Re: [fw-wiz] cisco crypto dynamic map problem?

From: Dave Rinker (firewall_at_dsrtech.com)
Date: 05/02/03

    To: firewall-wizards@honor.icsalabs.com
    Date: 01 May 2003 18:53:47 -0400
    

    Sounds like your NAT 0 is not configured correctly. PIX is still trying
    to NAT the IP pool to your terminal service IP per the deny log.

    Check your ACL 101 again for typos and correct networks.

    (I once overlooked 255.255.225.0 for 255.255.255.0 in a BGP config :)
    Not hard to do when you're looking at loads of code.

    On Thu, 2003-05-01 at 11:04, Meindert Uitman wrote:
    > cisco crypto dynamic map problem?
    >
    > Here's the story:
    > Cisco's vpn client 3.5 once connected to my pix515. all worked fine. After
    > accidentally overwriting configuration, and reentering it, :-{ , clients
    > can connect, but traffic through the pix isn't possible.
    >
    > In short:
    >
    > ip local pool defined
    > acl 101 permit ip for ip local pool
    > acl 102 permit ip for cryptomap 'q'
    > nat 0 for acl 101
    > static(inside,outside) public_ip_TS_server local_ip netmask
    >
    > sysopt connection permit ipsec
    > isakmp and vpngroup defined
    >
    > crypto ipsec transform-set 'a'
    > crypto dynamic-map 'q' nn match adr acl 102
    > crypto dynamic-map 'q' nn set transform set 'a'
    >
    > crypto map oustside-map nnnn ipsec-isakmp dynamic 'q'
    > crypto map oustside-map interface outside
    >
    > vpn client connects to outside intf of pix.
    > Terminal services tries to connect to static for TS-server.
    > vpn client states 'connected' (correct address from ip local pool). Pix
    > logging shows: SAs established.
    > After attempts to 'terminal-service' through the Pix, Pix logging shows:
    > deny inbound, no xlate src correct_ip_local_pool dst
    > outside_publ_addr_client_machine
    >
    > Overlooked config several times, could use a pointed stick towards
    > solution..
    > Thanks in advance..
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

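    The reply above points at the two things that usually break PIX NAT
    exemption for a VPN pool: the nat 0 ACL not actually matching the
    inside host and the pool, and a mis-typed netmask such as 255.255.225.0.
    The following script is an added example, not code from either poster
    or from Cisco: it takes a constructed PIX 6.x-style fragment (the pool,
    ACL, nat 0 and static lines are hypothetical and chosen only to
    illustrate the check), flags non-contiguous masks, and verifies that the
    nat 0 ACL exempts the inside server's traffic to the whole ip local pool.

    ```python
    from __future__ import annotations

    import ipaddress
    import re

    # Constructed config fragments (assumed, not the poster's real config).
    # Interface names, addresses and ACL numbers are hypothetical.
    BROKEN_CONFIG = """\
    ip local pool vpnpool 192.168.100.1-192.168.100.50
    access-list 101 permit ip 10.1.1.0 255.255.225.0 192.168.100.0 255.255.255.0
    nat (inside) 0 access-list 101
    static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
    """

    FIXED_CONFIG = """\
    ip local pool vpnpool 192.168.100.1-192.168.100.50
    access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    nat (inside) 0 access-list 101
    static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
    """

    ACE_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
    POOL_RE = re.compile(r"^ip local pool (\S+) ([^-\s]+)-(\S+)$")
    NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
    STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")


    def mask_is_contiguous(mask: str) -> bool:
        """True when the dotted-quad mask is a run of ones followed by zeros."""
        m = int(ipaddress.IPv4Address(mask))
        host_bits = (~m) & 0xFFFFFFFF
        # A contiguous mask has host bits of the form 2**k - 1.
        return (host_bits & (host_bits + 1)) == 0


    def check_nat_exemption(config: str) -> list[str]:
        """Return a list of findings; an empty list means the nat 0 setup is consistent."""
        findings: list[str] = []
        aces: dict[str, list[tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]] = {}
        pool = None
        nat0_acl = None
        inside_hosts: list[ipaddress.IPv4Address] = []

        for raw in config.splitlines():
            line = raw.strip()
            if m := POOL_RE.match(line):
                pool = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
            elif m := NAT0_RE.match(line):
                nat0_acl = m[2]
            elif m := STATIC_RE.match(line):
                # Local (inside) address of the statically translated server.
                inside_hosts.append(ipaddress.IPv4Address(m[4]))
            elif m := ACE_RE.match(line):
                acl, src, smask, dst, dmask = m.groups()
                bad = [mk for mk in (smask, dmask) if not mask_is_contiguous(mk)]
                if bad:
                    findings.append(f"acl {acl}: non-contiguous netmask {bad[0]} (typo?) in: {line}")
                    continue
                aces.setdefault(acl, []).append((
                    ipaddress.IPv4Network(f"{src}/{smask}", strict=False),
                    ipaddress.IPv4Network(f"{dst}/{dmask}", strict=False),
                ))

        if pool is None:
            findings.append("no ip local pool defined")
        if nat0_acl is None:
            findings.append("no nat 0 access-list defined")
        if pool is not None and nat0_acl is not None:
            # Every inside host that clients must reach needs an ACE whose source
            # covers the host and whose destination covers the entire pool.
            for host in inside_hosts:
                covered = any(
                    host in s and pool[0] in d and pool[1] in d
                    for s, d in aces.get(nat0_acl, [])
                )
                if not covered:
                    findings.append(
                        f"nat 0 acl {nat0_acl} does not exempt {host} <-> pool {pool[0]}-{pool[1]}"
                    )
        return findings


    if __name__ == "__main__":
        for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
            print(name, check_nat_exemption(cfg) or ["ok"])
    ```

    The broken fragment produces two findings (the bad mask, and as a
    consequence an uncovered server), the fixed one none. The check only
    models the pieces the thread discusses (pool, nat 0 ACL, static); it
    does not parse the crypto map or vpngroup lines.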

