Link to home
Start Free TrialLog in
Avatar of fletchman
fletchman

asked on

VPN and/or PCAnywhere

I have a PIX 506e that I'm trying to configure to pass through PCAnywhere.  I'm also trying to setup the VPN.  The following is the PIX config:

PIX Version 6.3(3)                  
interface ethernet0 auto                        
interface ethernet1 auto                        
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
enable password /v2a6EDy6zMfLXc6 encrypted                                          
passwd /v2a6EDy6zMfLXc6 encrypted                                
hostname justice                
domain-name rose.net                    
fixup protocol dns maximum-length 512                                    
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol tftp 69                      
names    
access-list Support_splitTunnelAcl permit ip any any                                                    
access-list inside_outbound_nat0_acl permit ip any 10.0.1.0 255.255.255.240                                                                          
access-list outside_cryptomap_dyn_20 permit ip any 10.0.1.0 255.255.255.240                                                                          
pager lines 24              
mtu outside 1500                
mtu inside 1500              
ip address outside 172.19.200.2 255.255.0.0                                          
ip address inside 10.0.0.254 255.255.255.0                                          
ip audit info action alarm                          
ip audit attack action alarm                            
ip local pool Support 10.0.1.2-10.0.1.10                                        
pdm location 10.0.0.1 255.255.255.255 inside                                            
pdm logging informational 100                            
pdm history enable                  
arp timeout 14400                
global (outside) 1 interface                            
nat (inside) 0 access-list inside_outbound_nat0_acl                                                  
nat (inside) 1 0.0.0.0 0.0.0.0 0 0                                  
static (inside,outside) tcp interface pcanywhere-data 10.0.0.1 pcanywhere-                                                                        
etmask 255.255.255.255 0 0                          
static (inside,outside) udp interface 5631 10.0.0.1 5631 netmask 255.255.255.255                                                                                
 0 0    
static (inside,outside) tcp interface 5632 10.0.0.1 5632 netmask 255.255.255.255                                                                                
 0 0    
static (inside,outside) udp interface pcanywhere-status 10.0.0.1 pcanywhere-stat                                                                                
us netmask 255.255.255.255 0 0                              
route outside 0.0.0.0 0.0.0.0 172.19.1.1 1                                          
timeout xlate 0:05:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00                                                                            
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                                                              
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS protocol radius                                
aaa-server LOCAL protocol local                              
http server enable                  
http 10.0.0.0 255.255.255.0 inside                                  
no snmp-server location                      
no snmp-server contact                      
snmp-server community public                            
no snmp-server enable traps                          
floodguard enable                
sysopt connection permit-ipsec                              
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac                                                          
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20                                                                            
crypto dynamic-map outside_dyn_map 20 set                                      
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
vpngroup Support address-pool Support
vpngroup Support dns-server 10.0.0.1 10.0.0.1
vpngroup Support wins-server 10.0.0.1 10.0.0.1
vpngroup Support default-domain jail
vpngroup Support split-tunnel Support_splitTunnelAcl
vpngroup Support idle-time 1800
vpngroup Support password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
username sds8828 password EyeLWAkMkzGJkPKP encrypted privilege 15
terminal width 80
Cryptochecksum:09ace9a4e7f36dfc4d858bddf187d577
: end

When I'm trying to connect with my vpn client, my log displays the following:

Cisco Systems VPN Client Version 4.0.1 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600

1      12:32:54.182  09/22/04  Sev=Info/4      CM/0x63100002
Begin connection process

2      12:32:54.182  09/22/04  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

3      12:32:54.182  09/22/04  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

4      12:32:54.182  09/22/04  Sev=Info/4      CM/0x63100024
Attempt connection with server "172.19.200.2"

5      12:32:55.184  09/22/04  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 172.19.200.2.

6      12:32:55.184  09/22/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 172.19.200.2

7      12:32:55.184  09/22/04  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

8      12:32:55.184  09/22/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

9      12:32:55.224  09/22/04  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 172.19.200.2

10     12:32:55.224  09/22/04  Sev=Warning/2      IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

11     12:32:55.224  09/22/04  Sev=Info/4      IKE/0xE30000A4
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:148)

12     12:32:55.224  09/22/04  Sev=Warning/3      IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

13     12:33:00.291  09/22/04  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

14     12:33:00.291  09/22/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 172.19.200.2

15     12:33:05.298  09/22/04  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

16     12:33:05.298  09/22/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 172.19.200.2

17     12:33:10.305  09/22/04  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

18     12:33:10.305  09/22/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 172.19.200.2

19     12:33:15.313  09/22/04  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=D84A057F29190335 R_Cookie=F72C18B8E50081DB) reason = DEL_REASON_PEER_NOT_RESPONDING

20     12:33:15.813  09/22/04  Sev=Info/4      IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=D84A057F29190335 R_Cookie=F72C18B8E50081DB) reason = DEL_REASON_PEER_NOT_RESPONDING

21     12:33:15.813  09/22/04  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "172.19.200.2" because of "DEL_REASON_PEER_NOT_RESPONDING"

22     12:33:15.813  09/22/04  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

23     12:33:15.813  09/22/04  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

24     12:33:15.823  09/22/04  Sev=Info/4      IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

25     12:33:16.314  09/22/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

26     12:33:16.314  09/22/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

27     12:33:16.314  09/22/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

28     12:33:16.314  09/22/04  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

Please give me some pointers as to what I may need to alter in my PIX config as I am new to the PIX scene.  I went through the VPN setup wizard, and I thought I answered all of the questions correct.
ASKER CERTIFIED SOLUTION
Avatar of Les Moore
Les Moore
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I almost forgot.. you have to also apply the access-list for pca

   access-list outside_in in interface outside
Avatar of fletchman
fletchman

ASKER

Your last statement doesn't make sense or work when I input it.  This is what I have now, and I am going to another location to try the VPN to see if it works.  I'll let you know.  Here is my present config:

: Written by enable_15 at 04:53:39.778 UTC Thu Sep 23 2004                                                          
PIX Version 6.3(3)                  
interface ethernet0 auto                        
interface ethernet1 auto                        
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
enable password /v2a6EDy6zMfLXc6 encrypted                                          
passwd /v2a6EDy6zMfLXc6 encrypted                                
hostname justice                
domain-name rose.net                    
fixup protocol dns maximum-length 512                                    
fixup protocol ftp 21                    
fixup protocol h323 h225 17                        
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol tftp 69                      
names    
access-list Support_splitTunnelAcl permit ip any any                                                    
access-list inside_outbound_nat0_acl permit ip any 10.0.1.0 255.255.255.240                                                                          
access-list outside_cryptomap_dyn_20 permit ip any 10.0.1.0 255.255.255.240                                                                          
access-list outside_in permit tcp any interface outs                                                  
access-list outside_in permit udp any interface outside eq pcanywhere-status23 ras 1718-                                                                
pager lines 24        
pdm
mtu outside 1500onal 100        
mtu inside 1500    
fi  
ERRO
ip address outside 172.19.200.2 255.255.0.0                          
fixup protoco  
ip address inside 10.0.0.254 255.255.255.0  
Usage:  [no] access-list compiled1 inte
ip audit info action alarm                      
fix
ip audit attack action alarmdeny-flow-max <n>nside_outbo
ip local pool Support 10.0.1.2-10.0.1.10                                        
pdm location 10.0.0.1 255.255.255.255 insidel                                      
nat
pdm logging informational 1000                            
pdm history enablelist <id> compiled
arp timeout 14400            
stat
global (outside) 1 interface                    
[no] a
nat (inside) 0 access-list inside_outbound_nat0_acl69                                                
nat (inside) 1 0.0  
access-    
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00it {any | <prefix> <mask> | host <address>}c-map outside_dyn_ma
timeout uauth 0:05:00 absolutetomap_dyn_20                  
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS proto                      
http 10.0.0.0 255.255.255.0 insideMD5                              
no snmp-server location        
route outside
no snmp-server contact                      
snmp-server community publictside_ma                    
no snmp-server enable trapsthernet0 automic outside_dy
floodguard enable                
sysopt connection permit-ipsect1 auto 1:00:00 half-closed 0:
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Support address-pool Support
vpngroup Support dns-server 10.0.0.1 10.0.0.1
vpngroup Support wins-server 10.0.0.1 10.0.0.1
vpngroup Support default-domain jail
vpngroup Support split-tunnel Support_splitTunnelAcl
vpngroup Support idle-time 1800
vpngroup Support password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
username sds8828 password EyeLWAkMkzGJkPKP encrypted privilege 15
terminal width 80
Cryptochecksum:da8f09a77ce1d62a500004248573a368
Here is what I get when I do a show access-list:

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list Support_splitTunnelAcl; 1 elements
access-list Support_splitTunnelAcl line 1 permit ip any any (hitcnt=0)
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any 10.0.1.0 255.255.255.2
40 (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.0.1.0 255.255.255.2
40 (hitcnt=0)
access-list outside_in; 2 elements
access-list outside_in line 1 permit tcp any interface outside eq pcanywhere-dat
a (hitcnt=0)
access-list outside_in line 2 permit udp any interface outside eq pcanywhere-sta
tus (hitcnt=0)
The VPN does work.  Thank you so very much, but I'm still curious about that last statement of

access-list outside_in in interface outside

As you can see in the config, there seems to be an error with access-list outside_in.  Thank you again.
My bad...

access-group outside_in in interface outside
           ^^^