PIX Firewall VPN Client Config

Posted on 2006-05-12
Medium Priority
Last Modified: 2013-11-16
I need some additional eyes to look at this config.  What is preventing VPN clients from successful establishement via Cisco VPN client??

Password: ********
pix# sh run
: Saved
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
hostname pix
domain-name xxxxxxx.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inbound_traffic permit tcp any interface outside eq 3389
access-list inbound_traffic permit icmp any any echo-reply
access-list inbound_traffic permit icmp any any
access-list VPN_Traffic permit ip
access-list nonat permit ip
access-list nonat permit ip
access-list nonat permit ip
access-list VPN_TW permit ip
access-list allow_client_vpn permit ip
pager lines 24
logging monitor debugging
logging host inside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool CiscoVPNClientPool
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
static (inside,outside) tcp interface 3389 3389 netmask 0 0
access-group inbound_traffic in interface outside
route outside x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set TPVI-TPIT esp-3des esp-sha-hmac
crypto ipsec transform-set TPVI-TW esp-3des esp-sha-hmac
crypto ipsec transform-set AES esp-aes esp-sha-hmac
crypto dynamic-map VPNClient 30 set transform-set AES
crypto map TPVI-TPIT 10 ipsec-isakmp
crypto map TPVI-TPIT 10 match address VPN_Traffic
crypto map TPVI-TPIT 10 set peer x.x.x.x
crypto map TPVI-TPIT 10 set transform-set TPVI-TPIT
crypto map TPVI-TPIT 20 ipsec-isakmp
crypto map TPVI-TPIT 20 match address VPN_TW
crypto map TPVI-TPIT 20 set peer x.x.x.x
crypto map TPVI-TPIT 20 set transform-set TPVI-TW
crypto map TPVI-TPIT interface outside
crypto map ClientMap 30 ipsec-isakmp dynamic VPNClient
isakmp enable outside
isakmp key ******** address x.x.x.x netmask
isakmp key ******** address x.x.x.x netmask
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption aes
isakmp policy 15 hash sha
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
vpngroup CiscoVPNClient address-pool CiscoVPNClientPool
vpngroup CiscoVPNClient dns-server
vpngroup CiscoVPNClient wins-server
vpngroup CiscoVPNClient default-domain xxxxxx
vpngroup CiscoVPNClient split-tunnel allow_client_vpn
vpngroup CiscoVPNClient idle-time 1800
vpngroup CiscoVPNClient password ********
telnet timeout 20
ssh outside
ssh inside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
: end
Question by:andreacadia
  • 3
  • 2
  • 2
LVL 25

Accepted Solution

Cyclops3590 earned 1600 total points
ID: 16669768
do this
no crypto map ClientMap 30 ipsec-isakmp dynamic VPNClient
crypto map TPVI-TPIT 30 ipsec-isakmp dynamic VPNClient

right now the dynamic crypto map isn't being applied to the interface
LVL 25

Expert Comment

ID: 16669779
also reapply the crypto map to the interface just to make sure the changes take effect by doing the following
crypto map TPVI-TPIT interface outside

Author Comment

ID: 16670000
Thats perfect.  I must have just been looking to hard :).  That solved the issue.  Could i jog your brain once more?? I cannot seem to be able to ping from vpn client side to internal LAN.  Do you see anything preventing this?
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 25

Expert Comment

ID: 16670128
you're sure the host you're trying to ping uses the firewall as the default gateway?
also, try
debug icmp trace
on the firewall and then try to ping.  
also check the firewall on the vpn client and the lan client to see if either one of those would be blocking the request
LVL 20

Assisted Solution

calvinetter earned 400 total points
ID: 16674260
 If you can't pass traffic via the VPN here are some things to check, more common problems listed first:

- Verify the IP range where the VPN client PC resides doesn't overlap your VPN client pool (192.168.25.x), or the internal subnet(s) behind the PIX (10.100.52.x, etc).
- Verify on the VPN client side that a hardware or software firewall isn't blocking ESP traffic (protocol 50, *not* port 50) for both inbound/outbound.  If using a SOHO router/firewall on the client end, make sure it has a feature called something like "VPN passthrough" or "IPSec passthrough" enabled on it.  Or simply modify the firewall rules to allow ESP traffic both inbound/outbound.
- Did you run "clear xlate" after adding the config lines for the client VPN?
- Default gateway setting on host you're trying to reach behind PIX --> as Cyclops3590 already mentioned

Since you're running PIX 6.3 series, you should run:
  isakmp nat-t
  clear xlate
And if your VPN site-to-site peer devices are also PIXes running 6.3, they should also have "isakmp nat-t" enabled on them.  Then make sure no device (router or other firewall) is blocking UDP port 4500 traffic between your VPN client & your PIX, or between your PIX & your site-to-site VPN peers.


Author Comment

ID: 16676196
Thanks Calvinetter,

Issuing the "clear xlate" command seems to have solved the issue with communicating across the VPN.  My initial question however was answered by Cyclops however so i wil split the points 80/20.  I hope this is fare to both of you.

Thanks for the help.
LVL 20

Expert Comment

ID: 16679999
No problem andreacadia! Glad you got it going.

cheers all

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month16 days, 7 hours left to enroll

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question