Firewall Wizards mailing list archives

Cisco PIX VPN Pass-Through


From: "Nick Chettle" <nick.chettle () trinite co uk>
Date: Mon, 13 Dec 2004 14:07:18 -0000

Hi List,

I am having a few problems with allowing IPSEC through a Cisco PIX 501.
The setup is as follows:

Host (Checkpoint Client) (192.168.1.111)
|
PIX (NAT)
|
INTERNET
|
VPN Server (Checkpoint)

The problem is, the PIX keeps dropping my outgoing isakmp packets on
its *internal* interface!

710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp
710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp
710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp
710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp
710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp
710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp

Does anyone know why it's doing this? Anything from my internal (Security
Level 100) should pass straight to my external interface and out onto
the net. For some reason, though, it's treating isakmp packets
differently...

I've included my config below; can anyone see anything I've missed or
have any ideas why it's dropping the isakmp packets?

Thanks for any help.

Nick Chettle

interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 3GGXyVtUoSBXYQhs encrypted
passwd cKU2di4GRadMEEhe encrypted
hostname sokar
domain-name example.net
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 100 permit icmp any any
access-list 100 permit tcp any host 213.208.82.183 eq www
access-list 100 permit tcp any host 213.208.82.183 eq 3306
access-list 100 permit tcp any host 213.208.82.179 eq 3389
access-list 100 permit tcp any host 213.208.82.182 eq 6881
access-list 100 permit tcp any host 213.208.82.179 eq 6881
access-list 100 permit tcp any host 213.208.82.182 eq pptp
access-list 100 permit gre any host 213.208.82.182
access-list 100 permit tcp any host 213.208.82.177 eq 18231
access-list 100 permit udp any host 213.208.82.177 eq 18233
access-list 100 permit udp any host 213.208.82.187 eq 18233
access-list 100 permit tcp any host 213.208.82.187 eq 18231
access-list 100 permit esp any host 213.208.82.187
access-list 100 permit udp any host 213.208.82.187 eq isakmp
pager lines 24
logging on
logging timestamp
logging buffered errors
logging trap notifications
mtu outside 1500
mtu inside 1500
ip address outside 213.208.82.178 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.4 255.255.255.255 inside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 192.168.1.6 255.255.255.255 inside
pdm location 192.168.1.7 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 213.208.82.183 192.168.1.6 255.255.255.255
alias (inside) 213.208.82.181 192.168.1.4 255.255.255.255
alias (inside) 213.208.82.180 192.168.1.3 255.255.255.255
static (inside,outside) 213.208.82.182 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 213.208.82.183 192.168.1.6 netmask 255.255.255.255 0 0
static (inside,outside) 213.208.82.181 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 213.208.82.179 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 213.208.82.184 192.168.1.7 netmask 255.255.255.255 0 0
static (inside,outside) 213.208.82.180 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 213.208.82.187 192.168.1.111 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 213.208.82.177 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 25
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.21-192.168.1.25 inside
dhcpd dns 213.208.106.212 213.208.106.213
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain example.net
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:73a08833c4a9243ad6d16e4534bf64b2
: end
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
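An added check, not part of Nick's post or Cisco's tooling: it parses the 710005 syslog lines and the `ip address` lines from the config above and reports whether each discarded request was addressed to one of the PIX's own interface addresses rather than to a remote host. PIX 7100xx messages concern traffic destined for the appliance itself, so this separates "to-the-box" drops from genuine pass-through failures; the sample input is constructed from the lines quoted in the post.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: the two "ip address" lines from the config and two of
# the 710005 lines quoted in the post (the remaining four are identical).
CONFIG = """\
ip address outside 213.208.82.178 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
"""

SYSLOG = """\
710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp
710005: UDP request discarded from 192.168.1.111/500 to inside:192.168.1.1/isakmp
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\d+\.\d+\.\d+\.\d+) ")
# 710005: <TCP|UDP> request discarded from <src>/<sport> to <iface>:<dst>/<service>
DROP_RE = re.compile(
    r"^(\d{6}): (TCP|UDP) request discarded from (\S+)/(\S+) to (\S+):(\S+)/(\S+)$"
)


def interface_addresses(config: str) -> Dict[str, str]:
    """Map interface name -> address from the PIX 'ip address' lines."""
    found = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def classify_drops(syslog: str, config: str) -> List[dict]:
    """Parse each 710005 line and flag whether its destination is the
    firewall's own address on the named interface (to-the-box traffic)."""
    own = interface_addresses(config)
    drops = []
    for line in syslog.splitlines():
        m = DROP_RE.match(line.strip())
        if not m or m.group(1) != "710005":
            continue
        _, proto, src, sport, iface, dst, service = m.groups()
        drops.append({"proto": proto, "src": src, "sport": sport, "iface": iface,
                      "dst": dst, "service": service,
                      "to_the_box": own.get(iface) == dst})
    return drops


def count_by_target(drops: List[dict]) -> Counter:
    """Count drops per (src, iface, dst, service) so repeats collapse to one row."""
    return Counter((d["src"], d["iface"], d["dst"], d["service"]) for d in drops)
```

For the lines in the post every drop is flagged to-the-box: the ISAKMP packets were addressed to 192.168.1.1, the PIX's inside address, not to the remote VPN server.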