05.08.2008 at 08:55PM PDT, ID: 23388385 | Points: 500
Cisco VPN Connection Hangs at Securing Communications Channel
Tags: Cisco, Pix, 515E, PIX Software 7.2(3) & ASDM 5.2(3)
I am working on setting up a VPN connection into our network. I went through the VPN wizard setup in the ASDM. I downloaded the VPN client version 5.0.01.0600 for Windows Vista and set up my connection. When I click connect it asks for my username and password, which I correctly enter in. It then goes to "Securing Communications Channel", where it just hangs. Looking at the log it shows the following:

1      23:38:54.540  05/08/08  Sev=Warning/2      CVPND/0xE3400013
AddRoute failed to add a route: code 5010
      Destination      0.0.0.0
      Netmask      0.0.0.0
      Gateway      10.41.157.1
      Interface      10.41.157.2

2      23:38:54.540  05/08/08  Sev=Warning/2      CM/0xA3100024
Unable to add route. Network: 0, Netmask: 0, Interface: a299d02, Gateway: a299d01.

3      23:38:54.540  05/08/08  Sev=Warning/2      CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 1168

4      23:38:54.540  05/08/08  Sev=Warning/2      CM/0xA3100025
Unable to delete route. Network: c0a8feff, Netmask: ffffffff, Interface: c0a8fe01, Gateway: c0a8fe01.
If I do an ipconfig I see where the Virtual VPN adapter received the correct IP, gateway, dns, subnet mask, etc. Also, when I do a route print, it shows the 0.0.0.0 mask 0.0.0.0 gateway 10.41.157.1 interface 10.41.157.2. I am not able to ping the 10.41.157.1 gateway however.

I also want to mention the client seems very flaky, though it may just be due to it hanging at securing communications channel. When it doesn't connect, I have to end the vpngui process and then restart the Cisco VPN Client service to get things back working.

I have posted my code below, of which I took some out that I didn't think was important or didn't want to be seen.

Thanks for any help.

Result of the command: "sh run"
 
: Saved
:
PIX Version 7.2(3) 
!
hostname HCSBPIX
domain-name hcsb.hamilton.k12.fl.us
enable password encrypted
names
 
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0 
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.1.1.2 255.255.255.0 
!
passwd encrypted
boot system flash:/pix723.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name hcsb.hamilton.k12.fl.us
pager lines 24
logging enable
logging asdm-buffer-size 512
logging buffered warnings
logging trap debugging
logging asdm warnings
logging host inside 10.41.159.30
logging permit-hostdown
mtu outside 1500
mtu inside 1500
ip local pool 157 10.41.157.2-10.41.157.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-523.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 10.10.10.128-10.10.10.239 netmask 255.255.255.0
global (outside) 1 10.10.10.240
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 FIRNWebsense 255.255.255.0
nat (inside) 1 192.1.1.0 255.255.255.0
nat (inside) 1 10.41.144.0 255.255.240.0
 
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 10.41.144.0 255.255.240.0 192.1.1.1 1
route inside FIRNWebsense 255.255.255.0 192.1.1.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
url-server (inside) vendor websense host 192.168.220.3 timeout 30 protocol TCP version 4 connections 5
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow 
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow proxy-block 
http server enable
http 10.41.159.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname 
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 10.41.144.0 255.255.240.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 1
console timeout 0
!
class-map class_http
 match port tcp eq 8080
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect ils 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
 class class_http
  inspect http 
!
service-policy global_policy global
tftp-server inside 10.41.159.30 c:\tftp-root\pix
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value 157
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
group-policy hamilton internal
group-policy hamilton attributes
 dns-server value 10.41.159.66
 vpn-tunnel-protocol IPSec 
 default-domain value hcsb.hamilton.k12.fl.us
username awalker password nt-encrypted
username hcsb password nt-encrypted
username nefec password nt-encrypted
tunnel-group hamilton type ipsec-ra
tunnel-group hamilton general-attributes
 address-pool 157
 default-group-policy hamilton
tunnel-group hamilton ipsec-attributes
 pre-shared-key *
prompt hostname context
Question Stats
Zone: Software
Question Asked By: grevels
Question Asked On: 05.08.2008
Participating Experts: 1
Points: 500
Views: 0
05.09.2008 at 12:57PM PDT, ID: 21535980

Rank: Genius

Need to see the access-lists
  inside_outbound_nat0_acl
 
>access-group outbound in interface inside
Make sure the outbound acl does not prevent traffic from internal 192.1.1.0 to the VPN client subnet 10.41.157

>route inside 10.41.144.0 255.255.240.0 192.1.1.1 1
This route mask includes 10.41.157.0. Your VPN client IP subnet needs to be a different IP address that is not being routed internally elsewhere

>crypto isakmp identity hostname
I would change this to identity address

Also add this command:
  same-security-traffic permit intra-interface

 
05.09.2008 at 01:28PM PDT, ID: 21536208
Thanks man, I'm leaving work right now, but I'm going to work on this some this weekend so I'll post back. I'm sure I'll have some more questions.
 
05.12.2008 at 08:09AM PDT, ID: 21547629
lrmoore,

>I have made the following changes, but I won't be able to test it until tonight or tomorrow. Feel free to take a look and see if you see anything else in the meantime. I appreciate the help.

>I changed the ip pool to 192.168.254.2 - 192.168.254.254 with subnet mask 255.255.255.0.

>I changed crypto isakmp identity hostname to identity address

>I added the command same-security-traffic permit intra-interface.

>I realize my code may not be real clear because I was changing IP addresses to something different and apparently didn't do a real good job. I've reposted our config with the access-list inside_outbound_nat0_acl listed with it.
Result of the command: "show running-config"
 
: Saved
:
PIX Version 7.2(3) 
!
hostname HCSBPIX
domain-name hcsb
enable password encrypted
names
 
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 150.176.0.2 255.255.255.0 
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.254.2 255.255.255.0 
!
passwd  encrypted
boot system flash:/pix723.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name hcsb
same-security-traffic permit intra-interface
 
access-list inside_outbound_nat0_acl extended permit ip any 10.41.158.0 255.255.255.0 
access-list inside_outbound_nat0_acl extended permit ip any 10.41.157.0 255.255.255.240 
access-list inside_outbound_nat0_acl extended permit ip 10.41.159.0 255.255.255.0 10.41.157.0 255.255.255.240 
access-list inside_outbound_nat0_acl extended permit ip 10.41.157.0 255.255.255.240 10.41.157.0 255.255.255.240 
 
access-list outside_access_out extended permit ip any any 
pager lines 24
logging enable
logging asdm-buffer-size 512
logging buffered warnings
logging trap debugging
logging asdm warnings
logging host inside 10.41.159.30
logging permit-hostdown
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 192.168.0.2-192.168.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-523.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 150.176.0.128-150.176.0.239 netmask 255.255.255.0
global (outside) 1 150.176.0.240
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 FIRNWebsense 255.255.255.0
nat (inside) 1 192.168.254.0 255.255.255.0
nat (inside) 1 10.41.144.0 255.255.240.0
 
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 150.176.0.1 1
route inside 10.41.144.0 255.255.240.0 192.168.254.1 1
route inside FIRNWebsense 255.255.255.0 192.168.254.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
url-server (inside) vendor websense host 192.168.254.3 timeout 30 protocol TCP version 4 connections 5
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow 
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow proxy-block 
http server enable
http 10.41.159.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 10.41.144.0 255.255.240.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 1
console timeout 0
!
class-map class_http
 match port tcp eq 8080
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect ils 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
 class class_http
  inspect http 
!
service-policy global_policy global
tftp-server inside 10.41.159.30 c:\tftp-root\pix
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value 157
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
group-policy hamilton internal
group-policy hamilton attributes
 dns-server value 10.41.159.66
 vpn-tunnel-protocol IPSec 
 default-domain value hcsb
username 
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNPool
tunnel-group hamilton type ipsec-ra
tunnel-group hamilton general-attributes
 address-pool VPNPool
 default-group-policy hamilton
tunnel-group hamilton ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:9c3e155bf48fcbffc55d2b90adebc687
: end
 
05.12.2008 at 07:26PM PDT, ID: 21551858
I just tested out the client and it made it past the securing communications channel message and connected. Now all I need to do is get it talking with other traffic.

I assume since I have it giving out 192.168.0.X class C IP addresses I need to define the 192.168.0.1 IP address and a route somewhere, correct? How do I go about that?

Thanks for your help.
 
05.13.2008 at 06:21AM PDT, ID: 21554750
Just an update lrmoore.

We are successfully connecting by VPN and are able to access the firewall configuration through the VPN connection, but are unable to get to anywhere else.

Looking at syslog, we are getting the following messages.

3      May 13 2008      09:17:07      305005      A32             No translation group found for udp src outside:192.168.0.2/1026 dst inside:A32/53

3      May 13 2008      09:16:43      305005      10.41.159.249             No translation group found for icmp src outside:192.168.0.2 dst inside:10.41.159.249 (type 8, code 0)
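A script, added here and not part of the thread or of any Cisco tool, that automates the two checks this thread turns on: lrmoore's point above that the VPN pool must not fall inside an internally routed range, and the NAT exemption that the 305005 "No translation group found" messages just above call for under nat-control. The config excerpts are constructed from the posted configs (pool, NAT-0 ACL and routes only), and the corrected exemption entry in CONFIG_FIXED is my suggestion, not something the thread posted.

```python
import ipaddress
import re

# Constructed excerpts modelled on the PIX 7.2 running-configs posted in this thread
# (pool, NAT-0 exemption ACL and routes only). First the originally posted state:
CONFIG_ORIGINAL = """\
ip local pool 157 10.41.157.2-10.41.157.254 mask 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip any 10.41.158.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip any 10.41.157.0 255.255.255.240
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 10.41.144.0 255.255.240.0 192.1.1.1 1
"""
# Then the state that still logged 305005: pool moved to 192.168.0.0/24 and an
# exemption entry with the pool as *source* added to the inside NAT-0 ACL.
CONFIG_MOVED_POOL = """\
ip local pool VPNPool 192.168.0.2-192.168.0.254 mask 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.0.0 255.255.255.0 any
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.0 0.0.0.0 150.176.0.1 1
route inside 10.41.144.0 255.255.240.0 192.168.254.1 1
"""
# Hypothetical corrected entry (my suggestion, not something posted in the thread):
# inside networks as source, VPN pool as destination.
CONFIG_FIXED = CONFIG_MOVED_POOL.replace(
    "permit ip 192.168.0.0 255.255.255.0 any",
    "permit ip 10.41.144.0 255.255.240.0 192.168.0.0 255.255.255.0")

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", re.M)
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)", re.M)
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)", re.M)

def _take_addr(tokens):
    """Consume one ACL address spec from tokens: 'any', 'host A' or 'A MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_pools(config):
    """Map pool name -> the network the pool's addresses live in."""
    return {name: ipaddress.ip_network(f"{start}/{mask}", strict=False)
            for name, start, _end, mask in POOL_RE.findall(config)}

def parse_inside_routes(config):
    """Static routes via the inside interface; the default route is ignored."""
    routes = []
    for iface, dest, mask, _gw in ROUTE_RE.findall(config):
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if iface == "inside" and net.prefixlen > 0:
            routes.append(net)
    return routes

def parse_nat0_entries(config, iface="inside"):
    """(src, dst) of each 'permit ip' line in the NAT-0 ACL bound to iface.
    With nat (inside) 0 access-list, src is the real inside address and dst the
    remote (VPN client) address; matching flows are exempt in both directions."""
    entries = []
    for bound_iface, acl in NAT0_RE.findall(config):
        if bound_iface != iface:
            continue
        line_re = re.compile(
            rf"^access-list {re.escape(acl)} extended permit ip (.+)$", re.M)
        for rest in line_re.findall(config):
            tokens = rest.split()
            entries.append((_take_addr(tokens), _take_addr(tokens)))
    return entries

def pool_route_overlaps(config):
    """lrmoore's check: a pool whose range also falls inside an internal route."""
    routes = parse_inside_routes(config)
    return [(name, str(pool), str(route))
            for name, pool in parse_pools(config).items()
            for route in routes if pool.overlaps(route)]

def pools_without_nat_exemption(config):
    """Pools with no NAT-0 entry whose dst covers the pool and whose src is an
    inside network: under nat-control that is what leaves VPN-client-to-inside
    packets with 'No translation group found' (305005)."""
    inside = parse_inside_routes(config)
    entries = parse_nat0_entries(config)
    missing = []
    for name, pool in parse_pools(config).items():
        covered = any(dst.supernet_of(pool) and any(src.overlaps(n) for n in inside)
                      for src, dst in entries)
        if not covered:
            missing.append(name)
    return missing
```

Run against the three excerpts, the original pool is flagged on both checks, the moved pool passes the overlap check but is still flagged as unexempted (the entry has the pool as source, so no inside host ever matches it), and only CONFIG_FIXED passes both.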
 
05.14.2008 at 06:49AM PDT, ID: 21564117
Is there no one besides lrmoore that can help out with this??

Another update from what I did yesterday. I played with this most of the day afternoon, but wasn't able to resolve the translation group not found error message. I changed quite a bit of stuff in the config so I wanted to repost it, but not much related to what we're doing except a couple lines where I tried different things and it still didn't work. I left most of the config in so you could get a more complete picture of what we have.

I also have another strange thing happening, or at least I think it's strange. I had another guy working on it with me yesterday. I connected first and received ip 192.168.0.2 and gateway 192.168.0.1, but when he connected, he received ip 192.168.0.3 and gateway 192.168.0.3. Is that normal or is there somewhere I haven't seen where that is defined.

Result of the command: "show running-config"
 
: Saved
:
PIX Version 7.2(3) 
!
hostname HCSBPIX
domain-name hcsb
enable password 
 
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 150.176.0.2 255.255.255.0 
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.254.2 255.255.255.0 
!
passwd
boot system flash:/pix723.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name hcsb
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
 
access-list outside_access_in extended deny tcp any host Router eq telnet 
access-list outside_access_in extended permit tcp object-group AS400Access host AS400 
access-list outside_access_in extended permit tcp host A3 host dchcsb01 
access-list outside_access_in extended permit udp host FIRNDNS host dchcsb01 
access-list outside_access_in extended permit tcp host FIRNDNS host dchcsb01 
access-list outside_access_in extended permit tcp host FIRN host Router 
access-list outside_access_in extended permit tcp host Crosspoint host CrystalReports 
access-list outside_access_in extended permit tcp host NEFEC-Perry host Router 
access-list outside_access_in extended permit tcp host ToniaCompass host dchcsb01 object-group RDPTCP 
access-list outside_access_in extended permit gre host GCVPN object-group GatewayCoalitionVPN_ref 
access-list outside_access_in extended permit gre host GCVPN host 150.176.0.18 
access-list outside_access_in extended permit tcp any host dchcsb01 object-group A3 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any any unreachable 
access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in extended permit tcp any any object-group Polycom 
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 any 
 
access-list inside_outbound_nat0_acl extended permit ip PublicIPs 255.255.255.0 any 
access-list inside_outbound_nat0_acl extended permit ip 192.168.0.0 255.255.255.0 any 
access-list outbound extended permit tcp any host 64.173.86.188 eq smtp 
access-list outbound extended permit tcp any host FirnEmail eq smtp 
access-list outbound extended deny tcp any any eq smtp 
access-list outbound extended permit ip any any 
access-list outbound extended permit icmp any any 
access-list outside_access_out extended permit ip any any 
pager lines 24
logging enable
logging asdm-buffer-size 512
logging buffered warnings
logging trap debugging
logging asdm warnings
logging host inside 10.41.159.30
logging permit-hostdown
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 192.168.0.2-192.168.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-523.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 150.176.0.128-150.176.0.239 netmask 255.255.255.0
global (outside) 1 150.176.0.240
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 PublicIPs 255.255.255.0
nat (inside) 1 192.168.254.0 255.255.255.0
nat (inside) 1 10.41.144.0 255.255.240.0
 
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 150.176.0.1 1
route inside 10.41.144.0 255.255.240.0 192.168.254.1 1
route inside PublicIPs 255.255.255.0 192.168.254.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
url-server (inside) vendor websense host 192.168.254.3 timeout 30 protocol TCP version 4 connections 5
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow 
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow proxy-block 
http server enable
http 10.41.159.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 10.41.144.0 255.255.240.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 1
console timeout 0
!
class-map class_http
 match port tcp eq 8080
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect ils 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
 class class_http
  inspect http 
!
service-policy global_policy global
tftp-server inside 10.41.159.30 c:\tftp-root\pix
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value VPNPool
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
group-policy hamilton internal
group-policy hamilton attributes
 dns-server value 10.41.159.66
 vpn-tunnel-protocol IPSec 
 default-domain value hcsb
 
username vpn password 
 
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNPool
tunnel-group hamilton type ipsec-ra
tunnel-group hamilton general-attributes
 address-pool VPNPool
 default-group-policy hamilton
tunnel-group hamilton ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:33a11d390cafb22077b03f843a959d27
: end