05.13.2004 at 12:57PM PDT, ID: 20988665
Getting Client VPN working on PIX 515

Asked by grblades in Virtual Private Networking (VPN)

Tags: vpn

Just received a PIX 515 and I have configured it and it is working on our new ADSL line insofar as a test machine is able to download web pages etc...

I have attempted to set up client VPN using the VPN Wizard in the web interface but when I try to connect from home I just get the error message "Client terminated connection. Reason 412: The remote peer is no longer responding"
I am connecting to the external IP address of the firewall and am using the VPN Client 4.0.3(F). I have installed the updated key on the PIX to gain support for 3DES/AES.

From home I am using a Linksys router with IPSEC passthrough turned on and I know this works as I have been able to use the cisco client to connect elsewhere previously.

Our ADSL is with Star Internet and they fully support VPN and the router they supply has supposedly been configured with no firewall. It is not doing NAT.

The only easy way to test is from home. I can test the VPN on my windows machine and from my Linux machine I can SSH through our old ADSL and onto the PIX so I can diagnose both ends at the same time.

I have included my PIX configuration below.

Can someone give me a brief guide to seeing if the PIX is receiving any VPN connection attempts?
Can you see any obvious errors in the configuration?
Ignore the inside_access_in ACL as the first entry permits everything while I build up the full set of rules that I require.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname lingpixuk
domain-name linguaphone-intranet.co.uk
clock timezone GMT 0
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 217.42.252.9 Home_Marcos
name 10.0.250.189 gblades
name 10.0.250.0 Users
name 10.0.1.9 file2
name 80.1.240.91 Home_Tanner_P
name 10.0.250.174 Tanner_P
name 192.168.140.2 Mail
object-group service VNC tcp
  description VNC server ports
  port-object eq 5900
  port-object eq 5800
  port-object eq 5500
  port-object eq 5700
object-group service dns_ntp udp
  description DNS and NTP
  port-object eq domain
  port-object eq ntp
object-group service Allowed_tcp tcp
  description Ports all users are allowed to access
  port-object eq irc
  port-object eq ssh
  port-object eq pop3
  port-object eq imap4
object-group service Mail tcp
  description Mail ports
  port-object eq www
  port-object eq ssh
  port-object eq https
  port-object eq smtp
  port-object eq imap4
object-group service Inbound_Mail tcp
  description Ports permitted to mail server from Internet
  port-object eq www
  port-object eq https
  port-object eq smtp
  port-object eq imap4
access-list smtp remark Mail server accepts imap, smtp, and http(s) connections from Internet.
access-list smtp permit tcp any host 81.171.176.43 object-group Inbound_Mail
access-list groupstaff_splitTunnelAcl permit ip 10.0.0.0 255.255.0.0 any
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.0.0 10.0.100.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.0.101.0 255.255.255.248
access-list outside_cryptomap_dyn_20 permit ip any 10.0.100.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 10.0.101.0 255.255.255.248
access-list inside_access_in remark Allow all outbound
access-list inside_access_in permit ip 10.0.0.0 255.255.0.0 any
access-list inside_access_in remark File2 Allow all tcp
access-list inside_access_in permit tcp host 10.0.1.9 any
access-list inside_access_in remark File2 DNS and NTP access
access-list inside_access_in permit udp host 10.0.1.9 any object-group dns_ntp
access-list inside_access_in remark Allow everyone to access POP3, IMAP, IRC, SSH
access-list inside_access_in permit tcp 10.0.0.0 255.255.0.0 any object-group Allowed_tcp
access-list inside_access_in remark Marcos access to home VNC machine
access-list inside_access_in permit tcp 10.0.250.0 255.255.255.0 host 217.42.252.9 object-group VNC
access-list inside_access_in remark Tanner_p access to home VNC machine
access-list inside_access_in permit tcp 10.0.250.0 255.255.255.0 host 80.1.240.91 object-group VNC
pager lines 24
logging on
logging timestamp
logging console errors
logging monitor errors
logging buffered debugging
logging trap debugging
logging facility 21
logging host inside 10.0.1.9
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 81.171.176.42 255.255.255.248
ip address inside 10.0.0.2 255.255.0.0
ip address dmz 192.168.140.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpoolstaff 10.0.100.1-10.0.100.254
ip local pool vpnpoolexact 10.0.101.1-10.0.101.5
ip local pool vpnpoolbutthead 10.0.102.1-10.0.102.5
pdm location 10.0.1.9 255.255.255.255 inside
pdm location 10.0.250.189 255.255.255.255 inside
pdm location 192.168.140.2 255.255.255.255 dmz
pdm location 10.0.0.0 255.255.0.0 dmz
pdm location 10.0.250.174 255.255.255.255 inside
pdm location 10.0.250.0 255.255.255.0 inside
pdm location 80.1.240.91 255.255.255.255 outside
pdm location 217.42.252.9 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 81.171.176.44
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
static (dmz,outside) 81.171.176.43 192.168.140.2 netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 81.171.176.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 10.0.1.9 source inside prefer
http server enable
http 10.0.0.0 255.255.0.0 inside
snmp-server location Mitcham
snmp-server contact Gareth Blades
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
vpngroup groupstaff address-pool vpnpoolstaff
vpngroup groupstaff dns-server 10.0.1.9
vpngroup groupstaff wins-server 10.0.1.5 10.0.1.3
vpngroup groupstaff default-domain linguaphone-intranet.co.uk
vpngroup groupstaff split-tunnel groupstaff_splitTunnelAcl
vpngroup groupstaff split-dns linguaphone-intranet.co.uk
vpngroup groupstaff idle-time 1800
vpngroup groupstaff password ********
vpngroup groupexact address-pool vpnpoolexact
vpngroup groupexact dns-server 10.0.1.9
vpngroup groupexact idle-time 1800
vpngroup groupexact password ********
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.255.0.0 inside
ssh timeout 60
console timeout 0
username root password uocyn1CZEiKIx0Eg encrypted privilege 15
terminal width 80
Cryptochecksum:fe4fd99e03cccf525655b7501c6fa596
: end
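The configuration above contains every object the Cisco VPN Client depends on for a remote-access tunnel: the ISAKMP policy and interface, the dynamic crypto map and its match ACL, the nat 0 exemption, the address pools and the vpngroups that reference them. The script below is an added example, not part of the original post or any Cisco tool: it parses the relevant lines of the posted config (embedded as an excerpt) and cross-checks that each vpngroup's pool is defined, is matched by a dynamic crypto map ACL, is exempted from NAT, and does not overlap a directly connected subnet. The check names and severity levels are the example's own.

```python
"""Lint the IPsec remote-access pieces of a PIX 6.3 configuration.

Added example (not from the original post or from Cisco): reads a config
excerpt and cross-checks the objects the Cisco VPN Client depends on.
The checks are heuristic; a packet capture on the outside interface is
still the authoritative evidence of whether IKE traffic arrives.
"""
import ipaddress

# Excerpt of the configuration posted in the question, trimmed to the
# lines this lint understands.
PIX_CONFIG = """\
ip address outside 81.171.176.42 255.255.255.248
ip address inside 10.0.0.2 255.255.0.0
ip address dmz 192.168.140.1 255.255.255.0
ip local pool vpnpoolstaff 10.0.100.1-10.0.100.254
ip local pool vpnpoolexact 10.0.101.1-10.0.101.5
ip local pool vpnpoolbutthead 10.0.102.1-10.0.102.5
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.0.0 10.0.100.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.0.101.0 255.255.255.248
access-list outside_cryptomap_dyn_20 permit ip any 10.0.100.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 10.0.101.0 255.255.255.248
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
vpngroup groupstaff address-pool vpnpoolstaff
vpngroup groupexact address-pool vpnpoolexact
"""


def parse(config):
    """Pull interfaces, pools, 'permit ip' ACL destinations and crypto glue out of the text."""
    cfg = {"ifaces": {}, "pools": {}, "acls": {}, "dyn_acls": set(), "nat0": None,
           "crypto_if": None, "isakmp_if": set(), "preshare": False,
           "permit_ipsec": False, "groups": {}}
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["ip", "address"]:
            cfg["ifaces"][w[2]] = ipaddress.ip_network(f"{w[3]}/{w[4]}", strict=False)
        elif w[:3] == ["ip", "local", "pool"]:
            lo, hi = w[4].split("-")
            cfg["pools"][w[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            # For 'permit ip <src> <dst>' the destination is the trailing net/mask pair or 'any'.
            dst = "any" if w[-1] == "any" else ipaddress.ip_network(f"{w[-2]}/{w[-1]}", strict=False)
            cfg["acls"].setdefault(w[1], []).append(dst)
        elif w[0] == "nat" and w[2] == "0" and w[3] == "access-list":
            cfg["nat0"] = w[4]
        elif w[:2] == ["sysopt", "connection"] and w[-1] == "permit-ipsec":
            cfg["permit_ipsec"] = True
        elif w[:2] == ["crypto", "dynamic-map"] and w[4] == "match":
            cfg["dyn_acls"].add(w[6])
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            cfg["crypto_if"] = w[4]
        elif w[:2] == ["isakmp", "enable"]:
            cfg["isakmp_if"].add(w[2])
        elif w[:2] == ["isakmp", "policy"] and w[3:5] == ["authentication", "pre-share"]:
            cfg["preshare"] = True
        elif w[0] == "vpngroup" and w[2] == "address-pool":
            cfg["groups"][w[1]] = w[3]
    return cfg


def covered(pool, dsts):
    """True if some ACL destination contains the whole pool range."""
    lo, hi = pool
    return any(d == "any" or (lo in d and hi in d) for d in dsts)


def lint(cfg):
    """Return (level, message) findings; ERROR = tunnel cannot pass traffic, WARN = fragile."""
    findings = []
    if cfg["crypto_if"] is None:
        findings.append(("ERROR", "no crypto map is applied to an interface"))
    elif cfg["crypto_if"] not in cfg["isakmp_if"]:
        findings.append(("ERROR", f"isakmp is not enabled on {cfg['crypto_if']}"))
    if not cfg["preshare"]:
        findings.append(("ERROR", "no isakmp policy uses pre-share; the vpngroup password needs one"))
    if not cfg["permit_ipsec"]:
        findings.append(("WARN", "sysopt connection permit-ipsec missing; decrypted traffic must pass the outside ACL"))
    nat0 = cfg["acls"].get(cfg["nat0"], [])
    crypto = [d for name in cfg["dyn_acls"] for d in cfg["acls"].get(name, [])]
    for group, pool_name in cfg["groups"].items():
        pool = cfg["pools"].get(pool_name)
        if pool is None:
            findings.append(("ERROR", f"{group}: address-pool {pool_name} is not defined"))
            continue
        if not covered(pool, crypto):
            findings.append(("ERROR", f"{group}: pool {pool_name} is not matched by any dynamic crypto map ACL"))
        if not covered(pool, nat0):
            findings.append(("ERROR", f"{group}: pool {pool_name} is not exempted from NAT (nat 0 ACL)"))
        for ifname, net in cfg["ifaces"].items():
            if pool[0] in net or pool[1] in net:
                findings.append(("WARN", f"{group}: pool {pool_name} lies inside the {ifname} subnet {net}; "
                                 "hosts there will ARP for pool addresses and rely on the PIX proxy-ARPing for them"))
    for pool_name in set(cfg["pools"]) - set(cfg["groups"].values()):
        findings.append(("INFO", f"pool {pool_name} is defined but no vpngroup uses it"))
    return findings


if __name__ == "__main__":
    for level, msg in lint(parse(PIX_CONFIG)):
        print(f"{level:5} {msg}")
```

Run against the posted excerpt it reports no ERROR-level findings: the crypto map, ISAKMP, pre-shared-key policy, nat 0 exemption and permit-ipsec are all in place, so the "412: remote peer is no longer responding" error is unlikely to come from the IPsec object wiring. It does warn that both pools (10.0.100.0/24 and 10.0.101.0/29) sit inside the 10.0.0.0/16 inside subnet, which works only through proxy ARP on the PIX, and notes that vpnpoolbutthead is unused. For the question actually asked, whether IKE packets reach the firewall at all, the direct check on PIX 6.3 is a capture on the outside interface filtered to UDP 500 (the `capture` command with an access-list, then `show capture`), together with `debug crypto isakmp` while a client attempts to connect; an empty capture points at the path between the client and the PIX rather than at this configuration.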
About this solution

Zone: Virtual Private Networking (VPN)
Tags: vpn
Solution Provided By: ewtaylor
Participating Experts: 3
Solution Grade: C