
VPN working on PIX506E, but want to connect with Windows VPN Client now?

Asked by Zenith63
Tags: Hardware Firewalls, Cisco, Windows XP

I have a VPN configuration set up on a PIX506E such that users can connect in but are only able to access one server on a couple of specific ports. The data being transmitted is quite sensitive, so I've been aiming for maximum security all along. Having said that, I should point out I am very much a Cisco newbie; configuring this took me quite a bit of time, though I have a much better feel for it now.

It all works PERFECTLY with the Cisco VPN client on the end users' PCs, but now I'm told some of them won't/can't use the Cisco VPN client because it causes too many problems with other VPNs and VPN software on the PCs (I'm half inclined to agree with them on this actually; the client can get a bit of a god complex on a PC!). They want to use the standard Windows XP client to connect up to the VPN.

So I understand it is possible to use the Windows XP client, but it won't connect to my setup, and I wonder what changes I need to make to my config to make it happen. Can somebody talk me through the basics (dos and don'ts) of getting the built-in Windows XP VPN to connect to a PIX VPN, and have a look at the config below to see where I'm going wrong? I'll just say again that this is working exactly the way I want it to, assuming you use the Cisco VPN client; I'm just wondering what I have to do to make it work with Windows. I have a feeling there's some stuff in here Windows doesn't support?

NOTES: is the internal IP of the server I want clients to be able to access (only on port 5900 in this config example).  The clients are given IPs in range 10.25.11.x and I want to use split tunneling for them...

Any help appreciated!

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXX encrypted
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 102 remark ACL for split tunneling, defines routes added to clients
access-list 102 permit ip host
access-list 103 remark ACL for outbound traffic
access-list 103 permit icmp any
access-list 103 deny ip any any
access-list 104 remark ACL for inbound traffic
access-list 104 permit icmp any any
access-list 104 permit tcp host eq 5900
access-list 104 deny ip any any
access-list 105 remark ACL for NONAT, defines VPN traffic
access-list 105 permit ip
access-list 105 deny ip any any
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.XXX.XXX
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 mask
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 105
nat (inside) 1 0 0
access-group 104 in interface outside
access-group 103 in interface inside
route outside XXX.XXX.XXX.XXX 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set transset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set transset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool vpnpool1
vpngroup mygroup split-tunnel 102
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
telnet timeout 5
ssh timeout 5
console timeout 0
username XXXXXX password XXXXXXXXXXXXXXX encrypted privilege 0
terminal width 80
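As an added example (not part of the original question or of any answer on this page), the following Python script audits a PIX 6.3-style configuration dump for the hardening points this setup is built around: the IKE policy and ESP transform-set strength, whether the split-tunnel ACL hands clients a single host route rather than a whole network, whether the outside-interface ACL ends in an explicit deny and contains any "any to any" permits, and two items that are literally present in the posted config, `snmp-server community public` (a well-known default community string) and `logging console debugging`. The embedded sample config is constructed: it reuses the posted lines, but with placeholder addresses (10.0.0.10 for the protected server, 10.25.11.0/24 for the client pool the post mentions) because the post's real addresses were redacted. Entries with missing tokens, as in the redacted post, are reported rather than crashing the parser.

```python
import re

# Constructed sample: the real config in the post had its IP addresses
# redacted, so 10.0.0.10 (server) and 10.25.11.0/24 (VPN pool) are
# placeholders chosen for this example.
PIX_CONFIG = """\
access-list 102 remark ACL for split tunneling, defines routes added to clients
access-list 102 permit ip host 10.0.0.10 10.25.11.0 255.255.255.0
access-list 104 remark ACL for inbound traffic
access-list 104 permit icmp any any
access-list 104 permit tcp 10.25.11.0 255.255.255.0 host 10.0.0.10 eq 5900
access-list 104 deny ip any any
access-group 104 in interface outside
snmp-server community public
logging console debugging
crypto ipsec transform-set transset1 esp-aes-256 esp-sha-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
vpngroup mygroup address-pool vpnpool1
vpngroup mygroup split-tunnel 102
"""

WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
DEFAULT_COMMUNITIES = {"public", "private"}


def config_lines(text):
    """Split a config dump into stripped, non-empty, non-comment lines."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def acl_entries(lines, acl_id):
    """Return the non-remark entries of access-list <acl_id>, each as a token
    list starting at the action (permit/deny)."""
    prefix = f"access-list {acl_id} "
    entries = []
    for ln in lines:
        if ln.startswith(prefix):
            toks = ln.split()
            if toks[2] != "remark":
                entries.append(toks[2:])
    return entries


def audit(text):
    """Return a list of human-readable findings for the given PIX config."""
    lines = config_lines(text)
    findings = []

    for ln in lines:
        m = re.match(r"snmp-server community (\S+)", ln)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"SNMP community '{m.group(1)}' is a well-known default")

        if ln == "logging console debugging":
            findings.append("console logging at debugging level; send logs to a "
                            "syslog host and lower the console level")

        m = re.match(r"isakmp policy \d+ encryption (\S+)", ln)
        if m and m.group(1) in WEAK_IKE_ENCRYPTION:
            findings.append(f"IKE policy uses weak cipher {m.group(1)}")

        m = re.match(r"isakmp policy \d+ hash (\S+)", ln)
        if m and m.group(1) in WEAK_IKE_HASH:
            findings.append(f"IKE policy uses weak hash {m.group(1)}")

        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", ln)
        if m:
            weak = sorted(set(m.group(2).split()) & WEAK_ESP)
            if weak:
                findings.append(f"transform-set {m.group(1)} uses weak "
                                f"transforms: {', '.join(weak)}")

        # Split-tunnel ACL: each permit should name a single host so clients
        # only get a route to the protected server.
        m = re.match(r"vpngroup (\S+) split-tunnel (\d+)", ln)
        if m:
            for e in acl_entries(lines, m.group(2)):
                if e[:1] == ["permit"] and e[2:3] != ["host"]:
                    findings.append(f"split-tunnel ACL {m.group(2)} for group "
                                    f"{m.group(1)} is not a single-host route: "
                                    f"{' '.join(e)}")

        # Outside-interface ACL: explicit final deny, no any-to-any permits.
        m = re.match(r"access-group (\d+) in interface outside", ln)
        if m:
            entries = acl_entries(lines, m.group(1))
            if not entries or entries[-1][:4] != ["deny", "ip", "any", "any"]:
                findings.append(f"inbound ACL {m.group(1)} has no explicit "
                                "deny ip any any at the end")
            for e in entries:
                if e[:1] == ["permit"] and e[2:4] == ["any", "any"]:
                    proto = e[1] if len(e) > 1 else "?"
                    findings.append(f"inbound ACL {m.group(1)} permits {proto} "
                                    "from any to any")
    return findings


if __name__ == "__main__":
    for finding in audit(PIX_CONFIG):
        print("-", finding)
```

Run against the constructed sample it reports three findings: the default SNMP community, console debug logging, and the `permit icmp any any` on the outside interface; the AES-256/SHA crypto and the single-host split-tunnel entry pass. Paste the real (unredacted) config into `PIX_CONFIG` to check the live box.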
