PIX 501 VPN and opening access to terminal services

Hi! I need to solve this issue: I have a PIX 501 that needs a valid VPN connection and port 3389 to stay open. For now, 3389 is OK but the VPN is not working (I have put the same config on another firewall and it is working; my guess is that my access lists are conflicting, but...). Here is my config.

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8ZP.b8DeNlsN19Oy encrypted
passwd NHhShNdGEy.KDaLf encrypted
hostname PixMatane
domain-name boisbsl.net
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.123.5 Boisbslsrv5
name 192.168.123.3 Boisbslsrv4
name 192.168.0.4 Boisbslsrv2
name 192.168.123.0 Matane
name 192.168.1.0 Testbsl
name 192.168.0.0 Mont-Joli
name 192.168.3.0 Mechins
name 192.168.0.139 Admin
access-list 101 permit ip Matane 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_in permit tcp any interface outside eq 3389
pager lines 24
logging on
logging trap warnings
logging history notifications
logging host inside 192.168.0.144
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.0  --> removed the real ip for obvious security reason
ip address inside 192.168.123.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.5.1-192.168.5.254
pdm location 192.168.1.100 255.255.255.255 inside
pdm location Admin 255.255.255.255 inside
pdm location Testbsl 255.255.255.0 inside
pdm location Mechins 255.255.255.0 inside
pdm location Matane 255.255.255.0 inside
pdm location Boisbslsrv2 255.255.255.255 inside
pdm location Mont-Joli 255.255.255.0 inside
pdm location Boisbslsrv5 255.255.255.255 inside
pdm location 192.168.0.144 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 Boisbslsrv5 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 255 --> removed the real ip for obvious security reason
route inside Mont-Joli 255.255.255.0 Boisbslsrv5 1
route inside Mechins 255.255.255.0 Boisbslsrv5 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.0.3 source inside prefer
http server enable
http Testbsl 255.255.255.0 inside
http 192.168.1.100 255.255.255.255 inside
http Admin 255.255.255.255 inside
http Boisbslsrv2 255.255.255.255 inside
http Boisbslsrv5 255.255.255.255 inside
snmp-server host inside 192.168.0.144
snmp-server location Mont-Joli
snmp-server contact Martin Dufresne
snmp-server community Public
snmp-server enable traps
tftp-server inside Boisbslsrv5 /
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server Boisbslsrv4
vpngroup vpn3000 wins-server Boisbslsrv4
vpngroup vpn3000 default-domain boisbsl.net
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet Admin 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
banner exec Bienvenue  Bois BSL Matane, tout acces non autorise est interdit et sera traite en consequence !
Cryptochecksum:009d548657315aaff878e08b441c51fa
: end
[OK]

Thank you in advance!!!
hifive007Asked:

stressedout2004Commented:
Configuration looks solid, aside from the difference between the encryption used for the isakmp policy (des) and the transform set (3des), which shouldn't cause any issue. But you can try matching them and see if it does the trick. Just add the following command:

isakmp policy 10 encryption 3des

If you still can't connect, turn on the following debugs:

debug crypto isa
debug crypto ipsec
term mon

Try the VPN connection and let's see what the debugs say.
hifive007Author Commented:
This is the log in the client software :

Cisco Systems VPN Client Version 4.6.00.0045
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

3      10:39:14.399  04/25/06  Sev=Warning/3      IKE/0xA300004B
Received a NOTIFY message with an invalid protocol id (0)

4      10:41:44.368  04/25/06  Sev=Warning/3      IKE/0xA300004B
Received a NOTIFY message with an invalid protocol id (0)
stressedout2004Commented:
Those logs don't really tell you anything. You need the logs from the PIX firewall itself.

debug crypto isa
debug crypto ipsec
term mon

hifive007Author Commented:
Here is the result:

PixMatane# debug crypto isakmp
PixMatane# debug crypto ipsec
PixMatane#
ISAKMP: Deleting peer node for 142.169.251.237
crypto_isakmp_process_block:src:142.169.251.237, dest:x.x.x.x spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
crypto_isakmp_process_block:src:142.169.251.237, dest:x.x.x.x spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 142.169.251.237

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for 142.169.251.237, peer port 62465
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:142.169.251.237/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:142.169.251.237/500 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP: peer is a remote access client
crypto_isakmp_process_block:src:142.169.251.237, dest:x.x.x.x spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 142.169.251.237. message ID = 11433236
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute    IP4_ADDRESS (1)
ISAKMP: attribute    IP4_NETMASK (2)
ISAKMP: attribute    IP4_DNS (3)
ISAKMP: attribute    IP4_NBNS (4)
ISAKMP: attribute    ADDRESS_EXPIRY (5)
        Unsupported Attr: 5
ISAKMP: attribute    UNKNOWN (28672)
        Unsupported Attr: 28672
ISAKMP: attribute    UNKNOWN (28673)
        Unsupported Attr: 28673
ISAKMP: attribute    ALT_DEF_DOMAIN (28674)
ISAKMP: attribute    ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute    ALT_SPLITDNS_NAME (28675)
ISAKMP: attribute    ALT_PFS (28679)
ISAKMP: attribute    UNKNOWN (28683)
        Unsupported Attr: 28683
ISAKMP: attribute    ALT_BACKUP_SERVERS (28681)
ISAKMP: attribute    APPLICATION_VERSION (7)
ISAKMP: attribute    UNKNOWN (28680)
        Unsupported Attr: 28680
ISAKMP: attribute    UNKNOWN (28682)
        Unsupported Attr: 28682
ISAKMP: attribute    UNKNOWN (28677)
        Unsupported Attr: 28677
ISAKMP (0:0): responding to peer config from 142.169.251.237. ID = 1749099075
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:142.169.251.237, dest:x.x.x.x spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 219442156

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 256
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): invalid local address x.x.x.x

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)
ISAKMP : Checking IPSec proposal 2

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 256
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): invalid local address x.x.x.x

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)
ISAKMP : Checking IPSec proposal 3

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): invalid local address x.x.x.x

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (3)
ISAKMP : Checking IPSec proposal 4

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): invalid local address x.x.x.x

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)
ISAKMP : Checking IPSec proposal 5

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 256
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): invalid local address x.x.x.x

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 6

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 256
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): invalid local address x.x.x.x

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 7

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): invalid local address x.x.x.x

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): invalid local address x.x.x.x
crypto_isakmp_process_block:src:142.169.251.237, dest:x.x.x.x spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:142.169.251.237, dest:x.x.x.x spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:142.169.251.237, dest:x.x.x.x spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:142.169.251.237, dest:x.x.x.x spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 329284196
ISAMKP (0): received DPD_R_U_THERE from peer 142.169.251.237
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:142.169.251.237, dest:x.x.x.x spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 315628995, spi size = 4IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:142.169.251.237, dest:x.x.x.x spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3383752515, spi size = 16
ISAKMP (0): deleting SA: src 142.169.251.237, dst x.x.x.x
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xb5d984, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:142.169.251.237/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:142.169.251.237/500 Total VPN peers:0IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 142.169.251.237

ISAKMP: Deleting peer node for 142.169.251.237
 
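The debug capture above is the raw material for the diagnosis, but the PIX prints one attribute per line and glues the validate_proposal error onto a lifetime line, so it is easy to misread. The following script is an added example, not code from the thread: it parses a constructed excerpt in the same format, groups each phase 1 transform and phase 2 proposal with its attributes and verdict, compares the phase 1 offers against the isakmp policy configured in this thread (des / md5 / group 2), and lists the phase 2 error the PIX logged.

```python
import re
# Constructed excerpt in the shape of the thread's 'debug crypto isakmp' output.
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP (0): atts are not acceptable.
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): invalid local address x.x.x.x
ISAKMP (0): atts not acceptable. Next payload is 0
"""
LOCAL_POLICY = {"encryption": "DES", "hash": "MD5", "group": "2"}  # the thread's isakmp policy 10
HDR = re.compile(r"Checking (ISAKMP transform|IPSec proposal) (\d+)")
# 'extended auth' is listed before 'auth' so the alternation takes the longer keyword.
ATTR = re.compile(r"^ISAKMP:\s{2,}(encryption|hash|default group|extended auth|auth|"
                  r"keylength of|authenticator is|key length is)\s+(.+)$")
KEYMAP = {"default group": "group", "keylength of": "keylen", "key length is": "keylen",
          "authenticator is": "authenticator", "extended auth": "xauth"}
ERR = re.compile(r"IPSEC\(validate_proposal\): (.+)$")

def parse(text):
    """Group each attribute, error and verdict line under the header line above it."""
    props, cur = [], None
    for line in text.splitlines():
        if m := HDR.search(line):
            cur = {"phase": 1 if m[1].startswith("ISAKMP") else 2, "number": int(m[2]),
                   "attrs": {}, "verdict": "", "error": ""}
            props.append(cur)
        elif cur is None:
            continue
        elif m := ATTR.match(line):
            cur["attrs"][KEYMAP.get(m[1], m[1])] = m[2].strip()
        elif "transform" in line and "ESP_" in line:  # phase 2 header: 'transform 1, ESP_AES'
            cur["attrs"]["esp"] = line.rsplit(", ", 1)[1].strip()
        elif m := ERR.search(line):  # the PIX glues this onto the preceding lifetime line
            cur["error"] = m[1].strip()
        elif "not acceptable" in line:
            cur["verdict"] = "rejected"
    return props

def phase1_mismatches(props, policy=LOCAL_POLICY):
    """Per phase 1 transform: the fields the peer offered that differ from the local policy."""
    out = {}
    for p in (p for p in props if p["phase"] == 1):
        offered = {"encryption": p["attrs"].get("encryption", "").split("-")[0],  # AES-CBC -> AES
                   "hash": p["attrs"].get("hash", ""), "group": p["attrs"].get("group", "")}
        out[p["number"]] = [k for k in policy if offered[k].upper() != policy[k].upper()]
    return out

def phase2_errors(props):
    """Phase 2 proposal number -> validate_proposal error the PIX logged while refusing it."""
    return {p["number"]: p["error"] for p in props if p["phase"] == 2 and p["error"]}
```

Passing a different policy dict to phase1_mismatches shows what a change such as the suggested `isakmp policy 10 encryption 3des` would do to the phase 1 comparison before touching the firewall.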
stressedout2004Commented:
From the debugs, I see this:

reserved not zero on payload 8!
ISAKMP: malformed payload

Looks like the VPN password is mismatched.

Retype your vpngroup password and type it again.

no vpngroup vpn3000 password ********
vpngroup vpn3000 password <yourpassword>

Then on your VPN client, retype the password as well. vpngroup name and password are case sensitive.
Try it out and let me know how it works.

hifive007Author Commented:
That was not the problem; the change had no effect!!!
stressedout2004Commented:
Ok then, try doing the following changes:

isakmp policy 10 encryption 3des
isakmp nat-t
no crypto map mymap interface outside
crypto map mymap interface outside
