Solved

Establishing VPN using Cisco Pix-515E

Posted on 2007-04-04
Last Modified: 2012-06-27
I am a complete newbie when it comes to using the PIX.

Cisco PIX-515E-R-BUN, Software Version 7.0(4)
Cisco ASDM 5.0(4)
Cisco VPN Client Version 4.8.02.0010, Windows

I need help in establishing a VPN connection. I have followed the VPN Wizard and configured a Tunnel Group called SSLStaff, type ipsec-ra. It has its own Group Policy, also called SSLStaff, which is internal and the protocol is inherited. I have created a local user called SSLStaff01.

When I connect I get the challenge for username and password. On entering these I rapidly get disconnected. On the PIX I get the following entries in the log below. Can anyone help me work out what I am doing wrong or have failed to do?

----------------------------------------------------------------------------------------------------------

5|Apr 04 2007 04:20:54|713904: IP = 86.34.122.100, Received encrypted packet with no matching SA, dropping
4|Apr 04 2007 04:20:54|113019: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3|Apr 04 2007 04:20:54|713902: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Removing peer from correlator table failed, no match!
3|Apr 04 2007 04:20:54|713902: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, QM FSM error (P2 struct &0x1d31010, mess id 0x74d10662)!
3|Apr 04 2007 04:20:54|713061: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.0.33.140/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
3|Apr 04 2007 04:20:54|713119: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, PHASE 1 COMPLETED
6|Apr 04 2007 04:20:54|713228: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Assigned private IP address 10.0.33.140 to remote user
6|Apr 04 2007 04:20:54|713184: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Client Type: WinNT  Client Application Version: 4.8.02.0010
5|Apr 04 2007 04:20:54|713131: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Received unknown transaction mode attribute: 28683
5|Apr 04 2007 04:20:54|713130: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Received unsupported transaction mode attribute: 5
6|Apr 04 2007 04:20:50|713172: Group = SSLStaff01, IP = 86.34.122.100, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
6|Apr 04 2007 04:20:50|302015: Built inbound UDP connection 92318 for outside:86.34.122.100/63280 (86.34.122.100/63280) to NP Identity Ifc:217.10.129.40/4500 (217.10.129.40/4500)
6|Apr 04 2007 04:20:50|302015: Built inbound UDP connection 92317 for outside:86.34.122.100/63279 (86.34.122.100/63279) to NP Identity Ifc:217.10.129.40/500 (217.10.129.40/500)
Question by:cescentman
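As an added example (not from the thread), a small Python parser for PIX 7.x syslog lines in the form shown above. It pulls out, per peer, whether IKE phase 1 completed, the proxy identities the PIX rejected in phase 2, and the disconnect reason; the sample input is three of the lines from the question, in chronological order. A local proxy of 0.0.0.0/0.0.0.0 is what the client sends when no split-tunnel list is pushed to it.

```python
import re
# Message layout: "severity|timestamp|msgid: text", then "Key = value" pairs inside the text.
LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")
FIELD_RE = re.compile(r"(Group|Username|IP) = ([^,]+)")
PROXY_RE = re.compile(r"remote proxy (\S+) local proxy (\S+)")

# Sample input: three of the lines from the log in the question, in chronological order.
SAMPLE_LOG = """\
3|Apr 04 2007 04:20:54|713119: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, PHASE 1 COMPLETED
3|Apr 04 2007 04:20:54|713061: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.0.33.140/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
4|Apr 04 2007 04:20:54|113019: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
"""
def parse_line(line):
    """Split one syslog line into severity, timestamp, message id, text and the Key = value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = {k: v.strip() for k, v in FIELD_RE.findall(rec["text"])}
    return rec

def full_tunnel_requested(local_proxy):
    # A local proxy of 0.0.0.0/0.0.0.0 is the client asking to protect every destination
    # (no split-tunnel list), which a crypto map ACL listing specific subnets cannot match.
    return local_proxy.startswith("0.0.0.0/0.0.0.0")

def analyze(log_text):
    """Per peer IP: did IKE phase 1 finish, which proxy IDs were rejected in phase 2, and why."""
    peers = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "IP" not in rec["fields"]:
            continue
        p = peers.setdefault(rec["fields"]["IP"], {"phase1": False, "rejected": None, "reason": None})
        if rec["msgid"] == "713119":
            p["phase1"] = True
        elif rec["msgid"] == "713061" and (pm := PROXY_RE.search(rec["text"])):
            p["rejected"] = (pm[1], pm[2])
        elif rec["msgid"] == "113019" and (rm := re.search(r"Reason: (.*)$", rec["text"])):
            p["reason"] = rm[1]
    return peers

def summarize(log_text):
    out = []
    for ip, p in analyze(log_text).items():
        if p["phase1"] and p["rejected"]:
            remote, local = p["rejected"]
            scope = "full tunnel, no split list" if full_tunnel_requested(local) else "split tunnel"
            out.append(f"{ip}: phase 1 OK, phase 2 rejected (client {remote} wants {local}: {scope}); reason: {p['reason']}")
    return out
```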
21 Comments

Expert Comment by Sorenson (LVL 10), ID: 18849918
Please post a sanitized config of the pix.

Author Comment by cescentman (LVL 1), ID: 18850156
How do I do this?

Expert Comment by Sorenson (LVL 10), ID: 18850171
telnet to the pix
get into enable mode

enable (enter)

type show run and capture the output to a text file.

remove passwords, and change ip addresses as you see necessary.

Expert Comment by Sorenson (LVL 10), ID: 18850189
Or if you are using the PDM, I believe you can download the config to a text file. Not sure exactly, but if you have an option under File to show the running-config in a new window, etc., you can copy and paste that as well.

Author Comment by cescentman (LVL 1), ID: 18850685
Thanks for such speedy responses.

asdm image flash:/asdm-504.bin
asdm location 10.3.27.0 255.255.255.0 inside
asdm location 217.10.128.128 255.255.255.128 outside
asdm location OurServer01 255.255.255.255 inside
asdm location OurServer02 255.255.255.255 inside
asdm location OurServerGW01 255.255.255.255 inside
asdm location OurDC 255.255.255.255 inside
asdm location OurServer03 255.255.255.255 inside
asdm location 244.152.10.27 255.255.255.255 outside
asdm location 244.152.10.26 255.255.255.255 outside
asdm location 244.152.10.28 255.255.255.255 outside
asdm location 244.152.10.29 255.255.255.255 outside
asdm location 244.152.10.37 255.255.255.255 outside
asdm location 244.152.10.38 255.255.255.255 outside
asdm location CMSMac 255.255.255.255 inside
asdm location OurServerApp01 255.255.255.255 inside
asdm location VMDC 255.255.255.255 inside
asdm location OurServer04 255.255.255.255 inside
asdm location mysql01 255.255.255.255 inside
asdm location 10.3.27.9 255.255.255.255 inside
asdm history enable
: Saved
:
PIX Version 7.0(4)
!
hostname pix
domain-name mydomain.com
enable password Vg3sdcbY24Vs546Y1p encrypted
names
name 10.3.27.27 OurServer01
name 10.3.27.28 OurServer02
name 10.3.27.29 OurServerGW01
name 10.3.27.37 OurDC
name 10.3.27.38 OurServer03
name 10.3.27.39 CMSMac
name 217.10.128.170 HostCo
name 10.3.27.91 OurServerApp01
name 10.3.27.26 VMDC
name 10.3.27.74 OurServer04
name 10.3.27.40 mysql01
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 244.152.10.40 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.3.27.1 255.255.255.0
!
passwd Vg3XxN79JHYVsY1p encrypted
boot system flash:/image.bin
ftp mode passive
access-list acl_outside extended permit icmp any any
access-list acl_outside extended permit tcp any host 244.152.10.29 eq 3389
access-list acl_outside extended permit tcp any host 244.152.10.26 eq 3389
access-list acl_outside extended permit tcp any host 244.152.10.28 eq 3306
access-list acl_outside extended permit tcp any host 244.152.10.37 eq 3389
access-list acl_outside extended permit tcp any host 244.152.10.38 eq 3389
access-list acl_outside extended permit tcp any host 244.152.10.24 eq 1801
access-list acl_outside extended permit udp any host 244.152.10.24 eq 1801
access-list acl_outside extended permit udp any host 244.152.10.24 eq 3527
access-list acl_outside extended permit tcp any host 244.152.10.24 eq 3389
access-list acl_outside extended permit tcp any host 244.152.10.27 eq www
access-list acl_outside extended permit tcp any host 244.152.10.27 eq https
access-list acl_umis extended permit ip 10.3.27.0 255.255.255.0 151.133.134.0 255.255.255.0
access-list acl_umis extended permit ip 10.3.27.0 255.255.255.0 151.133.156.0 255.255.252.0
access-list acl_umis extended permit ip 10.3.27.0 255.255.255.0 151.133.160.0 255.255.240.0
access-list acl_umis extended permit ip host OurServerApp01 10.3.27.128 255.255.255.224
access-list outside_cryptomap_dyn_20 extended permit ip host OurServerApp01 10.3.27.128 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNPool01 10.3.27.140-10.3.27.149 mask 255.255.255.255
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image flash:/asdm-504.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list acl_umis
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 244.152.10.29 OurServer03 netmask 255.255.255.255
static (inside,outside) 244.152.10.26 OurServerApp01 netmask 255.255.255.255
static (inside,outside) 244.152.10.38 OurServer04 netmask 255.255.255.255
static (inside,outside) 244.152.10.37 OurDC netmask 255.255.255.255
static (inside,outside) 244.152.10.24 10.3.27.9 netmask 255.255.255.255
static (inside,outside) 244.152.10.28 mysql01 netmask 255.255.255.255
static (inside,outside) 244.152.10.27 10.3.27.11 netmask 255.255.255.255
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 244.152.10.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy SSLStaff internal
username admin password /p.HD5sqxnbve12225272rvug encrypted privilege 15
username HostCosupport password O0Cqxv2030407587swenbvxhIED encrypted privilege 15
username SSLRemote01 password 48C5/lUsuq315281xvqwe426vuxvqtq/ encrypted privilege 15
username SSLRemote01 attributes
 vpn-group-policy SSLStaff
http server enable
http 217.10.128.128 255.255.255.128 outside
http 192.168.1.0 255.255.255.0 inside
http 10.3.27.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map socsoft 10 match address acl_umis
crypto map socsoft 10 set pfs
crypto map socsoft 10 set peer 151.213.220.249
crypto map socsoft 10 set transform-set esp-3des-md5
crypto map socsoft 10 set security-association lifetime seconds 3600
crypto map socsoft 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map socsoft interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  20
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 20
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 20
tunnel-group 151.213.220.249 type ipsec-l2l
tunnel-group 151.213.220.249 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 20
tunnel-group SSLStaff01 type ipsec-ra
tunnel-group SSLStaff01 general-attributes
 address-pool VPNPool01
 default-group-policy SSLStaff01
tunnel-group SSLStaff01 ipsec-attributes
 pre-shared-key *
telnet 217.10.128.128 255.255.255.128 outside
telnet OurDC 255.255.255.255 inside
telnet OurServerApp01 255.255.255.255 inside
telnet 10.3.27.191 255.255.255.255 inside
telnet timeout 5
ssh 217.10.128.128 255.255.255.128 outside
ssh OurDC 255.255.255.255 inside
ssh timeout 60
ssh version 1
console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
tftp-server inside OurDC /pix
ssl encryption des-sha1 rc4-md5
Cryptochecksum:ba8df0alamftwmbcd6244474398fskbf814466aeb2d1138eca
: end

Expert Comment by Sorenson (LVL 10), ID: 18850715
You are trying to configure a client vpn into this pix correct?  I see you already have a point to point vpn configured on this pix.

Author Comment by cescentman (LVL 1), ID: 18850834
Yes, that was configured by my predecessor. I am now trying to add a remote connection for a number of staff.

Author Comment by cescentman (LVL 1), ID: 18881344
Have you had any further thoughts where I might be going wrong?

Author Comment by cescentman (LVL 1), ID: 18888798
Hmm, puzzled by the sudden silence. Have I done something to offend?

Expert Comment by Sorenson (LVL 10), ID: 18899158
Sorry. I am out of contact for a few days. I will be back on Monday. Sorry for the lack of replies.

Author Comment by cescentman (LVL 1), ID: 18903881
Brilliant, I hope you didn't think I was pushing too much. I will wait patiently.

Expert Comment by Sorenson (LVL 10), ID: 18918269
To create the VPN access for the client I would suggest using the VPN wizard within the ASDM. Before you do that, I would clean up a few things. The wizard will do this if started from the beginning, however you are part way through the configuration... It would be easiest to clean it up from the command line.

The ip local pool should be a group of addresses that are not currently utilized on the inside network.

!
no ip local pool VPNPool01 10.3.27.140-10.3.27.149 mask 255.255.255.255
ip local pool VPNPool01 192.168.27.1-192.168.27.254
!

Next, the nat 0 access-list will need to be appended to allow the VPN traffic:

!
access-list acl_umis permit ip 10.3.27.0 255.255.255.0 192.168.27.0 255.255.255.0
!

Then create the split tunnel list (if you want the VPN users to be able to access the internet when connected):

!
access-list SSLStaff-Split permit ip 10.3.27.0 255.255.255.0 192.168.27.0 255.255.255.0
!

Next you need to clean up the attributes for your VPN group:

!
group-policy SSLStaff attributes
 dns-server value x.x.x.x                 (your internal DNS servers)
 default-domain value xxxxxx.xxx          (your internal DNS name (AD?))
 wins-server value x.x.x.x                (internal WINS server if used)
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLStaff-Split
!

Let's see if that does it for you.
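As an added example (my code, not Sorenson's and not anything from Cisco), a Python checker for the three points the answer above turns on, run over the relevant lines of the posted config: whether the ip local pool collides with the inside interface subnet, whether the nat 0 access-list names the pool as a destination, and whether each tunnel-group's default-group-policy is actually defined (the posted config references SSLStaff01 while only group-policy SSLStaff exists). FIXED is the same text with the answer's new pool and appended nat 0 ACL applied, which leaves only the group-policy finding.

```python
import ipaddress
import re
# Constructed sample: just the lines of the posted running-config that these checks read.
ORIGINAL = """\
interface Ethernet1
 ip address 10.3.27.1 255.255.255.0
access-list acl_umis extended permit ip 10.3.27.0 255.255.255.0 151.133.134.0 255.255.255.0
ip local pool VPNPool01 10.3.27.140-10.3.27.149 mask 255.255.255.255
nat (inside) 0 access-list acl_umis
group-policy SSLStaff internal
tunnel-group SSLStaff01 general-attributes
 address-pool VPNPool01
 default-group-policy SSLStaff01
"""
# The same lines with the answer's two changes applied: new pool, nat 0 ACL appended.
FIXED = ORIGINAL.replace("10.3.27.140-10.3.27.149 mask 255.255.255.255", "192.168.27.1-192.168.27.254") + (
    "access-list acl_umis permit ip 10.3.27.0 255.255.255.0 192.168.27.0 255.255.255.0\n")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
ADDR_RE = re.compile(r"^ ip address (\S+) (\S+)$")
# Only numeric ACEs are read; "host NAME" entries would need the names table resolved first.
ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
GP_RE = re.compile(r"^group-policy (\S+) (?:internal|attributes)")
DGP_RE = re.compile(r"^ default-group-policy (\S+)$")

def check(config_text):
    pools, nets, aces, nat0, policies, refs = {}, [], {}, set(), set(), []
    for line in config_text.splitlines():
        if m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := ADDR_RE.match(line):
            nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := ACE_RE.match(line):
            aces.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False))
        elif m := NAT0_RE.match(line):
            nat0.add(m[1])
        elif m := GP_RE.match(line):
            policies.add(m[1])
        elif m := DGP_RE.match(line):
            refs.append(m[1])
    findings = []
    for name, (lo, hi) in pools.items():
        # 1. Pool addresses must not collide with a directly connected subnet.
        findings += [f"pool {name} overlaps interface subnet {n}" for n in nets if lo in n or hi in n]
        # 2. The nat 0 ACL must name the pool as a destination, or client traffic gets NATed.
        if not any(lo in d and hi in d for a in nat0 for d in aces.get(a, [])):
            findings.append(f"pool {name} is not a destination in any nat 0 access-list")
    # 3. A tunnel-group must point at a group-policy that actually exists.
    findings += [f"default-group-policy {r} is not a defined group-policy" for r in refs if r not in policies]
    return findings
```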

Author Comment by cescentman (LVL 1), ID: 18918515
Brilliant, many thanks. I will try this. There is one thing nagging at me: there isn't an obvious way of backing up the config and saving it elsewhere. Could you advise how I do this before I try the changes, just in case...?

Accepted Solution by Sorenson (LVL 10, earned 500 total points), ID: 18918661
In the ASDM, under File, select "show running config in new window" and copy / paste that information to a text file.

I use a program called kiwi cat tools, http://www.kiwisyslog.com/cattools-info.php to automate backup and change management for my cisco devices.  Might be worth looking at as well...

Author Comment by cescentman (LVL 1), ID: 18918795
Thanks for the helpful reply, will get back to you soonest.

Author Comment by cescentman (LVL 1), ID: 18999817
Getting very behind on this. However, I got Kiwi CatTools and set them up, an excellent tool. Many thanks. I won't forget to get back to this.

Author Comment by cescentman (LVL 1), ID: 19217271
I have still to complete this but haven't forgotten. To be honest, I have been fighting shy of trying it until I know I have a window where it won't disrupt services if I get it wrong. I have planned this for the middle weekend of this month and will be back to you after this. Thanks for your patience.

Expert Comment by Sorenson (LVL 10), ID: 19218136
ok

Author Comment by cescentman (LVL 1), ID: 19675955
I'm sorry I missed this. I am unsure how it happened, as I have kept up with all my other tickets. I am very happy that the points were allocated to Sorenson.

Apologies Sorenson, and thanks for your help.