TACACS+ AND PIX FIREWALL
Hello,
I am installed TACACS+ on a Windows Server I defined two users to test the configuration. On the PIX firewall I have a VPN configured for PPTP. I want the PIX to authenticate the user for the VPN against the TACACS+ server. I also want the PIX firewall to authenticate any connection which is made to the PIX firewall from the outside against the TACACS+ server. When I try to iniate a connection to the VPN server. I get an error, and I am not able to connect to the VPN server. Below is a copy of the PIX config.
Thank You,
vreyesii
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXX encrypted
passwd XXXXXXXX encrypted
hostname pixfirewall
domain-name XXXXXX.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound deny ip host 87.162.179.31 any
access-list allow_inbound deny ip host 70.255.106.164 any
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any interface outside eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any host B.X.X.236 eq www
access-list allow_inbound permit tcp any host B.X.X.236 eq h323
access-list allow_inbound permit tcp any host B.X.X.236 eq 5060
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 3000
access-list allow_inbound permit udp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 10240
access-list allow_inbound permit tcp any interface outside eq 10241
access-list allow_inbound permit tcp any interface outside eq 10242
access-list allow_inbound permit udp any interface outside eq 10240
access-list allow_inbound permit udp any interface outside eq 10241
access-list allow_inbound permit udp any interface outside eq 10242
access-list allow_inbound permit tcp any interface outside eq 41170
access-list allow_inbound permit udp any interface outside eq 41170
access-list allow_inbound permit tcp any interface outside eq 4662
access-list allow_inbound permit tcp any interface outside eq 4000
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
no pager
logging on
logging timestamp
logging monitor debugging
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp permit any unreachable outside
icmp deny any echo outside
icmp deny any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside A.X.X.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name POLICY1 attack action alarm reset
ip audit name InfoPolicy info action alarm drop
ip audit interface outside InfoPolicy
ip audit interface outside POLICY1
ip audit info action alarm drop
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.30 255.255.255.255 inside
pdm location 10.1.1.251 255.255.255.255 inside
pdm location 10.1.1.252 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 216.178.32.48 255.255.255.255 outside
pdm location 216.178.32.49 255.255.255.255 outside
pdm location 216.178.32.50 255.255.255.255 outside
pdm location 216.178.32.51 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm location 69.18.151.78 255.255.255.255 outside
pdm location 70.255.106.164 255.255.255.255 outside
pdm location 87.162.179.31 255.255.255.255 outside
pdm location 204.245.86.77 255.255.255.255 outside
pdm location 10.1.1.253 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list do_not_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
static (inside,outside) B.X.X.236 10.1.1.7 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 A.X.X.1 1
route inside 192.168.2.0 255.255.255.0 10.1.1.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 10.1.1.23 nyc4u2me timeout 10
aaa authentication ssh console LOCAL
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
aaa authorization include ftp inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
aaa accounting include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXX
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 default-domain pix.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vmr2 address-pool ippool
vpngroup vmr2 default-domain pix.com
vpngroup vmr2 split-tunnel 101
vpngroup vmr2 idle-time 1800
vpngroup vmr2 password ********
vpngroup grace address-pool ippool
vpngroup grace default-domain xxxx.com
vpngroup grace split-tunnel 101
vpngroup grace idle-time 1800
vpngroup grace password ********
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128
vpdn group 1 client configuration address local ippool
vpdn group 1 client authentication aaa AuthInbound
vpdn group 1 pptp echo 60
vpdn username vmr2 password *********
vpdn username test2 password *********
vpdn enable outside
username vmr2 password GykSunQWdCv4dXFH encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner login Unauthorized access and use of this network/device will be prosecuted.
banner motd Unauthorized access and use of this network/device will be prosecuted.
Cryptochecksum:24558cdd86e
: end
I am installed TACACS+ on a Windows Server I defined two users to test the configuration. On the PIX firewall I have a VPN configured for PPTP. I want the PIX to authenticate the user for the VPN against the TACACS+ server. I also want the PIX firewall to authenticate any connection which is made to the PIX firewall from the outside against the TACACS+ server. When I try to iniate a connection to the VPN server. I get an error, and I am not able to connect to the VPN server. Below is a copy of the PIX config.
Thank You,
vreyesii
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXX encrypted
passwd XXXXXXXX encrypted
hostname pixfirewall
domain-name XXXXXX.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound deny ip host 87.162.179.31 any
access-list allow_inbound deny ip host 70.255.106.164 any
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any interface outside eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any host B.X.X.236 eq www
access-list allow_inbound permit tcp any host B.X.X.236 eq h323
access-list allow_inbound permit tcp any host B.X.X.236 eq 5060
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 3000
access-list allow_inbound permit udp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 10240
access-list allow_inbound permit tcp any interface outside eq 10241
access-list allow_inbound permit tcp any interface outside eq 10242
access-list allow_inbound permit udp any interface outside eq 10240
access-list allow_inbound permit udp any interface outside eq 10241
access-list allow_inbound permit udp any interface outside eq 10242
access-list allow_inbound permit tcp any interface outside eq 41170
access-list allow_inbound permit udp any interface outside eq 41170
access-list allow_inbound permit tcp any interface outside eq 4662
access-list allow_inbound permit tcp any interface outside eq 4000
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
no pager
logging on
logging timestamp
logging monitor debugging
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp permit any unreachable outside
icmp deny any echo outside
icmp deny any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside A.X.X.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name POLICY1 attack action alarm reset
ip audit name InfoPolicy info action alarm drop
ip audit interface outside InfoPolicy
ip audit interface outside POLICY1
ip audit info action alarm drop
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.30 255.255.255.255 inside
pdm location 10.1.1.251 255.255.255.255 inside
pdm location 10.1.1.252 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 216.178.32.48 255.255.255.255 outside
pdm location 216.178.32.49 255.255.255.255 outside
pdm location 216.178.32.50 255.255.255.255 outside
pdm location 216.178.32.51 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm location 69.18.151.78 255.255.255.255 outside
pdm location 70.255.106.164 255.255.255.255 outside
pdm location 87.162.179.31 255.255.255.255 outside
pdm location 204.245.86.77 255.255.255.255 outside
pdm location 10.1.1.253 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list do_not_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
static (inside,outside) B.X.X.236 10.1.1.7 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 A.X.X.1 1
route inside 192.168.2.0 255.255.255.0 10.1.1.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 10.1.1.23 nyc4u2me timeout 10
aaa authentication ssh console LOCAL
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
aaa authorization include ftp inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
aaa accounting include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXX
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 default-domain pix.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vmr2 address-pool ippool
vpngroup vmr2 default-domain pix.com
vpngroup vmr2 split-tunnel 101
vpngroup vmr2 idle-time 1800
vpngroup vmr2 password ********
vpngroup grace address-pool ippool
vpngroup grace default-domain xxxx.com
vpngroup grace split-tunnel 101
vpngroup grace idle-time 1800
vpngroup grace password ********
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128
vpdn group 1 client configuration address local ippool
vpdn group 1 client authentication aaa AuthInbound
vpdn group 1 pptp echo 60
vpdn username vmr2 password *********
vpdn username test2 password *********
vpdn enable outside
username vmr2 password GykSunQWdCv4dXFH encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner login Unauthorized access and use of this network/device will be prosecuted.
banner motd Unauthorized access and use of this network/device will be prosecuted.
Cryptochecksum:24558cdd86e
: end
ASKER
I added the line which you mention I was missing and I enabled debug on the PIX and I got the output that you see below.
When I try to inniate a VPN connection from the remote client using the windows VPN dialer I get a message "Error 800: Unable to establish the VPN connection."
Thank You,
vreyesii
Nov 20 2006 06:20:29: %PIX-7-710001: TCP access requested from 68.g.g.147/50651 to outside:A.X.X.85/pptp
2006-11-20 18:16:38 Local4.Debug 10.1.1.1 Nov 20 2006 06:20:29: %PIX-7-710002: TCP access permitted from 68.g.g.147/50651 to outside:A.X.X.85/pptp
2006-11-20 18:16:38 Local4.Warning 10.1.1.1 Nov 20 2006 06:20:29: %PIX-4-403106: PPP virtual interface 1 requires RADIUS aaa server for MPPE
When I try to inniate a VPN connection from the remote client using the windows VPN dialer I get a message "Error 800: Unable to establish the VPN connection."
Thank You,
vreyesii
Nov 20 2006 06:20:29: %PIX-7-710001: TCP access requested from 68.g.g.147/50651 to outside:A.X.X.85/pptp
2006-11-20 18:16:38 Local4.Debug 10.1.1.1 Nov 20 2006 06:20:29: %PIX-7-710002: TCP access permitted from 68.g.g.147/50651 to outside:A.X.X.85/pptp
2006-11-20 18:16:38 Local4.Warning 10.1.1.1 Nov 20 2006 06:20:29: %PIX-4-403106: PPP virtual interface 1 requires RADIUS aaa server for MPPE
It's looking for a RADIUS server but can't find one as you've only configured TACACS for AuthInbound. So add:
aaa-server AuthInbound protocol radius
and report back.
aaa-server AuthInbound protocol radius
and report back.
ASKER
When I try to change the config I get this message "this server group is associated with some authorization group
please remove those authorization group prior to change the protocol of the server group". Also why am I changing the protocol to radius if I am using TACACS+ on the Windows Server.
please remove those authorization group prior to change the protocol of the server group". Also why am I changing the protocol to radius if I am using TACACS+ on the Windows Server.
Firstly, change your vmr2 password ASAP - you've posted it's hash up in your config, and they're reversible!
All of these lines aren't doing anything, so would recommend you remove them:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
and then add:
aaa-server AuthInbound protocol radius
Reboot the PIX once you've done this, and try logging in again.
I'm not sure why it's asking you for radius auth - we'll come to that bridge once you've carried out the above, OK? :)
All of these lines aren't doing anything, so would recommend you remove them:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
and then add:
aaa-server AuthInbound protocol radius
Reboot the PIX once you've done this, and try logging in again.
I'm not sure why it's asking you for radius auth - we'll come to that bridge once you've carried out the above, OK? :)
ASKER
Thank you for the advice about the password hash.
Many of the lines which you suggested I remove could not removed, the PIX would not let me. This time when I tried to connect to the VPN the Windows Client states that the username and password were trying to be authenticated, and that the VPN server did not respond in a timely manner. Below is a copy of the debug.
Nov 20 2006 19:43:41: %PIX-7-710001: TCP access requested from 68.160.193.147/50910 to outside:216.254.64.85/pptp
2006-11-21 07:39:55 Local4.Debug 10.1.1.1 Nov 20 2006 19:43:41: %PIX-7-710002: TCP access permitted from 68.160.193.147/50910 to outside:216.254.64.85/pptp
2006-11-21 07:40:35 Local4.Info 10.1.1.1 Nov 20 2006 19:44:21: %PIX-6-603103: PPP virtual interface 2 - user: grace aaa authentication failed
2006-11-21 07:40:35 Local4.Info 10.1.1.1 Nov 20 2006 19:44:21: %PIX-6-603104: PPTP Tunnel created, tunnel_id is 3, remote_peer_ip is 68.160.193.147, ppp_virtual_interface_id is 2, client_dynamic_ip is 0.0.0.0, username is grace, MPPE_key_strength is None
2006-11-21 07:40:35 Local4.Info 10.1.1.1 Nov 20 2006 19:44:21: %PIX-6-603105: PPTP Tunnel deleted, tunnel_id = 3, remote_peer_ip = 68.160.193.147
Many of the lines which you suggested I remove could not removed, the PIX would not let me. This time when I tried to connect to the VPN the Windows Client states that the username and password were trying to be authenticated, and that the VPN server did not respond in a timely manner. Below is a copy of the debug.
Nov 20 2006 19:43:41: %PIX-7-710001: TCP access requested from 68.160.193.147/50910 to outside:216.254.64.85/pptp
2006-11-21 07:39:55 Local4.Debug 10.1.1.1 Nov 20 2006 19:43:41: %PIX-7-710002: TCP access permitted from 68.160.193.147/50910 to outside:216.254.64.85/pptp
2006-11-21 07:40:35 Local4.Info 10.1.1.1 Nov 20 2006 19:44:21: %PIX-6-603103: PPP virtual interface 2 - user: grace aaa authentication failed
2006-11-21 07:40:35 Local4.Info 10.1.1.1 Nov 20 2006 19:44:21: %PIX-6-603104: PPTP Tunnel created, tunnel_id is 3, remote_peer_ip is 68.160.193.147, ppp_virtual_interface_id is 2, client_dynamic_ip is 0.0.0.0, username is grace, MPPE_key_strength is None
2006-11-21 07:40:35 Local4.Info 10.1.1.1 Nov 20 2006 19:44:21: %PIX-6-603105: PPTP Tunnel deleted, tunnel_id = 3, remote_peer_ip = 68.160.193.147
Can you add:
aaa-server AuthInbound protocol radius
?
Just trying to see why your client is trying to auth against RADIUS. Perhaps there's a client configuration issue here too?
It could be an idea to try and get this working with RADIUS first, and then try TACACS later?
Do you get hits on your TACACS+ server when you try and authenticate? Anything in the logs there?
aaa-server AuthInbound protocol radius
?
Just trying to see why your client is trying to auth against RADIUS. Perhaps there's a client configuration issue here too?
It could be an idea to try and get this working with RADIUS first, and then try TACACS later?
Do you get hits on your TACACS+ server when you try and authenticate? Anything in the logs there?
ASKER
Ok I added line above that you mentioned and I got the client connected using Radius. I am using the Windows Dialer to connect to the VPN not the Cisco VPN client software. Below is output from the logs.
2006-11-21 16:15:14 Local4.Debug 10.1.1.1 Nov 21 2006 04:18:59: %PIX-7-710001: TCP access requested from 68.160.193.147/50305 to outside:216.254.64.85/pptp
2006-11-21 16:15:14 Local4.Debug 10.1.1.1 Nov 21 2006 04:18:59: %PIX-7-710002: TCP access permitted from 68.160.193.147/50305 to outside:216.254.64.85/pptp
2006-11-21 16:15:14 Local4.Info 10.1.1.1 Nov 21 2006 04:19:00: %PIX-6-603104: PPTP Tunnel created, tunnel_id is 21, remote_peer_ip is 68.160.193.147, ppp_virtual_interface_id is 2, client_dynamic_ip is 10.1.2.1, username is grace, MPPE_key_strength is 128 bits
2006-11-21 16:15:14 Local4.Debug 10.1.1.1 Nov 21 2006 04:18:59: %PIX-7-710001: TCP access requested from 68.160.193.147/50305 to outside:216.254.64.85/pptp
2006-11-21 16:15:14 Local4.Debug 10.1.1.1 Nov 21 2006 04:18:59: %PIX-7-710002: TCP access permitted from 68.160.193.147/50305 to outside:216.254.64.85/pptp
2006-11-21 16:15:14 Local4.Info 10.1.1.1 Nov 21 2006 04:19:00: %PIX-6-603104: PPTP Tunnel created, tunnel_id is 21, remote_peer_ip is 68.160.193.147, ppp_virtual_interface_id is 2, client_dynamic_ip is 10.1.2.1, username is grace, MPPE_key_strength is 128 bits
I'm not sure that TACACS+ will support MPPE - set it to auto:
no vpdn group 1 ppp encryption mppe 128
vpdn group 1 ppp encryption mppe auto
Give this a go and let me know what happens. Could you repost your config once you've made these changes, just so we're all on the same page again?
no vpdn group 1 ppp encryption mppe 128
vpdn group 1 ppp encryption mppe auto
Give this a go and let me know what happens. Could you repost your config once you've made these changes, just so we're all on the same page again?
ASKER
When I add "vpdn group 1 ppp encryption mppe auto" I get an error from the client "Unable to establish the VPN connection. However, if I remove the vpdn group 1 ppp encryption mppe auto line I get a different error from the client. I get "the remote computer does not support the required data encryption type." Below is a copy of the PIX config.
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXX encrypted
passwd XXXXXXXXX encrypted
hostname pixfirewall
domain-name XXXXXXX.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound deny ip host 87.162.179.31 any
access-list allow_inbound deny ip host 70.255.106.164 any
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any interface outside eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any host B.X.X.236 eq www
access-list allow_inbound permit tcp any host B.X.X.236 eq h323
access-list allow_inbound permit tcp any host B.X.X.236 eq 5060
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 3000
access-list allow_inbound permit udp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 10240
access-list allow_inbound permit tcp any interface outside eq 10241
access-list allow_inbound permit tcp any interface outside eq 10242
access-list allow_inbound permit udp any interface outside eq 10240
access-list allow_inbound permit udp any interface outside eq 10241
access-list allow_inbound permit udp any interface outside eq 10242
access-list allow_inbound permit tcp any interface outside eq 41170
access-list allow_inbound permit udp any interface outside eq 41170
access-list allow_inbound permit tcp any interface outside eq 4662
access-list allow_inbound permit tcp any interface outside eq 4000
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
no pager
logging on
logging timestamp
logging monitor debugging
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp permit any unreachable outside
icmp deny any echo outside
icmp deny any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside A.X.X.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name POLICY1 attack action alarm reset
ip audit name InfoPolicy info action alarm drop
ip audit interface outside InfoPolicy
ip audit interface outside POLICY1
ip audit info action alarm drop
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.30 255.255.255.255 inside
pdm location 10.1.1.251 255.255.255.255 inside
pdm location 10.1.1.252 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 216.178.32.48 255.255.255.255 outside
pdm location 216.178.32.49 255.255.255.255 outside
pdm location 216.178.32.50 255.255.255.255 outside
pdm location 216.178.32.51 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm location 69.18.151.78 255.255.255.255 outside
pdm location 70.255.106.164 255.255.255.255 outside
pdm location 87.162.179.31 255.255.255.255 outside
pdm location 204.245.86.77 255.255.255.255 outside
pdm location 10.1.1.253 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list do_not_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) B.X.X.236 10.1.1.7 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 A.X.X.1 1
route inside 192.168.2.0 255.255.255.0 10.1.1.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 10.1.1.23 nyc4u2me timeout 10
aaa authentication ssh console LOCAL
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
aaa accounting include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community nyc4u2me
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 default-domain XXX.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vmr2 address-pool ippool
vpngroup vmr2 default-domain XXX.com
vpngroup vmr2 split-tunnel 101
vpngroup vmr2 idle-time 1800
vpngroup vmr2 password ********
vpngroup grace address-pool ippool
vpngroup grace default-domain XXXXX.com
vpngroup grace split-tunnel 101
vpngroup grace idle-time 1800
vpngroup grace password ********
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local ippool
vpdn group 1 client authentication aaa AuthInbound
vpdn group 1 pptp echo 60
vpdn username vmr2 password *********
vpdn enable outside
username vmr2 password XXXXXXXXXXX encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner login Unauthorized access and use of this network/device will be prosecuted.
banner motd Unauthorized access and use of this network/device will be prosecuted.
Cryptochecksum:535b37e2040
: end
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXX encrypted
passwd XXXXXXXXX encrypted
hostname pixfirewall
domain-name XXXXXXX.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound deny ip host 87.162.179.31 any
access-list allow_inbound deny ip host 70.255.106.164 any
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any interface outside eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any host B.X.X.236 eq www
access-list allow_inbound permit tcp any host B.X.X.236 eq h323
access-list allow_inbound permit tcp any host B.X.X.236 eq 5060
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 3000
access-list allow_inbound permit udp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 10240
access-list allow_inbound permit tcp any interface outside eq 10241
access-list allow_inbound permit tcp any interface outside eq 10242
access-list allow_inbound permit udp any interface outside eq 10240
access-list allow_inbound permit udp any interface outside eq 10241
access-list allow_inbound permit udp any interface outside eq 10242
access-list allow_inbound permit tcp any interface outside eq 41170
access-list allow_inbound permit udp any interface outside eq 41170
access-list allow_inbound permit tcp any interface outside eq 4662
access-list allow_inbound permit tcp any interface outside eq 4000
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
no pager
logging on
logging timestamp
logging monitor debugging
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp permit any unreachable outside
icmp deny any echo outside
icmp deny any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside A.X.X.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name POLICY1 attack action alarm reset
ip audit name InfoPolicy info action alarm drop
ip audit interface outside InfoPolicy
ip audit interface outside POLICY1
ip audit info action alarm drop
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.30 255.255.255.255 inside
pdm location 10.1.1.251 255.255.255.255 inside
pdm location 10.1.1.252 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 216.178.32.48 255.255.255.255 outside
pdm location 216.178.32.49 255.255.255.255 outside
pdm location 216.178.32.50 255.255.255.255 outside
pdm location 216.178.32.51 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm location 69.18.151.78 255.255.255.255 outside
pdm location 70.255.106.164 255.255.255.255 outside
pdm location 87.162.179.31 255.255.255.255 outside
pdm location 204.245.86.77 255.255.255.255 outside
pdm location 10.1.1.253 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list do_not_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) B.X.X.236 10.1.1.7 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 A.X.X.1 1
route inside 192.168.2.0 255.255.255.0 10.1.1.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 10.1.1.23 nyc4u2me timeout 10
aaa authentication ssh console LOCAL
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
aaa accounting include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInbound
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community nyc4u2me
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 default-domain XXX.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vmr2 address-pool ippool
vpngroup vmr2 default-domain XXX.com
vpngroup vmr2 split-tunnel 101
vpngroup vmr2 idle-time 1800
vpngroup vmr2 password ********
vpngroup grace address-pool ippool
vpngroup grace default-domain XXXXX.com
vpngroup grace split-tunnel 101
vpngroup grace idle-time 1800
vpngroup grace password ********
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local ippool
vpdn group 1 client authentication aaa AuthInbound
vpdn group 1 pptp echo 60
vpdn username vmr2 password *********
vpdn enable outside
username vmr2 password XXXXXXXXXXX encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner login Unauthorized access and use of this network/device will be prosecuted.
banner motd Unauthorized access and use of this network/device will be prosecuted.
Cryptochecksum:535b37e2040
: end
Hi Vreyesii - what happened - is this fixed now? Do you need any more help? I hope my comments were of some assistance.
ASKER
The problem is fixed now however, I had to look elsewhere for the answer.
Thank You
Thank You
Good news. Could you let me know how you fixed this, or what your working config looks like now?
ASKER
Here is my working config.
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXx encrypted
passwd XXXXXXXXXXXXX encrypted
hostname pixfirewall
domain-name XXXXXXXXXXX.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 1521
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound deny ip host 87.162.179.31 any
access-list allow_inbound deny ip host 70.255.106.164 any
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any interface outside eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any host 216.254.64.236 eq www
access-list allow_inbound permit tcp any host 216.254.64.236 eq h323
access-list allow_inbound permit tcp any host 216.254.64.236 eq 5060
access-list allow_inbound permit tcp any interface outside eq 49156
access-list allow_inbound permit udp any interface outside eq 49156
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 3000
access-list allow_inbound permit tcp any interface outside eq 10240
access-list allow_inbound permit tcp any interface outside eq 10241
access-list allow_inbound permit tcp any interface outside eq 10242
access-list allow_inbound permit udp any interface outside eq 10240
access-list allow_inbound permit udp any interface outside eq 10241
access-list allow_inbound permit udp any interface outside eq 10242
access-list allow_inbound permit tcp any interface outside eq 41170
access-list allow_inbound permit udp any interface outside eq 41170
access-list allow_inbound permit tcp any interface outside eq 4662
access-list allow_inbound permit tcp any interface outside eq 4000
access-list allow_inbound permit udp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 49153
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
no pager
logging on
logging timestamp
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp permit any unreachable outside
icmp deny any echo outside
icmp deny any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside A.x.x.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name AttackPolicy563 attack action alarm drop reset
ip audit name InfoPolicy563 info action alarm drop
ip audit interface outside InfoPolicy563
ip audit interface outside AttackPolicy563
ip audit info action alarm drop
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.30 255.255.255.255 inside
pdm location 10.1.1.251 255.255.255.255 inside
pdm location 10.1.1.252 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 216.178.32.48 255.255.255.255 outside
pdm location 216.178.32.49 255.255.255.255 outside
pdm location 216.178.32.50 255.255.255.255 outside
pdm location 216.178.32.51 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm location 69.18.151.78 255.255.255.255 outside
pdm location 70.255.106.164 255.255.255.255 outside
pdm location 87.162.179.31 255.255.255.255 outside
pdm location 204.245.86.77 255.255.255.255 outside
pdm location 10.1.1.253 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list do_not_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.1.1.6 A.x.x.85 255.255.255.255
static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49156 10.1.1.2 49156 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49156 10.1.1.2 49156 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) B.x.x.236 10.1.1.7 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 A.x.x.1 1
route inside 192.168.2.0 255.255.255.0 10.1.1.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 10.1.1.23 nyc4u2me timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console TACACS+
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community nyc4u2me
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication AuthInbound
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 default-domain pix.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vmr2 address-pool ippool
vpngroup vmr2 default-domain pix.com
vpngroup vmr2 split-tunnel 101
vpngroup vmr2 idle-time 1800
vpngroup vmr2 password ********
vpngroup grace address-pool ippool
vpngroup grace default-domain pix.com
vpngroup grace split-tunnel 101
vpngroup grace idle-time 1800
vpngroup grace password ********
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication aaa TACACS+
vpdn enable outside
vpdn group 1 pptp echo 60
vpdn enable outside
username vmr2 password XXXXXXXXXXX encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner exec Unauthorized access and use of this network/device will be prosecuted.
banner login Unauthorized access and use of this network/device will be prosecuted.
banner motd Unauthorized access and use of this network/device will be prosecuted.
Cryptochecksum:10de254e1fe
: end
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXx encrypted
passwd XXXXXXXXXXXXX encrypted
hostname pixfirewall
domain-name XXXXXXXXXXX.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 1521
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound deny ip host 87.162.179.31 any
access-list allow_inbound deny ip host 70.255.106.164 any
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any interface outside eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any host 216.254.64.236 eq www
access-list allow_inbound permit tcp any host 216.254.64.236 eq h323
access-list allow_inbound permit tcp any host 216.254.64.236 eq 5060
access-list allow_inbound permit tcp any interface outside eq 49156
access-list allow_inbound permit udp any interface outside eq 49156
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 3000
access-list allow_inbound permit tcp any interface outside eq 10240
access-list allow_inbound permit tcp any interface outside eq 10241
access-list allow_inbound permit tcp any interface outside eq 10242
access-list allow_inbound permit udp any interface outside eq 10240
access-list allow_inbound permit udp any interface outside eq 10241
access-list allow_inbound permit udp any interface outside eq 10242
access-list allow_inbound permit tcp any interface outside eq 41170
access-list allow_inbound permit udp any interface outside eq 41170
access-list allow_inbound permit tcp any interface outside eq 4662
access-list allow_inbound permit tcp any interface outside eq 4000
access-list allow_inbound permit udp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 49153
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
no pager
logging on
logging timestamp
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp permit any unreachable outside
icmp deny any echo outside
icmp deny any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside A.x.x.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name AttackPolicy563 attack action alarm drop reset
ip audit name InfoPolicy563 info action alarm drop
ip audit interface outside InfoPolicy563
ip audit interface outside AttackPolicy563
ip audit info action alarm drop
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.30 255.255.255.255 inside
pdm location 10.1.1.251 255.255.255.255 inside
pdm location 10.1.1.252 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 216.178.32.48 255.255.255.255 outside
pdm location 216.178.32.49 255.255.255.255 outside
pdm location 216.178.32.50 255.255.255.255 outside
pdm location 216.178.32.51 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm location 69.18.151.78 255.255.255.255 outside
pdm location 70.255.106.164 255.255.255.255 outside
pdm location 87.162.179.31 255.255.255.255 outside
pdm location 204.245.86.77 255.255.255.255 outside
pdm location 10.1.1.253 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list do_not_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.1.1.6 A.x.x.85 255.255.255.255
static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49156 10.1.1.2 49156 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49156 10.1.1.2 49156 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) B.x.x.236 10.1.1.7 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 A.x.x.1 1
route inside 192.168.2.0 255.255.255.0 10.1.1.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 10.1.1.23 nyc4u2me timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console TACACS+
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community nyc4u2me
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication AuthInbound
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 default-domain pix.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vmr2 address-pool ippool
vpngroup vmr2 default-domain pix.com
vpngroup vmr2 split-tunnel 101
vpngroup vmr2 idle-time 1800
vpngroup vmr2 password ********
vpngroup grace address-pool ippool
vpngroup grace default-domain pix.com
vpngroup grace split-tunnel 101
vpngroup grace idle-time 1800
vpngroup grace password ********
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication aaa TACACS+
vpdn enable outside
vpdn group 1 pptp echo 60
vpdn enable outside
username vmr2 password XXXXXXXXXXX encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner exec Unauthorized access and use of this network/device will be prosecuted.
banner login Unauthorized access and use of this network/device will be prosecuted.
banner motd Unauthorized access and use of this network/device will be prosecuted.
Cryptochecksum:10de254e1fe
: end
Good point - it does help if you put in the IP address of the TACACS+ server in the config. Sorry I missed it! :)
ASKER
Thanks for your comments.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml
Looks like you're missing a couple of lines:
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
Otherwise, what sort of error are you getting? If you turn on debug on the PIX, what messages are you getting?