VPN setup w/ Cisco PIX 515e & MS Server 2003 IAS RADIUS authentication

Posted on 2007-07-24
Last Modified: 2010-04-09
I've been staring at this all day... I'd very much appreciate a second opinion at this point. I'm just not certain where the configuration is incorrect at this point.

I believe that the MS Server side is set up correctly, as I'm much more confident with the MS side than the Cisco side of things.

When trying to connect with the VPN client (3.6.2) I get the errors:
Sev=Warning/2     IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding

Sev=Warning/3     DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h)

My best guess at this point is that my ACLs are not correct... but I'm really not sure.

My PIX VPN config:

hostname PIX1
name HKP
name x.x.10.152 Internet
name x.x.10.157 external
access-list deny-flow-max 300
access-list vpn permit ip any
access-list vpn permit ip
ip address outside external
ip address inside HKP
ip address DMZ1
ip verify reverse-path interface outside
ip verify reverse-path interface DMZ1
ip local pool vpnIP
arp timeout 14400
nat (inside) 0 access-list vpn
nat (inside) 0 0 0
access-group smtp in interface outside
route outside x.x.10.158 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host  timeout 10
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup HKP address-pool vpnIP
vpngroup HKP dns-server
vpngroup HKP wins-server
vpngroup HKP default-domain
vpngroup HKP idle-time 1800
vpngroup HKP password ********
vpngroup wins-server idle-time 1800
Question by:wasabikev
    LVL 8

    Expert Comment

    access-list vpn permit ip any
    nat (inside) 0 0 0

    Also, I don't see any pre-shared key. How will the firewall respond?

    Add the key using this command:
    isakmp key <presharekey> address <remote public address> netmask
    LVL 79

    Accepted Solution

    >aaa-server partnerauth (inside) host  timeout 10
    >ip address inside

    How are you setting up this server on the inside, using the same IP subnet as the vpnIP pool, when all of your other inside hosts are 192.168.200.x?
    Do you have another route statement somewhere?
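A quick way to check for the routing mismatch the accepted answer points at, as an added example that is not from the thread: it parses the few relevant PIX statements and flags a RADIUS host that is neither on its bound interface's subnet nor covered by a route out of that interface, or that sits inside the client address pool. The sample config and all addresses in it are constructed.

```python
"""Sanity-check a PIX 6.x remote-access VPN config for the RADIUS-reachability
problem raised in the accepted answer: an aaa-server host bound to an interface
must lie in that interface's subnet or be covered by a route out of it, and
must not sit inside the client address pool."""
import ipaddress

# Constructed sample config (addresses made up, not taken from the thread).
SAMPLE_CONFIG = """
ip address inside 192.168.200.1 255.255.255.0
ip local pool vpnIP 192.168.210.10-192.168.210.50
aaa-server partnerauth (inside) host 192.168.210.20 radiussecret timeout 10
route outside 0.0.0.0 0.0.0.0 198.51.100.158 1
"""

def parse(config):
    """Pull out the few PIX statements the reachability check needs."""
    cfg = {"iface": {}, "pool": None, "aaa": [], "routes": []}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"] and len(t) >= 5:
            cfg["iface"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:3] == ["ip", "local", "pool"] and len(t) >= 5 and "-" in t[4]:
            lo, hi = t[4].split("-")
            cfg["pool"] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:1] == ["aaa-server"] and len(t) >= 5 and t[3] == "host":
            cfg["aaa"].append((t[2].strip("()"), ipaddress.ip_address(t[4])))
        elif t[:1] == ["route"] and len(t) >= 5:
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)))
    return cfg

def check_radius_reachability(config):
    """Return a list of findings; an empty list means the server looks reachable."""
    cfg = parse(config)
    findings = []
    for iface, host in cfg["aaa"]:
        net = cfg["iface"].get(iface)
        on_link = net is not None and host in net.network
        routed = any(r == iface and host in n for r, n in cfg["routes"])
        if not (on_link or routed):
            findings.append(f"{host} is bound to {iface} but is neither on that "
                            f"interface's subnet nor reachable by a route via {iface}")
        pool = cfg["pool"]
        if pool and pool[0] <= host <= pool[1]:
            findings.append(f"{host} falls inside the VPN client address pool")
    return findings

if __name__ == "__main__":
    for f in check_radius_reachability(SAMPLE_CONFIG):
        print("WARNING:", f)
```

Adding a `route inside` statement covering the RADIUS server's subnet and moving the server out of the pool range clears both findings.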
    Author Comment

    I'm an 1d10t

    The PIX is our external firewall.  There is then the DMZ (, and then there's an ISA firewall between the DMZ and the internal network. (  So yea... there's additional route statements.

    Perhaps I'll have to rethink this.  
    LVL 79

    Expert Comment

    A firewall behind a firewall makes for a nice troubleshooting headache and that's about it.
