Solved

Cisco VPN connection: error when trying to connect

Posted on 2004-08-26
1,526 Views
Last Modified: 2013-11-16
We just set up our Cisco 506 PIX and have enabled VPN connections. The group setup works fine; it's when the user tries to log in that I keep getting an error saying Reason 413 user authentication failed. I checked to make sure users were added using the wr term cmd. The users exist, but for some reason I can't log in with any of the accounts I set up! I set up the VPN and the group using the PDM and added the users via the CLI. Is this causing my problem?
Question by:digitalslavery
5 Comments

Expert Comment

by:grblades
ID: 11910859
Hi digitalslavery,
The PDM does not always do things correctly.
Can you login via telnet or ssh and use the 'show run' command to display the current configuration and paste it here and I will have a look for you.

Author Comment

by:digitalslavery
ID: 11912116
Also, I can't find anywhere in the PDM where the users I added are. Weird.

Result of firewall command: "show run"
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************ encrypted
passwd ************ encrypted
hostname MyPix
domain-name alff.net
clock timezone MST -7
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 3389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 Production
name 192.168.0.0 Corporate
name 192.168.0.4 PHX-FPS
name 192.168.0.20 PHX-EXC
name 192.168.0.253 LG-WEBSERVER
name 192.168.0.251 LG-TESTSERVER
name 192.168.0.5 PHX-SCAN
name 192.168.0.18 PHX-DC
name 192.168.0.96 PHX-EPO
name 192.168.0.200 PHX-FPS2
object-group network SERVERS
  description Network servers
  network-object PHX-FPS 255.255.255.255
  network-object PHX-SCAN 255.255.255.255
  network-object PHX-DC 255.255.255.255
  network-object PHX-EXC 255.255.255.255
  network-object PHX-EPO 255.255.255.255
  network-object LG-TESTSERVER 255.255.255.255
  network-object LG-WEBSERVER 255.255.255.255
  network-object PHX-FPS2 255.255.255.255
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 66.236.157.215 eq www
access-list outside_access_in permit tcp any host 66.236.157.212 eq smtp
access-list inside_outbound_nat0_acl permit ip Corporate 255.255.255.0 172.16.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip SanSalvidor 255.255.255.0 172.16.2.0 255.255.255.0
access-list rdc_splitTunnelAcl permit ip Corporate 255.255.255.0 any
access-list rdc_splitTunnelAcl permit ip SanSalvidor 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 172.16.2.0 255.255.255.0
access-list inside_access_in remark
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging console alerts
logging monitor alerts
logging buffered alerts
logging trap informational
logging device-id hostname
mtu outside 1500
mtu inside 1500
ip address outside 66.236.157.210 255.255.255.240
ip address inside 192.168.0.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm drop
ip audit attack action alarm drop
ip local pool CorporateRDC 192.168.0.2-LG-WEBSERVER
ip local pool vpn_access 172.16.2.20-172.16.2.254
pdm location PHX-FPS2 255.255.255.255 inside
pdm location PHX-EXC 255.255.255.255 inside
pdm location LG-WEBSERVER 255.255.255.255 inside
pdm location 207.114.195.34 255.255.255.255 outside
pdm location SanSalvidor 255.255.255.0 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 66.236.157.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 192.168.0.1 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location PHX-FPS 255.255.255.255 inside
pdm location PHX-SCAN 255.255.255.255 inside
pdm location PHX-DC 255.255.255.255 inside
pdm location PHX-EPO 255.255.255.255 inside
pdm location LG-TESTSERVER 255.255.255.255 inside
pdm location 130.13.108.68 255.255.255.255 outside
pdm location 24.221.118.151 255.255.255.255 outside
pdm group SERVERS inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.236.157.212 PHX-EXC netmask 255.255.255.255 0 0
static (inside,outside) 66.236.157.215 LG-WEBSERVER netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 66.236.157.209 1
route inside Prodution 255.255.255.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 207.114.195.34 255.255.255.255 outside
http 130.13.108.68 255.255.255.255 outside
http 24.221.118.151 255.255.255.255 outside
http Corporate 255.255.255.0 inside
snmp-server location Corporate
snmp-server contact Jason Lasby
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup rdc address-pool vpn_access
vpngroup rdc dns-server PHX-DC 192.168.0.76
vpngroup rdc default-domain alff
vpngroup rdc split-tunnel rdc_splitTunnelAcl
vpngroup rdc idle-time 1800
vpngroup rdc password ********
telnet Corporate 255.255.255.0 inside
telnet timeout 5
ssh 207.114.195.34 255.255.255.255 outside
ssh timeout 5
console timeout 20
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn username jason2 password *********
vpdn username jaughe password *********
vpdn username dvaldez password *********
vpdn username llevin password *********
vpdn username jdavis password *********
vpdn username jason password *********
vpdn enable outside
vpdn enable inside
terminal width 80
Cryptochecksum:8ed367a461be32b04e7707390e73c3ff
: end

Accepted Solution

by: grblades (earned 250 total points)
ID: 11912407
You appear to have both PPTP and IPSEC based VPN connections enabled. Do you intend to use both?
Your IPSEC section looks correct, and all you are missing is the list of user accounts:

username user1 password password1
username user2 password password2
etc...
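The mismatch the accepted answer points at (IPsec client authentication set to LOCAL, while the only accounts on the box were created with `vpdn username`, which only serves PPTP) is easy to miss in a long `show run`. The following script is an added example, not code from the thread or from Cisco: it parses a PIX 6.x-style running config for the handful of lines that decide which credential store each VPN type uses and reports the conditions that produce this failure. The embedded sample config is constructed to reproduce the thread's situation, and the function names are my own.

```python
"""Audit a Cisco PIX 6.x 'show run' dump for the remote-access auth mismatch
discussed in the thread: 'crypto map ... client authentication LOCAL' with no
'username' entries, only 'vpdn username' (PPTP) accounts.

Added example, not part of the original thread. SAMPLE_CONFIG is constructed."""
import re

# Constructed sample reproducing the thread's state: IPsec auth -> LOCAL,
# but the only accounts were added with 'vpdn username' (PPTP only).
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
vpngroup rdc address-pool vpn_access
vpngroup rdc password ********
vpdn group 1 ppp authentication mschap
vpdn username alice password ********
vpdn username bob password ********
vpdn enable outside
"""


def parse_pix_config(text):
    """Extract the lines that decide which credential store each VPN type uses."""
    cfg = {
        "ipsec_client_auth": [],   # (crypto map name, aaa-server tag)
        "local_users": set(),      # 'username X password ...' -> LOCAL aaa-server
        "vpdn_users": set(),       # 'vpdn username X password ...' -> PPTP/L2TP only
        "vpdn_enabled": False,     # 'vpdn enable <if>' -> PPTP listener active
        "isakmp_enabled": False,   # 'isakmp enable <if>' -> IPsec listener active
    }
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map (\S+) client authentication (\S+)", line)
        if m:
            cfg["ipsec_client_auth"].append((m.group(1), m.group(2)))
            continue
        # Check the vpdn form first so it is never mistaken for a LOCAL user.
        m = re.match(r"vpdn username (\S+) password", line)
        if m:
            cfg["vpdn_users"].add(m.group(1))
            continue
        m = re.match(r"username (\S+) password", line)
        if m:
            cfg["local_users"].add(m.group(1))
            continue
        if re.match(r"vpdn enable \S+", line):
            cfg["vpdn_enabled"] = True
        elif re.match(r"isakmp enable \S+", line):
            cfg["isakmp_enabled"] = True
    return cfg


def audit_vpn_auth(cfg):
    """Return human-readable findings; an empty list means no mismatch found."""
    findings = []
    for crypto_map, tag in cfg["ipsec_client_auth"]:
        if tag.upper() == "LOCAL" and not cfg["local_users"]:
            findings.append(
                f"crypto map {crypto_map}: client authentication LOCAL but no "
                f"'username' entries exist; IPsec client logins will fail"
            )
    if cfg["vpdn_users"] and not cfg["local_users"]:
        findings.append(
            f"accounts {sorted(cfg['vpdn_users'])} exist only as 'vpdn username' "
            f"(PPTP); they do not satisfy IPsec LOCAL authentication"
        )
    if cfg["vpdn_enabled"] and cfg["isakmp_enabled"]:
        findings.append(
            "both PPTP (vpdn enable) and IPsec (isakmp enable) are active; "
            "remove the one that is not intended"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_auth(parse_pix_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Feed it a real `show run` by reading the file into `parse_pix_config`; once `username <name> password <pw>` entries are added, the first two findings disappear, and the third remains until the unused PPTP configuration is removed.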

Author Comment

by:digitalslavery
ID: 11912963
We should be using IPsec connections only! How do I add the users? I see the users I thought I was enabling access for were actually under the PPTP. The command I was using to add users was:

vpdn username employee password mypassword

What should it be?


Author Comment

by:digitalslavery
ID: 11913001
Oh right! My bad, I didn't realize that was the command! You've just won 250 points!

Thanks! :)