Firewall Wizards mailing list archives

RE: Cisco PiX 501 running 6.2 - Defying me for no reason


From: "Steven A. Fletcher" <sfletcher () integrityts com>
Date: Mon, 15 Mar 2004 23:47:55 -0600

I think I see where your problem is.  I have never tried doing this, but
a little research on Cisco's site has made it clear.

First, I think you will want to change your vpnclient mode from
client-mode to network-extension-mode.  Details on what this does can be
found at:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/3_0/getstart/gs1under.htm.

You also might want to look at
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_command_reference_chapter09186a0080104256.html#1048520,
which provides information on the format of the vpnclient command.

Also, I found a link to how to configure the hardware VPN client at
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094cf8.shtml.

NOTE:  All of these links require a CCO login. If you don't have one
already, create one.  It's free and I believe gives you access to some
areas of the Cisco site that are not otherwise available.

Second, you will want to make sure the device is in a group on the VPN
Concentrator that is configured for split-tunneling.  Otherwise, ALL
traffic will go through the VPN Concentrator, instead of just the
traffic destined for the other network.  There are reasons why you might
want this to happen, but it sounds like this is not what you wanted.

Finally, you might need to add a route for the internal network at the
main office.  I am not sure if this is necessary or not, since I have
not configured a PIX for this.  The best way to find out would be to
leave it out and see what happens.

I hope this helps.  Let me know if you need any more help.

Thanks,

Steve Fletcher
Senior Network Engineer, MCSE, Master ASE, CCNA
Integrity Technology Solutions
Phone: (309)664-8129
Toll Free: (888) 764-8100 ext. 129
Fax: (309) 662-6421
sfletcher () integrityts com

-----Original Message-----
From: Kyle King [mailto:KKing () Bankshill com] 
Sent: Monday, March 15, 2004 6:29 PM
To: FW Wizards; Steven A. Fletcher
Subject: Re: [fw-wiz] Cisco PiX 501 running 6.2 - Defying me for no
reason

Can you send the configuration for your PIX?  I think that would be more
helpful in determining the problem.  Of course, I would change all
external addresses, just to be safe.

Note : Since I am a C++ programmer by training, and because I don't know
the correct delimiter, all comments will be preceded by '//'

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted //password removed, even though encrypted
passwd xxx encrypted
hostname pixfirewall //will be changed
domain-name ciscopix.com //also will be changed
fixup protocol ftp 21 //when I reset the firewall to factory standards, these are in place
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit icmp any any //just for debug purposes, will be taken out later
access-list acl_in permit icmp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside y.y.y.146 255.255.252.0 //address taken out, and final number changed
ip address inside x.x.x.1 255.255.255.0 //address taken out, and final number changed
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface //PAT translate for all computers to outside line
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside //used with the access-list command, to be taken out
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 y.y.y.1 1 //this command actually fails when I use the startup wiz
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http x.x.x.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address x.x.x.11-x.x.x.30 inside //address hidden
dhcpd lease 28800 //correct timeout, we wanted 8 hour time out
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
vpnclient vpngroup *********** password ******** //group and password removed
vpnclient username ******* password ***** //user and password removed
vpnclient server x.x.x.x //server removed - see note 2 below
vpnclient mode client-mode
terminal width 80
//vpnclient enable not turned on at this time

Note 2 : we know we have the right information there because the VPN
client we were going to use originally works when we place a computer on
its own line without a firewall.  I just transpose the group and group
password fields from the client to the vpngroup command, and the
user/password that comes up during connect, to the username command.

Also, do you have a Smartnet contract on your PIX?

Sadly no.

Steve Fletcher


When I configure one of the computers with the appropriate information
for a static IP, the computer connects to the internet fine (this is when
not connected with the PiX between it).  However, it requires that I
supply the DNS servers.  When I configure the PiX to access the internet
using a static IP, nowhere do I find the command/option to input the DNS
servers; and besides that, when I use static IP, the computers behind the
firewall cannot access the internet.

This turned out to be an issue with our modem.  It used MAC addresses to
assign static IPs, so when I transferred the static to the firewall, the
modem did not like that.  A modem reset fixed that issue.  However, when
I use the configuration I have shown above, I can only ping addresses
from both the firewall and PC.  I cannot ping names, such as
www.google.ca (which I use as my test page simply because I know the
address for it (66.102.7.104)).  When I try to ping a name from the PC,
it comes back as no such name exists, and I can't seem to make the
firewall ping any name, possibly due to the way the ping command on the
firewall works.

Anyway, when I enable the VPN client, all access, including those pings,
stops working.  However, according to the little led on the front, I am
connected to the VPN.  I don't have access to anything on their end
however.

Well, there is the needed information.  I hope it helps.

Kyle King


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
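As an added example (editor's code, not from either poster), the following script walks a PIX 6.x style config, strips the poster's `//` annotations, and flags the three items the thread turns on: the vpnclient mode, DNS hand-out for the inside DHCP clients when the outside address is static, and the default SNMP community string left in place. The SAMPLE_CONFIG excerpt is constructed from the posted config and the finding texts are the editor's wording.

```python
import re

# Constructed excerpt of the PIX 6.2 config posted in the thread; the '//'
# annotations are the poster's own convention, not PIX syntax.
SAMPLE_CONFIG = """\
ip address outside y.y.y.146 255.255.252.0 //address taken out
ip address inside x.x.x.1 255.255.255.0
snmp-server community public
dhcpd address x.x.x.11-x.x.x.30 inside
dhcpd auto_config outside
dhcpd enable inside
vpnclient vpngroup GROUP password SECRET
vpnclient server x.x.x.x
vpnclient mode client-mode
//vpnclient enable not turned on at this time
"""


def strip_comments(text):
    """Yield bare config statements, dropping '//' notes and blank lines."""
    for raw in text.splitlines():
        stmt = raw.split("//", 1)[0].strip()
        if stmt:
            yield stmt


def audit_pix_config(text):
    """Return a list of findings for the points raised in the thread."""
    lines = list(strip_comments(text))
    findings = []
    # Easy VPN client-mode PATs inside hosts behind the PIX; the remote side
    # cannot reach the inside subnet, which is what network-extension-mode is for.
    if "vpnclient mode client-mode" in lines:
        findings.append("vpnclient mode is client-mode; use network-extension-mode "
                        "so the inside subnet is reachable over the tunnel")
    # dhcpd auto_config copies DNS from the outside DHCP lease only; with a
    # static outside address the inside DHCP clients get no DNS server unless
    # 'dhcpd dns' is set explicitly.
    outside_static = any(re.match(r"ip address outside \S+ \S+", l) for l in lines)
    serves_dhcp = "dhcpd enable inside" in lines
    has_dns = any(l.startswith("dhcpd dns ") for l in lines)
    if serves_dhcp and outside_static and not has_dns:
        findings.append("static outside address with dhcpd auto_config only; add "
                        "'dhcpd dns <server>' so inside clients can resolve names")
    # A factory-default SNMP community string is a well-known weak setting.
    for l in lines:
        m = re.match(r"snmp-server community (\S+)$", l)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"snmp-server community '{m.group(1)}' is a default "
                            "string; change it or disable SNMP")
    return findings
```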
