VPN setup w/ Cisco PIX 515e & MS Server 2003 IAS RADIUS authentication

wasabikev asked on
I've been staring at this all day... I'd very much appreciate a second opinion at this point. I'm just not certain where the configuration is incorrect at this point.

I believe that the MS Server side is set up correctly, as I'm much more confident with the MS side than the Cisco side of things.

When trying to connect with the VPN client (3.6.2) I get the errors:
Sev=Warning/2     IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding

Sev=Warning/3     DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h)

My best guess at this point is that my ACLs are not correct... but I'm really not sure.

My PIX VPN config:

hostname PIX1
domain-name internalDomain.com
names
name 192.168.200.1 HKP
name 192.168.200.2 ISASERVER
name x.x.10.152 Internet
name x.x.10.157 external
access-list deny-flow-max 300
access-list vpn permit ip any 10.10.0.0 255.255.0.0
access-list vpn permit ip 192.168.200.0 255.255.255.0 10.10.0.0 255.255.0.0
ip address outside external 255.255.255.248
ip address inside HKP 255.255.255.0
ip address DMZ1 169.254.200.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface DMZ1
ip local pool vpnIP 10.10.0.40-10.10.0.50
arp timeout 14400
nat (inside) 0 access-list vpn
nat (inside) 0 192.168.200.0 255.255.255.0 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.10.158 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 10.10.0.3  timeout 10
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup HKP address-pool vpnIP
vpngroup HKP dns-server 10.10.0.3
vpngroup HKP wins-server 10.10.0.3
vpngroup HKP default-domain internalDomain.com
vpngroup HKP idle-time 1800
vpngroup HKP password ********
vpngroup wins-server idle-time 1800
ASKER CERTIFIED SOLUTION
Les Moore
Systems Architect