SETUP A VPN CONNECTION FROM THE OUTSIDE

am 18.11.2006 19:43:38 von vreyesii

Hi,

Here is the situation. I am trying to allow a VPN connection from the
outside of a PIX Firewall to a Windows 2003 Server which is the VPN
server. In the same LAN where the Windows 2003 Server is located there
is another server, Server A. I am trying to SSH into Server A after I
make a VPN connection to the Windows 2003 Server. However, after I make
the VPN connection and I try to SSH into Server A, I get a connection
timeout error. I am able to connect to the VPN server. But after I
connect to the VPN Server, I do not have access to Server A using SSH.
What could I be doing wrong?

Thank You

Re: SETUP A VPN CONNECTION FROM THE OUTSIDE

am 19.11.2006 00:21:59 von roberson

In article <1163875418.715578.95500@f16g2000cwb.googlegroups.com>,
vreyesii wrote:

>Here is the situation. I am trying to allow a VPN connection from the
>outside of a PIX Firewall to a Windows 2003 Server which is the VPN
>server.

Please do not multipost. You posted the same question in
comp.dcom.sys.cisco . If you have the same question for multiple newsgroups
then put all of their names in the Newsgroups: line, commas between
them but no spaces, such as

Newsgroups: comp.security.firewalls,comp.dcom.sys.cisco

Re: SETUP A VPN CONNECTION FROM THE OUTSIDE

am 19.11.2006 05:24:29 von vreyesii

Sorry about that, I will correct.

Thanks

On Nov 18, 6:21 pm, rober...@hushmail.com (Walter Roberson) wrote:
> In article <1163875418.715578.95...@f16g2000cwb.googlegroups.com>,
>
> vreyesii wrote:
> >Here is the situation. I am trying to allow a VPN connection from the
> >outside of a PIX Firewall to a Windows 2003 Server which is the VPN
> >server.
>
> Please do not multipost. You posted the same question in
> comp.dcom.sys.cisco . If you have the same question for multiple newsgroups
> then put all of their names in the Newsgroups: line, commas between
> them but no spaces, such as
>
> Newsgroups: comp.security.firewalls,comp.dcom.sys.cisco

Re: SETUP A VPN CONNECTION FROM THE OUTSIDE

am 19.11.2006 17:12:00 von vreyesii

All right, I changed a few things on the PIX, and I configured the PIX
as a VPN PPTP Server. From the client side I am able to connect to the VPN
Server. However, when I connect to the VPN Server I should have access to
the local LAN of the VPN Server. However, when I try to simply SSH into
the PIX or another workstation (AIX box) on the LAN, I am not able to. With
the other workstations that are on the same LAN as the VPN server I can
establish communication.

Thank You

On Nov 19, 7:31 am, "Brian V" wrote:
> "vreyesii" wrote in message news:1163908095.624926.6160@m7g2000cwm.googlegroups.com...
>
> > Below is a copy of the PIX config.
>
> > pixfirewall# sh run
> > : Saved
> > :
> > PIX Version 6.3(5)
> > interface ethernet0 100full
> > interface ethernet1 100full
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > enable password XXXXXXXXX encrypted
> > passwd XXXXXXXXXX encrypted
> > hostname pixfirewall
> > domain-name XXXXX.com
> > clock timezone EST -5
> > clock summer-time EDT recurring
> > fixup protocol dns maximum-length 512
> > fixup protocol ftp 21
> > fixup protocol h323 h225 1720
> > fixup protocol h323 ras 1718-1719
> > fixup protocol http 80
> > fixup protocol pptp 1723
> > fixup protocol rsh 514
> > fixup protocol rtsp 554
> > fixup protocol sip 5060
> > fixup protocol sip udp 5060
> > fixup protocol skinny 2000
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > fixup protocol tftp 69
> > names
> > access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
> > access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
> > access-list allow_inbound deny ip host 24.71.105.183 any
> > access-list allow_inbound deny ip host 163.27.116.133 any
> > access-list allow_inbound deny ip host 218.189.179.82 any
> > access-list allow_inbound deny ip host 84.60.164.161 any
> > access-list allow_inbound deny ip host 222.128.34.89 any
> > access-list allow_inbound deny ip host 202.64.47.108 any
> > access-list allow_inbound deny ip host 87.162.179.31 any
> > access-list allow_inbound deny ip host 70.255.106.164 any
> > access-list allow_inbound permit tcp any interface outside eq smtp
> > access-list allow_inbound permit tcp any interface outside eq pop3
> > access-list allow_inbound permit tcp any interface outside eq www
> > access-list allow_inbound permit icmp any any source-quench
> > access-list allow_inbound permit icmp any any echo-reply
> > access-list allow_inbound permit tcp any host B.X.X.236 eq www
> > access-list allow_inbound permit tcp any host B.X.X.236 eq h323
> > access-list allow_inbound permit tcp any host B.X.X.236 eq 5060
> > access-list allow_inbound permit tcp any interface outside eq pptp
> > access-list allow_inbound permit gre any interface outside
> > access-list allow_inbound permit tcp any interface outside eq 3000
> > access-list allow_inbound permit udp any interface outside eq 49153
> > access-list allow_inbound permit tcp any interface outside eq 49153
> > access-list allow_inbound permit tcp any interface outside eq 10240
> > access-list allow_inbound permit tcp any interface outside eq 10241
> > access-list allow_inbound permit tcp any interface outside eq 10242
> > access-list allow_inbound permit udp any interface outside eq 10240
> > access-list allow_inbound permit udp any interface outside eq 10241
> > access-list allow_inbound permit udp any interface outside eq 10242
> > access-list allow_inbound permit tcp any interface outside eq 41170
> > access-list allow_inbound permit udp any interface outside eq 41170
> > access-list allow_inbound permit tcp any interface outside eq 4662
> > access-list allow_inbound permit tcp any interface outside eq 4000
> > access-list deny_outbound deny tcp any host 63.236.240.73 eq https
> > access-list deny_outbound deny tcp any host 209.202.9.7 eq https
> > access-list deny_outbound deny tcp any host 63.236.240.73 eq www
> > access-list deny_outbound deny tcp any host 66.28.235.59 eq www
> > access-list deny_outbound deny tcp any host 204.245.86.77 eq www
> > access-list deny_outbound deny tcp any host 69.18.151.78 eq www
> > access-list deny_outbound permit ip any any
> > access-list deny_outbound permit esp any any
> > access-list deny_outbound permit gre any any
> > access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0
> > 255.255.255.0
> > no pager
> > logging on
> > logging timestamp
> > logging monitor debugging
> > logging trap notifications
> > logging queue 24
> > logging host inside 10.1.1.23
> > icmp deny any outside
> > icmp deny any echo outside
> > mtu outside 1500
> > mtu inside 1500
> > ip address outside A.X.X.85 255.255.255.0
> > ip address inside 10.1.1.1 255.255.255.0
> > ip audit info action alarm
> > ip audit attack action alarm
> > ip local pool ippool 10.1.2.1-10.1.2.254
> > pdm location 10.1.1.6 255.255.255.255 inside
> > pdm location 10.1.1.2 255.255.255.255 inside
> > pdm location 10.1.1.7 255.255.255.255 inside
> > pdm location 10.1.1.23 255.255.255.255 inside
> > pdm location 59.124.0.0 255.252.0.0 outside
> > pdm location 63.236.240.73 255.255.255.255 outside
> > pdm location 84.60.164.161 255.255.255.255 outside
> > pdm location 163.27.116.133 255.255.255.255 outside
> > pdm location 209.202.9.7 255.255.255.255 outside
> > pdm location 218.189.179.82 255.255.255.255 outside
> > pdm location 10.1.1.8 255.255.255.255 inside
> > pdm location 10.1.1.30 255.255.255.255 inside
> > pdm location 10.1.1.251 255.255.255.255 inside
> > pdm location 10.1.1.252 255.255.255.255 inside
> > pdm location 192.168.2.0 255.255.255.0 inside
> > pdm location 192.168.10.0 255.255.255.0 inside
> > pdm location 24.71.105.183 255.255.255.255 outside
> > pdm location 66.28.235.59 255.255.255.255 outside
> > pdm location 202.64.47.108 255.255.255.255 outside
> > pdm location 216.178.32.48 255.255.255.255 outside
> > pdm location 216.178.32.49 255.255.255.255 outside
> > pdm location 216.178.32.50 255.255.255.255 outside
> > pdm location 216.178.32.51 255.255.255.255 outside
> > pdm location 222.128.34.89 255.255.255.255 outside
> > pdm logging informational 100
> > pdm history enable
> > arp timeout 14400
> > global (outside) 1 interface
> > nat (inside) 0 access-list do_not_nat
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask
> > 255.255.255.255 0 0
> > static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask
> > 255.255.255.255 0 0
> > static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask
> > 255.255.255.255 0 0
> > static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask
> > 255.255.255.255 0 0
> > static (inside,outside) tcp interface pptp 10.1.1.23 pptp netmask
> > 255.255.255.255 0 0
> > static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask
> > 255.255.255.255 0 0
> > static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask
> > 255.255.255.255 0 0
> > static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask
> > 255.255.255.255 0 0
> > static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask
> > 255.255.255.255 0 0
> > static (inside,outside) tcp interface www 10.1.1.6 www netmask
> > 255.255.255.255 0 0
> > static (inside,outside) B.X.X.236 10.1.1.7 netmask 255.255.255.255 0 0
> > access-group allow_inbound in interface outside
> > access-group deny_outbound in interface inside
> > route outside 0.0.0.0 0.0.0.0 A.X.X.1 1
> > route inside 192.168.2.0 255.255.255.0 10.1.1.30 1
> > timeout xlate 0:05:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
> > 1:00:00
> > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout sip-disconnect 0:02:00 sip-invite 0:03:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server TACACS+ max-failed-attempts 3
> > aaa-server TACACS+ deadtime 10
> > aaa-server RADIUS protocol radius
> > aaa-server RADIUS max-failed-attempts 3
> > aaa-server RADIUS deadtime 10
> > aaa-server LOCAL protocol local
> > aaa authentication ssh console LOCAL
> > http server enable
> > http 10.1.1.0 255.255.255.0 inside
> > snmp-server host inside 10.1.1.23
> > snmp-server host inside 10.1.1.252
> > no snmp-server location
> > no snmp-server contact
> > snmp-server community XXXXXXXXX
> > snmp-server enable traps
> > floodguard enable
> > sysopt connection permit-ipsec
> > crypto ipsec transform-set myset esp-3des esp-md5-hmac
> > crypto dynamic-map dynmap 10 set transform-set myset
> > crypto map mymap 10 ipsec-isakmp dynamic dynmap
> > crypto map mymap client authentication LOCAL
> > crypto map mymap interface outside
> > isakmp enable outside
> > isakmp identity address
> > isakmp nat-traversal 20
> > isakmp policy 10 authentication pre-share
> > isakmp policy 10 encryption 3des
> > isakmp policy 10 hash md5
> > isakmp policy 10 group 2
> > isakmp policy 10 lifetime 86400
> > vpngroup vpn3000 address-pool ippool
> > vpngroup vpn3000 default-domain pix.com
> > vpngroup vpn3000 split-tunnel 101
> > vpngroup vpn3000 idle-time 1800
> > vpngroup vpn3000 password ********
> > vpngroup vmr2 address-pool ippool
> > vpngroup vmr2 default-domain pix.com
> > vpngroup vmr2 split-tunnel 101
> > vpngroup vmr2 idle-time 1800
> > vpngroup vmr2 password ********
> > vpngroup grace address-pool ippool
> > vpngroup grace default-domain pix.com
> > vpngroup grace split-tunnel 101
> > vpngroup grace idle-time 1800
> > vpngroup grace password ********
> > telnet timeout 30
> > ssh 10.1.1.0 255.255.255.0 inside
> > ssh 192.168.10.0 255.255.255.0 inside
> > ssh timeout 60
> > console timeout 0
> > username vmr2 password XXXXXXXXXXXX encrypted privilege 15
> > privilege show level 15 command access-group
> > privilege clear level 15 command access-group
> > terminal width 80
> > banner login Unauthorized access and use of this network/device will be
> > prosecuted.
> > banner motd Unauthorized access and use of this network/device will be
> > prosecuted.
> > Cryptochecksum:f02ea73dea8980383b1d6579f900296e
> > : end
>
> > On Nov 18, 5:20 pm, "Brian V" wrote:
> >> "vreyesii" wrote in
> >> message news:1163875230.194950.204510@h48g2000cwc.googlegroups.com...
>
> >> > Hi,
>
> >> > Here is the situation. I am trying to allow a VPN connection from the
> >> > outside of a PIX Firewall to a Windows 2003 Server which is the VPN
> >> > server. In the same LAN where the Windows 2003 Server is located there
> >> > is another server. Server A, I am trying to SSH into Server A after I
> >> > make a VPN connection to the Windows 2003 Server. However, after I make
> >> > the VPN connection and I try to SSH into Server A I get a connection
> >> > timeout error. I am able to connect to the VPN server. But after I
> >> > connect to the VPN Server, I do not have access to Server A using SSH.
> >> > What could I be doing wrong?
>
> >> > Thank You
>
> >> > Victor
> >>
> >> about 1000 things...ya gotta post your config if you want help.
>
> You cannot use PAT for PPTP, you need to use NAT. PPTP requires 2 things,
> tcp 1723 and GRE. GRE cannot be PAT'd, it needs to be allowed to a one-to-one
> NAT. Where you only have a single IP you will need to setup the PPTP on the
> Pix. http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_config...
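
As an added example, not code from the thread or from Cisco, the following Python script audits a constructed excerpt of the config quoted above for the two things this post turns on: a PPTP host exposed only through a port-level static on the interface address (the PAT case Brian V says cannot carry GRE), and which source networks the `ssh` lines permit to open a session to the PIX itself, checked against the VPN address pool. The excerpt, the function names and the sample addresses are assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3(5) config posted in the thread: only the
# lines these checks read, with the wrapped `static` lines joined back onto
# one line each. Everything else in the posted config is omitted.
PIX_CONFIG = """\
ip local pool ippool 10.1.2.1-10.1.2.254
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pptp 10.1.1.23 pptp netmask 255.255.255.255 0 0
static (inside,outside) B.X.X.236 10.1.1.7 netmask 255.255.255.255 0 0
access-list allow_inbound permit tcp any interface outside eq pptp
access-list allow_inbound permit gre any interface outside
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
"""

# Port-level static (PAT): static (in,out) tcp|udp <gip> <gport> <lip> <lport>
STATIC_PORT_RE = re.compile(r"^static \(\w+,\w+\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
# One-to-one static (NAT): static (in,out) <gip> <lip>
STATIC_IP_RE = re.compile(r"^static \(\w+,\w+\) (?!(?:tcp|udp) )(\S+) (\S+) netmask")
SSH_RE = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\w+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$")


def parse_statics(config):
    """Return (port_statics, one_to_one); one_to_one maps local IP -> global IP."""
    port_statics, one_to_one = [], {}
    for line in config.splitlines():
        m = STATIC_PORT_RE.match(line)
        if m:
            port_statics.append({"global": m[2], "gport": m[3], "local": m[4], "lport": m[5]})
        elif (m := STATIC_IP_RE.match(line)):
            one_to_one[m[2]] = m[1]
    return port_statics, one_to_one


def check_pptp_translation(config):
    """Brian V's point: PPTP needs tcp/1723 plus GRE, and GRE has no ports, so a
    port-level static for pptp on the interface address only carries the TCP
    half. Flag each PPTP host that lacks a one-to-one static of its own."""
    port_statics, one_to_one = parse_statics(config)
    return [
        f"PPTP host {s['local']} is reached only via a port-level static on "
        f"'{s['global']}' (PAT); GRE cannot follow a port translation. Give it "
        f"a one-to-one static or terminate PPTP on the PIX."
        for s in port_statics
        if s["lport"] in ("pptp", "1723") and s["local"] not in one_to_one
    ]


def ssh_entries(config):
    """[(network, interface)] for each `ssh <net> <mask> <iface>` line."""
    return [(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3])
            for m in map(SSH_RE.match, config.splitlines()) if m]


def ssh_permitted_interface(config, addr):
    """Interface on which `addr` may open SSH to the PIX itself, or None."""
    ip = ipaddress.ip_address(str(addr))
    return next((iface for net, iface in ssh_entries(config) if ip in net), None)


def vpn_pool(config):
    """(name, first, last) of the `ip local pool` handed to VPN clients."""
    for m in map(POOL_RE.match, config.splitlines()):
        if m:
            return m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
    return None


def check_ssh_from_vpn_pool(config):
    """Count pool addresses that match no `ssh` entry: such a client may reach
    hosts behind the PIX while the PIX itself refuses its SSH session."""
    pool = vpn_pool(config)
    if pool is None:
        return []
    name, first, last = pool
    total = int(last) - int(first) + 1
    uncovered = sum(1 for i in range(total)
                    if ssh_permitted_interface(config, first + i) is None)
    if not uncovered:
        return []
    return [f"{uncovered} of {total} addresses in pool {name} match no `ssh` "
            f"entry; add one for the pool on the interface VPN clients arrive "
            f"on if SSH to the PIX is wanted."]


if __name__ == "__main__":
    for finding in check_pptp_translation(PIX_CONFIG) + check_ssh_from_vpn_pool(PIX_CONFIG):
        print("-", finding)
```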

Re: SETUP A VPN CONNECTION FROM THE OUTSIDE

am 20.11.2006 13:43:26 von Brian V

"vreyesii" wrote in message
news:1163952720.396049.113060@e3g2000cwe.googlegroups.com...
> All right, I changed a few things on the PIX, and I configured the PIX
> as a VPN PPTP Server. From the client side I able to connect to the VPN
> Server. However, when I connect to VPN Server I should have access to
> the local LAN of the VPN Server. However, when I try to simply SSH into
> the PIX or another workstation(AIX Box) on the LAN I am not able. The
> other workstations that are on the same LAN as the VPN server I can
> establish communication.
>
> Thank You

Post your latest config and please stop top posting, makes it very hard to
follow a thread.

Re: SETUP A VPN CONNECTION FROM THE OUTSIDE

am 20.11.2006 15:08:52 von vreyesii

On Nov 20, 7:43 am, "Brian V" wrote:
> "vreyesii" wrote in message news:1163952720.396049.113060@e3g2000cwe.googlegroups.com...
>
> > All right, I changed a few things on the PIX, and I configured the PIX
> > as a VPN PPTP Server. From the client side I able to connect to the VPN
> > Server. However, when I connect to VPN Server I should have access to
> > the local LAN of the VPN Server. However, when I try to simply SSH into
> > the PIX or another workstation(AIX Box) on the LAN I am not able. The
> > other workstations that are on the same LAN as the VPN server I can
> > establish communication.
>
> > Thank You
> >> > http server enable
> >> > http 10.1.1.0 255.255.255.0 inside
> >> > snmp-server host inside 10.1.1.23
> >> > snmp-server host inside 10.1.1.252
> >> > no snmp-server location
> >> > no snmp-server contact
> >> > snmp-server community XXXXXXXXX
> >> > snmp-server enable traps
> >> > floodguard enable
> >> > sysopt connection permit-ipsec
> >> > crypto ipsec transform-set myset esp-3des esp-md5-hmac
> >> > crypto dynamic-map dynmap 10 set transform-set myset
> >> > crypto map mymap 10 ipsec-isakmp dynamic dynmap
> >> > crypto map mymap client authentication LOCAL
> >> > crypto map mymap interface outside
> >> > isakmp enable outside
> >> > isakmp identity address
> >> > isakmp nat-traversal 20
> >> > isakmp policy 10 authentication pre-share
> >> > isakmp policy 10 encryption 3des
> >> > isakmp policy 10 hash md5
> >> > isakmp policy 10 group 2
> >> > isakmp policy 10 lifetime 86400
> >> > vpngroup vpn3000 address-pool ippool
> >> > vpngroup vpn3000 default-domain pix.com
> >> > vpngroup vpn3000 split-tunnel 101
> >> > vpngroup vpn3000 idle-time 1800
> >> > vpngroup vpn3000 password ********
> >> > vpngroup vmr2 address-pool ippool
> >> > vpngroup vmr2 default-domain pix.com
> >> > vpngroup vmr2 split-tunnel 101
> >> > vpngroup vmr2 idle-time 1800
> >> > vpngroup vmr2 password ********
> >> > vpngroup grace address-pool ippool
> >> > vpngroup grace default-domain pix.com
> >> > vpngroup grace split-tunnel 101
> >> > vpngroup grace idle-time 1800
> >> > vpngroup grace password ********
> >> > telnet timeout 30
> >> > ssh 10.1.1.0 255.255.255.0 inside
> >> > ssh 192.168.10.0 255.255.255.0 inside
> >> > ssh timeout 60
> >> > console timeout 0
> >> > username vmr2 password XXXXXXXXXXXX encrypted privilege 15
> >> > privilege show level 15 command access-group
> >> > privilege clear level 15 command access-group
> >> > terminal width 80
> >> > banner login Unauthorized access and use of this network/device will be
> >> > prosecuted.
> >> > banner motd Unauthorized access and use of this network/device will be
> >> > prosecuted.
> >> > Cryptochecksum:f02ea73dea8980383b1d6579f900296e
> >> > : end
>
> >> > On Nov 18, 5:20 pm, "Brian V" wrote:
> >> >> "vreyesii" wrote in
> >> >> message news:1163875230.194950.204510@h48g2000cwc.googlegroups.com...
>
> >> >> > Hi,
>
> >> >> > Here is the situation. I am trying to allow a VPN connection from
> >> >> > the
> >> >> > outside of a PIX Firewall to a Windows 2003 Server which is the VPN
> >> >> > server. In the same LAN where the Windows 2003 Server is located
> >> >> > there
> >> >> > is another server. Server A, I am trying to SSH into Server A after
> >> >> > I
> >> >> > make a VPN connection to the Windows 2003 Server. However, after I
> >> >> > make
> >> >> > the VPN connection and I try to SSH into Server A I get a connection
> >> >> > timeout error. I am able to connect to the VPN server. But after I
> >> >> > connect to the VPN Server, I do not have access to Server A using
> >> >> > SSH.
> >> >> > What could I be doing wrong?
>
> >> >> > Thank You
>
> >> >> > Victor
> >>
> >> >> about 1000 things...ya gotta post your config if you want help.
> >>
> >> You cannot use PAT for PPTP, you need to use NAT. PPTP requires 2 things,
> >> tcp 1723 and GRE, GRE cannot be PAT'd, it needs to be allowed to a
> >> one-to-one NAT. Where you only have a single IP you will need to set up
> >> the PPTP on the Pix.
> >> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_config...
> >>
> >> Post your latest config and please stop top posting, makes it very hard to
> >> follow a thread.

Below is the latest copy of the config.

: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXXXX encrypted
hostname pixfirewall
domain-name XXXXXXXXX.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound deny ip host 87.162.179.31 any
access-list allow_inbound deny ip host 70.255.106.164 any
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any interface outside eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any host B.X.X.236 eq www
access-list allow_inbound permit tcp any host B.X.X.236 eq h323
access-list allow_inbound permit tcp any host B.X.X.236 eq 5060
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 3000
access-list allow_inbound permit udp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 10240
access-list allow_inbound permit tcp any interface outside eq 10241
access-list allow_inbound permit tcp any interface outside eq 10242
access-list allow_inbound permit udp any interface outside eq 10240
access-list allow_inbound permit udp any interface outside eq 10241
access-list allow_inbound permit udp any interface outside eq 10242
access-list allow_inbound permit tcp any interface outside eq 41170
access-list allow_inbound permit udp any interface outside eq 41170
access-list allow_inbound permit tcp any interface outside eq 4662
access-list allow_inbound permit tcp any interface outside eq 4000
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0
255.255.255.0
no pager
logging on
logging timestamp
logging monitor debugging
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp permit any unreachable outside
icmp deny any echo outside
icmp deny any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside A.X.X.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name POLICY1 attack action alarm reset
ip audit name InfoPolicy info action alarm drop
ip audit interface outside InfoPolicy
ip audit interface outside POLICY1
ip audit info action alarm drop
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.30 255.255.255.255 inside
pdm location 10.1.1.251 255.255.255.255 inside
pdm location 10.1.1.252 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 216.178.32.48 255.255.255.255 outside
pdm location 216.178.32.49 255.255.255.255 outside
pdm location 216.178.32.50 255.255.255.255 outside
pdm location 216.178.32.51 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm location 69.18.151.78 255.255.255.255 outside
pdm location 70.255.106.164 255.255.255.255 outside
pdm location 87.162.179.31 255.255.255.255 outside
pdm location 204.245.86.77 255.255.255.255 outside
pdm location 10.1.1.253 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list do_not_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask
255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask
255.255.255.255 0 0
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask
255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask
255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask
255.255.255.255 0 0
static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask
255.255.255.255 0 0
static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask
255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask
255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask
255.255.255.255 0 0
static (inside,outside) B.X.X.236 10.1.1.7 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 A.X.X.1 1
route inside 192.168.2.0 255.255.255.0 10.1.1.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 10.1.1.253 nyc4u2me timeout 5
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community nyc4u2me
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 default-domain XXXXX.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vmr2 address-pool ippool
vpngroup vmr2 default-domain XXX.com
vpngroup vmr2 split-tunnel 101
vpngroup vmr2 idle-time 1800
vpngroup vmr2 password ********
vpngroup grace address-pool ippool
vpngroup grace default-domain XXXXXX.com
vpngroup grace split-tunnel 101
vpngroup grace idle-time 1800
vpngroup grace password ********
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128
vpdn group 1 client configuration address local ippool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username vmr2 password *********
vpdn username test password *********
vpdn enable outside
username vmr2 password XXXXXXXXXXXXXXX encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner login Unauthorized access and use of this network/device will be
prosecuted.
banner motd Unauthorized access and use of this network/device will be
prosecuted.
Cryptochecksum:24558cdd86e7726fc9cc5e299b277a8c
: end

Re: SETUP A VPN CONNECTION FROM THE OUTSIDE

am 20.11.2006 20:35:03 von Brian V

"vreyesii" wrote in message
news:1164031731.981736.115360@e3g2000cwe.googlegroups.com...
> On Nov 20, 7:43 am, "Brian V" wrote:
>> "vreyesii" wrote in
>> message news:1163952720.396049.113060@e3g2000cwe.googlegroups.com...
>>
>> > All right, I changed a few things on the PIX, and I configured the PIX
>> > as a VPN PPTP Server. From the client side I able to connect to the VPN
>> > Server. However, when I connect to VPN Server I should have access to
>> > the local LAN of the VPN Server. However, when I try to simply SSH into
>> > the PIX or another workstation(AIX Box) on the LAN I am not able. The
>> > other workstations that are on the same LAN as the VPN server I can
>> > establish communication.
>>
>> > Thank You
>>
>> > On Nov 19, 7:31 am, "Brian V" wrote:
>> >> "vreyesii" wrote in
>> >> message news:1163908095.624926.6160@m7g2000cwm.googlegroups.com...
>>
>> >> > Below is a copy of the PIX config.
>>
<>
>> >> > On Nov 18, 5:20 pm, "Brian V" wrote:
>> >> >> "vreyesii" wrote in
>> >> >> message news:1163875230.194950.204510@h48g2000cwc.googlegroups.com...
>>
>> >> >> > Hi,
>>
>> >> >> > Here is the situation. I am trying to allow a VPN connection from
>> >> >> > the
>> >> >> > outside of a PIX Firewall to a Windows 2003 Server which is the
>> >> >> > VPN
>> >> >> > server. In the same LAN where the Windows 2003 Server is located
>> >> >> > there
>> >> >> > is another server. Server A, I am trying to SSH into Server A
>> >> >> > after
>> >> >> > I
>> >> >> > make a VPN connection to the Windows 2003 Server. However, after
>> >> >> > I
>> >> >> > make
>> >> >> > the VPN connection and I try to SSH into Server A I get a
>> >> >> > connection
>> >> >> > timeout error. I am able to connect to the VPN server. But after
>> >> >> > I
>> >> >> > connect to the VPN Server, I do not have access to Server A using
>> >> >> > SSH.
>> >> >> > What could I be doing wrong?
>>
>> >> >> > Thank You
>>
>> >> >> > Victor
>> >>
>> >> >> about 1000 things...ya gotta post your config if you want help.
>> >>
>> >> You cannot use PAT for PPTP, you need to use NAT. PPTP requires 2 things,
>> >> tcp 1723 and GRE, GRE cannot be PAT'd, it needs to be allowed to a
>> >> one-to-one NAT. Where you only have a single IP you will need to set up
>> >> the PPTP on the Pix.
>> >> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_config...
>> >>
>> >> Post your latest config and please stop top posting, makes it very hard to
>> >> follow a thread.
>
> Below is the latest copy of the config.
>
<>
>

Config looks fine. Can you ping the server?
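Brian's "config looks fine" is a reachability question. A separate check a practitioner would run on the config posted above is whether the VPN address pool (ip local pool ippool 10.1.2.1-10.1.2.254) is actually permitted by the statements that govern it: the ssh lines, which on PIX 6.3 restrict the source addresses allowed to open SSH to the firewall itself; the split-tunnel list 101; and the nat 0 list do_not_nat. The script below is an added example written for this thread, not code from the thread, from Cisco or from any project. It parses a constructed excerpt of the posted config and reports, per list, how much of the pool is covered; it also flags the "static (inside,outside) tcp interface pptp ..." port-forward pattern from the earlier config, which Brian's reply explains cannot carry the GRE leg of PPTP through PAT. The line "ssh 10.1.2.0 255.255.255.0 outside" used in the demonstration is an assumed remediation for illustration only, not a recommendation made in the thread.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3(5) config posted in this thread; only the
# lines this audit reads are kept. Values come from the thread, not a live box.
PIX_CONFIG = """\
ip address outside A.X.X.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound permit gre any interface outside
access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list do_not_nat
ip local pool ippool 10.1.2.1-10.1.2.254
vpngroup vpn3000 split-tunnel 101
vpdn group 1 client configuration address local ippool
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
"""


def _net(addr, mask):
    """Turn a PIX 'address mask' pair into an ip_network (dotted masks accepted)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host X', 'interface NAME' or 'X MASK').
    Returns (network, remaining tokens); 'interface NAME' yields None."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "interface":
        return None, tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]


def parse_pools(cfg):
    """name -> list of every address in an 'ip local pool' range."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)$", cfg, re.M):
        start, end = ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
        pools[m[1]] = [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]
    return pools


def parse_ssh_sources(cfg):
    """[(network, interface)] from the 'ssh <ip> <mask> <if>' management lines."""
    return [(_net(m[1], m[2]), m[3])
            for m in re.finditer(r"^ssh (\S+) (\S+) (\S+)$", cfg, re.M)]


def parse_acl(cfg, name):
    """[(action, proto, src, dst)] for one named access-list."""
    rules = []
    pat = rf"^access-list {re.escape(name)} (permit|deny) (\S+) (.*)$"
    for m in re.finditer(pat, cfg, re.M):
        src, rest = _acl_endpoint(m[3].split())
        dst, rest = _acl_endpoint(rest)
        rules.append((m[1], m[2], src, dst))
    return rules


def ssh_uncovered_addresses(cfg, pool_name):
    """Pool addresses that no 'ssh' statement permits as a management source."""
    nets = [n for n, _ in parse_ssh_sources(cfg)]
    return [str(a) for a in parse_pools(cfg)[pool_name]
            if not any(a in n for n in nets)]


def acl_covers_pool(cfg, acl_name, pool_name):
    """True when every pool address is a permitted destination of the ACL,
    the property the split-tunnel and nat 0 lists need to hold."""
    permits = [r for r in parse_acl(cfg, acl_name) if r[0] == "permit" and r[3]]
    return all(any(a in r[3] for r in permits) for a in parse_pools(cfg)[pool_name])


def pptp_port_forwards(cfg):
    """Inside hosts behind a 'static (inside,outside) tcp interface pptp' PAT entry.
    Such an entry forwards TCP 1723 only; the GRE leg of PPTP cannot be PAT'd."""
    return re.findall(r"^static \(inside,outside\) tcp interface pptp (\S+) pptp", cfg, re.M)


def audit(cfg, pool_name="ippool"):
    """Summarise the checks for one address pool."""
    return {
        "pool_size": len(parse_pools(cfg)[pool_name]),
        "ssh_uncovered": len(ssh_uncovered_addresses(cfg, pool_name)),
        "split_tunnel_ok": acl_covers_pool(cfg, "101", pool_name),
        "nat0_ok": acl_covers_pool(cfg, "do_not_nat", pool_name),
        "pptp_pat_forwards": pptp_port_forwards(cfg),
    }


if __name__ == "__main__":
    print(audit(PIX_CONFIG))
    # Assumed remediation line (not from the thread): permit the pool as an
    # SSH source on the interface the VPN terminates on.
    print(audit(PIX_CONFIG + "ssh 10.1.2.0 255.255.255.0 outside\n"))
```

Run as-is, the first line of output shows both ACLs covering all 254 pool addresses, no PPTP PAT forward in the latest config, and all 254 pool addresses outside every ssh statement; the second line shows the ssh gap closed by the assumed line. The same parser will accept the "host" and "any" forms used in allow_inbound, so it can be pointed at the whole posted config rather than the excerpt.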