Cisco PIX VPN Problem [Imoore?]

I'll address the top issues first.
>but once conneced i am given the IP which matches the gateway
Can you be more specifc? What IP address do you get on the client? (use ipconfig/all to see)

>I cannot ping anything on the internal network
Can you ping if "use remote gateway" is checked?

>SSH from outside to manage the VPN
use the following command on the PIX if you want to be able to ssh to it from wherever you find yourself:
  ssh 0.0.0.0 0.0.0.0 outside

Or, if you want to lock it down to your home IP:
  ssh 12.34.56.76 255.255.255.255 outside

>i am willing to change dhcp to 2003 server
Won't make a bit of difference.

>Test the VPN from inside the network (if possible)
Can't do it because you have to attach to the outside interface

>If "use remote gateway" is unchecked through xp i can access the internet,
You're going to have to make an informed decision on this one. It is truely one or the other, not both in this case. Either a user connects to you with "use remote gateway" checked, and has full access to your network, but not the Internet, or not.
There are a couple of things to try as workarounds, but there are no guarantees:
1. On the client, you can add a static route after you connect. Look at your ipconfig to get your IP address, then add a static route:
 C:\>route add A.B.C.D mask 255.255.255.0 <gateway>
Where A.B.C.D = your internal LAN of the PIX
Where <gateway> = your client IP address

2. On the PIX, setup the client pool as a sub-set of the existing internal LAN, not a separate subnet. (may or may not work for you, mileage may vary)

>for the vdpn dns ip, should it be my ISP's dns or my Win2003 server?
Your Win2003 server, for sure, since the purpose of the connection is to access your internal network, not the Internet.
That server "should" forward any requests to Internet anyway.

In response, when i say given the same IP, it is in this case 10.10.10.11 and so is the Gateway IP when doing the ipconfig cmd. If unchecked, there is no IP listed. I can't ping internally regardless of the gateway checkbox.

I have the SSH command:
ssh HomeIP 255.255.255.255 outside
When i try to connect with putty i get an access denied when i put in the password. Is there a place where i can edit the username and password for ssh account?

I can go without internet access, i need to be able to use remote desktop and browse the network as though i was there. In this case Station 21 and Station 11 are my test boxes for now. Do i need to setup some static routes on the Pix to those machines? I am not sure if there is a client issue, but even when connected with the VPN client 4.0, i can get an IP and connect, but no network. I can't ping my home or office network with or without the Gateway checkbox, all that is determining is whether or not i get internet access. I have not once been able to access the internal network thru the VPN.

I did the add route with the gateway checked and still nothing. I am not if this is something to do with me being on a workgroup through a router at home? When i go to network places it tried to find my Workgroup and obviously doesnt. All my testing has been via Cmd prompt using ping.

When connected here is my IPConfig settings
IP: 10.10.10.11
Sub: 255.255.255.255
Gateway: 10.10.10.11
DNS: 192.168.5.30 <- Win2003 Server
DNS: xxx.174.194.53 <- ISP DNS

Should I change my VPN Pool? I had it at 192.168.100.0, but changed it when i started over to avoid confusion of old settings.  So for your #2 suggestion, i would need to 192.168.5.0? All of things i have read from you, you have said change them. Will the 192.168.100.0 work for what you are talking about?
Thanks Imoore

I found this, but i dunno if this is correct..  Basically put my VPN Pool on the 192.168.5.0 subnet?

"I have managed to resolve this problem to a certain extent. If split tunneling is enable on the PIX then the users can browse both the internet and the internal network at the same time. This does cause a security weakness in that the entire area protected by the firewall is then relying on the client for the same protection as the firewall. With a number of clients obviously the number of possible vulnerable points of entry onto the internal network increases. The solution was to use a proxy server on the inside (which we already have) to allow web access etc. to outside. We have not decided which solution we will use long term, it may paritally depend on how easily our users can manage with setting and unsetting the proxy server depending on connection (and whether the automatic solution works satisfactorily).

The command for enabling the split tunneling was:
vpngroup vpngp3 split-tunnel 101"

Do i need to add a router in the mix? Or set my Win2003 server as a proxy server? Basically right now i just need to get the remote desktop working, i can deal with internet connection up and running later. So tomorrow i am going to try and change the VPN Pool to the same subnet unless you say otherwise Imoore, it is the only thing i haven't tried because i read so much that said to separate them.

Or if the split tunneling will make a difference? Or upgrading to 6.3 and 3.0 versions for the pix?

I am willing to try anything.. i need this working by Thursday, so 2 days.

> I am hoping I could get some input from Imoore since he seems to be the far and beyond expert.

He just types fast...    ;)

Also, what's vpdn ??  Should be vpnd - is this a typo ?

vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local VPNGroup
vpdn group PPTP-VPDN-GROUP client configuration dns win2003 xxx.174.194.53
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username arnvpn password *********
vpdn enable outside
vpdn enable inside

You only want vpnd enable OUTSIDE, and NOT inside.  Also, take out win2003 from this line:
vpnd group PPTP-VPDN-GROUP client configuration dns xxx.174.194.53

This is normal:

IP: 10.10.10.11
Sub: 255.255.255.255
Gateway: 10.10.10.11
DNS: 192.168.5.30 <- Win2003 Server
DNS: xxx.174.194.53 <- ISP DNS

Does your internal network know that to reach 10.10.10.10-20 it MUST route via the internal interface of the PIX ?
It's all very well giving your VPN Clients a different pool of addresses, but if internal routers don't know about this, traffic will be forwarded to their default gateway, which is perhaps different from the PIX ?

Well, I will try and do the VPN Pool change, because I am not sure how I would set this up:

"Does your internal network know how to get to the 10.10.10.x subnet by routing to the PIX?"  

All i did was make up some random subnet to be different and i saw a lot of examples that just used 10.10.10.0. I am not sure of the significance. But even if i need to have another subnet, i will use 192.168.6.0 as opposed to the 10 for simplicity. But first the same, then if that doesnt work, then use the 192.168.6.0, and hopefully either of you could help me setup so i can answer that question. Because I am assuming at this point the answer is no.  

i was hoping to have the vpdn enable inside, so i could maybe connect to the vpn inside my network, but obviously it isnt working since i cant ping the external ip of the pix.  There isn't a way i can setup a static nat or anything to one machine for testing purposes at the office since I do have more than one external IP address I can use? I wansn't completely clear if there is NO WAY of doing it or just not easy.

Still my first priority is to get on the internal network, next SSH'ing in from home to test it and make changes, and then down the road internet access from within the VPN and even.

Either of you know what is wrong with my SSH issue? I put in the password I am asked for when i access the pdm or via console hyper terminal, but is there a different default username and password for SSH?

You still need to answer the basic question:
What is the default gateway of the hosts on your network that you are tying to access?
Can you post the results of
C:\>route print
From the Windows2003 server?

If you can access the PIX from outside via PDM GUI, then I would expect that you would also be able to SSH. Is your Putty client setup to accept SSHv1? I would expect it to be a client issue. I use the "free-for-personal-use" client from http://www.ssh.com/support/downloads/secureshellwks/non-commercial.html

A diagram like this would help:

VPN Client
|
Internet
|
PIX
|
Internal Router
|
Inside

It's very difficult to understand topology just from plain text !   ;)

VPN Client -> D-Link Router -> Cable Modem -> DSL Modem -> PIX -> Linksys Hub -> Client Machines
                                                                                              |
                                                                                       Win2003 Server

And I cannot access the PDM Gui from outside. Never have.

Here is the route print from inside the network at my machine, or aka Station11 as it is labeled in the Pix Config.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

H:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 b0 d0 e4 e1 d1 ...... 3Com 3C920 Integrated Fast Ethernet Controller (
3C905C-TX Compatible) - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.5.1     192.168.5.7       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.5.0    255.255.255.0      192.168.5.7     192.168.5.7       20
      192.168.5.7  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.5.255  255.255.255.255      192.168.5.7     192.168.5.7       20
        224.0.0.0        240.0.0.0      192.168.5.7     192.168.5.7       20
  255.255.255.255  255.255.255.255      192.168.5.7     192.168.5.7       1
Default Gateway:       192.168.5.1
===========================================================================
Persistent Routes:
  None

Per your advice, i removed win2003 (aka 192.168.5.30) from both DNS, switched the VPN Pool to 192.168.5.200-210

This is from the Win2003 server....

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator.SERVER.002>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 07 e9 3b 0a 0c ...... Intel(R) PRO/100 VE Network Connection - Network
 Load Balancing Filter Device
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.5.1     192.168.5.30     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.5.0    255.255.255.0     192.168.5.30     192.168.5.30     20
     192.168.5.30  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.5.255  255.255.255.255     192.168.5.30     192.168.5.30     20
        224.0.0.0        240.0.0.0     192.168.5.30     192.168.5.30     20
  255.255.255.255  255.255.255.255     192.168.5.30     192.168.5.30      1
Default Gateway:       192.168.5.1
===========================================================================
Persistent Routes:
  None

Well.. Tried it .. No luck Here is Route with Gateway UNchecked and below the route checked from my home machine. 192.168.10.0 is my subnet at home. Obviously I could connect to the internet with no problem, but still can't ping anything thru the VPN.


C:\Documents and Settings\Red Vs Blue>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 30 1b 3a 4b 02 ...... NVIDIA nForce MCP Networking Controller - Packet
 Scheduler Miniport
0x120004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1  192.168.10.107       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.5.0    255.255.255.0    192.168.5.200   192.168.5.200       1
    192.168.5.200  255.255.255.255        127.0.0.1       127.0.0.1       50
    192.168.5.255  255.255.255.255    192.168.5.200   192.168.5.200       50
     192.168.10.0    255.255.255.0   192.168.10.107  192.168.10.107       20
   192.168.10.107  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.10.255  255.255.255.255   192.168.10.107  192.168.10.107       20
  216.210.150.146  255.255.255.255     192.168.10.1  192.168.10.107       20
        224.0.0.0        240.0.0.0    192.168.5.200   192.168.5.200       50
        224.0.0.0        240.0.0.0   192.168.10.107  192.168.10.107       20
  255.255.255.255  255.255.255.255   192.168.10.107  192.168.10.107       1
Default Gateway:      192.168.10.1
===========================================================================
Persistent Routes:
  None


This is with the Gateway Checkbox.
C:\Documents and Settings\Red Vs Blue>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 30 1b 3a 4b 02 ...... NVIDIA nForce MCP Networking Controller - Packet
 Scheduler Miniport
0x140004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.5.200   192.168.5.200       1
          0.0.0.0          0.0.0.0     192.168.10.1  192.168.10.107       21
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.5.200  255.255.255.255        127.0.0.1       127.0.0.1       50
    192.168.5.255  255.255.255.255    192.168.5.200   192.168.5.200       50
     192.168.10.0    255.255.255.0   192.168.10.107  192.168.10.107       20
   192.168.10.107  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.10.255  255.255.255.255   192.168.10.107  192.168.10.107       20
  216.210.150.146  255.255.255.255     192.168.10.1  192.168.10.107       20
        224.0.0.0        240.0.0.0   192.168.10.107  192.168.10.107       20
        224.0.0.0        240.0.0.0    192.168.5.200   192.168.5.200       1
  255.255.255.255  255.255.255.255   192.168.10.107  192.168.10.107       1
Default Gateway:     192.168.5.200
===========================================================================
Persistent Routes:
  None

Tried to SSH still getting pw denied. For username i put admin, but i never put one in when i connect via console or PDM, it is just blank and i put in a pw.

User name should be PIX

Can you paste your current running
access-list inside_outbound_nat0_acl

I know we have to be close on this....

> cannot access the PDM Gui from outside
Sorry, I thought you could.
Do you just get a "page cannot be displayed", or do you get a security alert popup?
If you get a username/login prompt, try logging in with a blank username and the enable password
Same with SSH - blank username, enable password

This link may help
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml

>http xxx.210.150.144 255.255.255.248 outside

This entry is the equivelent of an access list for https access.
make sure you have an entry for yourself like this:

http HomeIP 255.255.255.255 outside

This is the current config..  Not sure if this is important, but the outside interface is xxx.210.150.145, and that is the only IP we use. the 150.144 we have, but dont use, so i switched that and did put the http as my HomeIP

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.5.30 win2003
name xxx.210.150.146 pix-out
name 192.168.5.1 pix-in
name xxx.17.164.57 HomeIP
name xxx.96.240.50 PeaceHealth
name 192.168.5.21 Station21
name 192.168.5.7 Station11
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 xxx.96.64.0 255.255.224.0
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 xxx.96.64.0 255.255.224.0
access-list inside_outbound_nat0_acl permit ip host Station21 192.168.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host Station11 192.168.5.0 255.255.255.0
pager lines 50
logging on
logging console debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside pix-out 255.255.255.248
ip address inside pix-in 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNGroup 192.168.5.200-192.168.5.210
pdm location 192.168.5.0 255.255.255.0 inside
pdm location xxx.210.150.0 255.255.255.0 outside
pdm location xxx.210.150.144 255.255.255.248 outside
pdm location xxx.96.64.0 255.255.224.0 outside
pdm location HomeIP 255.255.255.255 outside
pdm location Station11 255.255.255.255 inside
pdm location Station21 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.210.150.145 1
route outside xxx.96.64.0 255.255.224.0 xxx.210.150.145 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http HomeIP 255.255.255.255 outside
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside pix-out c:\temp\tftp
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer PeaceHealth
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address PeaceHealth netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup arnvpn address-pool VPNGroup
vpngroup arnvpn dns-server xxx.174.194.53
vpngroup arnvpn default-domain arnw.local
vpngroup arnvpn idle-time 1800
vpngroup arnvpn password ********
telnet timeout 5
ssh HomeIP 255.255.255.255 outside
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local VPNGroup
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username arnvpn password *********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.5.5-192.168.5.29 inside
dhcpd dns xxx.174.194.53 xxx.174.194.54
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain callatg.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 100
Cryptochecksum:9fefc77bb2902ce129b2ec6a247dbaee
: end

Good News.. I am typing this right now Remote Desktop'd in. However there is a problem. When i was pinging ip's once connected to the VPN, I couldn't ping 192.168.5.1 or 192.168.5.30.  Shouldn't I be able to ping these for sure? what's that about? We are almost through.. WoOHoO! Thanks so much so far.

What i hope to do is be able to access just the Server to some shared drives without having to completely remote desktop if that is possible. It seems as though it would. So now i just need to refine things and make them cleaner. Or should i make a new question to give ya the points and then more on the little things? Let me know.

I'm lost....  what exactly is the problem now ?
Are PPTP clients working OK ?
I don't think PING won't work with this configuration, as replies from 192.168.5.1 and 192.168.5.30 are going to hit the local subnet, and aren't going to route out via the VPN tunnel as locally attached subnets take priority during routing.

It would have been useful to put some real IP addresses in the diagram to aid troublehooting -

VPN Client -> D-Link Router -> Cable Modem -> DSL Modem -> PIX -> Linksys Hub -> Client Machines / W2K Server

Let us know if you need more help...

Yes, you can access the shared drives on the server over the vpn.
If you can't get that working, post a new question for that issue.

I posted a new thread about refining those details, but as far as fixing, i think it might have been the same IP Pool for the VPN since the routing wasn't working right? I dunno, if you guys could tell me? However, today i tried connecting via Dial-up on the VPN and was back at square one getting an IP, but still couldn't access anything on the network, so i dunno if it was having my Home IP address setup somewhere, but i dont think so. HTTP, SSH and PDM commands wouldnt do that would they? I need the VPN open to any IP address since there will be a lot of moving and never knowing the exact IP.

VPN Client (192.168.5.200 [VPN] & 192.168.10.107) -> D-Link Router (192.168.10.1) -> Cable Modem (xxx.17.164.57)-> DSL Modem (xxx.210.150.146) -> PIX (192.168.5.1) -> Client Machines (192.168.5.7) / W2003 Server (192.168.5.30)


This is the config setup i was using that seemed to work.
What does NOT work now is :
VPN Client (192.168.5.200 [VPN] & 66.109.196.233 [Dialup]) -> DSL Modem (xxx.210.150.146) -> PIX (192.168.5.1) -> Client Machines (192.168.5.7) / W2003 Server (192.168.5.30)

Hmpf... I dunno..

Nevermind, it is working, it was a DHCP problem changing the ip's around on me and thus not working. Still need access to shared folders and Network Places when just VPN'd. Any thoughts?

Use LMHOSTS or WINS for shared folders/network places...
Not much of an alternative unless you have DDNS and/or WINS setup on your servers.

You will always run into problems if you've identical IP subnets at the client end and network end BEFORE the VPN comes up, so this configuration would be problematic:

VPN Client (192.168.5.200 [VPN] & 192.168.10.107) -> D-Link Router (192.168.10.1) -> Cable Modem (xxx.17.164.57)-> DSL Modem (xxx.210.150.146) -> PIX (192.168.5.1) -> Client Machines (192.168.5.7) / W2003 Server (192.168.5.30)

To get round this, either change the remote client IP range, or use NAT on the PIX to translate its own network to something else.

I have wins running on the Win2003 server, but still nothing. Not sure if i understand exaclty how to use LMHOSTS, but ill try to set it up.

Tim, the reason we are using the same subnet is because it wasn't working beforehand. So i dunno. I am willing to try anything, if u can give some examples of how u would do it, that would be nice.

I'm putting in:
access-list inside_outbound_nat0_acl permit ip host Win2003 192.168.5.0 255.255.255.0
So maybe once they can get access to the server, they can then resolve. I dunno, makes sense, i'll give it a shot.