Solved

Radius + PIX + VPN + IAS

Posted on 2007-03-27
Last Modified: 2013-12-04
> I am new to Cisco and am having some problems.  I am referring to this:
>
> http://www.experts-exchange.com/Security/Software_Firewalls/Q_22016322.html
>
> I am setting up.. well, trying to set up VPN access.
>
> I set up the Windows 2003 server with IAS.
>
> I actually see that there is attempted access to the IAS; but I NEVER
> get authentication; it always says the authentication failed.
>
> When I connect, it asks for user name and password; sits there and
> waits.. and then fails.  I did enable dial-up.
>
> I am using the Cisco client 4.8; could there be a version conflict
> between 4.8 and PIX version 6.3?
>
> I appreciate any help you can give me.
>
> Shawn
PIX Config

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ayES3UY1NuNSgrCy encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname lstechpix
domain-name lstechllc.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host 111.183.5.248 eq ssh
access-list 101 permit tcp any host 111.183.5.248 eq https
access-list 101 permit tcp any host 111.183.5.248 eq 3389
access-list 101 permit tcp any host 111.183.5.248 eq ftp-data
access-list 101 permit tcp any host 111.183.5.248 eq ftp
access-list 111 deny ip host 202.213.201.85 any
access-list 111 permit ip any any
access-list 111 deny ip host 58.60.237.66 any
access-list 111 deny ip host 218.57.8.24 any
access-list 111 deny ip host 207.218.250.80 any
access-list 1 deny host 67.106.213.90
access-list 1 permit any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 192.168.2.1-192.168.2.254
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 58.60.237.66 255.255.255.255 outside
pdm location 202.213.201.85 255.255.255.255 outside
pdm location 207.218.250.80 255.255.255.255 outside
pdm location 218.57.8.24 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 111.183.5.248 ssh 192.168.1.2 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 111.183.5.248 3389 192.168.1.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 111.183.5.248 https 192.168.1.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 111.183.5.248 ftp-data 192.168.1.3 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 111.183.5.248 ftp 192.168.1.3 ftp netmask 255.255.255.255 0 0
access-group 111 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.1.2 timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map dyn-map client token authentication RADIUS
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup LSTECHVPN address-pool VPNPOOL
vpngroup LSTECHVPN dns-server 192.168.1.2 68.100.16.30
vpngroup LSTECHVPN default-domain LSTECHLLC-HQ
vpngroup LSTECHVPN idle-time 1800
vpngroup LSTECHVPN password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.150-192.168.1.254 inside
dhcpd dns 192.168.1.2 68.100.16.30
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:06b38f116a86f8667a69b38d244374c0
: end
[OK]


Question by:Shawnspi

70 Comments

Expert Comment

by:ed_reyes
ID: 18804840
I don't have a copy of a 6.x PIX config, but I believe you're supposed to set a shared secret between IAS and the device.  I don't see your radius key set.  When you added the device in IAS, did you specify a key?  If so, your config should look something like:

aaa-server RADIUS (inside) host 192.168.1.2 timeout 10
     key <shared_secret>

Can you provide copies of your event logs from your IAS server?


Author Comment

by:Shawnspi
ID: 18806988
I used the PDM wizard to do the VPN on the PIX.
When I typed what you said...I got this response:

lstechpix(config)# aaa-server RADIUS (inside) host 192.168.1.2 timeout 10 key $
no encryption key found. Using unencrypted mode.
server exists


Below is what I got from the IAS log:

192.168.1.1,Cisco,03/26/2007,12:54:26,IAS,LSTECH01,4,192.168.1.1,31,75.197.32.240,5,84,4108,192.168.1.1,4116,0,4128,LSTECHVPN,5000,ip:source-ip=75.197.32.240,4155,1,4154,Use Windows authentication for all users,4129,LSTECHLLC-HQ\Cisco,4130,LSTECHLLC-HQ\Cisco,4127,1,25,311 1 192.168.1.2 03/22/2007 18:02:29 21,4136,1,4142,0
192.168.1.1,Cisco,03/26/2007,12:54:26,IAS,LSTECH01,25,311 1 192.168.1.2 03/22/2007 18:02:29 21,4127,1,4130,LSTECHLLC-HQ\Cisco,4129,LSTECHLLC-HQ\Cisco,4154,Use Windows authentication for all users,4108,192.168.1.1,4116,0,4128,LSTECHVPN,4155,1,4136,3,4142,16
192.168.1.1,Cisco,03/26/2007,12:54:36,IAS,LSTECH01,4,192.168.1.1,31,75.197.32.240,5,85,4108,192.168.1.1,4116,0,4128,LSTECHVPN,5000,ip:source-ip=75.197.32.240,4155,1,4154,Use Windows authentication for all users,4129,LSTECHLLC-HQ\Cisco,4130,LSTECHLLC-HQ\Cisco,4127,1,25,311 1 192.168.1.2 03/22/2007 18:02:29 22,4136,1,4142,0
192.168.1.1,Cisco,03/26/2007,12:54:36,IAS,LSTECH01,25,311 1 192.168.1.2 03/22/2007 18:02:29 22,4127,1,4130,LSTECHLLC-HQ\Cisco,4129,LSTECHLLC-HQ\Cisco,4154,Use Windows authentication for all users,4108,192.168.1.1,4116,0,4128,LSTECHVPN,4155,1,4136,3,4142,16
192.168.1.1,Cisco,03/26/2007,12:54:46,IAS,LSTECH01,4,192.168.1.1,31,75.197.32.240,5,86,4108,192.168.1.1,4116,0,4128,LSTECHVPN,5000,ip:source-ip=75.197.32.240,4155,1,4154,Use Windows authentication for all users,4129,LSTECHLLC-HQ\Cisco,4130,LSTECHLLC-HQ\Cisco,4127,1,25,311 1 192.168.1.2 03/22/2007 18:02:29 23,4136,1,4142,0
192.168.1.1,Cisco,03/26/2007,12:54:46,IAS,LSTECH01,25,311 1 192.168.1.2 03/22/2007 18:02:29 23,4127,1,4130,LSTECHLLC-HQ\Cisco,4129,LSTECHLLC-HQ\Cisco,4154,Use Windows authentication for all users,4108,192.168.1.1,4116,0,4128,LSTECHVPN,4155,1,4136,3,4142,16
192.168.1.1,Cisco,03/26/2007,12:54:56,IAS,LSTECH01,4,192.168.1.1,31,75.197.32.240,5,87,4108,192.168.1.1,4116,0,4128,LSTECHVPN,5000,ip:source-ip=75.197.32.240,4155,1,4154,Use Windows authentication for all users,4129,LSTECHLLC-HQ\Cisco,4130,LSTECHLLC-HQ\Cisco,4127,1,25,311 1 192.168.1.2 03/22/2007 18:02:29 24,4136,1,4142,0
192.168.1.1,Cisco,03/26/2007,12:54:56,IAS,LSTECH01,25,311 1 192.168.1.2 03/22/2007 18:02:29 24,4127,1,4130,LSTECHLLC-HQ\Cisco,4129,LSTECHLLC-HQ\Cisco,4154,Use Windows authentication for all users,4108,192.168.1.1,4116,0,4128,LSTECHVPN,4155,1,4136,3,4142,16

Thanks.

Expert Comment

by:Sorenson
ID: 18816252
In the event log, what IAS message appears?  Is the IAS configured to allow unencrypted traffic? It looks like the IAS cannot understand the request.  Check this Cisco doc http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml for setup of the IAS.

Author Comment

by:Shawnspi
ID: 18816719
Event Log:

User Cisco was denied access.
 Fully-Qualified-User-Name = LSTECHLLC-HQ\Cisco
 NAS-IP-Address = 192.168.1.1
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = 75.197.32.240
 Client-Friendly-Name = LSTECHVPN
 Client-IP-Address = 192.168.1.1
 NAS-Port-Type = <not present>
 NAS-Port = 76
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 16
 Reason = Authentication was not successful because an unknown user name or incorrect password was used.

Author Comment

by:Shawnspi
ID: 18816746
I did something to IAS .. and now I get:

User sspickler was denied access.
 Fully-Qualified-User-Name = <undetermined>
 NAS-IP-Address = 192.168.1.1
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = 75.196.120.18
 Client-Friendly-Name = LSTECHVPN
 Client-IP-Address = 192.168.1.1
 NAS-Port-Type = <not present>
 NAS-Port = 103
 Proxy-Policy-Name = <none>
 Authentication-Provider = <undetermined>
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = <undetermined>
 EAP-Type = <undetermined>
 Reason-Code = 49
 Reason = The connection attempt did not match any connection request policy.

Anyway to reset policy to defaults?

LVL 10

Expert Comment

by:Sorenson
ID: 18817172
No, the policy defaults are not what you want.
It looks like the client portion is set up correctly.
Go to the remote access policies and create a new one.  Call it whatever.  Add a policy condition, NAS-IP-Address, and set it to match the internal IP address of the PIX (you can also add a Windows group here if you want users to be part of a group to log on).  Be sure the box to grant remote access permission is also checked.  Then edit the profile; under encryption be sure that each is checked, basic through no.  Under authentication be sure all are checked except unauthenticated access.  Make sure this policy is listed above any others.

Make sure the user that you are testing with has the dial-in permission enabled on his/her AD account.



Author Comment

by:Shawnspi
ID: 18817381
I did what you said.. and I am getting the same error..

I allowed all domain users.. and NAS-IP-Address from 192.168.1.1 ...

any other thoughts?

Author Comment

by:Shawnspi
ID: 18817410
Another thing..

On a user, the Control access through Remote Access Policy option is grayed out...

I can set allow or deny, though.

Expert Comment

by:Sorenson
ID: 18818357
Ok.  Not sure where the problem is.  Try using a user name that includes the pre-AD domain (i.e. domain\username), just to check.

in your pix you have:
aaa-server RADIUS (inside) host 192.168.1.2 timeout 10
change it to
!
aaa-server RADIUS (inside) host 192.168.1.2 xxxxx timeout 10
!
where xxxxx is the password you set for preshared secret in IAS


In IAS, under RADIUS client, it should be the PIX name (or whatever you want to list it as), the internal PIX IP and a protocol type of RADIUS / RADIUS Standard.
Under Remote Access Policies, policy for access order #1, open the policy, specific to NAS-IP address (matches the internal address that was used in the RADIUS client area); at this point remove the group for testing.  Grant remote access permission is checked.  Click on Edit profile, click the IP tab: server settings determine IP address assignment (the PIX gives addresses from its IP pool); nothing checked in dial-in constraints; multilink: server settings determine multilink; advanced: framed-protocol PPP and service-type framed; encryption: all checked; authentication: all checked (except unauthenticated access); EAP Methods button: nothing specified in the box.

Connection request processing - Connection request policies: 1 policy, Use Windows Authentication for all users.  Properties of the policy: day/time matches all days; edit profile button: authentication - authenticate requests on this server is selected; accounting - greyed out; attribute - blank; advanced - blank.

After checking settings, restart IAS service and test again.

Author Comment

by:Shawnspi
ID: 18818525
Ok...

So.. it was the Connection Request Processing that wasn't there that caused that problem.

I still cannot authenticate:

User sspickler was denied access.
 Fully-Qualified-User-Name = LSTECHLLC-HQ\sspickler
 NAS-IP-Address = 192.168.1.1
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = 75.197.62.199
 Client-Friendly-Name = LSTECHVPN
 Client-IP-Address = 192.168.1.1
 NAS-Port-Type = <not present>
 NAS-Port = 182
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 16
 Reason = Authentication was not successful because an unknown user name or incorrect password was used.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


And yes, the account exists, I know the password, and Dial-up is checked.

Expert Comment

by:Sorenson
ID: 18818597
Did you try both ways (with and without the domain)? Same result?

Change crypto map dyn-map client token authentication RADIUS to
!
crypto map dyn-map client authentication RADIUS
!

Author Comment

by:Shawnspi
ID: 18818652
Yes, I did, both with and without the domain.

when I did this line aaa-server RADIUS (inside) host 192.168.1.2 xxxxx timeout 10
I get : server exists

current config:
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ayES3UY1NuNSgrCy encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname lstechpix
domain-name lstechllc.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host 70.183.5.248 eq ssh
access-list 101 permit tcp any host 70.183.5.248 eq https
access-list 101 permit tcp any host 70.183.5.248 eq 3389
access-list 101 permit tcp any host 70.183.5.248 eq ftp-data
access-list 101 permit tcp any host 70.183.5.248 eq ftp
access-list 111 deny ip host 202.213.201.85 any
access-list 111 permit ip any any
access-list 111 deny ip host 58.60.237.66 any
access-list 111 deny ip host 218.57.8.24 any
access-list 111 deny ip host 207.218.250.80 any
access-list 1 deny host 67.106.213.90
access-list 1 permit any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 192.168.2.1-192.168.2.254
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 58.60.237.66 255.255.255.255 outside
pdm location 202.213.201.85 255.255.255.255 outside
pdm location 207.218.250.80 255.255.255.255 outside
pdm location 218.57.8.24 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 70.183.5.248 ssh 192.168.1.2 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.183.5.248 3389 192.168.1.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.183.5.248 https 192.168.1.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.183.5.248 ftp-data 192.168.1.3 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.183.5.248 ftp 192.168.1.3 ftp netmask 255.255.255.255 0 0
access-group 111 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.1.2 timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map dyn-map client authentication RADIUS
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup LSTECHVPN address-pool VPNPOOL
vpngroup LSTECHVPN dns-server 192.168.1.2 68.100.16.30
vpngroup LSTECHVPN default-domain LSTECHLLC-HQ
vpngroup LSTECHVPN idle-time 1800
vpngroup LSTECHVPN password ********
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.150-192.168.1.254 inside
dhcpd dns 192.168.1.2 68.100.16.30
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:0c3b257ae39a92558609afe395768d3f
: end




Would I be getting hits on the IAS server if something was terribly wrong with the PIX, like if the shared password was not matching?

Thanks!!!

Expert Comment

by:Sorenson
ID: 18818696
Do the following commands, change xxxx to the pre-shared radius password in IAS
!
no crypto map dyn-map client token authentication RADIUS
no aaa-server RADIUS (inside) host 192.168.1.2 timeout 10
!
aaa-server RADIUS (inside) host 192.168.1.2 xxxxx  timeout 10
!
crypto map dyn-map client authentication RADIUS
!

Author Comment

by:Shawnspi
ID: 18818735
It doesn't like this command:
no aaa-server RADIUS (inside) host 192.168.1.2 timeout 10


I also found this:
http://support.microsoft.com/?id=893318

Expert Comment

by:Sorenson
ID: 18818971
can you repost a sanitized config of the pix?  I think the one above is old.

I am not sure the article pertains to the problem.  The PIX uses PAP authentication (unencrypted), not MS-CHAP.

Author Comment

by:Shawnspi
ID: 18819695
That is the most current one.


Expert Comment

by:Sorenson
ID: 18822644
I am not sure that it is a problem.  When you configured the radius host on the IAS did you specify a password for it?  If so, it needs to be in that aaa-server line.


!
no aaa-server RADIUS (inside) host 192.168.1.2 timeout 10
aaa-server RADIUS (inside) host 192.168.1.2 xxxxxx timeout 10
!
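An added illustration (not code from the thread, the PIX or IAS) of why the shared secret keeps coming up. With PAP, the NAS hides the User-Password as RFC 2865 section 5.2 describes: pad to 16-byte blocks, XOR the first block with MD5(secret + Request-Authenticator), then each following block with MD5(secret + previous ciphertext block). An Access-Request carries no proof of the secret itself unless a Message-Authenticator attribute is present, so a server configured with a different secret sees no "bad secret" error: it unhides garbage, compares it to the account's password and rejects the attempt as a bad password, which is one way to end up with reason code 16 while typing the right password. The secrets, the account table and the fixed Request-Authenticator below are made up for the example.

```python
"""RADIUS PAP User-Password hiding (RFC 2865 section 5.2) and what a server
sees when the NAS and the server disagree on the shared secret.

Added example for this thread; not Cisco or Microsoft code.  Secrets,
accounts and the Request-Authenticator are constructed for the demo."""
import hashlib
import os

BLOCK = 16

# RADIUS codes as they appear in the IAS log (attribute 4136) and the
# IAS reason codes (attribute 4142) seen earlier in this thread.
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
REASON_OK, REASON_BAD_CREDENTIALS = 0, 16


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """NAS side.  Pad with NULs to a multiple of 16 and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the 16-byte
    Request-Authenticator from the packet header."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], mask))
        out += block
        prev = block  # chaining: the next mask depends on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side.  Same keystream, XOR back, strip the NUL padding.
    Nothing here can detect a wrong secret; it just produces other bytes."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + BLOCK], mask))
        prev = hidden[i:i + BLOCK]
    return bytes(out).rstrip(b"\x00")


ACCOUNTS = {"sspickler": b"correct horse"}  # constructed account table


def server_decision(username: str, hidden: bytes, request_authenticator: bytes,
                    server_secret: bytes, accounts=ACCOUNTS):
    """Model of the PAP path on the server: unhide with *its* secret and
    compare.  Returns (packet_type, reason_code) in IAS 4136/4142 terms."""
    candidate = reveal_password(hidden, server_secret, request_authenticator)
    if accounts.get(username) == candidate:
        return ACCESS_ACCEPT, REASON_OK
    return ACCESS_REJECT, REASON_BAD_CREDENTIALS


def attempt(username: str, password: bytes, nas_secret: bytes, server_secret: bytes,
            request_authenticator: bytes = None):
    """One login: hidden by the NAS with nas_secret, judged by the server
    with server_secret.  A fresh random authenticator is used unless given."""
    ra = request_authenticator or os.urandom(BLOCK)
    hidden = hide_password(password, nas_secret, ra)
    return server_decision(username, hidden, ra, server_secret)


if __name__ == "__main__":
    ra = bytes(range(16))  # fixed authenticator so the demo is reproducible
    print("matching secret :", attempt("sspickler", b"correct horse", b"pixsecret", b"pixsecret", ra))
    print("secret mismatch :", attempt("sspickler", b"correct horse", b"", b"pixsecret", ra))
    print("wrong password  :", attempt("sspickler", b"wrong", b"pixsecret", b"pixsecret", ra))
```

Only the matching-secret case accepts; a mismatched secret and a wrong password produce the identical (Access-Reject, 16) result, which is why the event log cannot tell the two apart. Whatever the PIX does when no key is configured, IAS still unhides with the secret it was given, so the comparison fails the same way.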

Expert Comment

by:Sorenson
ID: 18822654
Is IAS on a domain controller?  If not, follow http://support.microsoft.com/kb/826158 to specify the default domain to use for authentication.

Author Comment

by:Shawnspi
ID: 18822803
Sorenson,

I think it puts the password on this line:
vpngroup LSTECHVPN password ********

Author Comment

by:Shawnspi
ID: 18822888
The IAS is on the domain controller.  I tried the link you gave me.  I did not have the DefaultDomain string.

I created it, but still no luck.


Author Comment

by:Shawnspi
ID: 18822898
Sorenson,

Sorry for all the replies..



User Access Verification

Password:
Type help or '?' for a list of available commands.
lstechpix> en
Password: ********
lstechpix# config t
lstechpix(config)# no aaa-server RADIUS (inside) host 192.168.1.2 timeout 10
you must remove all AAA corresponding entries prior to
removing the last server in group RADIUS
Usage:  [no] aaa-server <tag> [<(if_name)>] host <ip_address> [<key>] [timeout <
seconds>]
       [no] aaa-server <tag> protocol tacacs+|radius
       [no] aaa-server <tag> max-failed-attempts <tries>
       [no] aaa-server <tag> deadtime <deadtimeout>
       clear aaa-server [<tag>]
       [no] aaa-server radius-authport [<auth_port>]
       [no] aaa-server radius-acctport [<acct_port>]
lstechpix(config)#

Expert Comment

by:Sorenson
ID: 18822936
gotcha. try
!
no crypto map dyn-map client authentication RADIUS
no aaa-server RADIUS (inside) host 192.168.1.2 timeout 10
aaa-server RADIUS (inside) host 192.168.1.2 xxxxxx timeout 10
crypto map dyn-map client authentication RADIUS
!

not sure if that will do it, if not you will probably need to remove all of the aaa-server RADIUS commands and put them back on.


Author Comment

by:Shawnspi
ID: 18822989
Yeah, same error.
This may sound stupid, but I have tried several times to remove the aaa-server.. but I have no idea how.  I always get errors.. even in the PDM..

Thanks

Expert Comment

by:Sorenson
ID: 18823011
hmm.  Lets just build another one...


aaa-server LSTECH01 protocol radius
aaa-server LSTECH01 max-failed-attempts 3
aaa-server LSTECH01 deadtime 10
aaa-server LSTECH01  (inside) host 192.168.1.2 xxxxx timeout 10
!
no crypto map dyn-map client authentication RADIUS
crypto map dyn-map client authentication LSTECH01
!
No need to change the IAS name (it doesn't matter), just be sure that xxxxx matches the RADIUS secret in IAS and that the IAS client is set to RADIUS Standard.




Author Comment

by:Shawnspi
ID: 18823125
I also had to add these lines:
vpngroup LSTECH01 address-pool VPNPOOL
vpngroup LSTECH01 dns-server 192.168.1.2 68.100.16.30
vpngroup LSTECH01 default-domain LSTECHLLC-HQ
vpngroup LSTECH01 idle-time 1800
vpngroup LSTECH01 password ********

I changed the client to use LSTECH01

and I still have the same problem.
I suck.

Expert Comment

by:Sorenson
ID: 18823185
silly question.  did you reboot the server after installing IAS?

Expert Comment

by:Sorenson
ID: 18823203
Is the event log entry the same?  Authentication was not successful because an unknown user name or incorrect password was used.


Author Comment

by:Shawnspi
ID: 18823429
The server has been rebooted many times.

And the event log is exactly the same...I wish there was a way to see exactly what it is failing on.

Thanks.

Expert Comment

by:Sorenson
ID: 18823515
Can you send the last few lines from the IAS log (windows\system32\logfiles)?

Do you capture logging from the pix to syslog?  I think we can use the debug aaa-server command to generate information on it.


Author Comment

by:Shawnspi
ID: 18823716
192.168.1.1,sspickler,03/30/2007,10:38:43,IAS,LSTECH01,4,192.168.1.1,31,75.198.119.126,5,24,4108,192.168.1.1,4116,0,4128,LSTECH01,5000,ip:source-ip=75.198.119.126,4155,1,4154,Use Windows authentication for all users,4129,IAS\sspickler,4130,IAS\sspickler,4127,1,25,311 1 192.168.1.2 03/30/2007 14:08:18 1,4136,1,4142,0
192.168.1.1,sspickler,03/30/2007,10:38:43,IAS,LSTECH01,25,311 1 192.168.1.2 03/30/2007 14:08:18 1,4127,1,4130,IAS\sspickler,4129,IAS\sspickler,4154,Use Windows authentication for all users,4108,192.168.1.1,4116,0,4128,LSTECH01,4155,1,4136,3,4142,16
192.168.1.1,sspickler,03/30/2007,10:38:53,IAS,LSTECH01,4,192.168.1.1,31,75.198.119.126,5,25,4108,192.168.1.1,4116,0,4128,LSTECH01,5000,ip:source-ip=75.198.119.126,4155,1,4154,Use Windows authentication for all users,4129,IAS\sspickler,4130,IAS\sspickler,4127,1,25,311 1 192.168.1.2 03/30/2007 14:08:18 2,4136,1,4142,0
192.168.1.1,sspickler,03/30/2007,10:38:53,IAS,LSTECH01,25,311 1 192.168.1.2 03/30/2007 14:08:18 2,4127,1,4130,IAS\sspickler,4129,IAS\sspickler,4154,Use Windows authentication for all users,4108,192.168.1.1,4116,0,4128,LSTECH01,4155,1,4136,3,4142,16


No, I don't capture it.. Like I said, I am VERY VERY new to PIX/Cisco.

Expert Comment

by:Sorenson
ID: 18823884
using http://technet2.microsoft.com/WindowsServer/en/library/f6322ae0-fb0a-4379-ad54-80bc62f783101033.mspx?mfr=true

Something looks wrong on IAS here:
192.168.1.1,sspickler,03/30/2007,10:38:43,IAS,LSTECH01,4,192.168.1.1,31,75.198.119.126,5,24,4108,192.168.1.1,4116,0,4128,LSTECH01,5000,ip:source-ip=75.198.119.126,4155,1,4154,Use Windows authentication for all users,4129,IAS\sspickler,4130,IAS\sspickler,4127,1,25,311 1 192.168.1.2 03/30/2007 14:08:18 1,4136,1,4142,0

when I look at logs from my equipment i see differences in a few spots.
,4128,LSTECH01
is LSTECH01 the name that you called the pix when you configured it as a Radius client in IAS?

4129,IAS\sspickler  and 4130, IAS\sspickler
it is trying to match IAS\sspickler as the name.  4129 - sam-account-name and 4130 - fq user name.

I wonder if it would be best to uninstall IAS, reboot, and reinstall it, reboot and then reconfigure it.  The connection request policy that you were missing earlier should have been there as a default part of the installation...
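The log lines quoted above are in the legacy "IAS format": six fixed fields (NAS IP, User-Name, date, time, service, computer name) followed by attribute-ID/value pairs, which is why the useful information is scattered along the line. The following Python is an added example, not from the thread, Microsoft or Cisco, that decodes those pairs into names for the attribute IDs that appear on this page and automates the two checks made by eye in the comment above: which records are Access-Rejects (4136 = 3) and with which Reason-Code (4142), and whether the SAM-Account-Name (4129) was resolved under the expected domain rather than, as here, IAS\. The two sample records are constructed in the same shape as the posted ones, with a documentation address for the caller.

```python
"""Decoder for legacy IAS-format log records (Windows Server 2003 IAS).

Added example for this thread; not Microsoft or Cisco code.  Only the
attribute IDs that appear on the page are named; anything else is kept as
'attr-<id>'.  The sample records are constructed."""
import csv

FIXED_FIELDS = ("nas_ip", "user_name", "date", "time", "service", "computer")

ATTRIBUTE_NAMES = {
    4: "NAS-IP-Address",
    5: "NAS-Port",
    25: "Class",
    31: "Calling-Station-Id",
    4108: "Client-IP-Address",
    4116: "Client-Vendor",
    4127: "Authentication-Type",
    4128: "Client-Friendly-Name",
    4129: "SAM-Account-Name",
    4130: "Fully-Qualified-User-Name",
    4136: "Packet-Type",
    4142: "Reason-Code",
    4154: "Proxy-Policy-Name",
    4155: "Authentication-Provider",
}
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request"}
VENDORS = {0: "RADIUS Standard", 9: "Cisco"}   # 9 is Cisco's IANA enterprise number
AUTH_TYPES = {1: "PAP"}                          # the only value seen in this thread
REASONS = {0: "success",
           16: "unknown user name or incorrect password",
           49: "no matching connection request policy"}   # codes seen in this thread


def parse_ias_record(line: str) -> dict:
    """Split one record into the six fixed fields plus an 'attrs' dict."""
    fields = next(csv.reader([line]))
    tail = fields[len(FIXED_FIELDS):]
    if len(fields) < len(FIXED_FIELDS) or len(tail) % 2:
        raise ValueError("malformed IAS-format record: %r" % line[:60])
    record = dict(zip(FIXED_FIELDS, fields))
    record["attrs"] = {
        ATTRIBUTE_NAMES.get(int(ident), "attr-%s" % ident): value
        for ident, value in zip(tail[::2], tail[1::2])
    }
    return record


def describe(record: dict) -> dict:
    """Pull out the handful of fields a troubleshooter looks at first."""
    a = record["attrs"]
    reason = int(a.get("Reason-Code", 0))
    return {
        "user": record["user_name"],
        "client": a.get("Client-Friendly-Name"),
        "vendor": VENDORS.get(int(a.get("Client-Vendor", -1)), "other"),
        "packet": PACKET_TYPES.get(int(a.get("Packet-Type", 0)), "unknown"),
        "auth_type": AUTH_TYPES.get(int(a.get("Authentication-Type", 0)), "other"),
        "reason": reason,
        "reason_text": REASONS.get(reason, "other"),
        "sam": a.get("SAM-Account-Name"),
    }


def audit(lines, expected_domain: str) -> list:
    """Two checks: every Access-Reject with its reason, and every record whose
    SAM-Account-Name was resolved under a domain other than expected_domain."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        d = describe(parse_ias_record(line))
        sam = d["sam"] or ""
        if "\\" in sam and sam.split("\\", 1)[0].upper() != expected_domain.upper():
            findings.append("%s: resolved as %s, expected %s\\%s"
                            % (d["user"], sam, expected_domain, d["user"]))
        if d["packet"] == "Access-Reject":
            findings.append("%s: Access-Reject, reason %d (%s)"
                            % (d["user"], d["reason"], d["reason_text"]))
    return findings


# Two constructed records in the shape of those posted: the Access-Request
# for the PIX's attempt and the Access-Reject IAS answered with.
SAMPLE_LOG = (
    "192.168.1.1,sspickler,03/30/2007,10:38:43,IAS,LSTECH01,"
    "4,192.168.1.1,31,198.51.100.7,5,24,4108,192.168.1.1,4116,0,4128,LSTECH01,"
    "4155,1,4154,Use Windows authentication for all users,"
    "4129,IAS\\sspickler,4130,IAS\\sspickler,4127,1,4136,1,4142,0\n"
    "192.168.1.1,sspickler,03/30/2007,10:38:43,IAS,LSTECH01,"
    "4127,1,4130,IAS\\sspickler,4129,IAS\\sspickler,"
    "4154,Use Windows authentication for all users,4108,192.168.1.1,4116,0,"
    "4128,LSTECH01,4155,1,4136,3,4142,16\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines(), "LSTECHLLC-HQ"):
        print(finding)
```

Run against the sample it reports the IAS\ resolution on both records and the reject with reason 16; the same records also show Client-Vendor 0 (RADIUS Standard) and Authentication-Type 1 (PAP), the two client-side settings asked about elsewhere in this thread, so the check for a Cisco-vendor client can be made from the log rather than the IAS console.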

Author Comment

by:Shawnspi
ID: 18823968
LSTECH is.. I guess the group name?
That is what I am using in the client as the Name.
I am removing.. and reinstalling now..

Expert Comment

by:Sorenson
ID: 18824069
ok, that would explain the first part.  I don't know why it is putting IAS as your domain name... in the username portion (record 4129 and 4130)... hopefully the reinstall will help it out.

Long thread...end has got to be close :)

Author Comment

by:Shawnspi
ID: 18824070
Funny thing...
Removing it and reinstalling it... it keeps all the same settings.


Expert Comment

by:Sorenson
ID: 18824091
crap :)

Expert Comment

by:Sorenson
ID: 18824178
It has to be pulling that IAS\ from somewhere.
Can you check the registry setting for the "default domain" again.  Looking all the way back at your first post, the IAS logs appear to have the correct domain in it.
If you created that key, try deleting it and restarting the IAS server, and see what a new access attempt puts in the log?



Author Comment

by:Shawnspi
ID: 18824348
Did that ...

192.168.1.1,sspickler,03/30/2007,11:51:09,IAS,LSTECH01,4,192.168.1.1,31,75.198.119.126,5,36,4108,192.168.1.1,4116,0,4128,LSTECH01,5000,ip:source-ip=75.198.119.126,4155,1,4154,Use Windows authentication for all users,4129,IAS\sspickler,4130,IAS\sspickler,4127,1,25,311 1 192.168.1.2 03/30/2007 15:06:04 9,4136,1,4142,0
192.168.1.1,sspickler,03/30/2007,11:51:09,IAS,LSTECH01,25,311 1 192.168.1.2 03/30/2007 15:06:04 9,4127,1,4130,IAS\sspickler,4129,IAS\sspickler,4154,Use Windows authentication for all users,4108,192.168.1.1,4116,0,4128,LSTECH01,4155,1,4136,3,4142,16
192.168.1.1,sspickler,03/30/2007,11:51:19,IAS,LSTECH01,4,192.168.1.1,31,75.198.119.126,5,37,4108,192.168.1.1,4116,0,4128,LSTECH01,5000,ip:source-ip=75.198.119.126,4155,1,4154,Use Windows authentication for all users,4129,IAS\sspickler,4130,IAS\sspickler,4127,1,25,311 1 192.168.1.2 03/30/2007 15:06:04 10,4136,1,4142,0
192.168.1.1,sspickler,03/30/2007,11:51:19,IAS,LSTECH01,25,311 1 192.168.1.2 03/30/2007 15:06:04 10,4127,1,4130,IAS\sspickler,4129,IAS\sspickler,4154,Use Windows authentication for all users,4108,192.168.1.1,4116,0,4128,LSTECH01,4155,1,4136,3,4142,16
192.168.1.1,sspickler,03/30/2007,11:51:29,IAS,LSTECH01,4,192.168.1.1,31,75.198.119.126,5,38,4108,192.168.1.1,4116,0,4128,LSTECH01,5000,ip:source-ip=75.198.119.126,4155,1,4154,Use Windows authentication for all users,4129,IAS\sspickler,4130,IAS\sspickler,4127,1,25,311 1 192.168.1.2 03/30/2007 15:06:04 11,4136,1,4142,0
192.168.1.1,sspickler,03/30/2007,11:51:29,IAS,LSTECH01,25,311 1 192.168.1.2 03/30/2007 15:06:04 11,4127,1,4130,IAS\sspickler,4129,IAS\sspickler,4154,Use Windows authentication for all users,4108,192.168.1.1,4116,0,4128,LSTECH01,4155,1,4136,3,4142,16
192.168.1.1,sspickler,03/30/2007,11:51:39,IAS,LSTECH01,4,192.168.1.1,31,75.198.119.126,5,39,4108,192.168.1.1,4116,0,4128,LSTECH01,5000,ip:source-ip=75.198.119.126,4155,1,4154,Use Windows authentication for all users,4129,IAS\sspickler,4130,IAS\sspickler,4127,1,25,311 1 192.168.1.2 03/30/2007 15:06:04 12,4136,1,4142,0
192.168.1.1,sspickler,03/30/2007,11:51:39,IAS,LSTECH01,25,311 1 192.168.1.2 03/30/2007 15:06:04 12,4127,1,4130,IAS\sspickler,4129,IAS\sspickler,4154,Use Windows authentication for all users,4108,192.168.1.1,4116,0,4128,LSTECH01,4155,1,4136,3,4142,16



Looking back.. I see it used to put the domain instead of IAS.. I really screwed it up, huh

Author Comment

by:Shawnspi
ID: 18825125
I think I really want to get rid of all the VPN stuff on the PIX.. and start from scratch.. how do I delete it all?

Expert Comment

by:Sorenson
ID: 18825720
I don't think the problem is on the pix side.
Please post the pix config again, however the radius configuration is fairly straight forward, and the IAS logs / event logs would have things about the radius client not being accepted, etc.  I think the problem resides on the IAS side.
With the last set of logs posted, did you try using domain\username as well?  
The first part of the log line shows the 192.168.1.1 radius client sending sspickler as the username, and after that IAS is appending IAS\ to it, resulting in the username being unknown, I am curious if the same thing happens when you put your domainname\username into the vpn client.
I know I asked before, but to be sure the radius client settings are Radius Standard, not cisco.
If it still fails when trying domainname\username, try changing the server description to be the domain name (in IAS, right click on Internet Authentication Service (local) and goto properties).  That is the only place I see IAS in capital letters in any of my configs.


Expert Comment

by:Sorenson
ID: 18825739
reviewing the pix config at the top....
also change
!
vpngroup LSTECHVPN default-domain LSTECHLLC-HQ
!
to be your AD DNS name
ie:
vpngroup LSTECHVPN default-domain LSTECHLLC.INT
!(or .COM or whatever AD is setup for, the domain specification is for DNS lookups, not NT domain)

Author Comment

by:Shawnspi
ID: 18826400
I either screwed up the PIX or the IAS now, because after fooling with it the VPN client doesn't even prompt for user name and password, and I get this error:
1      16:38:54.893  03/30/07  Sev=Warning/3      IKE/0xE3000056
The received HASH payload cannot be verified

2      16:38:54.893  03/30/07  Sev=Warning/2      IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.

3      16:38:54.893  03/30/07  Sev=Warning/2      IKE/0xE3000099
Failed to authenticate peer (Navigator:904)

4      16:38:54.903  03/30/07  Sev=Warning/2      IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2202)


0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18826542
ouch!
post pix config, I can take a look at it... if you haven't written out the changes... reboot to get the old config back! :)
0
 

Author Comment

by:Shawnspi
ID: 18829617
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ayES3UY1NuNSgrCy encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname lstechpix
domain-name lstechllc.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host 70.183.5.248 eq ssh
access-list 101 permit tcp any host 70.183.5.248 eq https
access-list 101 permit tcp any host 70.183.5.248 eq 3389
access-list 101 permit tcp any host 70.183.5.248 eq ftp-data
access-list 101 permit tcp any host 70.183.5.248 eq ftp
access-list 111 deny ip host 202.213.201.85 any
access-list 111 permit ip any any
access-list 111 deny ip host 58.60.237.66 any
access-list 111 deny ip host 218.57.8.24 any
access-list 111 deny ip host 207.218.250.80 any
access-list 1 deny host 67.106.213.90
access-list 1 permit any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 192.168.2.1-192.168.2.254
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 58.60.237.66 255.255.255.255 outside
pdm location 202.213.201.85 255.255.255.255 outside
pdm location 207.218.250.80 255.255.255.255 outside
pdm location 218.57.8.24 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 70.183.5.248 ssh 192.168.1.2 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.183.5.248 3389 192.168.1.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.183.5.248 https 192.168.1.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.183.5.248 ftp-data 192.168.1.3 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.183.5.248 ftp 192.168.1.3 ftp netmask 255.255.255.255 0 0
access-group 111 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.1.2 timeout 10
aaa-server LOCAL protocol local
aaa-server LSTECH01 protocol radius
aaa-server LSTECH01 max-failed-attempts 3
aaa-server LSTECH01 deadtime 10
aaa-server LSTECH01 (inside) host 192.168.1.2 ssssssssss timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map dyn-map client authentication LSTECH01
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup LSTECH01 address-pool VPNPOOL
vpngroup LSTECH01 default-domain LSTECHLLC-HQ
vpngroup LSTECH01 idle-time 1800
vpngroup LSTECH02 address-pool VPNPOOL
vpngroup LSTECH02 dns-server 192.168.1.2 68.100.16.30
vpngroup LSTECH02 default-domain LSTECHLLC-HQ
vpngroup LSTECH02 idle-time 1800
vpngroup LSTECH02 password ********
vpngroup LSTECHVPN idle-time 1800
vpngroup LSTECHVPN password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.150-192.168.1.254 inside
dhcpd dns 192.168.1.2 68.100.16.30
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:774b0b92068da0fb4eb937c6bac4365e
: end
lstechpix#
0
 

Author Comment

by:Shawnspi
ID: 18835298
Ok.  
So, I found my error with it not even talking to the IAS, but now I am back to the original problem.

0
 

Author Comment

by:Shawnspi
ID: 18835310
When I add the domain name to the cisco client login:

192.168.1.1,LSTECHLLC-HQ\sspickler,04/02/2007,07:05:39,IAS,LSTECH01,4,192.168.1.1,31,75.199.200.75,5,72,4108,192.168.1.1,4116,0,4128,LSTECH01,5000,ip:source-ip=75.199.200.75,4155,1,4154,Use Windows authentication for all users,4129,LSTECHLLC-HQ\sspickler,4130,LSTECHLLC-HQ\sspickler,4127,1,25,311 1 192.168.1.2 03/30/2007 15:59:00 25,4136,1,4142,0
192.168.1.1,LSTECHLLC-HQ\sspickler,04/02/2007,07:05:39,IAS,LSTECH01,25,311 1 192.168.1.2 03/30/2007 15:59:00 25,4127,1,4130,LSTECHLLC-HQ\sspickler,4129,LSTECHLLC-HQ\sspickler,4154,Use Windows authentication for all users,4108,192.168.1.1,4116,0,4128,LSTECH01,4155,1,4136,3,4142,16
192.168.1.1,LSTECHLLC-HQ\sspickler,04/02/2007,07:05:48,IAS,LSTECH01,4,192.168.1.1,31,75.199.200.75,5,73,4108,192.168.1.1,4116,0,4128,LSTECH01,5000,ip:source-ip=75.199.200.75,4155,1,4154,Use Windows authentication for all users,4129,LSTECHLLC-HQ\sspickler,4130,LSTECHLLC-HQ\sspickler,4127,1,25,311 1 192.168.1.2 03/30/2007 15:59:00 26,4136,1,4142,0
192.168.1.1,LSTECHLLC-HQ\sspickler,04/02/2007,07:05:48,IAS,LSTECH01,25,311 1 192.168.1.2 03/30/2007 15:59:00 26,4127,1,4130,LSTECHLLC-HQ\sspickler,4129,LSTECHLLC-HQ\sspickler,4154,Use Windows authentication for all users,4108,192.168.1.1,4116,0,4128,LSTECH01,4155,1,4136,3,4142,16

0
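The records in the post above are in IAS's own log format: six fixed fields (NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name) followed by attribute-id,value pairs, and the pair that tells you why a logon failed is Packet-Type (4136) together with Reason-Code (4142). As an added example (not from the thread and not a Microsoft tool), here is a Python parser that splits such records, names the attributes, and pulls out the Access-Reject records with their reason and authentication type. The attribute, packet-type and reason-code tables are the documented IAS values as I know them; the sample lines are copied from the post above.

```python
"""Decode Windows IAS (IAS-format) log records such as the ones posted above.

Layout: six fixed fields (NAS-IP-Address, User-Name, Record-Date, Record-Time,
Service-Name, Computer-Name) followed by attribute-id,value pairs.
"""
import csv
from io import StringIO

# Attribute ids as IAS logs them: standard RADIUS ids below 4096, IAS-internal above.
IAS_ATTRS = {
    4: "NAS-IP-Address", 5: "NAS-Port", 25: "Class", 31: "Calling-Station-Id",
    4108: "Client-IP-Address", 4116: "NAS-Manufacturer", 4127: "Authentication-Type",
    4128: "Client-Friendly-Name", 4129: "SAM-Account-Name",
    4130: "Fully-Qualified-User-Name", 4136: "Packet-Type", 4142: "Reason-Code",
    4154: "Proxy-Policy-Name", 4155: "Provider-Type",
}
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response"}
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAP v2", 5: "EAP"}
REASON_CODES = {0: "IAS_SUCCESS", 8: "IAS_NO_SUCH_USER", 16: "IAS_AUTH_FAILURE",
                34: "IAS_ACCOUNT_DISABLED", 36: "IAS_ACCOUNT_LOCKED_OUT",
                48: "IAS_NO_POLICY_MATCH"}

# Sample records copied from the post above (two Access-Request / Access-Reject pairs).
SAMPLE_LINES = [
    r"192.168.1.1,LSTECHLLC-HQ\sspickler,04/02/2007,07:05:39,IAS,LSTECH01,4,192.168.1.1,31,75.199.200.75,5,72,4108,192.168.1.1,4116,0,4128,LSTECH01,5000,ip:source-ip=75.199.200.75,4155,1,4154,Use Windows authentication for all users,4129,LSTECHLLC-HQ\sspickler,4130,LSTECHLLC-HQ\sspickler,4127,1,25,311 1 192.168.1.2 03/30/2007 15:59:00 25,4136,1,4142,0",
    r"192.168.1.1,LSTECHLLC-HQ\sspickler,04/02/2007,07:05:39,IAS,LSTECH01,25,311 1 192.168.1.2 03/30/2007 15:59:00 25,4127,1,4130,LSTECHLLC-HQ\sspickler,4129,LSTECHLLC-HQ\sspickler,4154,Use Windows authentication for all users,4108,192.168.1.1,4116,0,4128,LSTECH01,4155,1,4136,3,4142,16",
    r"192.168.1.1,LSTECHLLC-HQ\sspickler,04/02/2007,07:05:48,IAS,LSTECH01,4,192.168.1.1,31,75.199.200.75,5,73,4108,192.168.1.1,4116,0,4128,LSTECH01,5000,ip:source-ip=75.199.200.75,4155,1,4154,Use Windows authentication for all users,4129,LSTECHLLC-HQ\sspickler,4130,LSTECHLLC-HQ\sspickler,4127,1,25,311 1 192.168.1.2 03/30/2007 15:59:00 26,4136,1,4142,0",
    r"192.168.1.1,LSTECHLLC-HQ\sspickler,04/02/2007,07:05:48,IAS,LSTECH01,25,311 1 192.168.1.2 03/30/2007 15:59:00 26,4127,1,4130,LSTECHLLC-HQ\sspickler,4129,LSTECHLLC-HQ\sspickler,4154,Use Windows authentication for all users,4108,192.168.1.1,4116,0,4128,LSTECH01,4155,1,4136,3,4142,16",
]


def parse_ias_line(line):
    """Split one record into the fixed fields plus an {attribute-id: value} dict."""
    row = next(csv.reader(StringIO(line)))  # csv handles quoted values with commas
    if len(row) < 6 or (len(row) - 6) % 2:
        raise ValueError("not a well-formed IAS-format record")
    attrs = {int(i): v for i, v in zip(row[6::2], row[7::2])}
    return {"nas_ip": row[0], "user": row[1], "date": row[2], "time": row[3],
            "service": row[4], "computer": row[5], "attrs": attrs}


def named_attrs(rec):
    """Attribute dict keyed by name where the id is known, otherwise by the numeric id."""
    return {IAS_ATTRS.get(i, str(i)): v for i, v in rec["attrs"].items()}


def classify(rec):
    """Reduce a parsed record to the fields that explain an accept or a reject."""
    a = rec["attrs"]
    ptype = int(a.get(4136, 0))
    reason = int(a.get(4142, 0))
    auth = int(a.get(4127, 0))
    return {
        "time": rec["date"] + " " + rec["time"],
        "client": a.get(4108, rec["nas_ip"]),   # the RADIUS client, i.e. the PIX
        "user": rec["user"],
        "fq_user": a.get(4130, ""),              # the name IAS resolved the user to
        "packet": PACKET_TYPES.get(ptype, "type-%d" % ptype),
        "auth": AUTH_TYPES.get(auth, "auth-%d" % auth),
        "policy": a.get(4154, ""),
        "reason": REASON_CODES.get(reason, "code-%d" % reason),
    }


def rejects(lines):
    """Return the classified Access-Reject records, i.e. the failed logons."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        c = classify(parse_ias_line(line))
        if c["packet"] == "Access-Reject":
            out.append(c)
    return out


if __name__ == "__main__":
    for r in rejects(SAMPLE_LINES):
        print(f'{r["time"]} {r["client"]} {r["fq_user"]} {r["auth"]} -> {r["reason"]} via "{r["policy"]}"')
```

Run against the posted lines it reports two rejects from 192.168.1.1 for LSTECHLLC-HQ\sspickler with reason IAS_AUTH_FAILURE (bad user name or password) under the "Use Windows authentication for all users" policy, which is the same picture the 4129/4130 fields give directly. Note that Authentication-Type 4127 is 1 (PAP): the PIX sends the VPN user's password to IAS as a RADIUS User-Password attribute, so the only protection on the inside wire is the RADIUS shared secret, which is one reason to keep that secret long and the RADIUS path inside the firewall.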
 
LVL 10

Expert Comment

by:Sorenson
ID: 18835522
Does anyone use this pix for vpn currently?
0
 

Author Comment

by:Shawnspi
ID: 18835544
No sir.  I am trying to do it!
0
 
LVL 10

Accepted Solution

by:
Sorenson earned 150 total points
ID: 18835698
Ok.

Let's clean out the vpn side and start fresh there.

!
no isakmp enable outside
NO crypto map outside_map interface outside
no vpngroup LSTECH01
no vpngroup LSTECH02
no vpngroup LSTECHVPN
!
no crypto map outside_map
no crypto map dyn-map
no aaa-server RADIUS
!


check running config to be sure that the vpngroups are gone and that the old reference to aaa-server RADIUS is gone



then rebuild VPN for remote access
!
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-MD5
crypto dynamic-map ClientVPN 10 ipsec-isakmp dynamic dynmap
!
crypto map ClientVPN interface outside
isakmp enable outside
isakmp identity address
vpngroup LSTECH address-pool VPNPOOL
vpngroup LSTECH dns-server 192.168.1.2
vpngroup LSTECH wins-server 192.168.1.2
vpngroup LSTECH idle-time 1800
vpngroup LSTECH password xxxxxxxx
vpngroup LSTECH default-domain ADFQDNDOMAIN.INT
!


then create a vpn client and profile.  Test access.
After the vpn works successfully, then add the IAS authentication to it:

!
crypto map dyn-map client authentication LSTECH01
!



0
 

Author Comment

by:Shawnspi
ID: 18835746
After doing ALL the "no" commands .. I still have ...
Also ... the domain is just LSTECHLLC-HQ with no .

aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.1.2 timeout 10
aaa-server LOCAL protocol local
aaa-server LSTECH01 protocol radius
aaa-server LSTECH01 max-failed-attempts 3
aaa-server LSTECH01 deadtime 10
aaa-server LSTECH01 (inside) host 192.168.1.2 1qazxsw2 timeout 10
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18835845
The AD domain (and so you have a DNS zone with no suffix for your AD) is LSTECHLLC-HQ ?

Ignore the aaa-server RADIUS, if the other vpngroups are gone, it is not needed.

Looking at the last config you are also missing a nat (inside) 0 command...and I didn't put down the nat-traversal command

!
access-list vpntraffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
nat (inside) 0 access-list vpntraffic
!
vpngroup LSTECH split-tunnel vpntraffic
!
isakmp nat-traversal
!


add
vpngroup LSTECH split-tunnel
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18835848
ignore the  last add stuff... got ahead of myself typing...
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18835856
wow.  I need some coffee this morning..
add this to the config I gave you, before adding the client authentication...
!

!
access-list vpntraffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
nat (inside) 0 access-list vpntraffic
!
vpngroup LSTECH split-tunnel vpntraffic
!
isakmp nat-traversal
!
0
 

Author Comment

by:Shawnspi
ID: 18835882
starting from the config ... line 2 doesn't work ..
crypto dynamic-map ClientVPN 10 ipsec-isakmp dynamic dynmap



User Access Verification

Password:
Type help or '?' for a list of available commands.
lstechpix> en
Password: ********
lstechpix# config t
lstechpix(config)# crypto dynamic-map dynmap 10 set transform-set ESP-3DES-MD5
lstechpix(config)# crypto dynamic-map ClientVPN 10 ipsec-isakmp dynamic dynmap
ERROR: unknown subcommand <ipsec-isakmp>
usage: crypto dynamic-map <map-name> <seqno> {match|set} ...
lstechpix(config)# crypto dynamic-map ClientVPN 10 ipsec-isakmp dynamic dynmap
ERROR: unknown subcommand <ipsec-isakmp>
usage: crypto dynamic-map <map-name> <seqno> {match|set} ...
lstechpix(config)#

0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18835930
typo on my part.  sorry.
!
crypto map ClientVPN 10 ipsec-isakmp dynamic dynmap
!

0
 

Author Comment

by:Shawnspi
ID: 18835967
OK!!!
we are getting somewhere!!!

it is now connecting!!!

but not prompting for a username / password

0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18835987
ok.  that is fine.
can you ping and net use to your server?
0
 

Author Comment

by:Shawnspi
ID: 18836008
Yes! Everything else seems to work!  I am getting excited!
0
 

Author Comment

by:Shawnspi
ID: 18836294
I don't see any hits on the IAS server though
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18836348
Did you add the last line, to push the authentication to the IAS server?
!
crypto map dyn-map client authentication LSTECH01
!
0
 

Author Comment

by:Shawnspi
ID: 18836598
I did..
But don't I need to add

aaa-server LSTECH protocol radius
aaa-server LSTECH max-failed-attempts 3
aaa-server LSTECH deadtime 10
aaa-server LSTECH (inside) host 192.168.1.2 aaaaaaaa timeout 10

0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18836639
no.  The LSTECH01 stuff is still in place.
just use it for authentication.

0
 

Author Comment

by:Shawnspi
ID: 18836704
Latest config ..

so why is it just connecting me without prompting for name and password.. I also don't see any hits on the IAS server.

It is connecting whether or not I have IAS up and running...


User Access Verification

Password:
Password:
Type help or '?' for a list of available commands.
lstechpix> sh run
Type help or '?' for a list of available commands.
lstechpix> en
Password: ********
lstechpix# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ayES3UY1NuNSgrCy encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname lstechpix
domain-name lstechllc.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host 70.183.5.248 eq ssh
access-list 101 permit tcp any host 70.183.5.248 eq https
access-list 101 permit tcp any host 70.183.5.248 eq 3389
access-list 101 permit tcp any host 70.183.5.248 eq ftp-data
access-list 101 permit tcp any host 70.183.5.248 eq ftp
access-list 111 deny ip host 202.213.201.85 any
access-list 111 permit ip any any
access-list 111 deny ip host 58.60.237.66 any
access-list 111 deny ip host 218.57.8.24 any
access-list 111 deny ip host 207.218.250.80 any
access-list 1 deny host 67.106.213.90
access-list 1 permit any
access-list vpntraffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 192.168.2.1-192.168.2.254
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 58.60.237.66 255.255.255.255 outside
pdm location 202.213.201.85 255.255.255.255 outside
pdm location 207.218.250.80 255.255.255.255 outside
pdm location 218.57.8.24 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpntraffic
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 70.183.5.248 ssh 192.168.1.2 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.183.5.248 3389 192.168.1.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.183.5.248 https 192.168.1.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.183.5.248 ftp-data 192.168.1.3 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.183.5.248 ftp 192.168.1.3 ftp netmask 255.255.255.255 0 0
access-group 111 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.1.2 timeout 10
aaa-server LOCAL protocol local
aaa-server LSTECH01 protocol radius
aaa-server LSTECH01 max-failed-attempts 3
aaa-server LSTECH01 deadtime 10
aaa-server LSTECH01 (inside) host 192.168.1.2 1aaaaaaaaaa timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-MD5
crypto map ClientVPN 10 ipsec-isakmp dynamic dynmap
crypto map ClientVPN interface outside
crypto map dyn-map client authentication LSTECH01
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup LSTECH address-pool VPNPOOL
vpngroup LSTECH dns-server 192.168.1.2 68.100.16.30
vpngroup LSTECH wins-server 192.168.1.2
vpngroup LSTECH default-domain LSTECHLLC-HQ
vpngroup LSTECH split-tunnel vpntraffic
vpngroup LSTECH idle-time 1800
vpngroup LSTECH password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.150-192.168.1.254 inside
dhcpd dns 192.168.1.2 68.100.16.30
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:7bf99d832a2d70954fe1a7af53b06929
: end
lstechpix#
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18836751
clean up what is no longer needed
!
no crypto dynamic-map outside_dyn_map
!
clean up my mistake :)
!
no crypto map dyn-map client authentication LSTECH01
crypto map ClientVPN client authentication LSTECH01
!

test again
0
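The symptom just above (clients connect on the group password alone and IAS never sees a request) came from `client authentication` being attached to a crypto map name, `dyn-map`, that was never applied to an interface, while the map actually bound to `outside`, `ClientVPN`, had no user authentication at all. As an added example, not from the thread and not a Cisco tool, here is a small Python lint over a PIX 6.3 running-config that catches that class of mismatch: a crypto map carrying `client authentication` that is not bound to an interface, a bound crypto map with no client authentication, a referenced aaa-server group with no host, isakmp enabled on an interface that has no crypto map, and vpngroups with no password (incomplete or leftover groups). The two sample configs are constructed from the fragments posted in this thread, with the RADIUS shared secret replaced by a placeholder.

```python
"""Lint the remote-access VPN part of a PIX 6.3 running-config for the
mismatches seen in this thread. Constructed example, not a Cisco tool."""
import re
from collections import defaultdict

# Constructed from the posted config: the 'dyn-map' mistake is still in place.
BROKEN = """\
aaa-server LSTECH01 protocol radius
aaa-server LSTECH01 (inside) host 192.168.1.2 <shared-secret-placeholder> timeout 10
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-MD5
crypto map ClientVPN 10 ipsec-isakmp dynamic dynmap
crypto map ClientVPN interface outside
crypto map dyn-map client authentication LSTECH01
isakmp enable outside
isakmp policy 20 authentication pre-share
vpngroup LSTECH address-pool VPNPOOL
vpngroup LSTECH password ********
"""

# Same config after the correction posted above.
FIXED = BROKEN.replace("crypto map dyn-map client authentication LSTECH01",
                       "crypto map ClientVPN client authentication LSTECH01")


def lint_pix_vpn(config):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    applied = {}                   # crypto map name -> interface it is bound to
    client_auth = {}               # crypto map name -> aaa-server group used for XAUTH
    aaa_hosts = defaultdict(list)  # aaa-server group -> configured host addresses
    vpngroups = defaultdict(set)   # vpngroup name -> keywords configured on it
    isakmp_ifaces = set()          # interfaces with 'isakmp enable'

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":      # skip comments and banner lines
            continue
        m = re.match(r"crypto map (\S+) interface (\S+)$", line)
        if m:
            applied[m.group(1)] = m.group(2)
            continue
        m = re.match(r"crypto map (\S+) client authentication (\S+)", line)
        if m:
            client_auth[m.group(1)] = m.group(2)
            continue
        m = re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)", line)
        if m:
            aaa_hosts[m.group(1)].append(m.group(3))
            continue
        m = re.match(r"vpngroup (\S+) (\S+)", line)
        if m:
            vpngroups[m.group(1)].add(m.group(2))
            continue
        m = re.match(r"isakmp enable (\S+)", line)
        if m:
            isakmp_ifaces.add(m.group(1))

    findings = []
    for name, grp in client_auth.items():
        if name not in applied:
            findings.append(f"client authentication is set on crypto map '{name}', "
                            f"which is not applied to any interface; users will never be prompted")
        if not aaa_hosts.get(grp):
            findings.append(f"crypto map '{name}' authenticates against aaa-server group "
                            f"'{grp}', which has no host configured")
    for name, iface in applied.items():
        if name not in client_auth:
            findings.append(f"crypto map '{name}' on interface '{iface}' has no client "
                            f"authentication; clients are admitted on the group pre-shared key alone")
    for iface in isakmp_ifaces:
        if iface not in applied.values():
            findings.append(f"isakmp is enabled on '{iface}' but no crypto map is applied there")
    for grp, keys in vpngroups.items():
        if "password" not in keys:
            findings.append(f"vpngroup '{grp}' has no password; it is incomplete or a leftover")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"== {label} ==")
        for f in lint_pix_vpn(cfg) or ["no findings"]:
            print(" -", f)
```

On the broken config it reports exactly the two halves of the problem (client authentication on an unbound map, and the bound map admitting clients on the pre-shared key alone); on the corrected config it reports nothing. A leftover group such as the `vpngroup LSTECH01` block without a password from the earlier config is flagged too, which matches the advice earlier in the thread to `no` the old vpngroups before rebuilding.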
 

Author Comment

by:Shawnspi
ID: 18836785
Thank you SOOOOOOOOOOOOOOOOOOOOOOOOO much Sorenson.  

I will award you with the points.. but if you don't mind, I will leave it open a day or so, so I can verify it works the way I need it?

I am sure I will be back later with more things I need to do.  I just have to wait to earn more credits :-)

0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18836805
Glad to hear it is working.
0
 

Author Comment

by:Shawnspi
ID: 18839367
I have a question...

I have used a VPN before.. and when I do it and then goto www.whatismyip.com it shows the IP of the .. host.

I noticed when I do it here.. it shows my cable modem IP and not the business IP.

Is there a setting for that?

Thanks
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18839379
Because you are using split-tunnel, (Internet traffic goes out your internet connection, and only traffic that is within the acl goes to the vpn) it will show up your ISP address when you go to an external site.  To see your vpn assigned address look at properties of the vpn client icon located by the clock in the task bar when you are connected.
0
 

Author Comment

by:Shawnspi
ID: 18839419
Well I guess my real question then...

for example.. I am at home.. my network at home is also 192.168.1.x and the network at work is the same....

So.. there can be conflicts especially with all the home networks these days.

If I remove the split-tunnel will it behave as I think it should?
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18842946
If you remove the split tunnel line. When you vpn in, you will not be able to access anything on the internet.  You will only be able to access resources on your local network*, and your remote network.  The Pix does not allow "hair-pinning" in the 6.x code.  This means that the same packet cannot come in an interface and return out the interface without going through the inspection / nat engines.  In English, the vpn packet cannot come into the pix, and then go out the outside interface to the internet, so you will not be able to use the internet when you remove the split-tunnel.

* there will be conflicts if you have the same internal numbering at work as you do at home.  The easiest fix is to change your ip addresses at home.
0
 

Author Comment

by:Shawnspi
ID: 18843035
Thanks Sorenson.
0
