Problem with Cisco vpn tunnel (lan2lan and cisco vpn client with auth from radius)

Posted on 2008-10-21
Last Modified: 2012-06-27
The problem is that there is no traffic from the PIX to the software client. I can see the ICMP traffic coming to the PIX from the server. Can someone help with this problem?

We will have:
lan2lan (it is working)
access from Cisco VPN client with auth. from a RADIUS server (it is not working)

Here is the conf from the router.

PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8hGlP7b4N32T6Hig encrypted
passwd KdxwKPRUwioxYiJa encrypted
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip
access-list inbound permit tcp host 64.x.x.x interface outside eq xxx
access-list inbound remark Ingress ACL allow ping
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit tcp host 64.x.x.x interface outside eq xx
access-list inbound permit tcp host 64.x.x.x interface outside eq xx
access-list inbound remark Ingress ACL allow ping
access-list inbound remark Ingress ACL allow ping
access-list remote_vpn permit ip
access-list remote_vpn permit ip
access-list outbound permit ip
pager lines 24
logging on
logging trap informational
logging queue 100
mtu outside 1500
mtu inside 1500
ip address outside 69.x.x.x
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool mask
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0 0
static (inside,outside) tcp interface www www netmask 0 0
static (inside,outside) tcp interface xx xx netmask 55 0 0
static (inside,outside) tcp interface xx telnet netmask 255.255.255.255 0 0
access-group outbound in interface outside
route outside 69.x.x.x 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server authinbound protocol radius
aaa-server authinbound max-failed-attempts 3
aaa-server authinbound deadtime 10
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host xxxxxxxx  timeout 5
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside .
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
crypto ipsec transform-set remote-access esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set remote-access
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 80.x.x.x
crypto map newmap 10 set transform-set aes128
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap client authentication partnerauth
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 80.x.x.x netmask no-xauth no-co
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool vpn_pool
vpngroup vpn3000 default-domain test
vpngroup vpn3000 split-tunnel remote_vpn
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet inside
telnet inside
telnet inside
telnet timeout 60
Question by:deo112
Expert Comment

ID: 22774711
On what does it fail?
VPN client connects OK, then pops up the authentication window, then fails?
Or it doesn't connect at all?
Or it connects and authenticates OK but no traffic?

Author Comment

ID: 22775003
I can login no problem, but no traffic.

If I run a debug icmp I can see the packet on the inside interface, but no traffic through the VPN tunnel for the software client.
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22776313
Try that
    no isakmp nat-traversal 10
    isakmp nat-traversal 20
    fixup protocol icmp

Author Comment

ID: 22779490
Nope, this does not solve the problem.
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22780168
Can you see that the VPN lock icon is closed at the right-bottom of the screen (that means the connection is successful)? If not, where does it disconnect? Username/password section? As soon as you click on connect? If the VPN icon is closed, can you see the 10.10 and 10.30 networks listed in "Right-click VPN icon at right-bottom > Click Statistics > Click Route Details > Look at the right pane if networks are listed"?

Try these also:
no route inside
sysopt connection permit-ipsec

Accepted Solution

deo112 earned 0 total points
ID: 22786866
Nope, this does not solve the problem.

This is solved. It was an ACL problem. Thanks anyway.
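The resolution above is reported only as "an ACL problem", and the thread does not say which ACL. On a PIX 6.3 configuration shaped like the one in the question, two ACLs decide whether a client that has connected and authenticated actually passes traffic: the NAT-exemption ACL referenced by nat (inside) 0 access-list 101 (replies from inside hosts to pool addresses must bypass the global PAT or they never reach the tunnel) and the split-tunnel ACL remote_vpn (the client only installs secured routes for networks listed there). The following Python script is an added example, not part of this thread and not a Cisco tool: it parses a constructed config fragment (the inside networks 10.10.0.0/24 and 10.30.0.0/24, lan2lan peer network 10.20.0.0/24 and client pool 192.168.50.0/24 are assumed; the poster's real addresses were redacted), reports when the pool is missing from the nat 0 ACL or an inside network is missing from the split-tunnel ACL, and then shows the same fragment passing once those entries are added. It checks the common candidates, not necessarily the entry the poster actually changed.

```python
"""Sanity-check a PIX 6.x config for the 'client connects but passes no
traffic' symptom: the client pool must be exempt from NAT (nat 0 ACL) and
the inside networks must be in the split-tunnel ACL pushed to the client."""
import ipaddress
import re

# Constructed sample config fragment: not the thread's own (its addresses were
# redacted). Assumed inside networks 10.10.0.0/24 and 10.30.0.0/24, assumed
# lan2lan peer network 10.20.0.0/24 and assumed client pool 192.168.50.0/24.
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list 101 permit ip 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list remote_vpn permit ip 10.10.0.0 255.255.255.0 192.168.50.0 255.255.255.0
ip local pool vpn_pool 192.168.50.1-192.168.50.254 mask 255.255.255.0
nat (inside) 0 access-list 101
vpngroup vpn3000 address-pool vpn_pool
vpngroup vpn3000 split-tunnel remote_vpn
"""

# The same fragment with the entries the audit reports as missing added.
FIXED_CONFIG = SAMPLE_CONFIG + """\
access-list 101 permit ip 10.10.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 101 permit ip 10.30.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list remote_vpn permit ip 10.30.0.0 255.255.255.0 192.168.50.0 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
VPNGROUP_RE = re.compile(r"^vpngroup (\S+) (address-pool|split-tunnel) (\S+)$")


def _net(addr, mask):
    # ipaddress accepts a dotted netmask after the slash.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Pull out only the statements the checks need."""
    cfg = {"acls": {}, "pools": {}, "nat0": {}, "groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            cfg["acls"].setdefault(name, []).append((_net(src, smask), _net(dst, dmask)))
        elif m := POOL_RE.match(line):
            name, first, last, _mask = m.groups()
            # Represent the pool range as a list of CIDR chunks.
            cfg["pools"][name] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
        elif m := NAT0_RE.match(line):
            ifname, acl = m.groups()
            cfg["nat0"][ifname] = acl
        elif m := VPNGROUP_RE.match(line):
            group, key, value = m.groups()
            cfg["groups"].setdefault(group, {})[key] = value
    return cfg


def _covered(chunks, nets):
    """True when every pool chunk lies inside at least one of nets."""
    return all(any(c.subnet_of(n) for n in nets) for c in chunks)


def audit(text, inside_if="inside"):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_config(text)
    findings = []
    nat0_acl = cfg["acls"].get(cfg["nat0"].get(inside_if, ""), [])
    # Sources of the nat 0 ACL are taken as the inside networks.
    inside_nets = {src for src, _ in nat0_acl}
    nat0_dsts = [dst for _, dst in nat0_acl]
    for group, attrs in cfg["groups"].items():
        pool_chunks = cfg["pools"].get(attrs.get("address-pool", ""), [])
        if not pool_chunks:
            findings.append(f"{group}: no address pool resolved")
            continue
        # 1. Replies from inside hosts to pool addresses must bypass NAT,
        #    otherwise they leave via the global PAT instead of the tunnel.
        if not _covered(pool_chunks, nat0_dsts):
            findings.append(f"{group}: client pool is not a destination in the nat 0 ACL")
        # 2. Each inside network must be in the split-tunnel ACL (with the
        #    pool as destination) so the client installs a secured route.
        split = cfg["acls"].get(attrs.get("split-tunnel", ""), [])
        pushed = {src for src, dst in split if _covered(pool_chunks, [dst])}
        for net in sorted(inside_nets):
            if net not in pushed:
                findings.append(f"{group}: {net} missing from split-tunnel ACL")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg_text) or "OK")
```

Run against SAMPLE_CONFIG the audit reports two findings (pool absent from ACL 101, 10.30.0.0/24 absent from remote_vpn); against FIXED_CONFIG it reports none. The script only understands the `permit ip` form with explicit masks, which is all a PIX 6.x NAT-exemption or split-tunnel ACL normally contains; `host` and `any` keywords would need extra parsing.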

Author Comment

ID: 22786897
I will post the working conf in the weekend. Just for info.
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22787713
The working conf, or the ACL change, would be great. Nice to hear that the issue is resolved.

Author Comment

ID: 22806911
The working conf.
