
How to configure an IPsec VPN on a PIX 506E, site to mobile users

(mobile users with vpn client software)-------------------(internet)----------------------(router)---(((pix506e)))-----(servers)

Where is the mistake?
Or is there anything to remove or add?


PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 vpn security99
enable password v2QcRo7L8Va/yyaJ encrypted
passwd 2l1bK4MHwQjzsS4N encrypted
hostname Hostname
domain-name domainname.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list moderngroup_splitTunnelAcl permit ip host 192.168.0.2 any
access-list vpn_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu vpn 1500
ip address outside 1.2.3.4 255.255.255.240
ip address vpn 192.168.0.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.255.252 vpn
pdm history enable
arp timeout 14400
nat (vpn) 0 access-list vpn_outbound_nat0_acl
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.2 255.255.255.255 vpn
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp identity address
isakmp nat-traversal 100
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup ABCD split-tunnel moderngroup_splitTunnelAcl
vpngroup ABCD idle-time 1800
vpngroup ABCD password ********
telnet 195.229.191.80 255.255.255.240 outside
telnet 192.168.0.0 255.255.255.252 vpn
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
 
grblades commented:
You are missing some crypto commands. Add the following :-

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
!--- IPSEC applies to outside interface
crypto map outside_map interface outside
 
grblades commented:
You are also missing an address pool from your vpngroup. So you need to add something like :-

ip local pool vpnpool 192.168.100.1-192.168.100.254
vpngroup ABCD address-pool vpnpool
 
imran786 (Author) commented:
Thanks, the VPN client is now connected to the PIX.


But after connecting, users can't ping the server (on the inside interface of the PIX) {192.168.0.2}.
Also I can't ping from the PIX outside interface to the other end {1.2.3.5}.




Sending you the current sh run:

PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 vpn security99
enable password v2QcRo7L8Va/yyaJ encrypted
passwd 2l1bK4MHwQjzsS4N encrypted
hostname Hostname
domain-name domainname.com
clock timezone gst 4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ABCD_splitTunnelAcl permit ip host 192.168.0.2 any
access-list vpn_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu vpn 1500
ip address outside 1.2.3.4 255.255.255.240
ip address vpn 192.168.0.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
ip local pool testing 192.168.5.1-192.168.5.254
pdm location 192.168.0.0 255.255.255.252 vpn
pdm history enable
arp timeout 14400
nat (vpn) 0 access-list vpn_outbound_nat0_acl
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.2 255.255.255.255 vpn
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside_dyn_map client configuration address initiate
crypto map outside_dyn_map client configuration address respond
isakmp enable outside
isakmp identity address
isakmp nat-traversal 100
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup ABCD address-pool testing
vpngroup ABCD split-tunnel ABCD_splitTunnelAcl
vpngroup ABCD idle-time 1800
vpngroup ABCD password ********
telnet 192.168.0.0 255.255.255.252 vpn
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
 
grblades commented:
You don't normally have a 'match address' for client VPN connections. It's normally only for fixed LAN-to-LAN connections. You can remove it by entering the following configuration:
no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

Pinging 192.168.0.2 should work.
If you try pinging 1.2.3.5 then the traffic should not go over the vpn and just go over the internet normally.

You allocated points, so is it now working?
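The pieces grblades adds over the course of this thread (a dynamic crypto map with a transform set, a crypto map bound to the outside interface, an address pool on the vpngroup, and no 'match address' on the dynamic map) can be checked mechanically against a 'show run'. The script below is an added example, not code from the thread or from Cisco: it only string-matches the PIX 6.x commands that appear on this page rather than modelling the PIX grammar, it runs against two constructed samples embedded in it (trimmed from the poster's first and second configs), it additionally checks that the nat 0 ACL actually covers the pool the clients are handed, and, beyond anything the thread discusses, it flags the single DES / MD5 / DH group 1 settings in the posted isakmp policies as weak.

```python
"""Lint a PIX 6.3 'show run' for the remote-access IPsec pieces fixed in this
thread.  Added example, not Cisco tooling: it string-matches only the commands
the thread discusses and does not model the full PIX grammar."""
import ipaddress
import re

# Constructed sample: the poster's first config, cut down to the relevant lines.
FIRST_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 vpn security99
access-list vpn_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.0
nat (vpn) 0 access-list vpn_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup ABCD split-tunnel ABCD_splitTunnelAcl
vpngroup ABCD password ********
"""
# Constructed sample: the same box after grblades' additions, 'match address' still present.
SECOND_CONFIG = FIRST_CONFIG + """\
ip local pool testing 192.168.5.1-192.168.5.254
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
vpngroup ABCD address-pool testing
"""


def _acl_objects(tokens):
    """Turn the 'any' / 'host A' / 'NET MASK' objects of a 'permit ip' ACE into networks."""
    objs, i = [], 0
    while i < len(tokens) and len(objs) < 2:
        if tokens[i] == "any":
            objs.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        elif tokens[i] == "host":
            objs.append(ipaddress.ip_network(tokens[i + 1] + "/32")); i += 2
        else:
            objs.append(ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)); i += 2
    return objs


def lint_pix_ravpn(config):
    """Return (CODE, message) findings; an empty list means the client-VPN plumbing is complete."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    def grep(pat):  # all config lines matching pat, as match objects
        return [m for ln in lines if (m := re.match(pat, ln))]

    found = []
    # The outside interface is whichever nameif carries security0.
    outside = next((m[1] for m in grep(r"nameif \S+ (\S+) security0$")), "outside")
    if not grep(rf"isakmp enable {outside}$"):
        found.append(("NO-ISAKMP", f"'isakmp enable {outside}' missing; IKE never listens"))
    if not grep(r"sysopt connection permit-ipsec$"):
        found.append(("NO-SYSOPT", "decrypted traffic will be subject to the outside ACL"))

    # Dynamic crypto map -> crypto map -> bound to the outside interface.
    tsets = {m[1] for m in grep(r"crypto ipsec transform-set (\S+) ")}
    dyn = {m[1] for m in grep(r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)$") if m[2] in tsets}
    if not dyn:
        found.append(("NO-DYNMAP", "no 'crypto dynamic-map ... set transform-set' with a defined transform-set"))
    for m in grep(r"crypto dynamic-map (\S+) \d+ match address (\S+)$"):
        found.append(("DYNMAP-MATCH", f"{m[1]}: 'match address {m[2]}' is for LAN-to-LAN, remove it"))
    cmaps = {m[1] for m in grep(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$") if m[2] in dyn}
    if not cmaps:
        found.append(("NO-CRYPTOMAP", "no 'crypto map ... ipsec-isakmp dynamic <dynmap>' entry"))
    if not cmaps & {m[1] for m in grep(rf"crypto map (\S+) interface {outside}$")}:
        found.append(("MAP-NOT-BOUND", f"crypto map with the dynamic entry is not applied to {outside}"))

    # Every vpngroup needs a defined pool, and that pool must be exempt from NAT.
    pools = {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
             for m in grep(r"ip local pool (\S+) (\S+)-(\S+)$")}
    nat0 = {m[1] for m in grep(r"nat \(\S+\) 0 access-list (\S+)$")}
    nat0_dst = [_acl_objects(m[2].split())[1]
                for m in grep(r"access-list (\S+) permit ip (.+)$") if m[1] in nat0]
    for g in sorted({m[1] for m in grep(r"vpngroup (\S+) password ")}):
        pool = next((m[1] for m in grep(rf"vpngroup {re.escape(g)} address-pool (\S+)$")), None)
        if pool not in pools:
            found.append(("NO-POOL", f"vpngroup {g}: no address-pool, or pool {pool} undefined"))
            continue
        lo, hi = pools[pool]
        if not any(lo in net and hi in net for net in nat0_dst):
            found.append(("NAT0-MISS", f"pool {pool} ({lo}-{hi}) not covered by a nat 0 ACL"))

    # Beyond the thread: single DES, MD5 and DH group 1 are not acceptable today.
    for m in grep(r"isakmp policy (\d+) (encryption des|hash md5|group 1)$"):
        found.append(("WEAK-IKE", f"policy {m[1]}: {m[2]}"))
    for m in grep(r"crypto ipsec transform-set (\S+) .*\besp-des\b"):
        found.append(("WEAK-ESP", f"{m[1]} uses single DES"))
    return found


if __name__ == "__main__":
    for name, cfg in (("first", FIRST_CONFIG), ("second", SECOND_CONFIG)):
        print(name, [code for code, _ in lint_pix_ravpn(cfg)])
```

Run against the first sample it reports the four things grblades asked for (no ISAKMP on outside, no dynamic map, no crypto map, no pool); against the second it reports only the leftover 'match address' plus the weak-algorithm notes. Feed it a real 'show run' by reading the file into a string.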
 
imran786 (Author) commented:
I have removed the "match address" entry.
But still, after the VPN client connection is established, I cannot ping 192.168.0.2.
[PC]vpn================vpn[PIX](192.168.0.1)-----------------(192.168.0.2)[Server]

I can ping from the PC to the outside interface of the PIX, 1.2.3.5 (without VPN).
But I can't ping (using telnet) from the PIX outside interface to the PC, 1.2.3.4.
 [PC](1.2.3.4)------------(1.2.3.5)[PIX]
 
grblades commented:
> But still, after the VPN client connection is established, I cannot ping 192.168.0.2.
> [PC]vpn================vpn[PIX](192.168.0.1)-----------------(192.168.0.2)[Server]
I can't see anything in the PIX configuration to stop this from working. On the server, can you make sure the subnet mask is set to 255.255.255.0 and that 192.168.0.1 is defined as the default gateway.

> But I can't ping (using telnet) from the PIX outside interface to the PC, 1.2.3.4.
> [PC](1.2.3.4)------------(1.2.3.5)[PIX]
I can't follow where you are trying to ping from and to. You have the PIX outside interface defined as 1.2.3.4 in the config.
Can you tell me from what device to what device you are trying to ping, and where those devices are physically connected.
Trying to ping from the PIX itself may be a problem, since it may try to ping from the inside interface, and since you don't have any NAT configured it won't work.
 
imran786 (Author) commented:
The PIX is not installed in the real network; I'm just configuring it in a lab.

The VPN is OK. Now I want to ping from the PC to a server (192.168.0.2).

[PC]vpn====(direct connected)=========vpn[PIX](192.168.0.1)-----------------(192.168.0.2)[Server]


 
grblades commented:
On the server, can you open a command prompt and post the output of the following commands:
ipconfig /all
route print

To copy text in the command prompt, select the text by dragging the mouse so the white box covers all the text, then press the Enter key to copy.
 
imran786 (Author) commented:
C:\Documents and Settings\imu>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : fs
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-E0-00-9A-0D-4b
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 195.129.191.83
        Subnet Mask . . . . . . . . . . . : 255.255.255.240
        Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.5.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

C:\Documents and Settings\abc>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 e0 00 9a 0d 4c ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Teefer2 Miniport
0x30004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Teefer2 Miniport

===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.2  255.255.255.255      192.168.5.2     192.168.5.1       1
      192.168.5.0    255.255.255.0      192.168.5.1     192.168.5.1      30
      192.168.5.1  255.255.255.255        127.0.0.1       127.0.0.1      30
    192.168.5.255  255.255.255.255      192.168.5.1     192.168.5.1      30
   195.129.191.80  255.255.255.240   195.129.191.83  195.129.191.83      30
   195.129.191.82  255.255.255.255   195.129.191.83  195.129.191.83       1
   195.129.191.83  255.255.255.255        127.0.0.1       127.0.0.1      30
  195.129.191.255  255.255.255.255   195.129.191.83  195.129.191.83      30
        224.0.0.0        240.0.0.0      192.168.5.1     192.168.5.1      30
        224.0.0.0        240.0.0.0   195.129.191.83  195.129.191.83      30
  255.255.255.255  255.255.255.255      192.168.5.1     192.168.5.1       1
  255.255.255.255  255.255.255.255   195.129.191.83  195.129.191.83       1
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\abc>ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Thanks grblades,
sorry to bother you.
 
grblades commented:
You are missing the default gateway on the server. You should set it to 192.168.0.1.
Without it, it does not know where to send the replies to the VPN client, or how to get onto the outside network.
 
imran786 (Author) commented:
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
        Physical Address. . . . . . . . . : 00-17-08-3B-BF-4A
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 192.168.0.1

C:\Documents and Settings\Administrator>route print
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.2      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0  255.255.255.252      192.168.0.2     192.168.0.2      20
      192.168.0.2  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.0.255  255.255.255.255      192.168.0.2     192.168.0.2      20
        224.0.0.0        240.0.0.0      192.168.0.2     192.168.0.2      20
  255.255.255.255  255.255.255.255      192.168.0.2     192.168.0.2       1
  255.255.255.255  255.255.255.255      192.168.0.2               2       1
Default Gateway:       192.168.0.1


 
grblades commented:
That looks fine now.