seeking similar sample pix 501 running config

    I've been thrown in at the deep end with a PIX config for a client. I'm seeking a sample PIX 501 config to help me troubleshoot.

    It's a basic single NAT'd private LAN 172.16.1.0/24, with a single Ethernet WAN. It has an IPsec VPN tunnel routing to remote nets 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24.

    I think it's the access lists that have slipped me up -
    Desired access lists need to be relaxed,
    i.e. allow default outbound for LAN users,
    port forward port 25 inbound,
    unrestricted access out and inbound to the VPN remote networks.

    Many thanks for your help.
    best
    string
    sydney australia

  • #2
    Re: seeking similar sample pix 501 running config

    If you have a config already done maybe you could post it and see if somebody can troubleshoot that? Just remove your specific details...



    • #3
      Re: seeking similar sample pix 501 running config

      Thanks for your reply. I've xx'd, yy'd and zz'd all the confidential stuff (I hope).
      I believe it's the access lists throwing me out... further, I'm also wondering what show commands should be used to verify the VPN is up?

      Thanks again for any help...
      String



      User Access Verification

      Password:
      Type help or '?' for a list of available commands.
      pixfirewall> en
      Password: ********
      pixfirewall# show run
      : Saved
      :
      PIX Version 6.3(5)
      interface ethernet0 auto
      interface ethernet1 auto
      nameif ethernet0 outside security0
      nameif ethernet1 inside security100
      enable password xyz encrypted
      passwd xyz encrypted
      hostname pixfirewall
      domain-name xxxxxx
      fixup protocol dns maximum-length 512
      fixup protocol ftp 21
      fixup protocol h323 h225 1720
      fixup protocol h323 ras 1718-1719
      fixup protocol http 80
      fixup protocol rsh 514
      fixup protocol rtsp 554
      fixup protocol sip 5060
      fixup protocol sip udp 5060
      fixup protocol skinny 2000
      fixup protocol smtp 25
      fixup protocol sqlnet 1521
      fixup protocol tftp 69
      names
      name 172.16.1.0 internal
      name 10.1.6.0 remotenet6
      name 10.1.7.0 remotenet7
      name 10.1.10.0 remotenet10
      access-list 101 permit ip internal 255.255.255.0 any
      access-list 150 permit ip internal 255.255.255.0 10.1.0.0 255.255.0.0
      pager lines 24
      mtu outside 1500
      mtu inside 1500
      ip address outside 61.xx.xx.xxx 255.255.255.252
      ip address inside 172.16.1.253 255.255.255.0
      ip audit info action alarm
      ip audit attack action alarm
      pdm history enable
      arp timeout 14400
      global (outside) 1 interface
      nat (inside) 1 internal 255.255.255.0 0 0
      conduit permit icmp any any
      route outside 0.0.0.0 0.0.0.0 61.xx.xx.xxx 1
      timeout xlate 3:00:00
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
      timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
      timeout sip-disconnect 0:02:00 sip-invite 0:03:00
      timeout uauth 0:05:00 absolute
      aaa-server TACACS+ protocol tacacs+
      aaa-server TACACS+ max-failed-attempts 3
      aaa-server TACACS+ deadtime 10
      aaa-server RADIUS protocol radius
      aaa-server RADIUS max-failed-attempts 3
      aaa-server RADIUS deadtime 10
      aaa-server LOCAL protocol local
      no snmp-server location
      no snmp-server contact
      snmp-server community public
      no snmp-server enable traps
      floodguard enable
      sysopt connection permit-ipsec
      crypto ipsec transform-set vpn esp-3des esp-md5-hmac
      crypto map zzzzz 5 ipsec-isakmp
      crypto map zzzzz 5 match address 150
      crypto map zzzzz 5 set peer 218.yy.yy.yyy
      crypto map zzzzz 5 set transform-set vpn
      crypto map zzzzz interface outside
      isakmp enable outside
      isakmp key ******** address 218.yy.yy.yyy netmask 255.255.255.255
      isakmp identity address
      isakmp keepalive 60 60
      isakmp nat-traversal 20
      isakmp policy 1 authentication pre-share
      isakmp policy 1 encryption 3des
      isakmp policy 1 hash md5
      isakmp policy 1 group 2
      isakmp policy 1 lifetime 86400
      isakmp policy 10 authentication pre-share
      isakmp policy 10 encryption 3des
      isakmp policy 10 hash sha
      isakmp policy 10 group 2
      isakmp policy 10 lifetime 86400
      telnet internal 255.255.255.0 inside
      telnet timeout 5
      ssh timeout 5
      console timeout 0
      terminal width 80
      Cryptochecksum:96754e735700e6b5191366fb7de7fb4b
      : end
      pixfirewall#



      • #4
        Re: seeking similar sample pix 501 running config

        'show crypto map' will show which crypto map is in use. There will be none if the tunnel is down, two if they're both up. I suppose that's the first thing to establish.

        Also try turning on some debugging and pinging addresses at either end of the tunnel. Assuming you're using the console cable, try from config prompt -
        'debug route'
        'logging on'
        'logging terminal 7'

        Then do your pings from a PC. You should see some debug info appear that may point you in the right direction.

        You might try removing the crypto ACL and see if the VPN works then. Try the debug again at this point and see if the output has improved.

        Have a look at this - http://www.cisco.com/en/US/products/...html#wp1027198 under "How ACL Access Checking Worked Prior to This Feature". Handy diagrams that explain how the ACLs and crypto ACLs are applied...

        Can't help you further I'm afraid, as you'll see from my thread I'm in a similar situation with about the same or less knowledge of Ciscos. Hopefully somebody will come on and rescue the two of us...
        Last edited by Zenith; 10th October 2006, 23:37.



        • #5
          Re: seeking similar sample pix 501 running config

          This should work for you. I've built a site-to-site using 3 PIXes:

          One on 172.16.1.0/24
          One on 10.1.1.0/24
          One on 10.1.2.0/24

          172.16.1.0 (LAN1) is the 'hub'; the other 2 are spokes.
          LAN1 is also receiving inbound traffic on tcp 25 and forwarding it to 172.16.1.10.

          All PIXes are permitting all traffic originating on the inside to go outside, without restriction.

          This is built using the following topology (ascii, use yr imagination):::

          LAN1
          (PIX INSIDE= .1)------>(PIX OUTSIDE=.1)------(LOCAL ROUTER=.2)------>TO LANs 2 & 3

          172.16.1.0/24----------->80.80.80.0/30----------->80.80.80.0/30

          ------------------------------------------------------------------------------------------

          LAN2
          (REMOTE ROUTER= .2)------>(PIX OUTSIDE=.1)------(PIX INSIDE=.1)

          90.90.90.0/24----------------->90.90.90.0/24----------->10.1.1.0/24

          ------------------------------------------------------------------------------------------
          LAN3
          (REMOTE ROUTER= .2)------>(PIX OUTSIDE=.1)------(PIX INSIDE=.1)

          10.100.100.0/24-------------->100.100.100.0/24------->10.1.2.0/24

          ------------------------------------------------------------------------------------------

          CONFIG FOR LAN1 PIX::-NB, all PIXEN ARE 6.3(5)

          PIX Version 6.3(3)
          interface ethernet0 auto
          interface ethernet1 100full
          nameif ethernet0 outside security0
          nameif ethernet1 inside security100
          enable password cisco
          passwd cisco
          hostname lan1pix
          domain-name inside.co.uk
          fixup protocol dns maximum-length 512
          fixup protocol ftp 21
          fixup protocol h323 h225 1720
          fixup protocol h323 ras 1718-1719
          fixup protocol http 80
          fixup protocol rsh 514
          fixup protocol rtsp 554
          fixup protocol sip 5060
          fixup protocol sip udp 5060
          fixup protocol skinny 2000
          no fixup protocol smtp 25
          fixup protocol sqlnet 1521
          fixup protocol tftp 69
          names
          access-list lan1_to_lan2_vpn permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
          access-list outside_access_in permit tcp any interface outside eq smtp
          access-list lan1_to_lan3_vpn permit ip 172.16.1.0 255.255.255.0 10.1.2.0 255.255.255.0
          access-list lan_to_lan_vpn permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
          access-list lan_to_lan_vpn permit ip 172.16.1.0 255.255.255.0 10.1.2.0 255.255.255.0
          pager lines 100
          mtu outside 1500
          mtu inside 1500
          ip address outside 80.80.80.1 255.255.255.252
          ip address inside 172.16.1.1 255.255.255.0
          ip audit info action alarm
          ip audit attack action alarm
          pdm history enable
          arp timeout 14400
          global (outside) 1 interface
          nat (inside) 0 access-list lan_to_lan_vpn
          nat (inside) 1 172.16.1.0 255.255.255.0 0 0
          static (inside,outside) tcp interface smtp 172.16.1.10 smtp netmask 255.255.255.255 0 0
          access-group outside_access_in in interface outside
          route outside 0.0.0.0 0.0.0.0 80.80.80.2 1
          timeout xlate 3:00:00
          timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
          timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
          timeout uauth 0:05:00 absolute
          aaa-server TACACS+ protocol tacacs+
          aaa-server RADIUS protocol radius
          aaa-server LOCAL protocol local
          http server enable
          http 172.16.1.0 255.255.255.0 inside
          no snmp-server location
          no snmp-server contact
          snmp-server community public
          no snmp-server enable traps
          floodguard enable
          sysopt connection permit-ipsec
          crypto ipsec transform-set secure esp-3des esp-md5-hmac
          crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
          crypto map lan_to_lan 10 ipsec-isakmp
          crypto map lan_to_lan 10 match address lan1_to_lan2_vpn
          crypto map lan_to_lan 10 set peer 90.90.90.1
          crypto map lan_to_lan 10 set transform-set secure
          crypto map lan_to_lan 20 ipsec-isakmp
          crypto map lan_to_lan 20 match address lan1_to_lan3_vpn
          crypto map lan_to_lan 20 set peer 100.100.100.1
          crypto map lan_to_lan 20 set transform-set secure
          crypto map lan_to_lan interface outside
          isakmp enable outside
          isakmp key asdfghjkl address 90.90.90.1 netmask 255.255.255.255
          isakmp key qwertyuiop address 100.100.100.1 netmask 255.255.255.255
          isakmp policy 10 authentication pre-share
          isakmp policy 10 encryption 3des
          isakmp policy 10 hash md5
          isakmp policy 10 group 2
          isakmp policy 10 lifetime 86400
          telnet timeout 5
          ssh timeout 5
          console timeout 0
          terminal width 80


          ------------------------------------------------------------------------------------------
          CONFIG FOR LAN2 PIX (truncated)

          access-list lan1_to_lan2_vpn permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
          ip address outside 90.90.90.1 255.255.255.0
          ip address inside 10.1.1.1 255.255.255.0
          global (outside) 1 interface
          nat (inside) 0 access-list lan1_to_lan2_vpn
          nat (inside) 1 10.1.1.0 255.255.255.0 0 0
          route outside 0.0.0.0 0.0.0.0 90.90.90.2 1
          sysopt connection permit-ipsec
          crypto ipsec transform-set secure esp-3des esp-md5-hmac
          crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
          crypto map lan_to_lan 10 ipsec-isakmp
          crypto map lan_to_lan 10 match address lan1_to_lan2_vpn
          crypto map lan_to_lan 10 set peer 80.80.80.1
          crypto map lan_to_lan 10 set transform-set secure
          crypto map lan_to_lan interface outside
          isakmp enable outside
          isakmp key asdfghjkl address 80.80.80.1 netmask 255.255.255.255
          isakmp policy 10 authentication pre-share
          isakmp policy 10 encryption 3des
          isakmp policy 10 hash md5
          isakmp policy 10 group 2
          isakmp policy 10 lifetime 86400

          ------------------------------------------------------------------------------------------
          CONFIG FOR LAN3 PIX (truncated)

          hostname lan3pix
          domain-name lan2.co.uk
          access-list lan3_to_lan1_vpn permit ip 10.1.2.0 255.255.255.0 172.16.1.0 255.255.255.0
          ip address outside 100.100.100.1 255.255.255.0
          ip address inside 10.1.2.1 255.255.255.0
          global (outside) 1 interface
          nat (inside) 0 access-list lan3_to_lan1_vpn
          nat (inside) 1 10.1.2.0 255.255.255.0 0 0
          route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
          sysopt connection permit-ipsec
          crypto ipsec transform-set secure esp-3des esp-md5-hmac
          crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
          crypto map lan_to_lan 10 ipsec-isakmp
          crypto map lan_to_lan 10 match address lan3_to_lan1_vpn
          crypto map lan_to_lan 10 set peer 80.80.80.1
          crypto map lan_to_lan 10 set transform-set secure
          crypto map lan_to_lan interface outside
          isakmp enable outside
          isakmp key qwertyuiop address 80.80.80.1 netmask 255.255.255.255
          isakmp policy 10 authentication pre-share
          isakmp policy 10 encryption 3des
          isakmp policy 10 hash md5
          isakmp policy 10 group 2
          isakmp policy 10 lifetime 86400
          Last edited by theterranaut; 13th October 2006, 16:01.
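The difference between the first config in this thread and the hub config above is the `nat (inside) 0 access-list` exemption. The checker below is my own added example, not code from the thread: it reads PIX 6.x config lines and reports any crypto-map interesting traffic that is not NAT-exempt (PIX 6.x NATs a packet before consulting the crypto map, so PATed LAN traffic never matches the tunnel ACL). The two embedded excerpts are constructed from the configs in this thread, not the posts verbatim.

```python
import ipaddress

def _net(tokens, names):
    """Consume one PIX address spec (any | A MASK); 'name' aliases are resolved first."""
    tok = names.get(tokens[0], tokens[0])
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tok}/{tokens[1]}"), tokens[2:]

def parse_pix(config):
    """Collect name aliases, 'permit ip' ACL entries, nat 0 exemptions and crypto-map match ACLs."""
    names, acls, nat0, crypto = {}, {}, set(), {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["name"]:
            names[t[2]] = t[1]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = _net(t[4:], names)
            dst, _ = _net(rest, names)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0.add(t[4])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto[(t[2], int(t[3]))] = t[6]
    return {"names": names, "acls": acls, "nat0": nat0, "crypto": crypto}

def check_vpn_exemption(config):
    """Flag crypto-map traffic not covered by a nat 0 ACL: PIX 6.x NATs/PATs a packet
    before consulting the crypto map, so un-exempted LAN traffic never matches the tunnel."""
    cfg = parse_pix(config)
    exempt = [pair for n in cfg["nat0"] for pair in cfg["acls"].get(n, [])]
    findings = []
    for (cmap, seq), acl in sorted(cfg["crypto"].items()):
        for src, dst in cfg["acls"].get(acl, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                findings.append(f"crypto map {cmap} {seq}: {src} -> {dst} (acl {acl}) "
                                f"has no nat 0 exemption; add 'nat (inside) 0 access-list {acl}'")
    return findings

# Constructed excerpts modelled on the thread's configs (not the posts verbatim).
OP_STYLE = """name 172.16.1.0 internal
access-list 150 permit ip internal 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 1 internal 255.255.255.0 0 0
crypto map zzzzz 5 match address 150"""
HUB_STYLE = """access-list lan1_to_lan2_vpn permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list lan_to_lan_vpn permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list lan_to_lan_vpn
crypto map lan_to_lan 10 match address lan1_to_lan2_vpn"""
```

Running `check_vpn_exemption(OP_STYLE)` returns one finding for crypto map zzzzz 5, while the hub-style excerpt returns an empty list.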



          • #6
            Re: seeking similar sample pix 501 running config

            yes it is the access list
            Originally posted by -string-



            • #7
              Re: seeking similar sample pix 501 running config

              String, I should also have said:
              verify your vpn works by doing the following:

              -clear isakmp sa
              -clear ipsec sa

              This will tear down the tunnels (IKE & IPSec) used for the vpn.

              Then you want to ping from a core device to a remote site device. Are you getting a response from your ping? If so, your vpn is (probably) up, but if not you can test/ verify with:

              -sh isakmp sa

              Which will show the number of IKE/ISAKMP (Stage 1) tunnels operational

              then

              -sh ipsec sa

              Which will show IPSec (Stage 2) traffic. On 6.x PIXes it's quite obtuse; you can refine it by adding the 'bar' character (or pipe, if you prefer; it looks like: |) and filtering results.

              Generally, if the tunnel shows packets being sent, received (encapsulated and decrypted) and the figures increment when you ping, then traffic is moving across the tunnel.

              The above is a general guide, of course, but 9 times out of 10 can show you if you have a problem. I.e., sh isakmp sa shows an active association, but sh ipsec sa shows nothing? Then stage 1 is good, so check your stage 2 settings carefully. I'm sure you get the idea.

              In the interests of completeness, I always do the above (clear then ping) from both sides, to make sure my proposals work bidirectionally. Pedantic or thorough, you choose!

              theterranaut
