Solved

TACACS+ AND PIX FIREWALL

Posted on 2006-11-20
18
502 Views
Last Modified: 2013-11-16
Hello,

I am installed TACACS+ on a Windows Server I defined two users to test the configuration. On the PIX firewall I have a VPN configured for PPTP. I want the PIX to authenticate the user for the VPN against the TACACS+ server. I also want the PIX firewall to authenticate any connection which is made to the PIX firewall from the outside against the TACACS+ server. When I try to iniate a connection to the VPN server. I get an error, and I am not able to connect to the VPN server. Below is a copy of the PIX config.

Thank You,
vreyesii

: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXX encrypted
passwd XXXXXXXX encrypted
hostname pixfirewall
domain-name XXXXXX.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound deny ip host 87.162.179.31 any
access-list allow_inbound deny ip host 70.255.106.164 any
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any interface outside eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any host B.X.X.236 eq www
access-list allow_inbound permit tcp any host B.X.X.236 eq h323
access-list allow_inbound permit tcp any host B.X.X.236 eq 5060
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 3000
access-list allow_inbound permit udp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 10240
access-list allow_inbound permit tcp any interface outside eq 10241
access-list allow_inbound permit tcp any interface outside eq 10242
access-list allow_inbound permit udp any interface outside eq 10240
access-list allow_inbound permit udp any interface outside eq 10241
access-list allow_inbound permit udp any interface outside eq 10242
access-list allow_inbound permit tcp any interface outside eq 41170
access-list allow_inbound permit udp any interface outside eq 41170
access-list allow_inbound permit tcp any interface outside eq 4662
access-list allow_inbound permit tcp any interface outside eq 4000
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
no pager
logging on
logging timestamp
logging monitor debugging
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp permit any unreachable outside
icmp deny any echo outside
icmp deny any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside A.X.X.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name POLICY1 attack action alarm reset
ip audit name InfoPolicy info action alarm drop
ip audit interface outside InfoPolicy
ip audit interface outside POLICY1
ip audit info action alarm drop
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.30 255.255.255.255 inside
pdm location 10.1.1.251 255.255.255.255 inside
pdm location 10.1.1.252 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 216.178.32.48 255.255.255.255 outside
pdm location 216.178.32.49 255.255.255.255 outside
pdm location 216.178.32.50 255.255.255.255 outside
pdm location 216.178.32.51 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm location 69.18.151.78 255.255.255.255 outside
pdm location 70.255.106.164 255.255.255.255 outside
pdm location 87.162.179.31 255.255.255.255 outside
pdm location 204.245.86.77 255.255.255.255 outside
pdm location 10.1.1.253 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list do_not_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
static (inside,outside) B.X.X.236 10.1.1.7 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 A.X.X.1 1
route inside 192.168.2.0 255.255.255.0 10.1.1.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 10.1.1.23 nyc4u2me timeout 10
aaa authentication ssh console LOCAL
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
aaa authorization include ftp inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
aaa accounting include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXX
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 default-domain pix.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vmr2 address-pool ippool
vpngroup vmr2 default-domain pix.com
vpngroup vmr2 split-tunnel 101
vpngroup vmr2 idle-time 1800
vpngroup vmr2 password ********
vpngroup grace address-pool ippool
vpngroup grace default-domain xxxx.com
vpngroup grace split-tunnel 101
vpngroup grace idle-time 1800
vpngroup grace password ********
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128
vpdn group 1 client configuration address local ippool
vpdn group 1 client authentication aaa AuthInbound
vpdn group 1 pptp echo 60
vpdn username vmr2 password *********
vpdn username test2 password *********
vpdn enable outside
username vmr2 password GykSunQWdCv4dXFH encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner login Unauthorized access and use of this network/device will be prosecuted.
banner motd Unauthorized access and use of this network/device will be prosecuted.
Cryptochecksum:24558cdd86e7726fc9cc5e299b277a8c
: end

0
Comment
Question by:vreyesii
  • 8
  • 8
18 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 17983256
There's a step-by-step guide here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml

Looks like you're missing a couple of lines:

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

Otherwise, what sort of error are you getting?  If you turn on debug on the PIX, what messages are you getting?
0
 

Author Comment

by:vreyesii
ID: 17983770
I added the line which you mention I was missing and I enabled debug on the PIX and I got the output that you see below.
When I try to inniate a VPN connection from the remote client using the windows VPN dialer I get a message "Error 800: Unable to establish the VPN connection."

Thank You,

vreyesii

Nov 20 2006 06:20:29: %PIX-7-710001: TCP access requested from 68.g.g.147/50651 to outside:A.X.X.85/pptp
2006-11-20 18:16:38      Local4.Debug      10.1.1.1      Nov 20 2006 06:20:29: %PIX-7-710002: TCP access permitted from 68.g.g.147/50651 to outside:A.X.X.85/pptp
2006-11-20 18:16:38      Local4.Warning      10.1.1.1      Nov 20 2006 06:20:29: %PIX-4-403106: PPP virtual interface 1 requires RADIUS aaa server for MPPE


0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 17984003
It's looking for a RADIUS server but can't find one as you've only configured TACACS for AuthInbound.  So add:

aaa-server AuthInbound protocol radius

and report back.
0
 

Author Comment

by:vreyesii
ID: 17984137
When I try to change the config I get this message "this server group is associated with some authorization group
please remove those authorization group prior to change the protocol of the server group". Also why am I changing the protocol to radius if I am using TACACS+ on the Windows Server.

0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 17985980
Firstly, change your vmr2 password ASAP - you've posted it's hash up in your config, and they're reversible!

All of these lines aren't doing anything, so would recommend you remove them:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local

and then add:

aaa-server AuthInbound protocol radius

Reboot the PIX once you've done this, and try logging in again.

I'm not sure why it's asking you for radius auth - we'll come to that bridge once you've carried out the above, OK?  :)

0
 

Author Comment

by:vreyesii
ID: 17986608
Thank you for the advice about the password hash.
Many of the lines which you suggested I remove could not removed, the PIX would not let me. This time when I tried to connect to the VPN the Windows Client states that the username and password were trying to be authenticated, and that the VPN server did not respond in a timely manner. Below is a copy of the debug.

Nov 20 2006 19:43:41: %PIX-7-710001: TCP access requested from 68.160.193.147/50910 to outside:216.254.64.85/pptp

2006-11-21 07:39:55      Local4.Debug      10.1.1.1      Nov 20 2006 19:43:41: %PIX-7-710002: TCP access permitted from 68.160.193.147/50910 to outside:216.254.64.85/pptp

2006-11-21 07:40:35      Local4.Info      10.1.1.1      Nov 20 2006 19:44:21: %PIX-6-603103: PPP virtual interface 2 - user: grace  aaa authentication failed

2006-11-21 07:40:35      Local4.Info      10.1.1.1      Nov 20 2006 19:44:21: %PIX-6-603104: PPTP Tunnel created, tunnel_id is 3, remote_peer_ip is 68.160.193.147, ppp_virtual_interface_id is 2, client_dynamic_ip is 0.0.0.0, username is grace, MPPE_key_strength is None

2006-11-21 07:40:35      Local4.Info      10.1.1.1      Nov 20 2006 19:44:21: %PIX-6-603105: PPTP Tunnel deleted, tunnel_id = 3, remote_peer_ip = 68.160.193.147
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 17990457
Can you add:

aaa-server AuthInbound protocol radius

?

Just trying to see why your client is trying to auth against RADIUS.  Perhaps there's a client configuration issue here too?

It could be an idea to try and get this working with RADIUS first, and then try TACACS later?

Do you get hits on your TACACS+ server when you try and authenticate?  Anything in the logs there?
0
 

Author Comment

by:vreyesii
ID: 17990708
Ok I added line above that you mentioned and I got the client connected using Radius. I am using the Windows Dialer to connect to the VPN not the Cisco VPN client software. Below is output from the logs.

2006-11-21 16:15:14      Local4.Debug      10.1.1.1      Nov 21 2006 04:18:59: %PIX-7-710001: TCP access requested from 68.160.193.147/50305 to outside:216.254.64.85/pptp

2006-11-21 16:15:14      Local4.Debug      10.1.1.1      Nov 21 2006 04:18:59: %PIX-7-710002: TCP access permitted from 68.160.193.147/50305 to outside:216.254.64.85/pptp

2006-11-21 16:15:14      Local4.Info      10.1.1.1      Nov 21 2006 04:19:00: %PIX-6-603104: PPTP Tunnel created, tunnel_id is 21, remote_peer_ip is 68.160.193.147, ppp_virtual_interface_id is 2, client_dynamic_ip is 10.1.2.1, username is grace, MPPE_key_strength is 128 bits
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 23

Expert Comment

by:Tim Holman
ID: 17996003
I'm not sure that TACACS+ will support MPPE - set it to auto:

no vpdn group 1 ppp encryption mppe 128
vpdn group 1 ppp encryption mppe auto

Give this a go and let me know what happens.  Could you repost your config once you've made these changes, just so we're all on the same page again?
0
 

Author Comment

by:vreyesii
ID: 17996319
When I add "vpdn group 1 ppp encryption mppe auto" I get an error from the client "Unable to establish the VPN connection.  However, if I remove the vpdn group 1 ppp encryption mppe auto line I get a different error from the client. I get "the remote computer does not support the required data encryption type." Below is a copy of the PIX config.

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXX encrypted
passwd XXXXXXXXX encrypted
hostname pixfirewall
domain-name XXXXXXX.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound deny ip host 87.162.179.31 any
access-list allow_inbound deny ip host 70.255.106.164 any
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any interface outside eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any host B.X.X.236 eq www
access-list allow_inbound permit tcp any host B.X.X.236 eq h323
access-list allow_inbound permit tcp any host B.X.X.236 eq 5060
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 3000
access-list allow_inbound permit udp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 10240
access-list allow_inbound permit tcp any interface outside eq 10241
access-list allow_inbound permit tcp any interface outside eq 10242
access-list allow_inbound permit udp any interface outside eq 10240
access-list allow_inbound permit udp any interface outside eq 10241
access-list allow_inbound permit udp any interface outside eq 10242
access-list allow_inbound permit tcp any interface outside eq 41170
access-list allow_inbound permit udp any interface outside eq 41170
access-list allow_inbound permit tcp any interface outside eq 4662
access-list allow_inbound permit tcp any interface outside eq 4000
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
no pager
logging on
logging timestamp
logging monitor debugging
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp permit any unreachable outside
icmp deny any echo outside
icmp deny any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside A.X.X.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name POLICY1 attack action alarm reset
ip audit name InfoPolicy info action alarm drop
ip audit interface outside InfoPolicy
ip audit interface outside POLICY1
ip audit info action alarm drop
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.30 255.255.255.255 inside
pdm location 10.1.1.251 255.255.255.255 inside
pdm location 10.1.1.252 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 216.178.32.48 255.255.255.255 outside
pdm location 216.178.32.49 255.255.255.255 outside
pdm location 216.178.32.50 255.255.255.255 outside
pdm location 216.178.32.51 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm location 69.18.151.78 255.255.255.255 outside
pdm location 70.255.106.164 255.255.255.255 outside
pdm location 87.162.179.31 255.255.255.255 outside
pdm location 204.245.86.77 255.255.255.255 outside
pdm location 10.1.1.253 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list do_not_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) B.X.X.236 10.1.1.7 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 A.X.X.1 1
route inside 192.168.2.0 255.255.255.0 10.1.1.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 10.1.1.23 nyc4u2me timeout 10
aaa authentication ssh console LOCAL
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
aaa accounting include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community nyc4u2me
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 default-domain XXX.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vmr2 address-pool ippool
vpngroup vmr2 default-domain XXX.com
vpngroup vmr2 split-tunnel 101
vpngroup vmr2 idle-time 1800
vpngroup vmr2 password ********
vpngroup grace address-pool ippool
vpngroup grace default-domain XXXXX.com
vpngroup grace split-tunnel 101
vpngroup grace idle-time 1800
vpngroup grace password ********
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local ippool
vpdn group 1 client authentication aaa AuthInbound
vpdn group 1 pptp echo 60
vpdn username vmr2 password *********
vpdn enable outside
username vmr2 password XXXXXXXXXXX encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner login Unauthorized access and use of this network/device will be prosecuted.
banner motd Unauthorized access and use of this network/device will be prosecuted.
Cryptochecksum:535b37e204075eff09629f1be554e922
: end


0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 18064421
Hi Vreyesii - what happened - is this fixed now?  Do you need any more help?  I hope my comments were of some assistance.
0
 

Author Comment

by:vreyesii
ID: 18065298
The problem is fixed now however, I had to look elsewhere for the answer.

Thank You
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 18067397
Good news.  Could you let me know how you fixed this, or what your working config looks like now?
0
 

Author Comment

by:vreyesii
ID: 18073722
Here is my working config.

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXx encrypted
passwd XXXXXXXXXXXXX encrypted
hostname pixfirewall
domain-name XXXXXXXXXXX.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 1521
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound deny ip host 87.162.179.31 any
access-list allow_inbound deny ip host 70.255.106.164 any
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any interface outside eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any host 216.254.64.236 eq www
access-list allow_inbound permit tcp any host 216.254.64.236 eq h323
access-list allow_inbound permit tcp any host 216.254.64.236 eq 5060
access-list allow_inbound permit tcp any interface outside eq 49156
access-list allow_inbound permit udp any interface outside eq 49156
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 3000
access-list allow_inbound permit tcp any interface outside eq 10240
access-list allow_inbound permit tcp any interface outside eq 10241
access-list allow_inbound permit tcp any interface outside eq 10242
access-list allow_inbound permit udp any interface outside eq 10240
access-list allow_inbound permit udp any interface outside eq 10241
access-list allow_inbound permit udp any interface outside eq 10242
access-list allow_inbound permit tcp any interface outside eq 41170
access-list allow_inbound permit udp any interface outside eq 41170
access-list allow_inbound permit tcp any interface outside eq 4662
access-list allow_inbound permit tcp any interface outside eq 4000
access-list allow_inbound permit udp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 49153
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
no pager
logging on
logging timestamp
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp permit any unreachable outside
icmp deny any echo outside
icmp deny any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside A.x.x.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name AttackPolicy563 attack action alarm drop reset
ip audit name InfoPolicy563 info action alarm drop
ip audit interface outside InfoPolicy563
ip audit interface outside AttackPolicy563
ip audit info action alarm drop
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.30 255.255.255.255 inside
pdm location 10.1.1.251 255.255.255.255 inside
pdm location 10.1.1.252 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 216.178.32.48 255.255.255.255 outside
pdm location 216.178.32.49 255.255.255.255 outside
pdm location 216.178.32.50 255.255.255.255 outside
pdm location 216.178.32.51 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm location 69.18.151.78 255.255.255.255 outside
pdm location 70.255.106.164 255.255.255.255 outside
pdm location 87.162.179.31 255.255.255.255 outside
pdm location 204.245.86.77 255.255.255.255 outside
pdm location 10.1.1.253 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list do_not_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.1.1.6 A.x.x.85 255.255.255.255
static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49156 10.1.1.2 49156 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49156 10.1.1.2 49156 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) B.x.x.236 10.1.1.7 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 A.x.x.1 1
route inside 192.168.2.0 255.255.255.0 10.1.1.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 10.1.1.23 nyc4u2me timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console TACACS+
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community nyc4u2me
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication AuthInbound
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 default-domain pix.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vmr2 address-pool ippool
vpngroup vmr2 default-domain pix.com
vpngroup vmr2 split-tunnel 101
vpngroup vmr2 idle-time 1800
vpngroup vmr2 password ********
vpngroup grace address-pool ippool
vpngroup grace default-domain pix.com
vpngroup grace split-tunnel 101
vpngroup grace idle-time 1800
vpngroup grace password ********
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication aaa TACACS+
vpdn enable outside
vpdn group 1 pptp echo 60
vpdn enable outside
username vmr2 password XXXXXXXXXXX encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner exec Unauthorized access and use of this network/device will be prosecuted.
banner login Unauthorized access and use of this network/device will be prosecuted.
banner motd Unauthorized access and use of this network/device will be prosecuted.
Cryptochecksum:10de254e1fe62d1b8e765489b7ffb4d9
: end
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 18075190
Good point - it does help if you put in the IP address of the TACACS+ server in the config.  Sorry I missed it!  :)
0
 

Author Comment

by:vreyesii
ID: 18076151
Thanks for your comments.
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 18106322
Closed, 500 points refunded.
DarthMod
Community Support Moderator
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now