Solved

Cannot connect VPN client to PIX 506e

Posted on 2004-09-30
Last Modified: 2013-11-16
I have a PIX 506e that I am trying to connect to via Cisco VPN client, and it authenticates via Win2k RADIUS Server. I have the VPN client connect, and it prompts me to authenticate with username and password. I was able to get on until I made some changes to a couple of ACLs to try to allow me access to the whole network. They were changes that I had just made to another PIX 506e, which worked fine, but it only has one VPN policy. I have two VPN policies. One is more restrictive, but I'm wondering if the more restrictive one is limiting me. Following I will include the PIX config and VPN client log. Here is my config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password kvNRvZvBoWInG7i5 encrypted
passwd kvNRvZvBoWInG7i5 encrypted
hostname tcf
domain-name rose.net
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list tcfsl_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip any 10.65.32.0 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 10.65.31.0 255.255.255.192 10.65.33.0 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 10.65.32.0 255.255.255.240
access-list rumbles_splitTunnelAcl permit ip 10.65.31.0 255.255.255.192 any
access-list outside_cryptomap_dyn_40 permit ip 10.65.31.0 255.255.255.192 10.65.33.0 255.255.255.240
pager lines 24
logging console warnings
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.65.31.8 255.255.255.192
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool tcfsl 10.65.32.2-10.65.32.10
ip local pool rumbles 10.65.33.2-10.65.33.10
pdm location 10.65.31.0 255.255.255.255 inside
pdm location 10.65.31.255 255.255.255.255 inside
pdm location 10.65.31.0 255.255.255.0 inside
pdm location 64.39.130.86 255.255.255.255 outside
pdm location 10.65.31.6 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.65.31.6 7cF51 timeout 10
aaa-server LOCAL protocol local
aaa-server vpn protocol radius
aaa-server vpn (inside) host 10.65.31.6 7cF51 timeout 10
http server enable
http 10.65.31.0 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication vpn
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup tcfsl address-pool tcfsl
vpngroup tcfsl dns-server 10.65.31.6
vpngroup tcfsl default-domain tcfb_branch00.local
vpngroup tcfsl split-tunnel tcfsl_splitTunnelAcl
vpngroup tcfsl idle-time 1800
vpngroup tcfsl password ********
vpngroup rumbles address-pool rumbles
vpngroup rumbles dns-server 10.65.31.6
vpngroup rumbles default-domain tcfb_branch00.local
vpngroup rumbles split-tunnel rumbles_splitTunnelAcl
vpngroup rumbles idle-time 1800
vpngroup rumbles password ********
telnet 64.39.130.86 255.255.255.255 outside
telnet 10.65.31.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.65.31.9-10.65.31.62 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:4faace7441cf97cf913188c68a2fa5d4
: end
tcf(config)#


Here is my log:

Cisco Systems VPN Client Version 4.0.1 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600

1      07:13:32.539  09/30/04  Sev=Info/4      CM/0x63100002
Begin connection process

2      07:13:32.569  09/30/04  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

3      07:13:32.569  09/30/04  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

4      07:13:32.579  09/30/04  Sev=Info/4      CM/0x63100024
Attempt connection with server "64.39.130.223"

5      07:13:33.581  09/30/04  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 64.39.130.223.

6      07:13:33.651  09/30/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 64.39.130.223

7      07:13:33.651  09/30/04  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

8      07:13:33.651  09/30/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

9      07:13:33.841  09/30/04  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 64.39.130.223

10     07:13:33.841  09/30/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from 64.39.130.223

11     07:13:33.841  09/30/04  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

12     07:13:33.841  09/30/04  Sev=Info/5      IKE/0x63000001
Peer supports DPD

13     07:13:33.841  09/30/04  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

14     07:13:33.841  09/30/04  Sev=Info/5      IKE/0x63000081
Received IOS Vendor ID with unknown capabilities flag 0x00000025

15     07:13:33.851  09/30/04  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

16     07:13:33.851  09/30/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 64.39.130.223

17     07:13:33.851  09/30/04  Sev=Info/4      IKE/0x63000082
IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4

18     07:13:33.871  09/30/04  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 64.39.130.223

19     07:13:33.871  09/30/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 64.39.130.223

20     07:13:33.871  09/30/04  Sev=Info/5      IKE/0x63000044
RESPONDER-LIFETIME notify has value of 86400 seconds

21     07:13:33.871  09/30/04  Sev=Info/5      IKE/0x63000046
This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now

22     07:13:33.881  09/30/04  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 64.39.130.223

23     07:13:33.881  09/30/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 64.39.130.223

24     07:13:33.881  09/30/04  Sev=Info/4      CM/0x63100015
Launch xAuth application

25     07:13:38.348  09/30/04  Sev=Info/4      CM/0x63100017
xAuth application returned

26     07:13:38.348  09/30/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 64.39.130.223

27     07:13:38.388  09/30/04  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 64.39.130.223

28     07:13:38.388  09/30/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 64.39.130.223

29     07:13:38.388  09/30/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 64.39.130.223

30     07:13:38.388  09/30/04  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Phase 1 SA in the system

31     07:13:38.528  09/30/04  Sev=Info/5      IKE/0x6300005D
Client sending a firewall request to concentrator

32     07:13:38.528  09/30/04  Sev=Info/5      IKE/0x6300005C
Firewall Policy: Product=Cisco Systems Integrated Client, Capability= (Centralized Protection Policy).

33     07:13:38.528  09/30/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 64.39.130.223

34     07:13:38.548  09/30/04  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 64.39.130.223

35     07:13:38.548  09/30/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 64.39.130.223

36     07:13:38.548  09/30/04  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.65.33.2

37     07:13:38.548  09/30/04  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 10.65.31.6

38     07:13:38.548  09/30/04  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = tcfb_branch00.local

39     07:13:38.548  09/30/04  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

40     07:13:38.548  09/30/04  Sev=Info/5      IKE/0x6300000F
SPLIT_NET #1
      subnet = 10.65.31.0
      mask = 255.255.255.192
      protocol = 0
      src port = 0
      dest port=0

41     07:13:38.548  09/30/04  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

42     07:13:38.548  09/30/04  Sev=Info/4      CM/0x63100019
Mode Config data received

43     07:13:38.558  09/30/04  Sev=Info/4      IKE/0x63000055
Received a key request from Driver: Local IP = 10.65.33.2, GW IP = 64.39.130.223, Remote IP = 0.0.0.0

44     07:13:38.558  09/30/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 64.39.130.223

45     07:13:38.588  09/30/04  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 64.39.130.223

46     07:13:38.588  09/30/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 64.39.130.223

47     07:13:38.588  09/30/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 64.39.130.223

48     07:13:38.588  09/30/04  Sev=Info/4      IKE/0x63000048
Discarding IPsec SA negotiation, MsgID=47B886ED

49     07:13:38.588  09/30/04  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=D214D8FDE8E17DDC R_Cookie=744E460417539515) reason = DEL_REASON_IKE_NEG_FAILED

50     07:13:38.838  09/30/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

51     07:13:41.823  09/30/04  Sev=Info/4      IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=D214D8FDE8E17DDC R_Cookie=744E460417539515) reason = DEL_REASON_IKE_NEG_FAILED

52     07:13:41.823  09/30/04  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Phase 1 SA currently in the system

53     07:13:41.823  09/30/04  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

54     07:13:41.823  09/30/04  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

55     07:13:41.823  09/30/04  Sev=Info/4      IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

56     07:13:42.323  09/30/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

57     07:13:42.323  09/30/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

58     07:13:42.323  09/30/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

59     07:13:42.323  09/30/04  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

Question by:fletchman
6 Comments
 
LVL 79

Accepted Solution

by: lrmoore earned 500 total points
ID: 12189517
Which one did you change, rumbles or tcfsl ?

Given:
>  ip local pool tcfsl 10.65.32.2-10.65.32.10
>  ip local pool rumbles 10.65.33.2-10.65.33.10

If you want to use them both, you need, instead of this:
>  access-list inside_outbound_nat0_acl permit ip any 10.65.32.0 255.255.255.240
>  access-list inside_outbound_nat0_acl permit ip 10.65.31.0 255.255.255.192 10.65.33.0 255.255.255.240

You need this:
   access-list inside_outbound_nat0_acl permit ip 10.65.31.0 255.255.255.192 10.65.32.0 255.255.255.240
   access-list inside_outbound_nat0_acl permit ip 10.65.31.0 255.255.255.192 10.65.33.0 255.255.255.240

I would change these:
>  access-list outside_cryptomap_dyn_20 permit ip any 10.65.32.0 255.255.255.240
>  access-list outside_cryptomap_dyn_40 permit ip 10.65.31.0 255.255.255.192 10.65.33.0 255.255.255.240

To this:
  access-list outside_cryptomap_dyn_20 permit ip 10.65.31.0 255.255.255.192 10.65.32.0 255.255.255.240
  access-list outside_cryptomap_dyn_40 permit ip 10.65.31.0 255.255.255.192 10.65.33.0 255.255.255.240

Your split-tunnel ACLs are where you make a difference in control, or in the nat0 ACL. What is your desired goal, and what is broken at this point?
 
LVL 79

Expert Comment

by:lrmoore
ID: 12189524
Also, what OS is your client? XP? Did you install SP2? If yes, you will need to upgrade your VPN client to 4.05 or 4.6
 

Author Comment

by:fletchman
ID: 12190768
My desired goal is to allow the IT people to have full access to all PCs for VNC, and to let other people only have access to the server for running apps and accessing data. I downloaded SP2 for my XP machine before loading the VPN client 4.01. I haven't had any problems with it so far. Where can I get the latest client?
 
LVL 79

Expert Comment

by:lrmoore
ID: 12190818
You can download the latest client from Cisco's web site, but you need a CCO login.
 

Author Comment

by:fletchman
ID: 12191193
What should I change in the split-tunnel or nat0 to limit two different groups of people?  Or can you point me towards some documentation on this?  Thanks.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12191425
Assuming that "rumbles" is your IT group and "tcfsl" is the restricted group:

You can restrict your nat 0 ACL:
The first line will only allow the VPN group tcfsl access to one host. Change the host IP to whatever is appropriate.
The second line provides full access to the whole network for your rumbles VPN group.

   access-list inside_outbound_nat0_acl permit ip host 10.65.31.100 255.255.255.192 10.65.32.0 255.255.255.240
   access-list inside_outbound_nat0_acl permit ip 10.65.31.0 255.255.255.192 10.65.33.0 255.255.255.240

The split-tunnel acl is pretty much the same:
  >access-list tcfsl_splitTunnelAcl permit ip any any
  >access-list rumbles_splitTunnelAcl permit ip 10.65.31.0 255.255.255.192 any

Could be:
    access-list tcfsl_splitTunnelAcl permit ip host 10.65.31.100 10.65.32.0 255.255.255.240
    access-list rumbles_splitTunnelAcl permit ip 10.65.31.0 255.255.255.192 10.65.33.0 255.255.255.240

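An added check, written for this thread and not code from the question, the answers or Cisco: it parses the nat0 and dynamic-crypto-map ACLs as they stood in the question, confirms that each VPN pool's LAN-to-pool flow is permitted by both ACLs, and flags entries whose inside source is `any`, which is what the accepted solution replaces with the LAN subnet and what the last comment narrows further per group. It assumes the pool ranges and ACL names from the config above and understands only `permit|deny ip SRC DST` entries (the `any`, `host A` and `A MASK` address forms).

```python
import ipaddress

# Constructed sample from the thread: inside LAN, the two client pools and the nat0 /
# dynamic-crypto-map ACLs exactly as they stood in the question (not the full config).
INSIDE_LAN = "10.65.31.0/255.255.255.192"
POOLS = {"tcfsl": "10.65.32.2-10.65.32.10", "rumbles": "10.65.33.2-10.65.33.10"}
CRYPTO_ACL = {"tcfsl": "outside_cryptomap_dyn_20", "rumbles": "outside_cryptomap_dyn_40"}
CONFIG = """
access-list inside_outbound_nat0_acl permit ip any 10.65.32.0 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 10.65.31.0 255.255.255.192 10.65.33.0 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 10.65.32.0 255.255.255.240
access-list outside_cryptomap_dyn_40 permit ip 10.65.31.0 255.255.255.192 10.65.33.0 255.255.255.240
"""

def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host A' or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acls(text):
    """Group 'access-list NAME permit|deny ip SRC DST' lines by ACL name."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue
        rest = t[4:]
        acls.setdefault(t[1], []).append((t[2], _addr(rest), _addr(rest)))
    return acls

def match(entries, src_ip, dst_ip):
    """First matching entry wins, as on the PIX; returns the entry or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((e for e in entries if s in e[1] and d in e[2]), None)

def audit_group(acls, group):
    """Do nat0 and the group's crypto ACL permit LAN -> pool, and does the matching
    entry use 'any' as the inside source (too broad to restrict a group, per the answers)?"""
    lan_host = str(ipaddress.ip_network(INSIDE_LAN).network_address + 1)
    client = POOLS[group].split("-")[0]  # first address handed out from the pool
    report = {}
    for label, name in (("nat0", "inside_outbound_nat0_acl"), ("crypto", CRYPTO_ACL[group])):
        hit = match(acls.get(name, []), lan_host, client)
        report[label] = hit is not None and hit[0] == "permit"
        report[label + "_any_src"] = hit is not None and hit[1].prefixlen == 0
    return report
```

Running `audit_group(parse_acls(CONFIG), "tcfsl")` flags both ACLs for the tcfsl group as using an `any` source, while the rumbles group's entries already use the LAN subnet; re-running on the config with `permit ip any` replaced by the LAN subnet clears the flags.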
