Solved

VPN setup w/ Cisco PIX 515e & MS Server 2003 IAS RADIUS authentication

Posted on 2007-07-24
Last Modified: 2010-04-09
I've been staring at this all day... I'd very much appreciate a second opinion at this point. I'm just not certain where the configuration is incorrect at this point.

I believe that the MS Server side is set up correctly, as I'm much more confident with the MS side than the Cisco side of things.

When trying to connect with the VPN client (3.6.2) I get the errors:
Sev=Warning/2     IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding

Sev=Warning/3     DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h)

My best guess at this point is that my ACLs are not correct... but I'm really not sure.

My PIX VPN config:

hostname PIX1
domain-name internalDomain.com
names
name 192.168.200.1 HKP
name 192.168.200.2 ISASERVER
name x.x.10.152 Internet
name x.x.10.157 external
access-list deny-flow-max 300
access-list vpn permit ip any 10.10.0.0 255.255.0.0
access-list vpn permit ip 192.168.200.0 255.255.255.0 10.10.0.0 255.255.0.0
ip address outside external 255.255.255.248
ip address inside HKP 255.255.255.0
ip address DMZ1 169.254.200.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface DMZ1
ip local pool vpnIP 10.10.0.40-10.10.0.50
arp timeout 14400
nat (inside) 0 access-list vpn
nat (inside) 0 192.168.200.0 255.255.255.0 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.10.158 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 10.10.0.3  timeout 10
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup HKP address-pool vpnIP
vpngroup HKP dns-server 10.10.0.3
vpngroup HKP wins-server 10.10.0.3
vpngroup HKP default-domain internalDomain.com
vpngroup HKP idle-time 1800
vpngroup HKP password ********
vpngroup wins-server idle-time 1800
Question by:wasabikev
Expert Comment

by:charan_jeetsingh
remove
access-list vpn permit ip any 10.10.0.0 255.255.0.0
nat (inside) 0 192.168.200.0 255.255.255.0 0 0


Also, I don't see any preshared key. How will the firewall respond?

Add the key using this command:
isakmp key <presharekey> address <remote public address> netmask 255.255.255.255
Accepted Solution by: lrmoore (earned 1500 total points)

>aaa-server partnerauth (inside) host 10.10.0.3  timeout 10
>ip address inside 192.168.200.1

How are you setting up this server on the inside, using the same IP subnet as the vpnIP pool, when all of your other inside hosts are 192.168.200.x?
Do you have another route statement somewhere?
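As an added example (not code from the thread or from either vendor), a small Python checker for the reachability question lrmoore raises above: it parses the posted `name`, `ip address`, `route` and `aaa-server ... host` lines and reports, for each AAA server, whether the host is on-link on its declared interface, covered by a route on that interface, or mismatched (the only route covering it leaves via another interface, or none covers it). The masked x.x public addresses are replaced with constructed 203.0.113.x placeholders.

```python
import ipaddress
import re

# Constructed excerpt of the PIX config in the question. The masked x.x addresses are
# replaced by 203.0.113.x placeholders; the remaining lines mirror the posted config.
PIX_CONFIG = """\
name 192.168.200.1 HKP
name 203.0.113.157 external
ip address outside external 255.255.255.248
ip address inside HKP 255.255.255.0
ip address DMZ1 169.254.200.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.158 1
aaa-server partnerauth (inside) host 10.10.0.3  timeout 10
"""


def parse_pix(config):
    """Collect name aliases, interface subnets, routes and AAA server hosts."""
    names, ifaces, routes, servers = {}, {}, [], []
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":                      # name <ip> <alias>
            names[tok[2]] = tok[1]
        elif tok[:2] == ["ip", "address"]:        # ip address <if> <ip|alias> <mask>
            addr = names.get(tok[3], tok[3])
            ifaces[tok[2]] = ipaddress.ip_interface(f"{addr}/{tok[4]}").network
        elif tok[0] == "route":                   # route <if> <net> <mask> <gw> [metric]
            net = ipaddress.ip_network(f"{names.get(tok[2], tok[2])}/{tok[3]}", strict=False)
            routes.append((tok[1], net, names.get(tok[4], tok[4])))
        elif tok[0] == "aaa-server" and "host" in tok:
            m = re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)", line)
            servers.append((m.group(1), m.group(2), names.get(m.group(3), m.group(3))))
    return ifaces, routes, servers


def check_aaa_reachability(config):
    """Return (tag, host, verdict) per AAA server, using longest-prefix route match."""
    ifaces, routes, servers = parse_pix(config)
    findings = []
    for tag, iface, host in servers:
        ip = ipaddress.ip_address(host)
        if iface in ifaces and ip in ifaces[iface]:
            findings.append((tag, host, f"on-link via {iface}"))
            continue
        best = sorted((r for r in routes if ip in r[1]), key=lambda r: r[1].prefixlen, reverse=True)
        if best and best[0][0] == iface:
            findings.append((tag, host, f"routed via {iface} next-hop {best[0][2]}"))
        elif best:
            findings.append((tag, host, f"MISMATCH: declared on {iface} but best route is via {best[0][0]} ({best[0][1]})"))
        else:
            findings.append((tag, host, f"MISMATCH: declared on {iface} and no route covers it"))
    return findings
```

On the posted config the RADIUS host 10.10.0.3 is flagged as a mismatch because only the outside default route covers it; adding a `route inside` toward the internal network clears the finding.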

Author Comment

by:wasabikev
I'm an 1d10t

The PIX is our external firewall. There is then the DMZ (192.168.200.0), and then there's an ISA firewall between the DMZ and the internal network (10.10.0.0). So yea... there are additional route statements.

Perhaps I'll have to rethink this.  
Expert Comment

by:lrmoore
A firewall behind a firewall makes for a nice troubleshooting headache, and that's about it.