  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 439

Initiate IPSec VPN connection with PIX 506e which is behind a Cisco 1751 perimeter router.

I have a DSL connection with one Public IP address. I have traffic flowing both ways and have my static VPN tunnel up and working. The only thing that I cannot do is to initiate a VPN session using my Cisco VPN client version 4.6.02.0011 from outside in to the PIX. The client keeps trying to establish a secure session and ultimately times out. I know that the problem is in the router but I will post the config for both the router and the PIX for comparison.

Router Config:

version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco1751
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
no logging console
enable secret 5 $1$04TY$IqP70rW0itP0p.qCApz.S/
!
username xxxx password 7 06140A255E5B044A54434A595F547F73
memory-size iomem 25
clock timezone CST -5
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login local_auth local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
!
!
no ip domain lookup
ip domain name hargisgroup.com
no ip bootp server
ip cef
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 30
ip inspect name autosec_inspect tcp timeout 3600
ip inspect name autosec_inspect h323 timeout 3600
ip inspect name autosec_inspect netshow timeout 3600
ip inspect name autosec_inspect rtsp timeout 3600
ip inspect name autosec_inspect sqlnet timeout 3600
ip inspect name autosec_inspect streamworks timeout 3600
ip inspect name autosec_inspect vdolive timeout 3600
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
login block-for 60 attempts 5 within 30
no ftp-server write-enable
!
!
!
!
!
!
bridge irb
!
!
interface ATM0/0
 no ip address
 ip verify unicast source reachable-via rx allow-default 101
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip inspect autosec_inspect out
 no atm ilmi-keepalive
 dsl operating-mode ansi-dmt
 bridge-group 1
 pvc 8/35
  encapsulation aal5snap
 !
!
interface FastEthernet0/0
 ip address 192.168.70.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
 no cdp enable
!
interface Ethernet1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 shutdown
 half-duplex
 no cdp enable
!
interface BVI1
 mac-address 0000.0c71.d824
 ip address 65.41.XXX.XXX 255.255.255.128
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
!
ip classless
ip route 0.0.0.0 0.0.0.0 65.41.203.129
ip route 192.168.1.0 255.255.255.0 FastEthernet0/0
no ip http server
no ip http secure-server
ip nat pool hargisnat 192.168.70.1 192.168.70.254 netmask 255.255.255.0
ip nat inside source list 1 interface BVI1 overload
!
!
!
ip access-list extended autosec_complete_bogon
 deny   ip 1.0.0.0 0.255.255.255 any
 deny   ip 2.0.0.0 0.255.255.255 any
 deny   ip 5.0.0.0 0.255.255.255 any
 deny   ip 7.0.0.0 0.255.255.255 any
 deny   ip 23.0.0.0 0.255.255.255 any
 deny   ip 27.0.0.0 0.255.255.255 any
 deny   ip 31.0.0.0 0.255.255.255 any
 deny   ip 36.0.0.0 0.255.255.255 any
 deny   ip 37.0.0.0 0.255.255.255 any
 deny   ip 39.0.0.0 0.255.255.255 any
 deny   ip 41.0.0.0 0.255.255.255 any
 deny   ip 42.0.0.0 0.255.255.255 any
 deny   ip 49.0.0.0 0.255.255.255 any
 deny   ip 50.0.0.0 0.255.255.255 any
 deny   ip 58.0.0.0 0.255.255.255 any
 deny   ip 59.0.0.0 0.255.255.255 any
 deny   ip 60.0.0.0 0.255.255.255 any
 deny   ip 70.0.0.0 0.255.255.255 any
 deny   ip 71.0.0.0 0.255.255.255 any
 deny   ip 72.0.0.0 0.255.255.255 any
 deny   ip 73.0.0.0 0.255.255.255 any
 deny   ip 74.0.0.0 0.255.255.255 any
 deny   ip 75.0.0.0 0.255.255.255 any
 deny   ip 76.0.0.0 0.255.255.255 any
 deny   ip 77.0.0.0 0.255.255.255 any
 deny   ip 78.0.0.0 0.255.255.255 any
 deny   ip 79.0.0.0 0.255.255.255 any
 deny   ip 83.0.0.0 0.255.255.255 any
 deny   ip 84.0.0.0 0.255.255.255 any
 deny   ip 85.0.0.0 0.255.255.255 any
 deny   ip 86.0.0.0 0.255.255.255 any
 deny   ip 87.0.0.0 0.255.255.255 any
 deny   ip 88.0.0.0 0.255.255.255 any
 deny   ip 89.0.0.0 0.255.255.255 any
 deny   ip 90.0.0.0 0.255.255.255 any
 deny   ip 91.0.0.0 0.255.255.255 any
 deny   ip 92.0.0.0 0.255.255.255 any
 deny   ip 93.0.0.0 0.255.255.255 any
 deny   ip 94.0.0.0 0.255.255.255 any
 deny   ip 95.0.0.0 0.255.255.255 any
 deny   ip 96.0.0.0 0.255.255.255 any
 deny   ip 97.0.0.0 0.255.255.255 any
 deny   ip 98.0.0.0 0.255.255.255 any
 deny   ip 99.0.0.0 0.255.255.255 any
 deny   ip 100.0.0.0 0.255.255.255 any
 deny   ip 101.0.0.0 0.255.255.255 any
 deny   ip 102.0.0.0 0.255.255.255 any
 deny   ip 103.0.0.0 0.255.255.255 any
 deny   ip 104.0.0.0 0.255.255.255 any
 deny   ip 105.0.0.0 0.255.255.255 any
 deny   ip 106.0.0.0 0.255.255.255 any
 deny   ip 107.0.0.0 0.255.255.255 any
 deny   ip 108.0.0.0 0.255.255.255 any
 deny   ip 109.0.0.0 0.255.255.255 any
 deny   ip 110.0.0.0 0.255.255.255 any
 deny   ip 111.0.0.0 0.255.255.255 any
 deny   ip 112.0.0.0 0.255.255.255 any
 deny   ip 113.0.0.0 0.255.255.255 any
 deny   ip 114.0.0.0 0.255.255.255 any
 deny   ip 115.0.0.0 0.255.255.255 any
 deny   ip 116.0.0.0 0.255.255.255 any
 deny   ip 117.0.0.0 0.255.255.255 any
 deny   ip 118.0.0.0 0.255.255.255 any
 deny   ip 119.0.0.0 0.255.255.255 any
 deny   ip 120.0.0.0 0.255.255.255 any
 deny   ip 121.0.0.0 0.255.255.255 any
 deny   ip 122.0.0.0 0.255.255.255 any
 deny   ip 123.0.0.0 0.255.255.255 any
 deny   ip 124.0.0.0 0.255.255.255 any
 deny   ip 125.0.0.0 0.255.255.255 any
 deny   ip 126.0.0.0 0.255.255.255 any
 deny   ip 197.0.0.0 0.255.255.255 any
 deny   ip 201.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 240.0.0.0 15.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
 remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for updt
 remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for updt
 remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for updt
 remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for updt
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny   ip any any
ip access-list extended autosec_iana_reserved_block
 deny   ip 1.0.0.0 0.255.255.255 any
 deny   ip 2.0.0.0 0.255.255.255 any
 deny   ip 5.0.0.0 0.255.255.255 any
 deny   ip 7.0.0.0 0.255.255.255 any
 deny   ip 23.0.0.0 0.255.255.255 any
 deny   ip 27.0.0.0 0.255.255.255 any
 deny   ip 31.0.0.0 0.255.255.255 any
 deny   ip 36.0.0.0 0.255.255.255 any
 deny   ip 37.0.0.0 0.255.255.255 any
 deny   ip 39.0.0.0 0.255.255.255 any
 deny   ip 41.0.0.0 0.255.255.255 any
 deny   ip 42.0.0.0 0.255.255.255 any
 deny   ip 49.0.0.0 0.255.255.255 any
 deny   ip 50.0.0.0 0.255.255.255 any
 deny   ip 58.0.0.0 0.255.255.255 any
 deny   ip 59.0.0.0 0.255.255.255 any
 deny   ip 60.0.0.0 0.255.255.255 any
 deny   ip 70.0.0.0 0.255.255.255 any
 deny   ip 71.0.0.0 0.255.255.255 any
 deny   ip 72.0.0.0 0.255.255.255 any
 deny   ip 73.0.0.0 0.255.255.255 any
 deny   ip 74.0.0.0 0.255.255.255 any
 deny   ip 75.0.0.0 0.255.255.255 any
 deny   ip 76.0.0.0 0.255.255.255 any
 deny   ip 77.0.0.0 0.255.255.255 any
 deny   ip 78.0.0.0 0.255.255.255 any
 deny   ip 79.0.0.0 0.255.255.255 any
 deny   ip 83.0.0.0 0.255.255.255 any
 deny   ip 84.0.0.0 0.255.255.255 any
 deny   ip 85.0.0.0 0.255.255.255 any
 deny   ip 86.0.0.0 0.255.255.255 any
 deny   ip 87.0.0.0 0.255.255.255 any
 deny   ip 88.0.0.0 0.255.255.255 any
 deny   ip 89.0.0.0 0.255.255.255 any
 deny   ip 90.0.0.0 0.255.255.255 any
 deny   ip 91.0.0.0 0.255.255.255 any
 deny   ip 92.0.0.0 0.255.255.255 any
 deny   ip 93.0.0.0 0.255.255.255 any
 deny   ip 94.0.0.0 0.255.255.255 any
 deny   ip 95.0.0.0 0.255.255.255 any
 deny   ip 96.0.0.0 0.255.255.255 any
 deny   ip 97.0.0.0 0.255.255.255 any
 deny   ip 98.0.0.0 0.255.255.255 any
 deny   ip 99.0.0.0 0.255.255.255 any
 deny   ip 100.0.0.0 0.255.255.255 any
 deny   ip 101.0.0.0 0.255.255.255 any
 deny   ip 102.0.0.0 0.255.255.255 any
 deny   ip 103.0.0.0 0.255.255.255 any
 deny   ip 104.0.0.0 0.255.255.255 any
 deny   ip 105.0.0.0 0.255.255.255 any
 deny   ip 106.0.0.0 0.255.255.255 any
 deny   ip 107.0.0.0 0.255.255.255 any
 deny   ip 108.0.0.0 0.255.255.255 any
 deny   ip 109.0.0.0 0.255.255.255 any
 deny   ip 110.0.0.0 0.255.255.255 any
 deny   ip 111.0.0.0 0.255.255.255 any
 deny   ip 112.0.0.0 0.255.255.255 any
 deny   ip 113.0.0.0 0.255.255.255 any
 deny   ip 114.0.0.0 0.255.255.255 any
 deny   ip 115.0.0.0 0.255.255.255 any
 deny   ip 116.0.0.0 0.255.255.255 any
 deny   ip 117.0.0.0 0.255.255.255 any
 deny   ip 118.0.0.0 0.255.255.255 any
 deny   ip 119.0.0.0 0.255.255.255 any
 deny   ip 120.0.0.0 0.255.255.255 any
 deny   ip 121.0.0.0 0.255.255.255 any
 deny   ip 122.0.0.0 0.255.255.255 any
 deny   ip 123.0.0.0 0.255.255.255 any
 deny   ip 124.0.0.0 0.255.255.255 any
 deny   ip 125.0.0.0 0.255.255.255 any
 deny   ip 126.0.0.0 0.255.255.255 any
 deny   ip 197.0.0.0 0.255.255.255 any
 deny   ip 201.0.0.0 0.255.255.255 any
 permit ip any any
 remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for updt
 remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for updt
 remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for updt
 remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for updt
ip access-list extended autosec_private_block
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
logging facility local2
logging 192.168.1.4
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 100 permit udp any any eq bootpc
access-list 101 permit udp any any eq bootpc
access-list 102 deny   icmp any any
access-list 102 deny   icmp any any redirect
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
bridge 1 protocol dec
bridge 1 route ip
banner motd ^CAuthorised Access only
  This system is the property of XXXX
  UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged and violations of of this policy result
  in disciplinary action.^C
!
line con 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line aux 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 password 7 134437514F493A6C
 login authentication local_auth
 transport input ssh
!
scheduler allocate 4000 1000
ntp clock-period 17179880
ntp server 192.5.41.41 source BVI1
ntp server 192.5.41.40 source BVI1 prefer
ntp server 18.26.4.105 source BVI1
end


PIX Config:

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password v914w4bB4kaU0ypy encrypted
passwd OZk0LVfY42vMqD6A encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.4 Athlon
access-list PROTECT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 deny icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 permit udp any eq domain any
pager lines 24
logging on
logging timestamp
logging trap warnings
logging history warnings
logging host inside Athlon format emblem
icmp permit host 12.19.XXX.XXX outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.70.254 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool hargispool 192.168.50.1-192.168.50.254
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 192.168.50.0 255.255.255.0 outside
pdm location Athlon 255.255.255.255 inside
pdm location 12.XXX.XXX.XXX 255.255.255.255 outside
pdm location 12.XXX.XXX.XXX 255.255.255.255 outside
pdm location 10.1.0.0 255.255.0.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.70.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
ntp authenticate
ntp server 192.5.41.41 source outside prefer
ntp server 192.5.41.40 source outside
ntp server 198.60.22.240 source outside
ntp server 128.10.252.7 source outside
http server enable
http 12.19.145.135 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http Athlon 255.255.255.255 inside
snmp-server host inside Athlon
snmp-server location XXXXX
snmp-server contact XXXXX
snmp-server community xxxxx
no snmp-server enable traps
tftp-server inside Athlon /
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 20 set pfs group2
crypto dynamic-map map2 20 set transform-set ESP-AES-256-SHA
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address PROTECT
crypto map map1 10 set pfs group2
crypto map map1 10 set peer 69.245.xxx.xxx
crypto map map1 10 set transform-set ESP-AES-256-SHA
crypto map map1 20 ipsec-isakmp dynamic map2
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address 69.245.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 20 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 11 authentication rsa-sig
isakmp policy 11 encryption des
isakmp policy 11 hash sha
isakmp policy 11 group 1
isakmp policy 11 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup hargisvpn address-pool hargispool
vpngroup hargisvpn split-tunnel 102
vpngroup hargisvpn pfs
vpngroup hargisvpn idle-time 1800
vpngroup hargisvpn password ********
telnet Athlon 255.255.255.255 inside
telnet timeout 15
ssh 12.19.XXX.XXX 255.255.255.255 outside
ssh timeout 10
management-access inside
console timeout 30
dhcpd address 192.168.1.100-192.168.1.254 inside
dhcpd dns 4.2.2.2 4.2.2.3
dhcpd lease 21600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username XXXX password ZKvuR/E4cb5TutkE encrypted privilege 15
terminal width 80
banner exec Enter your password carefully
banner login Enter your password to log in
banner motd Authorized Access only
banner motd   This system is the property of XXXX.
banner motd   UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
banner motd   You must have explicit permission to access this
banner motd   device. All activities performed on this device
banner motd   are logged. Any violations of access policy will result
banner motd   in disciplinary action.
Cryptochecksum:a007e17b2f2f2daa176e30e05a12e108
: end

The Network layout is this:

INTERNET ---> Perimeter Router ---> PIX ---> LAN

I have already tried several things so far but with no luck. I would greatly appreciate your help.

Asked by: n9xrg
1 Solution
 
lrmoore commented:
Try adding a new isakmp policy 15, using group 5 instead of 2

isakmp policy 15 authentication pre-share
isakmp policy 15 encryption aes-256
isakmp policy 15 hash sha
isakmp policy 15 group 5
isakmp policy 15 lifetime 86400

I don't see any static NAT on your router that would push the public IP over to the PIX. You have a private IP on the outside interface of the PIX. I don't see how your static VPN tunnel could be working.
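The missing static NAT that lrmoore's solution points out can be checked mechanically rather than by eye. The script below is an added example for this thread, not code from either poster or from Cisco. It takes a constructed excerpt of the router config posted above (the BVI1 interface, the NAT overload line and access-list 102), looks for `ip nat inside source static` entries that forward IKE (UDP/500), IKE NAT-Traversal (UDP/4500, which the PIX's `isakmp nat-traversal 20` line will make the client use) and ESP (IP protocol 50) to the PIX outside address 192.168.70.254, and confirms that the ACL applied inbound on the `ip nat outside` interface lets those flows through. The three static PAT lines in the second excerpt are an assumed, illustrative fix of the kind the answer refers to; nobody in the thread posted them.

```python
"""Audit an IOS router config for the static NAT and ACL entries an IPsec
VPN client needs when the VPN gateway (here the PIX) sits behind a PAT router.

Added example for this thread; not code from the original posters or Cisco.
"""
import re

# Flows the VPN client must be able to send to the PIX outside address:
# IKE (UDP/500), IKE NAT-Traversal (UDP/4500) and ESP (IP protocol 50, no port).
REQUIRED_FLOWS = (("udp", "500"), ("udp", "4500"), ("esp", None))

# Constructed excerpt of the router config posted in the question:
# NAT overload on BVI1, no static entries, ACL 102 applied inbound.
ROUTER_CONFIG_AS_POSTED = """\
interface BVI1
 ip address 65.41.XXX.XXX 255.255.255.128
 ip access-group 102 in
 ip nat outside
!
ip nat inside source list 1 interface BVI1 overload
access-list 102 deny   icmp any any
access-list 102 deny   icmp any any redirect
access-list 102 permit ip any any
"""

# Same excerpt plus the static PAT entries lrmoore's answer points at.
# ASSUMPTION: these three lines are an illustrative fix, not from the thread;
# 192.168.70.254 is the PIX outside address from the posted PIX config.
ROUTER_CONFIG_WITH_STATIC_NAT = ROUTER_CONFIG_AS_POSTED + """\
ip nat inside source static udp 192.168.70.254 500 interface BVI1 500
ip nat inside source static udp 192.168.70.254 4500 interface BVI1 4500
ip nat inside source static esp 192.168.70.254 interface BVI1
"""

# Matches both the port-based form (udp/tcp <host> <port> interface <if> <port>)
# and the port-less ESP form (esp <host> interface <if>).
STATIC_RE = re.compile(
    r"^ip nat inside source static (?P<proto>udp|tcp|esp) (?P<host>\S+)"
    r"(?: (?P<port>\d+))? interface (?P<intf>\S+)(?: (?P<gport>\d+))?\s*$"
)


def static_nat_targets(config):
    """Map (proto, outside_port) -> inside host for every static NAT line."""
    targets = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            targets[(m["proto"], m["gport"])] = m["host"]
    return targets


def outside_inbound_acl(config):
    """ACL number/name applied inbound on the 'ip nat outside' interface, or None."""
    current, inbound_acl, outside_intf = None, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = line.split()[1]
        elif current and line == "ip nat outside":
            outside_intf = current
        elif current and line.startswith("ip access-group ") and line.endswith(" in"):
            inbound_acl[current] = line.split()[2]
        elif line == "!":
            current = None
    return inbound_acl.get(outside_intf)


def acl_permits(config, acl_id, proto, port):
    """First-match evaluation of numbered 'access-list <id> permit|deny <proto>
    any any [eq <port>]' entries, with the implicit deny at the end as on IOS."""
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[:2] != ["access-list", acl_id]:
            continue
        action, ace_proto, rest = parts[2], parts[3], parts[6:]
        if ace_proto not in ("ip", proto):
            continue
        if "eq" in rest and (port is None or rest[rest.index("eq") + 1] != port):
            continue
        return action == "permit"
    return False  # implicit deny


def audit(config):
    """Return {(proto, port): (forwarded_to_host_or_None, acl_permits_bool)}."""
    nat = static_nat_targets(config)
    acl_id = outside_inbound_acl(config)
    report = {}
    for proto, port in REQUIRED_FLOWS:
        permitted = acl_permits(config, acl_id, proto, port) if acl_id else True
        report[(proto, port)] = (nat.get((proto, port)), permitted)
    return report


def missing_flows(config):
    """Flows that are either not forwarded to an inside host or blocked by the ACL."""
    return [flow for flow, (host, ok) in audit(config).items() if host is None or not ok]


if __name__ == "__main__":
    for name, cfg in (("as posted", ROUTER_CONFIG_AS_POSTED),
                      ("with static NAT", ROUTER_CONFIG_WITH_STATIC_NAT)):
        print(name, "->", "OK" if not missing_flows(cfg) else missing_flows(cfg))
```

Run against the posted excerpt, every one of the three flows is reported missing: the overload entry only builds translations for sessions the PIX initiates outbound, so an IKE packet arriving from the Internet at the BVI1 address has no translation to follow and is dropped by the router, which is exactly the client "trying to establish a secure session" and timing out. With the static entries present, all three flows map to 192.168.70.254 and ACL 102's final `permit ip any any` lets them in.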
n9xrg (Author) commented:
The static VPN is up and functioning. The only thing with doing the above, from what I can see, is that unless something has changed with the Cisco VPN client, I am operating with the understanding that it did not support group 5. If it does then that would be great. As far as the reason for the private IP on the outside interface of the PIX, I set up the configuration for a perimeter router from the Cisco example. I did have a monster of a hard time trying to bridge the DSL outside address to the outside interface of the PIX. If you have any ideas let me know. That would solve the whole problem.

Thanks
lrmoore commented:
Sorry to leave you hanging. Any luck with this yet?
Any progress? Still need help?
lrmoore commented:
Are you still working on this?
Have you found a solution?
Do you need more information?

This question will be classified as abandoned soon if we don't get some feedback from you.

Can you close out this question? See here for details:
http://www.experts-exchange.com/help.jsp#hs5

Thanks for your attention!