Solved

PIX 515 and VPN

Posted on 2004-08-29
11
18,924 Views
Last Modified: 2013-11-16
I just installed a 515 and all is well. However, I'm having a difficult time getting the VPN working.
Here is my config:

and below the config are the logs from my VPN client.
Thanks in advance for the help.

cepolly

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password 6ztx/UAvbLi8D0Sn encrypted
passwd 6ztx/UAvbLi8D0Sn encrypted
hostname PIX515
domain-name T43434n
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names      
name 192.168.1.3 3434
name 192.168.1.1 434343
name 192.168.1.5 43434
name 192.168.1.8 43434
name 192.168.1.12 34343
name 192.168.1.11 34343
name 192.168.1.9 c4344k
object-group service pcANY tcp
  description pcANYwhere
  port-object range 65301 65301
  port-object eq pcanywhere-data
  port-object range pcanywhere-data 5632
object-group service TermServ tcp
  description RDP
  port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list letmein remark inbound traffic
access-list letmein permit tcp any host x.x.x.x eq www
access-list letmein permit tcp any host x.x.x.x eq https
access-list letmein permit tcp any host x.x.x.x eq pop3
access-list letmein permit tcp any host x.x.x.x eq imap4
access-list letmein permit tcp any host x.x.x.x eq pcanywhere-data
access-list letmein permit udp any host x.x.x.x eq 65301
access-list letmein permit tcp any host x.x.x.x eq 65301
access-list letmein permit udp any host x.x.x.x eq 143
access-list letmein permit udp any host x.x.x.x eq 220
access-list letmein permit tcp any host x.x.x.x eq 220
access-list letmein permit tcp any host x.x.x.x eq 585
access-list letmein permit udp any host x.x.x.x eq 585
access-list letmein permit udp any host x.x.x.x eq 993
access-list letmein permit tcp any host x.x.x.x eq 993
access-list letmein permit tcp any host x.x.x.x eq smtp
access-list letmein permit icmp any any
access-list letmein permit udp any host x.x.x.x eq 3389
access-list letmein permit tcp any host x.x.x.x eq 3389
access-list letmein permit tcp any host x.x.x.x eq 8080
access-list letmein permit udp any host x.x.x.x eq 2439
access-list letmein permit tcp any host x.x.x.x eq 2439
access-list letmein permit tcp any host x.x.x.x eq 5001
access-list in_out permit ip any any
access-list dmz_in permit tcp host 10.0.1.9 host 192.168.1.12 eq 3502
access-list dmz_in permit icmp any any
access-list dmz_in permit tcp host 10.0.1.9 host 192.168.1.12 eq smtp
access-list dmz_in deny ip any 192.168.1.0 255.255.255.0
access-list dmz_in permit ip any any
access-list nat0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500  
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.1.19 255.255.255.0
ip address DMZ 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.1-192.168.2.254
pdm location x.x.x.x 255.255.255.255 outside
pdm location x.x.x.x 255.255.255.255 outside
pdm location 10.0.1.9 255.255.255.255 inside
pdm location 192.168.1.7 255.255.255.255 inside
pdm location 192.168.1.12 255.255.255.255 inside
pdm location 10.0.1.9 255.255.255.255 DMZ
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (DMZ) 1 10.0.1.0 255.255.255.0 0 0
static (inside,outside) udp interface 2439 192.168.1.7 2439 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2439 192.168.1.7 2439 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 10.0.1.9 8080 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 143 192.168.1.12 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 192.168.1.12 imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.12 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.12 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.9 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.9 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5001 192.168.1.9 5001 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 192.168.1.9 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.1.9 3389 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group letmein in interface outside
access-group dmz_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map outside_map 90 ipsec-isakmp dynamic dynmap
crypto map mymap 5 ipsec-isakmp
! Incomplete           <-------------------------notice this.
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup vpn3000 dns-server x.x.x.x
vpngroup vpn3000 wins-server 192.168.1.1
vpngroup vpn3000 default-domain domain
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup TEK-VPN-USERS idle-time 1800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 DMZ
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.200-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:2c0a8cdd2a73b02d0cd52a8f1929afbb
: end  

1      19:25:58.475  08/29/04  Sev=Info/4      CM/0x63100002
Begin connection process

2      19:25:58.490  08/29/04  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

3      19:25:58.490  08/29/04  Sev=Info/4      CM/0x63100024
Attempt connection with server "216.64.25.187"

4      19:25:59.740  08/29/04  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

5      19:25:59.740  08/29/04  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

6      19:25:59.865  08/29/04  Sev=Warning/2      IKE/0xE3000022
No private IP address was assigned by the peer

7      19:25:59.865  08/29/04  Sev=Warning/2      IKE/0xE3000099
Failed to process ModeCfg Reply (NavigatorTM:175)

8      19:26:03.194  08/29/04  Sev=Info/4      CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

9      19:26:03.194  08/29/04  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

0
Comment
Question by:cepolly
11 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11929627
Hi cepolly,
'mymap' does not correspond with anything. Remove the 'crypto map mymap' commands and set them up correctly :-

no crypto map mymap 5 ipsec-isakmp
no crypto map mymap interface outside
crypto map outside_map interface outside

You are missing an address pool from the vpngroup and this is mainly what the client log is complaining about. Add the following :-

ip local pool vpnpool 192.168.100.1-192.168.100.254
vpngroup vpn3000 address-pool vpnpool
0
 
LVL 1

Author Comment

by:cepolly
ID: 11930077
As far as the IP pool, it's there: 'ip local pool ippool 192.168.2.1-192.168.2.254'.
But I didn't have it assigned. I did that now.

Thanks. I see what you are saying about the mymap.
Should I change this to myset instead of mymap?

When I try to remove the mymap using 'no crypto map mymap 5 ipsec-isakmp' I get an 'ERROR: unknown subcommand <ipsec-isakmp>'.
0
 
LVL 1

Author Comment

by:cepolly
ID: 11930864
OK, thanks grblades.

I was able to do the remove 'no crypto map mymap 5 ipsec-isakmp' by just doing a 'no crypto map mymap 5' without the rest of the statement.

Also, as soon as I added the vpngroup vpn3000 address-pool ippool, it worked.
Thanks.

The only thing now is the ability to use Exchange and Outlook via the VPN.
How do I set it up to resolve the Exchange server to allow the sync of mail?
I defined the WINS server.
0
 
LVL 36

Expert Comment

by:grblades
ID: 11933226
As long as the WINS server is configured and contains the name of the exchange server and the DNS server being used is that of the AD domain controller it should work.
0
 
LVL 1

Author Comment

by:cepolly
ID: 11935477
Here is my latest log file.

Not sure what is holding up the communication from the VPN client into the network.


58     16:02:02.782  08/30/04  Sev=Info/4      CM/0x63100002
Begin connection process

59     16:02:02.798  08/30/04  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

60     16:02:02.798  08/30/04  Sev=Info/4      CM/0x63100024
Attempt connection with server "216.64.25.187"

61     16:02:03.064  08/30/04  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

62     16:02:03.064  08/30/04  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

63     16:02:03.626  08/30/04  Sev=Info/4      CM/0x63100019
Mode Config data received

64     16:02:04.157  08/30/04  Sev=Info/4      CM/0x63100034
The Virtual Adapter was enabled:
      IP=192.168.2.1/255.255.255.0
      DNS=66.255.x.x,0.0.0.0
      WINS=192.168.1.1,0.0.0.0
      Domain=xxxdomain
      Split DNS Names=

65     16:02:04.204  08/30/04  Sev=Warning/2      CVPND/0xE3400013
AddRoute failed to add a route: code 87
      Destination      192.168.1.255
      Netmask      255.255.255.255
      Gateway      192.168.2.1
      Interface      192.168.2.1

66     16:02:04.204  08/30/04  Sev=Info/6      CM/0x63100036
The routing table was updated for the Virtual Adapter

67     16:02:04.251  08/30/04  Sev=Info/4      CM/0x6310001A
One secure connection established

68     16:02:04.361  08/30/04  Sev=Info/4      CM/0x63100038
Address watch added for 192.168.1.108.  Current address(es): 192.168.2.1, 192.168.1.108.

69     16:02:04.361  08/30/04  Sev=Info/4      CM/0x63100038
Address watch added for 192.168.2.1.  Current address(es): 192.168.2.1, 192.168.1.108.
0
 
LVL 36

Expert Comment

by:grblades
ID: 11935559
From your machine without VPN running, can you post the output of 'route print' (run it in a DOS window)?
Are you using 192.168.1.x or 192.168.2.x on your local network?
0
 
LVL 1

Author Comment

by:cepolly
ID: 11936243
I have the route with the VPN on as well.
Here it is without VPN on:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...mac address ...... 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX) - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.108        20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.1.0    255.255.255.0    192.168.1.108   192.168.1.108        20
    192.168.1.108  255.255.255.255        127.0.0.1       127.0.0.1        20
    192.168.1.255  255.255.255.255    192.168.1.108   192.168.1.108        20
        224.0.0.0        240.0.0.0    192.168.1.108   192.168.1.108        20
  255.255.255.255  255.255.255.255    192.168.1.108   192.168.1.108        1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
0
 
LVL 1

Author Comment

by:cepolly
ID: 11938033
My home network is 192.168.1.0.

Is the VPN getting confused?

Is there a way to only use the VPN connection to resolve names?

192.168.1.1 is the WINS server on the network I'm connecting to.
192.168.1.1 is my gateway on my local network.
0
 
LVL 36

Expert Comment

by:grblades
ID: 11939853
Yes, you cannot have the same IP address range on either side of the VPN. You will have to either change your home network range or the company one.
0
 
LVL 1

Author Comment

by:cepolly
ID: 11960129
We got it to work.

I forgot to use the nat line:

nat (inside) 0 access-list nat0

As soon as this was applied it worked.

Thanks.
0
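The four fixes this thread arrives at (a bound crypto map with no peer or dynamic entry, a vpngroup without an address-pool, the same 192.168.1.0/24 range on both ends of the tunnel, and the missing 'nat (inside) 0' exemption) can be checked mechanically. The following linter is an added example, not code from the thread or from Cisco; it works on a constructed excerpt modelled on the posted config, and the client_lan parameter is an assumption standing in for the remote user's home LAN.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config posted in this thread; not the original.
SAMPLE_CONFIG = """
ip address inside 192.168.1.19 255.255.255.0
ip local pool ippool 192.168.2.1-192.168.2.254
crypto map outside_map 90 ipsec-isakmp dynamic dynmap
crypto map mymap 5 ipsec-isakmp
crypto map mymap interface outside
vpngroup vpn3000 password ********
"""


def lint_vpn_config(config, client_lan=None):
    """Return findings for the four mistakes worked through in this thread."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings, pools, pooled, nets = [], {}, {}, []
    for ln in lines:
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", ln):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"vpngroup (\S+) address-pool (\S+)$", ln):
            pooled[m[1]] = m[2]
        elif m := re.match(r"ip address inside (\S+) (\S+)$", ln):
            nets.append(("inside LAN", ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)))
    # 1. A crypto map bound to an interface needs a peer or a dynamic-map entry;
    #    'crypto map mymap 5 ipsec-isakmp' on its own is the incomplete case from the thread.
    for ln in lines:
        m = re.match(r"crypto map (\S+) interface (\S+)$", ln)
        if m and not any(re.match(rf"crypto map {re.escape(m[1])} \d+ (ipsec-isakmp dynamic|set peer) \S+", x) for x in lines):
            findings.append(f"crypto map {m[1]} is bound to {m[2]} but has no peer or dynamic entry")
    # 2. Every vpngroup must hand out addresses from a defined local pool; without one the
    #    client logs 'No private IP address was assigned by the peer'.
    for g in sorted({ln.split()[1] for ln in lines if ln.startswith("vpngroup ")}):
        if g not in pooled:
            findings.append(f"vpngroup {g} has no address-pool")
        elif pooled[g] not in pools:
            findings.append(f"vpngroup {g} references undefined pool {pooled[g]}")
    # 3. The inside LAN, the pool and the remote user's own LAN must not overlap.
    if client_lan:
        nets.append(("client LAN", ipaddress.ip_network(client_lan)))
    for name, (lo, hi) in pools.items():
        nets += [(f"pool {name}", n) for n in ipaddress.summarize_address_range(lo, hi)]
    for i, (la, a) in enumerate(nets):
        for lb, b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{la} {a} overlaps {lb} {b}")
    # 4. Pool traffic must be exempt from NAT on the inside interface (nat 0).
    if not any(re.match(r"nat \(inside\) 0 access-list \S+", ln) for ln in lines):
        findings.append("no 'nat (inside) 0 access-list ...' to exempt VPN traffic from NAT")
    return findings
```

Run against the sample with client_lan="192.168.1.0/24" it reports all four problems; after applying the thread's fixes and moving the home LAN to a different range it reports none.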
 

Accepted Solution

by:
RomMod earned 0 total points
ID: 11966480
Asker resolved-
The question has been PAQ'd and the 500 points have been refunded.

RomMod
Community Support Moderator
0
