RE: [fw-wiz] Cisco Pix 515E Configuration

From: Jason Ostrom (justiceguy_at_pobox.com)
Date: 12/12/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Sun, 12 Dec 2004 13:00:23 -0600
    
    

    I have seen similar problems with one-way audio with Cisco soft phone
    client using Cisco IPSec vpn -> PIX, but it sounds different from what
    you are describing.

    Some things to think about in addition to the advice you have already
    received:
    1. The "problem" in which the PIX OS 6.x can not forward a packet back
    out the same interface that it received, known as hairpinning, is
    correct, but may not be an issue soon, assuming that it is your problem.
    This likely will not be an issue in PIX OS 7.0, from what I have heard.
    Also keep in mind that a Cisco VPN router, in addition to the VPN
    Concentrator, would also get around this problem, and has advantages
    such as supporting QoS for VoIP which the Concentrator may not offer.

    2. If the problem is that the packets are forwarded back out the same
    interface they were received on by the PIX, then this can most likely be
    resolved by setting up static routes or correct crypto map ACLs.

    3. Some general troubleshooting steps:
    Can the soft phones ping each other once both have established an IPSec
    connection and an IP address in the pool?
    Are they located on the same subnet?
    Is the Nortel switch on the same subnet?
    What kind of media protocol is being used on the soft phones? H.323,
    SIP?
    Do call setup packets need to take a different route than RTP and how do
    crypto map ACLs and static routes account for this?

    I don't know what protocols are used by the Nortel switch or soft phones
    you are describing. With SIP and H.323, the call setup will normally be
    established through the switch, and the direct audio RTP will take place
    directly between soft phones. It sounds like the second step is
    failing. So I would ask you, would it be possible to run debug with
    Ethereal and see where the RTP packets are being sent? Are they being
    sent to the switch or directly between the soft phones?

    Jason

    On Sat, 2004-12-11 at 16:29 -0500, Sanford Reed wrote:
    > I have done both.
    >
    > I have installed several 515E and the 506/506E PIXs. In all installs I have
    > used the same interface to connect direct to the Internet. It is called
    > 'split tunneling' in the PIX setup. Having to use a proxy to get 'back out'
    > means that your configuration is not set up for split tunneling, so the outbound
    > ACLs don't include the VPN Client subnet as allowed.
    >
    > As for the IP Phones, as I stated before I had this working using an Avaya
    > Switch. It uses 2 interfaces on the switch to establish the call but if the
    > IP extensions are on the same switch it then drops the 'Control' channel and
    > continues the call via only the Voice channel. It still controls the call
    > thru the switch so the path is really IP Phone #1 -> VPN Client -> PIX ->
    > Switch -> PIX -> VPN client -> IP Phone. If I remember the Nortel setup
    > correctly, it works the same. I did have a lot of problems with the IP
    > Phones software getting it to recognize the VPN Client as the correct
    > interface to use because the PC running the client maintains its 'real' IP
    > address for the network. It was finally solved by Avaya issuing new software
    > that had an 'override' setting that the user had to set each VPN Session to
    > match the assigned VPN address received. Once this occurred it took some
    > tweaking of the protocols that the Switch used to establish the VOIP Session
    > and everything works great.
    >
    > Sanford Reed
    > (V) 7575.406.7067
    >
    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Eric Gunnett
    > Sent: Tuesday, December 07, 2004 4:36 PM
    > To: firewall-wizards@honor.icsalabs.com; bruce_the_loon@worldonline.co.za
    > Subject: RE: [fw-wiz] Cisco Pix 515E Configuration
    >
    > That is the exact problem we are having. As I have found out. Our
    > phone switch is a Nortel and I have the admin of it looking in it. Otherwise
    > it looks like we will have to scrap the idea and move to a VPN concentrator
    > or reconfigure a section of our network in order to get the phone switch and
    > vpn working in conjunction.
    >
    >
    >
    > Eric Gunnett
    > System Administrator
    > Zoovy, Inc.
    > eric@zoovy.com
    >
    >
    > >>> "Bruce Smith" <bruce_the_loon@worldonline.co.za> 12/07/04 01:15PM >>>
    > Hi Eric
    >
    > As far as I am aware, the PIX will not route out via the same interface the
    > packet came in on. For example if I connect to our VPN from the Internet, I
    > cannot get direct access to the Internet unless I use the proxy server
    > inside the network. If I am wrong on this, can someone tell me what I've
    > misconfigured.
    >
    > So the ability for the two VPN clients to connect via the IP phone switch
    > depends on how the system works. If all traffic is routed explicitly to the
    > phone switch and out, you shouldn't have a problem if all ACLs are set up
    > correctly to allow the IP phone traffic. If the system only uses the switch
    > to set up the call and then the two hosts begin talking directly to each
    > other, as Skype does and a couple of IP phone systems I've seen, then I
    > guess you're buggered. But before you give up if the ip phones talk
    > directly, check whether the software can be configured to route all traffic
    > via the phone switch.
    >
    > Regards
    >
    > Bruce Smith
    > Firewall Administrator
    > Port Elizabeth Technikon
    >
    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Eric Gunnett
    > Sent: 03 December 2004 11:33 PM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] Cisco Pix 515E Configuration
    >
    >
    > I am hoping someone can help me with this problem. I have a Cisco
    > 515E with 6.3 on it. I have configured the PIX for VPN connections with
    > authentication through RADIUS. My connections from Client -> Pix ->
    > Internal Network work great. But we are using a phone switch that is trying
    > to pass off the IP phone connection between two clients that are connected
    > through the PIX, such as VPN Client 1 -> Pix -> VPN Client 2. Is this
    > possible? I have attached my config below.
    >
    > PIX Version 6.3(3)
    > interface ethernet0 10baset
    > interface ethernet1 10baset
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password 8eATWrVtoJW4T5CL encrypted
    > passwd BGogFIdB6jmwTyg7 encrypted
    > hostname PIX
    > domain-name example.com
    > clock timezone PDT -8
    > clock summer-time PDT recurring
    > fixup protocol dns maximum-length 512
    > fixup protocol ftp 21
    > no fixup protocol h323 h225 1720
    > no fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > fixup protocol http 443
    > fixup protocol http 8080
    > no fixup protocol rsh 514
    > no fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > no fixup protocol skinny 2000
    > no fixup protocol smtp 25
    > no fixup protocol sqlnet 1521
    > no fixup protocol tftp 69
    > names
    > access-list acl_outbound permit tcp any any
    > access-list acl_outbound permit ip any any
    > access-list acl_outbound permit udp any any
    > access-list acl_outbound permit icmp any any
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.50
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.51
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.52
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.53
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.54
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.55
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.56
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.57
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.58
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.59
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.60
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.61
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.62
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.63
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.64
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.65
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.66
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.67
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.68
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.69
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.70
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.71
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.72
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.73
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.74
    > access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.75
    > access-list 80 permit ip 192.168.99.0 255.255.255.0 192.168.99.0 255.255.255.0
    > access-list 80 permit ip host 192.168.99.56 host 192.168.99.57
    > access-list 80 permit ip host 192.168.99.57 host 192.168.99.56
    > access-list 80 permit ip 192.168.99.0 255.255.255.0 any
    > access-list split permit tcp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    > pager lines 40
    > logging on
    > logging timestamp
    > logging monitor notifications
    > logging trap notifications
    > icmp permit any outside
    > icmp permit any inside
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside 66.67.68.69 255.255.255.224
    > ip address inside 192.168.99.1 255.255.255.0
    > ip audit info action alarm
    > ip audit attack action alarm
    > ip local pool VPN 192.168.99.50-192.168.99.75
    > no failover
    > failover timeout 0:00:00
    > failover poll 15
    > no failover ip address outside
    > no failover ip address inside
    > no pdm history enable
    > arp timeout 14400
    > global (outside) 1 63.108.93.25
    > nat (inside) 0 access-list 80
    > nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    > access-group acl_outbound in interface outside
    > route outside 0.0.0.0 0.0.0.0 66.67.68.1 1
    > route inside 192.168.1.0 255.255.255.0 192.168.99.1 1
    > timeout xlate 3:00:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server radius-authport 1812
    > aaa-server radius-acctport 1813
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > aaa-server RADIUS (inside) host 192.168.1.12 secretpass timeout 15
    > aaa-server LOCAL protocol local
    > aaa-server local protocol radius
    > aaa-server partnerauth protocol radius
    > aaa-server partnerauth (inside) host 192.168.1.12 secretpass timeout 15
    > ntp server 130.126.24.24 source outside
    > snmp-server enable traps
    > floodguard enable
    > sysopt connection permit-ipsec
    > crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    > crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-MD5
    > crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    > crypto map outside_map client configuration address initiate
    > crypto map outside_map client authentication partnerauth
    > crypto map outside_map interface outside
    > isakmp enable outside
    > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    > isakmp client configuration address-pool local VPN outside
    > isakmp policy 20 authentication pre-share
    > isakmp policy 20 encryption aes-256
    > isakmp policy 20 hash md5
    > isakmp policy 20 group 5
    > isakmp policy 20 lifetime 86400
    > vpngroup group idle-time 1800
    > vpngroup enable idle-time 1800
    > vpngroup Developers address-pool VPN
    > vpngroup Developers idle-time 1800
    > vpngroup Developers device-pass-through
    > telnet timeout 1
    > ssh 192.168.1.0 255.255.255.0 inside
    > ssh timeout 5
    > console timeout 15
    > terminal width 80
    > Cryptochecksum:c7f91c5bc5fef54edd6d720856a6429f
    > : end
    >

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
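The points in this thread that decide whether VPN Client 1 -> PIX -> VPN Client 2 can work (Jason's items 1 and 2, Bruce's remark about ACLs, Sanford's about split tunneling) can be checked mechanically against the posted config. The checker below is an added example and is not code from the list, from any poster, or from Cisco. It assumes only the PIX 6.x command syntax visible in Eric's config, plus one fact not on the page: forwarding a packet back out the interface it arrived on became possible in PIX 7.0 with `same-security-traffic permit intra-interface`. The sample lines are copied from Eric's config; the group name `Developers`, the pool `VPN`, and the ACL names `80` and `split` come from it. It reports whether the software version can hairpin at all, whether the group has split tunneling (if not, a packet for the other client enters the tunnel and arrives on outside, so it would have to leave outside again), and whether the nat 0 ACL exempts pool-to-pool TCP (call setup) and UDP (RTP) in both directions.

```python
"""Added example (not the list's or Cisco's code): a checker for the PIX 6.x
client-to-client VPN question. It parses the few statements that matter:
software version, the vpngroup's address pool and split-tunnel setting, and
the NAT-exempt (nat 0) access list bound to the inside interface.
"""
import ipaddress
import re

# Constructed sample: the relevant lines copied from the config posted in the
# thread; everything else from that config is omitted.
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.50
access-list 80 permit ip 192.168.99.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list 80 permit ip host 192.168.99.56 host 192.168.99.57
access-list 80 permit ip 192.168.99.0 255.255.255.0 any
access-list split permit tcp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
ip local pool VPN 192.168.99.50-192.168.99.75
nat (inside) 0 access-list 80
vpngroup Developers address-pool VPN
vpngroup Developers idle-time 1800
"""


def _addr(t, i):
    """Consume one PIX address spec (any | host A | A MASK) at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract version, ACL entries, address pools, nat 0 bindings, vpngroups."""
    cfg = {"version": None, "acls": {}, "pools": {}, "nat0": {}, "groups": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["PIX", "Version"]:
            m = re.match(r"(\d+)\.(\d+)", t[2])
            cfg["version"] = (int(m.group(1)), int(m.group(2)))
        elif t[0] == "access-list" and len(t) > 5 and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            cfg["acls"].setdefault(t[1], []).append((t[2], t[3], src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[0] == "vpngroup" and t[2] in ("address-pool", "split-tunnel"):
            cfg["groups"].setdefault(t[1], {})[t[2]] = t[3]
    return cfg


def acl_permits(entries, proto, src, dst):
    """First-match evaluation of one ACL for a packet; implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, edst in entries:
        if eproto in ("ip", proto) and src in esrc and dst in edst:
            return action == "permit"
    return False


def check_client_to_client(cfg, group):
    """Report what the config says about traffic between two clients of `group`."""
    g = cfg["groups"][group]
    lo, hi = cfg["pools"][g["address-pool"]]
    nat0 = cfg["acls"].get(cfg["nat0"].get("inside", ""), [])
    both_ways = ((lo, hi), (hi, lo))
    return {
        # PIX 6.x drops traffic that would leave the interface it arrived on;
        # 7.0 added 'same-security-traffic permit intra-interface' (assumption
        # stated in the lead-in, not something the thread itself confirms).
        "hairpin_supported": cfg["version"] is not None and cfg["version"][0] >= 7,
        # Without split tunneling every client packet, including one for the
        # other client, enters the tunnel and arrives on the outside interface.
        "split_tunnel": "split-tunnel" in g,
        # Call setup (TCP) and RTP media (UDP) between two pool addresses must
        # both be NAT-exempt, in both directions.
        "nat0_tcp": all(acl_permits(nat0, "tcp", a, b) for a, b in both_ways),
        "nat0_udp": all(acl_permits(nat0, "udp", a, b) for a, b in both_ways),
    }


if __name__ == "__main__":
    report = check_client_to_client(parse_config(SAMPLE_CONFIG), "Developers")
    for key, value in report.items():
        print(f"{key:18} {value}")
```

Run against the posted config it reports hairpin_supported False, split_tunnel False and both nat0 checks True: ACL 80 already exempts pool-to-pool traffic for every protocol, so on this 6.3 box it is the same-interface forwarding rule, not the exemption list, that stands in the way of the client-to-client path. The checker evaluates ACL entries literally; calling `acl_permits` on the `split` list shows that its single entry matches TCP only, but the code does not model how the VPN client consumes a split-tunnel list, so treat that as a prompt to look rather than a diagnosis.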

