Firewall Wizards mailing list archives
Cisco PIX VPN Pass-Through
From: "Nick Chettle" <nick.chettle () trinite co uk>
Date: Mon, 13 Dec 2004 14:07:18 -0000
Hi List, I am having a few problems with allowing IPSEC through a Cisco PIX 501. The setup is as follows: Host (Checkpoint Client) (192.168.1.111) | PIX (NAT) | INTERNET | VPN Server (Checkpoint) The problem is, the PIX keeps dropping my outgoing isakmp packets on it's *internal* inetrface! 710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp 710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp 710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp 710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp 710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp 710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp Does anyone know why it's doing this? Anyting from my internal (Security Level 100) should pass straight to my external interface and out onto the net. For some reason though, it's treating isakmp packets differently... I've included my config below, can anyone see anything I've missed or have any ideas why it's dropping the isakmp packets? Thanks for any help. Nick Chettle interface ethernet0 10baset interface ethernet1 100 fullnameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password 3GGXyVtUoSBXYQhs encrypted passwd cKU2di4GRadMEEhe encrypted hostname sokar domain-name example.net fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 Names access-list 100 permit icmp any any access-list 100 permit tcp any host 213.208.82.183 eq www access-list 100 permit tcp any host 213.208.82.183 eq 3306 access-list 100 permit tcp any host 213.208.82.179 eq 3389 access-list 100 permit tcp any host 213.208.82.182 eq 6881 access-list 100 permit tcp any host 213.208.82.179 eq 6881 access-list 100 permit tcp any host 213.208.82.182 eq pptp access-list 100 permit gre any host 213.208.82.182 access-list 100 permit tcp any host 213.208.82.177 eq 18231 access-list 100 permit udp any host 213.208.82.177 eq 18233 access-list 100 permit udp any host 213.208.82.187 eq 18233 access-list 100 permit tcp any host 213.208.82.187 eq 18231 access-list 100 permit esp any host 213.208.82.187 access-list 100 permit udp any host 213.208.82.187 eq isakmp pager lines 24 logging on logging timestamp logging buffered errors logging trap notifications mtu outside 1500 mtu inside 1500 ip address outside 213.208.82.178 255.255.255.240 ip address inside 192.168.1.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm location 192.168.1.4 255.255.255.255 inside pdm location 192.168.1.5 255.255.255.255 inside pdm location 192.168.1.6 255.255.255.255 inside pdm location 192.168.1.7 255.255.255.255 inside pdm logging informational 100pdm history enable arp timeout 14400 global (outside) 1 interfacenat (inside) 1 0.0.0.0 0.0.0.0 0 0 alias (inside) 213.208.82.183 192.168.1.6 255.255.255.255 alias (inside) 213.208.82.181 192.168.1.4 255.255.255.255 alias (inside) 213.208.82.180 192.168.1.3 255.255.255.255 static (inside,outside) 213.208.82.182 192.168.1.5 netmask 255.255.255.255 0 0 static (inside,outside) 213.208.82.183 192.168.1.6 netmask 255.255.255.255 0 0 static (inside,outside) 213.208.82.181 192.168.1.4 netmask 255.255.255.255 0 0 static (inside,outside) 213.208.82.179 192.168.1.2 netmask 255.255.255.255 0 0 static (inside,outside) 213.208.82.184 192.168.1.7 netmask 255.255.255.255 0 0 static (inside,outside) 213.208.82.180 192.168.1.3 netmask 255.255.255.255 0 0 static (inside,outside) 213.208.82.187 192.168.1.111 netmask 255.255.255.255 0 0 access-group 100 in interface outside route outside 0.0.0.0 0.0.0.0 213.208.82.177 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absoluteaaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radiusaaa-server LOCAL protocol local http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server locationno snmp-server contact snmp-server community public no snmp-server enable trapsfloodguard enable telnet 192.168.1.0 255.255.255.0 inside telnet timeout 25ssh timeout 5 console timeout 0dhcpd address 192.168.1.21-192.168.1.25 inside dhcpd dns 213.208.106.212 213.208.106.213 dhcpd lease 3600dhcpd ping_timeout 750 dhcpd domain example.net dhcpd auto_config outside dhcpd enable inside terminal width 80 Cryptochecksum:73a08833c4a9243ad6d16e4534bf64b2 : end _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Cisco PIX VPN Pass-Through Nick Chettle (Dec 13)
- <Possible follow-ups>
- Re: Cisco PIX VPN Pass-Through Nick Chettle (Dec 13)