Shanehaggerty

Trouble setting up vpn connection using cisco client software

I have a Cisco PIX 501 firewall and am trying to set up a VPN connection using the VPN client connection software version 5.0.02.0090. When I click on connect, I am asked to put a user name and password into the user authentication window. How can I create a user and associate it with this connection? Or what am I missing? Am I correct in assuming that the PIX 501 makes the VPN connection, or is there supposed to be some authentication with the server machine I have as well? The server is a Windows 2003 box.
batry_boy

The simplest way is to create a local user on the PIX with the following command:

username <user_id> password <password>

So, for example, to create a user account named "johndoe" with the password "johnpass", you would put in:

username johndoe password johnpass

You need to run this command from configuration mode in the CLI.
Shanehaggerty (ASKER)

The error I get is "Secure VPN connection terminated locally by the client. Reason 413: User authentication failed."

This was after I added the user as you detailed in your last post. I think that's the same error I was getting before as well. Is there a setting I need to give the user to allow that user VPN permissions, or does my problem reside somewhere different?
Make sure you also have the following commands in your configuration:

aaa-server LOCAL protocol local
crypto map outside_map client authentication LOCAL

The map name "outside_map" in the above "crypto" command is just an example.  You will have a crypto map applied to your outside interface and it may be named something other than "outside_map".  Substitute whatever your map name is for "outside_map" in the above command and try that.
No luck with that either. I get the same error.
Can you post a sanitized config so I can take a look?

Absolutely!

Result of firewall command: "show run"
 
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password BOCZwyoE9di4h34l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.5.115 insideserver
name 192.168.5.253 yermom
access-list inmap permit tcp any host 192.168.15.100
access-list inside_outbound_nat0_acl permit ip any 192.168.5.10 255.255.255.254
access-list inside_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.192
access-list outside_cryptomap_dyn_40 permit ip any 192.168.5.0 255.255.255.192
access-list outside_cryptomap_dyn_60 permit ip any 192.168.5.0 255.255.255.192
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 192.168.5.30-192.168.5.40
pdm location insideserver 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.15.1 255.255.255.255 outside
pdm location 192.168.15.100 255.255.255.255 inside
pdm location 192.168.5.10 255.255.255.254 outside
pdm location yermom 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 insideserver 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https insideserver https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp insideserver pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1702 insideserver 1702 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 47 insideserver 47 netmask 255.255.255.255 0 0
access-group inmap in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.5.1 timeout 10
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server server protocol tacacs+
aaa-server server (inside) host insideserver 1234567890 timeout 10
aaa-server server2 protocol tacacs+
aaa-server server2 (inside) host insideserver 1234567890 timeout 10
aaa-server yerdad protocol tacacs+
aaa-server yerdad (inside) host insideserver 1234567890 timeout 10
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication TACACS+
crypto map outside_map interface outside
crypto map outside client authentication LOCAL
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup suncity address-pool vpn
vpngroup suncity dns-server 192.168.5.1 insideserver
vpngroup suncity idle-time 1800
vpngroup suncity secure-unit-authentication
vpngroup suncity password ********
vpngroup suncitylending address-pool vpn
vpngroup suncitylending dns-server insideserver 192.168.5.1
vpngroup suncitylending idle-time 1800
vpngroup suncitylending authentication-server yerdad
vpngroup suncitylending user-authentication
vpngroup suncitylending password ********
vpngroup suncitylg address-pool vpn
vpngroup suncitylg split-tunnel outside_cryptomap_dyn_20
vpngroup suncitylg pfs
vpngroup suncitylg idle-time 1800
vpngroup suncitylg authentication-server yerdad
vpngroup suncitylg user-authentication
vpngroup suncitylg password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group vpnuser accept dialin l2tp
vpdn group vpnuser ppp authentication mschap
vpdn group vpnuser client configuration address local vpn
vpdn group vpnuser client configuration dns 192.168.5.1 insideserver
vpdn group vpnuser client authentication local
vpdn group vpnuser l2tp tunnel hello 60
vpdn group addys accept dialin pptp
vpdn group addys ppp authentication pap
vpdn group addys ppp authentication chap
vpdn group addys ppp authentication mschap
vpdn group addys client configuration address local vpn
vpdn group addys pptp echo 60
vpdn group addys client authentication local
vpdn username server password *********
vpdn username vpnuser password *********
vpdn enable outside
dhcpd address 192.168.5.2-192.168.5.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username vpnuser password mhoG9ngDVvDV1PKF encrypted privilege 2
terminal width 80
Cryptochecksum:567f1fdf4e72e61ba602d196ad18ebd3
: end

If you look closely at your config, you'll see the following lines:

crypto map outside_map client authentication TACACS+
crypto map outside_map interface outside
crypto map outside client authentication LOCAL

You'll notice that you have the LOCAL authentication using a crypto map named "outside", but there is another crypto map named "outside_map" that is actually bound to the outside interface (the middle command above).  And with that crypto map, you have client authentication set to use TACACS+, which you have defined elsewhere in your configuration to point to a server at 192.168.5.1:

aaa-server TACACS+ (inside) host 192.168.5.1 timeout 10

So, you have a couple of choices:

1.  Add the VPN user account credentials to the server at 192.168.5.1 and then try to connect to the VPN with those credentials.  This will require that you know how to add a user account on this server.  I don't know what this server is so I can't really help much here.
2.  Issue the following commands on the firewall so that you are truly using local authentication for your VPN access:

no crypto map outside_map client authentication TACACS+
crypto map outside_map client authentication LOCAL

and then try again!

BTW, which vpngroup are you using for your testing: suncity, suncitylending or suncitylg?  I see some parameters that will probably need to be removed in order for you to use local authentication (like the user-authentication parameter or the secure-unit-authentication).
You'll notice quite a few VPN entries... I've tried every configuration I could think of to try and make it work. I have even tried to port forward PPTP and L2TP into my internal server to try and have the Windows box make the connection.
If all of those are the result of you testing and are not needed, then we need to go ahead and take out those parameters I mentioned in the last part of my post.  If you are using the "suncity" vpn group, then issue the command:

no vpngroup suncity secure-unit-authentication

If you are using the vpn group "suncitylending", then issue the following commands:

no vpngroup suncitylending authentication-server yerdad
no vpngroup suncitylending user-authentication

If you are using the vpn group "suncitylg", then issue the following commands:

no vpngroup suncitylg authentication-server yerdad
no vpngroup suncitylg user-authentication

Issue these as well as the commands in my previous post.  If it's still not working after these changes, please repost the current config and I'll take another look.  Also, let me know which VPN group you are trying to use.
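The diagnosis in batry_boy's two posts above (a client authentication line attached to a crypto map that is not bound to the interface, a TACACS+ group whose only host is the PIX's own inside address, and hardware-client vpngroup options left over from testing) can be checked mechanically. The Python below is an added example written for this page, not batry_boy's or Cisco's code; it parses a constructed subset of the posted PIX 6.3 config, reports those three conditions, and shows the outside_map findings clearing once the two recommended commands are applied as text.

```python
import re
from typing import Dict, List, Set

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed subset of the "show run" posted in the thread (hashes left out).
SAMPLE = """\
ip address inside 192.168.5.1 255.255.255.0
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.5.1 timeout 10
aaa-server LOCAL protocol local
aaa-server yerdad protocol tacacs+
aaa-server yerdad (inside) host insideserver 1234567890 timeout 10
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication TACACS+
crypto map outside_map interface outside
crypto map outside client authentication LOCAL
vpngroup suncity address-pool vpn
vpngroup suncity secure-unit-authentication
vpngroup suncitylending authentication-server yerdad
vpngroup suncitylending user-authentication
username vpnuser password <hash> encrypted privilege 2
"""

HW_CLIENT_OPTS = ("authentication-server", "user-authentication", "secure-unit-authentication")

def lint_vpn_auth(config: str) -> List[str]:
    """Return findings about how Xauth for remote-access IPsec clients is wired up."""
    own_addrs: Set[str] = set()            # addresses configured on the PIX itself
    bound: Dict[str, str] = {}             # interface -> crypto map applied to it
    client_auth: Dict[str, str] = {}       # crypto map -> aaa-server group for Xauth
    aaa_proto: Dict[str, str] = {}         # aaa-server group -> protocol
    aaa_hosts: Dict[str, List[str]] = {}   # aaa-server group -> configured hosts
    vpngroups: Dict[str, Dict[str, str]] = {}  # vpngroup -> {option: value}

    for line in config.splitlines():
        t = line.split()
        if not t or line.startswith(":"):
            continue
        if t[:2] == ["ip", "address"] and len(t) > 3 and IPV4.match(t[3]):
            own_addrs.add(t[3])
        elif t[:2] == ["crypto", "map"] and len(t) > 4:
            if t[3] == "interface":
                bound[t[4]] = t[2]
            elif t[3:5] == ["client", "authentication"] and len(t) > 5:
                client_auth[t[2]] = t[5]
        elif t[0] == "aaa-server" and len(t) > 3:
            if t[2] == "protocol":
                aaa_proto[t[1]] = t[3]
            elif t[3] == "host" and len(t) > 4:    # aaa-server NAME (iface) host ADDR [key] ...
                aaa_hosts.setdefault(t[1], []).append(t[4])
        elif t[0] == "vpngroup" and len(t) > 2:
            vpngroups.setdefault(t[1], {})[t[2]] = " ".join(t[3:])

    findings: List[str] = []
    for cmap, group in client_auth.items():
        if cmap not in bound.values():
            findings.append(f"crypto map {cmap!r} sets client authentication {group} "
                            "but is not applied to any interface, so it has no effect")
    for iface, cmap in bound.items():
        group = client_auth.get(cmap)
        if group is None:
            findings.append(f"crypto map {cmap!r} on {iface} has no client authentication")
            continue
        proto = aaa_proto.get(group, "undefined")
        if proto == "local":
            continue                        # LOCAL: 'username' entries on the PIX are consulted
        hosts = aaa_hosts.get(group, [])
        if not hosts:
            findings.append(f"crypto map {cmap!r} on {iface} authenticates via {group} "
                            f"({proto}) but that group has no host")
        for host in hosts:
            if host in own_addrs:
                findings.append(f"crypto map {cmap!r} on {iface} authenticates via {group} "
                                f"({proto}) whose host {host} is the PIX's own address")
    for name, opts in vpngroups.items():
        for opt in HW_CLIENT_OPTS:
            if opt in opts:
                findings.append(f"vpngroup {name!r} sets {opt} {opts[opt]}".rstrip()
                                + ", a hardware-client option to remove when software "
                                "clients authenticate via LOCAL")
    return findings

def set_client_auth(config: str, cmap: str, group: str) -> str:
    """Text equivalent of 'no crypto map CMAP client authentication <old>' then 'crypto map CMAP client authentication GROUP'."""
    prefix = f"crypto map {cmap} client authentication "
    kept = [l for l in config.splitlines() if not l.startswith(prefix)]
    return "\n".join(kept + [prefix + group])
```

Running `lint_vpn_auth(SAMPLE)` reports the unbound "outside" map, the TACACS+ host that is the PIX itself and the vpngroup options; after `set_client_auth(SAMPLE, "outside_map", "LOCAL")` the outside_map findings are gone.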
The server 192.168.5.1 is the PIX firewall. My Windows box is 192.168.5.115. If I tell the PIX to use .5.115, will it look to the Windows box for authentication? However, that being asked, I somehow feel that the PIX will create a much more reliable VPN connection than Windows will.
Well, to use Windows for VPN user authentication from the PIX, you have to have IAS configured for RADIUS.  Do you have this configured?  If not, configuring local user accounts on the PIX is a much easier route to go.
No sir, I don't have RADIUS configured; I saw it required a pre-shared key and I didn't know where to assign the key in the PIX. I followed your instructions for suncitylending, but it still asks for a user account after I make the initial connection and then gives me the same error. Here is the config:

Result of firewall command: "show run"
 
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password BOCZwyoE9di4h34l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.5.115 insideserver
name 192.168.5.253 yermom
access-list inmap permit tcp any host 192.168.15.100
access-list inside_outbound_nat0_acl permit ip any 192.168.5.10 255.255.255.254
access-list inside_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.192
access-list outside_cryptomap_dyn_40 permit ip any 192.168.5.0 255.255.255.192
access-list outside_cryptomap_dyn_60 permit ip any 192.168.5.0 255.255.255.192
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 192.168.5.30-192.168.5.40
pdm location insideserver 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.15.1 255.255.255.255 outside
pdm location 192.168.15.100 255.255.255.255 inside
pdm location 192.168.5.10 255.255.255.254 outside
pdm location yermom 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 insideserver 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https insideserver https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp insideserver pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1702 insideserver 1702 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 47 insideserver 47 netmask 255.255.255.255 0 0
access-group inmap in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.5.1 timeout 10
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server server protocol tacacs+
aaa-server server (inside) host insideserver 1234567890 timeout 10
aaa-server server2 protocol tacacs+
aaa-server server2 (inside) host insideserver 1234567890 timeout 10
aaa-server yerdad protocol tacacs+
aaa-server yerdad (inside) host insideserver 1234567890 timeout 10
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication TACACS+
crypto map outside_map interface outside
crypto map outside client authentication LOCAL
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup suncity address-pool vpn
vpngroup suncity dns-server 192.168.5.1 insideserver
vpngroup suncity idle-time 1800
vpngroup suncity secure-unit-authentication
vpngroup suncity password ********
vpngroup suncitylending address-pool vpn
vpngroup suncitylending dns-server insideserver 192.168.5.1
vpngroup suncitylending idle-time 1800
vpngroup suncitylending password ********
vpngroup suncitylg address-pool vpn
vpngroup suncitylg split-tunnel outside_cryptomap_dyn_20
vpngroup suncitylg pfs
vpngroup suncitylg idle-time 1800
vpngroup suncitylg authentication-server yerdad
vpngroup suncitylg user-authentication
vpngroup suncitylg password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group vpnuser accept dialin l2tp
vpdn group vpnuser ppp authentication mschap
vpdn group vpnuser client configuration address local vpn
vpdn group vpnuser client configuration dns 192.168.5.1 insideserver
vpdn group vpnuser client authentication local
vpdn group vpnuser l2tp tunnel hello 60
vpdn group addys accept dialin pptp
vpdn group addys ppp authentication pap
vpdn group addys ppp authentication chap
vpdn group addys ppp authentication mschap
vpdn group addys client configuration address local vpn
vpdn group addys pptp echo 60
vpdn group addys client authentication local
vpdn username server password *********
vpdn username vpnuser password *********
vpdn enable outside
dhcpd address 192.168.5.2-192.168.5.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username vpnuser password mhoG9ngDVvDV1PKF encrypted privilege 2
terminal width 80
Cryptochecksum:567f1fdf4e72e61ba602d196ad18ebd3
: end

ASKER CERTIFIED SOLUTION
batry_boy

That is exactly what I needed! The VPN is working perfectly and I actually understand why it works. Thank you batry_boy!
Glad to help!
This is the second time you have helped me with a solution to my Cisco problems. Thank you again for putting an end to my frustration while teaching me more about routing in a Cisco environment.