Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
PIX gets errors when I try to VPN from inside to another network
- Thread starter ForumKid
- Start date
I'm in this same boat. I have gone through almost exactly the same frustrations that ForumKid has gone through and come to the same understanding. I have a PIX 520 and also need the image for 6.3. Can someone send that to me as well??? Thx. aharper@escient.com
- Thread starter
- #22
I have done this now:
access-list acl_out permit gre host <pptp server> host <public static IP that is available in our block (not outside int. address)>
static (inside,outside) <public static IP that is available in our block (not outside int. address)> 192.168.1.50 netmask 255.255.255.255 0 0
I can connect to the PPTP server. But it just hangs on verifiying password. No syslog errors. No nothing..
access-list acl_out permit gre host <pptp server> host <public static IP that is available in our block (not outside int. address)>
static (inside,outside) <public static IP that is available in our block (not outside int. address)> 192.168.1.50 netmask 255.255.255.255 0 0
I can connect to the PPTP server. But it just hangs on verifiying password. No syslog errors. No nothing..
This public outside address available in your block - is it on the outside range of THE PIX (NOT the router)?
Can you please post something with ip addresses in it, just change one of the octets or something, so we can see if you're using public ip addresses, private ip addresses or what.
Please post the outside ip of your pix, and the interface addresses of your router, they don't have to be the ACTUAL addresses, just something we can figure out what you're doing.
eg,
if the outside address of your pix is 62.25.50.15, just post something like 62.25.40.15 instead
At the moment it's really unclear what ip you're using
You can obtain the latest image for the pix by contacting cisco and buying it, or if you have Smartnet on your cisco device you can download it.
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP
Can you please post something with ip addresses in it, just change one of the octets or something, so we can see if you're using public ip addresses, private ip addresses or what.
Please post the outside ip of your pix, and the interface addresses of your router, they don't have to be the ACTUAL addresses, just something we can figure out what you're doing.
eg,
if the outside address of your pix is 62.25.50.15, just post something like 62.25.40.15 instead
At the moment it's really unclear what ip you're using
You can obtain the latest image for the pix by contacting cisco and buying it, or if you have Smartnet on your cisco device you can download it.
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP
- Thread starter
- #24
OK. It public outside address that I am using is just an available static IP address that is in my block of static IPs from my ISP.
Here is my config using IP's as you have suggested.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 dmz2 security9
enable password xxx encrypted
passwd xxx encrypted
hostname pixfirewall
domain-name XXX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_out permit tcp any host 65.198.124.69 eq www
access-list acl_out permit tcp any host 65.198.124.70 eq smtp
access-list acl_out permit tcp any host 65.198.124.69 eq 443
access-list acl-out permit gre host <pptp server> host 65.198.124.68
access-list in_out permit ip any any
access-list dmz2_out permit tcp host 192.168.3.2 any eq smtp
access-list dmz2_out permit tcp host 192.168.3.2 any eq ident
access-list dmz1_out permit tcp host 192.168.2.2 host 192.168.3.2 eq smtp
pager lines 24
logging on
logging trap warnings
logging history warnings
logging host inside 192.168.1.8
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
icmp deny any echo-reply outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
ip address outside 65.198.124.66 255.255.255.0
ip address inside 192.168.1.200 255.255.255.0
ip address dmz1 192.168.2.200 255.255.255.0
ip address dmz2 192.168.3.200 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz1
ip verify reverse-path interface dmz2
ip audit name attack1 info action alarm drop reset
ip audit interface outside attack1
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
failover ip address dmz2 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (dmz1,outside) 65.198.124.69 192.168.2.2 netmask 255.255.255.255 0 0
static (dmz2,outside) 65.198.124.70 192.168.3.2 netmask 255.255.255.255 0 0
static (inside,dmz2) 192.168.1.2 192.168.1.2 netmask 255.255.255.255 0 0
static (dmz1,dmz2) 192.168.2.2 192.168.2.2 netmask 255.255.255.255 0 0
static (inside,dmz1) 192.168.1.7 192.168.1.7 netmask 255.255.255.255 0 0
static (inside,dmz1) 192.168.1.8 192.168.1.8 netmask 255.255.255.255 0 0
static (inside,dmz2) 192.168.1.8 192.168.1.8 netmask 255.255.255.255 0 0
static (inside,dmz1) 192.168.1.2 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 65.198.124.68 192.168.1.50 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group in_out in interface inside
access-group dmz1_out in interface dmz1
access-group dmz2_out in interface dmz2
route outside 0.0.0.0 0.0.0.0 65.198.124.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
filter java 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
telnet timeout 60
ssh 192.168.1.2 255.255.255.255 inside
ssh timeout 60
terminal width 80
Here is my config using IP's as you have suggested.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 dmz2 security9
enable password xxx encrypted
passwd xxx encrypted
hostname pixfirewall
domain-name XXX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_out permit tcp any host 65.198.124.69 eq www
access-list acl_out permit tcp any host 65.198.124.70 eq smtp
access-list acl_out permit tcp any host 65.198.124.69 eq 443
access-list acl-out permit gre host <pptp server> host 65.198.124.68
access-list in_out permit ip any any
access-list dmz2_out permit tcp host 192.168.3.2 any eq smtp
access-list dmz2_out permit tcp host 192.168.3.2 any eq ident
access-list dmz1_out permit tcp host 192.168.2.2 host 192.168.3.2 eq smtp
pager lines 24
logging on
logging trap warnings
logging history warnings
logging host inside 192.168.1.8
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
icmp deny any echo-reply outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
ip address outside 65.198.124.66 255.255.255.0
ip address inside 192.168.1.200 255.255.255.0
ip address dmz1 192.168.2.200 255.255.255.0
ip address dmz2 192.168.3.200 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz1
ip verify reverse-path interface dmz2
ip audit name attack1 info action alarm drop reset
ip audit interface outside attack1
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
failover ip address dmz2 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (dmz1,outside) 65.198.124.69 192.168.2.2 netmask 255.255.255.255 0 0
static (dmz2,outside) 65.198.124.70 192.168.3.2 netmask 255.255.255.255 0 0
static (inside,dmz2) 192.168.1.2 192.168.1.2 netmask 255.255.255.255 0 0
static (dmz1,dmz2) 192.168.2.2 192.168.2.2 netmask 255.255.255.255 0 0
static (inside,dmz1) 192.168.1.7 192.168.1.7 netmask 255.255.255.255 0 0
static (inside,dmz1) 192.168.1.8 192.168.1.8 netmask 255.255.255.255 0 0
static (inside,dmz2) 192.168.1.8 192.168.1.8 netmask 255.255.255.255 0 0
static (inside,dmz1) 192.168.1.2 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 65.198.124.68 192.168.1.50 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group in_out in interface inside
access-group dmz1_out in interface dmz1
access-group dmz2_out in interface dmz2
route outside 0.0.0.0 0.0.0.0 65.198.124.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
filter java 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
telnet timeout 60
ssh 192.168.1.2 255.255.255.255 inside
ssh timeout 60
terminal width 80
- Thread starter
- #25
FYI: This is my router access-list. NOt sure if that is causing any issues.....
access-list 1 deny any
access-list 101 deny ip 65.198.124.64 0.0.0.7 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 65.198.124.65
access-list 101 permit icmp any 65.198.124.64 0.0.0.7 echo-reply
access-list 101 permit tcp any any established
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq www
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq 443
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq smtp
access-list 101 permit udp any eq domain any
access-list 1 deny any
access-list 101 deny ip 65.198.124.64 0.0.0.7 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 65.198.124.65
access-list 101 permit icmp any 65.198.124.64 0.0.0.7 echo-reply
access-list 101 permit tcp any any established
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq www
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq 443
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq smtp
access-list 101 permit udp any eq domain any
Your router has access lists on it ... right - you know that access lists deny everything that's not explicitly allowed? Can you see a rule on the router allowing GRE traffic?
I'm assuming the router is ip-unnumbered, but maybe I'm wrong to make assumptions ... Any danger of you posting the router config?
This is like a jigsaw puzzle where you get given a piece a day
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP
I'm assuming the router is ip-unnumbered, but maybe I'm wrong to make assumptions ... Any danger of you posting the router config?
This is like a jigsaw puzzle where you get given a piece a day
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP
Hi Chicocuk,
I was admired by you trying to help ForumKid with his config.. I was wondering if I may send you my config and question concerning a PIX 501/VPN issue.. I already posted it on this forum but haven't heard back from anyone yet.. Just let me know if thats ok.. i also have the full config on the post I sent..
thx
gman![[morning]](/data/assets/smilies/morning.gif "[morning] [morning]")
I was admired by you trying to help ForumKid with his config.. I was wondering if I may send you my config and question concerning a PIX 501/VPN issue.. I already posted it on this forum but haven't heard back from anyone yet.. Just let me know if thats ok.. i also have the full config on the post I sent..
thx
gman
Hey Chicocouk-
I wish I had a way to email you directly with this post but here goes anyway..
I had this PIX deployed at customer site which was configured by someone that doesn't work here anymore.. I'd like certain people including myself to be able to VPN to it from our remote office.. I will post the config and am wondering what I need to edit in order for this functionality to happen. It doesn't look like there is an outside address configured on the PIX so my VPN client needs an outside address interface (entry) to be inputted.. Also, this PIX is sitting behind a cable modem where addresses are probably assigned via DHCP from what I gather. Well, here's the config, if anyone can shed some light, that would be great!
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 4.hz0DbMxoBv3gTr encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname NSUHPIX501
domain-name CANSUH.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 10.0.0.144 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.144 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool NSUHAdminsPool 10.0.0.151-10.0.0.155
pdm location 24.46.16.0 255.255.240.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 24.46.16.0 255.255.240.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup NSUHAdmins address-pool NSUHAdminsPool
vpngroup NSUHAdmins idle-time 1800
vpngroup NSUHAdmins password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:477fea9b79bc2365b88b40548f5fb962
: end
[OK]
thx again!
gman
I wish I had a way to email you directly with this post but here goes anyway..
I had this PIX deployed at customer site which was configured by someone that doesn't work here anymore.. I'd like certain people including myself to be able to VPN to it from our remote office.. I will post the config and am wondering what I need to edit in order for this functionality to happen. It doesn't look like there is an outside address configured on the PIX so my VPN client needs an outside address interface (entry) to be inputted.. Also, this PIX is sitting behind a cable modem where addresses are probably assigned via DHCP from what I gather. Well, here's the config, if anyone can shed some light, that would be great!
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 4.hz0DbMxoBv3gTr encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname NSUHPIX501
domain-name CANSUH.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 10.0.0.144 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.144 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool NSUHAdminsPool 10.0.0.151-10.0.0.155
pdm location 24.46.16.0 255.255.240.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 24.46.16.0 255.255.240.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup NSUHAdmins address-pool NSUHAdminsPool
vpngroup NSUHAdmins idle-time 1800
vpngroup NSUHAdmins password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:477fea9b79bc2365b88b40548f5fb962
: end
[OK]
thx again!
gman
- Thread starter
- #29
Yes I understand and sorry for dragging this out. I do not have an explicit acl for allowing gre traffic into my router.
Here is my router config if it helps.
Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname xxx
!
enable password xxx
!
!
!
!
!
ip subnet-zero
no ip finger
ip domain-name xxx.NET
ip name-server xxx.xxx.xxx.xxx
!
no ip bootp server
!
!
!
interface FastEthernet0/0
description To Office FastEthernet
ip address 65.198.124.65 255.255.255.248
duplex auto
speed auto
!
interface Serial0/0
description To xxx
bandwidth 1536
no ip address
encapsulation frame-relay IETF
no fair-queue
service-module t1 clock source internal
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
bandwidth 1536
ip unnumbered FastEthernet0/0
ip access-group 101 in
frame-relay interface-dlci 500 IETF
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
access-list 1 deny any
access-list 101 deny ip 65.198.124.64 0.0.0.7 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 65.198.124.65
access-list 101 permit icmp any 65.198.124.64 0.0.0.7 echo-reply
access-list 101 permit tcp any any established
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq www
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq 443
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq smtp
access-list 101 permit udp any eq domain any
snmp-server engineID local 0000000902000030854D17C0
snmp-server community 6db68826a3 RO
snmp-server packetsize 2048
snmp-server enable traps snmp
!
!
line con 0
password xxx
login
transport preferred none
transport input none
line aux 0
password xxx
login
modem InOut
transport preferred none
transport input all
transport output pad v120 telnet rlogin udptn
stopbits 1
flowcontrol hardware
line vty 0 4
access-class 1 in
login
transport preferred none
!
no scheduler allocate
end
Here is my router config if it helps.
Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname xxx
!
enable password xxx
!
!
!
!
!
ip subnet-zero
no ip finger
ip domain-name xxx.NET
ip name-server xxx.xxx.xxx.xxx
!
no ip bootp server
!
!
!
interface FastEthernet0/0
description To Office FastEthernet
ip address 65.198.124.65 255.255.255.248
duplex auto
speed auto
!
interface Serial0/0
description To xxx
bandwidth 1536
no ip address
encapsulation frame-relay IETF
no fair-queue
service-module t1 clock source internal
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
bandwidth 1536
ip unnumbered FastEthernet0/0
ip access-group 101 in
frame-relay interface-dlci 500 IETF
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
access-list 1 deny any
access-list 101 deny ip 65.198.124.64 0.0.0.7 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 65.198.124.65
access-list 101 permit icmp any 65.198.124.64 0.0.0.7 echo-reply
access-list 101 permit tcp any any established
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq www
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq 443
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq smtp
access-list 101 permit udp any eq domain any
snmp-server engineID local 0000000902000030854D17C0
snmp-server community 6db68826a3 RO
snmp-server packetsize 2048
snmp-server enable traps snmp
!
!
line con 0
password xxx
login
transport preferred none
transport input none
line aux 0
password xxx
login
modem InOut
transport preferred none
transport input all
transport output pad v120 telnet rlogin udptn
stopbits 1
flowcontrol hardware
line vty 0 4
access-class 1 in
login
transport preferred none
!
no scheduler allocate
end
It sounds like version 6.3 for the PIX 5xx firewall is the best fix for the protocol 47 problem. My effort to download the upgrade from Cisco was unsuccessful. It appears I must be a reseller or Cisco engineer or something to download from their site. Is this correct?
I'm running a 501 and also getting the protocol 47 failure when I attempt to establish a VPN connection through the 501 to another host. I "discovered" I'm running version 6.1(1). It sounds like upgrading to 6.3 is the only solution since, in one case, the IP address of the VPN I'll be trying to connect to is dynamic. Inbound VPN has been working fine.
Brian
I'm running a 501 and also getting the protocol 47 failure when I attempt to establish a VPN connection through the 501 to another host. I "discovered" I'm running version 6.1(1). It sounds like upgrading to 6.3 is the only solution since, in one case, the IP address of the VPN I'll be trying to connect to is dynamic. Inbound VPN has been working fine.
Brian
- Thread starter
- #31
Well adding this to my router access-list fixes the problem
access-list 101 permit gre any any
although this doesnt work
access-list 101 permit gre host <pptp> any
this doesnt work
access-list 101 permit gre any host 65.198.124.64
So as far at the protocol 47 thing, check my pix config. If you set it up like that it will work. But my last question on this topic is why do i have to have my router acl opened to "any any"? That is a risk.
Thanks
access-list 101 permit gre any any
although this doesnt work
access-list 101 permit gre host <pptp> any
this doesnt work
access-list 101 permit gre any host 65.198.124.64
So as far at the protocol 47 thing, check my pix config. If you set it up like that it will work. But my last question on this topic is why do i have to have my router acl opened to "any any"? That is a risk.
Thanks
Okay, I think we're really nearly there mate. Your router is ip-unnumbered, but its acl blocks gre traffic from the pptp server coming back to the pix. I think all you're going to need now is a line like
access-list 101 permit gre host <pptp server> host 65.198.124.68
Where 65.198.124.68 is the static address you used to translate your internal 192.168.1.50 machine.
So your access list on the router ends up looking something like;
access-list 101 deny ip 65.198.124.64 0.0.0.7 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 65.198.124.65
access-list 101 permit icmp any 65.198.124.64 0.0.0.7 echo-reply
access-list 101 permit tcp any any established
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq www
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq 443
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq smtp
access-list 101 permit udp any eq domain any
access-list 101 permit gre host <pptp server> host 65.198.124.68
Also, although it's not relevant to the problem you've got, the subnet mask of your outside interface of the pix is wrong. The line should read
ip address outside 65.198.124.66 255.255.255.248
rather than using 255.255.255.0. This won't affect this problem at all, but I *think* it will mean that your local machines can't reach websites on the 65.198.124.0 range outside of your 65.198.124.64 - .71 range, because the pix will think they're on the same subnet as it's outside address, so it will arp for them, rather than forwarding that traffic to the router. You could easily test that by trying to get to websites on the 65.198.124.0 range.
I *think* this should now work ... but I may have missed something ...
Best of luck!
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP
access-list 101 permit gre host <pptp server> host 65.198.124.68
Where 65.198.124.68 is the static address you used to translate your internal 192.168.1.50 machine.
So your access list on the router ends up looking something like;
access-list 101 deny ip 65.198.124.64 0.0.0.7 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 65.198.124.65
access-list 101 permit icmp any 65.198.124.64 0.0.0.7 echo-reply
access-list 101 permit tcp any any established
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq www
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq 443
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq smtp
access-list 101 permit udp any eq domain any
access-list 101 permit gre host <pptp server> host 65.198.124.68
Also, although it's not relevant to the problem you've got, the subnet mask of your outside interface of the pix is wrong. The line should read
ip address outside 65.198.124.66 255.255.255.248
rather than using 255.255.255.0. This won't affect this problem at all, but I *think* it will mean that your local machines can't reach websites on the 65.198.124.0 range outside of your 65.198.124.64 - .71 range, because the pix will think they're on the same subnet as it's outside address, so it will arp for them, rather than forwarding that traffic to the router. You could easily test that by trying to get to websites on the 65.198.124.0 range.
I *think* this should now work ... but I may have missed something ...
Best of luck!
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP
- Thread starter
- #34
The acl works great. Everything is working excellent now. I however didnt change my subnet of my outside interface. I will run the test that you stated. Although I semi-understand why it should be 255.255.255.248. It makes sense. I will change that off hours just incase that causes an issue.
Thanks again!!!!! I can't thank you enough.
Thanks again!!!!! I can't thank you enough.
Hi Chicocouk,
I know your an ace with VPN concepts and was wondering if you can take a glance at the thread I sent you within this forum.. I didn't know how else to reach you but you'll find my post within this thread afew entires up.. thanks bud! If you have time ofcourse..
gman
I know your an ace with VPN concepts and was wondering if you can take a glance at the thread I sent you within this forum.. I didn't know how else to reach you but you'll find my post within this thread afew entires up.. thanks bud! If you have time ofcourse..
gman
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question