Solved

VPN on a PIX 501

Posted on 2003-11-02
29
6,883 Views
Last Modified: 2013-11-16
Hello All,

I am trying to set up a VPN scenario on a PIX 501. I am unsure where to start. I have looked at Cisco's VPN info. It is too generic and gives too many choices. From my understanding, the simplest way to set up VPN would be to use the PPTP option with the VPN client, if I'm not mistaken. I am trying to do this as simple as possible and with no more cost. i.e. - certificates.

Can someone give me a simple and quick way to set this up? Our setup has no special requirements.

Below is my PIX data. Any help and guidance is appreciated. Thanks in advance.

Cepolly

PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 65yY4dZAlX2lNl1k encrypted
hostname pixfirewall
domain-name *****.net
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.100 Bigdog
name 192.168.1.3 ***PMS
name 192.168.1.5 OWA***
name 192.168.1.1 APPSERVER
object-group service pcANY tcp
  description pcANYwhere
  port-object range 65301 65301
  port-object eq pcanywhere-data
  port-object range pcanywhere-data 5632
object-group service TermServ tcp
  description RDP
  port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list letmein remark inbound traffic
access-list letmein permit tcp any host x.x.x.x eq smtp
access-list letmein permit tcp any host x.x.x.x eq www
access-list letmein permit tcp any host x.x.x.x eq https
access-list letmein permit tcp any host x.x.x.x eq pop3
access-list letmein permit tcp any host x.x.x.x eq imap4
access-list letmein permit tcp any host x.x.x.x eq pcanywhere-data
access-list letmein permit tcp any host x.x.x.x eq 3389
access-list letmein permit udp any host x.x.x.x eq 3389
access-list letmein permit udp any host x.x.x.x eq 65301
access-list letmein permit tcp any host x.x.x.x eq 65301
access-list letmein permit udp any host x.x.x.x eq 143
access-list letmein permit udp any host x.x.x.x eq 220
access-list letmein permit tcp any host x.x.x.x eq 220
access-list letmein permit tcp any host x.x.x.x eq 585
access-list letmein permit udp any host x.x.x.x eq 585
access-list letmein permit udp any host x.x.x.x eq 993
access-list letmein permit tcp any host x.x.x.x eq 993
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.20 255.255.255.0
ip verify reverse-path interface outside
ip audit name OutAttack attack action drop reset
ip audit interface outside OutAttack
ip audit info action alarm
ip audit attack action alarm
pdm location Bigdog 255.255.255.255 inside
pdm location ***PMS 255.255.255.255 inside
pdm location OWA*** 255.255.255.255 inside
pdm location APPSERVER 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) udp interface 143 ***PMS 143 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface imap4 ***PMS imap4 netmask 255.255.255.255
 0 0
static (inside,outside) tcp interface pop3 ***PMS pop3 netmask 255.255.255.255 0
 0
static (inside,outside) tcp interface www OWA*** www netmask 255.255.255.255 0 0

static (inside,outside) udp interface 3389 OWA*** 3389 netmask 255.255.255.255 0
 0
static (inside,outside) tcp interface 3389 OWA*** 3389 netmask 255.255.255.255 0
 0
static (inside,outside) tcp interface https OWA*** https netmask 255.255.255.255
 0 0
static (inside,outside) tcp interface pcanywhere-data APPSERVER pcanywhere-data
netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5631 APPSERVER 5631 netmask 255.255.255.25
5 0 0
static (inside,outside) udp interface pcanywhere-status APPSERVER pcanywhere-sta
tus netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 APPSERVER 5632 netmask 255.255.255.25
5 0 0
static (inside,outside) udp interface 65301 APPSERVER 65301 netmask 255.255.255.
255 0 0
static (inside,outside) tcp interface 65301 APPSERVER 65301 netmask 255.255.255.
255 0 0
static (inside,outside) tcp interface smtp ***PMS smtp netmask 255.255.255.255 0
 0
access-group letmein in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
x.x.x.x 255.255.255.255 outside
***PMS 255.255.255.255 inside
OWA*** 255.255.255.255 inside
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname *****
vpdn group pppoex ppp authentication pap
vpdn username ***** password *********
dhcpd address 192.168.1.22-192.168.1.129 inside
dhcpd dns x.x.x.x x.x.x.x
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain *****.com
dhcpd auto_config outside
terminal width 80
Cryptochecksum:40394d7ae7c095168a33497bb4df0729
: end
0
Comment
Question by:cepolly
  • 15
  • 14
29 Comments
 
LVL 2

Expert Comment

by:TomCRiley
Comment Utility
PPTP is for the client that comes with Windows XP/2000.  Ipsec is the way to go with a RADIUS server.  Here's the code:

where 192.168.1.0/24 = inside net
where 192.168.1.254 = RADIUS server

NOTE: aaa code IS case-sensitive

access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

ip local pool aaapool 10.10.10.1-10.10.10.254

nat (inside) 0 access-list 100

aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.254 <shared key> timeout 5

sysopt connection permit-ipsec

crypto ipsec transform-set aaades esp-des esp-sha-hmac
crypto dynamic-map dynomap 10 set transform-set aaades
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer client authentication RADIUS
crypto map vpnpeer interface outside

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup vpn address-pool aaapool
vpngroup vpn dns-server <dns1> <dns2>
vpngroup vpn wins-server <wins1> <wins2>
vpngroup vpn default-domain <dns domain>
vpngroup vpn split-tunnel 100
vpngroup vpn idle-time 10800
vpngroup vpn max-time 86400
vpngroup vpn password <password>

Let me know if you have any questions.

Tom
0
 
LVL 2

Expert Comment

by:TomCRiley
Comment Utility
If you want to make it simpler, you can do it without RADIUS but I don't recommend it.

Just leave this out:

aaa-server RADIUS (inside) host 192.168.1.254 <shared key> timeout 5
crypto map vpnpeer client authentication RADIUS

Make sure to remove the crypto from the outside interface, make the crypto changes, and then re-apply the crypto to the interface:

For example,

no crypto map vpnpeer interface outside
no crypto map vpnpeer client authentication RADIUS
crypto map vpnpeer interface outside

Tom
0
 
LVL 1

Author Comment

by:cepolly
Comment Utility
Thanks for the fast response. But I dont have a Radius server. There has to be 0 cost on this setup.

Is there a cost for the Radius server?
0
 
LVL 1

Author Comment

by:cepolly
Comment Utility
oops response sent before i read your second.
0
 
LVL 2

Expert Comment

by:TomCRiley
Comment Utility
Tip for the future...I would also remove the passwords when you post your code.  There is software out there that can decipher them.  You mask your IP and all that but you never can be too safe.

Tom
0
 
LVL 2

Expert Comment

by:TomCRiley
Comment Utility
There is no cost if you already own a Windows NT or 2000 server.  It really is a good idea to use it if you can do it.
In Windows NT, it is part of IIS.  In Windows 2000, you can install IAS.

Tom
0
 
LVL 1

Author Comment

by:cepolly
Comment Utility
I did not apply the settings yet.

Just to understand better, I need apply the following: (REM is what i will omit)

where 192.168.1.0/24 = inside net
REM where 192.168.1.254 = RADIUS server

NOTE: aaa code IS case-sensitive

access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

ip local pool aaapool 10.10.10.1-10.10.10.254

nat (inside) 0 access-list 100

REM aaa-server RADIUS protocol radius
REM aaa-server RADIUS (inside) host 192.168.1.254 <shared key> timeout 5

sysopt connection permit-ipsec

crypto ipsec transform-set aaades esp-des esp-sha-hmac
crypto dynamic-map dynomap 10 set transform-set aaades
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
REM crypto map vpnpeer client authentication RADIUS
crypto map vpnpeer interface outside

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup vpn address-pool aaapool
vpngroup vpn dns-server <dns1> <dns2>
vpngroup vpn wins-server <wins1> <wins2>
vpngroup vpn default-domain <dns domain>
vpngroup vpn split-tunnel 100
vpngroup vpn idle-time 10800
vpngroup vpn max-time 86400
vpngroup vpn password <password>

Is this correct? Also, will the clients need to use the VPN client or can they use the VPN set in Windows XP?
Thanks.
0
 
LVL 2

Expert Comment

by:TomCRiley
Comment Utility
Just to be clear.  These aren't part of the code, just explanations:

where 192.168.1.0/24 = inside net
REM where 192.168.1.254 = RADIUS server
NOTE: aaa code IS case-sensitive

And, this line is already in the PIX by default so you can leave it alone:

REM aaa-server RADIUS protocol radius


The rest looks good to me.  With this code, the clients will need the Cisco VPN client.

Would you like me to post the PPTP code for use with the Windows XP client?

Tom
0
 
LVL 2

Expert Comment

by:TomCRiley
Comment Utility
Here's the PPTP code, just in case:

access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

ip local pool vpnpool 10.10.10.1-10.10.10.254

nat (inside) 0 access-list 100

sysopt connection permit-pptp

vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local vpnpool
vpdn group 1 client configuration dns <dns1> <dns2>
vpdn group 1 client configuration wins <wins1> <wins2>
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username <username> password <password>
vpdn enable outside

With this code, you can use the built-in Windows 2000/XP client.

Tom
0
 
LVL 1

Author Comment

by:cepolly
Comment Utility
Thanks Tom. I will try it and post back the results.

Cepolly
0
 
LVL 1

Author Comment

by:cepolly
Comment Utility
I am going for the PPTP configuration.
I have tried the config and everything worked well until i needed to enable vpdn on the outside interface.

I received the following error: 'Can not enable vpdn on the same interface as PPPoE.'

Can this not work with PPPoE?

0
 
LVL 1

Author Comment

by:cepolly
Comment Utility
This is the new config.

PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6ztx/UAvbLi8D0Sn encrypted
passwd 6ztx/UAvbLi8D0Sn encrypted
hostname pixfirewall
domain-name bellsouth.net
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names        
name 192.168.1.100 Bigdog
name 192.168.1.3 WPBPMS
name 192.168.1.5 OWAWPB
name 192.168.1.1 APPSERVER
object-group service pcANY tcp
  description pcANYwhere
  port-object range 65301 65301
  port-object eq pcanywhere-data
  port-object range pcanywhere-data 5632
object-group service TermServ tcp
  description RDP
  port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list letmein remark inbound traffic
access-list letmein permit tcp any host 68.213.214.194 eq smtp
access-list letmein permit tcp any host 68.213.214.194 eq www
access-list letmein permit tcp any host 68.213.214.194 eq https
access-list letmein permit tcp any host 68.213.214.194 eq pop3
access-list letmein permit tcp any host 68.213.214.194 eq imap4
access-list letmein permit tcp any host 68.213.214.194 eq pcanywhere-data
access-list letmein permit tcp any host 68.213.214.194 eq 3389
access-list letmein permit udp any host 68.213.214.194 eq 3389
access-list letmein permit udp any host 68.213.214.194 eq 65301
access-list letmein permit tcp any host 68.213.214.194 eq 65301
access-list letmein permit udp any host 68.213.214.194 eq 143
access-list letmein permit udp any host 68.213.214.194 eq 220
access-list letmein permit tcp any host 68.213.214.194 eq 220
access-list letmein permit tcp any host 68.213.214.194 eq 585
access-list letmein permit udp any host 68.213.214.194 eq 585
access-list letmein permit udp any host 68.213.214.194 eq 993
access-list letmein permit tcp any host 68.213.214.194 eq 993
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.20 255.255.255.0
ip audit name OutAttack attack action drop reset
ip audit info action alarm
ip audit attack action alarm
ip local pool TEK-VPN-GROUP 192.168.1.200-192.168.1.250
ip local pool vpnpool 10.10.10.1-10.10.10.254
pdm location Bigdog 255.255.255.255 inside
pdm location WPBPMS 255.255.255.255 inside
pdm location OWAWPB 255.255.255.255 inside
pdm location APPSERVER 255.255.255.255 inside
pdm location 207.87.240.244 255.255.255.255 outside
pdm location 207.87.240.244 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) udp interface 143 WPBPMS 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 WPBPMS imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 WPBPMS pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www OWAWPB www netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 OWAWPB 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 OWAWPB 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https OWAWPB https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pcanywhere-data APPSERVER pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5631 APPSERVER 5631 netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status APPSERVER pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 APPSERVER 5632 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 65301 APPSERVER 65301 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 65301 APPSERVER 65301 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp WPBPMS smtp netmask 255.255.255.255 0 0
access-group letmein in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 207.87.240.244 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup TEK-VPN-USERS idle-time 1800
telnet 207.87.240.244 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh WPBPMS 255.255.255.255 inside
ssh OWAWPB 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname etektron
vpdn group pppoex ppp authentication pap
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local vpnpool
vpdn group 1 client configuration dns 129.250.35.250
vpdn group 1 client configuration wins APPSERVER
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username etektron password *********
vpdn username vpntest password *********
dhcpd address 192.168.1.22-192.168.1.129 inside
dhcpd dns 205.152.0.5 216.4.122.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain etektron.com
dhcpd auto_config outside
terminal width 80
Cryptochecksum:56d1e08be56437d89682a3d0483838c6
: end    
0
 
LVL 2

Expert Comment

by:TomCRiley
Comment Utility
Never tried it with PPoE.  I'll see what I can find.  What are you using the PPoE for anyways?

Tom
0
 
LVL 1

Author Comment

by:cepolly
Comment Utility
I checked Cisco and discovered that PPPoE and pptp cannot work together on the same interface.

I am now trying this via the VPN Client ver 4.0.9 option.

0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 2

Expert Comment

by:TomCRiley
Comment Utility
Let me know if you have any problems.

Tom
0
 
LVL 1

Author Comment

by:cepolly
Comment Utility
Hi Tom,

I can now connect to the firewall via the VPN Client. However, I am not able to get to the local LAN or ping any device by name or by IP. I enabled the 'allow LAN access' option, but I still am unable to get in. I am now using VPN client version 3.6.

My goal is for users to be able to be on the business network from their remote locations. They need to be able to run Outlook and have Outlook resolve the Exchange server by name or IP.

I added the following line for WINS to help with name resolution internally:

vpngroup vpn3000 wins-server x.x.x.1

I changed the encryption to DES from 3DES. 3DES is not set up on the PIX. I attached the latest config.

What do I need to do to get Local access from a Winxp or win 2000 machine?

Thanks,
Cepolly

PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6ztx/UAvbLi8D0Sn encrypted
passwd 6ztx/UAvbLi8D0Sn encrypted
hostname pixfirewall
domain-name *****.net
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.100 Bigdog
name 192.168.1.3 ***pms
name 192.168.1.5 owa***
name 192.168.1.1 APPSERVER
object-group service pcANY tcp
  description pcANYwhere
  port-object range 65301 65301
  port-object eq pcanywhere-data
  port-object range pcanywhere-data 5632
object-group service TermServ tcp
  description RDP
  port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list letmein remark inbound traffic
access-list letmein permit tcp any host x.x.x.194 eq smtp
access-list letmein permit tcp any host x.x.x.194 eq www
access-list letmein permit tcp any host x.x.x.194 eq https
access-list letmein permit tcp any host x.x.x.194 eq pop3
access-list letmein permit tcp any host x.x.x.194 eq imap4
access-list letmein permit tcp any host x.x.x.194 eq pcanywhere-data
access-list letmein permit tcp any host x.x.x.194 eq 3389
access-list letmein permit udp any host x.x.x.194 eq 3389
access-list letmein permit udp any host x.x.x.194 eq 65301
access-list letmein permit tcp any host x.x.x.194 eq 65301
access-list letmein permit udp any host x.x.x.194 eq 143
access-list letmein permit udp any host x.x.x.194 eq 220
access-list letmein permit tcp any host x.x.x.194 eq 220
access-list letmein permit tcp any host x.x.x.194 eq 585
access-list letmein permit udp any host x.x.x.194 eq 585
access-list letmein permit udp any host x.x.x.194 eq 993
access-list letmein permit tcp any host x.x.x.194 eq 993
access-list nat0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.20 255.255.255.0
ip audit name OutAttack attack action drop reset
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.1-192.168.2.254
pdm location Bigdog 255.255.255.255 inside
pdm location ***pms 255.255.255.255 inside
pdm location owa*** 255.255.255.255 inside
pdm location APPSERVER 255.255.255.255 inside
pdm location x.x.x.244 255.255.255.255 outside
pdm location x.x.x.244 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) udp interface 143 ***pms 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 ***pms imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 ***pms pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www owa*** www netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 owa*** 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 owa*** 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https owa*** https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pcanywhere-data APPSERVER pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5631 APPSERVER 5631 netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status APPSERVER pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 APPSERVER 5632 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 65301 APPSERVER 65301 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 65301 APPSERVER 65301 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp ***pms smtp netmask 255.255.255.255 0 0
access-group letmein in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http x.x.x.244 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map outside_map 90 ipsec-isakmp dynamic dynmap
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup TEK-VPN-USERS idle-time 1800
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server x.x.x.250
vpngroup vpn3000 wins-server APPSERVER
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet x.x.x.244 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh ***pms 255.255.255.255 inside
ssh owa*** 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname ****tron
vpdn group pppoex ppp authentication pap
vpdn username ****tron password *********
dhcpd address 192.168.1.22-192.168.1.129 inside
dhcpd dns 205.152.0.5 216.4.122.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ****tron.com
dhcpd auto_config outside
terminal width 80
Cryptochecksum:3a66d08e119d49160e31171b49cc2c11
: end
0
 
LVL 2

Expert Comment

by:TomCRiley
Comment Utility
Post a 'sh ver' and a 'sh crypto ipsec sa' and a 'sh crypto isakmp sa'.  When the client is connected, double-click the lock tray icon and post the IP that the PIX gives you.

Tom
0
 
LVL 1

Author Comment

by:cepolly
Comment Utility
show ver:
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 19-Mar-03 11:49 by morlee

pixfirewall up 14 days 17 hours

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000d.65d0.6220, irq 9
1: ethernet1: address is 000d.65d0.6221, irq 10
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES-AES:       Disabled
Maximum Interfaces: 2
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       50
Throughput:         Unlimited
IKE peers:          10
             
This PIX has a Restricted (R) license.
             
Serial Number: 807301523 (0x301e7193)
Running Activation Key: 0x5962f660 0x7101e396 0xcc44a4ef 0x64371bdb
Configuration last modified by enable_15 at 08:09:38.311 UTC Tue Nov 4 2003

show crypto ipsec sa:

interface: outside
    Crypto map tag: outside_map, local addr. x.x.214.194

show crypto isakmp sa:

Total     : 0
Embryonic : 0
        dst               src        state     pending     created

IP address received from VPN connection:

Client IP Address: 192.168.2.1
Server IP Address: x.x.214.194

I tried to look at the VPN status in the PDM and received the following error message:

"VPN connection status information is unavailable since "Easy VPN Remote" is disabled on this PIX. To enable "Easy VPN Remote" go to that screen under the VPN tab."

When I tried to use the PDM to take a look at the VPN config and recieved the following error message:

"PDM does not multiple dynamic crypto maps per interface. Please collapse them into one. Other you will not be able to manage Crypto map via PDM"

I'm not sure what this means.
0
 
LVL 1

Author Comment

by:cepolly
Comment Utility
Clarification:

"PDM does not support multiple dynamic crypto maps per interface. Please collapse them into one. Otherwise you will not be able to manage Crypto map via PDM"
0
 
LVL 2

Expert Comment

by:TomCRiley
Comment Utility
I'll go through your config and get back to you in a bit.

Tom
0
 
LVL 2

Expert Comment

by:TomCRiley
Comment Utility
You can't ping anything on the inside net when connected via the VPN client, right?
0
 
LVL 1

Author Comment

by:cepolly
Comment Utility
no I cannot. not by name or IP.
0
 
LVL 1

Author Comment

by:cepolly
Comment Utility
Could this be a split-tunnel issue?

0
 
LVL 2

Expert Comment

by:TomCRiley
Comment Utility
Maybe.  I noticed that you are using access-list nat0 in your nat (inside) 0 but you are using acess-list 101 for your split-tunnel.  Remove the access-list 101 and remove the split tunnel and let me know what happens.

Tom
0
 
LVL 1

Author Comment

by:cepolly
Comment Utility
trying that now...
0
 
LVL 1

Author Comment

by:cepolly
Comment Utility
I removed both entries.
I can still connect. When I run Ipconfig /all, i get the following returned to me:
Ethernet adapter Local Area Connection 4:

        Connection-specific DNS Suffix  . :

        Description . . . . . . . . . . . : 3Com EtherLink 10/100 PCI TX NIC (3C905B-TX) #2
        Physical Address. . . . . . . . . : 00-50-04-74-92-A7
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.106
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.100
                                            x.x.x.5
                                            x.x.x.1
        Primary WINS Server . . . . . . . : 192.168.1.100

(VIRTUAL ADAPTER)
Ethernet adapter Local Area Connection 7:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.2.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
        DNS Servers . . . . . . . . . . . : x.x.x.250
        Primary WINS Server . . . . . . . : 192.168.1.1

I still cannot ping by name or IP.
0
 
LVL 2

Accepted Solution

by:
TomCRiley earned 500 total points
Comment Utility
Add the nat0 ACL in the reverse order and let me know what happens.  I haven't had much time to look at your code but I'll try to check it out some time today.

access-list nat0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nat0 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Tom
0
 
LVL 1

Author Comment

by:cepolly
Comment Utility
Woot!

That was it. When the lines were added back in, it worked.

I also did a clear crypto 1st.

Thanks Tom very much for all the time.

Best regards,
Carmine
0
 
LVL 2

Expert Comment

by:TomCRiley
Comment Utility
Glad to help.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

Suggested Solutions

There are many useful and sometimes not well documented or forgotten IOS or ASA/PIX commands. See IPE article here , there was also one on PacketU and on Cisco Tips & Tricks. Below are my favorites. I give also a few most often used for Cisco IPS an…
Cisco Pix/ASA hairpinning The term, hairpinning, comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn, and goes back the same way it came. Visualize this and you will see something that looks …
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now