Solved

how to configure ipsec vpn in pix 506e site to mobile users

Posted on 2007-11-26
Last Modified: 2008-02-01
(mobile users with vpn client software)-------------------(internet)----------------------(router)---(((pix506e)))-----(servers)

Where is the mistake?
Or is there anything to remove or add?


PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 vpn security99
enable password v2QcRo7L8Va/yyaJ encrypted
passwd 2l1bK4MHwQjzsS4N encrypted
hostname Hostname
domain-name domainname.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list moderngroup_splitTunnelAcl permit ip host 192.168.0.2 any
access-list vpn_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu vpn 1500
ip address outside 1.2.3.4 255.255.255.240
ip address vpn 192.168.0.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.255.252 vpn
pdm history enable
arp timeout 14400
nat (vpn) 0 access-list vpn_outbound_nat0_acl
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.2 255.255.255.255 vpn
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp identity address
isakmp nat-traversal 100
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup ABCD split-tunnel moderngroup_splitTunnelAcl
vpngroup ABCD idle-time 1800
vpngroup ABCD password ********
telnet 195.229.191.80 255.255.255.240 outside
telnet 192.168.0.0 255.255.255.252 vpn
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Question by:imran786
 
Accepted Solution by grblades:

You are missing some crypto commands. Add the following :-

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
!--- IPSEC applies to outside interface
crypto map outside_map interface outside
 
Assisted Solution by grblades:

You are also missing an address pool from your vpngroup. So you need to add something like :-

ip local pool vpnpool 192.168.100.1-192.168.100.254
vpngroup ABCD address-pool vpnpool
 
Author Comment by imran786:

Thanks, the VPN client is connected to the PIX....

But after connecting, users can't ping the server (inside interface of PIX) {192.168.0.2}.
Also I can't ping from the PIX outside interface to the other end {1.2.3.5}.

Sending you the current sh run......

PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 vpn security99
enable password v2QcRo7L8Va/yyaJ encrypted
passwd 2l1bK4MHwQjzsS4N encrypted
hostname Hostname
domain-name domainname.com
clock timezone gst 4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ABCD_splitTunnelAcl permit ip host 192.168.0.2 any
access-list vpn_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu vpn 1500
ip address outside 1.2.3.4 255.255.255.240
ip address vpn 192.168.0.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
ip local pool testing 192.168.5.1-192.168.5.254
pdm location 192.168.0.0 255.255.255.252 vpn
pdm history enable
arp timeout 14400
nat (vpn) 0 access-list vpn_outbound_nat0_acl
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.2 255.255.255.255 vpn
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside_dyn_map client configuration address initiate
crypto map outside_dyn_map client configuration address respond
isakmp enable outside
isakmp identity address
isakmp nat-traversal 100
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup ABCD address-pool testing
vpngroup ABCD split-tunnel ABCD_splitTunnelAcl
vpngroup ABCD idle-time 1800
vpngroup ABCD password ********
telnet 192.168.0.0 255.255.255.252 vpn
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
 
Expert Comment by grblades:

You don't normally have a 'match address' for client VPN connections. It's normally only for fixed LAN-to-LAN connections. You can remove it by entering the following configuration :-
no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

Pinging 192.168.0.2 should work.
If you try pinging 1.2.3.5 then the traffic should not go over the vpn and just go over the internet normally.

You allocated points so is it now working?
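Putting the three fixes from this thread (the crypto dynamic-map/crypto map plumbing from the accepted solution, the address pool from the assisted solution, and the advice above about 'match address') into a check you can run against a saved `sh run`: the block below is an added example and is not part of the original thread or of any Cisco tooling. It also checks something the thread only implied: the pool has to fall inside the `nat (vpn) 0` access-list, which is why the poster's 192.168.5.x pool worked while the 192.168.100.x example in the assisted solution would have needed that ACL changed too. Beyond what the thread covers it warns about single DES, MD5 and DH group 1 in the ISAKMP policies and transform-set, the default SNMP community `public`, and Telnet permitted from the outside interface, all of which are visible in the posted config. `BEFORE_FIX` and `FIX_LINES` are constructed excerpts modelled on the posted configs, and the patterns are written for the 6.3 syntax shown on this page only.

```python
# Lint a PIX 6.3 'sh run' for the remote-access IPsec pieces this thread
# fixed, plus a few hardening warnings. Added example; not Cisco tooling.
import ipaddress
import re

# Constructed excerpt modelled on the poster's first config (before the fixes).
BEFORE_FIX = """\
nameif ethernet0 outside security0
nameif ethernet1 vpn security99
access-list vpn_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.0
nat (vpn) 0 access-list vpn_outbound_nat0_acl
snmp-server community public
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup ABCD split-tunnel moderngroup_splitTunnelAcl
vpngroup ABCD password ********
telnet 195.229.191.80 255.255.255.240 outside
"""

# Lines the accepted/assisted solutions add, plus 'isakmp enable outside' from
# the poster's later sh run. Pool named as in the assisted solution but placed
# in 192.168.5.0/24 so the existing nat 0 ACL exempts it (assumption).
FIX_LINES = """\
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
ip local pool vpnpool 192.168.5.1-192.168.5.254
vpngroup ABCD address-pool vpnpool
"""


def lint(config):
    """Return {'errors': [...], 'warnings': [...]} for a PIX 6.3 config text.
    errors stop a Cisco VPN Client connecting or passing traffic; warnings are
    weak crypto or exposed management the config should not ship with."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    errors, warnings = [], []

    def grep(pattern):
        return [m for m in (re.match(pattern, ln) for ln in lines) if m]

    # Crypto plumbing from the accepted solution.
    if not grep(r"crypto dynamic-map \S+ \d+ set transform-set \S+$"):
        errors.append("no 'crypto dynamic-map ... set transform-set' entry")
    if not grep(r"crypto map \S+ \d+ ipsec-isakmp dynamic \S+$"):
        errors.append("no 'crypto map ... ipsec-isakmp dynamic' entry")
    if not grep(r"crypto map \S+ interface outside$"):
        errors.append("crypto map not applied to the outside interface")
    if not grep(r"isakmp enable outside$"):
        errors.append("'isakmp enable outside' missing")

    # Address pool per vpngroup (assisted solution) and nat 0 coverage of it.
    pools = {m.group(1): ipaddress.ip_address(m.group(2))
             for m in grep(r"ip local pool (\S+) (\S+)-(\S+)$")}
    nat0_acls = {m.group(1) for m in grep(r"nat \(\S+\) 0 access-list (\S+)$")}
    exempt = [ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
              for m in grep(r"access-list (\S+) permit ip any (\S+) (\S+)$")
              if m.group(1) in nat0_acls]
    groups = {m.group(1) for m in grep(r"vpngroup (\S+) ")}
    pool_of = {m.group(1): m.group(2)
               for m in grep(r"vpngroup (\S+) address-pool (\S+)$")}
    for g in sorted(groups):
        if g not in pool_of:
            errors.append(f"vpngroup {g} has no address-pool")
        elif pool_of[g] not in pools:
            errors.append(f"vpngroup {g} references undefined pool {pool_of[g]}")
        elif not any(pools[pool_of[g]] in net for net in exempt):
            errors.append(f"pool {pool_of[g]} is not exempted from NAT by a nat 0 ACL")

    # 'match address' on a dynamic map is for lan-to-lan, not client VPN.
    for m in grep(r"crypto dynamic-map (\S+) \d+ match address (\S+)$"):
        warnings.append(f"dynamic-map {m.group(1)} has 'match address {m.group(2)}'"
                        " (not normally needed for client VPN)")

    # Hardening checks beyond what the thread covers.
    for m in grep(r"isakmp policy (\d+) (encryption des|hash md5|group 1)$"):
        warnings.append(f"isakmp policy {m.group(1)}: weak '{m.group(2)}'")
    for m in grep(r"crypto ipsec transform-set (\S+) .*\besp-des\b"):
        warnings.append(f"transform-set {m.group(1)} uses weak single DES")
    if grep(r"snmp-server community (public|private)$"):
        warnings.append("default SNMP community string in use")
    if grep(r"telnet \S+ \S+ outside$"):
        warnings.append("cleartext telnet management permitted from outside")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_FIX), ("after", BEFORE_FIX + FIX_LINES)):
        print(label, lint(cfg))
```

Run it against the first posted config and it reports the five missing pieces; with `FIX_LINES` appended the errors clear and only the hardening warnings remain. Swapping the pool for 192.168.100.x without touching `vpn_outbound_nat0_acl` reproduces the NAT-exemption error.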
 
Author Comment by imran786:

I have removed the "match address" entry.
But still, after the VPN client connection is established I can't ping 192.168.0.2.
[PC]vpn================vpn[PIX](192.168.0.1)-----------------(192.168.0.2)[Server]

I can ping from PC to outside interface of PIX 1.2.3.5 (without VPN).
But I can't ping (using telnet) from PIX outside interface to PC 1.2.3.4
 [PC](1.2.3.4)------------(1.2.3.5)[PIX]
 
 
Expert Comment by grblades:

> But still, after the VPN client connection is established I can't ping 192.168.0.2.
> [PC]vpn================vpn[PIX](192.168.0.1)-----------------(192.168.0.2)[Server]
I can't see anything in the PIX configuration to stop this from working. On the server, can you make sure the subnet mask is set to 255.255.255.0 and that 192.168.0.1 is defined as the default gateway.

> But I can't ping (using telnet) from PIX outside interface to PC 1.2.3.4
> [PC](1.2.3.4)------------(1.2.3.5)[PIX]
I can't follow where you are trying to ping from and to. You have the PIX outside interface defined as 1.2.3.4 in the config.
Can you tell me from what device to what device you are trying to ping and where those devices are physically connected.
Trying to ping from the PIX itself may be a problem since it may try to ping from the inside interface, and since you don't have any NAT configured it won't work.
 
Author Comment by imran786:

The PIX is not installed in the real network. I am just configuring it in a lab.

VPN is OK. Now I want to ping from PC to a server (192.168.0.2).

[PC]vpn====(direct connected)=========vpn[PIX](192.168.0.1)-----------------(192.168.0.2)[Server]
 
Expert Comment by grblades:

On the server can you open a command prompt and post the output of the following commands :-
ipconfig /all
route print

To copy text in command prompt select the text by dragging the mouse so the white box covers all the text and then press the enter key to copy.
 
Author Comment by imran786:

C:\Documents and Settings\imu>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : fs
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-E0-00-9A-0D-4b
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 195.129.191.83
        Subnet Mask . . . . . . . . . . . : 255.255.255.240
        Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.5.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

C:\Documents and Settings\abc>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 e0 00 9a 0d 4c ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Teefer2 Miniport
0x30004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Teefer2 Miniport

===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.2  255.255.255.255      192.168.5.2     192.168.5.1       1
      192.168.5.0    255.255.255.0      192.168.5.1     192.168.5.1      30
      192.168.5.1  255.255.255.255        127.0.0.1       127.0.0.1      30
    192.168.5.255  255.255.255.255      192.168.5.1     192.168.5.1      30
   195.129.191.80  255.255.255.240   195.129.191.83  195.129.191.83      30
   195.129.191.82  255.255.255.255   195.129.191.83  195.129.191.83       1
   195.129.191.83  255.255.255.255        127.0.0.1       127.0.0.1      30
  195.129.191.255  255.255.255.255   195.129.191.83  195.129.191.83      30
        224.0.0.0        240.0.0.0      192.168.5.1     192.168.5.1      30
        224.0.0.0        240.0.0.0   195.129.191.83  195.129.191.83      30
  255.255.255.255  255.255.255.255      192.168.5.1     192.168.5.1       1
  255.255.255.255  255.255.255.255   195.129.191.83  195.129.191.83       1
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\abc>ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Thanks grblades,
sorry to bother you.
 
Expert Comment by grblades:

You are missing the default gateway on the server. You should set it to 192.168.0.1.
Without it, it does not know where to send the replies to the VPN client or how to get onto the outside network.
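The two routing conditions grblades checked by asking for `route print` output, as an added example that is not part of the thread and is not a Windows or Cisco tool: parse the Active Routes table, then verify on the VPN client that the split-tunnel host route for 192.168.0.2 leaves via the Cisco VPN adapter, and on the server that a reply to a client pool address has a route whose gateway is the PIX inside address (which, with no pool-specific route, means the default gateway). The three route tables below are constructed from the outputs posted in this thread, with columns normalised and rows omitted.

```python
# Check the routing conditions diagnosed in this thread from 'route print'
# text. Added example with constructed samples; not Windows or Cisco tooling.
import ipaddress
import re

# Constructed sample modelled on the VPN client PC's posted 'route print'.
CLIENT_ROUTES = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.2  255.255.255.255      192.168.5.2     192.168.5.1       1
      192.168.5.0    255.255.255.0      192.168.5.1     192.168.5.1      30
   195.129.191.80  255.255.255.240   195.129.191.83  195.129.191.83      30
Persistent Routes:
  None
"""

# Server before and after the default gateway was set (constructed).
SERVER_NO_GATEWAY = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0  255.255.255.252      192.168.0.2     192.168.0.2      20
"""
SERVER_WITH_GATEWAY = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.2      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0  255.255.255.252      192.168.0.2     192.168.0.2      20
Default Gateway:       192.168.0.1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# destination, netmask, gateway, interface, metric (interface may be an index)
ROUTE_RE = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Parse the Active Routes rows of Windows 'route print' output."""
    routes = []
    for ln in text.splitlines():
        m = ROUTE_RE.match(ln)
        if not m:
            continue  # headers, 'Persistent Routes', 'Default Gateway:' etc.
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gateway, "iface": iface, "metric": int(metric)})
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest metric as tiebreak; None if unroutable."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in routes if addr in r["net"]]
    if not cands:
        return None
    return max(cands, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def split_tunnel_ok(client_routes, target, vpn_adapter_ip):
    """Client side: the split-tunnel host route must leave via the VPN adapter."""
    r = lookup(client_routes, target)
    return r is not None and r["iface"] == vpn_adapter_ip


def reply_path_ok(server_routes, client_pool_ip, pix_inside_ip):
    """Server side: a reply to the client's pool address must be sent to the
    PIX inside address (default route or a route covering the pool)."""
    r = lookup(server_routes, client_pool_ip)
    return r is not None and r["gateway"] == pix_inside_ip


if __name__ == "__main__":
    print("client split tunnel:", split_tunnel_ok(parse_routes(CLIENT_ROUTES),
                                                  "192.168.0.2", "192.168.5.1"))
    for name, table in (("no gw", SERVER_NO_GATEWAY), ("with gw", SERVER_WITH_GATEWAY)):
        print(f"server {name}:", reply_path_ok(parse_routes(table),
                                              "192.168.5.1", "192.168.0.1"))
```

On the posted outputs the client side passes (the 192.168.0.2/32 route goes out 192.168.5.1, the Cisco VPN adapter), while the server table without a default gateway has no route at all for 192.168.5.1, which is exactly why the echo requests arrived but no replies came back.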
 
Author Comment by imran786:

Reply from 192.168.0.1: bytes=32 time<1ms TTL=255
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
        Physical Address. . . . . . . . . : 00-17-08-3B-BF-4A
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 192.168.0.1

C:\Documents and Settings\Administrator>route print
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.2      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0  255.255.255.252      192.168.0.2     192.168.0.2      20
      192.168.0.2  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.0.255  255.255.255.255      192.168.0.2     192.168.0.2      20
        224.0.0.0        240.0.0.0      192.168.0.2     192.168.0.2      20
  255.255.255.255  255.255.255.255      192.168.0.2     192.168.0.2       1
  255.255.255.255  255.255.255.255      192.168.0.2               2       1
Default Gateway:       192.168.0.1

 
Expert Comment by grblades:

That looks fine now.