[VPN] PIX 501 VPN problem

Joshua Vince Josh.Vince at bcgsys.com
Fri Feb 6 20:00:58 EST 2004


VPN users cannot browse the Internet through the VPN.  Traffic that enters the PIX on an interface cannot exit on the same interface.

Workaround:

Set up split tunneling, so that the VPN user uses their own Internet connection and only routes traffic destined for the corporate LAN over the VPN.

vpngroup GROUPNAME split-tunnel accesslistname

Where accesslistname is an access-list that defines traffic going from your corporate LAN to the IP pool you have set up for the VPN users.

Keep in mind, this is a security risk, because anything that can touch the VPN users' computer over their Internet connection, now has a link to your corporate network.

HTH.

Josh 
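As an added example (not part of any message in this thread), here is what Josh's workaround looks like when written against the vpngroup and address ranges that appear in Rob's posted config: the corporate LAN 192.168.1.0/24, the VPN pool 192.168.100.0/24 and the group PIXvpn01. The access-list name `split_tunnel` is an arbitrary name chosen for this example.

```cisco
! Added example, not from the thread. Assumes PIX 6.3 syntax as in the posted config.
! Traffic matching this access-list is the only traffic the VPN client sends over the tunnel;
! everything else (general Internet browsing) leaves via the client's own connection.
! Source = corporate LAN, destination = the VPN address pool (VPNpool01).
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

! Attach the list to the vpngroup the Cisco VPN client connects to.
vpngroup PIXvpn01 split-tunnel split_tunnel
```

After the client reconnects, the PIX pushes the 192.168.1.0/24 network to it as the only tunnelled destination, which is what makes the ISP gateway reachable again. The trade-off Josh describes still applies: the client machine now sits on the Internet and on the corporate LAN at the same time, so its own host firewall and patch level become part of the corporate perimeter.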

-----Original Message-----
From: vpn-bounces+joshv=bcgsys.com at lists.shmoo.com [mailto:vpn-bounces+joshv=bcgsys.com at lists.shmoo.com] On Behalf Of rob "i"
Sent: Friday, February 06, 2004 4:22 AM
To: 'Siddhartha Jain'; vpn at lists.shmoo.com
Subject: RE: [VPN] PIX 501 VPN problem


There is a working WINS server. I seem to have gotten the VPN to LAN connection working, though the authentication process for the NT domain logon does not work. I hope to fix that with LMHOSTS entries on the Windows 98 client.

Unfortunately, while clients on the LAN can access the Internet, remotely connected VPN clients cannot. In other words, someone on the LAN can ping the ISP gateway address, but someone connected via VPN cannot ping the gateway.

While there is only a single user that will be remote, he is the owner of the company.

I tried adding some rules, but the "sysopt connection permit-ipsec" is supposed to allow VPN connections to bypass access-lists.

I am confused, and the Cisco docs have left me more confused!!


-- Rob --


> -----Original Message-----
> From: vpn-bounces+vpninfo=robi.net at lists.shmoo.com
> [mailto:vpn-bounces+vpninfo=robi.net at lists.shmoo.com]On Behalf Of 
> Siddhartha Jain
> Sent: Thursday, February 05, 2004 9:54 PM
> To: rob.i at iname.com; vpn at lists.shmoo.com
> Subject: Re: [VPN] PIX 501 VPN problem
>
>
> For MS Networking to work on a IPSec tunnel you need to enable NetBIOS 
> over TCP/IP on your remote clients, setup a WINS server and point your 
> remote VPN clients to this WINS server.
>
> "Internet is not available" is ambiguous. Do you mean your inside 
> users cannot access the internet or the remote VPN client cannot 
> access the internet once they have established a VPN tunnel with the 
> PIX. In case of latter, that is the expected behaviour. Once a remote 
> client is connected to the VPN box, all traffic originating from the 
> remote client goes to the PIX box. For the remote client to talk to 
> the VPN tunnel and access the internet, both at the same time, you 
> need to configure split tunneling (has to be supported by the VPN 
> client and the PIX).
>
> HTH,
>
> Siddhartha
>
>
> --- "rob \"i\"" <rob.i at iname.com> wrote:
> > I just spent 8 hours without a break trying to get the VPN setup working, re-configuring the VPN from scratch three times. 
> > I found that the PDM is really dumb when it comes to VPN settings. 
> > The wizard will not properly edit the current settings.
> >
> > The Cisco documentation is not helpful, and is not very logical in 
> > order, and offers few good examples.
> > I've been reading Cisco docs for days now.
> >
> > So, I've got the firewall working just fine. The Cisco VPN client 
> > will connect, too. However, while I can ping LAN equipment, I cannot 
> > do anything with Microsoft services (such as doing a "net view") or 
> > browsing the Internet with IE.
> >
> > From the LAN itself, everything works great. That is, standard LAN clients work just fine.
> >
> > I spent a lot of time trying to figure out why the VPN wasn't 
> > working, and I even tried to add rules to allow traffic, though that 
> > didn't work because, according to the PDM, there are two "VPNpool01"
> > pools.
> >
> > I finally re-ran the VPN wizard again, which added some additional 
> > commands. The results were the same.
> > The VPN connects, TCP/IP works, but I can't browse Microsoft 
> > networking and the Internet is not available.
> >
> > I am looking at the PDM, and it shows three implicit rules for the 
> > IPsec rules.
> >
> > The config is becoming a mess and I don't know what to change now to 
> > get it all to work.
> >
> > If someone could take a look at my config, I would *really* appreciate it. If the problem can't be resolved, then I'll have to give up on this.
> >
> > If anyone could offer some insights, I would be eternally grateful!!
> >
> >
> > -- Rob --
> >
> >
> >
> > ------------------ show running-config ------------------
> >
> > : Saved
> > :
> > PIX Version 6.3(1)
> > interface ethernet0 auto
> > interface ethernet1 100full
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > enable password xxxxx/xxxxxxxxxx encrypted
> > passwd xxxxx/xxxxxxxxxx encrypted
> > hostname tollbooth
> > domain-name mydomain.com
> > fixup protocol ftp 21
> > fixup protocol h323 h225 1720
> > fixup protocol h323 ras 1718-1719
> > fixup protocol http 80
> > fixup protocol ils 389
> > fixup protocol rsh 514
> > fixup protocol rtsp 554
> > fixup protocol sip 5060
> > fixup protocol sip udp 5060
> > fixup protocol skinny 2000
> > fixup protocol smtp 25
> > no fixup protocol sqlnet 1521
> > names
> > access-list from-outside-coming-in permit ip 192.168.100.0 255.255.255.0 any
> > access-list from-outside-coming-in permit icmp any any echo-reply
> > access-list from-outside-coming-in permit icmp any any unreachable
> > access-list from-outside-coming-in permit icmp any any time-exceeded
> > access-list from-outside-coming-in deny tcp any any eq 135
> > access-list from-outside-coming-in deny udp any any eq netbios-ns
> > access-list from-outside-coming-in deny udp any any eq netbios-dgm
> > access-list from-outside-coming-in deny tcp any any eq netbios-ssn
> > access-list from-outside-coming-in deny tcp any any eq 445
> > access-list from-outside-coming-in permit tcp any interface outside eq smtp
> > access-list from-outside-coming-in permit tcp any interface outside eq www
> > access-list from-inside-going-out permit ip 192.168.100.0 255.255.255.0 any
> > access-list from-inside-going-out deny tcp any any eq 135
> > access-list from-inside-going-out deny udp any any eq netbios-ns
> > access-list from-inside-going-out deny udp any any eq netbios-dgm
> > access-list from-inside-going-out deny tcp any any eq netbios-ssn
> > access-list from-inside-going-out deny tcp any any eq 445
> > access-list from-inside-going-out permit ip any any
> > access-list outside_cryptomap_dyn_20 permit ip any 192.168.100.0 255.255.255.0
> > access-list inside_cryptomap_dyn_20 permit ip any 192.168.100.0 255.255.255.0
> > access-list inside_outbound_nat0_acl permit ip any 192.168.100.0 255.255.255.0
> > access-list outside_cryptomap_dyn_40 permit ip any 192.168.100.0 255.255.255.0
> > pager lines 24
> > mtu outside 1500
> > mtu inside 1500
> > ip address outside xxx.yyy.182.137 255.255.255.0
> > ip address inside 192.168.1.251 255.255.255.0
> > ip audit info action alarm
> > ip audit attack action alarm
> > ip local pool VPNpool01 192.168.100.1-192.168.100.254
> > pdm location 192.168.1.0 255.255.255.255 inside
> > pdm location 192.168.100.0 255.255.255.0 outside
> > pdm location 192.168.1.0 255.255.255.0 inside
> > pdm location 192.168.1.2 255.255.255.255 inside
> > pdm logging informational 100
> > pdm history enable
> > arp timeout 14400
> > global (outside) 1 interface
> > nat (inside) 0 access-list inside_outbound_nat0_acl
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
> > static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0
> > access-group from-outside-coming-in in interface outside
> > access-group from-inside-going-out in interface inside
> > route outside 0.0.0.0 0.0.0.0 xxx.yyy.182.114 1
> > timeout xlate 0:05:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server RADIUS protocol radius
> > aaa-server LOCAL protocol local
> > http server enable
> > http 192.168.1.0 255.255.255.0 inside
> > no snmp-server location
> > no snmp-server contact
> > snmp-server community public
> > no snmp-server enable traps
> > floodguard enable
> > sysopt connection permit-ipsec
> > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> > crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
> > crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
> > crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
> > crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> > crypto map outside_map interface outside
> > crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
> > crypto map inside_map interface inside
> > isakmp enable outside
> > isakmp nat-traversal 20
> > isakmp policy 20 authentication pre-share
> > isakmp policy 20 encryption 3des
> > isakmp policy 20 hash md5
> > isakmp policy 20 group 2
> > isakmp policy 20 lifetime 86400
> > vpngroup PIXvpn01 address-pool VPNpool01
> > vpngroup PIXvpn01 dns-server xxx.yyy.161.5 xxx.yyy.162.5
> > vpngroup PIXvpn01 wins-server 192.168.1.2 192.168.1.2
> > vpngroup PIXvpn01 default-domain mydomain.com
> > vpngroup PIXvpn01 idle-time 1800
> > vpngroup PIXvpn01 password ********
> > telnet 192.168.1.0 255.255.255.0 inside
> > telnet timeout 5
> > ssh 192.168.1.0 255.255.255.0 inside
> > ssh timeout 5
> > management-access inside
> >
> === message truncated ===

_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn