Solved

Problem with Cisco vpn tunnel (lan2lan and cisco vpn client with auth from radius)

Posted on 2008-10-21
9
604 Views
Last Modified: 2012-06-27
The problem is there are no traffic from the pix to the software client. I can see the icmp traffic coming to the pix from the server. Can some one help with this problem ?

we will have:
lan2lan (it is working)
access from cisco vpn client with auth. from a radius server (it is not working)

Here is the conf from the router.

PIX Version 6.3(5)                                                              
interface ethernet0 10baset                                                    
interface ethernet1 100full                                                    
nameif ethernet0 outside security0                                              
nameif ethernet1 inside security100                                            
enable password 8hGlP7b4N32T6Hig encrypted                                      
passwd KdxwKPRUwioxYiJa encrypted                                                                                                
clock timezone CST -6                                                          
clock summer-time CDT recurring                                                
fixup protocol dns maximum-length 512                                          
fixup protocol ftp 21                                                          
fixup protocol h323 h225 1720                                                  
fixup protocol h323 ras 1718-1719                                              
fixup protocol http 80                                                          
fixup protocol rsh 514                                                          
fixup protocol rtsp 554                                                        
fixup protocol sip 5060                                                        
fixup protocol sip udp 5060                                                    
fixup protocol skinny 2000                                                      
fixup protocol smtp 25                                                          
fixup protocol sqlnet 1521                                                      
fixup protocol tftp 69                                                          
names                                                                          
access-list 101 permit ip 10.10.0.0 255.255.0.0 192.168.201.0 255.255.255.0    
access-list 101 permit ip 10.30.0.0 255.255.0.0 192.168.201.0 255.255.255.0    
access-list 101 permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.255.0        
access-list 101 permit ip 10.30.0.0 255.255.0.0 10.100.0.0 255.255.255.0        
access-list inbound permit tcp host 64.x.x.x interface outside eq xxx                            
access-list inbound remark Ingress ACL allow ping                              
access-list inbound permit icmp any any time-exceeded                          
access-list inbound permit icmp any any echo-reply                              
access-list inbound permit icmp any any unreachable                            
access-list inbound permit tcp host 64.x.x.x interface outside eq xx      
access-list inbound permit tcp host 64.x.x.x interface outside eq xx      
access-list inbound remark Ingress ACL allow ping                              
access-list inbound remark Ingress ACL allow ping                              
access-list remote_vpn permit ip 10.30.0.0 255.255.0.0 10.100.0.0 255.255.255.0
access-list remote_vpn permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.255.0
access-list outbound permit ip 10.30.0.0 255.255.0.0 10.100.0.0 255.255.255.0  
pager lines 24                                                                  
logging on                                                                      
logging trap informational                                                      
logging queue 100                                                              
mtu outside 1500                                                                
mtu inside 1500                                                                
ip address outside 69.x.x.x 255.255.255.224                                  
ip address inside 10.30.0.2 255.255.255.0                                      
ip audit info action alarm                                                      
ip audit attack action alarm                                                    
ip local pool vpn_pool 10.100.0.100-10.100.0.130 mask 255.255.255.0            
pdm history enable                                                              
arp timeout 14400                                                              
global (outside) 1 interface                                                    
nat (inside) 0 access-list 101                                                  
nat (inside) 1 0.0.0.0 0.0.0.0 0 0                                              
static (inside,outside) tcp interface www 10.30.0.11 www netmask 255.255.255.255
 0 0                                                                            
static (inside,outside) tcp interface xx 10.30.0.20 xx netmask 255.255.255.2
55 0 0                                                                          
static (inside,outside) tcp interface xx 10.30.0.1 telnet netmask 255.255.255
.255 0 0                                                                        
access-group outbound in interface outside                                      
route outside 0.0.0.0 0.0.0.0 69.x.x.x 1                                    
route inside 10.10.0.0 255.255.0.0 10.30.0.1 1                                  
route inside 10.100.0.0 255.255.255.0 10.30.0.2 1                              
timeout xlate 3:00:00                                                          
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00  
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                
timeout sip-disconnect 0:02:00 sip-invite 0:03:00                              
timeout uauth 0:05:00 absolute                                                  
aaa-server TACACS+ protocol tacacs+                                            
aaa-server TACACS+ max-failed-attempts 3                                        
aaa-server TACACS+ deadtime 10                                                  
aaa-server RADIUS protocol radius                                              
aaa-server RADIUS max-failed-attempts 3                                        
aaa-server RADIUS deadtime 10                                                  
aaa-server LOCAL protocol local                                                
aaa-server authinbound protocol radius                                          
aaa-server authinbound max-failed-attempts 3                                    
aaa-server authinbound deadtime 10                                              
aaa-server partnerauth protocol radius                                          
aaa-server partnerauth max-failed-attempts 3                                    
aaa-server partnerauth deadtime 10                                              
aaa-server partnerauth (inside) host 10.30.0.3 xxxxxxxx  timeout 5                                              
http server enable                                                                                                  
http 10.10.0.0 255.255.0.0 inside                                              
no snmp-server location                                                        
no snmp-server contact                                                          
snmp-server community public                                                    
no snmp-server enable traps                                                    
tftp-server inside 192.168.201.132 .                                            
floodguard enable                                                              
sysopt connection permit-ipsec                                                  
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac                          
crypto ipsec transform-set remote-access esp-aes esp-md5-hmac                  
crypto dynamic-map dynmap 10 set transform-set remote-access                    
crypto map newmap 10 ipsec-isakmp                                              
crypto map newmap 10 match address 101                                          
crypto map newmap 10 set peer 80.x.x.x                                    
crypto map newmap 10 set transform-set aes128                                  
crypto map newmap 20 ipsec-isakmp dynamic dynmap                                
crypto map newmap client authentication partnerauth                            
crypto map newmap interface outside                                            
isakmp enable outside                                                          
isakmp key ******** address 80.x.x.x netmask 255.255.255.255 no-xauth no-co
nfig-mode                                                                      
isakmp identity address                                                        
isakmp nat-traversal 10                                                        
isakmp policy 10 authentication pre-share                                      
isakmp policy 10 encryption aes                                                
isakmp policy 10 hash sha                                                      
isakmp policy 10 group 2                                                        
isakmp policy 10 lifetime 86400                                                
isakmp policy 20 authentication pre-share                                      
isakmp policy 20 encryption 3des                                                
isakmp policy 20 hash md5                                                      
isakmp policy 20 group 2                                                        
isakmp policy 20 lifetime 86400                                                
vpngroup vpn3000 address-pool vpn_pool                                          
vpngroup vpn3000 default-domain test                        
vpngroup vpn3000 split-tunnel remote_vpn                                        
vpngroup vpn3000 idle-time 1800                                                
vpngroup vpn3000 password ********                                              
telnet 10.10.0.0 255.255.0.0 inside                                            
telnet 10.30.0.0 255.255.0.0 inside                                            
telnet 192.168.201.0 255.255.255.0 inside                                      
telnet timeout 60  
0
Comment
Question by:deo112
  • 5
  • 3
9 Comments
 
LVL 4

Expert Comment

by:yurisk
ID: 22774711
On what does it fail ?
VPN client connects ok, then pops up authentication windiows then fails ?
Or it doesnt connect at all?
Or it connects and authenticates ok but no traffic ?
0
 

Author Comment

by:deo112
ID: 22775003
I can login no problem, but no traffic.

If I make a debug icmp I can see the packet on the inside interface, but no traffic trough the vpn tunnel for the software client.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22776313
Try that
    no isakmp nat-traversal 10  
    isakmp nat-traversal 20
    fixup protocol icmp
0
 

Author Comment

by:deo112
ID: 22779490
nop this not solve the problem
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22780168
  Can you see that the VPN lock icon is closed at right-bottom of screen (that means connection is successfull), if no, where does it disconnect? username password section? as soon as you click on connect? If VPN icon is closed, can you see the 10.10 and 10.30 networks listed in *Right-click VPN icon at right-bottom>Click statistics>Click route details>Look at the right pane if networks are listed"

try these also
no route inside 10.100.0.0 255.255.255.0 10.30.0.2
sysopt connection permit-ipsec
0
 

Accepted Solution

by:
deo112 earned 0 total points
ID: 22786866
Nop this not solve the problem.

The is solve. It was a acl problem. Thanks any way.
0
 

Author Comment

by:deo112
ID: 22786897
I will post the working conf in the weekend. Just for info.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22787713
The working, or the ACL change would be great. Nice to hear that issue is resolved
0
 

Author Comment

by:deo112
ID: 22806911
The working conf.
conf.txt
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Suggested Solutions

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now