Solved

cisco client VPN from behind a PIX with existing site to site config

Posted on 2006-12-01
Last Modified: 2013-11-16
first: I'm a dummy so bear with me :~) This may be super easy for y'all.
We have a remote site that is tied in site-to-site using Cisco Easy VPN config. Works great, no probs there. A couple of users in the remote site also use the Cisco VPN client to connect to another agency. It was working until a major power outage, but apparently the previously working running config was not write mem'd, nor do I have a copy. I have tried a few things to no avail; e.g. got client VPN working but broke site-to-site when I tried some variations of access-list or static statements. Could anyone recommend the BEST way to set this up so that client VPN to about 4 external IPs, in series x.x.x.1-x.x.x.4, will work from behind the basic config shown below?

Oh - and I don't have access to the VPN client connection log or I would include that. I could have sworn this was working without any explicit permits or statics but I am probably wrong about that too. :~(


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd ZHPW3PkCqVp0zNHL encrypted
hostname pixfirewall
domain-name xxx.xxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.60.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.60.0.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.60.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp nat-traversal 20
telnet 10.60.0.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 10.60.0.2-10.60.0.29 inside
dhcpd dns 10.10.0.20 10.10.0.19
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxx.local
dhcpd auto_config outside
dhcpd enable inside
username techsupp password xxxxxxxxxxxxxxxxxx encrypted privilege 15
vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup vpnremote password ********
vpnclient username techsupp password ********
vpnclient enable
terminal width 80
banner exec *** UNAUTHORIZED ACCESS IS PROHIBITED ***
banner exec ***   VIOLATORS WILL BE PROSECUTED       ***
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
Question by:ipockcr


Accepted Solution

by:
lrmoore earned 150 total points
ID: 18057363
If the EasyVPN is working as is with the posted config, try simply adding this one line and see if the other users can VPN out:

  isakmp nat-traversal 20

If that doesn't work, enable fixup esp-ike
Author Comment

by:ipockcr
ID: 18068254
yikes; well at least I didn't leave any real IPs.

nat traversal is in the config actually, but haven't tried fixup esp-ike so I'll try that. It was definitely working without it before, but I have no knowledge of what they may have done on the remote end.


Expert Comment

by:Sembee
ID: 18070388
I always remove them if I see them... just in case. You may give away information elsewhere on the site or in the question that lets someone put two and two together.

Simon.
Author Comment

by:ipockcr
ID: 18093011
Go figure. The remote provider, after repeatedly insisting the problem was on my end, has been forced to concede that this was NOT the case. Now if they will kindly return the time I wasted. The mistake was a simple one, and easily remedied: never trust anyone who claims to know what they are talking about. I should have bypassed the firewall FIRST and it might have saved me some time; had it been easier to do so at the location in question I probably would have done that sooner.

I accept lrmoore's answer because it was most likely to have helped, but note that nat-traversal WAS in the original config. (hence the "B" lol).
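As an added example (not from this thread, Cisco, or Experts Exchange), a small Python helper covering the two practical points raised above: it masks the password hashes, SNMP community string and vpnclient secrets in a PIX 6.3 config before the config is pasted anywhere, as Sembee advises, and it checks whether the `isakmp nat-traversal` and `fixup protocol esp-ike` lines from lrmoore's answer are present and says which step comes next. The config excerpt and the hash values in it are constructed placeholders, not the real device's values.

```python
import re

# Constructed excerpt modelled on the PIX 6.3 config posted in the question;
# the hashes and community string are placeholders, not the real values.
SAMPLE_CONFIG = """\
PIX Version 6.3(5)
enable password EXAMPLEHASH00001 encrypted
passwd EXAMPLEHASH00002 encrypted
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
snmp-server community public
isakmp nat-traversal 20
username techsupp password EXAMPLEHASH00003 encrypted privilege 15
vpnclient vpngroup vpnremote password ********
vpnclient username techsupp password ********
vpnclient enable
"""

# Fields that should never leave the device in a pasted config.
SECRET_PATTERNS = [
    (r"^((?:enable password|passwd)) \S+", r"\1 <redacted>"),
    (r"^(username \S+ password) \S+", r"\1 <redacted>"),
    (r"^(snmp-server community) \S+", r"\1 <redacted>"),
    (r"^(vpnclient (?:vpngroup|username) \S+ password) \S+", r"\1 <redacted>"),
]


def redact(config: str) -> str:
    """Return the config with password hashes and community strings masked."""
    for pattern, repl in SECRET_PATTERNS:
        config = re.sub(pattern, repl, config, flags=re.MULTILINE)
    return config


def check_vpn_passthrough(config: str) -> dict:
    """Report the PIX 6.3 settings that let inside hosts run IPsec/IKE clients
    through the firewall's PAT, in the order the accepted answer suggests."""
    has = lambda pat: re.search(pat, config, re.MULTILINE) is not None
    result = {
        "nat_traversal": has(r"^isakmp nat-traversal \d+"),
        "esp_ike_fixup": has(r"^fixup protocol esp-ike\b"),
        "pat_to_interface": has(r"^global \(outside\) \d+ interface"),
    }
    if not result["nat_traversal"]:
        result["advice"] = "add 'isakmp nat-traversal 20' (first step in the accepted answer)"
    elif not result["esp_ike_fixup"]:
        result["advice"] = "NAT-T already present; next step is 'fixup protocol esp-ike'"
    else:
        result["advice"] = "both settings present; the fault is probably not on this firewall"
    return result
```

Run `redact()` over a config before posting it and `check_vpn_passthrough()` to see which of the two suggested changes is still missing.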