
PIX 525 VPN Configuration

I am new to configuring VPNs and would like some guidance on setting up VPN connectivity on our Pix 525.
I have been reading through many of the questions that have been posted here and the Cisco documentation, but have been left feeling very dazed and confused.

Let me summarize our configuration to start with.
The Pix is running version 7.1(1).
There are 6 Ethernet and 2 GigabitEthernet interfaces.
One of the Ethernet interfaces is configured as a failover interface.
All of the interfaces are currently configured with a subnet on each.
One of the Gigabit interfaces is the outside interface.

I have read a couple of questions regarding setting up a separate subnet for the address pool for the VPN clients. Is this an option without having a physical interface available for the subnet? If not, how should I configure the pool(s) to have a different tunnel group for each of our internal interfaces?


Asked by: cukwm27
lrmoore commented:
>I have read a couple of questions regarding setting up a separate subnet for the address pool for the VPN clients. Is this an option without having a physical interface available for the subnet?
Absolutely! I highly suggest using a separate IP subnet for the VPN client pool.

Use the VPN wizard in the ASDM interface and it'll walk you through step by step.
jabiii commented:
You should be able to use virtual interfaces or subinterfaces with no additional physical interface.
lrmoore commented:
Local pools are just that - local to the PIX. No need for anything else like sub-ifs or virtual interfaces. The PIX just knows that this local pool is connected to it and handles routing accordingly.

Besides, you can only use subinterfaces (which really are virtual) with VLAN trunking to a VLAN capable switch.
cukwm27 (author) commented:
Thanks for the replies!
How do I set up NAT from this local address pool to connect to each of the internal subnets and to get to outside resources?
Our DNS and Kerberos servers sit outside the firewall. Unfortunately, I have no way around this.

lrmoore commented:
When you use the VPN wizard, you can select all the internal networks that your clients will be communicating with and it will set up all the NAT/NAT-bypass rules you need.
As for the DNS and Kerberos servers sitting outside the firewall, this is a tricky situation.
Fortunately you have 7.1.x and you can enable "hairpinning", or allowing traffic back out the same interface it came in on.
You seem to have a fairly complex environment, so we might want to just take it one step at a time.
Use the wizard to setup the client and test it to see if you can at least ping internal hosts.
Then we'll work on any other aspects like the DNS...
cukwm27 (author) commented:
I set up a config through the wizard.
I specified a subnet of 172.17.1.0/24 for the local pool.
When I get to the Address Translation Exemption and Split Tunneling page, I get a little confused. But, here is what I configured. For host/network to be added, I specified the full range of one of our internal subnets and did not check enable split tunneling.

When I try to connect via Cisco VPN Client 4.8.00.0440, it fails.
I am able to authenticate via the local AAA database.
Here is the log from the client:
Cisco Systems VPN Client Version 4.8.00.0440
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

152    18:01:44.328  04/10/06  Sev=Info/4      CM/0x63100002
Begin connection process

153    18:01:44.358  04/10/06  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

154    18:01:44.358  04/10/06  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

155    18:01:44.358  04/10/06  Sev=Info/4      CM/0x63100024
Attempt connection with server "132.236.93.75"

156    18:01:44.368  04/10/06  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 132.236.93.75.

157    18:01:44.388  04/10/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 132.236.93.75

158    18:01:44.538  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

159    18:01:44.538  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 132.236.93.75

160    18:01:44.538  04/10/06  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

161    18:01:44.538  04/10/06  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

162    18:01:44.538  04/10/06  Sev=Info/5      IKE/0x63000001
Peer supports DPD

163    18:01:44.538  04/10/06  Sev=Info/5      IKE/0x63000001
Peer supports IKE fragmentation payloads

164    18:01:44.569  04/10/06  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

165    18:01:44.569  04/10/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 132.236.93.75

166    18:01:44.569  04/10/06  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4

167    18:01:44.569  04/10/06  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

168    18:01:44.639  04/10/06  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

169    18:01:44.639  04/10/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

170    18:01:44.639  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

171    18:01:44.639  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 132.236.93.75

172    18:01:44.639  04/10/06  Sev=Info/4      CM/0x63100015
Launch xAuth application

173    18:01:48.855  04/10/06  Sev=Info/4      CM/0x63100017
xAuth application returned

174    18:01:48.855  04/10/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 132.236.93.75

175    18:01:48.915  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

176    18:01:48.915  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 132.236.93.75

177    18:01:48.915  04/10/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 132.236.93.75

178    18:01:48.915  04/10/06  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

179    18:01:48.945  04/10/06  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

180    18:01:48.945  04/10/06  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

181    18:01:48.955  04/10/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 132.236.93.75

182    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

183    18:01:49.005  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 132.236.93.75

184    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.17.1.1

185    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

186    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 132.236.56.250

187    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 128.253.180.2

188    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = 132.236.164.171

189    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

190    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = ornith.cornell.edu

191    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

192    18:01:49.005  04/10/06  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc PIX-525 Version 7.1(1) built by builders on Thu 19-Jan-06 15:02

193    18:01:49.015  04/10/06  Sev=Info/4      CM/0x63100019
Mode Config data received

194    18:01:49.035  04/10/06  Sev=Info/4      IKE/0x63000056
Received a key request from Driver: Local IP = 172.17.1.1, GW IP = 132.236.93.75, Remote IP = 0.0.0.0

195    18:01:49.035  04/10/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 132.236.93.75

196    18:01:49.115  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

197    18:01:49.115  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 132.236.93.75

198    18:01:49.115  04/10/06  Sev=Info/5      IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

199    18:01:49.115  04/10/06  Sev=Info/5      IKE/0x63000047
This SA has already been alive for 5 seconds, setting expiry to 86395 seconds from now

200    18:01:49.115  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

201    18:01:49.115  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 132.236.93.75

202    18:01:49.115  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

203    18:01:49.115  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 132.236.93.75

204    18:01:49.135  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

205    18:01:49.135  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 132.236.93.75

206    18:01:49.135  04/10/06  Sev=Info/5      IKE/0x63000073
All fragments received.

207    18:01:49.135  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 132.236.93.75

208    18:01:49.135  04/10/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 132.236.93.75

209    18:01:49.135  04/10/06  Sev=Info/4      IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=CB210BD5

210    18:01:49.135  04/10/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=3F0C511DAA9A31A7 R_Cookie=A68F02B15F15D899) reason = DEL_REASON_IKE_NEG_FAILED

211    18:01:49.135  04/10/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 132.236.93.75

212    18:01:49.135  04/10/06  Sev=Info/4      IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=3F0C511DAA9A31A7 R_Cookie=A68F02B15F15D899

213    18:01:49.135  04/10/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 132.236.93.75

214    18:01:49.135  04/10/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

215    18:01:52.630  04/10/06  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=3F0C511DAA9A31A7 R_Cookie=A68F02B15F15D899) reason = DEL_REASON_IKE_NEG_FAILED

216    18:01:52.630  04/10/06  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

217    18:01:52.630  04/10/06  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

218    18:01:52.660  04/10/06  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

219    18:01:52.670  04/10/06  Sev=Info/4      IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully

220    18:01:52.670  04/10/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

221    18:01:52.670  04/10/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

222    18:01:52.670  04/10/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

223    18:01:52.670  04/10/06  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped
lrmoore commented:
Run the Wizard again. When you get to the page in the Wizard for NAT Exemption and Split Tunneling, you need to add the inside subnet/mask for each interface behind which you have systems that you want to access via the client.
Then you need to check "enable split tunneling".
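The pieces lrmoore has described so far (a local pool on its own subnet, a NAT exemption for each inside subnet, split tunneling, and hairpinning for the DNS/Kerberos servers that sit outside the PIX) as one PIX 7.1 CLI configuration. This is an added example, not configuration from the thread, the wizard or Cisco: the pool range, the object names (VPNPOOL, VPNGROUP, INSIDE_NAT0, SPLIT_TUNNEL, DYNMAP, OUTSIDE_MAP), the crypto parameters and the pre-shared key placeholder are assumptions, and 172.18.32.0/24 is the inside subnet lrmoore uses as an illustration further down the thread. The DNS servers and default domain are the ones the PIX pushed in the client log above.

```cisco
! Added example, not from the thread. PIX 7.1 remote-access IPsec for the
! Cisco VPN Client. Names, pool range, crypto parameters and the PSK
! placeholder are assumptions; 172.18.32.0/24 stands for one inside subnet.

! 1. Client pool on its own subnet. No physical or sub-interface is needed;
!    the PIX routes to it as a directly connected pool.
ip local pool VPNPOOL 172.17.1.10-172.17.1.254 mask 255.255.255.0

! 2. NAT exemption: inside -> pool traffic must bypass NAT. Add one permit
!    line per inside subnet (per interface) the clients should reach.
access-list INSIDE_NAT0 extended permit ip 172.18.32.0 255.255.255.0 172.17.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NAT0

! 3. Split-tunnel list: only these networks go through the tunnel. Traffic to
!    anything else (e.g. the DNS/Kerberos servers outside the PIX) leaves the
!    client's local connection directly. Without split tunneling every packet
!    is tunneled and must be hairpinned back out (step 7).
access-list SPLIT_TUNNEL standard permit 172.18.32.0 255.255.255.0

! 4. Group policy handed to the client via mode-config (the MODE_CFG_REPLY
!    attributes visible in the client log).
group-policy VPNGROUP internal
group-policy VPNGROUP attributes
 dns-server value 132.236.56.250 128.253.180.2
 default-domain value ornith.cornell.edu
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 5. Tunnel group: the group name the client uses, its pool, and the local
!    user database for XAUTH. Use one tunnel-group per client population if
!    different groups should reach different inside interfaces.
tunnel-group VPNGROUP type ipsec-ra
tunnel-group VPNGROUP general-attributes
 address-pool VPNPOOL
 authentication-server-group LOCAL
 default-group-policy VPNGROUP
tunnel-group VPNGROUP ipsec-attributes
 pre-shared-key <group-password>

! 6. IKE phase 1, NAT-T and a dynamic crypto map on the outside interface.
!    The dynamic entry carries no "match address" ACL: the client proposes its
!    own phase 2 identities (its pool address to 0.0.0.0/0) and the PIX must
!    accept them as offered.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside

! 7. Only when everything is tunneled (no split tunneling): allow client
!    traffic to re-exit the interface it arrived on ("hairpinning") and PAT it
!    behind the outside address so the servers outside the PIX can reply.
!    Reuse the ID of an existing "global (outside)" statement if there is one.
same-security-traffic permit intra-interface
nat (outside) 1 172.17.1.0 255.255.255.0
global (outside) 1 interface
```

Verify with `show crypto isakmp sa` and `show crypto ipsec sa` on the PIX while a client is connected, and run `debug crypto isakmp 7` and `debug crypto ipsec 7` during a failing attempt. In the client log above, phase 1 and XAUTH complete and the PIX assigns 172.17.1.1 by mode-config, then answers the Quick Mode proposal with INVALID_ID_INFO; that is the phase 2 identity check on the PIX rejecting what the client offered, so the first things to confirm are that a dynamic crypto map entry is bound to the outside interface and that neither it nor the NAT exemption ACL excludes the client's identities. One security caveat a practitioner should keep in mind: the `ISAKMP OAK AG` exchanges in the log are IKEv1 aggressive mode with a group pre-shared key, which exposes the authentication hash to anyone who captures the exchange and allows offline guessing of the group key; 3DES/SHA-1 with a group PSK was the norm for this platform in 2006 but does not meet current guidance, so treat the group key as a low-value secret and rely on the XAUTH user credentials (or certificates, where available) for real authentication.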
cukwm27 (author) commented:
If I run the wizard again, can I re-enter all of the same information? Or should I remove the VPN config that was entered the first time and then run the wizard?
lrmoore commented:
Just re-run it with the same information.
cukwm27 (author) commented:
Never mind the last question. The wizard does not allow you to overwrite an existing config.

I still get the same failure from the client.
lrmoore commented:
Do you have nat-t enabled?
Configuration | VPN | IKE | Global Parameters - check the box to enable NAT-T

How are you doing authentication? Local user database or Radius/Tacacs?

And just to verify - your VPN client is physically outside your PIX? And the client's local LAN is *not* the same IP subnet as the inside of your PIX?

lrmoore commented:
One more question:
Is the local PIX interface the respective hosts' default gateway?
For example,
hosts on "inside" = 172.18.32.0/24
PIX inside IP = 172.18.32.1
Hosts' default gateway = 172.18.32.1
cukwm27 (author) commented:
NAT-T is enabled.
Local user database for authentication.
VPN Client is physically outside the pix.

I'll respond back later on the last question.