jasonpiper01
asked on
Configuring a VPN connection
I am trying to get my pix to allow vpn connections via cisco vpn client. I am trying to get the basic group authenincation to work. I can not get it to work correctly. When I try to connect via my client, it atempts and then goes to not connection without any errors, or log entries. Here is my pix config. it has been editted for posting here, if you have questions please ask. I need help.
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list inside_outbound_nat0_acl permit ip any vpn 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 10.0.0.224 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.192
access-list inside_access_in remark Outbound DNS for Mail Server
access-list inside_access_in permit udp host any eq domain
access-list inside_access_in remark Outbound DNS (primary DNS server)
access-list inside_access_in permit udp host any eq domain
access-list inside_access_in remark Outbound DNS (secondary DNS server)
access-list inside_access_in permit udp host any eq domain
access-list inside_access_in remark Outbound web browsing
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in remark Outbound ping/traceroute
access-list inside_access_in permit icmp any any echo
access-list inside_access_in remark Outbound web browsing (secure)
access-list inside_access_in permit tcp any any eq https
access-list inside_access_in remark Outbound ftp
access-list inside_access_in permit tcp any any eq ftp
access-list inside_access_in remark Outbound ftp
access-list inside_access_in permit tcp any any eq ftp-data
access-list inside_access_in remark Outbound terminal services/remote desktop
access-list inside_access_in permit tcp any any eq 3389
access-list inside_access_in remark Outbound sql
access-list inside_access_in permit tcp any any eq 1433
access-list inside_access_in remark Outbound sql
access-list inside_access_in permit udp any any eq 1433
access-list inside_access_in remark Outbound sql
access-list inside_access_in permit tcp any any eq 1434
access-list inside_access_in remark Outbound pc anywhere
access-list inside_access_in permit tcp any any eq pcanywhere-data
access-list inside_access_in remark Outbound pc anywhere
access-list inside_access_in permit udp any any eq pcanywhere-status
access-list inside_access_in remark Outbound email
access-list inside_access_in permit tcp host any eq smtp
access-list inside_access_in remark outbound for VPN
access-list inside_access_in permit tcp any any eq pptp
access-list inside_access_in remark AOL Messenger
access-list inside_access_in permit tcp any any eq aol
access-list inside_access_in remark SalesMasters SMTP
access-list inside_access_in permit tcp any any eq 1025
access-list inside_access_in permit tcp any any eq 3101
access-list inside_access_in permit tcp any any eq 2145
access-list inside_access_in permit tcp any any eq 2144
access-list inside_access_in permit tcp any any eq smtp
access-list inside_access_in permit tcp any any eq pop3
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host ip address and subnet eq pptp
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host ip address and subnet eq smtp
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host ip address and subnet eq https
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host ip address and subnet eq www
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host ip address and subnet eq www
access-list outside_access_in remark Inbound
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in remark ping
access-list outside_access_in permit icmp any any echo
access-list outside_access_in remark Tracert
access-list outside_access_in permit icmp any any traceroute
access-list outside_access_in remark
access-list outside_access_in remark Inbound traceroute response
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host SQL host ip address eq ftp
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host sql host ip address eq ftp-data
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host prod host ip address eq ftp
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host prod host ip address eq ftp-data
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in remark
access-list outside_access_in permit tcp host CQ host ip address eq ftp
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host CQ host ip address eq ftp-data
access-list outside_access_in remark Inbound port 80 from production
access-list outside_access_in permit tcp host sql host ip address eq www
access-list outside_access_in remark Inbound port 80 from production
access-list outside_access_in permit tcp host prod host ip address eq www
access-list outside_access_in remark Inbound port 80 from production
access-list outside_access_in permit tcp host CQ host Ip address eq www
access-list outside_access_in remark Inbound SSL from production
access-list outside_access_in permit tcp host CQ host ip address eq https
access-list outside_access_in remark Inbound ftp from
access-list outside_access_in permit tcp host office host ip address eq ftp
access-list outside_access_in remark Inbound ftp from
access-list outside_access_in permit tcp host Office host ip address eq ftp-data
access-list outside_access_in remark Inbound port 80 from
access-list outside_access_in permit tcp host Office host ip address eq www
access-list outside_access_in permit tcp any host turkey eq 3101
access-list outside_access_in remark POP3
access-list outside_access_in permit tcp host ip address any eq pop3
access-list outside_access_in permit tcp host ip address any eq pop3
access-list outside_cryptomap_dyn_20 permit ip any vpn 255.255.255.192
access-list outside_cryptomap_dyn_40 permit ip any 10.0.0.224 255.255.255.224
access-list outside_cryptomap_dyn_60 permit ip any 192.168.1.0 255.255.255.192
access-list 101 permit ip 192.162.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging on
icmp permit host Office echo outside
icmp permit host prod echo outside
icmp deny any outside
icmp permit host CQ echo outside
icmp permit host sql echo outside
mtu outside 1500
mtu inside 1500
ip address outside ip address and subnet mask
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_ip_pool 10.0.0.200-10.0.0.230
ip local pool CLICKPOOL 10.0.0.231-10.0.0.254
ip local pool VPN1 192.168.1.10-192.168.1.35
pdm location 10.0.0.200 255.255.255.255 outside
pdm location vpn 255.255.255.192 outside
pdm location 10.0.0.0 255.255.255.255 inside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location 255.255.255.255 inside
pdm location 255.255.255.255 inside
pdm location CQ 255.255.255.255 outside
pdm location turkey 255.255.255.255 inside
pdm location bear 255.255.255.255 inside
pdm location Office 255.255.255.255 outside
pdm location prod 255.255.255.255 outside
pdm location sql 255.255.255.255 outside
pdm location computer 255.255.255.255 inside
pdm location master 255.255.255.255 inside
pdm location penguin 255.255.255.255 inside
pdm location Masters 255.255.255.255 outside
pdm location ip address and subnet mast outside
pdm location ip address and subnet outside
pdm location 10.0.0.224 255.255.255.224 outside
pdm location 192.162.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ip address and subnet
static (inside,outside) ip address and subnet
static (inside,outside) ip address and subnet
static (inside,outside) ip address and subnet
static (inside,outside) ip address and subnet
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 69.233.191.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host timeout 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup Remoteadmin address-pool VPN1
vpngroup Remoteadmin dns-server
vpngroup Remoteadmin default-domain correct domain
vpngroup Remoteadmin split-tunnel 101
vpngroup Remoteadmin idle-time 1800
vpngroup Remoteadmin password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 128 required
vpdn group PPTP-VPDN-GROUP client configuration address local vpn_ip_pool
vpdn group PPTP-VPDN-GROUP client configuration dns
vpdn group PPTP-VPDN-GROUP client configuration wins
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn enable outside
dhcpd address 10.0.0.100-10.0.0.199 inside
dhcpd dns turkey brain
dhcpd wins turkey brain
dhcpd lease 432000
dhcpd ping_timeout 750
dhcpd domain
terminal width 80
Cryptochecksum:c0d209fab6c
: end
[OK]
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list inside_outbound_nat0_acl permit ip any vpn 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 10.0.0.224 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.192
access-list inside_access_in remark Outbound DNS for Mail Server
access-list inside_access_in permit udp host any eq domain
access-list inside_access_in remark Outbound DNS (primary DNS server)
access-list inside_access_in permit udp host any eq domain
access-list inside_access_in remark Outbound DNS (secondary DNS server)
access-list inside_access_in permit udp host any eq domain
access-list inside_access_in remark Outbound web browsing
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in remark Outbound ping/traceroute
access-list inside_access_in permit icmp any any echo
access-list inside_access_in remark Outbound web browsing (secure)
access-list inside_access_in permit tcp any any eq https
access-list inside_access_in remark Outbound ftp
access-list inside_access_in permit tcp any any eq ftp
access-list inside_access_in remark Outbound ftp
access-list inside_access_in permit tcp any any eq ftp-data
access-list inside_access_in remark Outbound terminal services/remote desktop
access-list inside_access_in permit tcp any any eq 3389
access-list inside_access_in remark Outbound sql
access-list inside_access_in permit tcp any any eq 1433
access-list inside_access_in remark Outbound sql
access-list inside_access_in permit udp any any eq 1433
access-list inside_access_in remark Outbound sql
access-list inside_access_in permit tcp any any eq 1434
access-list inside_access_in remark Outbound pc anywhere
access-list inside_access_in permit tcp any any eq pcanywhere-data
access-list inside_access_in remark Outbound pc anywhere
access-list inside_access_in permit udp any any eq pcanywhere-status
access-list inside_access_in remark Outbound email
access-list inside_access_in permit tcp host any eq smtp
access-list inside_access_in remark outbound for VPN
access-list inside_access_in permit tcp any any eq pptp
access-list inside_access_in remark AOL Messenger
access-list inside_access_in permit tcp any any eq aol
access-list inside_access_in remark SalesMasters SMTP
access-list inside_access_in permit tcp any any eq 1025
access-list inside_access_in permit tcp any any eq 3101
access-list inside_access_in permit tcp any any eq 2145
access-list inside_access_in permit tcp any any eq 2144
access-list inside_access_in permit tcp any any eq smtp
access-list inside_access_in permit tcp any any eq pop3
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host ip address and subnet eq pptp
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host ip address and subnet eq smtp
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host ip address and subnet eq https
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host ip address and subnet eq www
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host ip address and subnet eq www
access-list outside_access_in remark Inbound
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in remark ping
access-list outside_access_in permit icmp any any echo
access-list outside_access_in remark Tracert
access-list outside_access_in permit icmp any any traceroute
access-list outside_access_in remark
access-list outside_access_in remark Inbound traceroute response
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host SQL host ip address eq ftp
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host sql host ip address eq ftp-data
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host prod host ip address eq ftp
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host prod host ip address eq ftp-data
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in remark
access-list outside_access_in permit tcp host CQ host ip address eq ftp
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host CQ host ip address eq ftp-data
access-list outside_access_in remark Inbound port 80 from production
access-list outside_access_in permit tcp host sql host ip address eq www
access-list outside_access_in remark Inbound port 80 from production
access-list outside_access_in permit tcp host prod host ip address eq www
access-list outside_access_in remark Inbound port 80 from production
access-list outside_access_in permit tcp host CQ host Ip address eq www
access-list outside_access_in remark Inbound SSL from production
access-list outside_access_in permit tcp host CQ host ip address eq https
access-list outside_access_in remark Inbound ftp from
access-list outside_access_in permit tcp host office host ip address eq ftp
access-list outside_access_in remark Inbound ftp from
access-list outside_access_in permit tcp host Office host ip address eq ftp-data
access-list outside_access_in remark Inbound port 80 from
access-list outside_access_in permit tcp host Office host ip address eq www
access-list outside_access_in permit tcp any host turkey eq 3101
access-list outside_access_in remark POP3
access-list outside_access_in permit tcp host ip address any eq pop3
access-list outside_access_in permit tcp host ip address any eq pop3
access-list outside_cryptomap_dyn_20 permit ip any vpn 255.255.255.192
access-list outside_cryptomap_dyn_40 permit ip any 10.0.0.224 255.255.255.224
access-list outside_cryptomap_dyn_60 permit ip any 192.168.1.0 255.255.255.192
access-list 101 permit ip 192.162.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging on
icmp permit host Office echo outside
icmp permit host prod echo outside
icmp deny any outside
icmp permit host CQ echo outside
icmp permit host sql echo outside
mtu outside 1500
mtu inside 1500
ip address outside ip address and subnet mask
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_ip_pool 10.0.0.200-10.0.0.230
ip local pool CLICKPOOL 10.0.0.231-10.0.0.254
ip local pool VPN1 192.168.1.10-192.168.1.35
pdm location 10.0.0.200 255.255.255.255 outside
pdm location vpn 255.255.255.192 outside
pdm location 10.0.0.0 255.255.255.255 inside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location 255.255.255.255 inside
pdm location 255.255.255.255 inside
pdm location CQ 255.255.255.255 outside
pdm location turkey 255.255.255.255 inside
pdm location bear 255.255.255.255 inside
pdm location Office 255.255.255.255 outside
pdm location prod 255.255.255.255 outside
pdm location sql 255.255.255.255 outside
pdm location computer 255.255.255.255 inside
pdm location master 255.255.255.255 inside
pdm location penguin 255.255.255.255 inside
pdm location Masters 255.255.255.255 outside
pdm location ip address and subnet mast outside
pdm location ip address and subnet outside
pdm location 10.0.0.224 255.255.255.224 outside
pdm location 192.162.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ip address and subnet
static (inside,outside) ip address and subnet
static (inside,outside) ip address and subnet
static (inside,outside) ip address and subnet
static (inside,outside) ip address and subnet
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 69.233.191.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host timeout 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup Remoteadmin address-pool VPN1
vpngroup Remoteadmin dns-server
vpngroup Remoteadmin default-domain correct domain
vpngroup Remoteadmin split-tunnel 101
vpngroup Remoteadmin idle-time 1800
vpngroup Remoteadmin password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 128 required
vpdn group PPTP-VPDN-GROUP client configuration address local vpn_ip_pool
vpdn group PPTP-VPDN-GROUP client configuration dns
vpdn group PPTP-VPDN-GROUP client configuration wins
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn enable outside
dhcpd address 10.0.0.100-10.0.0.199 inside
dhcpd dns turkey brain
dhcpd wins turkey brain
dhcpd lease 432000
dhcpd ping_timeout 750
dhcpd domain
terminal width 80
Cryptochecksum:c0d209fab6c
: end
[OK]
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The address space was the same, I have change that, i do have one question, that is that last line is missing a part, what part were you trying to include.
access-list inside_access_in permit ip 10.0.0.0 255.255.255.0
access-list inside_access_in permit ip 10.0.0.0 255.255.255.0
Sorry, must have hit subit too soon....
Permit internal local traffic to the VPN pool addresses
access-list inside_access_in permit ip 10.0.0.0 255.255.255.0 192.168.168.0 255.255.255.0
Permit internal local traffic to the VPN pool addresses
access-list inside_access_in permit ip 10.0.0.0 255.255.255.0 192.168.168.0 255.255.255.0
ASKER
Thx, i did get closer, but when i try to connect via the client it says securing gateway, then it jumps to not connected.
>PIX Version 6.3(1)
Lots of bugs in this particular version. Highly suggest updating this to 6.3(5) ASAP.
Can you post your current running config after you made the changes? This particular behavior usually means that you are not getting an IP address from the pool....
Do you have client logging enabled? Open a log window on the client and try to connect and see what the log says.
Lots of bugs in this particular version. Highly suggest updating this to 6.3(5) ASAP.
Can you post your current running config after you made the changes? This particular behavior usually means that you are not getting an IP address from the pool....
Do you have client logging enabled? Open a log window on the client and try to connect and see what the log says.
ASKER
I dont think i will be able to update the pix os. We do not have access to download software from cisco. here is the error message
1 07:07:21.546 10/04/07 Sev=Warning/2 IKE/0xA3000067
Received Unexpected InitialContact Notify (PLMgrNotify:886)
1 07:07:21.546 10/04/07 Sev=Warning/2 IKE/0xA3000067
Received Unexpected InitialContact Notify (PLMgrNotify:886)
Can you post your current config since you made several changes?
ASKER
access-list inside_outbound_nat0_acl permit ip any vpn 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 10.0.0.224 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.192
access-list inside_access_in remark Outbound DNS for Mail Server
access-list inside_access_in permit udp host any eq domain
access-list inside_access_in remark Outbound DNS (primary DNS server)
access-list inside_access_in permit udp host any eq domain
access-list inside_access_in remark Outbound DNS (secondary DNS server)
access-list inside_access_in permit udp host any eq domain
access-list inside_access_in remark Outbound web browsing
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in remark Outbound ping/traceroute
access-list inside_access_in permit icmp any any echo
access-list inside_access_in remark Outbound web browsing (secure)
access-list inside_access_in permit tcp any any eq https
access-list inside_access_in remark Outbound ftp
access-list inside_access_in permit tcp any any eq ftp
access-list inside_access_in remark Outbound ftp
access-list inside_access_in permit tcp any any eq ftp-data
access-list inside_access_in remark Outbound terminal services/remote desktop
access-list inside_access_in permit tcp any any eq 3389
access-list inside_access_in remark Outbound sql
access-list inside_access_in permit tcp any any eq 1433
access-list inside_access_in remark Outbound sql
access-list inside_access_in permit udp any any eq 1433
access-list inside_access_in remark Outbound sql
access-list inside_access_in permit tcp any any eq 1434
access-list inside_access_in remark Outbound pc anywhere
access-list inside_access_in permit tcp any any eq
access-list inside_access_in remark Outbound pc anywhere
access-list inside_access_in permit udp any any eq
access-list inside_access_in remark Outbound email
access-list inside_access_in permit tcp host any eq smtp
access-list inside_access_in remark outbound for VPN
access-list inside_access_in permit tcp any any eq pptp
access-list inside_access_in remark AOL
access-list inside_access_in permit tcp any any eq aol
access-list inside_access_in remark
access-list inside_access_in permit tcp any any eq 1025
access-list inside_access_in permit tcp any any eq 3101
access-list inside_access_in permit tcp any any eq 2145
access-list inside_access_in permit tcp any any eq 2144
access-list inside_access_in permit tcp any any eq smtp
access-list inside_access_in permit tcp any any eq pop3
access-list inside_access_in permit ip 10.0.0.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list outside_access_in remark Inbound VPN to Turkey
access-list outside_access_in permit tcp any host eq pptp
access-list outside_access_in remark Inbound email
access-list outside_access_in permit tcp any host eq smtp
access-list outside_access_in remark Inbound Secure Outlook Web Access
access-list outside_access_in permit tcp any host eq https
access-list outside_access_in remark Inbound
access-list outside_access_in permit tcp any host eq www
access-list outside_access_in remark Inbound qc.clicksafety.net
access-list outside_access_in permit tcp any host eq www
access-list outside_access_in remark Inbound ping response
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in remark ping
access-list outside_access_in permit icmp any any echo
access-list outside_access_in remark Tracert
access-list outside_access_in permit icmp any any traceroute
access-list outside_access_in remark
access-list outside_access_in remark Inbound traceroute response
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host ip address eq ftp
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host ip address eq ftp-data
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host ip address eq ftp
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp hostip address eq ftp-data
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in remark
access-list outside_access_in permit tcp host ip address eq ftp
access-list outside_access_in remark Inbound ftp from production
access-list outside_access_in permit tcp host ip addresseq ftp-data
access-list outside_access_in remark Inbound port 80 from production
access-list outside_access_in permit tcp host ip address eq www
access-list outside_access_in remark Inbound port 80 from production
access-list outside_access_in permit tcp host ip address eq www
access-list outside_access_in remark Inbound port 80 from production
access-list outside_access_in permit tcp host ip address eq www
access-list outside_access_in remark Inbound SSL from production
access-list outside_access_in permit tcp host ip address eq https
access-list outside_access_in remark Inbound ftp from lafayette
access-list outside_access_in permit tcp host ip address eq ftp
access-list outside_access_in remark Inbound ftp from lafayette
access-list outside_access_in permit tcp host ip address eq ftp-data
access-list outside_access_in remark Inbound port 80 from lafayette
access-list outside_access_in permit tcp host ip address eq www
access-list outside_access_in permit tcp any host t eq 3101
access-list outside_access_in remark POP3
access-list outside_access_in permit tcp host ip address any eq pop3
access-list outside_access_in permit tcp host ip address any eq pop3
access-list outside_cryptomap_dyn_20 permit ip any vpn 255.255.255.192
access-list outside_cryptomap_dyn_40 permit ip any 10.0.0.224 255.255.255.224
access-list outside_cryptomap_dyn_60 permit ip any 192.168.1.0 255.255.255.192
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.168.0 255.255.255.240
pager lines 24
logging on
icmp permit host echo outside
icmp permit host echo outside
icmp deny any outside
icmp permit host echo outside
icmp permit host echo outside
mtu outside 1500
mtu inside 1500
ip address outside ip address
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_ip_pool 10.0.0.200-10.0.0.230
ip local pool CLICKPOOL 10.0.0.231-10.0.0.254
ip local pool VPN1 192.168.168.1-192.168.168.
pdm location 10.0.0.200 255.255.255.255 outside
pdm location vpn 255.255.255.192 outside
pdm location 10.0.0.0 255.255.255.255 inside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location ip address inside
pdm location ip address inside
pdm location ip addressoutside
pdm location ip address inside
pdm location ip address inside
pdm location ip address outside
pdm location ip address outside
pdm location sip address outside
pdm location ip address inside
pdm location brain 255.255.255.255 inside
pdm location penguin 255.255.255.255 inside
pdm location SalesMasters 255.255.255.255 outside
pdm location ip address outside
pdm location ip address outside
pdm location ip address outside
pdm location ip address inside
pdm location ip address outside
pdm location ip address outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ip address
static (inside,outside) ip address
static (inside,outside) ip address
static (inside,outside) ip address
static (inside,outside) ip address
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 69.233.191.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) timeout 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup Remoteadmin address-pool VPN1
vpngroup Remoteadmin dns-server brain turkey
vpngroup Remoteadmin default-domain Clicksafety.com
vpngroup Remoteadmin split-tunnel 101
vpngroup Remoteadmin idle-time 1800
vpngroup Remoteadmin password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 128 required
vpdn group PPTP-VPDN-GROUP client configuration address local vpn_ip_pool
vpdn group PPTP-VPDN-GROUP client configuration dns turkey brain
vpdn group PPTP-VPDN-GROUP client configuration wins turkey brain
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn enable outside
dhcpd address 10.0.0.100-10.0.0.199 inside
dhcpd dns
dhcpd wins
dhcpd lease 432000
dhcpd ping_timeout 750
dhcpd
terminal width 80
Cryptochecksum:c0750bc404d
: end
[OK]
Your site-site vpn tunnels are broken because you substituted "nonat" acl for inside_outbound_nat0_acl
Try this:
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 1921.68.168.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
Try this:
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 1921.68.168.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
ASKER
2 22:02:39.893 10/09/07 Sev=Warning/2 IKE/0xA3000067
Received Unexpected InitialContact Notify (PLMgrNotify:886)
looks like the same error.
Received Unexpected InitialContact Notify (PLMgrNotify:886)
looks like the same error.
Ok, try this now....
no crypto map outside_map interface outside
no crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
no crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
no crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
no crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
This will leave you with just one outside_dyn_map 20
Now, make the acl accurate
access-list outside_cryptomap_dyn_20 permit ip 10.0.0.0 255.255.255.0 192.168.168.0 255.255.255.240
no access-list outside_cryptomap_dyn_20 permit ip any vpn 255.255.255.192
no crypto map outside_map interface outside
no crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
no crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
no crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
no crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
This will leave you with just one outside_dyn_map 20
Now, make the acl accurate
access-list outside_cryptomap_dyn_20 permit ip 10.0.0.0 255.255.255.0 192.168.168.0 255.255.255.240
no access-list outside_cryptomap_dyn_20 permit ip any vpn 255.255.255.192
ASKER
I need to know what that does, we current are using another vpn solution and do not want to mess the current solution up.
You currently have 3 different versions of the same dyn_map and you should only have one - the one that matches your inside lan to vpn clients (Cisco vpn clients only).
The commands above will clean it up.
The commands above will clean it up.
ASKER
We currently are using a Windows VPN server that is directly connecting to a windows machine. The pix just passes the packets. Will these commands prevent that from working
ASKER
I wasnt able to get it to work, i didnt delete those maps, I am going to give you credit for this question
If you trust the Radius server, you could do it as 1 access-list entry...
access-list inside_access_in permit ip host <radius server ip> host 10.0.0.1
Otherwise, here are the common ports for different Radius servers...
Access-list inside_access_in permit udp any eq 1645 host 10.0.0.1
Access-list inside_access_in permit tcp any eq 1645 host 10.0.0.1
Access-list inside_access_in permit udp any eq 1646 host 10.0.0.1
Access-list inside_access_in permit tcp any eq 1646 host 10.0.0.1
Access-list inside_access_in permit udp any eq 1812 host 10.0.0.1
Access-list inside_access_in permit tcp any eq 1812 host 10.0.0.1
Access-list inside_access_in permit udp any eq 1813 host 10.0.0.1
Access-list inside_access_in permit tcp any eq 1813 host 10.0.0.1
Hope it helps.
- Brich330