Solved

PIX 501 VPN Either Cisco VPN or PPTP - neither are working even with google and prior threads

Posted on 2007-11-19
Last Modified: 2010-04-11
I need help because none of the threads are helping and I can't get any of the hundreds of permutations I've tried to work.  I have a static IP address (DSL) connected to the Cisco PIX 501, no DNS server, just plugged into a 10-port hub.  So it is a simple network.  Nothing complicated.  The goal was to set up a VPN so that users can work from home.

So I tried the PPTP VPN configuration.  I then created a VPN connection and tried to connect to the office remotely.  It said it was connected, but I couldn't ping anything.  I couldn't remote desktop to anything or see any file shares, either by IP address or by server names resolving via name.  I was thinking there was possibly a problem with the primary WINS server I put in: I put 192.168.1.1, which is the internal IP of the Cisco PIX.

I also tried creating a Cisco VPN using a pre-shared key, user group and group password.  Then, using the VPN client, I tried to connect.  I got the error:  Reason 412:  The remote peer is no longer responding.  I have the firewall turned off.  I have used the VPN client on other networks and it works fine, so it is not due to anti-virus or firewalls.  It's simply the config on the PIX 501.

Anyway, here's my configuration.  Maybe you can give me some help on how to fix this.  I of course would prefer to use the VPN Client.  By the way, I am using just the local database of users for VPN on the PIX itself, not an AAA server or anything else.  I don't have a DNS server either.


Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)

Compiled on Fri 07-Jun-02 17:49 by morlee

topper up 1 day 0 hours

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000c.30a1.460f, irq 9
1: ethernet1: address is 000c.30a1.4610, irq 10
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES:           Disabled
Maximum Interfaces: 2
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       50
Throughput:         Limited
IKE peers:          5
-------------------------------------------------------

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password vxaiY3m67V1.pDhG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname topper
domain-name centurytel.net
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name 192.168.1.150 web-server
object-group service mailserver tcp
  description email server
  port-object eq ident
  port-object eq pop3
  port-object eq imap4
  port-object eq www
  port-object eq https
  port-object eq smtp
  port-object range 135 135
object-group service vpnudp udp
  description vpn udp
  port-object range 1701 1701
  port-object range isakmp isakmp
object-group service FTPGroup tcp
  port-object eq ftp-data
  port-object eq ftp
object-group service pptpgroup tcp
  port-object eq 1723
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit gre any any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.200 255.255.255.248
access-list inside_outbound_nat0_acl permit ip any 192.168.1.200 255.255.255.248
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip host web-server 192.168.1.200 255.255.255.248
access-list inside_outbound_nat0_acl permit ip host 192.168.1.1 192.168.1.200 255.255.255.248
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.200 255.255.255.248
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp any any eq 3389
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list outside_cryptomap_dyn_40 permit ip any 192.168.1.200 255.255.255.248
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 96.226.0.30 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool arlington-test 192.168.1.50
ip local pool TOPPER 192.168.1.201-192.168.1.205
ip local pool VPN_DHCP 192.168.1.210-192.168.1.230
pdm location 0.0.0.0 255.0.0.0 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 192.168.1.192 255.255.255.224 outside
pdm location web-server 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.1.200 255.255.255.248 outside
pdm location 192.168.1.200 255.255.255.255 inside
pdm location 192.168.1.192 255.255.255.192 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www web-server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.200 pptp netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 96.226.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup TOPPER-GRP address-pool TOPPER
vpngroup TOPPER-GRP dns-server 68.238.96.12 68.238.112.12
vpngroup TOPPER-GRP wins-server 192.168.1.1
vpngroup TOPPER-GRP idle-time 1800
vpngroup TOPPER-GRP password ********
vpngroup airbuds address-pool TOPPER
vpngroup airbuds dns-server 68.238.96.12 68.238.112.12
vpngroup airbuds wins-server 192.168.1.1
vpngroup airbuds idle-time 1800
vpngroup airbuds password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40 required
vpdn group PPTP-VPDN-GROUP client configuration address local VPN_DHCP
vpdn group PPTP-VPDN-GROUP client configuration dns 68.238.96.12 68.238.112.12
vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.1.1
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username glen password *********
vpdn username bill password *********
vpdn username carolyn password *********
vpdn username mike password *********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 68.238.96.12 68.238.112.12
dhcpd lease 1382400
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username admin password OXCRCO4.AJ7L5AV9 encrypted privilege 15
username bill password Hg2m5LIK/3euaX9D encrypted privilege 5
username glen password dGcPoGp4DhUbJR9o encrypted privilege 15
terminal width 80
Cryptochecksum:0394789087a3636c2b0e2e8eb383afeb
: end
Question by: glengillman
Accepted Solution
by: Alan Huseyin Kayahan
ID: 20318958
I assume your remote network is in the 192.168.1 range, which is the same range as your VPN client pool. You should use a different VPN client pool.

Regards
 
Assisted Solution
by: Alan Huseyin Kayahan
ID: 20319025
Also, you had better use split tunneling. The following is an example RA VPN:

    vpngroup TOPPER-GRP password 1234
    ip local pool VPNPool 172.6.10.1-172.6.10.254
    vpngroup TOPPER-GRP address-pool VPNPool
    access-list splitTunnelAclRA permit ip 192.168.1.0 255.255.255.0 172.6.10.0 255.255.255.0
    access-list inside_outbound_nat0_acl line 4 permit ip 192.168.1.0 255.255.255.0 172.6.10.0 255.255.255.0
    access-list outside_cryptomap_dyn_40 permit ip 172.6.10.0 255.255.255.0 192.168.1.0 255.255.255.0
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800 kilobytes 4608000
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    vpngroup TOPPER-GRP split-tunnel splitTunnelAclRA
    sysopt connection permit-ipsec

Regards
 

Author Comment
by: glengillman
ID: 20319914
I don't understand what split tunneling is.  Why do you think I should use it?  By the way, I did have separate IPs for VPN.

What is this IP you plugged in for the example above?   172.6.10.0

Yes, my router and all the boxes inside the office resolve to 192.168.1.x.   But I configured VPN to resolve DHCP at the range 192.168.2.210-192.168.2.220.

Thanks
 
Expert Comment
by: Alan Huseyin Kayahan
ID: 20320000
"But I configured VPN to resolve DHCP at the range 192.168.2.210-192.168.2.220."
But your following configuration does not say so:
ip local pool VPN_DHCP 192.168.1.210-192.168.1.230
Also, your mistake goes on in your exempt NAT rule:
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.200 255.255.255.248
 

Author Comment
by: glengillman
ID: 20320117
OK, my mistake.  Thanks for clarifying that.

Now, do I still need to use the split tunneling?  If you could answer the questions about that, I would really appreciate it.
 

Author Comment
by: glengillman
ID: 20320179
How do I correct that exempt NAT rule?
 
Expert Comment
by: Alan Huseyin Kayahan
ID: 20322135
Hi glengillman,
If you do not use split tunneling, the VPN client will lose connectivity with its local area network. By using split tunneling, you can specify the networks which you want the client to reach through the VPN tunnel.
A correct exempt NAT statement appears in my example above:
access-list inside_outbound_nat0_acl line 4 permit ip 192.168.1.0 255.255.255.0 172.6.10.0 255.255.255.0

In the example above, 192.168.1.0 is your local network and 172.6.10.0 is the VPN client pool.

Regards
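A small config lint for the two problems raised in this thread (a client pool carved out of the inside subnet, and a pool with no nat 0 exemption covering LAN-to-pool traffic), added here as an example and not code from the thread or from Cisco. The config excerpt is constructed from the values posted above; the vpngroup PPTP-DEMO line and its use of the VPN_DHCP pool are invented to show a pool with no exemption.

```python
"""Lint a PIX 6.x running-config dump for the two remote-access VPN mistakes
this thread turns on: a client address pool that overlaps the inside subnet,
and a pool with no matching NAT-exemption (nat 0) access-list entry."""
import ipaddress

# Constructed excerpt modelled on the configs posted in the thread; the
# PPTP-DEMO group is invented to show a pool that has no nat 0 exemption.
SAMPLE_CONFIG = """\
name 192.168.1.150 web-server
ip address inside 192.168.1.1 255.255.255.0
ip local pool TOPPER 192.168.1.201-192.168.1.205
ip local pool VPN_DHCP 192.168.1.210-192.168.1.230
ip local pool VPNPool 172.6.10.1-172.6.10.254
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.200 255.255.255.248
access-list inside_outbound_nat0_acl permit ip host web-server 192.168.1.200 255.255.255.248
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.6.10.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup TOPPER-GRP address-pool TOPPER
vpngroup PPTP-DEMO address-pool VPN_DHCP
vpngroup airbuds address-pool VPNPool
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr_spec(tokens, i, names):
    """Parse one PIX address spec at tokens[i]: 'any', 'host A' or 'A MASK'.
    Returns (network, index of the next token).  Aliases from 'name' lines
    are resolved through the names dict."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    addr = names.get(tokens[i], tokens[i])
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull out only what the two checks need from a running-config dump."""
    cfg = {"inside": None, "names": {}, "pools": {}, "acls": {}, "nat0": None, "groups": {}}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["name"]:                        # 'name <ip> <alias>'
            cfg["names"][t[2]] = t[1]
        elif t[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:        # range 'a-b' or a single address
            lo, _, hi = t[4].partition("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo))
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, i = _addr_spec(t, 4, cfg["names"])
            dst, _ = _addr_spec(t, i, cfg["names"])
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0"] = t[4]
        elif t[:1] == ["vpngroup"] and t[2:3] == ["address-pool"]:
            cfg["groups"][t[1]] = t[3]
    return cfg


def lint(cfg):
    """Return one finding string per problem; an empty list means both checks passed."""
    findings = []
    inside = cfg["inside"]
    nat0 = cfg["acls"].get(cfg["nat0"], [])
    for group, pool_name in cfg["groups"].items():
        lo, hi = cfg["pools"][pool_name]
        # Check 1 (the thread's first mistake): the client pool must not be carved
        # out of the LAN subnet, or the PIX and LAN hosts both claim those addresses.
        if lo in inside or hi in inside:
            findings.append(f"{group}: pool {pool_name} {lo}-{hi} overlaps inside subnet {inside}")
        # Check 2 (the 'exempt nat rule'): some entry in the nat 0 ACL must cover
        # LAN -> pool, otherwise replies to VPN clients are PATed to the outside
        # address instead of going back down the tunnel.
        if not any(inside.subnet_of(src) and lo in dst and hi in dst for src, dst in nat0):
            findings.append(f"{group}: no nat 0 exemption for {inside} -> {pool_name} {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the constructed excerpt it reports TOPPER-GRP once (overlap) and PPTP-DEMO twice (overlap and missing exemption), and nothing for airbuds, which uses the 172.6.10.0/24 pool with its matching nat 0 entry.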
 

Author Comment
by: glengillman
ID: 20325744
Thank you for your time on this.  I am still unable to connect via PPTP or the VPN client.  I am focusing on the VPN Client, of which I have version 4.0.3.  Anyway, here is my config after trying to clean up and add what you suggested.  I am still getting "Secure VPN Connection terminated locally by the Client.  Reason 412:  The remote peer is no longer responding."

If something needs to be deleted in the config below, please tell me how to delete it via the command line or where to find it in the web interface.


PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password vxaiY3m67V1.pDhG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname topper
domain-name centurytel.net
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name 192.168.1.150 web-server
object-group service mailserver tcp
  description email server
  port-object eq ident
  port-object eq pop3
  port-object eq imap4
  port-object eq www
  port-object eq https
  port-object eq smtp
  port-object range 135 135
object-group service vpnudp udp
  description vpn udp
  port-object range 1701 1701
  port-object range isakmp isakmp
object-group service FTPGroup tcp
  port-object eq ftp-data
  port-object eq ftp
object-group service pptpgroup tcp
  port-object eq 1723
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit gre any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip host web-server 192.168.1.200 255.255.255.248
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 172.6.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.6.10.0 255.255.255.0
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp any any eq 3389
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list outside_cryptomap_dyn_40 permit ip 172.6.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list splitTunnelAclRA permit ip 192.168.1.0 255.255.255.0 172.6.10.0 255.255.255.0
access-list outside_cryptomap_dyn_60 permit ip any 172.6.10.0 255.255.255.0
access-list outside_cryptomap_dyn_80 permit ip any 172.6.10.0 255.255.255.0
access-list airbuds_splitTunnelAcl permit ip 172.6.10.0 255.255.255.0 any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 96.226.0.30 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool arlington-test 192.168.1.50
ip local pool TOPPER 192.168.1.201-192.168.1.205
ip local pool VPN_DHCP 192.168.1.210-192.168.1.230
ip local pool VPNPool 172.6.10.1-172.6.10.254
pdm location 0.0.0.0 255.0.0.0 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 192.168.1.192 255.255.255.224 outside
pdm location web-server 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.1.200 255.255.255.248 outside
pdm location 192.168.1.200 255.255.255.255 inside
pdm location 192.168.1.192 255.255.255.192 outside
pdm location 172.6.10.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www web-server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.200 pptp netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 96.226.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup airbuds address-pool VPNPool
vpngroup airbuds dns-server 68.238.96.12 68.238.112.12
vpngroup airbuds wins-server 192.168.1.1
vpngroup airbuds split-tunnel splitTunnelAclRA
vpngroup airbuds idle-time 1800
vpngroup airbuds password ********
vpngroup VpnPool split-tunnel splitTunnelAclRA
vpngroup VpnPool idle-time 1800
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
vpdn username glen password *********
vpdn username bill password *********
vpdn username carolyn password *********
vpdn username mike password *********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 68.238.96.12 68.238.112.12
dhcpd lease 1382400
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username admin password OXCRCO4.AJ7L5AV9 encrypted privilege 15
username bill password Hg2m5LIK/3euaX9D encrypted privilege 5
username glen password dGcPoGp4DhUbJR9o encrypted privilege 15
terminal width 80
Cryptochecksum:9e809e356b94cdbcae6452ca48acd83e
 
Expert Comment
by: Alan Huseyin Kayahan
ID: 20326198
no crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
no crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
no crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
no crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
no crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-SHA
no vpngroup VpnPool split-tunnel splitTunnelAclRA
no vpngroup VpnPool idle-time 1800
no access-list outside_cryptomap_dyn_40 permit ip 172.6.10.0 255.255.255.0 192.168.1.0 255.255.255.0
no access-list outside_cryptomap_dyn_60 permit ip any 172.6.10.0 255.255.255.0
no access-list outside_cryptomap_dyn_80 permit ip any 172.6.10.0 255.255.255.0
no crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

access-list outside_cryptomap_dyn_20 permit ip 172.6.10.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map client authentication LOCAL
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000

After applying the code above, make sure your VPN client has airbuds written in the group name, and that the password matches.

Regards
 

Author Comment
by: glengillman
ID: 20327365
OK, great.  I will try this.  One thing I forgot to mention, RE:  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

I don't have a license for ESP-3DES-MD5 on my PIX, so that command won't work.
 

Author Comment
by: glengillman
ID: 20327737
OK, most of the commands worked.  3 of them didn't, so below see the errors for the 3, and I included my latest config.  I appreciate your help and time.

Result of PIX command: "crypto map outside_map client  authentication LOCAL"
 
Protocol "local" is available only for console authentication
and command authorization
Command failed

Result of PIX command: "crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac"
 
VPN-Triple-DES is not enabled with current activation key.
usage: crypto ipsec transform-set <trans-name> [ ah-md5-hmac|ah-sha-hmac ]
            [ esp-des|esp-null ] [ esp-md5-hmac|esp-sha-hmac ]
        crypto ipsec transform-set <trans-name> mode transport
Command failed

Result of PIX command: "crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5"
 
ERROR: transform set with tag "ESP-3DES-MD5" does not exist.
Command failed



my config now:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password vxaiY3m67V1.pDhG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname topper
domain-name centurytel.net
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name 192.168.1.150 web-server
object-group service mailserver tcp
  description email server
  port-object eq ident
  port-object eq pop3
  port-object eq imap4
  port-object eq www
  port-object eq https
  port-object eq smtp
  port-object range 135 135
object-group service vpnudp udp
  description vpn udp
  port-object range 1701 1701
  port-object range isakmp isakmp
object-group service FTPGroup tcp
  port-object eq ftp-data
  port-object eq ftp
object-group service pptpgroup tcp
  port-object eq 1723
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit gre any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip host web-server 192.168.1.200 255.255.255.248
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 172.6.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.6.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 172.6.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp any any eq 3389
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list splitTunnelAclRA permit ip 192.168.1.0 255.255.255.0 172.6.10.0 255.255.255.0
access-list airbuds_splitTunnelAcl permit ip 172.6.10.0 255.255.255.0 any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 96.226.0.30 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool arlington-test 192.168.1.50
ip local pool TOPPER 192.168.1.201-192.168.1.205
ip local pool VPN_DHCP 192.168.1.210-192.168.1.230
ip local pool VPNPool 172.6.10.1-172.6.10.254
pdm location 0.0.0.0 255.0.0.0 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 192.168.1.192 255.255.255.224 outside
pdm location web-server 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.1.200 255.255.255.248 outside
pdm location 192.168.1.200 255.255.255.255 inside
pdm location 192.168.1.192 255.255.255.192 outside
pdm location 172.6.10.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www web-server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.200 pptp netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 96.226.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup airbuds address-pool VPNPool
vpngroup airbuds dns-server 68.238.96.12 68.238.112.12
vpngroup airbuds wins-server 192.168.1.1
vpngroup airbuds split-tunnel splitTunnelAclRA
vpngroup airbuds idle-time 1800
vpngroup airbuds password ********
vpngroup VpnPool idle-time 1800
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
vpdn username glen password *********
vpdn username bill password *********
vpdn username carolyn password *********
vpdn username mike password *********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 68.238.96.12 68.238.112.12
dhcpd lease 1382400
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username admin password OXCRCO4.AJ7L5AV9 encrypted privilege 15
username bill password Hg2m5LIK/3euaX9D encrypted privilege 5
username glen password dGcPoGp4DhUbJR9o encrypted privilege 15
terminal width 80
Cryptochecksum:7414c9e4860ac498d316f5ed1250bfbd
Assisted Solution
by: Alan Huseyin Kayahan
ID: 20334139
Hmm, add the following then:

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
no access-list inside_outbound_nat0_acl permit ip any 172.6.10.0 255.255.255.0
no access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.224
no access-list inside_outbound_nat0_acl permit ip host web-server 192.168.1.200 255.255.255.248
no access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.192

What I recommend is:
         * Download the latest version of the Cisco VPN client
         * Double/triple check that in the VPN client properties, airbuds is entered as the group name and 1 as the pre-shared key
         * Upgrade your IOS to 6.3(5)
         * Apply write mem and reload (restart) the PIX
