Question : Problem: VPN Setup
Hi All,

I am trying to figure out how VPN has been implemented on our office network. The information available to me is limited. I know that:

1. All remote users use a Cisco VPN client.
2. There is a PIX firewall filtering and NATing traffic on the network. (The config is attached below.)
3. The host address on the VPN client is configured to be our Exchange Server.

Can you take a look at the following PIX config and deduce the most likely VPN setup? I would like to know the following:

1. Which device acts as the VPN server?
2. How is domain authentication taking place in this setup?
3. Why are Cisco's VPN clients being used rather than XP clients?
4. Why is the host address on the VPN client pointing to the Exchange Server?
5. Is there an RAS server involved?
*********************************************************
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ########## encrypted
passwd ########## encrypted
hostname ##########
domain-name ###################
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host ########## eq smtp
access-list outside_access_in permit tcp any host ########## eq www
access-list outside_access_in permit tcp any host ########## eq 1227
access-list outside_access_in permit tcp any host ########## eq ftp
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit ip ##########
access-list outside_access_in permit tcp any host ########## eq smtp
access-list outside_access_in permit tcp any host ########## eq https
access-list outside_access_in permit tcp any host ########## eq 5800
access-list outside_access_in permit tcp any host ########## eq www
access-list outside_access_in permit tcp any host ########## eq ftp
access-list outside_access_in permit tcp any host ########## eq https
access-list 102 permit ip 192.168.10.0 255.255.255.0 10.64.12.0 255.255.255.0
access-list 102 permit ip 149.253.50.0 255.255.255.0 10.64.12.0 255.255.255.0
access-list 102 permit ip 192.168.8.0 255.255.255.0 10.64.12.0 255.255.255.0
access-list 102 permit ip 192.168.9.0 255.255.255.0 10.64.12.0 255.255.255.0
access-list 102 permit ip 10.64.12.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list 102 permit ip 10.64.8.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list no-nat permit ip 192.168.8.0 255.255.255.0 10.255.255.0 255.255.255.0
access-list no-nat permit ip 192.168.9.0 255.255.255.0 10.255.255.0 255.255.255.0
access-list no-nat permit ip 192.168.9.0 255.255.255.0 10.64.12.0 255.255.255.0
access-list no-nat permit ip 192.168.8.0 255.255.255.0 10.64.12.0 255.255.255.0
access-list 101 permit ip 10.64.12.0 255.255.255.0 ########## 255.255.255.0
access-list 101 permit ip 10.64.8.0 255.255.255.0 ########## 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside ##########
ip address inside 192.168.8.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 10.255.255.1-10.255.255.254
ip local pool VPN2 10.64.12.1-10.64.12.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.8.117 smtp netmask 255.255.255.255 0 0
static (inside,outside) ########## 192.168.8.119 netmask 255.255.255.255 0 0
static (inside,outside) ########## 192.168.8.13 netmask 255.255.255.255 0 0
static (inside,outside) ########## 192.168.8.129 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 71.216.22.86 1
route inside 10.64.12.0 255.255.255.0 192.168.8.1 1
route inside ########## 255.255.255.128 192.168.8.1 1
route inside 1########## 255.255.255.0 192.168.8.1 1
route inside ########## 255.255.255.0 192.168.8.1 1
route inside ########## 255.255.255.0 192.168.8.1 1
route inside 192.168.8.0 255.255.252.0 192.168.8.1 1
route inside 192.168.9.0 255.255.255.0 192.168.8.1 1
route inside 192.168.10.0 255.255.255.0 192.168.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.8.116 ########## timeout 5
http server enable
http 192.168.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ########## address-pool VPN2
vpngroup ########## dns-server 192.168.8.115 192.168.8.116
vpngroup ########## split-tunnel 102
vpngroup ########## idle-time 1800
vpngroup ########## password ********
telnet 192.168.8.0 255.255.252.0 inside
telnet 192.168.8.0 255.255.255.0 inside
telnet timeout 5
ssh ########## outside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:40ee0d502ee60366e25266cf725574cb
: end
pdxpix#
Thanks
Answer : Problem: VPN Setup
>> What you mean to say is that all smtp packets that arrive on the router interface with an address of 72.x.x.x get forwarded to the Exchange Server at 192.168.8.117.

Yup, exactly.

>> Any other packet that arrives at that address gets dropped??? Or is a VPN connection established?

Maybe. See, the PIX can be configured to accept certain packets itself depending on the services it offers. In this case it's offering a VPN service. So when a client connects to the outside interface for the VPN port, the PIX accepts the packet itself. Other than that, you are correct, the packets would be dropped.

>> What IP can I use to establish a VPN connection to access a PC on the domain using Remote Desktop?

If you mean which IP you use in the VPN client to establish a VPN connection so you can then in turn Remote Desktop into a PC: you just use the interface IP (same as for Exchange SMTP traffic).

>> Also, why does a ping to 72.x.x.x display as exch.mydomain.com when it's the outside address of the PIX?

Now you're talking DNS. When doing a ping it usually tries to resolve the IP. In this case, you have a PTR (IP to name mapping) that maps the 72.x.x.x IP to exch.mydomain.com. That is why you see the Exchange name there.
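As an added example (not code from the original poster or the person answering), here is a small Python script that reads the relevant lines of the PIX config quoted in the question and extracts, mechanically, the facts behind questions 1 and 2: which interface the crypto map is bound to and whether IKE is enabled there, which aaa-server group the `client authentication` (XAUTH) command names and what protocol and host that group points at, which address pool, DNS servers and split-tunnel ACL the vpngroup hands out, and where the outside interface's SMTP port is statically translated. The config excerpt embedded in the script is copied from the question with the masked values left as `##########`; the dictionary field names and the two function names are my own.

```python
"""Pull the remote-access VPN facts out of a PIX 6.x config dump.

Added example for this thread, not code from the original post. Field names in
the returned dict are my own; the regexes target PIX 6.x command syntax as it
appears in the config quoted in the question.
"""
import re

# Constructed excerpt of the config quoted in the question. Masked values are
# kept as '##########'; only lines relevant to the VPN and the SMTP path are here.
PIX_CONFIG = """\
ip local pool VPN 10.255.255.1-10.255.255.254
ip local pool VPN2 10.64.12.1-10.64.12.254
static (inside,outside) tcp interface smtp 192.168.8.117 smtp netmask 255.255.255.255 0 0
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.8.116 ########## timeout 5
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ########## address-pool VPN2
vpngroup ########## dns-server 192.168.8.115 192.168.8.116
vpngroup ########## split-tunnel 102
vpngroup ########## idle-time 1800
"""


def deduce_vpn_setup(config: str) -> dict:
    """Return what the config says about where IPsec terminates and how
    remote users are authenticated; None/empty where the config is silent."""
    facts = {
        "crypto_map_interface": None,   # interface the crypto map is applied to
        "isakmp_interfaces": [],        # interfaces on which IKE is enabled
        "ike_policy": {},               # isakmp policy attribute -> value
        "xauth_group": None,            # aaa-server group named by 'client authentication'
        "xauth_protocol": None,         # protocol of that group (radius / tacacs+ / local)
        "xauth_hosts": [],              # (interface, host) pairs of that group's servers
        "address_pools": {},            # pool name -> (first, last)
        "vpngroup_pool": None,
        "client_dns": [],
        "split_tunnel_acl": None,
        "permit_ipsec_bypasses_acl": False,  # 'sysopt connection permit-ipsec' present
        "smtp_static": None,            # inside host behind outside:smtp
    }
    aaa_protocol, aaa_hosts = {}, {}

    for raw in config.splitlines():
        line = raw.strip()
        if (m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line)):
            facts["address_pools"][m[1]] = (m[2], m[3])
        elif (m := re.match(r"crypto map (\S+) interface (\S+)$", line)):
            facts["crypto_map_interface"] = m[2]
        elif (m := re.match(r"crypto map \S+ client authentication (\S+)$", line)):
            facts["xauth_group"] = m[1]
        elif (m := re.match(r"isakmp enable (\S+)$", line)):
            facts["isakmp_interfaces"].append(m[1])
        elif (m := re.match(r"isakmp policy \d+ (\S+) (\S+)$", line)):
            facts["ike_policy"][m[1]] = m[2]
        elif (m := re.match(r"aaa-server (\S+) protocol (\S+)$", line)):
            aaa_protocol[m[1]] = m[2]
        elif (m := re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)", line)):
            aaa_hosts.setdefault(m[1], []).append((m[2], m[3]))
        elif (m := re.match(r"vpngroup \S+ address-pool (\S+)$", line)):
            facts["vpngroup_pool"] = m[1]
        elif (m := re.match(r"vpngroup \S+ dns-server (.+)$", line)):
            facts["client_dns"] = m[1].split()
        elif (m := re.match(r"vpngroup \S+ split-tunnel (\S+)$", line)):
            facts["split_tunnel_acl"] = m[1]
        elif line == "sysopt connection permit-ipsec":
            facts["permit_ipsec_bypasses_acl"] = True
        elif (m := re.match(r"static \(inside,outside\) tcp interface smtp (\S+) smtp", line)):
            facts["smtp_static"] = m[1]

    # Resolve the XAUTH server group to its protocol and server list.
    group = facts["xauth_group"]
    facts["xauth_protocol"] = aaa_protocol.get(group)
    facts["xauth_hosts"] = aaa_hosts.get(group, [])
    return facts


def is_pix_vpn_server(facts: dict) -> bool:
    """True when the PIX itself terminates the tunnel: a crypto map is bound
    to an interface on which IKE is enabled."""
    iface = facts["crypto_map_interface"]
    return iface is not None and iface in facts["isakmp_interfaces"]


if __name__ == "__main__":
    f = deduce_vpn_setup(PIX_CONFIG)
    print("VPN server is the PIX:", is_pix_vpn_server(f), "on", f["crypto_map_interface"])
    print("XAUTH via", f["xauth_protocol"], f["xauth_hosts"])
    print("Client pool", f["vpngroup_pool"], f["address_pools"].get(f["vpngroup_pool"]))
    print("Split-tunnel ACL", f["split_tunnel_acl"], "DNS", f["client_dns"])
    print("outside:smtp ->", f["smtp_static"])
```

Run against the quoted config this gives: the tunnel terminates on the PIX's outside interface, so the PIX is the VPN server; remote users are authenticated with XAUTH against the RADIUS server 192.168.8.116 on the inside, which is also one of the two DNS servers handed to VPN clients (consistent with a domain controller running a RADIUS service, though the config alone cannot confirm that); clients get addresses from pool VPN2 (10.64.12.0/24) and split-tunnel ACL 102; and inbound SMTP on the outside address is forwarded to 192.168.8.117. Two caveats a practitioner would want: `sysopt connection permit-ipsec` means decrypted IPsec traffic bypasses `outside_access_in`, so VPN clients are bounded only by ACL 102 and what the inside network allows; and the IKE policy (pre-shared key, 3DES, MD5, DH group 2) together with `snmp-server community public` would both be worth replacing on a box still in service. On question 3, note there is no `vpdn` (PPTP/L2TP) configuration at all, so the built-in Windows client would have nothing to connect to; the vpngroup plus XAUTH scheme is what the Cisco VPN client speaks.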