Solved

VPN Error 721 on PIX 506e

Posted on 2006-06-30
Last Modified: 2007-12-19
Dear,
Since yesterday I can't connect anymore to our network through VPN; I am getting error 721: "after verifying username and password".
The VPN was working for more than a year and we didn't change anything in the PIX.
Please help, very important.

Here is my configuration:

sh run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 100basetx
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd encrypted
hostname
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list access-in permit tcp any interface outside eq 14000
access-list access-in permit udp any interface outside eq 14000
access-list access-in permit tcp any interface outside eq 32
access-list access-in permit icmp any any
access-list access-in permit tcp any host xxx.xxx.xxx.50 eq smtp
access-list access-in permit tcp any host xxx.xxx.xxx.50 eq 3389
access-list access-in permit tcp any host xxx.xxx.xxx.50 eq www
access-list access-in permit tcp host yyy.yyy.1.65 host xxx.xxx.xxx.50 eq ftp
access-list access-in permit tcp host yyy.yyy.1.63 host xxx.xxx.xxx.50 eq ftp
access-list NO-NAT permit ip any 172.16.1.0 255.255.255.0
access-list worms deny udp any any eq tftp
access-list worms deny tcp any any eq 135
access-list worms deny udp any any eq 135
access-list worms deny udp any any eq netbios-ns
access-list worms deny udp any any eq netbios-dgm
access-list worms deny tcp any any eq netbios-ssn
access-list worms deny udp any any eq 139
access-list worms deny tcp any any eq 445
access-list worms deny tcp any any eq 593
access-list worms deny tcp any any eq 4444
access-list worms permit ip any any
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.50 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool myLAN 172.16.1.1-172.16.1.16
pdm location 165.165.0.0 255.255.0.0 outside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 165.145.0.0 255.255.0.0 outside
pdm location 144.254.0.0 255.255.0.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 32 192.168.0.175 32 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 14000 192.168.0.175 14000 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 14000 192.168.0.175 14000 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.50 smtp 192.168.0.4 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.50 3389 192.168.0.4 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.50 www 192.168.0.4 www netmask 255.255.255.255 0 0
access-group access-in in interface outside
access-group worms in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.49 1
route inside 129.9.0.0 255.255.0.0 192.168.0.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http zzz.zzz.zzz.0 255.255.255.0 outside
http aaa.aaa.aaa.100 255.255.255.255 outside
http bbb.bbb.bbb.0 255.255.0.0 outside
http ccc.ccc.ccc.14 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside ddd.ddd.ddd.77
no snmp-server location
no snmp-server contact
snmp-server community pass
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh zzz.zzz.zzz.0 255.255.255.0 outside
ssh aaa.aaa.aaa.100 255.255.255.255 outside
ssh bbb.bbb.bbb.0 255.255.0.0 outside
ssh ccc.ccc.ccc.14 255.255.255.255 outside
ssh eee.eee.eee.0 255.255.0.0 outside
ssh fff.fff.fff.0 255.255.0.0 outside
ssh timeout 5
console timeout 0
vpdn group myLAN accept dialin pptp
vpdn group myLAN ppp authentication pap
vpdn group myLAN ppp authentication chap
vpdn group myLAN client configuration address local SMSC
vpdn group myLAN pptp echo 60
vpdn group myLAN client authentication local
vpdn username myLAN password *****************
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
username user1 password encrypted privilege 15
username user2 password encrypted privilege 15
terminal width 80
: end


Question by:aime14
6 Comments
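
An added example, not part of the original thread and not Cisco tooling: a small Python check that cross-references object names in a PIX 6.x configuration, run here on an excerpt of the configuration posted in the question. On that excerpt it reports that the vpdn group assigns addresses from a pool named SMSC while the only pool defined is myLAN; the posted text is redacted, so this may reflect the redaction rather than the running device. The function and variable names are hypothetical.

```python
import re

# Excerpt of the configuration posted in the question (redactions as on the page).
POSTED_EXCERPT = """\
access-list access-in permit icmp any any
access-list NO-NAT permit ip any 172.16.1.0 255.255.255.0
access-list worms permit ip any any
ip local pool myLAN 172.16.1.1-172.16.1.16
nat (inside) 0 access-list NO-NAT
access-group access-in in interface outside
access-group worms in interface inside
vpdn group myLAN accept dialin pptp
vpdn group myLAN client configuration address local SMSC
vpdn enable outside
"""

# (kind, regex) pairs; group 1 captures the object name.
DEFINITIONS = [
    ("access-list", re.compile(r"^access-list (\S+) ")),
    ("ip local pool", re.compile(r"^ip local pool (\S+) ")),
]
REFERENCES = [
    ("access-list", re.compile(r"^access-group (\S+) in interface ")),
    ("access-list", re.compile(r"^nat \(\S+\) \d+ access-list (\S+)")),
    ("ip local pool",
     re.compile(r"^vpdn group \S+ client configuration address local (\S+)")),
]


def undefined_references(config_text):
    """Return (kind, name, line_no), in file order, for names used but never defined."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    defined = set()
    for ln in lines:
        for kind, rx in DEFINITIONS:
            m = rx.match(ln)
            if m:
                defined.add((kind, m.group(1)))
    missing = []
    for no, ln in enumerate(lines, 1):
        for kind, rx in REFERENCES:
            m = rx.match(ln)
            if m and (kind, m.group(1)) not in defined:
                missing.append((kind, m.group(1), no))
    return missing


if __name__ == "__main__":
    for kind, name, no in undefined_references(POSTED_EXCERPT):
        print(f"line {no}: {kind} '{name}' is referenced but not defined")
```
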
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17022745
What is it that you have on your side? Router/cable modem etc.? Did you try resetting them?

Also I note that you are using 6.3(1) which is old and you need to upgrade that.

Cheers,
Rajesh

Author Comment

by:aime14
ID: 17025734
On my side I have a router, and no changes have been made on either side.
Can you help me with how to upgrade to the new version?
Thanks
AIME
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 17026512
Did you try resetting (power off) the router?

For the upgrade, first read this:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a00804e6d6d.html

This will help you learn something on the requirements (MUST READ!)

Then here is the actual procedure on upgrading:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml

The above link explains it in detail; go over it carefully, and actually it is not that difficult.

Cheers,
Rajesh

Expert Comment

by:vijaikanagaraj
ID: 17028909
Hi,

From your question, it is understood that your VPN could not be established during the authentication process.

Have you restarted your PIX firewall and tried? I have personally faced this problem frequently at many customer sites.

Regards
sai

Author Comment

by:aime14
ID: 17034246
Hi Sai,
I did the restart but still getting the same error.
Regards
AIME
LVL 1

Expert Comment

by:george183
ID: 17135225
Have you changed or added any personal firewall software on your computer? I know that ZoneAlarm will block VPN connections by default unless you set up a rule to allow the connection. Maybe SP2 was installed by Windows auto-update with Firewall enabled?

Just a few suggestions...