
Setting up a PIX with 6.3(x) Code to Allow QuickVPN Through It!

Discussion in 'Other Cisco Equipment' started by eric_stewart, Jan 12, 2007.

  1. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    ==============================================================================
    Sidebar...these are largely the same steps you would use for *any* VPN device behind your PIX where the PIX itself is not the endpoint and the VPN traffic must pass through where it is initiated from the outside. This traffic is low-to-high security level traffic, so you need a static translation and an access list as you do for any other traffic traversing in this direction. Don't get fooled into thinking that just remote access VPN traffic like QuickVPN is initiated from the outside. Site-to-Site VPNs fall into this category too, where the remote gateway is trying to solicit a connection to an inside gateway. Note that we have to allow NAT-T (i.e., UDP port 4500 traffic) through as well, in case the VPN peers negotiate it for IKE Phase II.
    ==============================================================================


    Enable port forwarding to the RVxxx or WRVxxx (my PIX is PAT'ing). Also, my RV042 uses WAN address 192.168.99.99. Since I am using TCP port 443 for remote administration, I am forwarding 60443 instead, since QuickVPN can use this as an alternate port.
    ---------------------------------------------------
    static (inside,outside) tcp interface 60443 192.168.99.99 60443 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface isakmp 192.168.99.99 isakmp netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 4500 192.168.99.99 4500 netmask 255.255.255.255 0 0

    Adjust access-lists to allow both ESP and ISAKMP (this access list is on the outside interface):
    ---------------------------------------------------
    access-list inside-servers line 19 permit udp any any eq isakmp ! Phase I
    access-list inside-servers line 20 permit esp any any ! Phase II
    access-list inside-servers line 21 permit udp any any eq 4500 ! NAT-T

    Turn on the fixup for ESP-IKE (e.g. VPN pass-through)
    ---------------------------------------------------
    fixup protocol esp-ike


    Disable the VPN from terminating on the PIX
    ---------------------------------------------------
    no isakmp enable outside

    This is all well and good, but it breaks VPN connectivity *to* my PIX since I cannot have site-to-site VPNs and tunnel QVPN through the box. Obviously I can’t have my cake and eat it too! But, if you have to try out QuickVPN, I've probably saved you a bit of work!

    I can now ping the inside of my network and I am no longer getting the “Negotiating IP Security” message continuously. The 1st couple of packets *do* get this message, then there are a couple of timed out packets then it succeeds.

    Here are “hits” on all my access-list lines that pertain to the QuickVPN configuration:
    ---------------------------------------------------

    pix(config)# sh access-list inside-servers
    access-list inside-servers; 15 elements
    access-list inside-servers line 1 permit tcp any any eq 60443 (hitcnt=19)
    access-list inside-servers line 2 permit tcp any any eq ftp log 6 interval 300 (hitcnt=0)
    access-list inside-servers line 3 permit tcp any any eq https log 6 interval 300 (hitcnt=2)
    access-list inside-servers line 4 permit tcp any any eq www log 6 interval 300 (hitcnt=84)
    access-list inside-servers line 5 permit tcp any any eq 3389 log 6 interval 300 (hitcnt=0)
    access-list inside-servers line 6 permit tcp any any eq pptp (hitcnt=0)
    access-list inside-servers line 7 remark -------- begin email servers -------------
    access-list inside-servers line 8 remark Secure IMAP/SSL = TCP port 993
    access-list inside-servers line 9 permit tcp any any eq 993 (hitcnt=0)
    access-list inside-servers line 10 permit tcp any any eq 465 (hitcnt=0)
    access-list inside-servers line 11 remark Secure POP3/SSL = TCP port 995
    access-list inside-servers line 12 permit tcp any any eq smtp (hitcnt=8)
    access-list inside-servers line 13 permit tcp any any eq 995 (hitcnt=0)
    access-list inside-servers line 14 remark -------- end email servers -------------
    access-list inside-servers line 15 remark --- allow SIP inbound ------
    access-list inside-servers line 16 permit udp any any eq 5060 (hitcnt=0)
    access-list inside-servers line 17 permit tcp any any eq 5060 (hitcnt=0)
    access-list inside-servers line 18 permit tcp any any eq 2222 (hitcnt=0)
    access-list inside-servers line 19 permit udp any any eq isakmp (hitcnt=2)
    access-list inside-servers line 20 permit esp any any (hitcnt=48)
    access-list inside-servers line 21 permit udp any any eq 4500 (hitcnt=38)

    Anyway, this was a lot of fun but wouldn't you know it...I got it to work for a test bed that consisted of a PC with QuickVPN 1.0.47 (beta) on it, using a dialup Internet connection and a public IP address. Poor Simon (our esteemed site admin) couldn't get it working to the same PIX but where his client was behind a (you guessed it) Linksys firewall.

    Fun and games maybe, but I'm not wasting any more oxygen over this Not-so-Quick VPN thing. I'll stick with my Cisco VPN solution, which is no loss to me since I bought my RV042 to establish a DMZ for my web/mail/X server in any case.

    /Eric
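    The post's procedure boils down to three pieces that must all be present for an IPsec peer behind the PIX: the static translations for UDP/500 and UDP/4500, and the ACEs for ISAKMP, ESP and NAT-T, with non-zero hit counts once a client connects. The script below is an added example (not Eric's, and not a Cisco tool) that parses PIX 6.3 `show access-list` output and `static` lines and reports what is missing; the sample text is constructed from the lines in the post, and the hit counts are taken from there.

```python
import re

# Constructed sample of "show access-list" output in PIX 6.3 format (from the post).
SAMPLE_ACL = """\
access-list inside-servers; 15 elements
access-list inside-servers line 1 permit tcp any any eq 60443 (hitcnt=19)
access-list inside-servers line 4 permit tcp any any eq www log 6 interval 300 (hitcnt=84)
access-list inside-servers line 19 permit udp any any eq isakmp (hitcnt=2)
access-list inside-servers line 20 permit esp any any (hitcnt=48)
access-list inside-servers line 21 permit udp any any eq 4500 (hitcnt=38)
"""

# Constructed sample of the static translations from the running config.
SAMPLE_STATICS = """\
static (inside,outside) tcp interface 60443 192.168.99.99 60443 netmask 255.255.255.255 0 0
static (inside,outside) udp interface isakmp 192.168.99.99 isakmp netmask 255.255.255.255 0 0
static (inside,outside) udp interface 4500 192.168.99.99 4500 netmask 255.255.255.255 0 0
"""

ACE_RE = re.compile(r"permit (\S+) any any(?: eq (\S+))?.*\(hitcnt=(\d+)\)")
STATIC_RE = re.compile(r"static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+)")

# What an IPsec peer behind the PIX needs: ISAKMP (UDP/500), ESP, and NAT-T (UDP/4500).
REQUIRED = {("udp", "isakmp"), ("esp", None), ("udp", "4500")}

def parse_hits(acl_text):
    """Map (protocol, port) -> hit count from show access-list output."""
    hits = {}
    for line in acl_text.splitlines():
        m = ACE_RE.search(line)
        if m:
            hits[(m.group(1), m.group(2))] = int(m.group(3))
    return hits

def parse_statics(static_text):
    """Map (protocol, outside port) -> inside host for each port static."""
    statics = {}
    for line in static_text.splitlines():
        m = STATIC_RE.match(line)
        if m:
            statics[(m.group(1), m.group(2))] = m.group(3)
    return statics

def check_passthrough(acl_text, static_text, inside_host):
    """Return a list of problems; an empty list means pass-through is fully set up."""
    hits, statics, problems = parse_hits(acl_text), parse_statics(static_text), []
    for key in sorted(REQUIRED, key=str):
        if key not in hits:
            problems.append("missing ACE for %s/%s" % key)
        elif hits[key] == 0:
            problems.append("ACE for %s/%s has no hits yet" % key)
    # ESP carries no port, so only the two UDP ports need a static to the peer.
    for key in (("udp", "isakmp"), ("udp", "4500")):
        if statics.get(key) != inside_host:
            problems.append("no static for %s/%s to %s" % (key + (inside_host,)))
    return problems
```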
     
  2. Toxic

    Toxic Administrator Staff Member

    Thanks Eric for the detailed explanation. I will also be adding my PIX (506e) as my main firewall over the next coming month or so.
     
  3. kspare

    kspare Computer Guy Staff Member Member

    If you have a pix, why would you bother with quickvpn?
     
  4. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Read the last paragraph of the post smart guy ;-)

    Actually, it's a philosophy thing. A common axiom in the network security business is "separation of services". While the PIX is capable of supporting/terminating a VPN, its primary purpose is to be an edge firewall, establishing one perimeter in a multi-tiered, multi-zone network. The other thing is, if I establish the VPN to the RV042, I am taking advantage of its hardware-accelerated encryption VPN capability...thus (theoretically) improving throughput. The PIX 501 that I'm using supports software-only encryption VPNs....adding a measurable burden to the little chipmunk-on-a-rubber-band AMD 133 MHz processor.

    That said, I still use the Cisco VPN solution since it...(wait for it).....works.

    How's that?

    /Eric
     