#1 Registered User (Devshed Newbie, joined Jan 2012)

    PIX 501 VPN issue


    Hi. I am trying to set up a VPN connection using the PIX 501 firewall. This is my first experience with this type of product. I am able to connect internally with my VPN connection, but I get the famous error 800 when I try from outside the network. I'm not sure if it's a NAT issue or what. Any kind of help would be very appreciated. Here is my config file. Thanks.

    Building configuration...
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxxxxx encrypted
    passwd xxxxxxxxx encrypted
    hostname xxxxxfw
    domain-name xxxxxxx.com
    clock timezone EST -5
    clock summer-time EDT recurring
    no fixup protocol dns
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol http 807-7013
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group service camera tcp-udp
    description cameras
    access-list bypassnat permit 10.200.10.0 255.255.255.0
    access-list from-outside permit icmp any any
    access-list inside_out deny tcp host 192.168.2.107 any eq smtp
    access-list inside_out permit ip any any
    access-list outside_in permit tcp any interface outside eq ssh
    access-list outside_in permit tcp any interface outside eq smtp
    access-list outside_in permit tcp any interface outside eq imap4
    access-list outside_in permit tcp any interface outside eq pop3
    access-list outside_in permit tcp any interface outside eq www
    access-list outside_in permit tcp any interface outside eq https
    access-list BLOCKSMTP permit tcp host 192.168.2.7 any eq smtp
    access-list BLOCKSMTP deny tcp any any eq smtp log
    access-list BLOCKSMTP permit ip any any
    access-list outside_cryptomap_dyn_30 permit ip any 192.168.2.40 255.255.255.248
    access-list outside_cryptomap_dyn_50 permit ip any 10.1.1.0 255.255.255.240
    pager lines 24
    logging on
    logging monitor notifications
    logging buffered debugging
    logging message 106100 level notifications
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 192.168.2.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.2.7 255.255.255.255 inside
    pdm location 216.8.176.0 255.255.252.0 outside
    pdm location 192.168.0.101 255.255.255.255 inside
    pdm location 192.168.0.102 255.255.255.255 inside
    pdm location 192.168.0.103 255.255.255.255 inside
    pdm location 192.168.0.104 255.255.255.255 inside
    pdm location 192.168.0.105 255.255.255.255 inside
    pdm location 192.168.0.106 255.255.255.255 inside
    pdm location 192.168.0.107 255.255.255.255 inside
    pdm location 192.168.0.108 255.255.255.255 inside
    pdm location 192.168.0.109 255.255.255.255 inside
    pdm location 192.168.0.110 255.255.255.255 inside
    pdm location 192.168.0.111 255.255.255.255 inside
    pdm location 192.168.0.112 255.255.255.255 inside
    pdm location 192.168.0.114 255.255.255.255 inside
    pdm location 192.168.0.115 255.255.255.255 inside
    pdm location 192.168.0.116 255.255.255.255 inside
    pdm location 192.168.0.4 255.255.255.255 inside
    pdm location 192.168.2.40 255.255.255.248 outside
    pdm location 10.1.1.0 255.255.255.240 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list bypassnat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface smtp 192.168.2.7 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pop3 192.168.2.7 pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface imap4 192.168.2.7 imap4 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www 192.168.2.7 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https 192.168.2.7 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5111 192.168.0.101 5111 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5112 192.168.0.102 5112 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5113 192.168.0.103 5113 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5114 192.168.0.104 5114 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5115 192.168.0.105 5115 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5116 192.168.0.106 5116 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5117 192.168.0.107 5117 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5118 192.168.0.108 5118 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5119 192.168.0.109 5119 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5120 192.168.0.110 5120 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5121 192.168.0.111 5121 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5122 192.168.0.112 5122 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5124 192.168.0.114 5124 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5125 192.168.0.115 5125 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5126 192.168.0.116 5126 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8213 192.168.0.4 8213 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8200 192.168.0.4 8200 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8201 192.168.0.4 8201 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8202 192.168.0.4 8202 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8203 192.168.0.4 8203 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8204 192.168.0.4 8204 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8205 192.168.0.4 8205 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8206 192.168.0.4 8206 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8207 192.168.0.4 8207 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8208 192.168.0.4 8208 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8209 192.168.0.4 8209 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8210 192.168.0.4 8210 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8211 192.168.0.4 8211 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8212 192.168.0.4 8212 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8214 192.168.0.4 8214 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8215 192.168.0.4 8215 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8216 192.168.0.4 8216 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8217 192.168.0.4 8217 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8218 192.168.0.4 8218 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8219 192.168.0.4 8219 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8220 192.168.0.4 8220 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8221 192.168.0.4 8221 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8222 192.168.0.4 8222 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8223 192.168.0.4 8223 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8224 192.168.0.4 8224 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8225 192.168.0.4 8225 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pptp 192.168.2.1 pptp netmask 255.255.255.255 0 0
    access-group outside_in in interface outside
    access-group BLOCKSMTP in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server outside 216.8.176.61 /xxxx.cfg
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set harvan esp-3des esp-md5-hmac
    crypto dynamic-map user 10 set transform-set harvan
    crypto dynamic-map user 30 match address outside_cryptomap_dyn_30
    crypto dynamic-map user 30 set transform-set harvan
    crypto dynamic-map user 50 match address outside_cryptomap_dyn_50
    crypto dynamic-map user 50 set transform-set harvan
    crypto map remote 10 ipsec-isakmp dynamic user
    crypto map remote client authentication LOCAL
    crypto map remote interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    isakmp policy 21 authentication pre-share
    isakmp policy 21 encryption 3des
    isakmp policy 21 hash md5
    isakmp policy 21 group 2
    isakmp policy 21 lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group pppoex request dialout pppoe
    vpdn group pppoex ppp authentication pap
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe auto
    vpdn username xxxxxxx.com password *********
    vpdn username remote password *********
    vpdn username kevin password *********
    vpdn enable inside
    username xxxxxxxxx password xxxxxxxxxxx encrypted privilege 15
    username xxxx password xxxxxxxxxxx encrypted privilege 15
    vpnclient server 192.168.2.7
    vpnclient mode client-mode
    vpnclient vpngroup VPN password ********
    terminal width 80
    Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxx
    : end
    [OK]
#2 Automagically Delicious (Devshed Regular, joined May 2004, location: 127.0.0.2 - I live next door.)

    Yep, NAT would be the issue. You will need to set up some rules in your router to pass the traffic along. Keep in mind both 10.x.x.x and 192.168.x.x addresses are NOT ROUTABLE through the Internet. You will NEED a publicly routable address, statically assigned preferred, to get this to work at all.
    Adam TT
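As an added example (not code from either poster or from Cisco), here is the kind of check a defender would run over the config in #1 before touching NAT: for each flow a PPTP client sends to the outside interface, does the bound outside ACL permit it and does a static translation forward it? It assumes the standard PPTP requirement of TCP/1723 for the control channel plus GRE for the tunnel; the parser, the config excerpt selection and the two extra permit lines in FIXED are my own.

```python
from collections import defaultdict

# Lines copied from the PIX 6.3(5) config posted in #1 (only those that decide
# inbound reachability on the outside interface); the rest of the post does
# not change the result of this check.
POSTED = """
access-list outside_in permit tcp any interface outside eq ssh
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq www
static (inside,outside) tcp interface smtp 192.168.2.7 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.2.7 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.2.1 pptp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

# What a PPTP client must reach on the outside interface: TCP/1723 ("pptp")
# for the control channel and GRE (IP protocol 47) for the tunnel itself.
PPTP_NEEDS = (("tcp", "pptp"), ("gre", None))

def parse(config):
    """Collect permits per ACL, static TCP port forwards, and the ACL applied inbound on outside."""
    permits, statics, bound = defaultdict(set), {}, None
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2] == "permit":
            port = tok[tok.index("eq") + 1] if "eq" in tok else None
            permits[tok[1]].add((tok[3], port))
        elif tok[:1] == ["static"] and tok[2:4] == ["tcp", "interface"]:
            statics[tok[4]] = tok[5]  # outside port -> inside host
        elif tok[:1] == ["access-group"] and tok[2:5] == ["in", "interface", "outside"]:
            bound = tok[1]
    return permits, statics, bound

def inbound_gaps(config, needs):
    """Return (proto, port, reason) for each needed flow the outside interface would drop."""
    permits, statics, bound = parse(config)
    allowed = permits.get(bound, set())
    gaps = []
    for proto, port in needs:
        if proto == "tcp" and port not in statics:
            gaps.append((proto, port, "no static translation"))
        elif not ({("ip", None), (proto, None), (proto, port)} & allowed):
            gaps.append((proto, port, f"not permitted by ACL {bound}"))
    return gaps

# The same excerpt plus the two permits the PPTP flows would need (my addition).
FIXED = POSTED + """
access-list outside_in permit tcp any interface outside eq pptp
access-list outside_in permit gre any interface outside
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(name, inbound_gaps(cfg, PPTP_NEEDS) or "no gaps")
```

Run against the posted excerpt it reports both PPTP flows as not permitted by outside_in, while smtp and www pass; this only says what the PIX would drop at the outside interface, not that it is the sole cause of error 800.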
