Comments on: PIX Filrewall VPN

By: craiglucca

craiglucca — Mon, 21 Nov 2005 09:36:15 +0000

Aside from ping can you pass any traffic at all. Also, can you traceroute from either the remote end or your internal network? 2 things come to mind 1 a routing issue, where your network does not know how to reply to the host. 2 a possible mtu issue between the client and the pix, which would effect packets between the 2 points. As mentioned in your previous post a config would be helpful

By: astronomer

astronomer — Fri, 18 Nov 2005 14:41:28 +0000

It sounds to me like you don’t have an appropriate pool of addresses set up in the pix. When I set ours up I took addresses from the network the inner interface was connected to. When a client connects it is given one of these addresses so it can communicate with the internal net.
rt

By: vdinenna

vdinenna — Fri, 18 Nov 2005 13:12:03 +0000

The VPN clients are getting 10.1.100.x 255.255.255.128 addresses from the PIX 515. The network inside the FW is 192.168.1.x. The working VPN connections’ are 192.168.x.x. 255.255.255.0

By: wfenech

wfenech — Fri, 18 Nov 2005 12:41:58 +0000

are the machines that the MS clients are trying to ping/access on a separate (internal) network or subnet than the ‘working’ VPN connections?

By: vdinenna

vdinenna — Fri, 18 Nov 2005 11:57:48 +0000

It might be easier if I sent you the config, but…
We have site to site tunnels that work fine. We have both static and dynamic VPN connections from multiple sites. These sites, I believe, use DES.

The remote (MS) VPN clients are connecting thru PPTP.
-Sysopt connection premit-pptp is estabilshed
-Vpdn group PPTP has been created; usernames were created.

When I say, “I can’t PING anything , DNS or IP”, I mean when I’m connect the VPN tunnel thru the VPN client to the PIX. Once I’m authenticated, I can’t PING 192.168.1.x or server.domain.com. I can’t PING any addresses on the inside network. I can PING the gateway and firewall inside and outside addresses.

We are not using GRE.

By: wfenech

wfenech — Thu, 17 Nov 2005 16:20:49 +0000

a couple questions….

is this a new network setup, or is this an existing network that worked previously, but that has been modified?

When you say “When I connect to the PIX, I cannot PING anything, neither DNS or IP”, what do you mean by that? Do you mean that you cannot ping anything from the command line of the PIX, or do you mean that the clients, once connected to the PIX, cannot ping anything internal (behind the PIX itself)? Or?

What type of VPN are you using? IPSec?

You mentioned GRE. Why are you using GRE tunnels? Is this to route multicast traffic, such as Routing updates for a Routing protocol like OSPF or EIGRP?

By: vdinenna

vdinenna — Thu, 17 Nov 2005 14:52:44 +0000

Thanks for your quick replys!

I will try the logging. I am using the PIX Device Manager 3.0, because I’m not proficient with the CLI yet.

When I connect to the PIX, I cannot PING anything, neither DNS or IP. The PIX gives out a class A private network address to the client. It also gives out the internal DNS server IPs- which is funny, ’cause the internal DNS servers are class C. Would NAT translate these 10.1.100.x IPs to the private network?

Thanks, Vince

By: astronomer

astronomer — Thu, 17 Nov 2005 14:18:40 +0000

Vince:
Are your clients getting the right IPs to connect to your net? What can the client ping when it is connected? I don’t expect the problem to be within the external router but there may be routing or filtering issues for the IPs given to the clients.
When we first added a real firewall I discovered that some of the rudimentary filtering in the old architecture was breaking some standard microsoft connectivity. We also were unable to get TCP encapsulation to work. UDP encapsulation works fine.
Another option you may want to investigate after you get this fixed is to use the internal domain controllers as radius servers to manage user connections. This has worked well for us. I can now connect from outside using my domain account, use remote desktop to log in to any server, and even manage the pix from the server.
rt