Zenith63
VPN working on PIX506E, but want to connect with Windows VPN Client now?

Hi,

I have a VPN configuration setup on a PIX506E such that users can connect in but are only able to access one server on a couple of specific ports.  The data being transmitted is quite sensitive, so I've been aiming for maximum security all along.  Having said that I should point out I am very much a Cisco newbie, configuring this took me quite a bit of time, though I have a much better feel for it now.

It all works PERFECTLY with the Cisco VPN client on the end users' PCs, but now I'm told some of them won't/can't use the Cisco VPN client because it causes too many problems with other VPNs and VPN software on the PCs (I'm half inclined to agree with them on this actually, the client can get a bit of a god complex on a PC!).  They want to use the standard Windows XP client to connect up to the VPN.

So I understand it is possible to use the Windows XP client, but it won't connect to my setup and I wonder what changes I need to make to my config to make it happen.  Can somebody talk me through the basics (dos and don'ts) of getting the built-in Windows XP VPN to connect to a PIX VPN and have a look at the config below and see where I'm going wrong.  I'll just say again that this is working exactly the way I want it to, assuming you use the Cisco VPN client, just wondering what I have to do to make it work with Windows.  I have a feeling there's some stuff in here Windows doesn't support?

NOTES: 172.28.29.30 is the internal IP of the server I want clients to be able to access (only on port 5900 in this config example).  The clients are given IPs in range 10.25.11.x and I want to use split tunneling for them...


Any help appreciated!


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXX encrypted
hostname XXXXXXXXXXXX
domain-name XXXXXXXXXXXXX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 102 remark ACL for split tunneling, defines routes added to clients
access-list 102 permit ip host 172.28.29.30 10.25.11.0 255.255.255.0
access-list 103 remark ACL for outbound traffic
access-list 103 permit icmp any 10.25.11.0 255.255.255.0
access-list 103 deny ip any any
access-list 104 remark ACL for inbound traffic
access-list 104 permit icmp any any
access-list 104 permit tcp 10.25.11.0 255.255.255.0 host 172.28.29.30 eq 5900
access-list 104 deny ip any any
access-list 105 remark ACL for NONAT, defines VPN traffic
access-list 105 permit ip 172.28.29.0 255.255.255.0 10.25.11.0 255.255.255.0
access-list 105 deny ip any any
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.XXX.XXX 255.255.255.248
ip address inside 172.28.29.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.25.11.1-10.25.11.254 mask 255.255.255.255
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 105
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 104 in interface outside
access-group 103 in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set transset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set transset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool vpnpool1
vpngroup mygroup split-tunnel 102
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
telnet timeout 5
ssh timeout 5
console timeout 0
username XXXXXX password XXXXXXXXXXXXXXX encrypted privilege 0
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXX
ASKER CERTIFIED SOLUTION
RPPreacher
Zenith63 (ASKER)

Thanks for the reply RPPreacher.

Am I right in thinking using this vpdn is a different way of configuring my VPN tunnels on the PIX?  I mean I can't just add the command "vpdn group 1 ppp encryption mppe 128" to the above configuration and expect it to work can I?  I'd basically want to scrap my above VPN config and go to a vpdn type config?

As I say I'm a complete newbie to Ciscos in general so you'll have to be a bit more specific if you don't mind.

Ideally what I want is to essentially keep the setup I have but add a command or two to allow the Windows VPN connect for those who don't want to use the Cisco one.  Is this not possible?

OK I have vpdn accepting connections and the VPN tunnel working well from Windows clients, the only thing that isn't matching my original config is the local list of usernames/passwords on the PIX.  VPDN uses its own local list it seems, but can only store one username and password?  Is there any way for it to use the list of users the PIX uses for the likes of the command "crypto map map1 client authentication LOCAL"?  Or am I being forced into a RADIUS server here as I need a separate username/password for about 25-30 users?

I guess you pointed me in the right direction RPPreacher so I'll close this question.
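A PPTP (vpdn) configuration in the shape the follow-up above describes, with per-user authentication handed to the RADIUS group rather than the vpdn local list, is shown below as an added example; it is not RPPreacher's answer or part of the original config, and the RADIUS server address 172.28.29.40 and the shared key are placeholders I assumed.

```text
: Added example, not from the original post: PPTP terminated on the PIX 6.3
: alongside the existing IPsec config, with per-user auth via RADIUS.
: 172.28.29.40 and the key are placeholders, not values from the page.
:
: Point the RADIUS group already declared in the config at a real server.
aaa-server RADIUS (inside) host 172.28.29.40 RADIUS_SHARED_KEY_PLACEHOLDER timeout 5
:
: Accept PPTP dial-in from the Windows built-in client.
vpdn group 1 accept dialin pptp
: MS-CHAP is what the XP client uses for PPTP; require 128-bit MPPE so the
: tunnel refuses to come up unencrypted.
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
: Hand out addresses from the same pool as the IPsec clients, so ACL 104
: (tcp/5900 to 172.28.29.30 only) and the NONAT list 105 still apply.
vpdn group 1 client configuration address local vpnpool1
: Per-user credentials come from RADIUS rather than a vpdn local entry;
: "client authentication local" with "vpdn username" is the alternative
: for a handful of accounts.
vpdn group 1 client authentication aaa RADIUS
vpdn group 1 pptp echo 60
vpdn enable outside
: Let the PPTP control channel (tcp/1723) and GRE reach the PIX itself
: without opening them in ACL 104.
sysopt connection permit-pptp
```

PPTP with MS-CHAP and MPPE is considerably weaker than the AES-256/SHA IPsec policy already on the box, so keep the IPsec group as the default and treat this as the compatibility path for the clients that cannot run the Cisco client. After applying, "show vpdn tunnel" and "show vpdn session" confirm that connecting users land in the 10.25.11.x pool and are still bound by ACL 104.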