Problem with tunnel ipsec on pix 6.3
  • Problem with tunnel ipsec on pix 6.3

    Good afternoon everybody,

    Last week a new client asked me to set up an IPSec tunnel between an old PIX running OS 6.3 and a new WatchGuard.

    I have the CCNA certificate and experience with WatchGuard, Dell, D-Link, Fortigate, etc. devices, but I am having a lot of problems with this tunnel.

    Reading a WatchGuard guide, I only found the way to make an any-to-any tunnel, but when the tunnel is running, the users connected with the Cisco VPN client don't connect.
    On the other hand, if I try to filter the incoming connections to a specific machine, sometimes the public IP doesn't respond and sometimes I get a looping debug message about an incomplete ACL.

    Can anyone help me and tell me if I have something very wrong? I'm pasting the running-config.

    pix-test# SH CONF
    : Saved
    : Written by enable_15 at 00:01:41.271 UTC Fri Jan 1 1993
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password /YkF3jFJJD3lD52G encrypted
    passwd M0i.ccMTbS9Biy.W encrypted
    hostname pix-test
    domain-name pruebas.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 100 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    access-list ping-out permit icmp any any
    access-list ping-out deny udp any any eq tftp
    access-list ping-out deny udp any any eq 135
    access-list ping-out deny udp any any eq netbios-ns
    access-list ping-out deny udp any any eq netbios-dgm
    access-list ping-out deny tcp any any eq 69
    access-list ping-out deny tcp any any eq 135
    access-list ping-out deny tcp any any eq 445
    access-list ping-out deny tcp any any eq 593
    access-list ping-out deny udp any any eq 4665
    access-list ping-out permit tcp any host 96.98.21.169 eq www
    access-list ping-out permit tcp any host 96.98.21.169 eq https
    access-list ping-out permit tcp any host 96.98.21.169 eq pop3
    access-list ping-out permit tcp any host 96.98.21.169 eq smtp
    access-list ping-out permit tcp any host 96.98.21.169 eq pptp
    access-list ping-out permit tcp any host 96.98.21.169 eq 8080
    access-list ping-out permit tcp any host 96.98.21.170 eq www
    access-list ping-out permit tcp any host 96.98.21.170 eq https
    access-list ping-out permit tcp any host 96.98.21.170 eq pop3
    access-list ping-out permit tcp any host 96.98.21.170 eq smtp
    access-list ping-out permit tcp any host 96.98.21.170 eq 8080
    access-list ping-out permit tcp any host 96.98.21.171 eq www
    access-list ping-out permit tcp any host 96.98.21.171 eq https
    access-list ping-out permit tcp any host 96.98.21.171 eq pop3
    access-list ping-out permit tcp any host 96.98.21.171 eq smtp
    access-list ping-out permit tcp any host 96.98.21.171 eq 8080
    access-list ping-out permit tcp any host 96.98.21.172 eq 6666
    access-list LISTDMZ permit ip host 192.1.1.10 150.2.0.0 255.255.0.0
    access-list LISTDMZ permit ip host 192.1.1.12 150.2.0.0 255.255.0.0
    access-list LISTDMZ permit ip host 192.1.1.14 150.2.0.0 255.255.0.0
    access-list LISTDMZ permit ip host 192.1.1.5 150.2.0.0 255.255.0.0
    access-list inside permit ip host 192.168.0.46 any
    access-list inside permit ip host 192.168.0.4 any
    access-list inside permit ip host 192.168.0.5 any
    access-list inside permit ip host 192.168.0.242 any
    access-list inside permit ip host 192.168.0.243 any
    access-list inside permit ip host 192.168.0.7 any
    access-list inside permit ip any any
    access-list inside permit ip host 192.168.1.115 any
    access-list 110 permit ip 192.168.0.0 255.255.255.0 10.28.1.0 255.255.255.0 -- I added this line
    access-list 110 permit ip 10.28.1.0 255.255.255.0 192.168.0.0 255.255.255.0 -- I added this line
    pager lines 24
    logging on
    logging monitor debugging
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside 96.98.21.173 255.255.255.248
    ip address inside 192.168.0.200 255.255.248.0 -- I have found it so, but really the network that is used is 255.255.0.0
    ip address dmz 192.1.1.200 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnlocal2 192.168.1.200-192.168.1.232
    pdm location 111.111.0.0 255.255.255.0 inside
    pdm location 192.168.0.4 255.255.255.255 inside
    pdm location 192.168.0.5 255.255.255.255 inside
    pdm location 192.168.0.0 255.255.0.0 inside
    pdm location 88.2.136.124 255.255.255.255 outside
    pdm location 192.168.0.7 255.255.255.255 inside
    pdm location 192.168.2.167 255.255.255.255 inside
    pdm location 196.168.2.167 255.255.255.255 outside
    pdm location 192.168.1.115 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (outside) 2 96.98.21.169
    nat (inside) 0 access-list 100
    nat (inside) 0 access-list 110 -- I added this line
    nat (inside) 2 192.168.0.4 255.255.255.255 0 0
    nat (inside) 1 192.168.0.0 255.255.0.0 0 0
    nat (dmz) 0 access-list LISTDMZ
    static (inside,outside) 96.98.21.169 192.168.0.4 netmask 255.255.255.255 0 0
    static (inside,outside) 96.98.21.171 192.168.0.7 netmask 255.255.255.255 0 0
    static (inside,outside) 96.98.21.170 192.168.0.5 netmask 255.255.255.255 0 0
    static (inside,outside) 96.98.21.172 192.168.1.115 netmask 255.255.255.255 0 0
    access-group ping-out in interface outside
    access-group inside in interface inside
    route outside 0.0.0.0 0.0.0.0 96.98.21.174 1
    route inside 111.111.0.0 255.255.255.0 192.168.0.250 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set VPN esp-3des esp-md5-hmac
    crypto ipsec transform-set GOAL esp-des esp-md5-hmac
    crypto ipsec transform-set VPNNEW esp-3des esp-sha-hmac -- I added this line
    crypto dynamic-map dynmap 1 set transform-set VPN
    crypto dynamic-map dynmapdes 2 set transform-set GOAL
    crypto map vpnmap 1 ipsec-isakmp dynamic dynmap
    crypto map vpnmap 10 ipsec-isakmp
    crypto map vpnmap 10 match address LISTDMZ
    crypto map vpnmap 10 set peer 212.171.22.215
    crypto map vpnmap 10 set transform-set VPN
    crypto map vpnmap 11 ipsec-isakmp -- I added this line
    crypto map vpnmap 11 match address 110 -- I added this line
    crypto map vpnmap 11 set peer 212.179.12.124 -- I added this line
    crypto map vpnmap 11 set transform-set VPNNEW -- I added this line
    crypto map vpnmap 11 set security-association lifetime seconds 360 kilobytes 8192 -- I added this line
    crypto map vpnmap interface outside
    isakmp enable outside
    isakmp key ******** address 212.171.22.215 netmask 255.255.255.255
    isakmp key ******** address 212.179.12.124 netmask 255.255.255.255 -- I added this line
    isakmp identity address
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash md5
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 1800
    isakmp policy 2 authentication pre-share
    isakmp policy 2 encryption des
    isakmp policy 2 hash md5
    isakmp policy 2 group 2
    isakmp policy 2 lifetime 1800
    isakmp policy 3 authentication pre-share
    isakmp policy 3 encryption 3des
    isakmp policy 3 hash md5
    isakmp policy 3 group 2
    isakmp policy 3 lifetime 86400
    isakmp policy 4 authentication pre-share -- I added this line
    isakmp policy 4 encryption des -- I added this line
    isakmp policy 4 hash sha -- I added this line
    isakmp policy 4 group 1 -- I added this line
    isakmp policy 4 lifetime 86400 -- I added this line
    vpngroup vpnmovil address-pool vpnlocal2
    vpngroup vpnmovil dns-server 192.168.0.242
    vpngroup vpnmovil default-domain pruebas.com
    vpngroup vpnmovil idle-time 1800
    vpngroup vpnmovil password ********
    telnet 192.168.0.0 255.255.0.0 inside
    telnet timeout 5
    ssh 88.2.136.124 255.255.255.255 outside
    ssh 84.124.26.122 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:7ee03c8b03958012df5d9973e3b5a8b9




    Thanks to all and best regards,
    Xern

  • #2
    Re: Problem with tunnel ipsec on pix 6.3

    Is this a site-to-site VPN? If so, why would you use the VPN client software on the client machines? The VPN client is used for remote access ("Easy VPN"), which would require the configuration of the "Easy VPN Server" as well as the client.

    Is the tunnel up?

    show crypto isakmp sa

    show crypto ipsec sa
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)
