Solved

Cisco 515 vpn

Posted on 2006-11-29
20
394 Views
Last Modified: 2010-04-10
I have a Cisco Pix vpn set up for pptp, but when my client logs in, I get an IP address, but cannot browse the network.  I used to be able to, but have been trying to set up the ipsec client.  I can't figure out what I might have done to mess up the pptp set up.

Any ideas?  Like I said the client connects and gains an IP address.  I just can't ping, browse etc...

Thanks,

Scott
0
Comment
Question by:scottman29
  • 8
  • 8
  • 2
  • +2
20 Comments
 
LVL 4

Expert Comment

by:gmooney7
Comment Utility
Hmm, i don't know the exact answer to this one, but normally, when i use pptp with a pix, i have to have the windows vpn client use the vpn as its default gateway, inside of the properties for the vpn connection > network tab > TCP/IP properties > Advanced.  You'll see a little checkbox there.  Bad thing is, unless you're using vpn on a stick as its called, with pix os 7, you cannot route traffic back out to the public internet that comes in from a vpn.

So, ipsec is the best solution, using split tunneling.

Let me know if you want help with that.
0
 
LVL 4

Expert Comment

by:gmooney7
Comment Utility
Otherwise, you can add a static route in windows pointing to your assigned ip address you receive after establishing the vpn. This is basically the only "split tunneling" you can do with pptp under windows terminating to the pix.
0
 
LVL 4

Expert Comment

by:pakitloss
Comment Utility
Like gmooney7 said a Pix will not send traffic out the same interface it came in on. I would turn on debug and see what the logs say. I haven't done this in a while but I believe you need to route the traffic for the pool inside and I think I had an access-list and be sure traffic is not trying to be nat'd  
0
 
LVL 5

Author Comment

by:scottman29
Comment Utility
after looking further at the pix, there's no rule that points the traffic from the vpn to the internal interface.  Should there be?
0
 
LVL 4

Expert Comment

by:pakitloss
Comment Utility
Scott,

Can you past your Pix config?
0
 
LVL 5

Author Comment

by:scottman29
Comment Utility
I'd like to, but that just doesn't seem safe to me...
0
 
LVL 4

Expert Comment

by:pakitloss
Comment Utility
just change any IP's and pertinent info to x.x.x.x and specify anything next to it to be able to identify it and just paste the VPN portion.  Do you have your Access List defined for the connection? Is your pool on the same subnet as your LAN? What happens if you add a static gateway to one of the machines? (just to test)
0
 
LVL 5

Author Comment

by:scottman29
Comment Utility
since you put it that way... I'll post it asap
0
 
LVL 5

Author Comment

by:scottman29
Comment Utility
: Saved
: Written by at 10:46:24.779 EST Fri Nov 17 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname xxx
domain-name xxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq www
access-list 101 permit tcp xxx.xxx.xxx.xxx 255.255.255.0 host xxx.xxx.xxx.xxx eq ftp
access-list 101 permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 3389
access-list 101 permit tcp xxx.xxx.xxx.xxx 255.255.255.0 host xxx.xxx.xxx.xxx 4 eq ftp-data
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq pop3
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq lotusnotes
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq www
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq www
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq lotusnotes
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq pop3
access-list 101 permit tcp any host xxx.xxx.xxx.xxx  eq pcanywhere-data
access-list 101 permit udp any host xxx.xxx.xxx.xxx eq pcanywhere-status
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq https
access-list 101 permit ip any host xxx.xxx.xxx.xxx
access-list 101 permit ip any host xxx.xxx.xxx.xxx
access-list 101 permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 3389
access-list 101 permit tcp any host xxx.xxx.xxx.xxx  eq ftp
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq ftp-data
access-list 101 permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq pcanywhere-data
access-list 101 permit udp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq pcanywhere-status
access-list 101 permit udp any host xxx.xxx.xxx.xxx
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq h323
access-list 101 permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq pcanywhere-data
access-list 101 permit udp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq pcanywhere-status
access-list 101 permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 3389
access-list 101 permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 3389
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq imap4
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq imap4
access-list outside_cryptomap_dyn_30 permit ip any xxx.xxx.xxx.xxx 255.255.255.0
pager lines 24
logging on
logging timestamp
logging monitor errors
logging buffered errors
logging trap warnings
logging host inside xxx.xxx.xxx.xxx
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.224
ip address inside xxx.xxx.xxx.xxx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool PAT xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside xxx.xxx.xxx.xxx
failover ip address inside xxx.xxx.xxx.xxx
pdm location 10.28.4.0 255.255.255.0 inside
pdm location 10.28.3.250 255.255.255.255 inside
pdm location 10.28.3.252 255.255.255.255 inside
pdm location 10.28.4.30 255.255.255.255 inside
pdm location 10.28.4.50 255.255.255.255 inside
pdm location 10.28.4.74 255.255.255.255 inside
pdm location 10.28.4.251 255.255.255.255 inside
pdm location 10.28.9.3 255.255.255.255 inside
pdm location 10.37.4.249 255.255.255.255 inside
pdm location 10.37.9.201 255.255.255.255 inside
pdm location 10.37.9.202 255.255.255.255 inside
pdm location 10.37.9.253 255.255.255.255 inside
pdm location 10.37.9.0 255.255.255.0 inside
pdm location 10.37.20.206 255.255.255.255 inside
pdm location 10.137.4.250 255.255.255.255 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.0 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location xxx.xxx.xxx.xxx 255.255.0.0 inside
pdm location 206.226.187.0 255.255.255.0 inside
pdm location 208.220.136.0 255.255.255.0 inside
pdm location 208.220.137.0 255.255.255.0 inside
pdm location 208.220.199.0 255.255.255.0 inside
pdm location 208.220.236.14 255.255.255.255 inside
pdm location 208.220.236.12 255.255.255.252 inside
pdm location 208.220.236.8 255.255.255.248 inside
pdm location 208.220.237.0 255.255.255.0 inside
pdm location 208.220.238.0 255.255.255.0 inside
pdm location 208.220.239.0 255.255.255.0 inside
pdm location 208.234.136.0 255.255.255.0 inside
pdm location 208.234.137.0 255.255.255.0 inside
pdm location 208.234.138.0 255.255.255.0 inside
pdm location 208.234.139.0 255.255.255.0 inside
pdm location 208.234.140.0 255.255.255.0 inside
pdm location 208.234.141.0 255.255.255.0 inside
pdm location 208.234.142.0 255.255.255.0 inside
pdm location 208.234.143.0 255.255.255.0 inside
pdm location 208.246.198.0 255.255.255.0 inside
pdm location 208.246.199.0 255.255.255.0 inside
pdm location 63.214.17.0 255.255.255.0 outside
pdm location 69.123.203.126 255.255.255.255 outside
pdm location 167.206.67.146 255.255.255.255 outside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
pdm location xxx.xxx.xxx.xxx 255.255.0.0 outside
pdm location 216.83.237.194 255.255.255.255 outside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx
nat (inside) 0 access-list 150
nat (inside) 1 10.37.9.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 208.220.136.0 208.220.136.0 netmask 255.255.255.0 0 0
static (inside,outside) 208.220.236.8 208.220.236.8 netmask 255.255.255.248 0 0
static (inside,outside) 10.137.73.0 10.137.73.0 netmask 255.255.255.0 0 0
static (inside,outside) 208.220.239.250 10.137.4.250 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.254.254.1 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 208.220.236.14 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.200.5.1 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.28.3.252 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.37.4.249 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.37.9.253 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.28.4.251 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.28.9.3 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.37.20.206 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.37.9.202 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.37.9.201 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 10.0.0.0 255.0.0.0 xxx.xxx.xxx.xxx
route inside 172.22.0.0 255.255.0.0 10.0.254.1 1
route inside 206.226.187.0 255.255.255.0 10.254.254.1 1
route inside 208.220.136.0 255.255.255.0 10.254.254.1 1
route inside 208.220.137.0 255.255.255.0 10.254.254.1 1
route inside 208.220.199.0 255.255.255.0 10.254.254.1 1
route inside 208.220.236.8 255.255.255.248 10.254.254.1 1
route inside 208.220.236.12 255.255.255.252 10.254.254.1 1
route inside 208.220.237.0 255.255.255.0 10.254.254.1 1
route inside 208.220.238.0 255.255.255.0 10.254.254.1 1
route inside 208.220.239.0 255.255.255.0 10.254.254.1 1
route inside 208.234.136.0 255.255.255.0 10.254.254.1 1
route inside 208.234.137.0 255.255.255.0 10.254.254.1 1
route inside 208.234.138.0 255.255.255.0 10.254.254.1 1
route inside 208.234.139.0 255.255.255.0 10.254.254.1 1
route inside 208.234.140.0 255.255.255.0 10.254.254.1 1
route inside 208.234.141.0 255.255.255.0 10.254.254.1 1
route inside 208.234.142.0 255.255.255.0 10.254.254.1 1
route inside 208.234.143.0 255.255.255.0 10.254.254.1 1
route inside 208.246.198.0 255.255.255.0 10.254.254.1 1
route inside 208.246.199.0 255.255.255.0 10.254.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 10.28.3.250 timeout 5 protocol TCP version 4
aaa authentication http console LOCAL
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
ntp server xxx.xxx.xxx.xxx source inside
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 inside
http xxx.xxx.xxx.xxx 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community D
no snmp-server enable traps
tftp-server inside xxx.xxx.xxx.xxx fwconfig
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 30 match address outside_cryptomap_dyn_30
crypto dynamic-map dynmap 30 set transform-set ESP-3DES-MD5
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp key PAT address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local PATvpn outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup vpn3000-all idle-time 1800
vpngroup MEDVPN address-pool PATVPN
vpngroup MEDVPN dns-server xxx.xxx.xxx.xxx
vpngroup MEDVPN split-tunnel 152
vpngroup MEDVPN idle-time 1800
vpngroup MEDVPN password
telnet xxx.xxx.xxx.xxx 255.255.255.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local PATMEDVPN
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username cisco password @@
vpdn username cisco password
vpdn username cisco password
vpdn username cisco password
vpdn username cisco password
vpdn enable outside
username cisco password /cEwoUYq0P8mu98t encrypted privilege 15
username cisco password Tt90QzGAmTWGwlvn encrypted privilege 15
url-block url-mempool 1500
url-block url-size 4
url-block block 128
terminal width 80
Cryptochecksum:b062c373d4d68ed7450e91c44f0133ed
: end

0
 
LVL 4

Expert Comment

by:pakitloss
Comment Utility
Where is access-list 150?
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 4

Expert Comment

by:pakitloss
Comment Utility
You have nat (inside) 0 access-list 150 but I don't see this list. Without nat (inside) 0 all traffic for the tunnel will be translated. Try nat (inside) 0 access-list outside_cryptomap_dyn_30
0
 
LVL 4

Expert Comment

by:pakitloss
Comment Utility
Normally the way this is done is to place all your access-lists for your VPN into one group. Then create another (duplicate) for the nat (inside) 0.. This way if you need to create more tunnels you just add the networks to the nat-0-list.


access-list vpn-list permit ip host 172.20.15.6 host 10.20.123.50    >------------- access-list/crypto map  1st tunnel
access-list vpn-list permit ip host 172.20.15.7 host 10.20.123.51

access-list vpn-list permit ip host 172.20.25.6 host 10.20.1.50    >------------- access-list/crypto map 2nd tunnel
access-list vpn-list permit ip host 172.20.25.7 host 10.20.1.51

access-list nat-0-list permit ip host 172.20.25.6 host 10.20.1.50   >-------------- nat (inside) 0 list
access-list nat-0-list permit ip host 172.20.25.7 host 10.20.1.51
access-list nat-0-list permit ip host 172.20.15.5 host 10.20.123.59
access-list nat-0-list permit ip host 172.20.15.6 host 10.20.123.50  nat (inside) 0 nat-0-list
access-list nat-0-list permit ip host 172.20.15.7 host 10.20.123.51

This is the suggested method by Cisco as you can not have more than one nat (inside) 0 access-list

0
 
LVL 5

Author Comment

by:scottman29
Comment Utility
I must have somehow edited it out.  Here's the access list info you request

access-list 150 deny ip host 10.28.9.3 172.19.0.0 255.255.0.0
access-list 150 permit ip 10.0.0.0 255.0.0.0 172.19.0.0 255.255.0.0
access-list 150 permit ip any 172.19.1.0 255.255.255.0
access-list 110 permit ip any host 141.155.238.204
access-list 110 permit ip any host 141.155.238.203
access-list 152 permit ip 10.0.0.0 255.0.0.0 any
0
 
LVL 4

Expert Comment

by:pakitloss
Comment Utility
Scott,

Explain all of your route inside commands. Also please change you passwords on this.

username cisco password /cEwoUYq0P8mu98t encrypted privilege 15
username cisco password Tt90QzGAmTWGwlvn encrypted privilege 15

These should not be shown.
0
 
LVL 5

Author Comment

by:scottman29
Comment Utility
but the password is encrypted...
0
 
LVL 4

Expert Comment

by:pakitloss
Comment Utility
best practice..... although the PIX is very tough to crack better to be safe. What I mean is since it is placed on this site a jackass can attempt to try any crack it with a brute force cracker. Would be hard but best to be safe.
0
 
LVL 5

Author Comment

by:scottman29
Comment Utility
I'll see if I can get it done.  It also helps that I didn't post any of the ip info or domain name stuff...  It's as generic as possible.
0
 
LVL 5

Author Comment

by:scottman29
Comment Utility
I'm working with a consultant on this... if the right answer is posted, then I will award points.
0
 
LVL 5

Expert Comment

by:Netminder
Comment Utility
A request has been made to delete or close this question; if there are no objections within four days, the request will be granted.

EXPERTS: Please leave your thoughts on the disposition of this question here.

ASKER: If you have not responded to the comments left by the Experts, you may or may not receive a refund based on the responses to this post.

Recommendation: PAQ/refund if the solution is posted by the Asker; otherwise delete/refund.

Netminder
Site Admin
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
Comment Utility
PAQd, 500 points refunded.

DarthMod
CS Moderator
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now