Solved

Have SITE to SITE working, need to allow access to server at one end

Posted on 2008-11-07
47
Medium Priority
620 Views
Last Modified: 2012-05-05
I have a completely functional SITE to SITE VPN set up and need 3 clients to connect to a server on 1 end. They do not have to access resources on the PIX2 site. The two are set up as follows and I will be using Cisco client 5.01. Any help would be greatly appreciated. The three clients will be accessing the PIX1 site using the clients; all three are from the same location with a static IP DSL connection to the internet.
Resources needed from the PIX1 site are an Exchange server (can use OWA if need be), a file share and an Access 2007 database.
PIX1 needs access to this end 
 
 
Xerox2> enable
Password: ***********
Xerox2# show conf
: Saved
: Written by enable_15 at 14:03:33.656 UTC Wed Jun 18 2008
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxi7NaKtkDr encrypted
passwd xxxxxxxxi7NaKtkDr encrypted
hostname Xerox2
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host xxx.xxx.105.182 eq www
access-list outside_in permit tcp any host xxx.xxx.105.182 eq https
access-list outside_in permit tcp any host xxx.xxx.105.182 eq 3389
access-list 101 permit ip 192.168.15.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.15.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.15.200 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.105.182 www 192.168.15.200 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.105.182 https 192.168.15.200 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.105.182 3389 192.168.15.200 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set example_set esp-des esp-md5-hmac
crypto map example_map 10 ipsec-isakmp
crypto map example_map 10 match address 101
crypto map example_map 10 set peer xxx.xxx.200.150
crypto map example_map 10 set transform-set example_set
crypto map example_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.200.150 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxxxxxxxxxxxx
vpdn group pppoe_group ppp authentication pap
vpdn username xxxxxxxxxxxxxa password ********
dhcpd address 192.168.15.2-192.168.15.254 inside
dhcpd dns xxx.xxx.0.140 xxx.xxx.0.210
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:cb7a875d57b7b76xx7d724e243e336
Xerox2#
 
PIX2 (Only site to site tunnel clients will need access to this end not the client based access on the other end)
 
Xerox1> enable
Password: ***********
Xerox1# show conf
: Saved
: Written by enable_15 at 15:46:51.759 EDT Fri Jun 27 2008
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxi7NaKtkDr encrypted
passwd xxxxxxxxxNaKtkDr encrypted
hostname Xerox1
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host xxx.xxx.200.150 eq 3389
access-list outside_in permit tcp any host xxx.xxx.200.150 eq www
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.15.0 255.255.255.0
pager lines 24
mtu outside 1492
mtu inside 1492
ip address outside pppoe setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.2.155 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.200.150 3389 192.168.2.155 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.200.150 www 192.168.2.155 www netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set example_set esp-des esp-md5-hmac
crypto map example_map 10 ipsec-isakmp
crypto map example_map 10 match address 101
crypto map example_map 10 set peer xxx.xxx.105.182
crypto map example_map 10 set transform-set example_set
crypto map example_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.105.182 netmask xxx.xxx.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxxxxxxxxxxx
vpdn group pppoe_group ppp authentication pap
vpdn username xxxxxxxxxx password ********
dhcpd address 192.168.2.2-192.168.2.254 inside
dhcpd dns xxx.xxx.184.7 xxx.xxx.244.52
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:ff9631dc88xxxxxxxf7c5ec21dc1d55
Xerox1#


0
Comment
Question by:Davidloc
47 Comments
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 800 total points
ID: 22912441
ip local pool IPSEC 192.168.99.33-192.168.99.63
access-list 101 permit ip 192.168.15.0 255.255.255.0 192.168.99.0 255.255.255.0
nat (inside) 0 access-list 101

crypto dynamic-map dynmap 20 set transform-set example_set
crypto map example_map 1000 ipsec-isakmp dynamic dynmap
crypto map example_map client configuration address initiate
crypto map example_map interface outside
isakmp enable outside

vpngroup VPNUSER address-pool IPSEC
vpngroup VPNUSER default-domain yourdomain.loc
vpngroup VPNUSER idle-time 1800
vpngroup VPNUSER password Pa$$w0rd!
0
 
LVL 2

Accepted Solution

by:
dano2112 earned 1200 total points
ID: 22912468

Davidloc...

The configuration you're asking for is certainly possible.  Even though you already have the S2S tunnel between PIX1 and PIX2, we can still allow software-based VPN clients access to resources behind PIX1.  Keep in mind that it will not be possible, using your current hardware, to have VPN clients come in to PIX1 and then try to access resources behind PIX2.  You've already stated that you don't need this type of functionality so we should be okay there.

First, take a look at this Cisco configuration example:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

This example assumes that you are building a S2S tunnel between two PIX firewalls where you have a static IP address assigned to the outside interface of one PIX and a dynamically configured IP address on the outside interface of the other PIX.  This part of the example isn't relevant to your situation, however, the other part of the example shows how to allow software-based VPN clients access to one side.  I'll try to pick out the relevant parts of the example for you.  Your PIX1 device will correspond to the Lion PIX in the Cisco example:

First, define a local ip pool for VPN clients connecting to the PIX1.  This will act somewhat like a DHCP pool and it will hand out addresses to the incoming VPN clients.  It's important to make this pool a unique IP network.  Here's the Cisco example:
ip local pool clientpool 10.3.3.1-10.3.3.10

I prefer to specify a mask when defining the pool.  So, if I know that there will never be more than 6 VPN clients at a time, I could do something like "ip local pool clientpool 10.3.3.1-10.3.3.6 mask 255.255.255.248".

Ok, so now we know the IP addresses that the VPN clients will use when they connect in to PIX1.  We now need to modify our no-nat statement so that when inside hosts send traffic to the VPN clients, it won't get translated.  In the Cisco example the corresponding lines are:
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (inside) 0 access-list 100

You're already doing this for your S2S tunnel with access-list 101 so we're just going to add additional elements to this access-list.  We could do something like this:

access-list 101 permit ip 192.168.15.0 255.255.255.0 10.3.3.0 255.255.255.248

And, you already have "nat (inside) 0 access-list 101" so we're just adding additional elements to access-list 101 to suppress address translation.  The above statement will not translate any traffic from your inside network 192.168.15.0 to the new VPN client network of 10.3.3.0.

Now, if you only want the VPN clients to be able to reach the three specific servers you mentioned earlier, we'll need to get more granular with the new elements of the access-list 101.  Instead of "access-list 101 permit ip 192.168.15.0 255.255.255.0 10.3.3.0 255.255.255.248", we could do something like "access-list 101 permit ip host 192.168.15.200 10.3.3.0 255.255.255.248".  This specifies that only traffic from your 192.168.15.200 to the 10.3.3.0 VPN client network will be matched and therefore NAT will be suppressed.

Ok, so now we've defined an ip pool for our incoming clients and we've suppressed the NAT from inside hosts to the VPN clients.  We now need to add to the existing crypto-map on PIX1 to allow for dynamically addressed VPN clients to make connections.  The relevant statements from the Cisco example are:

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside

So, in your config, you already have a transform-set statement defined:
crypto ipsec transform-set example_set esp-des esp-md5-hmac

And you already have a crypto-map defined and applied to your outside interface:
crypto map example_map 10 ipsec-isakmp
crypto map example_map 10 match address 101
crypto map example_map 10 set peer xxx.xxx.105.182
crypto map example_map 10 set transform-set example_set
crypto map example_map interface outside

We just want to add on to that to allow for the dynamic clients.  So, something like this:

crypto dynamic-map vpnclient_map 10 set transform-set example_set
(This defines a dynamic crypto map called vpnclient_map with priority 10 and it's using your existing transform set)

crypto map example_map 65535 ipsec-isakmp dynamic vpnclient_map
(This applies our newly-created dynamic map to the existing crypto map called example_map)


The next step would be to define an isakmp policy for the clients to use but your existing policy will work for both the S2S tunnel and the incoming VPN clients:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

The last step is to define a common group for the VPN clients to connect with.  The relevant Cisco example statements are:
vpngroup unityclient address-pool clientpool
vpngroup unityclient dns-server 10.1.1.3
vpngroup unityclient wins-server 10.1.1.3
vpngroup unityclient default-domain cisco.com
vpngroup unityclient idle-time 1800
vpngroup unityclient password ********

Cisco's example here will work fine.  Here, "unityclient" refers to the group name so you might want to modify that to something more appropriate for your organization.  When setting up the VPN clients, whatever you name the vpngroup here will correspond to the value that you will enter into the Group Authentication section on the client.  The vpngroup password statement defines a pre-shared key that will be used between the client and the firewall for setting up the tunnel.  Whatever password you define here you will enter into the client under the Group Authentication section.

These statements should get you to the point where VPN clients can connect to the PIX1 firewall and access resources behind it.  Keep in mind that in these configuration examples, we did not allow for something called split tunneling.  Without split tunneling, when your VPN clients connect to PIX1, they will lose the ability to browse the internet directly from their PCs.  They should still be able to reach their local network segment however.  This means that they would need to browse the internet through a proxy server behind PIX1.  If you need split tunneling configured, I can provide those additional statements.

Another comment about your current config is your encryption level.   Your current transform-set statement reads as:
crypto ipsec transform-set example_set esp-des esp-md5-hmac

Ideally, you would specify esp-3des instead of esp-des.  Triple-des encryption is much stronger than des encryption but your current PIX license may not allow you to turn on 3des encryption.  Consider changing that in the future for both your S2S tunnel and your client connections for improved security.

I hope this helps!

So, here we're using the vpngroup statement to define common attributes that the VPN group will share.  As you can see, this is a bit like setting options on a DHCP server as we can push out internal dns servers, wins servers, and domain names to the incoming VPN clients.

0
 

Author Comment

by:Davidloc
ID: 22912736
Hi ,

Just to clarify:

All three DSL sites are PPPoE static. PIX1 is tunneled to PIX2 with an IP address specific access.

PIX1 using PIX2's external:

crypto map example_map 10 match address 101
crypto map example_map 10 set peer xxx.xxx.200.150
crypto map example_map 10 set transform-set example_set
crypto map example_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.200.150 netmask 255.255.255.255


And PIX2 doing the reverse with PIX1's external:

crypto map example_map 10 match address 101
crypto map example_map 10 set peer xxx.xxx.105.182
crypto map example_map 10 set transform-set example_set
crypto map example_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.105.182 netmask xxx.xxx.255.255

Would this make a difference?

A huge thanks :)
0

 
LVL 79

Expert Comment

by:lrmoore
ID: 22912863
No difference.
There is also no material difference between my post and dano's, although dano spent considerable effort explaining each step.
0
 

Author Comment

by:Davidloc
ID: 22912890
Would a split tunnel be a big thing to add to this?

I will be trying this this afternoon , thanks again
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22912998
Nope. Split-tunnel is simple. Just add these two lines to my reference config above:

access-list SPLIT permit ip 192.168.15.0 255.255.255.0 192.168.99.0 255.255.255.0
vpngroup VPNUSER split-tunnel SPLIT
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22913003
Oh, and add this, too:

 isakmp nat-traversal 20
0
 
LVL 2

Expert Comment

by:dano2112
ID: 22913088

lrmoore...

You are, of course, correct.  There's really no difference between your post and mine.  When I started my post, there were not yet any replies.  As it took me 20 or 30 minutes to write my post, your post made it in before mine.

I just know from my own experience that I sometimes get frustrated when I see snippets of config statements and there are no comments associated with them.  I wanted Davidloc to understand not only which commands to enter but to also understand WHY he's entering those commands.  I also wanted to point out the possible trouble he would run into with the lack of split-tunneling support and to suggest that he increase his encryption level from DES to 3DES.

I hope I didn't step on any toes by posting my comment/solution!


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22913135
No problems, dano2112. Between all the expert posts the idea is to help the asker and that's all that matters.
Your efforts are greatly appreciated!
Agree with you about using 3DES, but that is license dependent, so we need to know if 3des is even enabled on the PIX.
David, can you post the result of "show ver"?  Do you have a Cisco login? If yes, then you can get a free 3DES license update. It takes only a few minutes to fill out a short online form and your new license key is emailed to you. Then just input the new key and reboot.
0
 

Author Comment

by:Davidloc
ID: 22913665
lrmoore is one of the most prolific fountains of knowledge and his answers are usually bang on, but Dano has answered the question exactly as I wanted with a big effort on making sure it was understood. lrmoore has, as usual, added to the answer making it "knowledge base" worthy.  I wish they had 1000 point questions because the answer, because of both of you, is now like one of the 10 to 15 really good pages in a computer book that are worth referring back to. I'll give it a go tonight and post the results. Yes fellow askers, the results are important to post :)
0
 

Author Comment

by:Davidloc
ID: 22914678
This is the final config that will be applied, minus the 3DES which I will apply when the site to site can afford to go down for a couple of hours if I screw up. Two questions come to mind though.

The no-NAT will work even though I didn't explicitly define it for the mcsante group?
I don't understand the mechanism behind the SPLIT keyword; did I do it right and in the right order? The added commands are separated so they stand out (sort of :)

Thanks again

login as: pix
Sent username "pix"
pix@192.168.15.1's password:
Type help or '?' for a list of available commands.
Xerox2>
Xerox2> enable
Password: ***********
Xerox2# show conf
: Saved
: Written by enable_15 at 14:03:33.656 UTC Wed Jun 18 2008
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxNaKtkDr encrypted
passwd xxxxxxxxxNaKtkDr encrypted
hostname Xerox2
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host xxx.xxx.105.182 eq www
access-list outside_in permit tcp any host xxx.xxx.105.182 eq https
access-list outside_in permit tcp any host xxx.xxx.105.182 eq 3389
access-list 101 permit ip 192.168.15.0 255.255.255.0 192.168.2.0 255.255.255.0
 
 
access-list 101 permit ip 192.168.15.0 255.255.255.0 10.3.3.0 255.255.255.248
access-list SPLIT permit ip 192.168.15.0 255.255.255.0 10.3.3.0 255.255.255.248
 
 
 
pager lines 24
mtu outside 1500
mtu inside 1500
 
 
ip local pool clientpool 10.3.3.1-10.3.3.6 mask 255.255.255.248
 
 
 
ip address outside pppoe setroute
ip address inside 192.168.15.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.15.200 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.105.182 www 192.168.15.200 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.105.182 https 192.168.15.200 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.105.182 3389 192.168.15.200 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set example_set esp-des esp-md5-hmac
crypto map example_map 10 ipsec-isakmp
crypto map example_map 10 match address 101
crypto map example_map 10 set peer 76.65.200.150
crypto map example_map 10 set transform-set example_set
 
 
 
crypto dynamic-map vpnclient_map 10 set transform-set example_set
crypto map example_map 65535 ipsec-isakmp dynamic vpnclient_map
 
 
 
crypto map example_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.200.150 netmask 255.255.255.255
isakmp identity address
 
 
 
isakmp nat-traversal 20
 
 
 
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
 
 
 
 
vpngroup mcsante split-tunnel SPLIT
 
vpngroup mcsante address-pool clientpool
vpngroup mcsante dns-server 10.1.1.3
vpngroup mcsante wins-server 10.1.1.3
vpngroup mcsante default-domain cisco.com
vpngroup mcsante idle-time 1800
vpngroup mcsante password cisco1234!
 
 
 
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group xxxxxxxxxxxxxxxxx
vpdn group pppoe_group ppp authentication pap
vpdn username xxxxxxxxxxxxxxxx password ********
dhcpd address 192.168.15.2-192.168.15.254 inside
dhcpd dns xxx.xxx.0.140 xxx.xxx.0.210
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxx76b8c57d724e243e336
Xerox2#


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22914947
The nat 0 acl gets applied to both the lan-lan tunnel and the vpn client pool so they both need to be in the same acl.
The SPLIT acl simply defines the traffic that is "protected" or encrypted within the tunnel. It sort of gets reversed from the perspective of the vpn client. All other traffic from the client goes out its own local internet connection.

>crypto dynamic-map vpnclient_map 10 set transform-set example_set
I would make this a different priority number, say 20 instead of 10 to make sure it is differentiated from the lan-lan
 
The rest of it looks good.
0
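The two decisions lrmoore describes above (the nat 0 ACL covering both the LAN-to-LAN peer and the client pool, and the SPLIT ACL reading "reversed" from the client's side) are easy to get backwards. The following Python is an added illustration written for this page, not code from the thread or from Cisco; it models PIX 6.3 access-list matching on a constructed copy of Davidloc's ACL 101 and SPLIT entries (the 10.3.3.0/29 pool from his posted config) and answers "is this flow NAT-exempt?" and "does the client send this flow into the tunnel?". The function names and the first-match semantics are this example's own assumptions about how to express the behaviour, not PIX commands.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the nat-0 ACL (101) and split-tunnel ACL (SPLIT) from the
# posted Xerox2 (PIX1) configuration, with the 10.3.3.0/29 client pool.
SAMPLE_ACLS = """\
access-list 101 permit ip 192.168.15.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.15.0 255.255.255.0 10.3.3.0 255.255.255.248
access-list SPLIT permit ip 192.168.15.0 255.255.255.0 10.3.3.0 255.255.255.248
"""


def _take_net(tokens, i):
    """Parse one PIX address operand: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(f"{tokens[i + 1]}/32"), i + 2
    # PIX access-lists take a real subnet mask, not an IOS wildcard mask.
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for 'ip' entries."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue  # skip tcp/udp port entries and anything else
        name, action = t[1], t[2]
        src, i = _take_net(t, 4)
        dst, _ = _take_net(t, i)
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def acl_permits(entries, src, dst):
    """First-match evaluation, as the PIX does; no match means deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def nat0_exempt(acls, acl_name, src, dst):
    """'nat (inside) 0 access-list NAME': inside traffic matching NAME skips NAT.
    One ACL serves both the LAN-to-LAN subnet and the client pool, which is
    why both destinations have to be entries of the same list."""
    return acl_permits(acls.get(acl_name, []), src, dst)


def client_tunnels(acls, acl_name, client_ip, dst):
    """Split-tunnel decision seen from the VPN client.
    The SPLIT ACL is written inside -> client, so the client applies it in
    reverse: a flow goes into the tunnel when its destination lies in an
    entry's *source* network and the client's pool address lies in that
    entry's *destination* network.  Everything else leaves directly through
    the client's own internet connection."""
    c, d = ip_address(client_ip), ip_address(dst)
    for action, src_net, dst_net in acls.get(acl_name, []):
        if action == "permit" and d in src_net and c in dst_net:
            return True
    return False


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_ACLS)
    client = "10.3.3.2"  # an address handed out from the constructed pool
    for dst in ("192.168.15.200", "192.168.2.155", "203.0.113.5"):
        print(f"server 192.168.15.200 -> {dst:15} NAT-exempt:",
              nat0_exempt(acls, "101", "192.168.15.200", dst))
        print(f"client {client:15} -> {dst:15} tunneled:  ",
              client_tunnels(acls, "SPLIT", client, dst))
```

Run as-is, it shows that the PIX2 subnet (192.168.2.0/24) is NAT-exempt for the site-to-site tunnel but is not tunneled from the client, which matches the thread's statement that clients coming in to PIX1 cannot reach resources behind PIX2; a public destination such as 203.0.113.5 (a documentation address used here as a stand-in) is neither, so it goes out the client's local connection.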
 

Author Comment

by:Davidloc
ID: 22915060
I can make the connection but I am not able to access anything. I am showing as on the 10.3.3.0 network on the Cisco VPN client. The server pings by name but resolves to a different network. Any ideas?
0
 
LVL 2

Expert Comment

by:dano2112
ID: 22915939

Davidloc....

In your config, here's what you entered as part of your vpngroup:
vpngroup mcsante dns-server 10.1.1.3
vpngroup mcsante wins-server 10.1.1.3

I think the 10.1.1.3 address was from the Cisco example code that I provided.  Change the dns-server line to whatever server does your internal DNS and I think you'll have better results when trying to ping by name.  Are you able to ping inside hosts by IP instead of name?

That wins-server line is optional in the vpngroup config so if you don't use WINS, you can simply remove that line.

Hope this helps!
0
 
LVL 2

Expert Comment

by:dano2112
ID: 22915951

Davidloc....

Also, I just noticed these lines in your config:
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside

These lines allow both telnet and ssh access from ANY outside host!  If possible, you might want to try and make that access more restrictive.  Ideally, you would lock it down to just one or two hosts or maybe just one network (eg, ssh 1.1.1.x 255.255.255.240).  And, I would probably just disable the telnet access from the outside altogether since that does not use encryption.  Telnet is okay for inside management.

These are super-critical changes unless you do a lot of remote management so you can wait to clean them up when you switch from DES to 3DES.

Hope this helps!
0
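dano2112's last two comments (the 10.1.1.3 example address left in the vpngroup lines, and telnet/ssh open to any outside host) and his earlier remark about esp-des are the kind of thing worth catching before a config is pushed. The Python below is an added example written for this page, not code from the thread or from Cisco: it runs a handful of hygiene checks over a PIX 6.3 configuration text and returns what it finds. Both configuration samples are constructed here; the first reproduces the relevant lines of the posted config, the second is a hardened counterpart that the same checks pass cleanly. The finding codes and the rule that a dns-server or wins-server address should sit on an inside network are this example's own choices (such a server may legitimately live behind another tunnel, so that item is only a prompt to check).

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the PIX 6.3 configuration posted in the thread.
SAMPLE_CONFIG = """\
ip address inside 192.168.15.1 255.255.255.0
snmp-server community public
crypto ipsec transform-set example_set esp-des esp-md5-hmac
isakmp policy 10 encryption des
vpngroup mcsante dns-server 10.1.1.3
vpngroup mcsante wins-server 10.1.1.3
telnet 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
"""

# Constructed hardened counterpart: 3DES, management limited to the inside LAN
# and one outside host (203.0.113.10 is a documentation address stand-in),
# no cleartext telnet from outside, DNS pointed at the real inside server.
HARDENED_CONFIG = """\
ip address inside 192.168.15.1 255.255.255.0
crypto ipsec transform-set example_set esp-3des esp-md5-hmac
isakmp policy 10 encryption 3des
vpngroup mcsante dns-server 192.168.15.200
ssh 203.0.113.10 255.255.255.255 outside
ssh 192.168.15.0 255.255.255.0 inside
telnet 192.168.15.0 255.255.255.0 inside
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def audit_pix_config(text):
    """Return a list of (finding_code, offending_line) tuples."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]

    # Collect the address ranges of non-outside interfaces so that pushed
    # DNS/WINS servers can be checked against them.
    inside_nets = []
    for line in lines:
        m = re.match(rf"ip address (\S+) {IPV4} {IPV4}$", line)
        if m and m.group(1) != "outside":
            inside_nets.append(ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))

    findings = []
    for line in lines:
        # Management access from the outside interface.
        m = re.match(rf"(telnet|ssh) {IPV4} {IPV4} outside$", line)
        if m:
            proto, addr, mask = m.groups()
            if addr == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(("mgmt-any-outside", line))
            if proto == "telnet":
                findings.append(("telnet-outside", line))  # cleartext protocol
        # Single DES in the IPsec transform set or the ISAKMP policy.
        if line.startswith("crypto ipsec transform-set") and "esp-des" in line.split():
            findings.append(("weak-ipsec-des", line))
        if re.match(r"isakmp policy \d+ encryption des$", line):
            findings.append(("weak-isakmp-des", line))
        # Well-known default SNMP community string.
        if line == "snmp-server community public":
            findings.append(("snmp-default-community", line))
        # Servers pushed to VPN clients that are not on any inside network,
        # e.g. an example address copied from documentation.
        m = re.match(rf"vpngroup \S+ (dns-server|wins-server) {IPV4}$", line)
        if m and not any(ip_address(m.group(2)) in n for n in inside_nets):
            findings.append(("vpngroup-server-not-inside", line))
    return findings


if __name__ == "__main__":
    for code, line in audit_pix_config(SAMPLE_CONFIG):
        print(f"{code:28} {line}")
    print("hardened config findings:", audit_pix_config(HARDENED_CONFIG))
```

The checks deliberately key on exact tokens ("esp-des" rather than a substring, so "esp-3des" is not flagged) and on the interface name in the telnet/ssh line, so narrowing management access to a specific outside host clears the finding while leaving inside-only telnet, which dano2112 describes as acceptable, unreported.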
 

Author Comment

by:Davidloc
ID: 22916293
The DNS line was changed and the WINS line was removed. The connection is as follows: 192.168.1.100 ==> 192.168.15.0 ==> 192.168.2.1, which is mcsante ==> PIX1 ==> PIX2. mcsante cannot ping the inside interface on PIX1 (192.168.15.1) or the server inside (192.168.15.200).
0
 
LVL 2

Expert Comment

by:dano2112
ID: 22916818

Davidloc...

By default, when you connect to the PIX using a VPN client or with a site-to-site tunnel, the inside interface of the PIX will be hidden.  To make that visible from a VPN connection do:

pix#conf t
pix(config)#management-access inside

Looking at your config, it seems like this should be working.  When you connect to PIX1 using a VPN client, are you receiving an IP address in the 10.3.3.0/29 range?  It might also be that dynamic-map statement:

crypto dynamic-map vpnclient_map 10 set transform-set example_set

A few posts back, lrmoore suggested changing the priority number from 10 to 20.  I don't think that would prevent the client tunnel from passing traffic but it might.

Finally, is your VPN client behind any type of firewall?  If so, you may have to enable some type of VPN pass-through (for IPSec) in order for the Phase2 traffic to flow.

Let us know if these changes make any difference!

0
 

Author Comment

by:Davidloc
ID: 22916897
Here is the newest config, 10.3.3.0 was replaced with 192.168.1.0
Test client is on 192.168.1.0 linksys subnet
PIX1 inside is 192.168.15.0     access to server here needed
PIX2 is 192.168.2.0   Don't care about this subnet from client


login as: pix
Sent username "pix"
pix@207.112.105.182's password:
Type help or '?' for a list of available commands.
Xerox2>
Xerox2> enable
Password: ***********
Xerox2# conf t
Xerox2(config)# show cfg
Type help or '?' for a list of available commands.
Xerox2(config)# show conf
: Saved
: Written by enable_15 at 17:42:53.096 UTC Wed Nov 5 2008
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxf9i7NaKtkDr encrypted
passwd xxxxxf9i7NaKtkDr encrypted
hostname Xerox2
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host xxx.xxx.105.182 eq www
access-list outside_in permit tcp any host xxx.xxx.105.182 eq https
access-list outside_in permit tcp any host xxx.xxx.105.182 eq 3389
access-list 101 permit ip 192.168.15.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list SPLIT permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.15.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 192.168.1.196-192.168.1.200 mask 255.255.255.0
pdm location 192.168.15.200 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.105.182 www 192.168.15.200 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.105.182 https 192.168.15.200 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.105.182 3389 192.168.15.200 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set example_set esp-des esp-md5-hmac
crypto dynamic-map vpnclient_map 20 set transform-set example_set
crypto map example_map 10 ipsec-isakmp
crypto map example_map 10 match address 101
crypto map example_map 10 set peer 76.65.200.150
crypto map example_map 10 set transform-set example_set
crypto map example_map 65535 ipsec-isakmp dynamic vpnclient_map
crypto map example_map interface outside
isakmp enable outside
isakmp key ******** address xx.xx.200.150 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mcsante address-pool clientpool
vpngroup mcsante dns-server 192.168.15.200
vpngroup mcsante default-domain esfest.local
vpngroup mcsante split-tunnel SPLIT
vpngroup mcsante idle-time 3600
vpngroup mcsante password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxxxxxxx
vpdn group pppoe_group ppp authentication pap
vpdn username xxxxxxxxxxxx  password ********
dhcpd address 192.168.15.2-192.168.15.254 inside
dhcpd dns xxx.xxx.0.140 xxx.xxx.0.210
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxecb7bf053592befb96e658a3e23
Xerox2(config)#

LVL 2

Expert Comment

by:dano2112
ID: 22916967

Davidloc....

This config looks okay to me.  If that VPN client is behind a Linksys firewall/router, check the Linksys GUI for anything to do with VPN Passthrough and enable it for IPSec.  You can enable the other types of VPN if you'd like but the Cisco VPN will use IPSec only.

What model of Linksys device do you have?  If you look at the bottom of it, what's the version number and inside the GUI, what is the firmware version on the Linksys?  Sometimes firmware updates from Linksys are required to get the VPN passthrough stuff working.

Hope this helps...

Author Comment

by:Davidloc
ID: 22916991
I removed the Linksys and connected the test client directly to the cable modem. XP firewall is turned off. When connected I get:

C:\Documents and Settings\Bug>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : phub.net.cable.rogers.com
        IP Address. . . . . . . . . . . . : xx.xx.13.115
        Subnet Mask . . . . . . . . . . . : 255.255.254.0
        Default Gateway . . . . . . . . . : 99.241.12.1

Ethernet adapter Local Area Connection 5:

        Connection-specific DNS Suffix  . : esfest.local
        IP Address. . . . . . . . . . . . : 192.168.1.197
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :


192.168.15.1 does not ping (PIX1 inside address)

Author Comment

by:Davidloc
ID: 22917212
The VPN logs


18     13:43:23.406  11/09/08  Sev=Info/4      CM/0x63100002
Begin connection process

19     13:43:23.421  11/09/08  Sev=Info/4      CM/0x63100004
Establish secure connection

20     13:43:23.421  11/09/08  Sev=Info/4      CM/0x63100024
Attempt connection with server "xxx.xxx.105.182"

21     13:43:23.421  11/09/08  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

22     13:43:23.421  11/09/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xxx.xxx.105.182

23     13:43:23.609  11/09/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from xxx.xxx.105.182

24     13:43:23.625  11/09/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to xxx.xxx.105.182

25     13:43:23.625  11/09/08  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x0527, Remote Port = 0x1194

26     13:43:23.625  11/09/08  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

27     13:43:23.625  11/09/08  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

28     13:43:23.640  11/09/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.105.182

29     13:43:23.640  11/09/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from xxx.xxx.105.182

30     13:43:23.671  11/09/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.105.182

31     13:43:23.671  11/09/08  Sev=Info/4      CM/0x63100019
Mode Config data received

32     13:43:23.671  11/09/08  Sev=Info/4      IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.1.197, GW IP = xxx.xxx.105.182, Remote IP = 0.0.0.0

33     13:43:23.671  11/09/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to xxx.xxx.105.182

34     13:43:23.703  11/09/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from xxx.xxx.105.182

35     13:43:23.703  11/09/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to xxx.xxx.105.182

36     13:43:24.703  11/09/08  Sev=Info/4      CM/0x63100034
The Virtual Adapter was enabled:
      IP=192.168.1.197/255.255.255.0
      DNS=192.168.15.200,0.0.0.0
      WINS=0.0.0.0,0.0.0.0
      Domain=esfest.local
      Split DNS Names=

37     13:43:24.718  11/09/08  Sev=Info/4      CM/0x63100038
Successfully saved route changes to file.

38     13:43:24.796  11/09/08  Sev=Info/4      CM/0x6310001A
One secure connection established

39     13:43:24.828  11/09/08  Sev=Info/4      CM/0x6310003B
Address watch added for 99.241.13.115.  Current hostname: Techs1, Current address(es): 192.168.1.197, 99.241.13.115.

40     13:43:24.843  11/09/08  Sev=Info/4      CM/0x6310003B
Address watch added for 192.168.1.197.  Current hostname: Techs1, Current address(es): 192.168.1.197, 99.241.13.115.

41     13:43:24.843  11/09/08  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

42     13:43:24.843  11/09/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

43     13:43:24.843  11/09/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

44     13:43:24.843  11/09/08  Sev=Info/4      IPSEC/0x63700010
Created a new key structure

45     13:43:24.843  11/09/08  Sev=Info/4      IPSEC/0x6370000F
Added key with SPI=0xa8006c89 into key list

46     13:43:24.843  11/09/08  Sev=Info/4      IPSEC/0x63700010
Created a new key structure

47     13:43:24.843  11/09/08  Sev=Info/4      IPSEC/0x6370000F
Added key with SPI=0xf2949e8c into key list

48     13:43:24.843  11/09/08  Sev=Info/4      IPSEC/0x6370002F
Assigned VA private interface addr 192.168.1.197

49     13:43:24.843  11/09/08  Sev=Info/4      IPSEC/0x63700037
Configure public interface: 99.241.13.115. SG: xxx.xxx.105.182

LVL 2

Expert Comment

by:dano2112
ID: 22917286

Davidloc...

Sorry it's still not working.  I keep going over your config and I can't seem to put my finger on where the problem might be.

Let's try temporarily turning off the split-tunneling.  Maybe something there is throwing us off.  So:

pix#config t
pix(config)#no vpngroup mcsante split-tunnel SPLIT

The SPLIT access-list can remain in the config - it just won't get used until we put the split-tunnel command back into the vpngroup.

See if you can ping any inside resources behind PIX1 with the split tunneling disabled.

Good luck!

Author Comment

by:Davidloc
ID: 22917345
Applied "no vpngroup mcsante split-tunnel SPLIT", wrote to mem and reloaded; cannot even ping 192.168.15.1 (the PIX1 itself).


Author Comment

by:Davidloc
ID: 22917374
The access list 101 is restricted to the other end of the site to site. Could this have anything to do with it? Also, should I leave the access list SPLIT, or does it matter?
LVL 79

Expert Comment

by:lrmoore
ID: 22917398
>10.3.3.0 was replaced with 192.168.1.0
>Test client is on 192.168.1.0 linksys subnet
This injected another issue where the local LAN and the VPN subnet are the same. Causes nothing but grief.  They need to be different.
It should have worked with the 10.3.3.x address getting assigned to the VPN client.
If you remove the split-tunnel group command, ALL traffic will be tunneled but that is the only drawback.

I've also had issues with 5.x VPN client and DES. It really wants 3DES or AES..
Try an older 4.x client, or upgrade the license to 3DES.
LVL 2

Expert Comment

by:dano2112
ID: 22917522

Davidloc...

Ok, well, it sounds like Phase 1 of the VPN is working because your tunnel is coming up.  Phase 2, however, where the IPSec traffic actually travels down the tunnel, is the part that's not working correctly.

It almost seems as if the IPSec packets are getting filtered somewhere between your client and the PIX1.  Do you have any kind of software firewall on the client that you're trying to connect from?  

On the PIX1, at an enable prompt, type "sh ipsec sa" and see what you get.  This should give you tunnel statistics for both your site-to-site tunnel and your client-to-site tunnel, if it's active.  When you send and receive packets, there are counters that should increment for the number of packets encrypted and decrypted.  

Connect to the VPN from your client and then do the "sh ipsec sa" command to see the packet counters.  Then, send some pings from the client to either 192.168.15.1 or 192.168.15.200.  Then do the "sh ipsec sa" command again and see how the counters have incremented.  We'll probably see one side incrementing and one side staying at zero or we'll see the send errors increment instead of the encrypted and decrypted packets.

Please let us know what you find out.  We have to be very close to getting this working!
LVL 2

Expert Comment

by:dano2112
ID: 22917539

lrmoore...

I haven't had any experience with the 5.x client and DES.  I've always used 3DES in my implementations so maybe that's where the hang-up is!

As for Davidloc changing his client pool, his inside network is 192.168.15.0/24 and his new client pool is 192.168.1.0/24 so I think that should be okay, right?

Author Comment

by:Davidloc
ID: 22917559
According to both PIXes, 3DES is enabled; I will change the site to site to 3DES once I get this working. I have just downloaded 4.8 from Cisco and will try this next.

Author Comment

by:Davidloc
ID: 22917781
from PIX with 4.8 client logged in

Xerox2# sh ipsec sa


interface: outside
    Crypto map tag: example_map, local addr. xxx.xxx.105.182

   local  ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: xx.xx.200.150:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xxx.xxx.105.182, remote crypto endpt.: 76.65.200.150
     path mtu 1492, ipsec overhead 0, media mtu 1492
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.1/255.255.255.255/0/0)
   current_peer: 99.241.13.115:1170
   dynamic allocated peer ip: 10.3.3.1

     PERMIT, flags={transport_parent,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xxx.xxx.105.182, remote crypto endpt.: 99.241.13.115
     path mtu 1492, ipsec overhead 64, media mtu 1492
     current outbound spi: 6e82a956

     inbound esp sas:
      spi: 0x59379399(1496814489)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 1, crypto map: example_map
        sa timing: remaining key lifetime (k/sec): (4608000/28575)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x6e82a956(1854056790)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2, crypto map: example_map
        sa timing: remaining key lifetime (k/sec): (4608000/28575)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
   current_peer: xx.xx.200.150:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xxx.xxx.105.182, remote crypto endpt.: 76.65.200.150
     path mtu 1492, ipsec overhead 0, media mtu 1492
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:


Xerox2#

Author Comment

by:Davidloc
ID: 22917784
I had to re-enable split to do this of course

Author Comment

by:Davidloc
ID: 22918161
The dynamic-map and the map statements don't seem right:

sysopt connection permit-ipsec
crypto ipsec transform-set example_set esp-des esp-md5-hmac
crypto dynamic-map vpnclient_map 20 set transform-set example_set
crypto map example_map 10 ipsec-isakmp
crypto map example_map 10 match address 101
crypto map example_map 10 set peer xx.xx.200.150   ==>>> This is the PIX2 peer (fixed IP)
crypto map example_map 10 set transform-set example_set
crypto map example_map 65535 ipsec-isakmp dynamic vpnclient_map
crypto map example_map interface outside
isakmp enable outside
isakmp key ******** address xx.xx.200.150 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mcsante address-pool clientpool
vpngroup mcsante dns-server 192.168.15.200
vpngroup mcsante default-domain esfest.local
vpngroup mcsante split-tunnel SPLIT
vpngroup mcsante idle-time 3600
vpngroup mcsante password ********
LVL 2

Expert Comment

by:dano2112
ID: 22918347

Davidloc...

Sorry that you're still having trouble!  We could try removing the entire cryptomap from the outside interface and then reapplying it.  I've seen occasions where this can clear up some odd behavior.

Keep in mind that doing this will likely knock down the site-to-site tunnel for a short period until the map is reapplied and the tunnel sees more interesting traffic.

pix#config t
pix(config)#no crypto map example_map interface outside
(this will remove the crypto map)
pix(config)#crypto map example_map interface outside
(this will reapply the map)

What is it about the dynamic-map and map statements that looks odd to you?

Let us know how it goes...good luck!

Author Comment

by:Davidloc
ID: 22918363
This sets the crypto map to accept only xx.xx.200.150, and seeing as the dynamic-map is using part of it, I was wondering if this would stop the link even though phase 1 completes.

crypto map example_map 10 set peer xx.xx.200.150
crypto map example_map 10 set transform-set example_set
crypto map example_map 65535 ipsec-isakmp dynamic vpnclient_map
crypto map example_map interface outside
isakmp enable outside
isakmp key ******** address xx.xx.200.150 netmask 255.255.255.255

Author Comment

by:Davidloc
ID: 22918370
e.g. the peer is set on example_map, and then "crypto map example_map 65535 ipsec-isakmp dynamic vpnclient_map" says it should be linked dynamically. Again, all locations are static DSL; I want the vpnclient to be dynamic so I can test it before implementation.

Thanks

Author Comment

by:Davidloc
ID: 22918538
My concern is that the "parent" crypto-map accepts only connections from xx.xx.200.150

Author Comment

by:Davidloc
ID: 22919246
I have switched the encryption from DES to 3DES on the tunnel as suggested with no change :(

Author Comment

by:Davidloc
ID: 22919286
New IKE logs from PIX1 with the 4.8 client logged on:


Cisco Systems VPN Client Version 4.8.02.0010
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
 
270    00:12:07.781  11/10/08  Sev=Info/4	CM/0x63100002
Begin connection process
 
271    00:12:07.781  11/10/08  Sev=Info/4	CM/0x63100004
Establish secure connection
 
272    00:12:07.781  11/10/08  Sev=Info/4	CM/0x63100024
Attempt connection with server "***.***.105.182"
 
273    00:12:07.781  11/10/08  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with ***.***.105.182.
 
274    00:12:07.796  11/10/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to ***.***.105.182
 
275    00:12:08.000  11/10/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = ***.***.105.182
 
276    00:12:08.000  11/10/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from ***.***.105.182
 
277    00:12:08.000  11/10/08  Sev=Info/5	IKE/0x63000001
Peer supports XAUTH
 
278    00:12:08.000  11/10/08  Sev=Info/5	IKE/0x63000001
Peer supports DPD
 
279    00:12:08.000  11/10/08  Sev=Info/5	IKE/0x63000001
Peer is a Cisco-Unity compliant peer
 
280    00:12:08.000  11/10/08  Sev=Info/5	IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5
 
281    00:12:08.000  11/10/08  Sev=Info/5	IKE/0x63000001
Peer supports NAT-T
 
282    00:12:08.000  11/10/08  Sev=Info/6	IKE/0x63000001
IOS Vendor ID Contruction successful
 
283    00:12:08.000  11/10/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to ***.***.105.182
 
284    00:12:08.015  11/10/08  Sev=Info/6	IKE/0x63000055
Sent a keepalive on the IPSec SA
 
285    00:12:08.015  11/10/08  Sev=Info/4	IKE/0x63000083
IKE Port in use - Local Port =  0x04E2, Remote Port = 0x1194
 
286    00:12:08.015  11/10/08  Sev=Info/5	IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device
 
287    00:12:08.015  11/10/08  Sev=Info/4	CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
 
288    00:12:08.015  11/10/08  Sev=Info/4	CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
 
289    00:12:08.015  11/10/08  Sev=Info/5	IKE/0x6300005E
Client sending a firewall request to concentrator
 
290    00:12:08.015  11/10/08  Sev=Info/5	IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
 
291    00:12:08.015  11/10/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to ***.***.105.182
 
292    00:12:08.031  11/10/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = ***.***.105.182
 
293    00:12:08.031  11/10/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from ***.***.105.182
 
294    00:12:08.031  11/10/08  Sev=Info/5	IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
 
295    00:12:08.031  11/10/08  Sev=Info/5	IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
 
296    00:12:08.046  11/10/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = ***.***.105.182
 
297    00:12:08.046  11/10/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from ***.***.105.182
 
298    00:12:08.046  11/10/08  Sev=Info/5	IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.3.3.1
 
299    00:12:08.046  11/10/08  Sev=Info/5	IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
 
300    00:12:08.046  11/10/08  Sev=Info/5	IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.15.200
 
301    00:12:08.046  11/10/08  Sev=Info/5	IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = esfest.local
 
302    00:12:08.046  11/10/08  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
 
303    00:12:08.046  11/10/08  Sev=Info/5	IKE/0x6300000F
SPLIT_NET #1
	subnet = 192.168.15.0 
	mask = 255.255.255.0
	protocol = 0
	src port = 0
	dest port=0
 
304    00:12:08.046  11/10/08  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
 
305    00:12:08.046  11/10/08  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
 
306    00:12:08.046  11/10/08  Sev=Info/4	CM/0x63100019
Mode Config data received
 
307    00:12:08.046  11/10/08  Sev=Info/4	IKE/0x63000056
Received a key request from Driver: Local IP = 10.3.3.1, GW IP = ***.***.105.182, Remote IP = 0.0.0.0
 
308    00:12:08.046  11/10/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to ***.***.105.182
 
309    00:12:08.078  11/10/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = ***.***.105.182
 
310    00:12:08.078  11/10/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from ***.***.105.182
 
311    00:12:08.078  11/10/08  Sev=Info/5	IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
 
312    00:12:08.078  11/10/08  Sev=Info/5	IKE/0x63000046
RESPONDER-LIFETIME notify has value of 4608000 kb
 
313    00:12:08.078  11/10/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to ***.***.105.182
 
314    00:12:08.078  11/10/08  Sev=Info/5	IKE/0x63000059
Loading IPsec SA (MsgID=96FD2CB9 OUTBOUND SPI = 0xE486753B INBOUND SPI = 0xBC9BFD5F)
 
315    00:12:08.078  11/10/08  Sev=Info/5	IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xE486753B
 
316    00:12:08.078  11/10/08  Sev=Info/5	IKE/0x63000026
Loaded INBOUND ESP SPI: 0xBC9BFD5F
 
317    00:12:08.156  11/10/08  Sev=Info/5	CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       99.241.12.1     99.241.13.115       20
    99.241.12.0     255.255.254.0     99.241.13.115     99.241.13.115       20
  99.241.13.115   255.255.255.255         127.0.0.1         127.0.0.1       20
 99.255.255.255   255.255.255.255     99.241.13.115     99.241.13.115       20
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
    169.254.0.0       255.255.0.0     99.241.13.115     99.241.13.115       30
      224.0.0.0         240.0.0.0     99.241.13.115     99.241.13.115       20
255.255.255.255   255.255.255.255     99.241.13.115     99.241.13.115        1
 
 
318    00:12:09.093  11/10/08  Sev=Info/4	CM/0x63100034
The Virtual Adapter was enabled: 
	IP=10.3.3.1/255.255.255.0
	DNS=192.168.15.200,0.0.0.0
	WINS=0.0.0.0,0.0.0.0
	Domain=esfest.local
	Split DNS Names=
 
319    00:12:09.093  11/10/08  Sev=Info/5	CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       99.241.12.1     99.241.13.115       20
       10.3.3.0     255.255.255.0          10.3.3.1          10.3.3.1       20
       10.3.3.1   255.255.255.255         127.0.0.1         127.0.0.1       20
 10.255.255.255   255.255.255.255          10.3.3.1          10.3.3.1       20
    99.241.12.0     255.255.254.0     99.241.13.115     99.241.13.115       20
  99.241.13.115   255.255.255.255         127.0.0.1         127.0.0.1       20
 99.255.255.255   255.255.255.255     99.241.13.115     99.241.13.115       20
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
    169.254.0.0       255.255.0.0     99.241.13.115     99.241.13.115       30
      224.0.0.0         240.0.0.0          10.3.3.1          10.3.3.1       20
      224.0.0.0         240.0.0.0     99.241.13.115     99.241.13.115       20
255.255.255.255   255.255.255.255          10.3.3.1          10.3.3.1        1
255.255.255.255   255.255.255.255     99.241.13.115     99.241.13.115        1
 
 
320    00:12:09.093  11/10/08  Sev=Info/4	CM/0x63100038
Successfully saved route changes to file.
 
321    00:12:09.093  11/10/08  Sev=Info/5	CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       99.241.12.1     99.241.13.115       20
       10.3.3.0     255.255.255.0          10.3.3.1          10.3.3.1       20
       10.3.3.1   255.255.255.255         127.0.0.1         127.0.0.1       20
 10.255.255.255   255.255.255.255          10.3.3.1          10.3.3.1       20
   99.240.128.1   255.255.255.255       99.241.12.1     99.241.13.115        1
    99.241.12.0     255.255.254.0     99.241.13.115     99.241.13.115       20
  99.241.13.115   255.255.255.255         127.0.0.1         127.0.0.1       20
 99.255.255.255   255.255.255.255     99.241.13.115     99.241.13.115       20
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
    169.254.0.0       255.255.0.0     99.241.13.115     99.241.13.115       30
   192.168.15.0     255.255.255.0          10.3.3.2          10.3.3.1        1
***.***.105.182   255.255.255.255       99.241.12.1     99.241.13.115        1
      224.0.0.0         240.0.0.0          10.3.3.1          10.3.3.1       20
      224.0.0.0         240.0.0.0     99.241.13.115     99.241.13.115       20
255.255.255.255   255.255.255.255          10.3.3.1          10.3.3.1        1
255.255.255.255   255.255.255.255     99.241.13.115     99.241.13.115        1
 
 
322    00:12:09.093  11/10/08  Sev=Info/6	CM/0x63100036
The routing table was updated for the Virtual Adapter
 
323    00:12:09.125  11/10/08  Sev=Info/4	CM/0x6310001A
One secure connection established
 
324    00:12:09.265  11/10/08  Sev=Info/4	CM/0x6310003B
Address watch added for 99.241.13.115.  Current hostname: Techs1, Current address(es): 10.3.3.1, 99.241.13.115.
 
325    00:12:09.265  11/10/08  Sev=Info/4	CM/0x6310003B
Address watch added for 10.3.3.1.  Current hostname: Techs1, Current address(es): 10.3.3.1, 99.241.13.115.
 
326    00:12:09.265  11/10/08  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started
 
327    00:12:09.265  11/10/08  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
328    00:12:09.265  11/10/08  Sev=Info/6	IPSEC/0x6370002C
Sent 131 packets, 0 were fragmented.
 
329    00:12:09.281  11/10/08  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
330    00:12:09.281  11/10/08  Sev=Info/4	IPSEC/0x63700010
Created a new key structure
 
331    00:12:09.281  11/10/08  Sev=Info/4	IPSEC/0x6370000F
Added key with SPI=0x3b7586e4 into key list
 
332    00:12:09.281  11/10/08  Sev=Info/4	IPSEC/0x63700010
Created a new key structure
 
333    00:12:09.281  11/10/08  Sev=Info/4	IPSEC/0x6370000F
Added key with SPI=0x5ffd9bbc into key list
 
334    00:12:09.281  11/10/08  Sev=Info/4	IPSEC/0x6370002F
Assigned VA private interface addr 10.3.3.1
 
335    00:12:09.281  11/10/08  Sev=Info/4	IPSEC/0x63700037
Configure public interface: 99.241.13.115. SG: ***.***.105.182
 
336    00:12:09.281  11/10/08  Sev=Info/6	CM/0x63100046
Set tunnel established flag in registry to 1.
 
337    00:12:18.203  11/10/08  Sev=Info/6	IKE/0x63000055
Sent a keepalive on the IPSec SA
 
338    00:12:28.203  11/10/08  Sev=Info/6	IKE/0x63000055
Sent a keepalive on the IPSec SA

LVL 79

Expert Comment

by:lrmoore
ID: 22921024
Everything in that log appears correct and just what we expect to see.

>Established Phase 1 SA

>SPLIT_NET #1
      subnet = 192.168.15.0
      mask = 255.255.255.0
>Local IP = 10.3.3.1

>The Virtual Adapter was enabled:
      IP=10.3.3.1/255.255.255.0
      DNS=192.168.15.200,0.0.0.0
      WINS=0.0.0.0,0.0.0.0
      Domain=esfest.local
      Split DNS Names=

>The routing table was updated for the Virtual Adapter
     192.168.15.0     255.255.255.0          10.3.3.2          10.3.3.1        1

>One secure connection established
>Set tunnel established flag in registry to 1

By all rights, this is a perfectly established VPN connection. When you try to ping something on the 192.168.15.x network, look in the statistics and see if you have sent and received packet counters increasing or if sent increases but received stays at zero..

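Both dano2112 (ID 22917522) and lrmoore (ID 22921024) suggest the same test: snapshot "sh ipsec sa", send a few pings across the tunnel, snapshot again, and see which counters moved. As an added example that is not from this thread or from Cisco, the Python script below parses two snapshots of PIX 6.3 "show ipsec sa" output in the layout posted above and classifies each SA by how its encaps/decaps counters changed. The two snapshots are constructed with documentation addresses and contain only the remote-access SA; the verdict hints are the interpretations the two experts give in their posts.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Constructed snapshots in the PIX 6.3 "show ipsec sa" layout seen in this
# thread (documentation addresses, only the remote-access SA is shown).
# BEFORE is taken with the client connected but idle, AFTER right after the
# client pinged an inside host: the PIX decrypted 8 packets but encrypted none.
SNAPSHOT_BEFORE = """\
interface: outside
    Crypto map tag: example_map, local addr. 203.0.113.10

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.1/255.255.255.255/0/0)
   current_peer: 198.51.100.7:1170
   dynamic allocated peer ip: 10.3.3.1

     PERMIT, flags={transport_parent,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""

SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0",
    "#pkts decaps: 8, #pkts decrypt: 8, #pkts verify 8",
)


@dataclass
class SaCounters:
    remote_ident: str
    encaps: int        # packets the PIX encrypted and sent into this SA
    decaps: int        # packets the PIX received and decrypted from this SA
    send_errors: int
    recv_errors: int


_SA_START = re.compile(r"^\s*local\s+ident", re.MULTILINE)
_REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)")


def _counter(pattern: str, text: str) -> int:
    m = re.search(pattern, text)
    return int(m.group(1)) if m else 0


def parse_ipsec_sa(output: str) -> Dict[str, SaCounters]:
    """Split 'show ipsec sa' output into per-SA blocks and read the counters,
    keyed by remote identity (the assigned client address for a remote-access
    SA, the remote LAN for a site-to-site SA)."""
    sas: Dict[str, SaCounters] = {}
    starts = [m.start() for m in _SA_START.finditer(output)] + [len(output)]
    for begin, end in zip(starts, starts[1:]):
        chunk = output[begin:end]
        remote = _REMOTE.search(chunk)
        if not remote:
            continue
        ident = remote.group(1)
        sas[ident] = SaCounters(
            remote_ident=ident,
            encaps=_counter(r"#pkts encaps:\s*(\d+)", chunk),
            decaps=_counter(r"#pkts decaps:\s*(\d+)", chunk),
            send_errors=_counter(r"#send errors\s*(\d+)", chunk),
            recv_errors=_counter(r"#recv errors\s*(\d+)", chunk),
        )
    return sas


VERDICT_HINTS = {
    "healthy": "both counters moved; the tunnel carries traffic in both directions",
    "decrypt-only": "client packets arrive and are decrypted but no replies are "
                    "encrypted back: check that return traffic to the pool is "
                    "exempt from NAT and routed to the PIX",
    "encrypt-only": "replies are encrypted and sent but nothing is decrypted: "
                    "check for filtering between the client and the PIX",
    "errors": "send/recv error counters increased; inspect the SA and transform set",
    "idle": "no packets matched this SA; the test traffic never reached it",
}


def diagnose(before: str, after: str) -> Dict[str, str]:
    """Classify each SA by how its counters moved between two snapshots."""
    prev_sas, cur_sas = parse_ipsec_sa(before), parse_ipsec_sa(after)
    verdicts: Dict[str, str] = {}
    for ident, cur in cur_sas.items():
        prev = prev_sas.get(ident) or SaCounters(ident, 0, 0, 0, 0)
        d_enc = cur.encaps - prev.encaps
        d_dec = cur.decaps - prev.decaps
        d_err = (cur.send_errors - prev.send_errors) + (cur.recv_errors - prev.recv_errors)
        if d_err > 0:
            verdicts[ident] = "errors"
        elif d_enc > 0 and d_dec > 0:
            verdicts[ident] = "healthy"
        elif d_dec > 0:
            verdicts[ident] = "decrypt-only"
        elif d_enc > 0:
            verdicts[ident] = "encrypt-only"
        else:
            verdicts[ident] = "idle"
    return verdicts


if __name__ == "__main__":
    for ident, verdict in diagnose(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{ident}: {verdict} - {VERDICT_HINTS[verdict]}")
```

Paste the real "sh ipsec sa" output into the two snapshot strings (one capture before the pings, one after) and the script reports, per SA, whether the PIX is only decrypting, only encrypting, idle, or healthy; a site-to-site SA and a remote-access SA in the same output are kept apart by their remote identity.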
LVL 2

Expert Comment

by:dano2112
ID: 22921421

Davidloc...

Like lrmoore has stated, everything with the config and your log output looks correct and normal.  I can't figure out why you wouldn't be able to ping any hosts behind PIX1 once your tunnel comes up.

Is your site-to-site tunnel working okay still?  I've seen occasions where an ISP upgrades their modems or makes some other change and then IPSec traffic gets filtered inadvertently.  But, if your site-to-site tunnel is still working, then we can eliminate that possibility.

Do you have any other laptops or PCs that you can install the VPN client on?  Maybe there's just something not quite right on the computer you've been testing with.

If we are still striking out, we can try to manually back out the commands that we entered for the client-to-site connections and then run the Client-To-Site wizard inside the GUI.  Maybe letting the wizard do the config will trigger something to work?!


Author Comment

by:Davidloc
ID: 22925600
Is the server-based PDM more complete than the device-based one? The device-based one keeps telling me that it has detected unsupported commands and will only allow read-only access, with no config tab.

Thanks again

Author Comment

by:Davidloc
ID: 22925605
Yes the site to site is up rock solid now using 3DES
LVL 2

Expert Comment

by:dano2112
ID: 22928058

Davidloc...

The PDM is probably complaining about the fact that you've got access-list 101 used in two different places; the first in your no-nat statement and the second in the match statement for your site to site tunnel.  This is perfectly fine as far as the PIX IOS is concerned but for some reason, the PDM doesn't like it.

If you'd like to modify the config so that the PDM will run without error, you must create a new access-list and duplicate all of the elements in access-list 101.  For example:

pix(config)#access-list inside_outbound_nat0 permit ip 192.168.15.0 255.255.255.0 192.168.2.0 255.255.255.0
pix(config)#access-list inside_outbound_nat0 permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0

Then, you would remove your no-nat statement and re-apply it using this new access-list as the match.  Keep in mind that your site-to-site tunnel traffic will experience a small blip while the no-nat statement is missing.  The tunnel traffic should be restored as soon as you re-apply the no-nat using the different access list.

pix(config)#no nat (inside) 0 access-list 101
pix(config)#nat (inside) 0 access-list inside_outbound_nat0

If you make these changes, I believe the PDM will load in full-control mode instead of read-only mode.  If the PDM throws any other errors at you, please let me know.  Also, if you do make this change, try the client VPN connection again.  I doubt this change will make the client VPN work but, you never know!

Good luck!
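Two points raised in this thread are mechanical enough to check before touching the box: lrmoore's observation (ID 22917398) that the client pool must not overlap the LAN the client sits on, and dano2112's note just above that one access-list is serving both nat 0 and the crypto map. A third thing worth checking is whether the nat 0 access-list exempts traffic to the pool at all; the final working config at the end of this thread adds "access-list no_nat permit ip any 10.3.3.0 255.255.255.0" for exactly that. As an added example that is not from the thread or from Cisco, the Python script below reads a PIX 6.3 config fragment and reports those three conditions. The two config fragments are constructed from the configs posted in this thread; the 10.3.3.1-10.3.3.10 pool statement in the second one and the 203.0.113.x address are assumptions, since the thread only shows 10.3.3.1 being handed to the client.

```python
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# Constructed config fragments modelled on the two configs in this thread.
# BEFORE mirrors the first posted config (pool 192.168.1.196-200, nat 0 and the
# site-to-site crypto map both pointing at access-list 101). AFTER mirrors the
# access-lists of the final working config; its pool statement is an assumption.
CONFIG_BEFORE = """\
ip address inside 192.168.15.1 255.255.255.0
ip local pool clientpool 192.168.1.196-192.168.1.200 mask 255.255.255.0
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list 101 permit ip 192.168.15.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT permit ip 192.168.15.0 255.255.255.0 any
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map example_map 10 match address 101
vpngroup mcsante address-pool clientpool
"""

CONFIG_AFTER = """\
ip address inside 192.168.15.1 255.255.255.0
ip local pool clientpool 10.3.3.1-10.3.3.10 mask 255.255.255.0
access-list 101 permit ip 192.168.15.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT permit ip 192.168.15.0 255.255.255.0 any
access-list ra_crypto_acl permit ip any 10.3.3.0 255.255.255.0
access-list no_nat permit ip 192.168.15.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat permit ip any 10.3.3.0 255.255.255.0
nat (inside) 0 access-list no_nat
crypto map example_map 10 match address 101
vpngroup mcsante address-pool clientpool
"""


def _take_net(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pix(config: str) -> dict:
    """Pull out only the PIX 6.3 statements the checks below need."""
    facts = {"acls": {}, "nat0_acl": None, "crypto_acls": set(),
             "pools": {}, "inside": None, "group_pools": {}}
    for raw in config.splitlines():
        line = raw.strip()
        tokens = line.split()
        if line.startswith("access-list") and tokens[2:4] == ["permit", "ip"]:
            src, rest = _take_net(tokens[4:])
            dst, _ = _take_net(rest)
            facts["acls"].setdefault(tokens[1], []).append((src, dst))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            facts["nat0_acl"] = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            facts["crypto_acls"].add(m.group(1))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", line):
            first, last = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
            facts["pools"][m.group(1)] = list(ipaddress.summarize_address_range(first, last))
        elif m := re.match(r"ip address inside (\S+) (\S+)", line):
            facts["inside"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"vpngroup (\S+) address-pool (\S+)", line):
            facts["group_pools"][m.group(1)] = m.group(2)
    return facts


def lint(config: str, client_lans: Iterable[str] = ()) -> List[str]:
    """Return sorted finding codes for the remote-access VPN parts of a config."""
    f = parse_pix(config)
    nat0_entries = f["acls"].get(f["nat0_acl"], [])
    findings: Set[str] = set()
    for group, pool_name in f["group_pools"].items():
        pool_nets = f["pools"].get(pool_name)
        if pool_nets is None:
            findings.add(f"POOL_UNDEFINED:{group}:{pool_name}")
            continue
        for pn in pool_nets:
            # The pool must not collide with the inside LAN or the client's LAN.
            if f["inside"] is not None and pn.overlaps(f["inside"]):
                findings.add(f"POOL_OVERLAPS_INSIDE:{pool_name}")
            for lan in client_lans:
                if pn.overlaps(ipaddress.ip_network(lan)):
                    findings.add(f"POOL_OVERLAPS_CLIENT_LAN:{pool_name}:{lan}")
            # Replies from inside hosts to pool addresses must bypass NAT, so
            # some nat 0 entry has to carry the pool as its destination.
            if not any(pn.subnet_of(dst) for _, dst in nat0_entries):
                findings.add(f"NAT0_MISSING_POOL:{pool_name}")
    # PDM objects to one ACL being used by both nat 0 and a crypto map.
    if f["nat0_acl"] in f["crypto_acls"]:
        findings.add(f"ACL_SHARED_NAT0_CRYPTO:{f['nat0_acl']}")
    return sorted(findings)


if __name__ == "__main__":
    for code in lint(CONFIG_BEFORE, ["192.168.1.0/24"]):
        print(code)
```

Run against the first config with the client's Linksys LAN (192.168.1.0/24) passed as client_lans it reports all three conditions; against the fragment modelled on the final config it reports nothing. The checks only look at 'permit ip' entries, which is all nat 0 and a crypto map match address need.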
LVL 2

Expert Comment

by:dano2112
ID: 22936679

Davidloc...

Any luck with the above change or any thing new to report with the client VPN connections?  I'd like to see if we can get this working for you - please post with the latest information.

Thanks!
0
 

Author Comment

by:Davidloc
ID: 22938679
I gave up and called Eric Severson, the guy who wrote Pix Firewall Keys. He fixed the config so it works. I am testing it and will post the working config by Saturday. I normally have the patience to work through it and not pay for the answer, but the customer ran out of patience. I didn't realize how fussy Cisco was about the config. Definitely something I'll put in the knowledge base after such an effort by Dano and lrmoore. You both pushed it in the right direction; it just needed a little tweaking to work. It is a shame that a book doesn't exist with real working examples.
0
 

Author Comment

by:Davidloc
ID: 23018421
Final working solution is :

Points are split because both of you pointed me in the right direction.

Xerox2# show conf
: Saved
: Written by enable_15 at 02:07:06.789 UTC Tue Nov 18 2008
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password /Jog8NmcYagxc6rp encrypted
passwd /Jog8NmcYagxc6rp encrypted
hostname Xerox2
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host xxx.xxx.xxx.xxx eq www
access-list outside_in permit tcp any host xxx.xxx.xxx.xxx eq https
access-list outside_in permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list 101 permit ip 192.168.15.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT permit ip 192.168.15.0 255.255.255.0 any
access-list ra_crypto_acl permit ip any 10.3.3.0 255.255.255.0
access-list no_nat permit ip 192.168.15.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat permit ip any 10.3.3.0 255.255.255.0
pager lines 24
logging on
logging buffered warnings
mtu outside 1492
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.15.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 10.3.3.1-10.3.3.6 mask 255.255.255.0
pdm location 192.168.15.200 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx www 192.168.15.200 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx https 192.168.15.200 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 192.168.15.200 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set example_set esp-3des esp-md5-hmac
crypto ipsec transform-set ra_set esp-3des esp-sha-hmac
crypto dynamic-map vpnclient_map 20 match address ra_crypto_acl
crypto dynamic-map vpnclient_map 20 set transform-set ra_set
crypto map example_map 10 ipsec-isakmp
crypto map example_map 10 match address 101
crypto map example_map 10 set peer xxx.xxx.xxx.xxx
crypto map example_map 10 set transform-set example_set
crypto map example_map 20 ipsec-isakmp dynamic vpnclient_map
crypto map example_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mcsante address-pool clientpool
vpngroup mcsante dns-server 192.168.15.200
vpngroup mcsante default-domain esfest.local
vpngroup mcsante split-tunnel SPLIT
vpngroup mcsante idle-time 3600
vpngroup mcsante password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname esf@biz1m.primus.ca
vpdn group pppoe_group ppp authentication pap
vpdn username esf@biz1m.primus.ca password ********
dhcpd address 192.168.15.2-192.168.15.254 inside
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxxxxxxdfe3bca174e4951d63ffd3
Xerox2#
0
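Tying together dano2112's PDM explanation (one ACL serving both `nat 0` and the crypto map) and the final working config above, here is an added example that is not part of the thread: a small Python audit that parses a PIX 6.x `show conf` dump and flags the two VPN pitfalls this thread hit, plus two management-plane settings that are visible in the posted config (telnet and ssh permitted from 0.0.0.0 0.0.0.0 on the outside interface, and the `public` SNMP community). The function names and both config snippets are mine; the snippets are constructed, abbreviated from the shape of the configs posted in this thread.

```python
"""Audit a PIX 6.x config dump for the pitfalls discussed in this thread (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed "before" shape: ACL 101 serves both nat 0 and the crypto map,
# and nothing exempts the client pool from NAT.
BEFORE_CONFIG = """\
access-list 101 permit ip 192.168.15.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool clientpool 10.3.3.1-10.3.3.6 mask 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map example_map 10 match address 101
"""

# Constructed "after" shape, abbreviated from the final working config above.
AFTER_CONFIG = """\
access-list 101 permit ip 192.168.15.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list ra_crypto_acl permit ip any 10.3.3.0 255.255.255.0
access-list no_nat permit ip 192.168.15.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat permit ip any 10.3.3.0 255.255.255.0
ip local pool clientpool 10.3.3.1-10.3.3.6 mask 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
snmp-server community public
crypto map example_map 10 match address 101
crypto dynamic-map vpnclient_map 20 match address ra_crypto_acl
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
"""

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto (?:dynamic-)?map \S+ \d+ match address (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+$")
MGMT_RE = re.compile(r"^(telnet|ssh|http) (\S+) (\S+) (\S+)$")
SNMP_RE = re.compile(r"^snmp-server community (public|private)$")


def _lines(cfg):
    return [ln.strip() for ln in cfg.splitlines() if ln.strip()]


def _group1(cfg, regex):
    """First capture group of every config line that matches regex."""
    return [regex.match(ln).group(1) for ln in _lines(cfg) if regex.match(ln)]


def _net(tokens, i):
    """Consume one PIX address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(cfg):
    """ACL name -> [(action, proto, src_net, dst_net)]; port qualifiers are ignored."""
    acls = defaultdict(list)
    for line in _lines(cfg):
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            src, i = _net(rest.split(), 0)
            dst, _ = _net(rest.split(), i)
            acls[name].append((action, proto, src, dst))
    return acls


def shared_nat0_and_crypto_acls(cfg):
    """ACL names used by both 'nat 0' and a crypto-map match (what PDM objected to)."""
    return set(_group1(cfg, NAT0_RE)) & set(_group1(cfg, MATCH_RE))


def pools_not_exempt_from_nat(cfg):
    """Names of 'ip local pool' ranges with any address not covered by a nat 0 permit."""
    acls = parse_acls(cfg)
    exempt = [e[3] for n in _group1(cfg, NAT0_RE) for e in acls[n] if e[0] == "permit"]
    missing = []
    for line in _lines(cfg):
        m = POOL_RE.match(line)
        if not m:
            continue
        name, first, last = m.groups()
        lo, hi = (int(ipaddress.ip_address(a)) for a in (first, last))
        if any(not any(ipaddress.ip_address(n) in d for d in exempt) for n in range(lo, hi + 1)):
            missing.append(name)
    return missing


def exposed_management(cfg):
    """Management protocols reachable from any source on the outside interface."""
    return [m.group(1) for m in map(MGMT_RE.match, _lines(cfg))
            if m and m.group(2, 3, 4) == ("0.0.0.0", "0.0.0.0", "outside")]


def uses_default_snmp_community(cfg):
    return bool(_group1(cfg, SNMP_RE))


def audit(cfg):
    """Human-readable findings for one config dump."""
    return ([f"ACL {n} used by both nat 0 and a crypto map (PDM read-only trigger)"
             for n in sorted(shared_nat0_and_crypto_acls(cfg))]
            + [f"VPN pool {n} is not exempted from NAT" for n in pools_not_exempt_from_nat(cfg)]
            + [f"{p} open to 0.0.0.0/0 on outside" for p in exposed_management(cfg)]
            + (["default SNMP community string in use"] if uses_default_snmp_community(cfg) else []))


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"== {label} ==", *audit(cfg) or ["no findings"], sep="\n - ")
```

Run it as a script, or call `audit()` on saved `show conf` output. The NAT-exemption check is the one that matters for the client VPN: with `nat (inside) 1 0.0.0.0 0.0.0.0` in place, replies from 192.168.15.x to the 10.3.3.0/24 pool get translated to the outside address before encryption unless a `nat 0` entry covers the pool, which is what the `no_nat` line for 10.3.3.0 in the final config provides. The ACL parser ignores port qualifiers such as `eq www` after the destination, and the management check only looks at the exact `0.0.0.0 0.0.0.0 outside` form; the practical fix for those two findings is to drop telnet on the outside interface altogether and limit `ssh ... outside` to the three clients' static address.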
 
LVL 2

Expert Comment

by:dano2112
ID: 23020609

Davidloc...

Thank you for the update and I'm very glad to hear that you were finally able to get this working.  Just out of curiosity, are you now able to get the PDM working since you have configured different access lists?

Thanks!
0
 

Author Comment

by:Davidloc
ID: 23023722
Nah, never got that part working, no biggie though.

thanks again
0
