Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Cisco IPSEC VPN on Pix 501 - IAS cannot auth to Exchange Server

Posted on 2006-03-20
5
Medium Priority
?
486 Views
Last Modified: 2008-03-04
I can connect to my VPN, it forces the XAUTH and lets me in when I enter user@mydomain.local.  
Problem is, I still have to authenticate when typing start, run \\servername but it lets me in.  
Big problem is when I open Outlook, try to authenticate using the same credentials and it will not let me.  Here is my config...
--------------------------
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxx encrypted
hostname xxxxxxxxxxx
domain-name xxx.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 3389
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 2525
access-list 101 permit tcp any any eq 3101
access-list 101 permit tcp any any eq 2505
access-list 120 permit ip 10.0.0.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list splittunnel permit ip 10.0.0.0 255.255.255.0 10.1.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.1.5.100-10.1.5.115
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.0.0.11 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet 10.0.0.11 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.0.0.13 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.0.0.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.0.0.13 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2525 10.0.0.13 2525 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2505 10.0.0.13 2505 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 10.0.0.12 xxxxxxxxxx timeout 5
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes esp-md5-hmac
crypto dynamic-map dynamic 10 set transform-set strong
crypto map vpn 20 ipsec-isakmp dynamic dynamic
crypto map vpn client authentication partnerauth
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup AvL-VPN address-pool vpnpool
vpngroup AvL-VPN dns-server 10.0.0.12
vpngroup AvL-VPN default-domain xxxxxx.local
vpngroup AvL-VPN split-tunnel splittunnel
vpngroup AvL-VPN split-dns xxxxxx.local
vpngroup AvL-VPN idle-time 28800
vpngroup AvL-VPN password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
0
Comment
Question by:tmostowy
  • 2
4 Comments
 
LVL 20

Expert Comment

by:calvinetter
ID: 16253670
The problem isn't with the PIX, this is an Outlook/Exchange issue.  Perhaps you're trying to use an older Outlook version that may not be correctly authenticating to Exchange? ie, Outlook 2000 trying to authenticate to an Exchange 2003 server?  

I'd highly suggest opening a question in the Exchange topic area:
  http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/

cheers
0
 

Author Comment

by:tmostowy
ID: 16253953
Strange, the issue was resolved when i made the workstation a domain member.  Then when I went remote, and logged onto my WS with the same username/pass as the domain, the authentication worked.  I think the problem is reolved.

Best, Todd
0
 

Author Comment

by:tmostowy
ID: 16848318
Yes.  Please close.  I cannot seem to find a way to close my own cases.
0
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 16876713
PAQed with points refunded (250)

CetusMOD
Community Support Moderator
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question