VPN problems when going thru my PIX 506 to a PIX501 offsite


gman10

Technical User
Jul 20, 2001
Hello all-

I am trying to VPN from my office PIX 506 to a PIX 501 at a customer site. The connection looks successful BUT I can't ping any of the PCs once I'm connected.

Under a different scenario, when I VPN to this customer's PIX 501 from my home, I am able to connect and CAN ping all the PCs I deployed there without problems. My home VPN session is going over a cable modem (straight to the Internet); no PIX is involved at home, just the customer's PIX 501. Is there a special entry needed to allow VPN from a PIX to another PIX? I don't know. Any ideas?

Thanks so much for a great forum.

gman[morning]
 
Is the VPN traffic excluded from NAT on both PIXes, and not blocked by any ACL? Also, the customer wouldn't happen to be using the same IP range as exists on your network, would they?
 
Hi LGarner,

I believe the VPN traffic is excluded and not blocked by any ACLs, and the IP ranges are definitely different between my company and the customer's range. I guess the best way to show you is thru a copy of my config and/or the customer's config? Any other suggestions on what it could be, although it would make sense that these two issues could be causing my dilemma?

thx again
gman[morning]
 
Hello

Sorry I didn't get back to you sooner. A pregnant wife can keep a man very busy! Anyway, how can I tell if VPN traffic is being blocked by an access-list? What port does VPN need to work? Just to refresh your memory, I'm trying to VPN from my PIX internally at my office (T1 connection) to a customer's cable modem connection where there is a PIX 501. The oddest thing: I can actually VPN right through their PIX, BUT what's weird is that I can't ping anything on their 10.0.0.x network. I know these IP addresses are correct. Yet at home, where I have nothing more than a cable modem (no firewall), I'm able to VPN in to this customer and ping all the 10.0.0.x devices. The only difference here is that I'm going thru my office PIX and VPN to their PIX and actually connect. I check the status parameter and can tell how long I've been connected, but can't ping anything! Any clues why this is?? Very strange!

gman[morning]
 
Ah, you're not doing LAN-to-LAN between the PIXes, right? Because you are probably using legacy IPsec on protocol 50/51, which won't work in a PIX PAT configuration by default. You can do 2 things: enable NAT traversal on the 501, or enable the IKE-ESP fixup on your own PIX.

501 : isakmp nat-traversal 30
506 : fixup protocol esp

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Hi Jan-

Thanks for your response. Doing LAN-to-LAN? Well, my PIX 506 VPNs to their PIX 501. I'm inside my Windows 2000 domain VPNing to their 501 thru the cable modem, but they aren't a domain, just a bunch of workgroups. Although I can VPN in, I can't ping anything. I'm truly connected based on my Cisco client statistics: seconds keep counting up and I'm truly connected. From home I VPN to this customer's PIX 501 and can ping all the 10.0.0.x devices, no problem. I'm currently looking at both my config and the customer's config; the 506 (mine) doesn't have an entry for fixup protocol esp, and neither does the 501 have an entry for isakmp nat-traversal 30. You're on to something here, my friend! I'll try either and see what results I get from my office connection. Easier if I just add the fixup protocol esp, since I'll be in the office tomorrow. I'm sure this will do the trick! Have any idea why I can't access host shares? I can ping from home, i.e. ping 10.0.0.x (4 good TTLs), but when I try to access a host's shared drive, i.e. Start/Run - //10.0.0.x/c$, it doesn't see my drive shares.

Anyway, I guess I should handle one thing at a time. I'll let you know how things go and thank you!
gman[morning]
 
Hi all,

Still having a problem. I can VPN in from my office thru my PIX 506 to my customer's PIX 501 but still can't actually ping any device on their 10.0.0.x range. Although, from home, I can VPN in thru the customer's PIX 501 and ping everything. The only difference here is that while sitting at home I don't have a local PIX firewall, just a plain old cable modem. I've pasted a copy of my customer's config file, minus obvious IP addresses of course, if anyone would like to take a stab at it. I'd really appreciate it! :-(

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 79ydhj.qE/V4VR3M encrypted
passwd 79ydhj.qE/V4VR3M encrypted
hostname #######
domain-name ######
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit ip 10.0.0.0 255.255.255.0 any
access-list ping_acl permit icmp any any
access-list from_outside_coming_in permit ip any any
access-list 101 permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list msnet permit udp any host 10.0.0.1 eq netbios-dgm
access-list msnet permit udp any host 10.0.0.1 eq netbios-ns
access-list msnet permit tcp any host 10.0.0.1 eq netbios-ssn
access-list msnet permit tcp any host 10.0.0.1 eq 445
access-list msnet permit tcp any host 10.0.0.2 eq 445
access-list msnet permit tcp any host 10.0.0.2 eq netbios-ssn
access-list msnet permit udp any host 10.0.0.2 eq netbios-dgm
access-list msnet permit udp any host 10.0.0.2 eq netbios-ns
access-list msnet permit tcp any host 10.0.0.3 eq 445
access-list msnet permit tcp any host 10.0.0.3 eq netbios-ssn
access-list msnet permit udp any host 10.0.0.3 eq netbios-dgm
access-list msnet permit udp any host 10.0.0.3 eq netbios-ns
access-list msnet permit tcp any host 10.0.0.31 eq 445
access-list msnet permit tcp any host 10.0.0.31 eq netbios-ssn
access-list msnet permit udp any host 10.0.0.31 eq netbios-ns
access-list msnet permit udp any host 10.0.0.31 eq netbios-dgm
access-list msnet permit tcp any host 10.0.0.33 eq 445
access-list msnet permit udp any host 10.0.0.33 eq netbios-dgm
access-list msnet permit udp any host 10.0.0.33 eq netbios-ns
access-list msnet permit udp any host 10.0.0.35 eq netbios-ns
access-list msnet permit udp any host 10.0.0.35 eq netbios-dgm
access-list msnet permit tcp any host 10.0.0.35 eq 445
access-list msnet permit tcp any host 10.0.0.35 eq netbios-ssn
access-list msnet permit udp any host 10.0.0.36 eq netbios-ns
access-list msnet permit tcp any host 10.0.0.36 eq netbios-ssn
access-list msnet permit tcp any host 10.0.0.36 eq 445
access-list msnet permit udp any host 10.0.0.36 eq netbios-dgm
access-list msnet permit udp any host 10.0.0.37 eq netbios-ns
access-list msnet permit tcp any host 10.0.0.37 eq netbios-ssn
access-list msnet permit tcp any host 10.0.0.33 eq netbios-ssn
access-list msnet permit udp any host 10.0.0.38 eq netbios-ns
access-list msnet permit tcp any host 10.0.0.38 eq netbios-ssn
access-list msnet permit tcp any host 10.0.0.38 eq 445
access-list msnet permit udp any host 10.0.0.33 eq 139
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ########172.16.0.0-172.16.0.254
pdm location ######### 255.255.240.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group from_outside_coming_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http ######## 255.255.240.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 30
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup BOGUSNAME address-pool BOGUSNAMEPool
vpngroup BOGUSNAME dns-server 10.0.0.1 10.0.0.3
vpngroup BOGUSNAME split-tunnel 101
vpngroup BOGUSNAME idle-time 1800
vpngroup BOGUSNAME password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:6bf946d141bb44f79a0fb41923d236eb
: end
[OK]
NSUHPIX501#

cheers to all! and please help if you can..
gman[morning]
 
Check the status on your VPN client when it is connected through the 506; does it say UDP encapsulation on port 4500 active anywhere?
If not, then you need to enable UDP encapsulation in your VPN client settings.

Also, if you can ping when on your cable modem but can't map a drive, you might have an MTU problem on that connection. Use the setmtu util that comes with the VPN client to set it lower; usually 1472 will work, but you can try lower and then go upwards to see how far you get. Higher is better :)

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
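LGarner's question (is the VPN pool exempt from NAT and not blocked by an ACL?) and Jan's two points (a client sitting behind a PAT-ing PIX needs either NAT traversal on the far PIX, with UDP encapsulation switched on in the client, or an ESP fixup on the near PIX) can be checked mechanically against the pasted config. The Python below is an added example, not code from the thread, from Cisco or from the poster; it walks a PIX 6.x config with plain regexes. The config excerpts embedded in it are constructed from the 501 config posted above (the masked pool name is given the placeholder BOGUSNAMEPool that the vpngroup lines reference) and from the poster's description of the 506; only the `access-list NAME permit ip NET MASK NET MASK` form of ACL entry is parsed, and the `client_udp_encap` flag stands in for the client-side setting Jan asks about, since that lives in the client, not in either PIX config.

```python
import ipaddress
import re

# Constructed excerpt of the customer's PIX 501 (the VPN head-end), taken from
# the config posted in the thread; the masked pool name is given the
# placeholder BOGUSNAMEPool that the vpngroup lines reference.
CUSTOMER_501 = """\
access-list 101 permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
ip address inside 10.0.0.254 255.255.255.0
ip local pool BOGUSNAMEPool 172.16.0.0-172.16.0.254
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
isakmp enable outside
isakmp nat-traversal 30
vpngroup BOGUSNAME address-pool BOGUSNAMEPool
vpngroup BOGUSNAME split-tunnel 101
"""

# Constructed stand-in for the office PIX 506 the client sits behind: PAT to the
# outside interface address and, as the poster reports, no ESP fixup.
OFFICE_506 = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""


def has(config, command):
    """True if some line of the config starts with the given command text.
    'fixup protocol esp' also matches the PIX 6.3 spelling 'fixup protocol esp-ike'."""
    return re.search(r"^" + re.escape(command) + r"\b", config, re.M) is not None


def local_pools(config):
    """Map 'ip local pool NAME FIRST-LAST' lines to (first, last) addresses."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)$", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)))
    return pools


def acl_ip_entries(config, name):
    """(src, dst) networks of 'access-list NAME permit ip NET MASK NET MASK' lines."""
    pat = rf"^access-list {re.escape(name)} permit ip (\S+) (\S+) (\S+) (\S+)$"
    return [(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False),
             ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False))
            for m in re.finditer(pat, config, re.M)]


def covers(net, first, last):
    """True if the whole FIRST-LAST pool range lies inside net."""
    return first in net and last in net


def audit_headend(config):
    """Findings for the PIX that terminates the client VPN (the 501 here)."""
    findings = []
    if not has(config, "isakmp nat-traversal"):
        findings.append("no isakmp nat-traversal: clients behind PAT depend on the near side passing raw ESP")
    pools = local_pools(config)
    group_pool = re.search(r"^vpngroup \S+ address-pool (\S+)$", config, re.M)
    if not group_pool or group_pool.group(1) not in pools:
        findings.append("vpngroup address-pool does not name a defined ip local pool")
        return findings
    first, last = pools[group_pool.group(1)]
    exempt = re.search(r"^nat \(inside\) 0 access-list (\S+)$", config, re.M)
    if not exempt or not any(covers(dst, first, last)
                             for _, dst in acl_ip_entries(config, exempt.group(1))):
        findings.append("nat 0 exemption does not cover the client pool: replies get translated instead of returned through the tunnel")
    split = re.search(r"^vpngroup \S+ split-tunnel (\S+)$", config, re.M)
    if split and not acl_ip_entries(config, split.group(1)):
        findings.append("split-tunnel ACL has no 'permit ip' entries: the client learns no protected networks")
    if not has(config, "sysopt connection permit-ipsec"):
        findings.append("no sysopt connection permit-ipsec: decrypted traffic must be permitted by the outside access-group")
    return findings


def audit_client_side(config):
    """Findings for the PIX the VPN client sits behind (the 506 here)."""
    findings = []
    pat = re.search(r"^global \(outside\) \d+ interface$", config, re.M)
    if pat and not has(config, "fixup protocol esp"):
        findings.append("PAT on the outside interface without an ESP fixup: raw ESP (IP protocol 50) carries no port to translate")
    return findings


def esp_path_ok(client_side, headend, client_udp_encap):
    """IKE over UDP/500 survives PAT, so the tunnel 'connects'; the ESP data path
    only works if the head-end does NAT-T (ESP in UDP/4500, which the client must
    also have enabled) or the near-side device passes raw ESP untouched.
    An empty client_side config models the home case with no PIX in the path."""
    natt = has(headend, "isakmp nat-traversal") and client_udp_encap
    return natt or not audit_client_side(client_side)


if __name__ == "__main__":
    print("501 head-end findings:", audit_headend(CUSTOMER_501) or "none")
    print("506 client-side findings:", audit_client_side(OFFICE_506) or "none")
    print("office, client UDP encapsulation off:", esp_path_ok(OFFICE_506, CUSTOMER_501, False))
    print("office, client UDP encapsulation on: ", esp_path_ok(OFFICE_506, CUSTOMER_501, True))
    print("home, no PIX in the path:           ", esp_path_ok("", CUSTOMER_501, False))
```

Run as-is, the head-end audit of the posted 501 config comes back clean (NAT-T on, pool exempted by `nat (inside) 0 access-list 101`, split-tunnel ACL populated), the 506 stand-in is flagged for PAT without an ESP fixup, and the three path checks reproduce the thread's symptoms: the office client only gets a working data path once UDP encapsulation is enabled on the client (or an ESP fixup is added to the 506), while the home client with no PIX in between works either way.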
 