[fw-wiz] Cisco PIX VPN Pass-Through

From: Nick Chettle (nick.chettle_at_trinite.co.uk)
Date: 12/13/04

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 13 Dec 2004 14:07:18 -0000
    
    

    Hi List,

    I am having a few problems with allowing IPSEC through a Cisco PIX 501.
    The setup is as follows:

    Host (Checkpoint Client) (192.168.1.111)
    |
    PIX (NAT)
    |
    INTERNET
    |
    VPN Server (Checkpoint)

    The problem is, the PIX keeps dropping my outgoing isakmp packets on
    its *internal* interface!

    710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp
    710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp
    710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp
    710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp
    710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp
    710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp

    Does anyone know why it's doing this? Anything from my internal (Security
    Level 100) should pass straight to my external interface and out onto
    the net. For some reason though, it's treating isakmp packets
    differently...

    I've included my config below, can anyone see anything I've missed or
    have any ideas why it's dropping the isakmp packets?

    Thanks for any help.

    Nick Chettle

    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 3GGXyVtUoSBXYQhs encrypted
    passwd cKU2di4GRadMEEhe encrypted
    hostname sokar
    domain-name example.net
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list 100 permit icmp any any
    access-list 100 permit tcp any host 213.208.82.183 eq www
    access-list 100 permit tcp any host 213.208.82.183 eq 3306
    access-list 100 permit tcp any host 213.208.82.179 eq 3389
    access-list 100 permit tcp any host 213.208.82.182 eq 6881
    access-list 100 permit tcp any host 213.208.82.179 eq 6881
    access-list 100 permit tcp any host 213.208.82.182 eq pptp
    access-list 100 permit gre any host 213.208.82.182
    access-list 100 permit tcp any host 213.208.82.177 eq 18231
    access-list 100 permit udp any host 213.208.82.177 eq 18233
    access-list 100 permit udp any host 213.208.82.187 eq 18233
    access-list 100 permit tcp any host 213.208.82.187 eq 18231
    access-list 100 permit esp any host 213.208.82.187
    access-list 100 permit udp any host 213.208.82.187 eq isakmp
    pager lines 24
    logging on
    logging timestamp
    logging buffered errors
    logging trap notifications
    mtu outside 1500
    mtu inside 1500
    ip address outside 213.208.82.178 255.255.255.240
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.1.4 255.255.255.255 inside
    pdm location 192.168.1.5 255.255.255.255 inside
    pdm location 192.168.1.6 255.255.255.255 inside
    pdm location 192.168.1.7 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    alias (inside) 213.208.82.183 192.168.1.6 255.255.255.255
    alias (inside) 213.208.82.181 192.168.1.4 255.255.255.255
    alias (inside) 213.208.82.180 192.168.1.3 255.255.255.255
    static (inside,outside) 213.208.82.182 192.168.1.5 netmask 255.255.255.255 0 0
    static (inside,outside) 213.208.82.183 192.168.1.6 netmask 255.255.255.255 0 0
    static (inside,outside) 213.208.82.181 192.168.1.4 netmask 255.255.255.255 0 0
    static (inside,outside) 213.208.82.179 192.168.1.2 netmask 255.255.255.255 0 0
    static (inside,outside) 213.208.82.184 192.168.1.7 netmask 255.255.255.255 0 0
    static (inside,outside) 213.208.82.180 192.168.1.3 netmask 255.255.255.255 0 0
    static (inside,outside) 213.208.82.187 192.168.1.111 netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 213.208.82.177 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 25
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.21-192.168.1.25 inside
    dhcpd dns 213.208.106.212 213.208.106.213
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain example.net
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:73a08833c4a9243ad6d16e4534bf64b2
    : end
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
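As an added diagnostic example (not part of Nick's post and not Cisco tooling), the following Python script parses 710005 lines of the form quoted above and checks each discarded packet's destination against the interface addresses declared by the config's "ip address" lines. The config snippet and log lines embedded below are constructed from the values in the post; the second log line uses a destination that is not a firewall address, purely to show the negative case.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "ip address <ifname> <addr> <mask>" as written in PIX 6.x configs.
IP_ADDR_RE = re.compile(r"^\s*ip address (?P<ifname>\w+) (?P<addr>[\d.]+) [\d.]+", re.M)

# Message 710005 as shown in the post: "<proto> request discarded from
# <src>/<port> to <ifname>:<dst>/<port-or-service>". A "%PIX-7-" tag that a
# syslog collector would prepend is accepted but not required.
LOG_RE = re.compile(
    r"(?:%PIX-\d-)?710005:\s+(?P<proto>\w+) request discarded from "
    r"(?P<src>[\d.]+)/(?P<sport>\w+) to "
    r"(?P<ifname>\w+):(?P<dst>[\d.]+)/(?P<dport>\w+)"
)

# Constructed from the two "ip address" lines in the posted config.
CONFIG_SNIPPET = """\
ip address outside 213.208.82.178 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
"""


def interface_addresses(config_text: str) -> Dict[str, str]:
    """Map interface name -> address from the config's ip address lines."""
    return {m.group("ifname"): m.group("addr") for m in IP_ADDR_RE.finditer(config_text)}


FIREWALL_ADDRS = interface_addresses(CONFIG_SNIPPET)


@dataclass
class Discard:
    proto: str
    src: str
    sport: str
    ifname: str
    dst: str
    dport: str

    def addressed_to_firewall(self, fw_addrs: Dict[str, str] = FIREWALL_ADDRS) -> bool:
        """True when the destination is the firewall's own address on the
        interface the packet arrived on, i.e. it was aimed at the PIX itself."""
        return fw_addrs.get(self.ifname) == self.dst


def parse_discard(line: str) -> Optional[Discard]:
    """Parse one 710005 line; return None for lines that are not 710005."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Discard(**m.groupdict())


def classify(lines: List[str], fw_addrs: Dict[str, str] = FIREWALL_ADDRS) -> Tuple[List[Discard], List[Discard]]:
    """Split parsed 710005 events into (aimed at the firewall, other)."""
    to_fw: List[Discard] = []
    other: List[Discard] = []
    for line in lines:
        d = parse_discard(line)
        if d is None:
            continue
        (to_fw if d.addressed_to_firewall(fw_addrs) else other).append(d)
    return to_fw, other


# Constructed sample: the first line is the one quoted in the post; the second
# is invented with a destination that is not one of the interface addresses.
SAMPLE_LINES = [
    "710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp",
    "%PIX-7-710005: UDP request discarded from 192.168.1.111/500 to inside:203.0.113.5/isakmp",
    "some unrelated syslog line",
]

if __name__ == "__main__":
    to_fw, other = classify(SAMPLE_LINES)
    for d in to_fw:
        print(f"aimed at the firewall itself: {d.src}/{d.sport} -> {d.ifname}:{d.dst}/{d.dport}")
    for d in other:
        print(f"other 710005 discard: {d.src}/{d.sport} -> {d.ifname}:{d.dst}/{d.dport}")
```

Run against the lines in the post, every event lands in the first list: the destination 192.168.1.1 is the inside interface address from the config, so the PIX logged packets addressed to itself rather than packets it was asked to forward. That distinction is the first thing to establish before touching ACLs or NAT, and the same comparison works on a syslog feed from any PIX whose interface addresses you have.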

