Solved

PIX 525 VPN Configuration

Posted on 2006-04-10
Last Modified: 2013-11-16
I am new to configuring VPNs and would like some guidance on setting up VPN connectivity on our Pix 525.
I have been reading through many of the questions that have been posted here and the Cisco documentation, but have been left feeling very dazed and confused.

Let me summarize our configuration to start with.
The Pix is running version 7.1(1).
There are 6 Ethernet and 2 GigabitEthernet interfaces.
One of the Ethernet interfaces is configured as a failover interface.
All of the interfaces are currently configured with a subnet on each.
One of the Gigabit interfaces is the outside interface.

I have read a couple of questions regarding setting up a separate subnet for the address pool for the VPN clients. Is this an option without having a physical interface available for the subnet? If not, how should I configure the pool(s) to have a different tunnel group for each of our internal interfaces?


Question by:cukwm27
13 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 16421495
>I have read a couple of questions regarding setting up a separate subnet for the address pool for the VPN clients. Is this an option without having a physical interface available for the subnet?
Absolutely! I highly suggest using a separate IP subnet for the VPN client pool.

Use the VPN wizard in the ASDM interface and it'll walk you through step by step.
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16421526
You should be able to use virtual interfaces or subinterfaces with no additional physical interface.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16421564
Local pools are just that - local to the PIX. No need for anything else like sub-ifs or virtual interfaces. The PIX just knows that this local pool is connected to it and handles routing accordingly.

Besides, you can only use subinterfaces (which really are virtual) with VLAN trunking to a VLAN capable switch.
0

 

Author Comment

by:cukwm27
ID: 16421648
Thanks for the replies!
How do I set up NAT from this local address pool to connect to each of the internal subnets and to get to outside resources?
Our DNS and Kerberos servers sit outside the firewall. Unfortunately, I have no way around this.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16421682
When you use the VPN wizard, you can select all the internal networks that your clients will be communicating with and it will set up all the NAT/NAT bypass rules you need.
As for the DNS and Kerberos servers sitting outside the firewall, this is a tricky situation.
Fortunately you have 7.1.x and you can enable "hairpinning", or allowing traffic back out the same interface it came in on.
You seem to have a fairly complex environment, so we might want to just take it one step at a time.
Use the wizard to setup the client and test it to see if you can at least ping internal hosts.
Then we'll work on any other aspects like the DNS...
0
 

Author Comment

by:cukwm27
ID: 16421763
I set up a config through the wizard.
I specified a subnet of 172.17.1.0/24 for the local pool.
When I get to the Address Translation Exemption and Split Tunneling page, I get a little confused. But, here is what I configured. For host/network to be added, I specified the full range of one of our internal subnets and did not check enable split tunneling.

When I try to connect via Cisco VPN Client 4.8.00.0440, it fails.
I am able to authenticate via the local AAA database.
Here is the log from the client:
Cisco Systems VPN Client Version 4.8.00.0440
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

152    18:01:44.328  04/10/06  Sev=Info/4      CM/0x63100002
Begin connection process

153    18:01:44.358  04/10/06  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

154    18:01:44.358  04/10/06  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

155    18:01:44.358  04/10/06  Sev=Info/4      CM/0x63100024
Attempt connection with server "132.236.93.75"

156    18:01:44.368  04/10/06  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 132.236.93.75.

157    18:01:44.388  04/10/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 132.236.93.75

158    18:01:44.538  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

159    18:01:44.538  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 132.236.93.75

160    18:01:44.538  04/10/06  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

161    18:01:44.538  04/10/06  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

162    18:01:44.538  04/10/06  Sev=Info/5      IKE/0x63000001
Peer supports DPD

163    18:01:44.538  04/10/06  Sev=Info/5      IKE/0x63000001
Peer supports IKE fragmentation payloads

164    18:01:44.569  04/10/06  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

165    18:01:44.569  04/10/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 132.236.93.75

166    18:01:44.569  04/10/06  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4

167    18:01:44.569  04/10/06  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

168    18:01:44.639  04/10/06  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

169    18:01:44.639  04/10/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

170    18:01:44.639  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

171    18:01:44.639  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 132.236.93.75

172    18:01:44.639  04/10/06  Sev=Info/4      CM/0x63100015
Launch xAuth application

173    18:01:48.855  04/10/06  Sev=Info/4      CM/0x63100017
xAuth application returned

174    18:01:48.855  04/10/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 132.236.93.75

175    18:01:48.915  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

176    18:01:48.915  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 132.236.93.75

177    18:01:48.915  04/10/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 132.236.93.75

178    18:01:48.915  04/10/06  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

179    18:01:48.945  04/10/06  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

180    18:01:48.945  04/10/06  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

181    18:01:48.955  04/10/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 132.236.93.75

182    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

183    18:01:49.005  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 132.236.93.75

184    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.17.1.1

185    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

186    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 132.236.56.250

187    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 128.253.180.2

188    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = 132.236.164.171

189    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

190    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = ornith.cornell.edu

191    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

192    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc PIX-525 Version 7.1(1) built by builders on Thu 19-Jan-06 15:02

193    18:01:49.015  04/10/06  Sev=Info/4      CM/0x63100019
Mode Config data received

194    18:01:49.035  04/10/06  Sev=Info/4      IKE/0x63000056
Received a key request from Driver: Local IP = 172.17.1.1, GW IP = 132.236.93.75, Remote IP = 0.0.0.0

195    18:01:49.035  04/10/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 132.236.93.75

196    18:01:49.115  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

197    18:01:49.115  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 132.236.93.75

198    18:01:49.115  04/10/06  Sev=Info/5      IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

199    18:01:49.115  04/10/06  Sev=Info/5      IKE/0x63000047
This SA has already been alive for 5 seconds, setting expiry to 86395 seconds from now

200    18:01:49.115  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

201    18:01:49.115  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 132.236.93.75

202    18:01:49.115  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

203    18:01:49.115  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 132.236.93.75

204    18:01:49.135  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

205    18:01:49.135  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 132.236.93.75

206    18:01:49.135  04/10/06  Sev=Info/5      IKE/0x63000073
All fragments received.

207    18:01:49.135  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 132.236.93.75

208    18:01:49.135  04/10/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 132.236.93.75

209    18:01:49.135  04/10/06  Sev=Info/4      IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=CB210BD5

210    18:01:49.135  04/10/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=3F0C511DAA9A31A7 R_Cookie=A68F02B15F15D899) reason = DEL_REASON_IKE_NEG_FAILED

211    18:01:49.135  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

212    18:01:49.135  04/10/06  Sev=Info/4      IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=3F0C511DAA9A31A7 R_Cookie=A68F02B15F15D899

213    18:01:49.135  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 132.236.93.75

214    18:01:49.135  04/10/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

215    18:01:52.630  04/10/06  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=3F0C511DAA9A31A7 R_Cookie=A68F02B15F15D899) reason = DEL_REASON_IKE_NEG_FAILED

216    18:01:52.630  04/10/06  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

217    18:01:52.630  04/10/06  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

218    18:01:52.660  04/10/06  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

219    18:01:52.670  04/10/06  Sev=Info/4      IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully

220    18:01:52.670  04/10/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

221    18:01:52.670  04/10/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

222    18:01:52.670  04/10/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

223    18:01:52.670  04/10/06  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 16422264
Run the Wizard again. When you get to the page in the Wizard for NAT Exemption and Split Tunneling, you need to add the inside subnet/mask for each interface behind which you have systems that you want to access via the client.
Then you need to check "enable split tunneling".
0
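The CLI equivalent of what the wizard produces for the steps lrmoore lists (local pool, NAT exemption for each inside subnet, split tunneling, NAT-T), plus the hairpinning he mentioned earlier for the DNS/Kerberos servers outside the PIX, as an added example that is not from the thread or from ASDM's generated output. Object names, the 172.18.32.0/24 inside subnet (taken from his later example), the Phase 1/Phase 2 proposals and the key placeholder are assumptions.

```cisco
! Assumed names: pool "vpnpool", ACLs "nonat"/"split_tunnel", group-policy and tunnel-group "ravpn".
! Assumed inside subnet 172.18.32.0/24; repeat the nonat and split_tunnel lines for each internal interface subnet.
ip local pool vpnpool 172.17.1.1-172.17.1.254 mask 255.255.255.0

! NAT exemption: inside hosts reach VPN clients without translation
access-list nonat extended permit ip 172.18.32.0 255.255.255.0 172.17.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split tunneling: only listed networks are sent through the tunnel
access-list split_tunnel standard permit 172.18.32.0 255.255.255.0

! Phase 1 policy, NAT-T and Phase 2 transform set (proposals are assumptions)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside

! Group policy pushed to the client in mode-config (DNS servers and domain are the ones in the client log)
group-policy ravpn internal
group-policy ravpn attributes
 dns-server value 132.236.56.250 128.253.180.2
 default-domain value ornith.cornell.edu
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel

! Tunnel group: local user database (the default), address pool and pre-shared key
tunnel-group ravpn type ipsec-ra
tunnel-group ravpn general-attributes
 address-pool vpnpool
 default-group-policy ravpn
tunnel-group ravpn ipsec-attributes
 pre-shared-key <group-key-placeholder>

! Hairpinning: let client traffic for the DNS/Kerberos servers outside the PIX
! re-enter and leave through the outside interface, PATed to that interface address
same-security-traffic permit intra-interface
nat (outside) 1 172.17.1.0 255.255.255.0
global (outside) 1 interface
```

Each inside interface whose hosts the clients must reach needs its own nonat and split_tunnel entry; the wizard writes exactly these entries when the subnets are added on the NAT Exemption and Split Tunneling page.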
 

Author Comment

by:cukwm27
ID: 16422314
If I run the wizard again, can I reenter all of the same information? Or should I remove the VPN config that was entered the first time and then run the wizard?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16422337
Just re-run it with the same information.
0
 

Author Comment

by:cukwm27
ID: 16422349
Never mind the last question. The wizard does not allow you to overwrite an existing config.

I still get the same failure from the client.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16422382
Do you have nat-t enabled?
Configuration | VPN | IKE | Global Parameters - check the box to enable NAT-T

How are you doing authentication? Local user database or Radius/Tacacs?

And just to verify - your VPN client is physically outside your PIX? And the client's local LAN is *not* the same IP subnet as the inside of your PIX?

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16422393
One more question:
Is the local PIX interface the respective hosts' default gateway?
For example,
hosts on "inside" = 172.18.32.0/24
PIX inside IP = 172.18.32.1
Hosts' default gateway = 172.18.32.1
0
 

Author Comment

by:cukwm27
ID: 16426090
NAT-T is enabled.
Local user database for authentication.
VPN Client is physically outside the PIX.

I'll respond back later on the last question.
0
