
VPN on PIX 501

Hi there, I have a Cisco PIX 501 and I'm trying to create a VPN using the PDM, but it doesn't seem to be working correctly ... basically I have a web server (192.168.1.9) which I will put on the inside interface, and I would like remote users to connect to it using the Microsoft VPN client (PPTP). I already have a registered public IP address which I will assign to the outside interface ... actually it should be easy for you security experts, I think I'm missing something here ... and also, when I create the AAA server, what IP address should I assign to it on the inside interface? And lastly, on which interface should I enable the VPN, since it gives me the ability to select between the outside and the inside interface? ... so would you guys be so kind as to help ... and here is my "show run".

show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password htYVSdNOjZ7/cLuy encrypted
passwd RG8twOAPlif87cCk encrypted
hostname NDIBaghdad
domain-name ndibaghdad.org
clock timezone AST 3
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.9 WebServer
access-list outside_access_in permit ip any 192.168.1.0 255.255.255.0
access-list outside_authentication_LOCAL permit tcp interface outside host WebServer
pager lines 24
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 213.5.236.44 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Clients 192.168.1.50-192.168.1.60
pdm location 0.0.0.0 255.255.255.248 inside
pdm location 0.0.0.0 255.255.255.248 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location WebServer 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) WebServer WebServer netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 210.5.236.44 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication match outside_authentication_LOCAL outside LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local Clients
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username Admin password *********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username Admin password iKtg9QcN/XaHeH77 encrypted privilege 15
terminal width 80
Cryptochecksum:8a4f766d7f94074725cb2130c9a644f1
: end
NDIBaghdad#
1 Solution
 
naveedbCommented:
What is not working, are clients unable to connect?

"And also, when I create the AAA server, what IP address should I assign to it on the inside interface?"

What kind of server do you have, are you using RADIUS or TACACS? If not, there is no need to set up an AAA server.

"And lastly, on which interface should I enable the VPN, since it gives me the ability to select between the outside and the inside interface?"

Clients will be connecting from outside, so it will be outside only.

Make the above changes, try to connect again, and let us know what fails.
 
ndihelpiraqAuthor Commented:
- When clients try to connect using the MS VPN client, it connects, reaches "Verifying username and password" and then disconnects with the 721 error.

- I don't know the difference between using RADIUS, TACACS and the local users, and if I create a server, what IP address should I assign to it?

- Thanks for your help.
 
naveedbCommented:
You do not need an AAA server for authentication. RADIUS or TACACS are used to store usernames and passwords. Since you are saving them on the LOCAL PIX with the vpdn username / password command, you are good. To clear it, you can enter the following command:

no aaa authentication match outside_authentication_LOCAL outside LOCAL

Also, in your config:

ip address inside 192.168.1.1 255.255.255.0
ip local pool Clients 192.168.1.50-192.168.1.60

It is not recommended to use the same subnet for clients that you are using for the inside interface. Change your pool to something like:

ip local pool Clients 10.168.1.0-10.168.1.63

Add the following two commands:

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.168.1.0 255.255.255.192
nat (inside) 0 access-list 101

Also, on your client side, try to disable the firewall; and if it doesn't work, see if you can connect the client directly to the Internet connection (cable/DSL), bypassing the router, and whether it works then.



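As an added example (not part of the thread), a small Python check for the two configuration points raised in this answer: whether the PPTP client pool overlaps the inside interface subnet, and whether a nat 0 access-list exempts inside-to-pool traffic from NAT. It runs over trimmed copies of the two configs posted in the thread and flags the original (overlapping pool, no exemption) but passes the revised one.

```python
import ipaddress
import re

# Trimmed copies of the two configs posted in the thread: only the lines
# the checks below look at.
ORIGINAL = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool Clients 192.168.1.50-192.168.1.60
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
REVISED = """
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip local pool PPTP-POOL 192.168.1.1-192.168.1.50
nat (inside) 0 access-list 101
"""

def parse_config(text):
    """Extract the inside subnet, client pools, nat 0 ACL name and 'permit ip' ACEs."""
    cfg = {"inside": None, "pools": {}, "nat0_acl": None, "acls": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            cfg["inside"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            cfg["nat0_acl"] = m[1]
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
            cfg["acls"].setdefault(m[1], []).append((src, dst))
    return cfg

def pool_overlaps_inside(cfg, pool):
    """True if the pool's address range intersects the inside interface subnet."""
    lo, hi = cfg["pools"][pool]
    return lo <= cfg["inside"].broadcast_address and hi >= cfg["inside"].network_address

def pool_nat_exempt(cfg, pool):
    """True if some ACE of the nat 0 ACL covers inside subnet -> the whole pool range."""
    lo, hi = cfg["pools"][pool]
    for src, dst in cfg["acls"].get(cfg["nat0_acl"], []):
        if cfg["inside"].subnet_of(src) and lo in dst and hi in dst:
            return True
    return False

def check(text):
    """Return {pool: (overlaps_inside, nat_exempt)} for every pool in the config."""
    cfg = parse_config(text)
    return {p: (pool_overlaps_inside(cfg, p), pool_nat_exempt(cfg, p)) for p in cfg["pools"]}
```

Calling check(ORIGINAL) returns {'Clients': (True, False)} and check(REVISED) returns {'PPTP-POOL': (False, True)}.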
 
ndihelpiraqAuthor Commented:
Hi again ... this is what I've done and I will put my show run here ... please have a look and tell me what I need to do more ... it's still not working ... I prefer to use encryption, but it didn't work with or without it ... any ideas?



show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password htYVSdNOjZ7/cLuy encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname NDIBaghdad
domain-name NDIbaghdad.org
clock timezone AST 3
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 213.*.*.44 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool PPTP-POOL 192.168.1.1-192.168.1.50
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 213.*.*.44 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local PPTP-POOL
vpdn group 1 client configuration dns 66.178.2.16 66.178.2.25
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username Admin password *********
vpdn enable outside
dhcpd address 10.1.1.2-10.1.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:06288ef2e193efec9aeab124b3bf48c5
: end


 
naveedbCommented:
What is the error message the user is getting when they try to connect?

Also, can you run debug commands to see what errors are showing up?

Enable logging:

logging on
logging timestamp
logging buffered debugging

debug ppp io
debug ppp error
debug vpdn error
debug vpdn packets
debug vpdn events

Then issue "show log" to see if there are any messages while the user tries to connect.
 
ndihelpiraqAuthor Commented:
The problem has been solved and now it's working fine ... in fact, I was unable to connect to the PIX because of the firewall that I'm running on my computer ... I know it does not sound professional, and it was the last resort I tried, and fortunately it worked after disabling the firewall ... and certainly after some modifications on the PIX.

Thanks naveedb for looking into my problem and for your nice support .....
 
naveedbCommented:
No problem, glad it is working now.