VPN working on PIX506E, but want to connect with Windows VPN Client now?

Asked by Zenith63
Topics: Windows XP, Hardware Firewalls, Cisco
Hi,

I have a VPN configuration set up on a PIX506E such that users can connect in but are only able to access one server on a couple of specific ports.  The data being transmitted is quite sensitive, so I've been aiming for maximum security all along.  Having said that, I should point out I am very much a Cisco newbie; configuring this took me quite a bit of time, though I have a much better feel for it now.

It all works PERFECTLY with the Cisco VPN client on the end users' PCs, but now I'm told some of them won't/can't use the Cisco VPN client because it causes too many problems with other VPNs and VPN software on the PCs (I'm half inclined to agree with them on this actually; the client can get a bit of a god complex on a PC!).  They want to use the standard Windows XP client to connect up to the VPN.

So I understand it is possible to use the Windows XP client, but it won't connect to my setup, and I wonder what changes I need to make to my config to make it happen.  Can somebody talk me through the basics (dos and don'ts) of getting the built-in Windows XP VPN to connect to a PIX VPN, have a look at the config below, and see where I'm going wrong?  I'll just say again that this is working exactly the way I want it to, assuming you use the Cisco VPN client; I'm just wondering what I have to do to make it work with Windows.  I have a feeling there's some stuff in here Windows doesn't support?

NOTES: 172.28.29.30 is the internal IP of the server I want clients to be able to access (only on port 5900 in this config example).  The clients are given IPs in range 10.25.11.x and I want to use split tunneling for them...


Any help appreciated!


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXX encrypted
hostname XXXXXXXXXXXX
domain-name XXXXXXXXXXXXX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 102 remark ACL for split tunneling, defines routes added to clients
access-list 102 permit ip host 172.28.29.30 10.25.11.0 255.255.255.0
access-list 103 remark ACL for outbound traffic
access-list 103 permit icmp any 10.25.11.0 255.255.255.0
access-list 103 deny ip any any
access-list 104 remark ACL for inbound traffic
access-list 104 permit icmp any any
access-list 104 permit tcp 10.25.11.0 255.255.255.0 host 172.28.29.30 eq 5900
access-list 104 deny ip any any
access-list 105 remark ACL for NONAT, defines VPN traffic
access-list 105 permit ip 172.28.29.0 255.255.255.0 10.25.11.0 255.255.255.0
access-list 105 deny ip any any
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.XXX.XXX 255.255.255.248
ip address inside 172.28.29.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.25.11.1-10.25.11.254 mask 255.255.255.255
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 105
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 104 in interface outside
access-group 103 in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set transset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set transset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool vpnpool1
vpngroup mygroup split-tunnel 102
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
telnet timeout 5
ssh timeout 5
console timeout 0
username XXXXXX password XXXXXXXXXXXXXXX encrypted privilege 0
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXX
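The following is an added illustration, not part of the original post and not the site's (paywalled) answer. The root of the mismatch is that the posted config serves the Cisco VPN client's profile: IKE aggressive mode with a group name, XAUTH ("crypto map map1 client authentication LOCAL"), mode-config address and split-tunnel push ("vpngroup ..."), AES-256, and tunnel-mode ESP. The Windows XP built-in client speaks L2TP over IPsec instead: IKE main mode identified by IP address, a pre-shared key or certificate, no XAUTH, no mode-config, transport-mode ESP carrying L2TP/UDP 1701, with per-user credentials exchanged inside PPP. The XP IPsec stack only offers DES/3DES with MD5/SHA-1 and DH group 2 (AES arrived with Vista), so policy 10 and transset1 will never match its proposals. The delta below adds a parallel L2TP/IPsec path while leaving the Cisco-client entries untouched. Names (l2tpset, l2tpipsec, sequence/policy 20, xpuser) and the placeholder secrets are assumptions; the command syntax follows the PIX 6.3 command reference, so verify each line against the installed release, and strip the "!" explanatory lines before pasting.

```text
! Added example only; not the original poster's config. Hypothetical names:
! l2tpset, l2tpipsec, sequence/policy 20, xpuser. Existing entries (transset1,
! map2 10, policy 10, vpngroup mygroup) stay as posted so the Cisco client keeps working.
!
! 1. Transform set the XP client can match: 3DES/SHA-1 in TRANSPORT mode for L2TP.
crypto ipsec transform-set l2tpset esp-3des esp-sha-hmac
crypto ipsec transform-set l2tpset mode transport
crypto dynamic-map map2 20 set transform-set l2tpset
!
! 2. Phase-1 policy XP can accept (3DES, SHA-1, DH group 2). Policy 10 (AES-256)
!    stays first and is still what the Cisco client negotiates.
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
!
! 3. XP identifies itself by address in main mode and cannot do XAUTH or mode-config,
!    so it needs a wildcard pre-shared key that skips both. Without "no-xauth" the
!    existing "crypto map map1 client authentication LOCAL" demands XAUTH after
!    phase 1 and the XP client fails there.
isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
!
! 4. Terminate L2TP on the PIX with per-user PPP authentication. Addresses come from
!    the same pool, so ACLs 102/104/105 and "nat (inside) 0" keep covering 10.25.11.0/24.
vpdn group l2tpipsec accept dialin l2tp
vpdn group l2tpipsec ppp authentication mschap
vpdn group l2tpipsec client configuration address local vpnpool1
vpdn group l2tpipsec client authentication local
vpdn group l2tpipsec l2tp tunnel hello 60
vpdn username xpuser password REPLACE-WITH-USER-PASSWORD
vpdn enable outside
!
! 5. Only if XP clients sit behind a NAT router: let IKE negotiate UDP encapsulation.
isakmp nat-traversal 20
!
! Deliberately NOT added: "sysopt connection permit-ipsec". The posted design relies on
! access-list 104 limiting decrypted client traffic to 172.28.29.30 tcp/5900; that sysopt
! would exempt all IPsec peers from the interface ACL.
```

On the XP side the connection type must be "L2TP IPSec VPN" (PPTP uses GRE, not IPsec), the pre-shared key goes under Security > IPSec Settings, and MS-CHAP must be among the allowed protocols. Split tunneling cannot be pushed to this client: access-list 102 only reaches Cisco-client users, so on XP it is the "Use default gateway on remote network" checkbox under the connection's TCP/IP advanced settings that decides whether non-172.28.29.30 traffic goes down the tunnel. Two security caveats follow from the delta: the wildcard PSK is shared by every XP user, so the real per-user gate is the MS-CHAP credential plus ACL 104 (certificate authentication would remove the shared secret); and this path runs 3DES rather than the AES-256 the Cisco client gets, which is the price of the XP IPsec stack. After a first test connection, confirm with "show access-list 104" that the tcp/5900 and deny entries accumulate hits for the XP client's pool address, which proves the decrypted traffic is still being filtered.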