Cisco PIX 501 help

Carapace

Member
Dec 17, 2000
150
0
0
I posted this at Speedguide as well.

Hello all,

I have a Cisco PIX 501 firewall with 3DES set up at a location that I VPN to via Cisco VPN Client 3.5.1.
I can connect to the site just fine, even remotely control desktops via pcAnywhere, but what I can't do is use the Internet from the VPN client machine.
First, let me tell you about my skill level......basically I have none. I've never been to a Cisco class, never read a Cisco book, nothing. I have somehow managed to set up a site to site VPN and a Site to VPN Client VPN fairly easily. I have been using the PDM (integrated web server) interface from day one. At this point I don't care to learn the CLI interface at all. I sometimes support this thing over the phone (the pix is about 1.5 hours away from me now) and have found that the PDM is hands down the easiest way to walk someone through troubleshooting. Anyway, the reason I bring this up is so you all will understand I'm trying my best to make this work. So just keep in mind when you give advice that I'm still a newbie.

With that said, here is a link to a screenshot of my error log:
Linky


It looks like the damn thing is not letting my DNS requests through. The 10.0.0.0 IP pool is my VPN pool and the other IPs you see are my external DNS servers (there are no internal servers on this network). It's boggling my mind because I used the VPN wizard to set this up. One would figure it would automatically configure the thing to allow that sort of traffic (and yes, I did give the IPs of the DNS servers when it asked for them).

Anyone have any ideas? I can post more info or screenshots if needed.

Thanks in advance.
 

mboy

Diamond Member
Jul 29, 2001
3,309
0
0
You most likely do not have split tunneling allowed (which I do not recommend). I have the same issue with my SonicWall when a client is connected to it from the LAN. You will probably need a router behind your PIX and have that set as the gateway for the VPN client.
 

MysticLlama

Golden Member
Sep 19, 2000
1,003
0
0
I'm having the exact same problem with a PIX, and posted in another thread just a few days ago.

The basic issue is the routing of the Internet traffic.

The way to enable split-tunneling on the PIX is as follows:
1. Connect to the Internet via Dial-up or Broadband, receive default gateway address.
2. Use VPN client to connect to remote network, but do not add default gateway address (this is a checkbox in most clients).
--At this point you can get on the Internet, but still not pass VPN traffic.
3. Determine your VPN assigned address, and set that address as the default gateway for your internal network.
--i.e. route add 192.168.0.xxx mask 255.255.255.0 *IP assigned by PIX for VPN*

That will then pass Internet traffic through your default gateway, and private traffic through your VPN connection.

I don't really like it either, and I need it to not be a two-step process since the old system was a Windows PPTP system and it works in one stage. It causes problems with login scripts, and I have to get the users to do two things when it was hard enough getting them to do one.

I have a call into Cisco to see if I can make it work with a router to turn around the traffic from the private network and go back to the Internet, and they are supposed to get back to me today after doing some labs. On Friday he basically told me that he didn't think it was possible, but he was going to try a couple things over the weekend.

I'll post with what I hear from them.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
Carapace, you need to ensure that you have a nat 0 command pointing to an access-list that permits the IP address range of the VPN clients. Put another way, do not try to NAT or PAT traffic to or from the VPN clients.

The PIX really, really likes to PAT. So you have to tell it not to do that.

The same ACL if thoughtfully written can be used as the ACL for a vpngroup <x> split-tunnel command.

MysticLlama, I can't figure out what you're doing, but it's not split tunnelling to my knowledge. See the vpngroup <x> split-tunnel command. The goal is to push an IPsec SPD policy out to the VPN client. This is orthogonal to routing. (it SHOULDN'T be, but the person who edited the IPsec specs made it so, and that causes oh so many VPN headaches!)
 

MysticLlama

Golden Member
Sep 19, 2000
1,003
0
0
Actually, mine is split-tunneling according to what the guy at Cisco told me (he could be wrong). It may be different because I'm using PPTP vs. IPSec though. We were just trying to keep the thing 100% consistent for the users.

I'm going to try the new Cisco client software and IPSec, but I'm not sure yet if it's going to work. Supposedly the newest version can install as a driver and be fired upon login, but I'll have to see what it looks like.

Good call on the ACL and NAT 0 command though, I do that so automatically now that I didn't even think of it.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
MysticLlama, didn't realize you were using PPTP. I dislike it greatly and so I only use IPsec.

The 4.0.3(D) client works pretty well. In Windows land, it is often necessary to log into the VPN connection first and THEN log into the local Windows system/domain, otherwise Windows networking authentication might not work right. Why this is so, I don't know... I've long since stopped trying to make Windows networking work sensibly, I just do what actually works.

IPsec itself has a lot more sensitivity to intermediate systems (esp. NAT/PAT devices and firewalls) than PPTP does. Unfortunately, this does mean higher support load. Cisco's client supports a proprietary IPsec-over-TCP mode, but only to a VPN Concentrator series, not to a PIX.
 

Carapace

Member
Dec 17, 2000
150
0
0
Originally posted by: cmetz
Carapace, you need to ensure that you have a nat 0 command pointing to an access-list that permits the IP address range of the VPN clients. Put another way, do not try to NAT or PAT traffic to or from the VPN clients.

The PIX really, really likes to PAT. So you have to tell it not to do that.

The same ACL if thoughtfully written can be used as the ACL for a vpngroup <x> split-tunnel command.

MysticLlama, I can't figure out what you're doing, but it's not split tunnelling to my knowledge. See the vpngroup <x> split-tunnel command. The goal is to push an IPsec SPD policy out to the VPN client. This is orthogonal to routing. (it SHOULDN'T be, but the person who edited the IPsec specs made it so, and that causes oh so many VPN headaches!)


The pool of IPs is exempt from NAT. I can see it in the PDM, and when I do a show config. Split tunneling is enabled, but from what I understand the only thing it will do is allow me to have an encrypted tunnel for data, and a non-encrypted tunnel for Internet.
I wish the damn VPN client allowed me to use my own default gateway.
It seems like the thing is bouncing my DNS requests, but I can't figure out why when the 10.0.0.0 IP pool is right there in my access list as ALLOW interface outside, inbound traffic.

Any other ideas?
 

MysticLlama

Golden Member
Sep 19, 2000
1,003
0
0
Well, I just got a call back from the Cisco tech today, and he told me there is no way to do it besides the batch file to manually set up routes.

I still think there has to be a way to do it, but they couldn't get it working automatically in the lab with a PIX and a router, and said that you can do it LAN to LAN, but not with roaming clients.

What a crock.
 

Carapace

Member
Dec 17, 2000
150
0
0
^^

I don't think this is true. About a year ago I myself used to VPN in to this exact same PIX with the exact same software and was able to get to the Internet.

I will post a pic of my config later. I need to be at home to do this, plus I'll need to bleep out confidential IPs.
 

Carapace

Member
Dec 17, 2000
150
0
0
Sorry it took so long. Here is a copy of my config:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable (deleted for security reasons)
passwd (deleted for security reasons)
hostname cuid
domain-name ciscopix.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 172.16.2.0 ESP_Tunnel
access-list inside_outbound_nat0_acl permit ip any 10.0.0.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 172.16.58.0 255.255.255.0 ESP_Tunnel 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip any 10.0.0.0 255.255.255.224
access-list outside_access_in permit ip 10.0.0.0 255.255.255.224 any
access-list outside_cryptomap_50 permit ip 172.16.58.0 255.255.255.0 ESP_Tunnel 255.255.255.0
access-list inside_access_in permit ip 172.16.58.0 255.255.255.0 ESP_Tunnel 255.255.255.0
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging trap warnings
logging host (outside ip deleted for security)
interface ethernet0 10baset
interface ethernet1 10full
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside (ip deleted for security) 255.255.255.0
ip address inside 172.16.58.251 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool oifcu_pool 10.0.0.1-10.0.0.25
pdm location 172.16.58.0 255.255.255.0 inside
pdm location (ip deleted for security) 255.255.255.0 outside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location 10.0.0.0 255.0.0.0 outside
pdm location ESP_Tunnel 255.255.255.0 outside
pdm location (ip deleted for security) 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 (ip deleted for security) 1
route outside 10.0.0.0 255.255.255.0 64.65.143.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http (ip deleted for security) 255.255.255.0 outside
http 10.0.0.0 255.255.255.0 outside
http 172.16.58.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set fireesp esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 50 ipsec-isakmp
crypto map outside_map 50 match address outside_cryptomap_50
crypto map outside_map 50 set peer (ip deleted for security)
crypto map outside_map 50 set transform-set fireesp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map oimainmap 10 ipsec-isakmp
isakmp enable outside
isakmp key ******** address (IP deleted) netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 60 60
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 1
isakmp policy 50 lifetime 1000
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption 3des
isakmp policy 70 hash md5
isakmp policy 70 group 1
isakmp policy 70 lifetime 86400
vpngroup oifcu address-pool oifcu_pool
vpngroup oifcu dns-server (DNS IPs deleted)
vpngroup oifcu split-tunnel outside_cryptomap_dyn_10
vpngroup oifcu idle-time 1800
vpngroup oifcu password ********
telnet 10.0.0.0 255.0.0.0 outside
telnet 10.0.0.0 255.255.255.0 outside
telnet 172.16.58.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 outside
ssh 10.0.0.0 255.0.0.0 outside
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local oifcu_pool
vpdn group PPTP-VPDN-GROUP client configuration dns (VPN DNS IPs deleted)
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username brendan password ********
vpdn enable outside
dhcpd address 172.16.58.30-172.16.58.40 inside
dhcpd dns (DHCP DNS IPs deleted)
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

Any ideas?
 
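As an added example (not from the thread, and not Cisco's code), this Python snippet parses the relevant lines of the config posted above and checks the two points cmetz raised: whether the VPN pool is exempted from NAT via `nat (inside) 0`, and whether the split-tunnel ACL is written with a real inside network as its source. It assumes PIX 6.x `permit ip SRC DST` ACE syntax and encodes the PIX 6.x convention that split-tunnel ACL entries name the protected network as source and the client pool as destination, so a source of `any` tells the client to tunnel everything.

```python
import ipaddress

# Constructed excerpt of the PIX 6.2(2) config posted above; the name ESP_Tunnel
# has been expanded to 172.16.2.0 so the parser only has to handle addresses.
CONFIG = """\
access-list inside_outbound_nat0_acl permit ip any 10.0.0.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 172.16.58.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip any 10.0.0.0 255.255.255.224
ip local pool oifcu_pool 10.0.0.1-10.0.0.25
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup oifcu address-pool oifcu_pool
vpngroup oifcu split-tunnel outside_cryptomap_dyn_10
"""

def _net(tokens, i):
    """Read one ACE address clause (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse(config):
    """Collect 'permit ip' ACEs, local pools, nat 0 bindings and vpngroup settings."""
    acls, pools, nat0, groups = {}, {}, {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, i = _net(t, 4)
            dst, _ = _net(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]
        elif t[:1] == ["vpngroup"]:
            groups.setdefault(t[1], {})[t[2]] = t[3]
    return acls, pools, nat0, groups

def pool_is_nat_exempt(config, group, iface="inside"):
    """True if the nat 0 ACL on iface has an ACE whose destination covers the whole pool."""
    acls, pools, nat0, groups = parse(config)
    first, last = pools[groups[group]["address-pool"]]
    return any(first in dst and last in dst for _, dst in acls.get(nat0.get(iface, ""), []))

def split_tunnel_catch_all(config, group):
    """True if any split-tunnel ACE has source 'any': on PIX 6.x the source is the
    protected network, so 'any' makes the client send all traffic into the tunnel."""
    acls, _, _, groups = parse(config)
    return any(src.prefixlen == 0 for src, _ in acls.get(groups[group].get("split-tunnel", ""), []))
```

Run against the posted config, the pool checks out as NAT-exempt while the split-tunnel ACL is flagged as a catch-all; rewriting that ACE with 172.16.58.0/24 as the source clears the flag.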

me19562

Senior member
Jun 27, 2001
374
0
0
You need to add an access-list allowing the traffic from your inside network to the outside.

Example

access-list outside_access_in permit ip 172.16.58.0 255.255.255.0 any
 

Carapace

Member
Dec 17, 2000
150
0
0
OK, I'll try this later when I get home, BUT.....if my inside network didn't already have access to the outside, wouldn't they have trouble connecting to the Internet?


Also, wouldn't this rule: access-list inside_access_in permit ip any any
permit any IP on the inside interface access to the outside?
 

Carapace

Member
Dec 17, 2000
150
0
0
Originally posted by: Phoenixhunter
What is the best way to learn how to use a Pix 501?

Trial and error is how I did it. Before this PIX, I had never worked with a Cisco device, or anything more complex than a Linksys router.

I started off with the PDM interface which is the built in web server. I continue to use it because I feel it is the easiest to support over the phone. I do some CLI stuff, but most of the time I just translate it and use the PDM to input it.
It has wizards that will walk you through basic setup. After the wizard completes you get a chance to see where it uses the settings you input, i.e. default gateway, DNS, external IP, internal IP, etc.....

I had the chance to use it at home for 2 months before I had to implement it, so that helped.
 

Carapace

Member
Dec 17, 2000
150
0
0
Originally posted by: me19562
Which DNS servers are you using? Can you resolve any address?

I am using the DNS server IPs that were provided to me by my ISP. As a VPN client I can't resolve anything. I can't even go to a website by typing in its IP.
 