Solved

PIX 501 - VPN Connection Fails, no entries in logs when VPN connection is attempted

Posted on 2004-08-21
Last Modified: 2013-11-16
Hi. I have done a quick search before posting but can't find any posts with a similar problem. I have a PIX 501 connected to a Cisco 837 Router. I've configured the PIX as per the config below to allow remote users to VPN into the network (Cisco 837 config also below). Currently the firewall is using PAT with all clients behind one IP address, and in terms of normal connectivity all internal clients can access the internet as required. When I test a VPN connection from outside our network to the PIX, the client appears to be trying to connect, but there are no entries in the PIX logs to show a client attempting to connect, or failing to connect. Eventually the client times out and displays an error that the PIX isn't responding. I thought the 837 router may have been blocking the connection, but as with the PIX, there are no log entries showing the VPN connection being blocked. The 837 is configured to block illegal internet addresses, and restrict unwanted ICMP, but no other filtering takes place at the router.

Can anyone suggest what I'm doing wrong? Have I mis-configured the PIX?

Network Details
837 Router IP: 217.xxx.xxx.65
PIX External IP: 217.xxx.xxx.72
PIX Internal IP: 10.0.0.1
Internal Clients: 10.0.0.0 255.255.255.0
VPN Clients: 10.0.2.0 255.255.255.240
VPN Settings: AES 256 with SHA and DH Group 5

Cisco VPN Client Version 4.0.1

Thanks for any help,
Stuart.


PIX CONFIGURATION
: Saved
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

enable password [password] encrypted
passwd [encrypted] encrypted
hostname pixfirewall

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240

pager lines 24
logging on
logging trap informational
logging host inside 10.0.0.10 6/1468
mtu outside 1500
mtu inside 1500

ip address outside 217.xxx.xxx.72 255.255.255.240
ip address inside 10.0.0.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.0.2.1-10.0.2.14
pdm history enable
arp timeout 14400

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

route outside 0.0.0.0 0.0.0.0 217.xxx.xxx.65 1
route inside 10.0.2.0 255.255.255.240 10.0.0.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

no http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set ESP-AES-256-SHA
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

vpngroup test address-pool vpnpool1
vpngroup test dns-server 10.0.0.10
vpngroup test wins-server 10.0.0.10
vpngroup test split-tunnel inside_outbound_nat0_acl
vpngroup test idle-time 1800
vpngroup test password [password]

telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80

banner login Access to this device is only permitted by authorised users.
banner login All Access to this device is logged and monitored.
: end


Cisco 837 Router Configuration:
!
version 12.3
! IP and network services section
!
! Default Disabled Services, still disabled
no service config
no service tcp-small-servers
no service udp-small-servers
no boot network
! Default Enabled Services, now disabled
no cdp run
no ip bootp server
no ip domain lookup
no ip finger
no service finger
no ip http server
no ip http secure-server
no ip source-route
no service pad
! Default Disabled Services, now enabled
ip cef
! Service Configurations
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
enable secret 5 [password]
ip subnet-zero
!
! SNMP Section - SNMP Disabled
no snmp-server community public RO
no snmp-server community admin RW
no snmp-server enable traps
no snmp-server system-shutdown
no snmp-server trap-auth
no snmp-server
!
hostname R1
!
!
! Logging Options
! SYSLOG
logging trap information
logging xxx.xxx.xxx.xxx
logging facility local0
logging source-interface Ethernet0
logging source-interface Dialer0
!
! Console
no logging console
!
!
! AAA Settings
aaa new-model
username [username] password 7 [password]
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
! Access Lists
! SSH Access List
access-list 50 permit xxx.xxx.xxx.xxx
access-list 50 deny any log
!
!
! Internet-In Access List (Dialer0 In)
ip access-list extended Internet-in
 ! Host Local Loop Back Address
  deny   ip    127.0.0.0 0.255.255.255   any log
 ! Land Attack Protection
  deny   ip    host 217.xxx.xxx.65 host 217.xxx.xxx.65  log
 ! RFC-1918 Private Network Addresses
 ! AND IP Address Spoof Protection - deny internal addresses
  deny   ip    0.0.0.0 0.255.255.255     any log
  deny   ip    10.0.0.0 0.255.255.255    any log
  deny   ip    172.16.0.0 0.15.255.255   any log
  deny   ip    192.168.0.0 0.0.255.255   any log
 ! Documentation/Test Network
  deny   ip    192.0.2.0 0.0.0.255       any log
 ! DHCP Local Link Address
  deny   ip    169.254.0.0 0.0.255.255   any log
 ! IP Multicast Address Range
  deny   ip    224.0.0.0 15.255.255.255  any log
 ! Smurf Attack Protection
  deny   ip    any  host 217.xxx.241.64      log
  deny   ip    any  host 217.xxx.241.79      log
 !
  deny   ip    host 255.255.255.255      any log
 ! ICMP Types and Traceroute
  permit icmp  any 217.xxx.xxx.65 0.0.0.15 echo-reply  
  permit icmp  any 217.xxx.xxx.65 0.0.0.15 ttl-exceeded
  permit icmp  any 217.xxx.xxx.65 0.0.0.15 net-unreachable
  permit icmp  any 217.xxx.xxx.65 0.0.0.15 host-unreachable
  permit icmp  any 217.xxx.xxx.65 0.0.0.15 port-unreachable
  permit icmp  any 217.xxx.xxx.65 0.0.0.15 packet-too-big
  permit icmp  any 217.xxx.xxx.65 0.0.0.15 administratively-prohibited
  permit icmp  any 217.xxx.xxx.65 0.0.0.15 source-quench
  deny   icmp  any                       any log
 ! Allow ANY Remaining Data to Allocated Subnet
  permit ip    any 217.xxx.xxx.64 0.0.0.15
 ! Deny ANY Remaining Data
  deny   ip  any                         any log
  deny   tcp any                         any log
  deny   udp any                         any log
exit
!
!
! Internet-Out Access List (Ethernet0 In)
ip access-list extended Ethernet-in
  ! Deny illegal, unused, reserved, DHCP Local Link destination IP addresses
   deny   ip  any 0.0.0.0     0.255.255.255   log
   deny   ip  any 10.0.0.0    0.255.255.255   log
   deny   ip  any 127.0.0.0   0.255.255.255   log
   deny   ip  any 172.16.0.0  0.15.255.255    log
   deny   ip  any 192.168.0.0 0.0.255.255     log
   deny   ip  any 224.0.0.0   31.255.255.255  log
   deny   ip  any 169.254.0.0 0.0.255.255     log
  ! Allow All Outgoing Data from Allocated Subnet
   permit ip   217.xxx.xxx.64 0.0.0.15    any
  ! Deny Any Remaining Data
   deny   ip    any                       any log
exit
!
!
!
!
!Router Interfaces
!
interface ATM0
 description ADSL Service
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 no ip proxy-arp
 no ip redirect
 no ip unreachables
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
!
interface Dialer0
 description ADSL Service
 ip unnumbered Ethernet0
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname [username]@[isp].co.uk
 ppp chap password 7 [password]
 no cdp enable
 no ip directed-broadcast
 no ip mask-reply
 no ip mroute-cache
 no ip proxy-arp
 no ip redirect
 no ip unreachables
 !  Applied Access List(s)
 ip access-group Internet-in in
!
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
!
interface Ethernet0
 ip address 217.xxx.xxx.65 255.255.255.240
 no cdp enable
 no ip directed-broadcast
 no ip mask-reply
 no ip mroute-cache
 no ip proxy-arp
 no ip redirect
 no ip unreachables
 !  Applied Access List(s)
 ip access-group Ethernet-in in
!
!
interface loopback0
 description Loopback interface for service bindings
 no ip proxy-arp
 no ip directed-broadcast
 no ip unreachable
 no ip redirect
!
!
! Serial Port
line con 0
 password 7 [password]
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
!
! Aux Port Access
line aux 0
 exec-timeout 0 1
 no exec
 transport input none
!
! SSH/Telnet Access
line vty 0 4
! ip access-group RouterSSH-in in
! access-class 105 in
 access-class 50 in
 transport input ssh
!
!
end
Question by: _Stu_

Accepted Solution by: lrmoore (earned 500 total points), ID: 11860215
I don't see a line like this in your PIX:
  access-list outside_cryptomap_dyn_10 permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
  crypto dynamic-map map2 10 match address outside_cryptomap_dyn_10


Even though this requires the exact same access-list, it is suggested that you use two different acls:
>vpngroup test split-tunnel inside_outbound_nat0_acl

Instead, use:
access-list split-tunnel-acl permit ip 10.0.0.0 255.255.255.0 any
  or, if you want to restrict split-tunneling:
access-list split-tunnel-acl permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
vpngroup test split-tunnel split-tunnel-acl

You see three separate instances of acl reference, all with identical acls, but you need to create three separate acls, not reference the same one multiple times.
  nat 0 acl
  split-tunnel acl
  dynamic tunnel map match acl

If you still can't get it to work, remove the acls from the router interfaces while you are troubleshooting.
Author Comment by: _Stu_, ID: 11860945
Hi lrmoore. Thanks for the quick reply. So just to check, I need to add the following entries:

  access-list outside_cryptomap_dyn_10 permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
  crypto dynamic-map map2 10 match address outside_cryptomap_dyn_10

  access-list split-tunnel-acl permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
  vpngroup test split-tunnel split-tunnel-acl

With the existing entry of:

  access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
  nat (inside) 0 access-list inside_outbound_nat0_acl

If you don't mind me asking, could you explain why the second crypto dynamic command is required and what it does compared with the  ?

Also, I don't want to allow split-tunneling for any VPN client because they will already be connecting in from the internet. The ACL you've suggested for split-tunnelling, does that only allow access to the internet network?

Sorry for the questions, I'm still not 100% up on Cisco commands, but getting there :) I followed the instructions on the Cisco site at the link below, which is why I'm confused about the problems:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

Thanks again,
Stuart.
Expert Comment by: lrmoore, ID: 11863667
Sorry for the extended delay in answering.
These two lines don't show up in the example in that link, but I took them from my (working) config. The VPN Wizard apparently created them:
>  access-list outside_cryptomap_dyn_10 permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
>  crypto dynamic-map map2 10 match address outside_cryptomap_dyn_10

I know the link shows using the same acl for both the nat 0 and the split-tunnel, but there are several cases where this has been shown to cause problems. The convention is to use independent acls for different processes.

If you do not want to permit split-tunneling while clients are connected (most secure, but clients hate it), then simply leave off the split-tunnel command, and the related acls:
   no vpngroup test split-tunnel split-tunnel-acl
  ^^

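As an added illustration of the point lrmoore makes in the accepted solution and in the follow-up above (each of nat 0, split-tunnel and the dynamic-map match should reference its own ACL, and the dynamic map needs a match address line), here is a small Python checker. It is not part of this thread and not a Cisco tool; it parses only the handful of PIX 6.3 commands involved and flags a dynamic-map entry with no match address, an ACL shared by more than one process, and a referenced ACL that is never defined. Both configuration samples are constructed for the example: one mirrors the PIX config in the question, the other the no-split-tunnel variant lrmoore recommends, with the outside_cryptomap_dyn_10 ACL and match line added.

```python
"""Lint a PIX 6.3-style config for the ACL problems discussed in this thread.

Added example, not code from the thread or from Cisco. Only the commands
relevant to nat 0, split-tunnel and dynamic crypto maps are understood.
"""
import re
from collections import defaultdict

# Constructed sample 1: the original config from the question (VPN-relevant lines only).
BROKEN_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set ESP-AES-256-SHA
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
vpngroup test address-pool vpnpool1
vpngroup test split-tunnel inside_outbound_nat0_acl
"""

# Constructed sample 2: the corrected, no-split-tunnel variant from the follow-up.
FIXED_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
access-list outside_cryptomap_dyn_10 permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.240
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto dynamic-map map2 10 set transform-set ESP-AES-256-SHA
crypto dynamic-map map2 10 match address outside_cryptomap_dyn_10
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
vpngroup test address-pool vpnpool1
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:permit|deny) ")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
SPLIT_RE = re.compile(r"^vpngroup \S+ split-tunnel (\S+)$")
DYN_SET_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set transform-set \S+$")
DYN_MATCH_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) match address (\S+)$")


def parse(config):
    """Collect defined ACLs, which process references each ACL, and dynamic-map state."""
    acls = set()
    uses = defaultdict(set)   # acl name -> subset of {"nat0", "split-tunnel", "dynamic-map"}
    dyn_entries = set()       # (map name, sequence) seen in any dynamic-map line
    dyn_match = {}            # (map name, sequence) -> acl named in 'match address'
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := NAT0_RE.match(line):
            uses[m.group(1)].add("nat0")
        elif m := SPLIT_RE.match(line):
            uses[m.group(1)].add("split-tunnel")
        elif m := DYN_SET_RE.match(line):
            dyn_entries.add((m.group(1), int(m.group(2))))
        elif m := DYN_MATCH_RE.match(line):
            key = (m.group(1), int(m.group(2)))
            dyn_entries.add(key)
            dyn_match[key] = m.group(3)
            uses[m.group(3)].add("dynamic-map")
    return acls, uses, dyn_entries, dyn_match


def lint(config):
    """Return a sorted list of human-readable findings; empty means no problem found."""
    acls, uses, dyn_entries, dyn_match = parse(config)
    findings = []
    # A dynamic-map entry with a transform-set but no 'match address' cannot select traffic.
    for name, seq in sorted(dyn_entries):
        if (name, seq) not in dyn_match:
            findings.append(f"dynamic-map {name} {seq} has no 'match address' line")
    for acl, roles in sorted(uses.items()):
        if acl not in acls:
            findings.append(f"acl {acl} is referenced but never defined")
        if len(roles) > 1:
            findings.append(
                f"acl {acl} is shared by {', '.join(sorted(roles))}; use one acl per process")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", BROKEN_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"{label}: {lint(cfg) or 'no findings'}")
```

Running it reports two findings for the original config (the missing match address and the ACL shared by nat 0 and split-tunnel) and none for the corrected one. The parser is deliberately strict about line shape, so a config pasted with extra indentation is fine but abbreviated commands are not recognised.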
Expert Comment by: lrmoore, ID: 12092758
Are you still working on this? Do you need more information?
Can you close out this question?
Expert Comment by: lrmoore, ID: 13703128
How's it going? Have you found a solution? Do you need more information?
Can you close this question?

http://www.experts-exchange.com/help.jsp#hs5

Thanks for attending to this long-forgotten question.

<-8}