Solved

Trying to set up VPN to a PIX 501

Posted on 2004-08-13
Last Modified: 2013-11-16
I'm new to the Cisco PIX arena. I'm trying to set up a VPN to my network, but I'm having a little trouble. I'm trying to connect to my network using Cisco VPN Client version 4.0.2(b). When I select my network in the client and hit connect, it says "securing channels". Then I get prompted for a user name and password. I enter my credentials, but then get a user authentication error in the client. I also checked the syslog server and it says "authentication for (user_name) failed on interface outside".

Like I said, I'm new, so I'm sure it's a setting somewhere.

Here is the config:

Rayspixfirewall(config)# sh run
: Saved
:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password O56K8D.xqN/Hcd36 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Rayspixfirewall
domain-name raydoran.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 2121
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.10 Server
name 192.168.1.2 raysathlon
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq 3389
access-list outside_in permit tcp any any eq 2121
access-list outside_in permit tcp any any eq 4899
access-list outside_in permit tcp any any eq 1755
access-list outside_in permit tcp any any eq smtp
access-list outside_in permit tcp any any eq 554
access-list outside_in permit tcp any any eq 69
access-list outside_in permit tcp any any eq ftp
access-list outside_in permit tcp any any eq pop3
access-list outbound deny icmp any any echo
access-list outbound permit ip any any
access-list outbound permit 21 any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.32 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.32 255.255.255.224
pager lines 24
logging on
logging timestamp
logging console errors
logging monitor debugging
logging trap informational
logging host inside Server
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool 192.168.1.40-192.168.1.50
pdm location Server 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2121 Server 2121 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4899 Server 4899 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1755 Server 1755 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 554 Server 554 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 69 Server 69 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp Server ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group outbound in interface inside
rip inside default version 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server RaysAAA protocol tacacs+
aaa-server RaysAAA (inside) host Server 252438896 timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RaysAAA
crypto map outside_map interface outside
crypto map inside_map client configuration address respond
crypto map inside_map client authentication RaysAAA
crypto map inside_map interface inside
isakmp enable outside
isakmp enable inside
isakmp keepalive 10 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup pixvpn address-pool vpn_pool
vpngroup pixvpn dns-server Server
vpngroup pixvpn default-domain raydoran.com
vpngroup pixvpn idle-time 1800
vpngroup pixvpn password ********
telnet 0.0.0.0 255.255.255.255 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn username raydoran password *********
vpdn enable outside
vpdn enable inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username raydoran password cUynQTe6ojEYJ1VX encrypted privilege 15
terminal width 100
Cryptochecksum:e56e0d8bed74bd281ea22a9ba8616c93
: end
Rayspixfirewall#    
Question by:RayDoran

34 Comments

Expert Comment

by:grblades
Hi RayDoran,
Your configuration looks correct. You have a few parts of the configuration which are not actually needed:-
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.32 255.255.255.224
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map inside_map client configuration address respond
crypto map inside_map client authentication RaysAAA
crypto map inside_map interface inside
isakmp enable inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpdn username raydoran password *********
vpdn enable outside
vpdn enable inside

You are using a TACACS server for user authentication. Can you check its logs to see what it says about the authentication attempts?

Author Comment

by:RayDoran
OK, I know that it says I'm using a TACACS server, but there is not one configured on the network. I know this is a problem. This is what I want to happen: all I want to do is to be able to get into my network using the VPN client. What is the easiest way to set this up?

Expert Comment

by:grblades
If you change
crypto map outside_map client authentication RaysAAA
to
crypto map outside_map client authentication LOCAL
it will use the local username you have defined using the 'username' keyword on the PIX.
When you set up the VPN client you enter the group username (pixvpn) and password, and then it will ask you for the XAUTH username (raydoran) and password.

Author Comment

by:RayDoran
OK, I got authenticated into the network using the client, but I can't get anywhere. I can't see any of the shares on the network. I can't talk to the Exchange server...?

Expert Comment

by:grblades
> ip local pool vpn_pool 192.168.1.40-192.168.1.50
Just spotted that you have defined the IP pool to be on your local LAN. This is a mistake virtually everyone makes the first time. You need to put the pool on a different IP address range. Try entering the following commands :-

no ip local pool vpn_pool 192.168.1.40-192.168.1.50
ip local pool vpn_pool 192.168.2.1-192.168.2.10
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.255

Once you have done that test connectivity over the VPN by pinging the IP address.

In order for you to resolve machine names via VPN from client machines which are not part of your Windows domain, I would advise that you set up a WINS server and configure the PIX to issue this as part of the DHCP to the clients. For example :-
vpngroup pixvpn wins-server Server

Author Comment

by:RayDoran
Rayspixfirewall(config)# no ip local pool vpn_pool 192.168.1.40-192.168.1.50
pool in use by vpngroup command, remove it firs

Expert Comment

by:grblades
OK. Try :-

no vpngroup pixvpn address-pool vpn_pool
no ip local pool vpn_pool 192.168.1.40-192.168.1.50
ip local pool vpn_pool 192.168.2.1-192.168.2.10
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.255
vpngroup pixvpn address-pool vpn_pool

Author Comment

by:RayDoran
I removed vpngroup pixvpn address-pool vpn_pool. Is that correct?

Expert Comment

by:grblades
Did you post your comment at the same time as mine?
Yes, you just remove that line, which enables you to delete and recreate the address pool, and then you can put it back again as per the script in my previous post.

Author Comment

by:RayDoran
Now when I try to connect I get "Secure VPN connection terminated locally by the client. Reason: unable to contact the security gateway." Here is the running config.

Rayspixfirewall(config)# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password O56K8D.xqN/Hcd36 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Rayspixfirewall
domain-name raydoran.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 2121
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.10 Server
name 192.168.1.2 raysathlon
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq 3389
access-list outside_in permit tcp any any eq 2121
access-list outside_in permit tcp any any eq 4899
access-list outside_in permit tcp any any eq 1755
access-list outside_in permit tcp any any eq smtp
access-list outside_in permit tcp any any eq 554
access-list outside_in permit tcp any any eq 69
access-list outside_in permit tcp any any eq ftp
access-list outside_in permit tcp any any eq pop3
access-list outbound deny icmp any any echo
access-list outbound permit ip any any
access-list outbound permit 21 any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.32 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 host 192.168.2.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.32 255.255.255.224
pager lines 24
logging on    
logging timestamp
logging console errors
logging monitor debugging
logging trap informational
logging host inside Server
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool 192.168.2.1-192.168.2.10
pdm location Server 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2121 Server 2121 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4899 Server 4899 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1755 Server 1755 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 554 Server 554 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 69 Server 69 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp Server ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group outbound in interface inside
rip inside default version 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server RaysAAA protocol tacacs+
aaa-server RaysAAA (inside) host Server 252438896 timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
crypto map inside_map interface inside
isakmp enable outside
isakmp enable inside
isakmp keepalive 10 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup pixvpn address-pool vpn_pool
vpngroup pixvpn dns-server Server
vpngroup pixvpn default-domain raydoran.com
vpngroup pixvpn idle-time 1800
vpngroup pixvpn password ********
telnet 0.0.0.0 255.255.255.255 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn username raydoran password *********
vpdn enable outside
vpdn enable inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username raydoran password cUynQTe6ojEYJ1VX encrypted privilege 15
terminal width 100
Cryptochecksum:3df8eaeb6cc3073d4f16e528bf049ce4
: end
Rayspixfirewall(config)#

Expert Comment

by:grblades
Sorry I made a typo. Enter :-

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
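The three mistakes traced through this thread (the pool sitting on the inside LAN, the nat 0 ACL that misses the pool because of the host-mask typo above, and XAUTH pointing at a TACACS server that does not exist) are all visible in the running config, so they can be linted before the client is ever tried. The checker below is an added example, not Cisco code or anything the poster ran; the SAMPLE_* strings are constructed excerpts of the configs posted in this thread, and the ACL parser only handles `permit ip` lines with `any`, `host X` or `X MASK` endpoints.

```python
"""Lint a PIX 6.x 'show run' for the remote-access VPN pitfalls in this thread:
'ip local pool' overlapping the inside LAN, a 'nat (inside) 0' ACL that does not
exempt the pool (e.g. the 'host 192.168.2.0' typo), and XAUTH on a non-LOCAL server.
SAMPLE_* are constructed excerpts of the posted configs, not full copies."""
import ipaddress

SAMPLE_BEFORE = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpn_pool 192.168.1.40-192.168.1.50
access-list inside_outbound_nat0_acl permit ip any 192.168.1.32 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl
aaa-server RaysAAA protocol tacacs+
crypto map outside_map client authentication RaysAAA
"""

SAMPLE_AFTER_TYPO = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpn_pool 192.168.2.1-192.168.2.10
access-list inside_outbound_nat0_acl permit ip any 192.168.1.32 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 host 192.168.2.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map client authentication LOCAL
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_dst(t):
    """Destination network of 'access-list NAME permit ip SRC DST' tokens,
    where each side is 'any', 'host X' or 'X MASK'."""
    def take(i):
        if t[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        if t[i] == "host":
            return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
        return _net(t[i], t[i + 1]), i + 2
    _, i = take(4)      # skip the source
    return take(i)[0]   # destination


def lint_pix_vpn(config):
    """Return a list of finding strings; an empty list means no pitfall was hit."""
    inside = pool = nat0_acl = xauth = None
    acls, aaa_proto = {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "address", "inside"]:
            inside = _net(t[3], t[4])
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pool = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append(_acl_dst(t))
        elif t[:3] == ["nat", "(inside)", "0"]:
            nat0_acl = t[4]
        elif t[:1] == ["aaa-server"] and t[2:3] == ["protocol"]:
            aaa_proto[t[1]] = t[3]
        elif t[:2] == ["crypto", "map"] and t[3:5] == ["client", "authentication"]:
            xauth = t[5]
    findings = []
    if inside is not None and pool is not None and all(a in inside for a in pool):
        findings.append(f"pool {pool[0]}-{pool[1]} overlaps inside LAN {inside}")
    if pool is not None and nat0_acl is not None:
        # Replies to VPN clients must bypass NAT, so the pool must be a nat 0 destination
        if not any(pool[0] in d and pool[1] in d for d in acls.get(nat0_acl, [])):
            findings.append(f"nat 0 ACL {nat0_acl} does not exempt the VPN pool")
    if xauth is not None and xauth != "LOCAL":
        findings.append(f"XAUTH uses {aaa_proto.get(xauth, '?')} server {xauth}, not LOCAL")
    return findings
```

Running it over the original posting reports the LAN overlap and the TACACS dependency; over the second config it reports only the nat 0 gap, which disappears once the host mask is replaced by 255.255.255.0.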

Author Comment

by:RayDoran
Still getting the same error on the VPN client after entering the last command on the PIX.

Author Comment

by:RayDoran
Was I supposed to cancel out any other command before entering the last one?

Expert Comment

by:grblades
Maybe the command 'crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20' is causing a problem now. You don't need it for client VPNs, so it would be best to remove it:-

no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

Expert Comment

by:grblades
You could have canceled it out just to make it look neater but it would not have had any negative effects. You can tidy things up once you have a fully working configuration which you can revert back to if there is a problem later.

Author Comment

by:RayDoran
OK, I'm back in again. But I still can't get to anything. I tried going to my server using its IP address. I'm looking at the output from ipconfig and my local machine did pick up the 192.168.2.1 address on the Ethernet VPN adapter.

Author Comment

by:RayDoran
Thanks for all your help btw....

Expert Comment

by:grblades
I see that you have logging enabled to the server. So you have a syslog server running on your server?
Try adding:-
logging trap debugging

Then have a look in the log and you should see that the PIX has built an incoming connection when you try to ping the server. It might give an indication if there is something wrong.

I assume the server has a default gateway defined as the PIX and there is no firewall which might be blocking access from 192.168.2.x?

Author Comment

by:RayDoran
The syslog server says I'm in. I don't see any errors or warnings. It says "Authen session start:raydoran sid 13". My setup is this: Internet -> cable modem -> PIX -> Cisco 2950 -> all the clients and server.

I'm just wondering if it does not know about the .2 network. Like in a Cisco router, for 2 different networks to talk to each other both networks have to be defined:
cisco# router rip
cisco#network 192.168.1.0
cisco#network 192.168.2.0

Is the PIX like this also?

Author Comment

by:RayDoran
That's why I was a little confused when you put the 192.168.2.0 network in the config????

Author Comment

by:RayDoran
Can't ping 192.168.1.1 or .10.

Expert Comment

by:grblades
I don't like running routing protocols on a firewall and so I normally fix all the routes.

What network addresses do you use on the other side of the router, as the PIX will need to be configured to permit these across the VPN as well?

Author Comment

by:RayDoran
Right now there is no router involved. It's a connection from the PIX to the cable modem. No router.

Expert Comment

by:grblades
How are you testing the VPN by the way?
I assume you have another machine connected to the internet. How is this connected?

Author Comment

by:RayDoran
I'm at work right now. I'm using remote admin to connect back to my machines at home. I'm testing by using the VPN client here at work.

Expert Comment

by:grblades
Is there a firewall at work?
If esp (IP protocol number 50) is blocked then you will be able to connect but not transfer anything over the VPN.

Author Comment

by:RayDoran
I can check our firewall and open ports if needed. Only port 50 needs to be open?

Expert Comment

by:grblades
ESP is IP protocol 50, in the same way that TCP, UDP and ICMP are IP protocols. It is not a port.

Authentication is done using ISAKMP, which uses UDP port 500, and this is obviously permitted.
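The distinction above is easy to see on the wire: a port rule looks at the transport header, which an ESP packet does not have, so "port 50" can never match it. The snippet below is an added illustration (not from the thread) that builds two constructed IPv4 packets, one ESP and one ISAKMP over UDP/500, and shows which kind of rule each one matches.

```python
"""ESP (IP protocol 50) versus ISAKMP (UDP port 500): the 'port 50' confusion.
The two packets are constructed minimal IPv4 headers, not real captures."""
import struct


def ipv4_packet(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) plus payload."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


def udp_datagram(sport, dport, body):
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def _proto_and_ihl(pkt):
    return pkt[9], (pkt[0] & 0x0F) * 4


def classify(pkt):
    """('esp', None) for protocol 50, ('isakmp', 500) for UDP/500, else what it is."""
    proto, ihl = _proto_and_ihl(pkt)
    if proto == 50:
        return ("esp", None)
    if proto == 17:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        return ("isakmp" if dport == 500 else "udp", dport)
    return ("other", None)


def port_rule_matches(pkt, port):
    """A TCP/UDP destination-port rule: ESP carries no port field, so it never matches."""
    proto, ihl = _proto_and_ihl(pkt)
    if proto not in (6, 17):
        return False
    return struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] == port


def protocol_rule_matches(pkt, proto):
    """An IP-protocol rule such as 'conduit permit esp any any' keys on byte 9 only."""
    return pkt[9] == proto


# Constructed sample traffic from a client to a gateway (RFC 5737 documentation addresses)
ESP_PKT = ipv4_packet(50, "192.0.2.10", "198.51.100.1", b"\x00" * 16)
IKE_PKT = ipv4_packet(17, "192.0.2.10", "198.51.100.1", udp_datagram(500, 500, b"\x00" * 8))
```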

Author Comment

by:RayDoran
So just permit ESP and it should work?

Expert Comment

by:grblades
I would check to make sure esp is permitted. I can't see any problems with the PIX configuration that would cause it not to work so it is worth checking other things now.

Author Comment

by:RayDoran
So it should look something like this?

conduit permit esp any any

Realize that we are running a PIX 515 with code 6.1(1).

Expert Comment

by:grblades
Yes, something like that. I am not familiar with the old PIX 'conduit' commands.

There are issues with VPN clients behind this version of software which may cause problems if multiple machines need to connect to the 501.

See lrmoore's comments in this topic
http://www.experts-exchange.com/Networking/Q_21090315.html

Author Comment

by:RayDoran
Still getting the same results after entering the command

conduit permit esp any any

in our firewall here at work.

hmmmmmmmm.

Accepted Solution

by: grblades earned 500 total points
Can you establish a VPN to your PIX and leave your work machine pinging one of your home machines so there is traffic being sent across the VPN?
Wait at least 10 seconds, then type the command 'show crypto ipsec sa' on the PIX and paste the output here. It should show you the total number of packets encrypted and decrypted, which will at least tell us whether the ESP packets are getting to your PIX.