Gmail Calendar Documents Reader Web more »
Recently Visited Groups | Help | Sign in
Google Groups Home
comp.dcom.sys.cisco
+ new post
About this group
Subscribe to this group
This is a Usenet group - learn more
pix/vpn/dmz - config problems
Options
There are currently too many topics in this group that display first. To make this topic appear first, remove this option from another topic.
There was an error processing your request. Please try again.
flag
   6 messages - Collapse all  -  Translate all to Translated (View all originals)
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 
From:
To:
Cc:
Followup To:
Add Cc | Add Followup-to | Edit Subject
Subject:
Validation:
For verification purposes please type the characters you see in the picture below or the numbers you hear by clicking the accessibility icon. Listen and type the numbers you hear
 
Hendrik Danz  
View profile  
 More options Jan 20 2003, 5:44 am
Newsgroups: comp.dcom.sys.cisco
From: hendrik.d...@gmx.net (Hendrik Danz)
Date: 20 Jan 2003 02:44:49 -0800
Local: Mon, Jan 20 2003 5:44 am
Subject: pix/vpn/dmz - config problems
Forward | Print | Individual message | Show original | Report this message | Find messages by this author
hi all,

have some trouble with pix/vpn/dmz configuration.

szenario:

cisco pix (PIX-515E, ver 6.2(2)) configured with inside, outside, dmz
interfaces. additional vpn settings for remote users using cisco vpn
client ver 3.6.3(A) for win2k.

there is a server located in the dmz, reachable from inside.
remote users connected via vpn, should have access to this server too.

the vpn connections seems to be ok. i can create a vpn ipsec tunnel
from remote client. but i can not reach (using ping) the server.

during the ping test there are no packets coming back from the pix,
only the tx counter shows traffic.

pix config details:
(source: cisco online docu "configuring pix to pix dynamic-to-static-
ipsec with nat and cisco vpn client" - but it is without the dmz
thing)

############################################################
.
.
access-list acl_inside permit ip any any
access-list acl_inside permit icmp any any
access-list acl_inside deny ip any any
access-list acl_dmz permit icmp any any
access-list acl_dmz deny ip any any
access-list vpn permit ip 10.3.0.0 255.255.255.0 10.3.1.0
255.255.255.0
.
.
ip address outside xxx.xxx.xxx.xxx 255.255.255.192
ip address inside 192.168.0.1 255.255.255.252
ip address dmz 10.3.0.1 255.255.255.0
.
.
ip local pool vpn_ippool 10.3.1.1-10.3.1.254
.
.
global (ouside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list vpn
.
.
access-group acl_outside in interface outside
access-group acl_inside in interface inside
access-group acl_dmz in interface dmz
.
.
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp esp-md5-hash
crypto dynamic-map dynmap 1 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup myname address-pool vpn_ippool
vpngroup myname idle-time 1800
vpngroup mayname password mypw
.
############################################################

questions:
        o config snips detailed enough?
        o anything missconfigured?
        o anything additinonal infos needed (log, debug...)?
        o is there any strange pix behavior for that vpn thing?

final notes:
i also replaced dmz with inside settings - after that it was possible
to reach inside ip addresses.

hope you can give any useful advice

thnx

Hendrik Danz


    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Rickan Lee  
View profile  
 More options Jan 20 2003, 6:12 am
Newsgroups: comp.dcom.sys.cisco
From: "Rickan Lee" <rickan2...@hotmail.com>
Date: Mon, 20 Jan 2003 12:12:10 +0100
Local: Mon, Jan 20 2003 6:12 am
Subject: Re: pix/vpn/dmz - config problems
Forward | Print | Individual message | Show original | Report this message | Find messages by this author
Hi Hendrik,

I think the NAT-setting for your vpn-clients is false. Since the inside
interface has a higher security lever than the dmz interface, you should
define NAT for your vpn clients at the interface inside but not dmz.

Try to do either:
: direction from vpn clients to dmz
access-list vpn permit ip 10.3.1.0 255.255.255.0 10.3.0.0 255.255.255.0
: deactive dmz nat setting
no nat (dmz) 0 access-list vpn
: set nat for your vpn cients at the inside interface
nat(inside) 0 access-list vpn

or define a static for your vpn clients:

static (inside, dmz) 10.3.1.0 10.3.1.0 netmask 255.255.255.0

Regards,

Rickan

"Hendrik Danz" <hendrik.d...@gmx.net> schrieb im Newsbeitrag
news:d60a13d7.0301200244.2765e1b0@posting.google.com...


    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Hendrik Danz  
View profile  
 More options Jan 20 2003, 8:55 am
Newsgroups: comp.dcom.sys.cisco
From: hendrik.d...@gmx.net (Hendrik Danz)
Date: 20 Jan 2003 05:55:41 -0800
Local: Mon, Jan 20 2003 8:55 am
Subject: Re: pix/vpn/dmz - config problems
Forward | Print | Individual message | Show original | Report this message | Find messages by this author
thanx for your help - but it doesn't help.
i changed the pix config.
same result.
i send encrypted packets but don't get back any packets.

any further ideas?

rgds.
       hendrik


    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Rickan Lee  
View profile  
 More options Jan 20 2003, 10:52 am
Newsgroups: comp.dcom.sys.cisco
From: "Rickan Lee" <rickan2...@hotmail.com>
Date: Mon, 20 Jan 2003 16:52:02 +0100
Local: Mon, Jan 20 2003 10:52 am
Subject: Re: pix/vpn/dmz - config problems
Forward | Print | Individual message | Show original | Report this message | Find messages by this author

sorry, please forget my previous posting. your configuration was correct,
the "nat 0" must be deployed at the dmz interface and the access-list vpn
was also correct.

you may try to use "debug packet dmz dst ..." to see if any packets arrive
at the interface dmz.

Regards

rickan

"Hendrik Danz" <hendrik.d...@gmx.net> schrieb im Newsbeitrag
news:d60a13d7.0301200555.6cbc32fb@posting.google.com...

> thanx for your help - but it doesn't help.
> i changed the pix config.
> same result.
> i send encrypted packets but don't get back any packets.

> any further ideas?

> rgds.
>        hendrik

> "Rickan Lee" <rickan2...@hotmail.com> wrote in message

<news:3e2bd98a$1@news.fhg.de>...


    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Hendrik Danz  
View profile  
 More options Jan 21 2003, 5:05 am
Newsgroups: comp.dcom.sys.cisco
From: hendrik.d...@gmx.net (Hendrik Danz)
Date: 21 Jan 2003 02:05:54 -0800
Local: Tues, Jan 21 2003 5:05 am
Subject: Re: pix/vpn/dmz - config problems
Forward | Print | Individual message | Show original | Report this message | Find messages by this author
hi rickan
ok - i've forgot it and switched back to the old config.
the debug packet commands gives no output (didn't forget "term mon"
cmd)
also strange: can not see any incomming packets, if i debug packet
outside src 10.3.1.1 255.255.255.

any further ideas for packet debug?
are there any other possibilities to check the vpn connection?
(counter for encrypted/decrypted packets in/out?)

i'm getting really confused by that

rgds.
    hendrik


    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
danz  
View profile  
 More options Jan 30 2003, 8:25 am
Newsgroups: comp.dcom.sys.cisco
From: danz <d...@lewron.de>
Date: Thu, 30 Jan 2003 14:12:57 +0100
Local: Thurs, Jan 30 2003 8:12 am
Subject: Re: pix/vpn/dmz - config problems
Forward | Print | Individual message | Show original | Report this message | Find messages by this author
ok - i solved the problem - or better my customer did it by himself.

the right way to check the connection is:
        debug packet dmz dst <server ip>
hey - there are packets to the server i want to reach
        debug packet dmz src <server ip>
no debug output
        debug packet dmz dst <client ip>
no debug output

there are packets into the dmz, but no packet comes back - strange.
looks like a missing route - but the server settings should be ok.
after a call i found out, that there was no default route at all on the
servers side. add a default route and everything works fine.

think it is important to stay in closer contact to customers befor spend
    hours in troubleshooting.

rgds.
        hendrik


    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
End of messages
« Back to Discussions « Newer topic     Older topic »

Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2010 Google