
Adding VPN clients to a PIX 515E that already has PIX-to-PIX site VPNs

sithman17 asked on
Hello all,

I currently have a 515E that is connected to four other offices which have 501s. I am trying to add the ability for remote users to dial in with the Cisco VPN client to the 515E but have hit a wall. I've read similar posts and Cisco documents that state how to do this, but there seems to be a problem with my config somewhere and I can't see it. Anyone care to take a stab at it?

User Access Verification

Username: jsanchez
Password: ********
Type help or '?' for a list of available commands.
RocklinFW> en
Password: ********
RocklinFW# write term
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname RocklinFW
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 140 permit ip 192.168.254.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 150 permit ip 192.168.254.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 110 permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 192.168.254.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 130 permit ip 192.168.254.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip 192.168.254.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 192.168.254.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.254.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 permit ip 192.168.254.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 100 permit ip 192.168.4.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list 100 permit ip 192.168.254.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list 160 permit ip 192.168.254.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list smtp permit tcp any host 63.205.221.108 eq smtp
access-list smtp permit tcp any host 63.205.221.108 eq www
access-list smtp permit tcp any host 63.205.221.108 eq pop3
access-list smtp permit tcp any host 63.205.221.108 eq 3342
pager lines 24
logging on
logging timestamp
logging trap informational
logging history warnings
logging host inside 192.168.254.111
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 63.205.221.109 255.255.255.248
ip address inside 192.168.254.254 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remotepool 192.168.254.50-192.168.254.75
no pdm history enable
arp timeout 14400
global (outside) 1 63.205.221.106
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 63.205.221.108 192.168.254.13 netmask 255.255.255.255 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 63.205.221.109 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server Authorization protocol radius
aaa-server Authorization max-failed-attempts 3
aaa-server Authorization deadtime 10
aaa-server Authorization (inside) host 192.168.254.12 xxxxxxxxxx timeout 10
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside xxx.x.x.x
snmp-server location Rocklin HQ
snmp-server contact Jorge Sanchez
snmp-server community G@t3W@y
no snmp-server enable traps
tftp-server inside xxx.xxx.xxx.xxx  /cisco/pix
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ROCKLIN esp-des esp-md5-hmac
crypto dynamic-map linksys 1 set transform-set ROCKLIN
crypto dynamic-map RemoteUsers 120 set transform-set ROCKLIN
crypto map HQVPN 10 ipsec-isakmp
crypto map HQVPN 10 match address 110
crypto map HQVPN 10 set peer 207.231.95.78
crypto map HQVPN 10 set transform-set ROCKLIN
crypto map HQVPN 20 ipsec-isakmp
crypto map HQVPN 20 match address 120
crypto map HQVPN 20 set peer 64.169.228.2
crypto map HQVPN 20 set transform-set ROCKLIN
crypto map HQVPN 30 ipsec-isakmp
crypto map HQVPN 30 match address 130
crypto map HQVPN 30 set peer 63.198.31.130
crypto map HQVPN 30 set transform-set ROCKLIN
crypto map HQVPN 40 ipsec-isakmp
crypto map HQVPN 40 match address 140
crypto map HQVPN 40 set peer 67.118.59.226
crypto map HQVPN 40 set transform-set ROCKLIN
crypto map HQVPN 50 ipsec-isakmp
crypto map HQVPN 50 match address 150
crypto map HQVPN 50 set peer 71.129.214.65
crypto map HQVPN 50 set peer 71.134.82.194
crypto map HQVPN 50 set transform-set ROCKLIN
crypto map HQVPN 90 ipsec-isakmp dynamic RemoteUsers
crypto map HQVPN interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 67.118.59.226 netmask 255.255.255.255
isakmp key ******** address 69.226.79.221 netmask 255.255.255.255
isakmp key ******** address 207.231.95.78 netmask 255.255.255.255
isakmp key ******** address 64.169.228.2 netmask 255.255.255.255
isakmp key ******** address 63.198.31.130 netmask 255.255.255.255
isakmp key ******** address 71.134.82.194 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
vpngroup RemoteUsers address-pool remotepool
vpngroup RemoteUsers dns-server 192.168.254.13
vpngroup RemoteUsers default-domain internal.foothill.com
vpngroup RemoteUsers idle-time 3600
vpngroup RemoteUsers authentication-server Authorization
vpngroup RemoteUsers password ********
vpngroup no idle-time 1800
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 5
username earmstrong password xxxxxxxxxxxxxxxxxxx encrypted privilege 15
username jsanchez password xxxxxxxxxxxxxxxxxx encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 120
Cryptochecksum:3e3cd6e6b89da1f01ebd5dfcee4afffd

When I attempt to connect via the VPN client I receive "Reason 412: The remote peer is no longer responding."

Anyone have any ideas?
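The post does not say what a reader should look for first in a config like this, so here is an added example (not part of the original question, and not a Cisco tool) that parses a PIX 6.3 running-config and reports the handful of structural and cryptographic checks a reviewer would run before touching the tunnels: dynamic crypto-map ordering, peers that are reachable only through the wildcard pre-shared key, a VPN pool carved from the inside subnet and missing from the nat 0 exemption, a default route pointing at the firewall's own outside address, and an IKE policy limited to DES/MD5/group 1 (the Cisco VPN Client does not propose DH group 1). CONFIG is a constructed, abbreviated copy of the configuration posted above; parse(), lint() and the finding codes are hypothetical helpers, not PIX commands.

```python
"""Lint a PIX 6.3 running-config for settings that commonly break or weaken
remote-access IPsec alongside existing site-to-site tunnels.
Added example; CONFIG is a constructed excerpt of the posted configuration,
and parse()/lint() and the finding codes are hypothetical helpers."""
import ipaddress

CONFIG = """\
access-list 110 permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 150 permit ip 192.168.254.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 100 permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip 192.168.254.0 255.255.255.0 10.10.1.0 255.255.255.0
ip address outside 63.205.221.109 255.255.255.248
ip address inside 192.168.254.254 255.255.255.0
ip local pool remotepool 192.168.254.50-192.168.254.75
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 63.205.221.109 1
crypto map HQVPN 10 ipsec-isakmp
crypto map HQVPN 10 match address 110
crypto map HQVPN 10 set peer 207.231.95.78
crypto map HQVPN 50 ipsec-isakmp
crypto map HQVPN 50 match address 150
crypto map HQVPN 50 set peer 71.129.214.65
crypto map HQVPN 50 set peer 71.134.82.194
crypto map HQVPN 90 ipsec-isakmp dynamic RemoteUsers
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 207.231.95.78 netmask 255.255.255.255
isakmp key ******** address 71.134.82.194 netmask 255.255.255.255
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""


def parse(text):
    """Pull out only the statements the checks below need."""
    cfg = {"acl": {}, "map": {}, "keys": set(), "policy": {}, "pool": None,
           "nat0_acl": None, "ifaces": {}, "routes": []}
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "access-list":
            entries = cfg["acl"].setdefault(w[1], [])
            if w[2] == "permit" and w[3] == "ip" and len(w) >= 8:
                entries.append((w[4], w[5], w[6], w[7]))  # src, smask, dst, dmask
        elif w[:2] == ["crypto", "map"] and w[3].isdigit():
            e = cfg["map"].setdefault(int(w[3]), {"acl": None, "peers": [], "dynamic": None})
            if "dynamic" in w:
                e["dynamic"] = w[-1]
            elif w[4:6] == ["match", "address"]:
                e["acl"] = w[6]
            elif w[4:6] == ["set", "peer"]:
                e["peers"].append(w[6])
        elif w[:2] == ["isakmp", "key"]:
            cfg["keys"].add((w[4], w[6]))  # (peer address, netmask)
        elif w[:2] == ["isakmp", "policy"]:
            cfg["policy"].setdefault(w[2], {})[w[3]] = w[4]
        elif w[:3] == ["ip", "local", "pool"]:
            lo, hi = w[4].split("-")
            cfg["pool"] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif w[0] == "nat" and w[2] == "0" and w[3] == "access-list":
            cfg["nat0_acl"] = w[4]
        elif w[:2] == ["ip", "address"]:
            cfg["ifaces"][w[2]] = ipaddress.ip_interface(f"{w[3]}/{w[4]}")
        elif w[0] == "route":
            cfg["routes"].append((w[1], w[2], w[4]))  # iface, destination, gateway
    return cfg


def lint(cfg):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    f = []
    static = [s for s, e in cfg["map"].items() if not e["dynamic"]]
    for s, e in cfg["map"].items():
        if e["dynamic"]:  # entries are tried in sequence order; the catch-all must be last
            if any(s < x for x in static):
                f.append(("DYN_ORDER", f"dynamic entry seq {s} precedes a static peer entry"))
            continue
        if e["acl"] not in cfg["acl"]:
            f.append(("MISSING_ACL", f"seq {s} matches access-list {e['acl']}, which is not defined"))
        for p in e["peers"]:
            if (p, "255.255.255.255") not in cfg["keys"]:
                f.append(("NO_PEER_KEY", f"peer {p} (seq {s}) has no per-peer isakmp key"))
    if any(m == "0.0.0.0" for _, m in cfg["keys"]):
        f.append(("WILDCARD_PSK", "isakmp key for 0.0.0.0/0.0.0.0: one secret accepted from any source"))
    lo, hi = cfg["pool"]
    inside = cfg["ifaces"]["inside"].network
    if lo in inside or hi in inside:
        f.append(("POOL_OVERLAP", f"pool {lo}-{hi} is carved out of the inside subnet {inside}"))
    exempt = [ipaddress.ip_network(f"{d}/{m}") for _, _, d, m in cfg["acl"].get(cfg["nat0_acl"], [])]
    if not any(lo in n and hi in n for n in exempt):
        f.append(("POOL_NOT_NAT_EXEMPT", f"nat 0 access-list {cfg['nat0_acl']} has no entry covering the pool"))
    for iface, dst, gw in cfg["routes"]:
        own = cfg["ifaces"].get(iface)
        if dst == "0.0.0.0" and own and ipaddress.ip_address(gw) == own.ip:
            f.append(("ROUTE_SELF", f"default gateway {gw} is the {iface} interface itself; PIX will ARP for every destination"))
    weak = {"encryption": "des", "hash": "md5", "group": "1"}
    for seq, attrs in cfg["policy"].items():
        for k, bad in weak.items():
            if attrs.get(k) == bad:
                f.append(("WEAK_IKE", f"isakmp policy {seq} uses {k} {bad}"))
    if not any(a.get("group") == "2" for a in cfg["policy"].values()):
        f.append(("NO_GROUP2", "no isakmp policy offers DH group 2, the group the Cisco VPN Client proposes"))
    return f


if __name__ == "__main__":
    for code, msg in lint(parse(CONFIG)):
        print(f"{code:20} {msg}")
```

Run against the excerpt it reports one peer (71.129.214.65) that only the wildcard key can authenticate, the wildcard key itself, the pool overlapping the inside LAN and absent from access-list 100, the default route via the outside address, the three weak IKE attributes and the missing group 2 policy. The findings are observations to verify on the box, not a diagnosis of the 412; the NO_GROUP2 and POOL_NOT_NAT_EXEMPT codes are the two a remote-access rollout cannot proceed without addressing.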