How to configure IPsec VPN on a PIX 506E, site to mobile users

Posted on 2007-11-26
Last Modified: 2008-02-01
(mobile users with vpn client software)-------------------(internet)----------------------(router)---(((pix506e)))-----(servers)

Where is the mistake?
Or is there anything to remove or add?


PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 vpn security99
enable password v2QcRo7L8Va/yyaJ encrypted
passwd 2l1bK4MHwQjzsS4N encrypted
hostname Hostname
domain-name domainname.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list moderngroup_splitTunnelAcl permit ip host 192.168.0.2 any
access-list vpn_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu vpn 1500
ip address outside 1.2.3.4 255.255.255.240
ip address vpn 192.168.0.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.255.252 vpn
pdm history enable
arp timeout 14400
nat (vpn) 0 access-list vpn_outbound_nat0_acl
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.2 255.255.255.255 vpn
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp identity address
isakmp nat-traversal 100
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup ABCD split-tunnel moderngroup_splitTunnelAcl
vpngroup ABCD idle-time 1800
vpngroup ABCD password ********
telnet 195.229.191.80 255.255.255.240 outside
telnet 192.168.0.0 255.255.255.252 vpn
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Question by:imran786
Accepted Solution

by:grblades
grblades earned 500 total points
ID: 20349482
You are missing some crypto commands. Add the following :-

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
!--- IPSEC applies to outside interface
crypto map outside_map interface outside
Assisted Solution

by:grblades
grblades earned 500 total points
ID: 20349495
You are also missing an address pool from your vpngroup. So you need to add something like :-

ip local pool vpnpool 192.168.100.1-192.168.100.254
vpngroup ABCD address-pool vpnpool
Author Comment

by:imran786
ID: 20356065
Thanks, the VPN client is connected to the PIX.


But after connecting, users can't ping the server (inside interface of the PIX) {192.168.0.2}.
Also I can't ping from the PIX outside interface to the other end {1.2.3.5}.




Sending you the current sh run...

PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 vpn security99
enable password v2QcRo7L8Va/yyaJ encrypted
passwd 2l1bK4MHwQjzsS4N encrypted
hostname Hostname
domain-name domainname.com
clock timezone gst 4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ABCD_splitTunnelAcl permit ip host 192.168.0.2 any
access-list vpn_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu vpn 1500
ip address outside 1.2.3.4 255.255.255.240
ip address vpn 192.168.0.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
ip local pool testing 192.168.5.1-192.168.5.254
pdm location 192.168.0.0 255.255.255.252 vpn
pdm history enable
arp timeout 14400
nat (vpn) 0 access-list vpn_outbound_nat0_acl
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.2 255.255.255.255 vpn
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside_dyn_map client configuration address initiate
crypto map outside_dyn_map client configuration address respond
isakmp enable outside
isakmp identity address
isakmp nat-traversal 100
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup ABCD address-pool testing
vpngroup ABCD split-tunnel ABCD_splitTunnelAcl
vpngroup ABCD idle-time 1800
vpngroup ABCD password ********
telnet 192.168.0.0 255.255.255.252 vpn
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Expert Comment

by:grblades
ID: 20356478
You don't normally have a 'match address' for client VPN connections. It's normally only for fixed LAN-to-LAN connections. You can remove it by entering the following configuration :-
no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

Pinging 192.168.0.2 should work.
If you try pinging 1.2.3.5 then the traffic should not go over the vpn and just go over the internet normally.

You allocated points so is it now working?
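As an added example (not code from the thread or from Cisco), a small Python lint that checks a pasted PIX 6.3 config for the pieces grblades pointed out in his replies above: a dynamic crypto map with a transform-set, a crypto map that references it and is bound to the outside interface, an address pool on the vpngroup, and a 'match address' that should not be on a client dynamic map. The two sample configs are constructed reductions of the asker's first dump and of the corrected one.

```python
import re
# Constructed sample, not the thread's full dump: the asker's original crypto
# section before the accepted solution, reduced to the lines the checks inspect.
ORIGINAL = """\
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp identity address
isakmp policy 10 authentication pre-share
vpngroup ABCD split-tunnel moderngroup_splitTunnelAcl
vpngroup ABCD password ********
"""
# Same config with the accepted solution's lines applied, plus the pool and
# 'isakmp enable outside' that the asker's later sh run shows.
FIXED = ORIGINAL + """\
ip local pool testing 192.168.5.1-192.168.5.254
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
vpngroup ABCD address-pool testing
"""

def lint_pix_client_vpn(config: str) -> list[str]:
    """Return findings for the remote-access IPsec pieces of a PIX 6.3 config."""
    lines = [s for l in config.splitlines() if (s := l.strip()) and not s.startswith("!")]
    def grep(pattern):  # match objects for every line matching pattern at its start
        return [m for l in lines if (m := re.match(pattern, l))]
    findings = []
    dyn_maps = {m[1] for m in grep(r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)")}
    if not dyn_maps:
        findings.append("missing: crypto dynamic-map <name> <seq> set transform-set <set>")
    for m in grep(r"crypto dynamic-map (\S+) \d+ match address (\S+)"):
        findings.append(f"warn: 'match address {m[2]}' on dynamic map {m[1]} (LAN-to-LAN only)")
    maps = {m[1] for m in grep(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)") if m[2] in dyn_maps}
    if not maps:
        findings.append("missing: crypto map <name> <seq> ipsec-isakmp dynamic <dyn-map>")
    applied = {m[2] for m in grep(r"crypto map (\S+) interface (\S+)") if m[1] in maps}
    if not applied:
        findings.append("missing: crypto map <name> interface <if> (map not bound to an interface)")
    for iface in sorted(applied):  # ISAKMP must also be enabled where the map is bound
        if not grep(rf"isakmp enable {re.escape(iface)}$"):
            findings.append(f"missing: isakmp enable {iface}")
    pools = {m[1] for m in grep(r"ip local pool (\S+) ")}
    for group in sorted({m[1] for m in grep(r"vpngroup (\S+) ")}):
        pool = [m[1] for m in grep(rf"vpngroup {re.escape(group)} address-pool (\S+)")]
        if not pool:
            findings.append(f"missing: vpngroup {group} address-pool <pool>")
        elif pool[0] not in pools:
            findings.append(f"missing: ip local pool {pool[0]} <first>-<last>")
    return findings
```

Running it on ORIGINAL reproduces the four gaps the thread walks through; on FIXED it returns nothing.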
Author Comment

by:imran786
ID: 20356756
I have removed the "match address" entry.
But still, after the VPN client connection is established, I cannot ping 192.168.0.2.
[PC]vpn================vpn[PIX](192.168.0.1)-----------------(192.168.0.2)[Server]

I can ping from the PC to the outside interface of the PIX 1.2.3.5 (without VPN).
But I can't ping (using telnet) from the PIX outside interface to the PC 1.2.3.4.
 [PC](1.2.3.4)------------(1.2.3.5)[PIX]
Expert Comment

by:grblades
ID: 20356801
> But still after vpn client connection is established l not ping to 192.168.0.2.
> [PC]vpn================vpn[PIX](192.168.0.1)-----------------(192.168.0.2)[Server]
I can't see anything in the PIX configuration to stop this from working. On the server, can you make sure the subnet mask is set to 255.255.255.0 and that 192.168.0.1 is defined as the default gateway.

> But I cant ping (using telnet) from pix outside interface to PC 1.2.3.4
> [PC](1.2.3.4)------------(1.2.3.5)[PIX]
I can't follow where you are trying to ping from and to. You have the PIX outside interface defined as 1.2.3.4 in the config.
Can you tell me from what device to what device you are trying to ping, and where those devices are physically connected.
Trying to ping from the PIX itself may be a problem, since it may try to ping from the inside interface, and since you don't have any NAT configured it won't work.
Author Comment

by:imran786
ID: 20356853
The PIX is not installed in the real network. I am just configuring it in a lab.

VPN is OK. Now I want to ping from the PC to a server (192.168.0.2).

[PC]vpn====(direct connected)=========vpn[PIX](192.168.0.1)-----------------(192.168.0.2)[Server]


Expert Comment

by:grblades
ID: 20356943
On the server can you open a command prompt and post the output of the following commands :-
ipconfig /all
route print

To copy text in command prompt select the text by dragging the mouse so the white box covers all the text and then press the enter key to copy.
Author Comment

by:imran786
ID: 20357165
C:\Documents and Settings\imu>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : fs
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-E0-00-9A-0D-4b
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 195.129.191.83
        Subnet Mask . . . . . . . . . . . : 255.255.255.240
        Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.5.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

C:\Documents and Settings\abc>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 e0 00 9a 0d 4c ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Teefer2 Miniport
0x30004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Teefer2 Miniport

===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.2  255.255.255.255      192.168.5.2     192.168.5.1       1
      192.168.5.0    255.255.255.0      192.168.5.1     192.168.5.1      30
      192.168.5.1  255.255.255.255        127.0.0.1       127.0.0.1      30
    192.168.5.255  255.255.255.255      192.168.5.1     192.168.5.1      30
   195.129.191.80  255.255.255.240   195.129.191.83  195.129.191.83      30
   195.129.191.82  255.255.255.255   195.129.191.83  195.129.191.83       1
   195.129.191.83  255.255.255.255        127.0.0.1       127.0.0.1      30
  195.129.191.255  255.255.255.255   195.129.191.83  195.129.191.83      30
        224.0.0.0        240.0.0.0      192.168.5.1     192.168.5.1      30
        224.0.0.0        240.0.0.0   195.129.191.83  195.129.191.83      30
  255.255.255.255  255.255.255.255      192.168.5.1     192.168.5.1       1
  255.255.255.255  255.255.255.255   195.129.191.83  195.129.191.83       1
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\abc>ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Thanks grblades,
sorry for bothering you.
Expert Comment

by:grblades
ID: 20357319
You are missing the default gateway on the server. You should set it to 192.168.0.1.
Without it, it does not know where to send the replies to the VPN client, or how to get onto the outside network.
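As an added example (not from the thread), a Python check that parses a Windows 'route print' table and performs the longest-prefix lookup the server does when it replies to the VPN client's pool address 192.168.5.1, which makes the missing default gateway visible as "no route" rather than as silent timeouts. Both route tables are constructed from the output the asker posted.

```python
import ipaddress
import re

# Constructed sample modelled on the server's 'route print' in the thread: the
# default gateway was left blank, so there is no 0.0.0.0/0 entry.
NO_GATEWAY = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0  255.255.255.252      192.168.0.2     192.168.0.2      20
      192.168.0.2  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.0.255  255.255.255.255      192.168.0.2     192.168.0.2      20
        224.0.0.0        240.0.0.0      192.168.0.2     192.168.0.2      20
  255.255.255.255  255.255.255.255      192.168.0.2     192.168.0.2       1
  255.255.255.255  255.255.255.255      192.168.0.2               2       1
Default Gateway:
"""
# The same table after the default gateway 192.168.0.1 was set on the server.
WITH_GATEWAY = NO_GATEWAY.replace(
    "Active Routes:\n",
    "Active Routes:\n          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.2      20\n")

def parse_routes(text):
    """Return [(network, gateway, interface, metric)] from 'route print' output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not all(re.fullmatch(r"[\d.]+", p) for p in parts[:4]):
            continue  # header, separator or 'Default Gateway:' line
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            routes.append((net, ipaddress.ip_address(parts[2]),
                           ipaddress.ip_address(parts[3]), int(parts[4])))
        except ValueError:
            continue  # e.g. the odd '... 192.168.0.2  2  1' line in the posted output
    return routes

def next_hop(text, dst):
    """Longest-prefix (then lowest-metric) match: (gateway, interface) for dst, or None."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in parse_routes(text) if dst in r[0]]
    if not matches:
        return None  # no route at all: the reply is dropped on the server itself
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return str(best[1]), str(best[2])
```

With NO_GATEWAY the lookup for 192.168.5.1 returns None, which is exactly the "Request timed out" the asker saw; with WITH_GATEWAY the reply goes to 192.168.0.1, the PIX vpn interface.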
Author Comment

by:imran786
ID: 20363507
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
        Physical Address. . . . . . . . . : 00-17-08-3B-BF-4A
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 192.168.0.1

C:\Documents and Settings\Administrator>route print
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.2      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0  255.255.255.252      192.168.0.2     192.168.0.2      20
      192.168.0.2  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.0.255  255.255.255.255      192.168.0.2     192.168.0.2      20
        224.0.0.0        240.0.0.0      192.168.0.2     192.168.0.2      20
  255.255.255.255  255.255.255.255      192.168.0.2     192.168.0.2       1
  255.255.255.255  255.255.255.255      192.168.0.2               2       1
Default Gateway:       192.168.0.1


Expert Comment

by:grblades
ID: 20364093
That looks fine now.