Cisco PIX accepts only one Cisco VPN Client connection per public IP

Posted on 2006-05-07
Last Modified: 2010-08-05
There is a Cisco PIX506E accepting connections from numerous Cisco VPN Clients (Version 4.6). It worked rather well, until I had to add a new site-to-site VPN over IPSec. This somehow caused existing VPN Client users to be able to connect only one PC per location. For instance, in a house with three computers, each having VPN client software, only the first PC would be able to connect. The other two would fail during IKE phase I while negotiating security.

...and this does not appear to be the UDP problem, as suggested by some; enabling "NAT traversal" didn't help. It has been on and it is on now.

The PIX can accept connections, so long as it's the first connection coming from a given NATted subnet.

There are exceptions to this. Some locales seem to be able to connect however many VPN clients they have.

Any help, especially on how/why it happens, is highly appreciated.
Question by:junsato
11 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16626111
Please post your sanitized config.
 

Author Comment

by:junsato
ID: 16626285
name 192.168.100.0 Internal_IPs
name 192.168.20.0 RemoteSite1 (address range for remote office C)
object-group service Http tcp
  port-object eq www
access-list 65082 permit ip Internal_IPs 255.255.255.0 N47087 255.255.255.0
access-list 47087 permit ip Internal_IPs 255.255.255.0 N65082 255.255.255.0
access-list nonat permit ip any 192.168.100.96 255.255.255.224
access-list nonat permit ip Internal_IPs 255.255.255.0 N65082 255.255.255.0
access-list nonat permit ip Internal_IPs 255.255.255.0 N47087 255.255.255.0
access-list nonat permit ip Internal_IPs 255.255.255.0 192.168.100.128 255.255.255.224
access-list nonat permit ip Internal_IPs 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.100.96 255.255.255.224
access-list Remote_splitTunnelAcl permit ip 192.168.0.0 255.255.0.0 any
logging buffered debugging
icmp permit any echo-reply outside
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside <The Router's Global IP> 255.255.255.240
ip address inside 192.168.100.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote_access 192.168.100.100-192.168.100.120 mask 255.255.255.0
ip local pool pptp-pool 192.168.200.1-192.168.200.50
ip local pool windows_remote_access 192.168.100.241-192.168.100.249 mask 255.255.255.0
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 216.199.185.98 3389 192.168.100.2 3389 netmask 255.255.255.255 0 0
access-group term_serv in interface outside
route outside 0.0.0.0 0.0.0.0 216.199.185.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

http 67.9.3.250 255.255.255.255 outside
http 192.168.100.2 255.255.255.255 inside
http Internal_IPs 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 11 ipsec-isakmp
crypto map outside_map 11 match address 65082
crypto map outside_map 11 set peer <Global IP of remote office A>
crypto map outside_map 11 set transform-set ESP-3DES-MD5
crypto map outside_map 12 ipsec-isakmp
crypto map outside_map 12 match address 47087
crypto map outside_map 12 set peer <Global IP of remote office B>
crypto map outside_map 12 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address <Global IP of remote router at office A> netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address <Global IP of remote router at office B> netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address <Global IP of remote router at office C> netmask 255.255.255.0 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 600 60
isakmp nat-traversal 600
isakmp log 300
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup Remote address-pool remote_access
vpngroup Remote dns-server 192.168.100.2 192.168.100.12
vpngroup Remote wins-server 192.168.100.2 192.168.100.12
vpngroup Remote default-domain cere.local
vpngroup Remote split-tunnel Remote_splitTunnelAcl
vpngroup Remote idle-time 1800
vpngroup Remote password ********
telnet Internal_IPs 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local windows_remote_access
vpdn group 1 client configuration dns 192.168.100.2 192.168.100.12
vpdn group 1 client configuration wins 192.168.100.2 192.168.100.12
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn enable outside
vpdn enable inside
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16626587
What are N47087 and N65082?
I don't see any names associated with them.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16626608
Also, where is the crypto map entry for office C?
And you shouldn't use part of the inside IP range for remote access; you should use a different segment pool.
 

Author Comment

by:junsato
ID: 16626814
Sorry about the confusion. Office C is the new addition that caused the problem, so I was in the process of reversing the latest changes. That's why the Office C entries are incomplete.
N47087 and N65082 are the remote routers which I called office A and B, respectively. The "names" section was rather long and contained info I would not post for public view. Hope this helps.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16627073
And your users get in via IPSec or PPTP?
 

Author Comment

by:junsato
ID: 16627119
IPSec/UDP, with transparent tunneling enabled. Client versions vary from 4.0 to the latest.
 
LVL 79

Accepted Solution

by:
lrmoore earned 186 total points
ID: 16629746
>This somehow caused existing VPN Client user to be able to connect only one PC per location.
>Some locales seem to be able to connect however many VPN clients.
If it quit working for only one location, did anything change on that end? I am very surprised that it ever worked from any location. Most SOHO broadband router/firewalls will simply not handle multiple VPN tunnels to the same endpoint. Did this particular user change routers, providers, etc.? Which client were they using, Cisco (which version?) or Microsoft? It could have something to do with the client version they are running and the latest Microsoft updates. Try updating their client - the latest is 4.8.
What version PIX OS are you running?

>isakmp keepalive 600 60
Did you add this keepalive statement before or after the remote client issue?

>ip address inside 192.168.100.254 255.255.255.0
>ip local pool remote_access 192.168.100.100-192.168.100.120 mask 255.255.255.0
>ip local pool windows_remote_access 192.168.100.241-192.168.100.249 mask 255.255.255.0
I ALWAYS counsel PIX administrators to use a completely different IP subnet for the IPSEC VPN users, NEVER a pool out of the same internal LAN subnet. Windows PPTP users have different "issues" and can be from the same local LAN, but then I never use PPTP because it is so insecure.
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 189 total points
ID: 16629828
Yes, although you may have gotten remote access working using part of the inside IP range, you should change that. Have you tried that yet, like I suggested above? I've heard of this working, but it's not reliable.

Then add in the entries for office C again; there is no reason that adding that to the config should screw anything else up if done properly and it doesn't conflict with IPs from another area.
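Both experts' points above (lrmoore's "never a pool out of the same internal LAN subnet" and Cyclops3590's "where is the crypto map entry for office C") are the kind of thing a quick lint over a sanitized config catches before the change window. The script below is an added example, not code from the thread or from Cisco. It parses the PIX 6.x line formats seen in the posted config and reports (1) any `ip local pool` whose range overlaps the `ip address inside` subnet and (2) any `isakmp key ... address` peer that no `crypto map ... set peer` entry references, skipping the 0.0.0.0/0.0.0.0 wildcard key that the dynamic map uses for VPN Clients. The sample config is a constructed excerpt modelled on the one posted; the peer addresses are made-up documentation addresses standing in for the redacted ones.

```python
"""Lint a sanitized PIX 6.x config excerpt for two problems raised in this thread:
an IPSec remote-access pool carved out of the inside LAN, and an isakmp pre-shared
key whose peer has no crypto map entry (half-finished site-to-site entries).
Added example; not part of the original thread."""
import ipaddress
import re

# Constructed excerpt modelled on the posted config. The peer addresses are
# made-up RFC 5737 documentation addresses standing in for the redacted ones.
SAMPLE_CONFIG = """\
ip address inside 192.168.100.254 255.255.255.0
ip local pool remote_access 192.168.100.100-192.168.100.120 mask 255.255.255.0
ip local pool pptp-pool 192.168.200.1-192.168.200.50
ip local pool windows_remote_access 192.168.100.241-192.168.100.249 mask 255.255.255.0
crypto map outside_map 11 set peer 198.51.100.11
crypto map outside_map 12 set peer 198.51.100.12
isakmp key ******** address 198.51.100.11 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 198.51.100.12 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 198.51.100.13 netmask 255.255.255.0 no-xauth no-config-mode
"""

INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)", re.MULTILINE)
POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", re.MULTILINE)
PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (\S+)", re.MULTILINE)
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)", re.MULTILINE)


def inside_subnet(config):
    """Return the inside interface's subnet as an IPv4Network."""
    m = INSIDE_RE.search(config)
    if m is None:
        raise ValueError("config has no 'ip address inside' line")
    return ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)


def pools_overlapping_inside(config):
    """Names of 'ip local pool' ranges that share addresses with the inside LAN."""
    lan = inside_subnet(config)
    lan_lo, lan_hi = lan.network_address, lan.broadcast_address
    hits = []
    for name, first, last in POOL_RE.findall(config):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        # Two ranges overlap unless one ends before the other begins.
        if not (hi < lan_lo or lo > lan_hi):
            hits.append(name)
    return hits


def keys_without_crypto_map(config):
    """Peers that have an isakmp pre-shared key but no 'crypto map ... set peer'.

    The 0.0.0.0/0.0.0.0 wildcard key is what the dynamic map uses for VPN
    Client users, so it is expected to have no static peer and is skipped.
    """
    peers = set(PEER_RE.findall(config))
    orphans = []
    for addr, mask in KEY_RE.findall(config):
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            continue
        if addr not in peers:
            orphans.append(addr)
    return orphans


if __name__ == "__main__":
    for pool in pools_overlapping_inside(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps the inside LAN; move it to its own subnet")
    for peer in keys_without_crypto_map(SAMPLE_CONFIG):
        print(f"isakmp key for {peer} has no crypto map entry pointing at it")
```

Run against the sample, it flags `remote_access` and `windows_remote_access` (both inside 192.168.100.0/24, while `pptp-pool` on 192.168.200.x is clean) and the third peer, which has a key but no crypto map entry, mirroring the office C state described in the thread. Point it at a real sanitized `show run` to get the same two answers without reading the whole config by hand.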
 

Author Comment

by:junsato
ID: 16670331
Thank you for all your assistance. I think we got it resolved, but here are the points for your kindness.

At any rate, it turns out the one-VPN-per-locale issue happened only on clients on a certain ISP. We called them up and, BAM, a few days later it was back to working order without any change on our end. My guess is that something kept UDP traffic from flowing through them so they couldn't do NAT traversal properly... if such a situation is technically possible.

lrmoore:
At any rate, just so we can do better, would you mind explaining why it's better to separate remote VPN pools? For instance, should we make the 192.168.101.x range available for remote users, configure Active Directory-integrated DNS/DHCP accordingly, etc.? What are the main benefits?

Cyclops:
>isakmp keepalive 600 60
>Did you add this keepalive statement before or after the remote client issue?

This has been there forever AFAIK. Did this catch your eye as something really unusual? If so, how can we adjust it to our needs?
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16670377
lrmoore brought up the isakmp keepalive 600 60 issue and is much more of an expert at PIXes than I am, so I'll let him explain that.
