consistel
Configuring VPN with Cisco PIX 506E
Hello Experts, I'm a newbie with the PIX Firewall. I'm trying to set up a VPN using a PIX 506E Firewall. We have a domain network with about 200 users. I configured the VPN using the VPN Wizard in the PDM. I created a new group with a group password and I assigned the same range of IPs (same range as our network IPs) for the VPN pool.
This is how I configured VPN with the VPN Wizard:
1. VPN Type: Remote Access VPN, Interface: Outside
2. Remote Access Client: Cisco VPN Client, Release 3.x or higher
3. Group Name: domainRA, Preshared Key (Group Password): ********
4. Did not choose "Enable Extended Client Authentication"
5. Selected Pool Name: domainRA, Ranging: 192.168.0.222 to 192.168.0.233 (Same range as our network)
6. Entered Primary DNS, Primary WINS and Domain Name
7. IKE Policy - Encryption: 3DES, Authentication: MD5, DH Group: Group 2 (1024-bit)
8. Transform Set - Encryption: 3DES, Authentication: MD5
9. Address Translation Exemption - Did not do anything
Now, do I need to create separate VPN logins for each and every user? When I use Cisco VPN Client 4.0.1 and enter the group authentication credentials and try to connect, it prompts me for the user name and password, but it does not accept the domain user names and passwords. Let me know what I should do. Thanks in advance for all your help.
This is my config:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1wB4DCvG9Z4Uct9. encrypted
passwd 1wB4DCvG9Z4Uct9. encrypted
hostname cisco
domain-name cisco.com
clock timezone SGT 8
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.0.0 domain.sg
name 192.168.1.0 domain.my
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip domain.sg 255.255.255.0 consistel.my 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.0.192 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip domain.sg 255.255.255.0 domain.my 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.0.192 255.255.255.192
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 2xx.1xx.2xx.xx 255.255.255.192
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool domainRA 192.168.0.222-192.168.0.233
pdm location 192.168.0.10 255.255.255.255 inside
pdm location siint01 255.255.255.255 outside
pdm location 192.168.0.15 255.255.255.255 inside
pdm location 192.168.0.16 255.255.255.255 inside
pdm location 192.168.0.50 255.255.255.255 inside
pdm location ganesan 255.255.255.255 outside
pdm location 192.168.0.45 255.255.255.255 inside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location domain.my 255.255.255.0 outside
pdm location 192.168.0.20 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 2xx.1xx.2xx.7x
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2xx.1xx.2xx.6x 192.168.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 2xx.1xx.2xx.7x 192.168.0.15 netmask 255.255.255.255 0 0
static (inside,outside) 2xx.1xx.2xx.7x 192.168.0.20 netmask 255.255.255.255 0 0
conduit permit tcp host 2xx.1xx.2xx.6x eq www any
conduit permit tcp host 2xx.1xx.2xx.6x eq pop3 any
conduit permit tcp host 2xx.1xx.2xx.6x eq smtp any
conduit permit tcp host 2xx.1xx.2xx.6x eq ldap any
conduit permit tcp host 2xx.1xx.2xx.6x eq https any
conduit permit tcp host 2xx.1xx.2xx.6x eq 995 any
conduit permit tcp host 2xx.1xx.2xx.7x eq ftp any
conduit permit tcp host 2xx.1xx.2xx.7x eq pptp any
conduit permit gre host 2xx.1xx.2xx.7x any
conduit permit tcp host 2xx.1xx.2xx.7x eq 1721 any
conduit deny udp any eq 1434 any
conduit deny tcp any eq 135 any
conduit deny tcp any eq 4444 any
conduit deny udp any eq tftp any
conduit permit icmp any any echo-reply
conduit permit tcp host 2xx.1xx.2xx.7x eq ftp-data any
conduit permit tcp host 2xx.1xx.2xx.6x eq ftp any
conduit permit tcp host 2xx.1xx.2xx.7x eq 3101 any
outbound 1 permit 0.0.0.0 0.0.0.0 8 icmp
route outside 0.0.0.0 0.0.0.0 2xx.1xx.2xx.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:00:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.10 255.255.255.255 inside
http 192.168.0.15 255.255.255.255 inside
http 192.168.0.50 255.255.255.255 inside
http 192.168.0.45 255.255.255.255 inside
http 192.168.0.16 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.45 \
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 202.75.164.50
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 2xx.7x.1xx.5x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup domainRA address-pool domainRA
vpngroup domainRA dns-server 192.168.0.10
vpngroup domainRA wins-server 192.168.0.10
vpngroup domainRA default-domain domain.com
vpngroup domainRA idle-time 1800
vpngroup domainRA password ********
telnet 192.168.0.10 255.255.255.255 inside
telnet 192.168.0.15 255.255.255.255 inside
telnet 192.168.0.16 255.255.255.255 inside
telnet 192.168.0.50 255.255.255.255 inside
telnet 192.168.0.45 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username superadmin password Dev19PUcULsdpnpK encrypted privilege 2
terminal width 80
Cryptochecksum:a95a8ddb7706d52385001dd16c5ec48c
: end
ASKER
Thanks Rajesh. I have setup the RADIUS server using the documentation. I reconfigured the VPN and assigned another range of IP addresses for the VPN pool.
When I try to connect, it's still not accepting any of the domain user names and passwords; the only change is that it takes longer to check the user name and password before it returns the user authentication failed error. Any ideas or alternatives?
Regards,
Nanda.
Okay everything that is mentioned is done ?
Then here is why it isn't working: go to the AD and grant the user 'Dial-in' access. I guess you should be good to go after that.
Cheers,
Rajesh
ASKER
Rajesh, dial-in access has already been given for the users. Still no luck. I guess I've done something wrong. Shall I post the new config? How else do I check what I have done is right? Thanks.
Regards,
Nanda.
Yeah, post it. Also look at the IAS logs to see if the attempts are reaching there.
Cheers,
Rajesh
ASKER
Thanks Rajesh, I will look at the IAS logs. In the mean time, I'm posting the current config:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1wB4DCvG9Z4Uct9. encrypted
passwd 1wB4DCvG9Z4Uct9. encrypted
hostname cisco
domain-name cisco.com
clock timezone SGT 8
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip domain.sg 255.255.255.0 consistel.my 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.0.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.4.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip domain.sg 255.255.255.0 domain.my 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.0.192 255.255.255.192
access-list outside_cryptomap_dyn_100 permit ip any 192.168.4.0 255.255.255.224
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 2xx.1xx.2xx.6x 255.255.255.192
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool domainRA 192.168.4.1-192.168.4.20
pdm location 192.168.0.10 255.255.255.255 inside
pdm location 2xx.1xx.220.118 255.255.255.255 outside
pdm location siint01 255.255.255.255 outside
pdm location 192.168.0.15 255.255.255.255 inside
pdm location 192.168.0.16 255.255.255.255 inside
pdm location 192.168.0.50 255.255.255.255 inside
pdm location ganesan 255.255.255.255 outside
pdm location 2xx.1xx.2xx.69 255.255.255.255 inside
pdm location 192.168.0.45 255.255.255.255 inside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location domain.my 255.255.255.0 outside
pdm location 192.168.0.20 255.255.255.255 inside
pdm location 192.168.0.192 255.255.255.192 outside
pdm location 192.168.4.0 255.255.255.224 outside
pdm history enable
arp timeout 14400
global (outside) 1 2xx.1xx.2xx.7x
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2xx.1xx.2xx.6x 192.168.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 2xx.1xx.2xx.7x 192.168.0.15 netmask 255.255.255.255 0 0
static (inside,outside) 2xx.1xx.2xx.7x 192.168.0.20 netmask 255.255.255.255 0 0
conduit permit tcp host 2xx.1xx.2xx.6x eq www any
conduit permit tcp host 2xx.1xx.2xx.6x eq pop3 any
conduit permit tcp host 2xx.1xx.2xx.6x eq smtp any
conduit permit tcp host 2xx.1xx.2xx.6x eq ldap any
conduit permit tcp host 2xx.1xx.2xx.6x eq https any
conduit permit tcp host 2xx.1xx.2xx.6x eq 995 any
conduit permit tcp host 2xx.1xx.2xx.7x eq ftp any
conduit permit tcp host 2xx.1xx.2xx.7x eq pptp any
conduit permit gre host 2xx.1xx.2xx.7x any
conduit permit tcp host 2xx.1xx.2xx.7x eq 1721 any
conduit deny udp any eq 1434 any
conduit deny tcp any eq 135 any
conduit deny tcp any eq 4444 any
conduit deny udp any eq tftp any
conduit permit icmp any any echo-reply
conduit permit tcp host 2xx.1xx.2xx.7x eq ftp-data any
conduit permit tcp host 2xx.1xx.2xx.6x eq ftp any
conduit permit tcp host 2xx.1xx.2xx.7x eq 3101 any
outbound 1 permit 0.0.0.0 0.0.0.0 8 icmp
route outside 0.0.0.0 0.0.0.0 2xx.1xx.2xx.6x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:00:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.0.15 timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.10 255.255.255.255 inside
http 192.168.0.15 255.255.255.255 inside
http 192.168.0.50 255.255.255.255 inside
http 192.168.0.45 255.255.255.255 inside
http 192.168.0.16 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.45 \
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 2xx.7x.1xx.5x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 2xx.7x.1xx.5x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup domain address-pool domain
vpngroup domain dns-server 192.168.0.10 192.168.0.15
vpngroup domain wins-server 192.168.0.10 192.168.0.15
vpngroup domain default-domain domain.com
vpngroup domain idle-time 1800
vpngroup domain password ********
vpngroup domainRA address-pool domainRA
vpngroup domainRA dns-server 192.168.0.10 192.168.0.15
vpngroup domainRA wins-server 192.168.0.10 192.168.0.15
vpngroup domainRA default-domain domain.com
vpngroup domainRA idle-time 1800
vpngroup domainRA password ********
telnet 192.168.0.10 255.255.255.255 inside
telnet 192.168.0.15 255.255.255.255 inside
telnet 192.168.0.16 255.255.255.255 inside
telnet 192.168.0.50 255.255.255.255 inside
telnet 192.168.0.45 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username superadmin password Dev19PUcULsdpnpK encrypted privilege 2
terminal width 80
Cryptochecksum:0824c0db8cd2b33be414f2a96b1d0836
: end
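Added example (not from the thread or from Cisco): a Python lint for the remote-access VPN parts of a PIX 6.3 running-config, checking the points that recur in the configs posted above: a pool carved out of the inside LAN, a pool missing from the nat 0 exemption ACL, a vpngroup that names an undefined pool, and whether the XAUTH server group in `client authentication` has a usable backend. The two embedded configs are constructed excerpts modelled on the posted ones, with public addresses omitted.

```python
"""Lint the remote-access VPN pieces of a PIX 6.3 running-config: a VPN pool
carved out of the inside LAN, a pool missing from the nat 0 exemption ACL, a
vpngroup naming an undefined pool, and an XAUTH server group with no backend."""
import ipaddress
import re
from typing import Dict, List, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed excerpts modelled on the first and second configs posted in the
# thread (public addresses omitted); not the poster's actual configs.
SAMPLE_FIRST_CONFIG = """
ip address inside 192.168.0.1 255.255.255.0
ip local pool domainRA 192.168.0.222-192.168.0.233
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.0.192 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl
aaa-server LOCAL protocol local
crypto map outside_map client authentication LOCAL
vpngroup domainRA address-pool domainRA
username superadmin password PLACEHOLDER encrypted privilege 2
"""

SAMPLE_RADIUS_CONFIG = """
ip address inside 192.168.0.1 255.255.255.0
ip local pool domainRA 192.168.4.1-192.168.4.20
access-list inside_outbound_nat0_acl permit ip any 192.168.4.0 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.0.15 timeout 10
aaa-server LOCAL protocol local
crypto map outside_map client authentication RADIUS
vpngroup domain address-pool domain
vpngroup domainRA address-pool domainRA
"""

def parse_pools(cfg: str) -> Dict[str, Tuple[IPv4, IPv4]]:
    """'ip local pool NAME first-last' -> {NAME: (first, last)}."""
    return {m.group(1): (IPv4(m.group(2)), IPv4(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)}

def parse_inside_net(cfg: str) -> Net:
    m = re.search(r"^ip address inside (\S+) (\S+)", cfg, re.M)
    if not m:
        raise ValueError("no 'ip address inside' line in config")
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)

def parse_nat0_dests(cfg: str) -> List[Net]:
    """Destination networks of the ACL bound by 'nat (inside) 0 access-list NAME';
    traffic to them bypasses NAT, so the VPN pool must be among them."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if not m:
        return []
    # 'name 192.168.1.0 domain.my' lets ACL lines use domain.my for the address
    names = {n.group(2): n.group(1) for n in re.finditer(r"^name (\S+) (\S+)", cfg, re.M)}
    acl = re.compile(rf"^access-list {re.escape(m.group(1))} permit ip (.+)$", re.M)
    dests: List[Net] = []
    for entry in acl.finditer(cfg):
        toks = entry.group(1).split()  # source ('any' or addr mask), then destination
        if len(toks) >= 3 and toks[-1] != "any":
            try:
                addr = names.get(toks[-2], toks[-2])
                dests.append(ipaddress.ip_network(f"{addr}/{toks[-1]}", strict=False))
            except ValueError:
                continue  # unresolvable alias or 'host' keyword: skip rather than guess
    return dests

def lint(cfg: str) -> List[str]:
    """Return human-readable findings, in a stable order, for the VPN parts of cfg."""
    findings: List[str] = []
    pools, inside, nat0 = parse_pools(cfg), parse_inside_net(cfg), parse_nat0_dests(cfg)
    # 1. every vpngroup must name a pool that exists
    for m in re.finditer(r"^vpngroup (\S+) address-pool (\S+)", cfg, re.M):
        if m.group(2) not in pools:
            findings.append(f"vpngroup {m.group(1)}: address-pool {m.group(2)} is not defined")
    for name, (first, last) in pools.items():
        # 2. a pool inside the LAN subnet collides with LAN hosts and confuses routing/ARP
        if first <= inside.broadcast_address and last >= inside.network_address:
            findings.append(f"pool {name}: {first}-{last} overlaps inside subnet {inside}")
        # 3. the pool must be NAT-exempt (the wizard's 'Address Translation Exemption' step)
        if not any(first in n and last in n for n in nat0):
            findings.append(f"pool {name}: not covered by the nat 0 access-list")
    # 4. the XAUTH server group named in 'client authentication' needs a real backend
    protos = dict(re.findall(r"^aaa-server (\S+) protocol (\S+)", cfg, re.M))
    hosts = re.findall(r"^aaa-server (\S+) \(\S+\) host (\S+)", cfg, re.M)
    users = re.findall(r"^username (\S+) ", cfg, re.M)
    for m in re.finditer(r"^crypto map \S+ client authentication (\S+)", cfg, re.M):
        grp, proto = m.group(1), protos.get(m.group(1))
        if proto is None:
            findings.append(f"xauth: aaa-server group {grp} is not defined")
        elif proto == "local" and not users:
            findings.append(f"xauth: group {grp} is local but there are no username entries")
        elif proto == "local":
            findings.append(f"xauth: group {grp} is local; only the local username database "
                            f"can authenticate: {', '.join(users)}")
        elif not any(g == grp for g, _ in hosts):
            findings.append(f"xauth: group {grp} ({proto}) has no 'aaa-server {grp} (if) host' line")
    return findings
```

Run `lint()` over a pasted running-config; the second sample reproduces the `vpngroup domain address-pool domain` line of the posted config, whose pool is never defined.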
Nanda,
This seems to be a cumulative configuration of what you had previously and what you have added now? You are trying to configure Remote Access VPN for users, right?
In that case I would suggest removing everything and configuring only what is required as per the document.
Cheers,
Rajesh
ASKER
Rajesh, I redid everything and I'm still getting the User Authentication error. I'm not sure why. My guess is that the RADIUS server part is not configured correctly. How else can I authenticate? Can I define users in the PIX itself? If yes, how can I do that? Thanks.
ASKER
I redid everything and configured VPN using VPN Wizard as follows:
1. VPN Type: Remote Access VPN, Interface: Outside
2. Remote Access Client: Cisco VPN Client, Release 3.x or higher
3. Group Name: RAVPN, Preshared Key (Group Password): ********
4. Did not choose "Enable Extended Client Authentication"
5. Selected Pool Name: domainRA, Ranging: 192.168.4.1 to 192.168.4.20
6. Entered Primary DNS, Primary WINS and Domain Name
7. IKE Policy - Encryption: 3DES, Authentication: MD5, DH Group: Group 2 (1024-bit)
8. Transform Set - Encryption: 3DES, Authentication: MD5
9. Address Translation Exemption - Did not do anything
So, I disabled the RADIUS authentication and created a separate VPN username for myself in the PIX. When I tried connecting using that, it failed in the User Authentication again. This is my latest config:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1wB4DCvG9Z4Uct9. encrypted
passwd 1wB4DCvG9Z4Uct9. encrypted
hostname cisco
domain-name cisco.com
clock timezone SGT 8
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip domain.sg 255.255.255.0 domain.my 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.4.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip domain.sg 255.255.255.0 domain.my 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.4.0 255.255.255.224
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 2xx.2xx.2xx.6x 255.255.255.192
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool domain 192.168.3.1-192.168.3.128
ip local pool domainRA 192.168.4.1-192.168.4.20
pdm location 192.168.0.10 255.255.255.255 inside
pdm location 2xx.2xx.2xx.1xx 255.255.255.255 outside
pdm location siint01 255.255.255.255 outside
pdm location 192.168.0.15 255.255.255.255 inside
pdm location 192.168.0.16 255.255.255.255 inside
pdm location 192.168.0.50 255.255.255.255 inside
pdm location ganesan 255.255.255.255 outside
pdm location 2xx.2xx.2xx.6x 255.255.255.255 inside
pdm location 192.168.0.45 255.255.255.255 inside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location domain.my 255.255.255.0 outside
pdm location 192.168.0.20 255.255.255.255 inside
pdm location 192.168.0.192 255.255.255.192 outside
pdm location 192.168.4.0 255.255.255.224 outside
pdm history enable
arp timeout 14400
global (outside) 1 2xx.2xx.2xx.7x
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2xx.2xx.2xx.6x 192.168.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 2xx.2xx.2xx.7x 192.168.0.15 netmask 255.255.255.255 0 0
static (inside,outside) 2xx.2xx.2xx.7x 192.168.0.20 netmask 255.255.255.255 0 0
conduit permit tcp host 2xx.2xx.2xx.6x eq www any
conduit permit tcp host 2xx.2xx.2xx.6x eq pop3 any
conduit permit tcp host 2xx.2xx.2xx.6x eq smtp any
conduit permit tcp host 2xx.2xx.2xx.6x eq ldap any
conduit permit tcp host 2xx.2xx.2xx.6x eq https any
conduit permit tcp host 2xx.2xx.2xx.6x eq 995 any
conduit permit tcp host 2xx.2xx.2xx.7x eq ftp any
conduit permit tcp host 2xx.2xx.2xx.7x eq pptp any
conduit permit gre host 2xx.2xx.2xx.7x any
conduit permit tcp host 2xx.2xx.2xx.7x eq 1721 any
conduit deny udp any eq 1434 any
conduit deny tcp any eq 135 any
conduit deny tcp any eq 4444 any
conduit deny udp any eq tftp any
conduit permit icmp any any echo-reply
conduit permit tcp host 2xx.2xx.2xx.7x eq ftp-data any
conduit permit tcp host 2xx.2xx.2xx.6x eq ftp any
conduit permit tcp host 2xx.2xx.2xx.7x eq 3101 any
outbound 1 permit 0.0.0.0 0.0.0.0 8 icmp
route outside 0.0.0.0 0.0.0.0 2xx.2xx.2xx.6x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:00:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.0.15 timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.10 255.255.255.255 inside
http 192.168.0.15 255.255.255.255 inside
http 192.168.0.50 255.255.255.255 inside
http 192.168.0.45 255.255.255.255 inside
http 192.168.0.16 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.45 \
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 202.75.164.50
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 2xx.7x.1xx.5x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup domain address-pool domain
vpngroup domain dns-server 192.168.0.10 192.168.0.15
vpngroup domain wins-server 192.168.0.10 192.168.0.15
vpngroup domain default-domain domain.com
vpngroup domain idle-time 1800
vpngroup domain password ********
vpngroup RAVPN address-pool domainRA
vpngroup RAVPN dns-server 192.168.0.10 192.168.0.15
vpngroup RAVPN wins-server 192.168.0.10 192.168.0.15
vpngroup RAVPN default-domain domain.com
vpngroup RAVPN idle-time 1800
vpngroup RAVPN password ********
telnet 192.168.0.10 255.255.255.255 inside
telnet 192.168.0.15 255.255.255.255 inside
telnet 192.168.0.16 255.255.255.255 inside
telnet 192.168.0.50 255.255.255.255 inside
telnet 192.168.0.45 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group domain accept dialin pptp
vpdn group domain ppp authentication mschap
vpdn group domain client configuration address local domain
vpdn group domain client configuration dns 192.168.0.10 192.168.0.15
vpdn group domain client configuration wins 192.168.0.10 192.168.0.15
vpdn group domain pptp echo 60
vpdn group domain client authentication local
vpdn username nandas password *********
username superadmin password Dev19PUcULsdpnpK encrypted privilege 2
username nandas password o/1gWn0i7hBF4Ewp encrypted privilege 2
terminal width 80
Cryptochecksum:2ed04a8771b c318f35272 ab912197d9 1
: end
That is what I am saying, you are having too many things in there. Let's first get one tunnel up and running. Then you can go for others? You get what I'm saying?
Remove all other tunnels and just keep one to see if you can connect.
Cheers,
Rajesh
ASKER
Rajesh, Thanks for all your help. It works now!
I have successfully setup the VPN now. Also, I have enabled split tunnelling.
One question: Now, when I'm connecting, it straight away connects with the VPN group name and password. It's not prompting for any individual username and password. Does that mean all the users will connect this way?
Regards,
Nanda.
No, if you have enabled Radius authentication integrated with Active Directory, it should first get authenticated to the PIX using groupname and password, then a classic logon box will come for your Windows Logon.
The way you have it now, is okay but not the best.
Cheers,
Rajesh
ASKER
Oh, is there a way to check if my RADIUS server configuration is correct? I used the link you gave before to configure it. If it is correct, how do I integrate RADIUS authentication into the existing VPN configuration? Thanks.
Regards,
Nanda.
The configuration part for both pix and the IAS is there on the document itself. If you have performed 'em then you should check the IAS logs for (Permit/Deny requests) for users. It should be under System32\Logfiles folder by default if you haven't changed it.
Cheers,
Rajesh
ASKER
Ok, I will try that.
I just tried connecting from multiple computers for the VPN and it doesn't work. When one of the computers is connected, the other one is not getting connected.
The second computer returns an error: Unable to contact the security gateway.
If I disconnect the VPN from the first computer and try on the second, it gets connected. The only difference between the two computers is that I'm logging in to a domain account on the first one and logging in to a local computer account on the second one.
Any ideas? Thanks.
Regards,
Nanda.
Are these 2 computers using the same public IP address for logging in to the PIX? If so, that won't work. A single public IP can have only one connection (Remote access).
Cheers,
Rajesh
ASKER
Yes Rajesh, both the computers are using same Public IP address.
Will it work for multiple computers from inside a network configured with PAT?
Regards,
Nanda.
Nope. It won't since it has to establish connections based on the ip address as well. So it won't work.
Cheers,
Rajesh
ASKER
Oh my god. :-(
The reason I set up this VPN is to let a group of our staff working from my company's client network access my network. The other network is using NAT/PAT. What do I do now? Is there any other workaround for this? Thanks.
Regards,
Nanda.
Hmmmm... What is the other end having as their internet device? A Cisco Router/PIX? If so, a site-to-site VPN can be set up for that.
Enquire about it and see if that is feasible.
Usually what happens is, say PIX A accepts a connection from PublicIPA, then that connection is established. Now if there is another PC that goes through the same PublicIPA, then PIX A would drop the first connection and then entertain the 2nd one.
The reason is that, SAs are defined and maintained based on these public ips. Let me know, I'm going to get some sleep now, will look tomorrow morning.
Cheers,
Rajesh
ASKER
Ok Rajesh. Will keep you posted tomorrow.
Good Night. Thanks for your efforts to help me.
Regards,
Nanda.
ASKER
Rajesh, I went to my clients network and tried connecting to the VPN.
VPN gets connected, but I could not access anything in the remote network. In the statistics, I could see that the packets are sent, but no packets are received. Any ideas?
Regards,
Nanda.
Okay, questions.
1. Your client's local LAN IP address isn't the same as the office's, right?
2. You do have a nonat access-list for the traffic between the office network and his VPN-assigned IP address?
If the answers to both are YES, then I would need to see your current configuration and you also need to tell me what IPs are concerned here.
If no, then you correct 'em.
Cheers,
Rajesh
ASKER
Rajesh, I'm right now at home using wireless broadband, connected to the VPN, and everything works perfectly.
This is the setup now:
My Wireless LAN's IP is 192.168.11.2
My VPN assigned IP is 192.168.4.1
My office networks are: 192.168.0.0 series
Now, I can access all my office network, connect to exchange and everything.
When I tried in the morning from my client's network:
My laptop's IP was 10.1.0.0 series
My VPN assigned IP was 192.168.4.1
I could not access anything from my office network.
This is my current config:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1wB4DCvG9Z4Uct9. encrypted
passwd 1wB4DCvG9Z4Uct9. encrypted
hostname cisco
domain-name cisco.com
clock timezone SGT 8
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.4.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.4.0 255.255.255.224
access-list RAVPN_splitTunnelAcl permit ip 192.0.0.0 255.0.0.0 any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 2xx.1xx.2xx.6x 255.255.255.192
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool domainRA 192.168.4.1-192.168.4.20
pdm location 192.168.0.10 255.255.255.255 inside
pdm location 2xx.1xx.2xx.1xx 255.255.255.255 outside
pdm location siint01 255.255.255.255 outside
pdm location 192.168.0.15 255.255.255.255 inside
pdm location 192.168.0.16 255.255.255.255 inside
pdm location 192.168.0.50 255.255.255.255 inside
pdm location ganesan 255.255.255.255 outside
pdm location 2xx.1xx.2xx.6x 255.255.255.255 inside
pdm location 192.168.0.45 255.255.255.255 inside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location domain.my 255.255.255.0 outside
pdm location 192.168.0.20 255.255.255.255 inside
pdm location 192.168.0.192 255.255.255.192 outside
pdm location 192.168.4.0 255.255.255.224 outside
pdm history enable
arp timeout 14400
global (outside) 1 2xx.1xx.2xx.7x
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2xx.1xx.2xx.6x 192.168.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 2xx.1xx.2xx.7x 192.168.0.15 netmask 255.255.255.255 0 0
static (inside,outside) 2xx.1xx.2xx.7x 192.168.0.20 netmask 255.255.255.255 0 0
conduit permit tcp host 2xx.1xx.2xx.6x eq www any
conduit permit tcp host 2xx.1xx.2xx.6x eq pop3 any
conduit permit tcp host 2xx.1xx.2xx.6x eq smtp any
conduit permit tcp host 2xx.1xx.2xx.6x eq ldap any
conduit permit tcp host 2xx.1xx.2xx.6x eq https any
conduit permit tcp host 2xx.1xx.2xx.6x eq 995 any
conduit permit tcp host 2xx.1xx.2xx.7x eq ftp any
conduit permit tcp host 2xx.1xx.2xx.7x eq pptp any
conduit permit gre host 2xx.1xx.2xx.7x any
conduit permit tcp host 2xx.1xx.2xx.7x eq 1721 any
conduit deny udp any eq 1434 any
conduit deny tcp any eq 135 any
conduit deny tcp any eq 4444 any
conduit deny udp any eq tftp any
conduit permit icmp any any echo-reply
conduit permit tcp host 2xx.1xx.2xx.7x eq ftp-data any
conduit permit tcp host 2xx.1xx.2xx.6x eq ftp any
conduit permit tcp host 2xx.1xx.2xx.7x eq 3101 any
outbound 1 permit 0.0.0.0 0.0.0.0 8 icmp
route outside 0.0.0.0 0.0.0.0 2xx.1xx.2xx.6x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:00:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.10 255.255.255.255 inside
http 192.168.0.15 255.255.255.255 inside
http 192.168.0.50 255.255.255.255 inside
http 192.168.0.45 255.255.255.255 inside
http 192.168.0.16 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.45 \
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 202.75.164.50 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup RAVPN address-pool domainRA
vpngroup RAVPN dns-server 192.168.0.10 192.168.0.15
vpngroup RAVPN wins-server 192.168.0.10 192.168.0.15
vpngroup RAVPN default-domain domain.com
vpngroup RAVPN split-tunnel RAVPN_splitTunnelAcl
vpngroup RAVPN idle-time 1800
vpngroup RAVPN password ********
telnet 192.168.0.10 255.255.255.255 inside
telnet 192.168.0.15 255.255.255.255 inside
telnet 192.168.0.16 255.255.255.255 inside
telnet 192.168.0.50 255.255.255.255 inside
telnet 192.168.0.45 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username superadmin password Dev19PUcULsdpnpK encrypted privilege 2
username nandas password o/1gWn0i7hBF4Ewp encrypted privilege 2
terminal width 80
Cryptochecksum:3fd8e895169 50973a49bd 06dcabd0bd 6
: end
ASKER CERTIFIED SOLUTION
And as well, if it still doesn't work after that, then connect to VPN, and take an output of 'route print' from that machine where it is failing and post it here.
Cheers,
Rajesh
1. Your VPN IP pool *CANNOT* be the same as your internal network (Choose any other private network range).
2. Your best bet is to have a RADIUS server authenticate your users via Active Directory. Windows' inbuilt IAS can be used for that. Don't start to think it is too difficult. Follow the Cisco help page below to set it up and it wouldn't take much time before you get this up and running.
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_example09186a00806de37e.shtml
That is the ONLY link you want to get this up and running :-) Configure it and if you need help after setting up everything, then we can go on to troubleshooting mode.
Cheers,
Rajesh
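Rajesh's two diagnostic questions in the thread (does the client's local LAN overlap the office range, and does the nat 0 access-list exempt office-to-pool traffic) and his rule 1 above (the VPN pool cannot sit inside the internal network) can all be checked mechanically against the posted config. The Python below is an added example, not something from the thread; it parses the relevant lines of the PIX 6.3 config (sample constructed from the config posted above) and assumes the office is only 192.168.0.0/24 and that the split-tunnel ACL is RAVPN_splitTunnelAcl.

```python
import ipaddress

# Constructed sample: the lines from the posted PIX 6.3 config that the checks
# need (name aliases, nat 0 ACL, split-tunnel ACL, inside address, VPN pool).
PIX_CONFIG = """
name 192.168.0.0 domain.sg
name 192.168.1.0 domain.my
access-list inside_outbound_nat0_acl permit ip any 192.168.4.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip domain.sg 255.255.255.0 domain.my 255.255.255.0
access-list RAVPN_splitTunnelAcl permit ip 192.0.0.0 255.0.0.0 any
ip address inside 192.168.0.1 255.255.255.0
ip local pool domainRA 192.168.4.1-192.168.4.20
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr(tokens, names):
    """Consume one PIX address spec: 'any', 'host X', or 'NET MASK'.
    Aliases defined with 'name' are resolved. Returns (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1])), tokens[2:]
    net = ipaddress.ip_network(
        f"{names.get(tokens[0], tokens[0])}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_pix(text):
    """Return (acls, inside_net, pools) from a PIX 6.x config excerpt.
    acls: name -> [(src_net, dst_net)], 'permit ip' entries only.
    pools: name -> list of networks covering the address range."""
    names, acls, pools, inside = {}, {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name" and len(t) == 3:
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _addr(t[4:], names)
            dst, _ = _addr(rest, names)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "address", "inside"]:
            inside = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return acls, inside, pools


def pool_overlaps_inside(pool_nets, inside):
    """Rule 1 from the first answer: the pool must not overlap the inside LAN."""
    return any(n.overlaps(inside) for n in pool_nets)


def nat0_covers_pool(nat0, office, pool_nets):
    """Question 2: every office -> pool flow must match a nat 0 entry; otherwise
    the replies hit 'nat (inside) 1' and are translated instead of tunnelled."""
    return all(any(office.subnet_of(s) and p.subnet_of(d) for s, d in nat0)
               for p in pool_nets)


def client_lan_issues(client_lan, office, split):
    """Question 1, plus a least-privilege note when the split-tunnel ACL is
    wider than the office range (192.0.0.0/8 in the posted config)."""
    out = []
    if client_lan.overlaps(office):
        out.append(f"client LAN {client_lan} overlaps office {office}")
    for s, _ in split:
        if not s.subnet_of(office):
            out.append(f"split-tunnel entry {s} is broader than office {office}")
        if client_lan.subnet_of(s):
            out.append(f"client LAN {client_lan} sits inside split-tunnel {s}")
    return out


def run_checks(config=PIX_CONFIG, client_lan="10.1.0.0/16"):
    """Run all three checks for one remote client LAN against the config."""
    acls, inside, pools = parse_pix(config)
    pool = pools["domainRA"]
    return {
        "pool_overlaps_inside": pool_overlaps_inside(pool, inside),
        "nat0_covers_pool": nat0_covers_pool(
            acls["inside_outbound_nat0_acl"], inside, pool),
        "client_lan_issues": client_lan_issues(
            ipaddress.ip_network(client_lan), inside,
            acls["RAVPN_splitTunnelAcl"]),
    }


if __name__ == "__main__":
    # The two client LANs mentioned in the thread: home and the client site.
    for lan in ("192.168.11.0/24", "10.1.0.0/16"):
        print(lan, run_checks(client_lan=lan))
```

A flagged item is something to look at, not a diagnosis; the client-site LAN (10.1.0.0/16) passes both of Rajesh's questions here, which is why he then asks for the client's 'route print' output.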