Configuring a VPN connection

Posted on 2007-09-28
Last Modified: 2010-04-12
I am trying to get my PIX to allow VPN connections via the Cisco VPN client. I am trying to get the basic group authentication to work. I cannot get it to work correctly. When I try to connect via my client, it attempts and then goes to "not connected" without any errors or log entries. Here is my PIX config. It has been edited for posting here; if you have questions, please ask. I need help.

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list inside_outbound_nat0_acl permit ip any vpn 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 10.0.0.224 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.192
access-list inside_access_in remark Outbound DNS for Mail Server
access-list inside_access_in permit udp host  any eq domain
access-list inside_access_in remark Outbound DNS (primary DNS server)
access-list inside_access_in permit udp host  any eq domain
access-list inside_access_in remark Outbound DNS (secondary DNS server)
access-list inside_access_in permit udp host  any eq domain
access-list inside_access_in remark Outbound web browsing
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in remark Outbound ping/traceroute
access-list inside_access_in permit icmp any any echo
access-list inside_access_in remark Outbound web browsing (secure)
access-list inside_access_in permit tcp any any eq https
access-list inside_access_in remark Outbound ftp
access-list inside_access_in permit tcp any any eq ftp
access-list inside_access_in remark Outbound ftp
access-list inside_access_in permit tcp any any eq ftp-data
access-list inside_access_in remark Outbound terminal services/remote desktop
access-list inside_access_in permit tcp any any eq 3389
access-list inside_access_in remark Outbound sql
access-list inside_access_in permit tcp any any eq 1433
access-list inside_access_in remark Outbound sql
access-list inside_access_in permit udp any any eq 1433
access-list inside_access_in remark Outbound sql
access-list inside_access_in permit tcp any any eq 1434
access-list inside_access_in remark Outbound pc anywhere
access-list inside_access_in permit tcp any any eq pcanywhere-data
access-list inside_access_in remark Outbound pc anywhere
access-list inside_access_in permit udp any any eq pcanywhere-status
access-list inside_access_in remark Outbound email
access-list inside_access_in permit tcp host  any eq smtp
access-list inside_access_in remark outbound for VPN
access-list inside_access_in permit tcp any any eq pptp
access-list inside_access_in remark AOL Messenger
access-list inside_access_in permit tcp any any eq aol
access-list inside_access_in remark SalesMasters SMTP
access-list inside_access_in permit tcp any any eq 1025
access-list inside_access_in permit tcp any any eq 3101
access-list inside_access_in permit tcp any any eq 2145
access-list inside_access_in permit tcp any any eq 2144
access-list inside_access_in permit tcp any any eq smtp
access-list inside_access_in permit tcp any any eq pop3
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host ip address and subnet eq pptp
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host ip address and subnet eq smtp
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host ip address and subnet eq https
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host ip address and subnet eq www
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host ip address and subnet eq www
access-list outside_access_in remark Inbound
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in remark ping
access-list outside_access_in permit icmp any any echo
access-list outside_access_in remark Tracert
access-list outside_access_in permit icmp any any traceroute
access-list outside_access_in remark
access-list outside_access_in remark Inbound traceroute response
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host SQL host ip address eq ftp
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host sql host ip address eq ftp-data
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host prod host ip address eq ftp
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host prod host ip address eq ftp-data
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in remark
access-list outside_access_in permit tcp host CQ host ip address eq ftp
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host CQ host ip address eq ftp-data
access-list outside_access_in remark Inbound port 80 from production
access-list outside_access_in permit tcp host sql host ip address eq www
access-list outside_access_in remark Inbound port 80 from production
access-list outside_access_in permit tcp host prod host ip address eq www
access-list outside_access_in remark Inbound port 80 from production
access-list outside_access_in permit tcp host CQ host Ip address eq www
access-list outside_access_in remark Inbound SSL from production
access-list outside_access_in permit tcp host CQ host ip address eq https
access-list outside_access_in remark Inbound ftp from
access-list outside_access_in permit tcp host office host ip address eq ftp
access-list outside_access_in remark Inbound ftp from
access-list outside_access_in permit tcp host Office host ip address eq ftp-data
access-list outside_access_in remark Inbound port 80 from
access-list outside_access_in permit tcp host Office host ip address eq www
access-list outside_access_in permit tcp any host turkey eq 3101
access-list outside_access_in remark  POP3
access-list outside_access_in permit tcp host ip address any eq pop3
access-list outside_access_in permit tcp host ip address any eq pop3
access-list outside_cryptomap_dyn_20 permit ip any vpn 255.255.255.192
access-list outside_cryptomap_dyn_40 permit ip any 10.0.0.224 255.255.255.224
access-list outside_cryptomap_dyn_60 permit ip any 192.168.1.0 255.255.255.192
access-list 101 permit ip 192.162.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging on
icmp permit host Office echo outside
icmp permit host prod echo outside
icmp deny any outside
icmp permit host CQ echo outside
icmp permit host sql echo outside
mtu outside 1500
mtu inside 1500
ip address outside ip address and subnet mask
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_ip_pool 10.0.0.200-10.0.0.230
ip local pool CLICKPOOL 10.0.0.231-10.0.0.254
ip local pool VPN1 192.168.1.10-192.168.1.35
pdm location 10.0.0.200 255.255.255.255 outside
pdm location vpn 255.255.255.192 outside
pdm location 10.0.0.0 255.255.255.255 inside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location 255.255.255.255 inside
pdm location 255.255.255.255 inside
pdm location CQ 255.255.255.255 outside
pdm location turkey 255.255.255.255 inside
pdm location bear 255.255.255.255 inside
pdm location Office 255.255.255.255 outside
pdm location prod 255.255.255.255 outside
pdm location sql 255.255.255.255 outside
pdm location computer 255.255.255.255 inside
pdm location master 255.255.255.255 inside
pdm location penguin 255.255.255.255 inside
pdm location Masters 255.255.255.255 outside
pdm location ip address and subnet mast outside
pdm location ip address and subnet outside
pdm location 10.0.0.224 255.255.255.224 outside
pdm location 192.162.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ip address and subnet
static (inside,outside) ip address and subnet
static (inside,outside) ip address and subnet
static (inside,outside) ip address and subnet
static (inside,outside) ip address and subnet
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 69.233.191.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host  timeout 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup Remoteadmin address-pool VPN1
vpngroup Remoteadmin dns-server
vpngroup Remoteadmin default-domain correct domain
vpngroup Remoteadmin split-tunnel 101
vpngroup Remoteadmin idle-time 1800
vpngroup Remoteadmin password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 128 required
vpdn group PPTP-VPDN-GROUP client configuration address local vpn_ip_pool
vpdn group PPTP-VPDN-GROUP client configuration dns
vpdn group PPTP-VPDN-GROUP client configuration wins
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn enable outside
dhcpd address 10.0.0.100-10.0.0.199 inside
dhcpd dns turkey brain
dhcpd wins turkey brain
dhcpd lease 432000
dhcpd ping_timeout 750
dhcpd domain
terminal width 80
Cryptochecksum:c0d209fab6cb55cb3ce8ac851a97ffa9
: end
[OK]
Question by:jasonpiper01
LVL 1

Expert Comment

by:brich330
ID: 19982982
Taking a look at the config, it looks like you are missing the RADIUS ports on the inside access-list...

If you trust the Radius server, you could do it as 1 access-list entry...
access-list inside_access_in permit ip host <radius server ip> host 10.0.0.1

Otherwise, here are the common ports for different Radius servers...

Access-list inside_access_in permit udp any eq 1645 host 10.0.0.1
Access-list inside_access_in permit tcp any eq 1645 host 10.0.0.1
Access-list inside_access_in permit udp any eq 1646 host 10.0.0.1
Access-list inside_access_in permit tcp any eq 1646 host 10.0.0.1
Access-list inside_access_in permit udp any eq 1812 host 10.0.0.1
Access-list inside_access_in permit tcp any eq 1812 host 10.0.0.1
Access-list inside_access_in permit udp any eq 1813 host 10.0.0.1
Access-list inside_access_in permit tcp any eq 1813 host 10.0.0.1

Hope it helps.
- Brich330
 
LVL 79

Accepted Solution

by:lrmoore (earned 1000 total points)
ID: 19984019
>ip local pool VPN1 192.168.1.10-192.168.1.35
Is your home PC LAN also the same 192.168.1.x network?

Regardless, try this:

ip local pool VPNPOOL 192.168.168.1-192.168.168.13
no access-list 101 permit ip 192.162.1.0 255.255.255.0 10.0.0.0 255.255.255.0
no nat (inside) 0 access-list 101
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.168.0 255.255.255.240
nat (inside) 0 access-list nonat
no vpngroup Remoteadmin address-pool VPN1
vpngroup Remoteadmin address-pool VPNPOOL
isakmp nat-traversal 20
access-list inside_access_in permit ip 10.0.0.0 255.255.255.0
 

Author Comment

by:jasonpiper01
ID: 19992335
The address space was the same; I have changed that. I do have one question: that last line is missing a part. What part were you trying to include?

access-list inside_access_in permit ip 10.0.0.0 255.255.255.0
 
LVL 79

Expert Comment

by:lrmoore
ID: 19992981
Sorry, must have hit submit too soon....
Permit internal local traffic to the VPN pool addresses

access-list inside_access_in permit ip 10.0.0.0 255.255.255.0 192.168.168.0 255.255.255.0
 

Author Comment

by:jasonpiper01
ID: 20002143
Thanks, I did get closer, but when I try to connect via the client it says "securing gateway", then it jumps to "not connected".
 
LVL 79

Expert Comment

by:lrmoore
ID: 20002169
>PIX Version 6.3(1)
Lots of bugs in this particular version. Highly suggest updating this to 6.3(5) ASAP.

Can you post your current running config after you made the changes? This particular behavior usually means that you are not getting an IP address from the pool....
Do you have client logging enabled? Open a log window on the client and try to connect and see what the log says.

 

Author Comment

by:jasonpiper01
ID: 20014210
I don't think I will be able to update the PIX OS. We do not have access to download software from Cisco. Here is the error message:
1      07:07:21.546  10/04/07  Sev=Warning/2      IKE/0xA3000067
Received Unexpected InitialContact Notify (PLMgrNotify:886)
 
LVL 79

Expert Comment

by:lrmoore
ID: 20014578
Can you post your current config since you made several changes?
 

Author Comment

by:jasonpiper01
ID: 20042127

access-list inside_outbound_nat0_acl permit ip any vpn 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 10.0.0.224 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.192
access-list inside_access_in remark Outbound DNS for Mail Server
access-list inside_access_in permit udp host  any eq domain
access-list inside_access_in remark Outbound DNS (primary DNS server)
access-list inside_access_in permit udp host  any eq domain
access-list inside_access_in remark Outbound DNS (secondary DNS server)
access-list inside_access_in permit udp host any eq domain
access-list inside_access_in remark Outbound web browsing
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in remark Outbound ping/traceroute
access-list inside_access_in permit icmp any any echo
access-list inside_access_in remark Outbound web browsing (secure)
access-list inside_access_in permit tcp any any eq https
access-list inside_access_in remark Outbound ftp
access-list inside_access_in permit tcp any any eq ftp
access-list inside_access_in remark Outbound ftp
access-list inside_access_in permit tcp any any eq ftp-data
access-list inside_access_in remark Outbound terminal services/remote desktop
access-list inside_access_in permit tcp any any eq 3389
access-list inside_access_in remark Outbound sql
access-list inside_access_in permit tcp any any eq 1433
access-list inside_access_in remark Outbound sql
access-list inside_access_in permit udp any any eq 1433
access-list inside_access_in remark Outbound sql
access-list inside_access_in permit tcp any any eq 1434
access-list inside_access_in remark Outbound pc anywhere
access-list inside_access_in permit tcp any any eq
access-list inside_access_in remark Outbound pc anywhere
access-list inside_access_in permit udp any any eq
access-list inside_access_in remark Outbound email
access-list inside_access_in permit tcp host  any eq smtp
access-list inside_access_in remark outbound for VPN
access-list inside_access_in permit tcp any any eq pptp
access-list inside_access_in remark AOL
access-list inside_access_in permit tcp any any eq aol
access-list inside_access_in remark
access-list inside_access_in permit tcp any any eq 1025
access-list inside_access_in permit tcp any any eq 3101
access-list inside_access_in permit tcp any any eq 2145
access-list inside_access_in permit tcp any any eq 2144
access-list inside_access_in permit tcp any any eq smtp
access-list inside_access_in permit tcp any any eq pop3
access-list inside_access_in permit ip 10.0.0.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list outside_access_in remark Inbound VPN to Turkey
access-list outside_access_in permit tcp any host  eq pptp
access-list outside_access_in remark Inbound email
access-list outside_access_in permit tcp any host  eq smtp
access-list outside_access_in remark Inbound Secure Outlook Web Access
access-list outside_access_in permit tcp any host  eq https
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host  eq www
access-list outside_access_in remark Inbound qc.clicksafety.net
access-list outside_access_in permit tcp any host  eq www
access-list outside_access_in remark Inbound ping response
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in remark ping
access-list outside_access_in permit icmp any any echo
access-list outside_access_in remark Tracert
access-list outside_access_in permit icmp any any traceroute
access-list outside_access_in remark
access-list outside_access_in remark Inbound traceroute response
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host ip address eq ftp
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host ip address eq ftp-data
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host ip address eq ftp
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp hostip address eq ftp-data
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in remark
access-list outside_access_in permit tcp host ip address eq ftp
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host ip addresseq ftp-data
access-list outside_access_in remark Inbound port 80 from production
access-list outside_access_in permit tcp host ip address eq www
access-list outside_access_in remark Inbound port 80 from production
access-list outside_access_in permit tcp host ip address eq www
access-list outside_access_in remark Inbound port 80 from production
access-list outside_access_in permit tcp host ip address eq www
access-list outside_access_in remark Inbound SSL from production
access-list outside_access_in permit tcp host ip address eq https
access-list outside_access_in remark Inbound ftp from lafayette
access-list outside_access_in permit tcp host ip address eq ftp
access-list outside_access_in remark Inbound ftp from lafayette
access-list outside_access_in permit tcp host ip address eq ftp-data
access-list outside_access_in remark Inbound port 80 from lafayette
access-list outside_access_in permit tcp host ip address eq www
access-list outside_access_in permit tcp any host t eq 3101
access-list outside_access_in remark  POP3
access-list outside_access_in permit tcp host ip address any eq pop3
access-list outside_access_in permit tcp host ip address any eq pop3
access-list outside_cryptomap_dyn_20 permit ip any vpn 255.255.255.192
access-list outside_cryptomap_dyn_40 permit ip any 10.0.0.224 255.255.255.224
access-list outside_cryptomap_dyn_60 permit ip any 192.168.1.0 255.255.255.192
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.168.0 255.255.255.240
pager lines 24
logging on
icmp permit host  echo outside
icmp permit host  echo outside
icmp deny any outside
icmp permit host  echo outside
icmp permit host  echo outside
mtu outside 1500
mtu inside 1500
ip address outside ip address
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_ip_pool 10.0.0.200-10.0.0.230
ip local pool CLICKPOOL 10.0.0.231-10.0.0.254
ip local pool VPN1 192.168.168.1-192.168.168.13
pdm location 10.0.0.200 255.255.255.255 outside
pdm location vpn 255.255.255.192 outside
pdm location 10.0.0.0 255.255.255.255 inside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location  ip address inside
pdm location ip address inside
pdm location ip addressoutside
pdm location ip address inside
pdm location ip address inside
pdm location ip address outside
pdm location ip address outside
pdm location sip address outside
pdm location ip address inside
pdm location brain 255.255.255.255 inside
pdm location penguin 255.255.255.255 inside
pdm location SalesMasters 255.255.255.255 outside
pdm location ip address outside
pdm location ip address outside
pdm location ip address outside
pdm location ip address inside
pdm location ip address outside
pdm location ip address outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ip address
static (inside,outside) ip address
static (inside,outside) ip address
static (inside,outside) ip address
static (inside,outside) ip address
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 69.233.191.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside)  timeout 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup Remoteadmin address-pool VPN1
vpngroup Remoteadmin dns-server brain turkey
vpngroup Remoteadmin default-domain Clicksafety.com
vpngroup Remoteadmin split-tunnel 101
vpngroup Remoteadmin idle-time 1800
vpngroup Remoteadmin password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 128 required
vpdn group PPTP-VPDN-GROUP client configuration address local vpn_ip_pool
vpdn group PPTP-VPDN-GROUP client configuration dns turkey brain
vpdn group PPTP-VPDN-GROUP client configuration wins turkey brain
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn enable outside
dhcpd address 10.0.0.100-10.0.0.199 inside
dhcpd dns
dhcpd wins
dhcpd lease 432000
dhcpd ping_timeout 750
dhcpd
terminal width 80
Cryptochecksum:c0750bc404d3d0a44bd7728db85639e6
: end
[OK]

 
LVL 79

Expert Comment

by:lrmoore
ID: 20044280
Your site-to-site VPN tunnels are broken because you substituted the "nonat" ACL for inside_outbound_nat0_acl.
Try this:
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.168.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
 

Author Comment

by:jasonpiper01
ID: 20046356
2      22:02:39.893  10/09/07  Sev=Warning/2      IKE/0xA3000067
Received Unexpected InitialContact Notify (PLMgrNotify:886)
It looks like the same error.
 
LVL 79

Expert Comment

by:lrmoore
ID: 20047949
Ok, try this now....

no crypto map outside_map interface outside
no crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
no crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
no crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
no crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
crypto map outside_map interface outside

This will leave you with just one outside_dyn_map 20
Now, make the acl accurate
access-list outside_cryptomap_dyn_20 permit ip 10.0.0.0 255.255.255.0 192.168.168.0 255.255.255.240
no access-list outside_cryptomap_dyn_20 permit ip any vpn 255.255.255.192


 

Author Comment

by:jasonpiper01
ID: 20049712
I need to know what that does; we currently are using another VPN solution and do not want to mess the current solution up.
 
LVL 79

Expert Comment

by:lrmoore
ID: 20051173
You currently have 3 different versions of the same dyn_map and you should only have one - the one that matches your inside lan to vpn clients (Cisco vpn clients only).
The commands above will clean it up.
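As an added illustration (not code from this thread or from Cisco), the following Python linter reads a PIX 6.3 running-config excerpt and flags the three problems lrmoore raised in the accepted solution (ID 19984019) and in the explanation above (ID 20051173): a client address pool overlapping the inside LAN or the remote user's home LAN, a nat 0 exemption ACL that does not cover inside-LAN-to-pool traffic (it also catches the 192.162.1.0 typo in access-list 101), and more than one sequence in the dynamic map. The two config excerpts are constructed from the thread's before and after state, 192.168.1.0/24 is assumed as the home LAN, and the function names are my own.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt of the poster's original config (only the statements the checks read).
ORIGINAL_EXCERPT = """\
ip address inside 10.0.0.1 255.255.255.0
ip local pool VPN1 192.168.1.10-192.168.1.35
access-list 101 permit ip 192.162.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 101
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
vpngroup Remoteadmin address-pool VPN1
"""

# Constructed excerpt after the accepted fix and the dynamic-map cleanup.
FIXED_EXCERPT = """\
ip address inside 10.0.0.1 255.255.255.0
ip local pool VPNPOOL 192.168.168.1-192.168.168.13
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.168.0 255.255.255.240
nat (inside) 0 access-list nonat
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
vpngroup Remoteadmin address-pool VPNPOOL
"""

# Assumed: the remote user's home LAN, the range lrmoore asked about.
ASSUMED_CLIENT_LAN = ipaddress.ip_network("192.168.1.0/24")


def _take_net(tok, i):
    """Consume one PIX ACL address spec (any | host A | A MASK) at tok[i]; numeric only."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect the VPN-relevant statements from a PIX 6.3 running-config."""
    cfg = {"inside": None, "pools": {}, "acls": defaultdict(list),
           "nat0_acl": None, "dyn_map_seqs": defaultdict(set), "group_pool": {}}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, i = _take_net(tok, 4)
            dst, _ = _take_net(tok, i)
            cfg["acls"][tok[1]].append((src, dst))
        elif tok[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0_acl"] = tok[4]
        elif tok[:2] == ["crypto", "dynamic-map"]:
            cfg["dyn_map_seqs"][tok[2]].add(tok[3])   # tok[3] is the sequence number
        elif tok[0] == "vpngroup" and tok[2] == "address-pool":
            cfg["group_pool"][tok[1]] = tok[3]
    return cfg


def lint(cfg, client_lan=ASSUMED_CLIENT_LAN):
    """Return finding codes for the three problems raised in the thread."""
    findings = []
    for group, pool_name in cfg["group_pool"].items():
        lo, hi = cfg["pools"][pool_name]
        # 1. Pool collides with the inside LAN or the user's own LAN: the client
        #    has no usable route into the tunnel and drops back to "not connected".
        for net in (cfg["inside"], client_lan):
            if net is not None and lo <= net.broadcast_address and hi >= net.network_address:
                findings.append(f"POOL_OVERLAP:{pool_name}:{net}")
        # 2. The nat 0 ACL must exempt inside-LAN -> whole pool, or replies are NATed
        #    out the outside interface instead of going back through the tunnel.
        entries = cfg["acls"].get(cfg["nat0_acl"], [])
        exempt = any(cfg["inside"].subnet_of(src) and lo in dst and hi in dst
                     for src, dst in entries)
        if not exempt:
            findings.append(f"NAT0_MISSING_EXEMPTION:{group}")
    # 3. Several sequences in one dynamic map for a single set of remote-access clients.
    for name, seqs in cfg["dyn_map_seqs"].items():
        if len(seqs) > 1:
            findings.append(f"MULTIPLE_DYN_MAPS:{name}:{len(seqs)}")
    return findings
```

Run `lint(parse_config(ORIGINAL_EXCERPT))` to see all three findings and `lint(parse_config(FIXED_EXCERPT))` to confirm the corrected config comes back clean.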
 

Author Comment

by:jasonpiper01
ID: 20079554
We currently are using a Windows VPN server that is directly connecting to a Windows machine. The PIX just passes the packets. Will these commands prevent that from working?
 

Author Comment

by:jasonpiper01
ID: 20134263
I wasn't able to get it to work; I didn't delete those maps. I am going to give you credit for this question.