pix 501 VPN access problem

  • pix 501 VPN access problem

    Hi,

    I'd like to be able to do the following:
    From inside use the pix as a router (for access to the internet).
    From inside be able to run a web server (for access from the internet and inside).
    From the outside be able to VPN in and access the internal servers for things like file sharing.
    I don't want to use the pix internally for DHCP but I would like it to dynamically assign VPN users with an IP.
    VPN users will still need access to their local network (wherever they are).

    What works:
    If I set my gateway as the pix it works as a router.
    I can connect to the VPN and the tunnel secures.
    VPN users are assigned an IP.
    Local users are not assigned an IP.

    What doesn't work:
    VPN users can't access servers on the inside interface.
    The web server can't be seen from the outside interface.

    Any help would be greatly appreciated.

    pixfirewall(config)# wr t
    Building configuration...
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxx encrypted
    passwd xxx encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.0 255.255.255.0
    access-list People_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
    access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 123.123.123.42 255.255.255.240
    ip address inside 192.168.0.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool remoteuserspool 192.168.0.250-192.168.0.253
    pdm location 192.168.0.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 123.123.123.41 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup People address-pool remoteuserspool
    vpngroup People dns-server 123.123.123.41
    vpngroup People split-tunnel People_splitTunnelAcl
    vpngroup People idle-time 1800
    vpngroup People password xxx
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.0.2-192.168.0.253 inside
    dhcpd dns 123.123.123.41
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    username user password xxx encrypted privilege 15
    terminal width 80
    Cryptochecksum:af977f9a435e1cd38d8fd96cbbb59c38
    : end
    [OK]
    pixfirewall(config)#

    Note: I've masked my external IP with 123.123.123.42 and my gateway/DNS with 123.123.123.41.

    Thanks,

    Seb

  • #2
    Re: pix 501 VPN access problem

    Hi Seb,
    I don't have my notes to hand but off the top of my head
    you don't need this:
    Code:
    dhcpd address 192.168.0.2-192.168.0.253 inside
    dhcpd dns 123.123.123.41
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    as you are providing DHCP on the external interface.

    You have no static or ACL for inbound traffic, therefore you would need to add the following, assuming .0.2 is the www server and you use a specific external IP on the outside of .123.44:
    Code:
    static (inside,outside) 123.123.123.44 192.168.0.2
    access-list inbound_on_outside permit tcp any host 123.123.123.44 eq 80
    access-group inbound_on_outside in interface outside
    Your VPN will possibly need the:
    Code:
    isakmp nat-traversal 20
    to allow nat-traversal.


    Can you ping anything by IP from the VPN clients?
    Last edited by AndyJG247; 20th January 2009, 13:18.
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?



    • #3
      Re: pix 501 VPN access problem

      Hi Andy,

      Thanks for your help.

      Just to clarify, does the following command map external IP 123.123.123.44 to 192.168.0.2 (i.e. all ports)? Is it possible to just map specific ports (like port 80) of the outside interface to the web server? (I only have the one static external IP, which is in use by the outside interface.)

      Code:
      static (inside,outside) 123.123.123.44 192.168.0.2
      access-list inbound_on_outside permit tcp any host 123.123.123.44
      access-group inbound_on_outside in interface outside
      Many thanks again.

      Seb



      • #4
        Re: pix 501 VPN access problem

        Your subnet mask for the outside was .240, which implied there were 16 addresses, so I went with a 1-to-1.
        Yes, it is possible; change it slightly, to this.

        Code:
        static (inside,outside) tcp 123.123.123.44 80 192.168.0.2 80
        access-list inbound_on_outside permit tcp any host 123.123.123.44 eq 80
        access-group inbound_on_outside in interface outside

        Actually, I just realised the other was slightly wrong; it should have been this:

        Code:
        static (inside,outside) 123.123.123.44 192.168.0.2
        access-list inbound_on_outside permit tcp any host 123.123.123.44 eq 80
        access-group inbound_on_outside in interface outside
        I missed the eq 80 bit. I have changed my last post to show this just in case anyone else sees it.
        cheers
        Andy

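        Added here as an example (it is not from the thread or from either poster): a small Python check over the PIX 6.3 static / access-list / access-group chain in Andy's posts. It flags the omission he corrected in #4 (an ACL entry with no eq 80, which leaves every TCP port of the published host reachable from the outside), an ACL destination with no static translating it, a port static whose port differs from the ACL's, and an ACL that is not bound inbound on the outside interface. The two snippets from the thread are embedded as constructed input; other PIX syntax (source ports, netmask keywords, object groups) is not modelled.

```python
# Constructed input: the two inbound publishing snippets posted in this thread.
LOOSE = """\
static (inside,outside) 123.123.123.44 192.168.0.2
access-list inbound_on_outside permit tcp any host 123.123.123.44
access-group inbound_on_outside in interface outside
"""
TIGHT = """\
static (inside,outside) tcp 123.123.123.44 80 192.168.0.2 80
access-list inbound_on_outside permit tcp any host 123.123.123.44 eq 80
access-group inbound_on_outside in interface outside
"""

def _addr(t, i):  # consume one PIX address spec (any | host A.B.C.D | NET MASK)
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return t[i], i + 2  # network followed by its mask

def lint(config):
    """Check the static -> access-list -> access-group chain; return a list of findings."""
    statics = {}            # global address -> (local address, port or None for a 1-to-1 static)
    acls, bound = {}, {}    # ACL name -> entries; ACL name -> interface it is applied to
    for t in (ln.split() for ln in config.splitlines() if ln.strip()):
        if t[0] == "static":           # static (in,out) [tcp|udp] GLOBAL [gport] LOCAL [lport]
            r = t[2:]
            if r[0] in ("tcp", "udp"):
                statics[r[1]] = (r[3], r[2])
            else:
                statics[r[0]] = (r[1], None)
        elif t[0] == "access-list":    # access-list NAME permit PROTO SRC DST [eq PORT]
            _, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
            acls.setdefault(t[1], []).append({"proto": t[3], "dst": dst, "port": port})
        elif t[0] == "access-group":   # access-group NAME in interface IFACE
            bound[t[1]] = t[4]
    out = []
    for name, entries in acls.items():
        if bound.get(name) != "outside":
            out.append(f"{name}: not applied inbound on the outside interface")
            continue
        for e in entries:
            if e["proto"] in ("tcp", "udp") and e["port"] is None:
                out.append(f"{name}: every {e['proto']} port of {e['dst']} is reachable; add 'eq <port>'")
            if e["dst"] not in statics:
                out.append(f"{name}: no static translates {e['dst']}")
            elif statics[e["dst"]][1] not in (None, e["port"]):
                out.append(f"{name}: ACL port {e['port']} differs from static port {statics[e['dst']][1]}")
    return out
```

Running lint(LOOSE) reports the missing port restriction; lint(TIGHT) returns no findings.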



        • #5
          Re: pix 501 VPN access problem

          Thanks Andy, I'll try it all out and let you know how I get on.

          Many thanks,

          Seb



          • #6
            Re: pix 501 VPN access problem

            Please do.
            cheers
            Andy


