Solved

VPN and/or PCAnywhere

Posted on 2004-09-22
6
484 Views
Last Modified: 2013-11-16
I have a PIX 506e that I'm trying to configure to pass through PCAnywhere.  I'm also trying to setup the VPN.  The following is the PIX config:

PIX Version 6.3(3)                  
interface ethernet0 auto                        
interface ethernet1 auto                        
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
enable password /v2a6EDy6zMfLXc6 encrypted                                          
passwd /v2a6EDy6zMfLXc6 encrypted                                
hostname justice                
domain-name rose.net                    
fixup protocol dns maximum-length 512                                    
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol tftp 69                      
names    
access-list Support_splitTunnelAcl permit ip any any                                                    
access-list inside_outbound_nat0_acl permit ip any 10.0.1.0 255.255.255.240                                                                          
access-list outside_cryptomap_dyn_20 permit ip any 10.0.1.0 255.255.255.240                                                                          
pager lines 24              
mtu outside 1500                
mtu inside 1500              
ip address outside 172.19.200.2 255.255.0.0                                          
ip address inside 10.0.0.254 255.255.255.0                                          
ip audit info action alarm                          
ip audit attack action alarm                            
ip local pool Support 10.0.1.2-10.0.1.10                                        
pdm location 10.0.0.1 255.255.255.255 inside                                            
pdm logging informational 100                            
pdm history enable                  
arp timeout 14400                
global (outside) 1 interface                            
nat (inside) 0 access-list inside_outbound_nat0_acl                                                  
nat (inside) 1 0.0.0.0 0.0.0.0 0 0                                  
static (inside,outside) tcp interface pcanywhere-data 10.0.0.1 pcanywhere-                                                                        
etmask 255.255.255.255 0 0                          
static (inside,outside) udp interface 5631 10.0.0.1 5631 netmask 255.255.255.255                                                                                
 0 0    
static (inside,outside) tcp interface 5632 10.0.0.1 5632 netmask 255.255.255.255                                                                                
 0 0    
static (inside,outside) udp interface pcanywhere-status 10.0.0.1 pcanywhere-stat                                                                                
us netmask 255.255.255.255 0 0                              
route outside 0.0.0.0 0.0.0.0 172.19.1.1 1                                          
timeout xlate 0:05:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00                                                                            
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                                                              
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS protocol radius                                
aaa-server LOCAL protocol local                              
http server enable                  
http 10.0.0.0 255.255.255.0 inside                                  
no snmp-server location                      
no snmp-server contact                      
snmp-server community public                            
no snmp-server enable traps                          
floodguard enable                
sysopt connection permit-ipsec                              
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac                                                          
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20                                                                            
crypto dynamic-map outside_dyn_map 20 set                                      
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
vpngroup Support address-pool Support
vpngroup Support dns-server 10.0.0.1 10.0.0.1
vpngroup Support wins-server 10.0.0.1 10.0.0.1
vpngroup Support default-domain jail
vpngroup Support split-tunnel Support_splitTunnelAcl
vpngroup Support idle-time 1800
vpngroup Support password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
username sds8828 password EyeLWAkMkzGJkPKP encrypted privilege 15
terminal width 80
Cryptochecksum:09ace9a4e7f36dfc4d858bddf187d577
: end

When I'm trying to connect with my vpn client, my log displays the following:

Cisco Systems VPN Client Version 4.0.1 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600

1      12:32:54.182  09/22/04  Sev=Info/4      CM/0x63100002
Begin connection process

2      12:32:54.182  09/22/04  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

3      12:32:54.182  09/22/04  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

4      12:32:54.182  09/22/04  Sev=Info/4      CM/0x63100024
Attempt connection with server "172.19.200.2"

5      12:32:55.184  09/22/04  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 172.19.200.2.

6      12:32:55.184  09/22/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 172.19.200.2

7      12:32:55.184  09/22/04  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

8      12:32:55.184  09/22/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

9      12:32:55.224  09/22/04  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 172.19.200.2

10     12:32:55.224  09/22/04  Sev=Warning/2      IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

11     12:32:55.224  09/22/04  Sev=Info/4      IKE/0xE30000A4
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:148)

12     12:32:55.224  09/22/04  Sev=Warning/3      IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

13     12:33:00.291  09/22/04  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

14     12:33:00.291  09/22/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 172.19.200.2

15     12:33:05.298  09/22/04  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

16     12:33:05.298  09/22/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 172.19.200.2

17     12:33:10.305  09/22/04  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

18     12:33:10.305  09/22/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 172.19.200.2

19     12:33:15.313  09/22/04  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=D84A057F29190335 R_Cookie=F72C18B8E50081DB) reason = DEL_REASON_PEER_NOT_RESPONDING

20     12:33:15.813  09/22/04  Sev=Info/4      IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=D84A057F29190335 R_Cookie=F72C18B8E50081DB) reason = DEL_REASON_PEER_NOT_RESPONDING

21     12:33:15.813  09/22/04  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "172.19.200.2" because of "DEL_REASON_PEER_NOT_RESPONDING"

22     12:33:15.813  09/22/04  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

23     12:33:15.813  09/22/04  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

24     12:33:15.823  09/22/04  Sev=Info/4      IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

25     12:33:16.314  09/22/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

26     12:33:16.314  09/22/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

27     12:33:16.314  09/22/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

28     12:33:16.314  09/22/04  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

Please give me some pointers as to what I may need to alter in my PIX config as I am new to the PIX scene.  I went through the VPN setup wizard, and I thought I answered all of the questions correct.
0
Comment
Question by:fletchman
  • 3
  • 3
6 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
Comment Utility
Easy part first...

To permit PcAnywhere, you need an additional access-list:
 
   access-list outside_in permit tcp any interface outside eq 5631
   access-list outside_in permit udp any interface outside eq 5632
Your statics are backwards for PcAnywhere (tcp/udp flipped)
   >static (inside,outside) udp interface 5631 10.0.0.1 5631  
   >static (inside,outside) tcp interface 5632 10.0.0.1 5632

Should be:
   static (inside,outside) tcp interface 5631 10.0.0.1 5631  
   static (inside,outside) udp interface 5632 10.0.0.1 5632

For your VPN:

isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 5 <-- des can't use group 5. Try changing this to Group 2


0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
I almost forgot.. you have to also apply the access-list for pca

   access-list outside_in in interface outside
0
 

Author Comment

by:fletchman
Comment Utility
Your last statement doesn't make sense or work when I input it.  This is what I have now, and I am going to another location to try the VPN to see if it works.  I'll let you know.  Here is my present config:

: Written by enable_15 at 04:53:39.778 UTC Thu Sep 23 2004                                                          
PIX Version 6.3(3)                  
interface ethernet0 auto                        
interface ethernet1 auto                        
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
enable password /v2a6EDy6zMfLXc6 encrypted                                          
passwd /v2a6EDy6zMfLXc6 encrypted                                
hostname justice                
domain-name rose.net                    
fixup protocol dns maximum-length 512                                    
fixup protocol ftp 21                    
fixup protocol h323 h225 17                        
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol tftp 69                      
names    
access-list Support_splitTunnelAcl permit ip any any                                                    
access-list inside_outbound_nat0_acl permit ip any 10.0.1.0 255.255.255.240                                                                          
access-list outside_cryptomap_dyn_20 permit ip any 10.0.1.0 255.255.255.240                                                                          
access-list outside_in permit tcp any interface outs                                                  
access-list outside_in permit udp any interface outside eq pcanywhere-status23 ras 1718-                                                                
pager lines 24        
pdm
mtu outside 1500onal 100        
mtu inside 1500    
fi  
ERRO
ip address outside 172.19.200.2 255.255.0.0                          
fixup protoco  
ip address inside 10.0.0.254 255.255.255.0  
Usage:  [no] access-list compiled1 inte
ip audit info action alarm                      
fix
ip audit attack action alarmdeny-flow-max <n>nside_outbo
ip local pool Support 10.0.1.2-10.0.1.10                                        
pdm location 10.0.0.1 255.255.255.255 insidel                                      
nat
pdm logging informational 1000                            
pdm history enablelist <id> compiled
arp timeout 14400            
stat
global (outside) 1 interface                    
[no] a
nat (inside) 0 access-list inside_outbound_nat0_acl69                                                
nat (inside) 1 0.0  
access-    
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00it {any | <prefix> <mask> | host <address>}c-map outside_dyn_ma
timeout uauth 0:05:00 absolutetomap_dyn_20                  
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS proto                      
http 10.0.0.0 255.255.255.0 insideMD5                              
no snmp-server location        
route outside
no snmp-server contact                      
snmp-server community publictside_ma                    
no snmp-server enable trapsthernet0 automic outside_dy
floodguard enable                
sysopt connection permit-ipsect1 auto 1:00:00 half-closed 0:
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Support address-pool Support
vpngroup Support dns-server 10.0.0.1 10.0.0.1
vpngroup Support wins-server 10.0.0.1 10.0.0.1
vpngroup Support default-domain jail
vpngroup Support split-tunnel Support_splitTunnelAcl
vpngroup Support idle-time 1800
vpngroup Support password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
username sds8828 password EyeLWAkMkzGJkPKP encrypted privilege 15
terminal width 80
Cryptochecksum:da8f09a77ce1d62a500004248573a368
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:fletchman
Comment Utility
Here is what I get when I do a show access-list:

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list Support_splitTunnelAcl; 1 elements
access-list Support_splitTunnelAcl line 1 permit ip any any (hitcnt=0)
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any 10.0.1.0 255.255.255.2
40 (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.0.1.0 255.255.255.2
40 (hitcnt=0)
access-list outside_in; 2 elements
access-list outside_in line 1 permit tcp any interface outside eq pcanywhere-dat
a (hitcnt=0)
access-list outside_in line 2 permit udp any interface outside eq pcanywhere-sta
tus (hitcnt=0)
0
 

Author Comment

by:fletchman
Comment Utility
The VPN does work.  Thank you so very much, but I'm still curious about that last statement of

access-list outside_in in interface outside

As you can see in the config, there seems to be an error with access-list outside_in.  Thank you again.
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
My bad...

access-group outside_in in interface outside
           ^^^
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now