PIX config problem

  • PIX config problem

    I manage an existing PIX 501 firewall which was not originally set up by me. It works fine. We have an additional DSL connection for which I need to set up another PIX 501. I configured the DSL router with the LAN IP gateway (70.zzz.xx.153), connected to it with a laptop and was able to get to the internet. I then proceeded to set up the PIX with inside, and outside (PAT) 70.zzz.xx.158 and route outside 70.zzz.xx.153. This is the first time configuring a PIX and I thought I had everything set up correctly, but I cannot ping anything on the outside from the PIX, and I cannot get to the outside when I connect a laptop to it (static IP gateway Any help is greatly appreciated. Here is the configuration:

    Building configuration...
    : Saved
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password tdkuTUSh53d2MT6B encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname attdslpix2
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list inside_outbound_nat0_acl permit ip any
    access-list outside_cryptomap_dyn_20 remark implicit rule
    access-list outside_cryptomap_dyn_20 permit ip any any
    access-list inside_access_in remark MYC
    access-list inside_access_in permit ip any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 70.zzz.xx.158
    ip address inside
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pptp-client-ip
    pdm location outside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0 0
    access-group inside_access_in in interface inside
    route outside 70.zzz.xx.153 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address netmask
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication pap
    vpdn group PPTP-VPDN-GROUP client configuration address local pptp-client-ip
    vpdn group PPTP-VPDN-GROUP client configuration dns
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username myname password *********
    vpdn enable outside
    vpdn enable inside
    dhcpd address inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    : end

  • #2
    Re: PIX config problem

    Based on the crypto-map "match address" definition, you are tunneling everything. So "any" NAT'd packet from the inside interface never makes it to the outside interface. Instead, it gets encrypted and sent to the VPN endpoint.

    To clarify, you have the following crypto-map match address:

    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    The referenced match address ACL "outside_cryptomap_dyn_20" specifies permit any any (or tunnel everything):

    access-list outside_cryptomap_dyn_20 remark implicit rule
    access-list outside_cryptomap_dyn_20 permit ip any any
    Based on the DHCP pool you have configured for VPN clients, try changing the ACL to only tunnel traffic to the VPN endpoints' netblock, i.e. based on the defined DHCP pool. Something like...

    access-list outside_cryptomap_dyn_20 line 1 remark implicit rule
    access-list outside_cryptomap_dyn_20 line 2 extended permit ip any
    With the above changes, the logic for a packet traversing inside to outside is:

    source= -> destination= (vpn endpoint) nat exclude the packet using (nat 0) and encrypt using crypto-map match address

    source= -> destination=any (internet) NAT/PAT the packet using (nat 1, global 1) and send on outside interface

    Hope this helps

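    The inside-to-outside decision the reply walks through, as an added model in Python (not code from the thread or from the PIX). The VPN client pool, inside LAN, outside address and the nat 0 ACL below are constructed stand-ins for the values the posted config elides; the point it shows is that the posted "permit ip any any" crypto ACL captures PAT'd internet traffic too, while the narrowed ACL leaves it in the clear.

```python
"""Model of PIX inside-to-outside handling: nat 0 exemption, then crypto-map match."""
import ipaddress

def parse_ace(line):
    # PIX 6.3 'permit ip SRC DST', each side 'any' or 'addr mask' (as in the posted config).
    toks = line.split()
    assert toks[:2] == ["permit", "ip"], "only 'permit ip' ACEs are modelled"
    rest, nets = toks[2:], []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); rest = rest[1:]
        else:
            nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}")); rest = rest[2:]
    return nets[0], nets[1]

def acl_matches(acl, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in (parse_ace(l) for l in acl))

def forward(src, dst, nat0_acl, crypto_acl, outside_ip="203.0.113.158"):
    """Return (translated_src, disposition) for a packet leaving the inside interface.
    nat (inside) 0 exemption is evaluated first; otherwise nat 1 / global 1 PATs to the
    outside address. The crypto map's match address ACL then decides whether the packet
    is pulled into the VPN ('tunnel') or routed out in the clear ('clear')."""
    if acl_matches(nat0_acl, src, dst):
        xlate = src                  # nat 0: no translation towards the VPN clients
    else:
        xlate = outside_ip           # PAT behind the outside interface (constructed address)
    if acl_matches(crypto_acl, xlate, dst):
        return xlate, "tunnel"       # captured by the crypto map, never sent in the clear
    return xlate, "clear"

# Constructed values: VPN client pool and inside LAN standing in for the elided ones.
VPN_POOL = "192.168.100.0 255.255.255.0"
NAT0 = [f"permit ip 192.168.1.0 255.255.255.0 {VPN_POOL}"]
CRYPTO_AS_POSTED = ["permit ip any any"]        # tunnels everything (the bug)
CRYPTO_FIXED = [f"permit ip any {VPN_POOL}"]    # only the VPN netblock (the reply's fix)

def compare(dst, src="192.168.1.10"):
    """Disposition of the same packet under the posted ACL and under the fixed ACL."""
    return (forward(src, dst, NAT0, CRYPTO_AS_POSTED)[1],
            forward(src, dst, NAT0, CRYPTO_FIXED)[1])

if __name__ == "__main__":
    print("to internet :", compare("8.8.8.8"))        # posted: tunnel, fixed: clear
    print("to VPN pool :", compare("192.168.100.5"))  # both: tunnel
```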

    • #3
      Re: PIX config problem

      Thank you, thank you, thank you. Oh, and in case I forget - thank you!
      Works like a charm now.


      • #4
        Re: PIX config problem

        Glad to hear the config change worked.