_Stu_
asked on
PIX 501 - VPN Connection Fails, no entries in logs when VPN connection is attempted
Hi. I have done a quick search before posting but can't find any posts with a similar problem. I have a PIX 501 connected to a Cisco 837 router. I've configured the PIX as per the config below to allow remote users to VPN into the network (Cisco 837 config also below). Currently the firewall is using PAT with all clients behind one IP address, and in terms of normal connectivity all internal clients can access the internet as required. When I test a VPN connection from outside our network to the PIX, the client appears to be trying to connect, but there are no entries in the PIX logs to show a client attempting to connect, or failing to connect. Eventually the client times out and displays an error that the PIX isn't responding. I thought the 837 router may have been blocking the connection, but as with the PIX, there are no log entries showing the VPN connection being blocked. The 837 is configured to block illegal internet addresses and restrict unwanted ICMP, but no other filtering takes place at the router.
Can anyone suggest what I'm doing wrong? Have I mis-configured the PIX?
Network Details
837 Router IP: 217.xxx.xxx.65
PIX External IP: 217.xxx.xxx.72
PIX Internal IP: 10.0.0.1
Internal Clients: 10.0.0.0 255.255.255.0
VPN Clients: 10.0.2.0 255.255.255.240
VPN Settings: AES 256 with SHA and DH Group 5
Cisco VPN Client Version 4.0.1
Thanks for any help,
Stuart.
PIX CONFIGURATION
: Saved
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password [password] encrypted
passwd [encrypted] encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
pager lines 24
logging on
logging trap informational
: syslog over TCP (protocol 6) port 1468; PIX 6.x blocks new connections if a TCP syslog host becomes unreachable
logging host inside 10.0.0.10 6/1468
mtu outside 1500
mtu inside 1500
ip address outside 217.xxx.xxx.72 255.255.255.240
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.0.2.1-10.0.2.14
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 217.xxx.xxx.65 1
: points the VPN pool back toward the inside interface; replies to clients should follow the default route out the outside interface, where the crypto map encrypts them
route inside 10.0.2.0 255.255.255.240 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no http server enable
no snmp-server location
no snmp-server contact
: default community string left in place; change it if SNMP is used
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set ESP-AES-256-SHA
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
vpngroup test address-pool vpnpool1
vpngroup test dns-server 10.0.0.10
vpngroup test wins-server 10.0.0.10
vpngroup test split-tunnel inside_outbound_nat0_acl
vpngroup test idle-time 1800
vpngroup test password [password]
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
banner login Access to this device is only permitted by authorised users.
banner login All Access to this device is logged and monitored.
: end
Cisco 837 Router Configuration:
!
version 12.3
! IP and network services section
!
! Default Disabled Services, still disabled
no service config
no service tcp-small-servers
no service udp-small-servers
no boot network
! Default Enabled Services, now disabled
no cdp run
no ip bootp server
no ip domain lookup
no ip finger
no service finger
no ip http server
no ip http secure-server
no ip source-route
no service pad
! Default Disabled Services, now enabled
ip cef
! Service Configurations
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
enable secret 5 [password]
ip subnet-zero
!
! SNMP Section - SNMP Disabled
no snmp-server community public RO
no snmp-server community admin RW
no snmp-server enable traps
no snmp-server system-shutdown
no snmp-server trap-auth
no snmp-server
!
hostname R1
!
!
! Logging Options
! SYSLOG
logging trap information
logging xxx.xxx.xxx.xxx
logging facility local0
! Only one logging source-interface is in effect; the second command replaces the first
logging source-interface Ethernet0
logging source-interface Dialer0
!
! Console
no logging console
!
!
! AAA Settings
aaa new-model
username [username] password 7 [password]
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
! Access Lists
! SSH Access List
access-list 50 permit xxx.xxx.xxx.xxx
access-list 50 deny any log
!
!
! Internet-In Access List (Dialer0 In)
ip access-list extended Internet-in
! Host Local Loop Back Address
deny ip 127.0.0.0 0.255.255.255 any log
! Land Attack Protection
deny ip host 217.xxx.xxx.65 host 217.xxx.xxx.65 log
! RFC-1918 Private Network Addresses
! AND IP Address Spoof Protection - deny internal addresses
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
! Documentation/Test Network
deny ip 192.0.2.0 0.0.0.255 any log
! DHCP Local Link Address
deny ip 169.254.0.0 0.0.255.255 any log
! IP Multicast Address Range
deny ip 224.0.0.0 15.255.255.255 any log
! Smurf Attack Protection
deny ip any host 217.xxx.241.64 log
deny ip any host 217.xxx.241.79 log
!
deny ip host 255.255.255.255 any log
! ICMP Types and Traceroute
permit icmp any 217.xxx.xxx.65 0.0.0.15 echo-reply
permit icmp any 217.xxx.xxx.65 0.0.0.15 ttl-exceeded
permit icmp any 217.xxx.xxx.65 0.0.0.15 net-unreachable
permit icmp any 217.xxx.xxx.65 0.0.0.15 host-unreachable
permit icmp any 217.xxx.xxx.65 0.0.0.15 port-unreachable
permit icmp any 217.xxx.xxx.65 0.0.0.15 packet-too-big
permit icmp any 217.xxx.xxx.65 0.0.0.15 administratively-prohibited
permit icmp any 217.xxx.xxx.65 0.0.0.15 source-quench
deny icmp any any log
! Allow ANY Remaining Data to Allocated Subnet
! (this entry also admits IKE UDP/500, NAT-T UDP/4500 and ESP to the PIX at .72, so this ACL does not block the VPN)
permit ip any 217.xxx.xxx.64 0.0.0.15
! Deny ANY Remaining Data
deny ip any any log
! (unreachable: the deny ip above already matches all remaining TCP and UDP)
deny tcp any any log
deny udp any any log
exit
!
!
! Internet-Out Access List (Ethernet0 In)
ip access-list extended Ethernet-in
! Deny illegal, unused, reserved, DHCP Local Link destination IP addresses
deny ip any 0.0.0.0 0.255.255.255 log
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 127.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
deny ip any 224.0.0.0 31.255.255.255 log
deny ip any 169.254.0.0 0.0.255.255 log
! Allow All Outgoing Data from Allocated Subnet
permit ip 217.xxx.xxx.64 0.0.0.15 any
! Deny Any Remaining Data
deny ip any any log
exit
!
!
!
!
!Router Interfaces
!
interface ATM0
description ADSL Service
no ip address
no ip directed-broadcast
no ip mroute-cache
no ip proxy-arp
no ip redirect
no ip unreachables
no atm auto-configuration
no atm ilmi-keepalive
no atm address-registration
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
!
interface Dialer0
description ADSL Service
ip unnumbered Ethernet0
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname [username]@[isp].co.uk
ppp chap password 7 [password]
no cdp enable
no ip directed-broadcast
no ip mask-reply
no ip mroute-cache
no ip proxy-arp
no ip redirect
no ip unreachables
! Applied Access List(s)
ip access-group Internet-in in
!
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
!
interface Ethernet0
ip address 217.xxx.xxx.65 255.255.255.240
no cdp enable
no ip directed-broadcast
no ip mask-reply
no ip mroute-cache
no ip proxy-arp
no ip redirect
no ip unreachables
! Applied Access List(s)
ip access-group Ethernet-in in
!
!
interface loopback0
description Loopback interface for service bindings
no ip proxy-arp
no ip directed-broadcast
no ip unreachables
no ip redirect
!
!
! Serial Port
line con 0
password 7 [password]
no modem enable
transport preferred all
transport output all
stopbits 1
!
! Aux Port Access
line aux 0
exec-timeout 0 1
no exec
transport input none
!
! SSH/Telnet Access
line vty 0 4
! ip access-group RouterSSH-in in
! access-class 105 in
access-class 50 in
transport input ssh
!
!
end
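Whether the 837's Internet-in ACL could be what stops the VPN can be checked without touching the router. The following is an added example, not code from the original post and not Cisco tooling: it evaluates a packet against the subset of IOS extended-ACL syntax used above and asks whether the three flows a Cisco VPN Client needs (IKE on UDP/500, NAT-T on UDP/4500, ESP as IP protocol 50) reach the PIX. The real prefix is redacted, so the condensed ACL is re-addressed into the documentation range 203.0.113.64/28 (router .65, PIX outside .72); those addresses and the client address are constructed.

```python
"""Does the 837's inbound ACL let IKE and ESP reach the PIX?

Added example, not code from the original post and not Cisco tooling. It
evaluates a packet against the subset of IOS extended-ACL syntax used in
the thread (permit/deny; ip, udp, tcp, icmp, esp; any/host/wildcard;
numeric 'eq' ports; ICMP type keywords). Addresses are constructed: the
documentation range 203.0.113.64/28 stands in for the redacted
217.xxx.xxx.64/28, with .65 as the router and .72 as the PIX outside.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50}  # None = any protocol

ROUTER = "203.0.113.65"
PIX_OUTSIDE = "203.0.113.72"

# Condensed copy of the Internet-in ACL posted above, re-addressed (constructed input).
INTERNET_IN = """
deny ip 127.0.0.0 0.255.255.255 any log
deny ip host 203.0.113.65 host 203.0.113.65 log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip any host 203.0.113.64 log
deny ip any host 203.0.113.79 log
deny ip host 255.255.255.255 any log
permit icmp any 203.0.113.64 0.0.0.15 echo-reply
permit icmp any 203.0.113.64 0.0.0.15 ttl-exceeded
permit icmp any 203.0.113.64 0.0.0.15 port-unreachable
deny icmp any any log
permit ip any 203.0.113.64 0.0.0.15
deny ip any any log
"""


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                       # IP protocol number
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # IOS ICMP type keyword, e.g. "echo-reply"


def _wild_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _addr_term(toks: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard, next index)."""
    if toks[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if toks[i] == "host":
        return toks[i + 1], "0.0.0.0", i + 2
    return toks[i], toks[i + 1], i + 2


def acl_decision(acl: str, pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation; returns (action, matching ACE) or the implicit deny."""
    for raw in acl.splitlines():
        toks = raw.strip().split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue
        if toks[-1] == "log":
            toks = toks[:-1]
        action, proto = toks[0], toks[1]
        if PROTO[proto] is not None and PROTO[proto] != pkt.proto:
            continue
        sbase, swild, i = _addr_term(toks, 2)
        dbase, dwild, i = _addr_term(toks, i)
        if not (_wild_match(pkt.src, sbase, swild) and _wild_match(pkt.dst, dbase, dwild)):
            continue
        rest = toks[i:]
        if proto in ("tcp", "udp") and rest[:1] == ["eq"] and pkt.dport != int(rest[1]):
            continue
        if proto == "icmp" and rest and rest[0] != pkt.icmp_type:
            continue
        return action, " ".join(toks)
    return "deny", "<implicit deny>"


def ipsec_reachability(acl: str, pix: str, client: str) -> dict:
    """Decisions for the flows a Cisco VPN Client needs: IKE, NAT-T and ESP."""
    flows = {
        "ike_udp500": Packet(client, pix, PROTO["udp"], dport=500),
        "natt_udp4500": Packet(client, pix, PROTO["udp"], dport=4500),
        "esp_proto50": Packet(client, pix, PROTO["esp"]),
    }
    return {name: acl_decision(acl, p)[0] for name, p in flows.items()}


if __name__ == "__main__":
    print(ipsec_reachability(INTERNET_IN, PIX_OUTSIDE, "198.51.100.7"))
    # A client source inside the RFC 1918 space is dropped by the anti-spoofing entry:
    print(acl_decision(INTERNET_IN, Packet("10.0.2.5", PIX_OUTSIDE, PROTO["udp"], dport=500)))
```

All three flows come back as permit, matched by the final `permit ip any ... 0.0.0.15` entry, because nothing above it matches a legitimate client source and `ip` covers every protocol. That agrees with the router log showing no denies: the router's ACL is not where the negotiation is lost, so the next place to look is the PIX itself.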
ASKER CERTIFIED SOLUTION
Sorry for the extended delay in answering..
These two lines don't show up in the example in that link, but I took them from my (working) config. The VPN Wizard apparently created them:
> access-list outside_cryptomap_dyn_10 permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
> crypto dynamic-map map2 10 match address outside_cryptomap_dyn_10
I know the link shows using the same acl for both the nat 0 and the split-tunnel, but there are several cases where this has been shown to cause problems. The convention is to use independent acls for different processes.
If you do not want to permit split-tunneling while clients are connected (most secure, but clients hate it), then simply leave off the split-tunnel command, and the related acls:
no vpngroup test split-tunnel split-tunnel-acl
^^
Are you still working on this? Do you need more information?
Can you close out this question?
How's it going? Have you found a solution? Do you need more information?
Can you close this question?
https://www.experts-exchange.com/help.jsp#hs5
Thanks for attending to this long-forgotten question.
<-8}
ASKER
access-list outside_cryptomap_dyn_10 permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
crypto dynamic-map map2 10 match address outside_cryptomap_dyn_10
access-list split-tunnel-acl permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
vpngroup test split-tunnel split-tunnel-acl
With the existing entry of :
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
nat (inside) 0 access-list inside_outbound_nat0_acl
If you don't mind me asking, could you explain why the second crypto dynamic command is required and what it does compared with the ?
Also, I don't want to allow split-tunnelling for any VPN client because they will already be connecting in from the internet. The ACL you've suggested for split-tunnelling, does that only allow access to the internal network?
Sorry for the questions, I'm still not 100% up on Cisco commands, but getting there :) I followed the instructions on the Cisco site on the link below, which is why I'm confused about the problems :
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml
Thanks again,
Stuart.
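The points in the accepted answer (one ACL per purpose, a `match address` on the dynamic crypto map) and the combined lines the asker lists above can be checked mechanically. The following is an added example, not Cisco tooling and not code from either poster: a small linter for the VPN section of a PIX 6.3 configuration. `POSTED` is a trimmed copy of the configuration from the question; `FIXED` applies the answer's additions and drops the default SNMP community. It parses only the command forms it checks and ignores everything else. The SNMP check is unrelated to the VPN but flags a setting visible in the posted config.

```python
"""Lint the remote-access VPN section of a PIX 6.3 configuration for the
pitfalls raised in this thread. Added example: not Cisco tooling and not
code from the original post. Only the command forms it checks are parsed;
every other line is ignored. POSTED is a trimmed copy of the configuration
in the question; FIXED adds the lines from the accepted answer and drops
the default SNMP community.
"""
import ipaddress
from typing import Dict, List, Tuple

POSTED = """
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
ip local pool vpnpool1 10.0.2.1-10.0.2.14
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
snmp-server community public
sysopt connection permit-ipsec
crypto dynamic-map map2 10 set transform-set ESP-AES-256-SHA
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
vpngroup test address-pool vpnpool1
vpngroup test split-tunnel inside_outbound_nat0_acl
"""

FIXED = (POSTED.replace("snmp-server community public\n", "")
         .replace("split-tunnel inside_outbound_nat0_acl", "split-tunnel split-tunnel-acl")
         + """
access-list outside_cryptomap_dyn_10 permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
crypto dynamic-map map2 10 match address outside_cryptomap_dyn_10
access-list split-tunnel-acl permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
""")


def parse_pix(config: str) -> List[List[str]]:
    """Tokenise config lines, dropping blanks and ':' comment lines."""
    lines = []
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith(":"):
            lines.append(line.split())
    return lines


def _acl_dest_networks(lines: List[List[str]], name: str) -> List[ipaddress.IPv4Network]:
    """Destination networks of 'access-list NAME permit ip SRC SMASK DST DMASK' entries."""
    return [ipaddress.IPv4Network(f"{t[6]}/{t[7]}", strict=False)
            for t in lines if len(t) >= 8 and t[:4] == ["access-list", name, "permit", "ip"]]


def lint_vpn(config: str) -> List[str]:
    lines = parse_pix(config)
    by_first: Dict[str, List[List[str]]] = {}
    for t in lines:
        by_first.setdefault(t[0], []).append(t)
    findings: List[str] = []

    # 1. One ACL feeding both 'nat (inside) 0' and 'vpngroup ... split-tunnel'.
    nat0 = {t[4] for t in by_first.get("nat", []) if len(t) > 4 and t[2:4] == ["0", "access-list"]}
    split = {t[3] for t in by_first.get("vpngroup", []) if len(t) > 3 and t[2] == "split-tunnel"}
    for acl in sorted(nat0 & split):
        findings.append(f"ACL {acl} is shared by nat 0 and split-tunnel; give each its own ACL")

    # 2. The address pool must lie inside the nat 0 exemption, or replies to clients get PATed.
    exempt = [n for acl in nat0 for n in _acl_dest_networks(lines, acl)]
    for t in by_first.get("ip", []):
        if t[1:3] == ["local", "pool"]:
            lo, hi = (ipaddress.IPv4Address(a) for a in t[4].split("-"))
            if not any(lo in n and hi in n for n in exempt):
                findings.append(f"pool {t[3]} ({lo}-{hi}) is not covered by the nat 0 ACL")

    # 3. Dynamic crypto-map entries carrying a transform set but no 'match address'.
    dyn: Dict[Tuple[str, str], Dict[str, str]] = {}
    for t in by_first.get("crypto", []):
        if t[1] == "dynamic-map" and len(t) >= 7:
            dyn.setdefault((t[2], t[3]), {})[" ".join(t[4:6])] = t[6]
    for (name, seq), sub in dyn.items():
        if "set transform-set" in sub and "match address" not in sub:
            findings.append(f"dynamic-map {name} {seq} has no 'match address' ACL "
                            "(the working config in this thread has one)")

    # 4. A crypto map bound to an interface where ISAKMP is not enabled never negotiates.
    bound = {t[4] for t in by_first.get("crypto", []) if len(t) > 4 and t[1] == "map" and t[3] == "interface"}
    isakmp_on = {t[2] for t in by_first.get("isakmp", []) if len(t) > 2 and t[1] == "enable"}
    for iface in sorted(bound - isakmp_on):
        findings.append(f"crypto map is bound to {iface} but 'isakmp enable {iface}' is missing")

    # 5. Without this sysopt, decrypted VPN traffic is subject to the outside interface ACL.
    if ["sysopt", "connection", "permit-ipsec"] not in lines:
        findings.append("no 'sysopt connection permit-ipsec'; decrypted traffic hits the outside ACL")

    # 6. Not a VPN issue, but present in the posted config: the default SNMP community.
    if any(t[:3] == ["snmp-server", "community", "public"] for t in lines):
        findings.append("SNMP community 'public' is configured; change it or remove SNMP")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(label, lint_vpn(cfg) or ["no findings"])
```

Against `POSTED` the linter reports the shared ACL, the dynamic map without `match address` and the default SNMP community; against `FIXED` it reports nothing. The pool check covers the other common failure with this design, a pool that drifts outside the nat 0 exemption so that replies to clients are PATed on the way out, and the ISAKMP check catches the one misconfiguration that produces exactly the asker's symptom of a client that times out with nothing logged, since a crypto map on an interface without `isakmp enable` never answers the first IKE packet.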