
Re: [fw-wiz] Pix to Pix VPN Help

To: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Subject: Re: [fw-wiz] Pix to Pix VPN Help
From: Prabhu Gurumurthy <pgurumu@gmail.com>
Date: Fri, 17 Nov 2006 16:32:09 -0800
Delivered-to: sp-com-lists@consult.net
Delivered-to: fwwizards-list2@consult.net
Delivered-to: firewall-wizards@listserv.icsalabs.com
In-reply-to: <51886.192.102.214.6.1161014845.squirrel@www.itsf.co.uk>
List-archive: <https://listserv.icsalabs.com/pipermail/firewall-wizards>
List-help: <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=help>
List-id: Firewall Wizards Security Mailing List <firewall-wizards.listserv.icsalabs.com>
List-post: <mailto:firewall-wizards@listserv.icsalabs.com>
List-subscribe: <https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=subscribe>
List-unsubscribe: <https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=unsubscribe>
References: <51886.192.102.214.6.1161014845.squirrel@www.itsf.co.uk>
Reply-to: pgurumu@gmail.com, Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Sender: firewall-wizards-bounces@listserv.icsalabs.com
User-agent: Thunderbird 1.5.0.8 (Windows/20061025)
access-list 130 permit ip 192.168.5.0 255.255.255.0 10.7.1.0 255.255.255.0

You need a nat (inside) 0 access-list statement.

That statement will tell the PIX device whether a given piece of traffic needs to ride
the tunnel or bypass it; otherwise the default action is to discard.

Hope this helps.
Prabhu
-

adrian@itsfhome.co.uk wrote:
> Hi All,
> 
>       I am looking for help in setting up a Pix to Pix VPN. I have gained some
> success in my configurations but I cannot create the VPN tunnel  and this
> is causing issues.
> 
>       The hardware configuration required is as follows:
> 
> Network -->  Inside Pix 506E --> Outside Pix 506E --> Internet
> 
>       The requirement of the Inside and Outside Pix is a Security requirement
> at my site.
> 
> The IP Address ranges are as follows:
> 
> Network: 192.168.5.x
> Internal Pix: Inside: 192.168.5.1
>                      Outside: 192.168.9.3
> Outside Pix: Inside: 192.168.9.1
>                      Outside: 172.30.6.231
> 
> Address 172.30.6.231 is natted out to a public IP address and the Internet.
> 
> What I require: Inside address 192.168.5.2 to connect to a remote address
> 10.7.1.1 via VPN. Therefore Address 192.168.5.2 translated to 192.168.9.2
> for Outside Pix and then translated to 172.30.6.232 and then onto Public
> IP address.
> 
> Here are my successes/failures:
> 
> From a Dynamic IP Address on the Network (192.168.5.10) I can access the
> Internet, proving the path through the network.
> When I configure to 192.168.5.2, I cannot access the internet. Do I have a
> NAT issue here? When I attempt to connect, the logs do not raise NAT
> errors.
> When I try to connect to remote address 10.7.1.1, no VPN tunnel etc.
> 
> What I require it to do:
> With address 192.168.5.2, translate to 192.168.9.2, translate to
> 172.30.6.232.
> If I configure for 192.168.9.2 and connect to Outside Pix I have internet
> connectivity. If I configure for 192.168.5.2 I lose connectivity – no
> clear logged issues.
> Return path should get through to 192.168.5.2
> 
> 
> Finally – from address 172.30.6.230, I should be able to access both PIXes.
> 
> Current Pix Configs
> 
> ********INSIDE***************
> 
> : Saved
> : Written by enable_15 at 12:07:01.353 UTC Mon Oct 16 2006
> PIX Version 6.3(4)
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password orMeD9LEZDGVgHNT encrypted
> passwd zdWLaxrocvVoOrCk encrypted
> hostname FWL-BEE-INSIDE
> domain-name qinetiq.com
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list 100 permit ip any host 192.168.5.1
> access-list 100 permit ip any host 192.168.9.2
> access-list 100 permit ah any host 192.168.9.2
> access-list 100 permit esp any host 192.168.9.2
> access-list 100 permit esp any host 192.168.9.1
> access-list 100 permit ah any host 192.168.9.1
> access-list 100 permit ip any host 192.168.9.1
> access-list 100 permit ip 192.168.5.0 255.255.255.0 10.7.1.0 255.255.255.0
> access-list 100 permit ip 10.7.1.0 255.255.255.0 192.168.5.0 255.255.255.0
> access-list 130 permit ip 192.168.5.0 255.255.255.0 10.7.1.0 255.255.255.0
> pager lines 24
> logging on
> logging buffered debugging
> mtu outside 1500
> mtu inside 1500
> ip address outside 192.168.9.3 255.255.255.0
> ip address inside 192.168.5.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 192.168.5.0 255.255.255.0 0 0
> static (inside,outside) 192.168.9.2 192.168.5.2 netmask 255.255.255.255 0 0
> static (outside,inside) 192.168.5.2 192.168.9.2 netmask 255.255.255.255 0 0
> route outside 0.0.0.0 0.0.0.0 192.168.9.1 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set secure esp-3des esp-sha-hmac
> crypto map securemap 30 ipsec-isakmp
> crypto map securemap 30 match address 130
> crypto map securemap 30 set peer 213.161.69.90
> crypto map securemap 30 set transform-set secure
> crypto map securemap interface outside
> isakmp enable outside
> isakmp key ******** address 213.161.69.90 netmask 255.255.255.255
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash sha
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 1000
> telnet timeout 5
> ssh 0.0.0.0 0.0.0.0 outside
> ssh timeout 5
> console timeout 0
> dhcpd address 192.168.5.10-192.168.5.41 inside
> dhcpd dns 194.72.6.57 194.73.82.242
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd auto_config outside
> dhcpd enable inside
> terminal width 80
> banner motd Contact: name
> banner motd Site: BEE
> banner motd Location: loc
> Cryptochecksum:a0ea8db40e0b82673fa526d14173ce83
> 
> 
> 
> **************Outside**************
> 
> : Saved
> : Written by enable_15 at 05:14:26.322 UTC Mon Oct 16 2006
> PIX Version 6.3(5)
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password orMeD9LEZDGVgHNT encrypted
> passwd zdWLaxrocvVoOrCk encrypted
> hostname FWL-FRN-OUTSIDE
> domain-name qinetiq.com
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list INSIDE-OUT permit ip any host 192.168.9.1
> access-list INSIDE-OUT permit ah any any
> access-list INSIDE-OUT permit esp any any
> access-list INSIDE-OUT permit ip any any log
> access-list INSIDE-OUT permit icmp any any
> access-list OUTSIDE-IN permit esp any host 172.30.6.232
> access-list OUTSIDE-IN permit ah any host 172.30.6.232
> access-list OUTSIDE-IN permit ip any host 172.30.6.232
> access-list OUTSIDE-IN permit esp any host 172.30.6.231
> access-list OUTSIDE-IN permit ah any host 172.30.6.231
> access-list OUTSIDE-IN permit ip any host 172.30.6.231
> access-list OUTSIDE-IN deny ip any 10.0.0.0 255.0.0.0
> access-list OUTSIDE-IN deny ip any 172.16.0.0 255.240.0.0
> access-list OUTSIDE-IN deny ip any 192.168.0.0 255.255.0.0
> access-list OUTSIDE-IN deny ip any any log
> access-list OUTSIDE-IN permit icmp any any
> pager lines 24
> logging on
> logging buffered debugging
> mtu outside 1500
> mtu inside 1500
> ip address outside 172.30.6.231 255.255.255.0
> ip address inside 192.168.9.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> no pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 192.168.9.0 255.255.255.0 0 0
> static (outside,inside) 192.168.9.2 172.30.6.232 netmask 255.255.255.255 0 0
> static (inside,outside) 172.30.6.232 192.168.9.2 netmask 255.255.255.255 0 0
> access-group OUTSIDE-IN in interface outside
> access-group INSIDE-OUT in interface inside
> route outside 0.0.0.0 0.0.0.0 172.30.6.20 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout sip-disconnect 0:02:00 sip-invite 0:03:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> telnet timeout 5
> ssh 172.30.6.228 255.255.255.255 outside
> ssh 172.30.6.229 255.255.255.255 outside
> ssh 172.30.6.230 255.255.255.255 outside
> ssh timeout 5
> console timeout 0
> dhcpd address 192.168.9.10-192.168.9.40 inside
> dhcpd dns 194.72.6.57 194.73.82.242
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd enable inside
> terminal width 80
> banner motd Contact: name
> banner motd Contact: name
> Cryptochecksum:f9c92b4c259f0cf2fad02ce3cbfcac26
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> 


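One way to see what the missing statement changes, as an added example that is not from the thread: a small Python model of the PIX 6.3 outbound order of operations (NAT exemption from `nat 0 access-list`, then `static`, then the interface `global`), with the result checked against crypto ACL 130 from the INSIDE config above. The assumed exemption ACL reuses the entries of ACL 130, and the Internet-bound destination 194.72.6.57 is just the DNS server from the config, used as a constructed sample.

```python
# Added example (not from the thread): model how PIX 6.3 picks the outbound
# translation for a flow and then tests the crypto-map match ACL against the
# post-NAT addresses. Config values come from the INSIDE PIX in the quoted
# message; "nat (inside) 0 access-list 130" is the line the reply says is missing.
from ipaddress import ip_address, ip_network

def cidr(addr, mask):
    """Build a network from PIX 'address mask' notation."""
    return ip_network(f"{addr}/{mask}", strict=False)

# access-list 130 permit ip 192.168.5.0 255.255.255.0 10.7.1.0 255.255.255.0
ACL_130 = [(cidr("192.168.5.0", "255.255.255.0"), cidr("10.7.1.0", "255.255.255.0"))]

# static (inside,outside) 192.168.9.2 192.168.5.2 netmask 255.255.255.255
STATICS = {"192.168.5.2": "192.168.9.2"}

# global (outside) 1 interface  ->  PAT to the outside interface address
OUTSIDE_IF = "192.168.9.3"

def acl_permits(acl, src, dst):
    """True if any (src-net, dst-net) entry of the ACL covers the flow."""
    return any(ip_address(src) in s and ip_address(dst) in d for s, d in acl)

def translate(src, dst, nat0_acl=None):
    """Source address as it leaves the outside interface.
    PIX 6.x evaluates NAT exemption (nat 0 access-list) first, then static
    translations, then the dynamic nat/global pair."""
    if nat0_acl is not None and acl_permits(nat0_acl, src, dst):
        return src                 # exempt from NAT: real address is kept
    if src in STATICS:
        return STATICS[src]        # static (inside,outside) real -> mapped
    return OUTSIDE_IF              # global (outside) 1 interface

def path_for(src, dst, nat0_acl=None):
    """Crypto ACL 130 is matched against the post-NAT source, so the address
    the flow carries after translation decides whether it rides the tunnel."""
    translated = translate(src, dst, nat0_acl)
    rides_tunnel = acl_permits(ACL_130, translated, dst)
    return translated, "tunnel" if rides_tunnel else "clear (default route)"

if __name__ == "__main__":
    # Without exemption: static rewrites 192.168.5.2 -> 192.168.9.2, ACL 130 misses.
    print(path_for("192.168.5.2", "10.7.1.1"))
    # With "nat (inside) 0 access-list 130": source kept, ACL 130 matches.
    print(path_for("192.168.5.2", "10.7.1.1", nat0_acl=ACL_130))
    # Internet-bound traffic (constructed sample) is still PATed and sent in the clear.
    print(path_for("192.168.5.10", "194.72.6.57", nat0_acl=ACL_130))
```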