junsato

asked on

Cisco PIX accepts only one Cisco VPN Client connection per public IP

There is a Cisco PIX506E accepting connections from numerous Cisco VPN Clients (Version 4.6). It worked rather well, until I had to add a new site-to-site VPN over IPSec. This somehow caused existing VPN Client users to be able to connect only one PC per location. For instance, in a house with three computers, each having the VPN client software, only the first PC would be able to connect. The other two would fail during IKE phase 1 while negotiating security.

...and this does not appear to be the UDP problem, as suggested by some; enabling "NAT traversal" didn't help. It has been on and it is on now.

The PIX can accept connections, so long as it's the first connection coming from given NATted subnet.

There are exceptions to this. Some locales seem to be able to connect however many VPN clients.

Any help, especially on how/why it happens, is highly appreciated.
Cyclops3590

Please post your sanitized config.
junsato

ASKER

name 192.168.100.0 Internal_IPs
name 192.168.20.0 RemoteSite1 (address range for remote office C)
object-group service Http tcp
  port-object eq www
access-list 65082 permit ip Internal_IPs 255.255.255.0 N47087 255.255.255.0
access-list 47087 permit ip Internal_IPs 255.255.255.0 N65082 255.255.255.0
access-list nonat permit ip any 192.168.100.96 255.255.255.224
access-list nonat permit ip Internal_IPs 255.255.255.0 N65082 255.255.255.0
access-list nonat permit ip Internal_IPs 255.255.255.0 N47087 255.255.255.0
access-list nonat permit ip Internal_IPs 255.255.255.0 192.168.100.128 255.255.255.224
access-list nonat permit ip Internal_IPs 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.100.96 255.255.255.224
access-list Remote_splitTunnelAcl permit ip 192.168.0.0 255.255.0.0 any
logging buffered debugging
icmp permit any echo-reply outside
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside <The Router's Global IP> 255.255.255.240
ip address inside 192.168.100.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote_access 192.168.100.100-192.168.100.120 mask 255.255.255.0
ip local pool pptp-pool 192.168.200.1-192.168.200.50
ip local pool windows_remote_access 192.168.100.241-192.168.100.249 mask 255.255.255.0
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 216.199.185.98 3389 192.168.100.2 3389 netmask 255.255.255.255 0 0
access-group term_serv in interface outside
route outside 0.0.0.0 0.0.0.0 216.199.185.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

http 67.9.3.250 255.255.255.255 outside
http 192.168.100.2 255.255.255.255 inside
http Internal_IPs 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 11 ipsec-isakmp
crypto map outside_map 11 match address 65082
crypto map outside_map 11 set peer <Global IP of remote office A>
crypto map outside_map 11 set transform-set ESP-3DES-MD5
crypto map outside_map 12 ipsec-isakmp
crypto map outside_map 12 match address 47087
crypto map outside_map 12 set peer <Global IP of remote office B>
crypto map outside_map 12 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address <Global IP of remote router at office A> netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address <Global IP of remote router at office B> netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address <Global IP of remote router at office C> netmask 255.255.255.0 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 600 60
isakmp nat-traversal 600
isakmp log 300
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup Remote address-pool remote_access
vpngroup Remote dns-server 192.168.100.2 192.168.100.12
vpngroup Remote wins-server 192.168.100.2 192.168.100.12
vpngroup Remote default-domain cere.local
vpngroup Remote split-tunnel Remote_splitTunnelAcl
vpngroup Remote idle-time 1800
vpngroup Remote password ********
telnet Internal_IPs 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local windows_remote_access
vpdn group 1 client configuration dns 192.168.100.2 192.168.100.12
vpdn group 1 client configuration wins 192.168.100.2 192.168.100.12
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn enable outside
vpdn enable inside
What are N47087 and N65082?
I don't see any names associated with them.
Also, where is the crypto map entry for office C?
And you shouldn't use part of the inside IP range for remote access; you should use a different segment pool.
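An added check for the pool-placement point above (not code from the thread): a small Python script that parses the "ip address inside" and "ip local pool" lines of a PIX 6.x config, reports any pool carved out of the LAN's own subnet, and confirms whether "isakmp nat-traversal" is set. The embedded config excerpt is constructed from the values posted above.

```python
import ipaddress
import re

# Constructed excerpt: the relevant lines of the PIX 6.x config posted in
# the thread, with the same addresses and pool names.
PIX_CONFIG = """\
ip address inside 192.168.100.254 255.255.255.0
ip local pool remote_access 192.168.100.100-192.168.100.120 mask 255.255.255.0
ip local pool pptp-pool 192.168.200.1-192.168.200.50
ip local pool windows_remote_access 192.168.100.241-192.168.100.249 mask 255.255.255.0
isakmp nat-traversal 600
"""

def inside_subnet(config):
    """Subnet of the inside interface, from 'ip address inside ADDR MASK'."""
    m = re.search(r"^ip address inside (\S+) (\S+)", config, re.M)
    if not m:
        raise ValueError("no 'ip address inside' line found")
    # strict=False accepts the interface's host address, not just the network address
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)

def local_pools(config):
    """(name, first, last) for every 'ip local pool NAME FIRST-LAST [mask M]'."""
    pat = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)", re.M)
    return [(name, ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            for name, lo, hi in pat.findall(config)]

def overlapping_pools(config):
    """Names of pools whose range is taken from the inside-interface subnet."""
    net = inside_subnet(config)
    return [name for name, lo, hi in local_pools(config) if lo in net or hi in net]

def nat_traversal_enabled(config):
    """True when 'isakmp nat-traversal' is present (IPSec over UDP 4500)."""
    return re.search(r"^isakmp nat-traversal", config, re.M) is not None

def audit(config):
    """Human-readable findings for the two checks above."""
    findings = [f"pool '{p}' overlaps the inside subnet {inside_subnet(config)}"
                for p in overlapping_pools(config)]
    if not nat_traversal_enabled(config):
        findings.append("isakmp nat-traversal is not configured")
    return findings

if __name__ == "__main__":
    for line in audit(PIX_CONFIG):
        print(line)
```

Run against the posted config it flags both remote-access pools (remote_access and windows_remote_access) as overlapping 192.168.100.0/24, while pptp-pool on 192.168.200.0 passes.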
junsato

ASKER

Sorry about the confusion. Office C is the new addition that caused the problem, so I was in the process of reversing the latest changes. That's why the Office C entries are incomplete.
N47087 and N65082 are the remote routers which I called office A and B, respectively. The "names" section was rather long and contained info I would not post for public view. Hope this helps.
And do your users get in via IPSec or PPTP?
junsato

ASKER

IPSec/UDP, with transparent tunneling enabled. Client versions vary from 4.0 to the latest.
ASKER CERTIFIED SOLUTION
Les Moore
junsato

ASKER

Thank you for all your assistance - I think we got it resolved, but here are the points for your kindness.

At any rate, it turns out the one-VPN-per-location issue happened only on clients on a certain ISP. We called them up and, BAM, a few days later it was back in working order without any change on our end. My guess is that something kept UDP traffic from flowing through them, so they couldn't do NAT traversal properly... if such a situation is technically possible.

lrmoore:
At any rate, just so we can do better, would you mind explaining why it's better to separate remote VPN pools? For instance, should we make the 192.168.101.x range available for remote users, configure Active Directory-integrated DNS/DHCP accordingly, etc.? What are the main benefits?

Cyclops:
> isakmp keepalive 600 60
> Did you add this keepalive statement before or after the remote client issue?

This has been there forever AFAIK. Did this catch your eye as something really unusual? If so, how can we adjust it to our needs?
lrmoore brought up the isakmp keepalive 600 60 issue and is much more of an expert at PIXes than I am, so I'll let him explain that.