10.106.132.1 255.255.255.255 inside
telnet 10.106.132.31 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:********************************
00298-1#
HI.
> can not see my server
What do you mean?
What did you try (EXACTLY)? What did you get?
I don't know what causes the problem, but here are some troubleshooting tips:
* Use syslog message.
* Maybe the problem is a firewall/nat device at the client side.
Try to connect using Ethernet (a client directly connected to pix outside) and/or using analog dial-up modem instead of ADSL.
Make sure that the VPN client does not have any software/hardware firewall that might be blocking the ESP traffic. Not even Windows XP built in ICF!
If this is the issue, you can consider upgrading the pix OS to version 6.3 that supports NAT-Traversal.
* Use the "Event Viewer" at the VPN client side and some "debug" commands at the pix to get more info.
* Try to generate a sample config using pixcript, and compare it to yours:
* And again, use syslog message.
Good luck.
Yizhar Hurwitz
> can not see my server
What do you mean?
What did you try (EXACTLY)? What did you get?
I don't know what causes the problem, but here are some troubleshooting tips:
* Use syslog message.
* Maybe the problem is a firewall/nat device at the client side.
Try to connect using Ethernet (a client directly connected to pix outside) and/or using analog dial-up modem instead of ADSL.
Make sure that the VPN client does not have any software/hardware firewall that might be blocking the ESP traffic. Not even Windows XP built in ICF!
If this is the issue, you can consider upgrading the pix OS to version 6.3 that supports NAT-Traversal.
* Use the "Event Viewer" at the VPN client side and some "debug" commands at the pix to get more info.
* Try to generate a sample config using pixcript, and compare it to yours:
* And again, use syslog message.
Good luck.
Yizhar Hurwitz
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question