Solved

remote access vpn with PIX 525 ver 7.2 issue

Posted on 2009-04-06
Last Modified: 2012-08-14
I've been searching for days for the solution to this problem. A lot of people seem to have the problem, but no one has posted a solution, i.e., exact commands to solve the problem.

I have a Cisco PIX 525 and am trying to create a VPN that would allow employees to remote in from home. Employees can remote in using Windows but cannot access any LAN resources. It just authenticates, but I am not able to get to the inside network; I cannot even ping the inside interface of the PIX. I am using version 7.2 and below is the configuration applied. I've searched for solutions and some are suggesting that the pool address used should be in a different subnet range than the LAN. The subnet LAN ranges of the routes behind the PIX are 10.232.0.0/22, 10.232.100.0/22 and 10.232.200.0/22. I used the address pool 10.232.8.0 (10.232.8.100-10.232.8.150), but this time I am not able to authenticate, so I reverted back to using the address pool 10.232.3.100-10.232.3.150 mask 255.255.252.0, bearing in mind that the address pool assigned does not conflict with the IP addresses assigned to the LAN resources.

config


UCCFW# sh run
: Saved
:
PIX Version 7.2(3)
!
hostname UCCFW
domain-name iq.lafarge.com
enable password Gq00./HFgspM1n9G encrypted
names
name 10.232.0.15 ISA-Server
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address ----------------------
interface Ethernet1
 speed 100
 nameif inside
 security-level 100
 ip address 10.232.0.5 255.255.252.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif visitors
 security-level 100
 ip address 10.232.4.5 255.255.252.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd Gq00./HFgspM1n9G encrypted
ftp mode passive
clock timezone AST 3
dns server-group DefaultDNS
 domain-name iq.lafarge.com
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 172.16.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 172.16.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 172.16.0.0 255.240.0.0
access-list 101 extended permit ip 10.232.0.0 255.255.252.0 10.232.8.0 255.255.255.0
access-list 101 extended permit ip 10.232.100.0 255.255.252.0 10.232.8.0 255.255.255.0
access-list 101 extended permit ip 10.232.200.0 255.255.252.0 10.232.8.0 255.255.255.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.0.0 255.255.252.0 192.16.0.0 255.240.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.100.0 255.255.252.0 192.16.0.0 255.240.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list laf-acl extended permit ip 10.232.200.0 255.255.252.0 192.16.0.0 255.240.0.0
access-list outside_access_in remark allow SNMP polls from outside
access-list outside_access_in extended permit udp host 10.100.43.31 any eq snmp
access-list uccbcc_tn_splitTunnelAcl extended permit ip 10.232.0.0 255.255.252.0 any
access-list uccbcc_tn_splitTunnelAcl extended permit ip 10.232.100.0 255.255.252.0 any
access-list uccbcc_tn_splitTunnelAcl extended permit ip 10.232.200.0 255.255.252.0 any
access-list outside_dyn_map extended permit ip any 10.232.8.0 255.255.252.0
pager lines 24
logging enable
logging monitor errors
logging buffered informational
logging trap informational
logging history critical
logging asdm informational
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu visitors 1500
ip local pool vpnpool1 10.232.8.100-10.232.8.150 mask 255.255.252.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 10 209.8.244.103
global (outside) 20 209.8.244.104
nat (inside) 0 access-list 101
nat (inside) 10 ISA-Server 255.255.255.255
nat (inside) 10 10.232.0.210 255.255.255.255
nat (visitors) 20 10.232.4.0 255.255.252.0
nat (visitors) 20 10.232.104.0 255.255.252.0
nat (visitors) 20 10.232.204.0 255.255.252.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.8.244.97 1
route outside 10.0.0.0 255.0.0.0 195.33.65.158 1
route outside 172.16.0.0 255.240.0.0 195.33.65.158 1
route outside 192.168.0.0 255.255.0.0 195.33.65.158 1
route inside 10.232.100.0 255.255.252.0 10.232.0.1 1
route inside 10.232.200.0 255.255.252.0 10.232.0.1 1
route visitors 10.232.104.0 255.255.252.0 10.232.4.1 1
route visitors 10.232.204.0 255.255.252.0 10.232.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.232.0.0 255.255.252.0 inside
snmp-server host outside 10.100.43.31 community lafarge version 2c udp-port 161
snmp-server location Tasluja UCC Building, Lafarge IRAQ
snmp-server contact Osama Elolemy, +9647708686881
snmp-server community lafarge
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set laf-ts esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 20 match address outside_dyn_map
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set laf-ts
crypto map uccbcc-cm 1 match address laf-acl
crypto map uccbcc-cm 1 set peer 195.33.65.158
crypto map uccbcc-cm 1 set transform-set laf-ts
crypto map uccbcc-cm 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map uccbcc-cm interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 1440
crypto isakmp nat-traversal  20
telnet 10.232.0.0 255.255.252.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
management-access inside
!
!
group-policy uccbcc_tn internal
group-policy uccbcc_tn attributes
 wins-server value 10.232.0.35
 dns-server value 10.232.0.35 10.232.0.40
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value uccbcc_tn_splitTunnelAcl
 default-domain value tasluja.ucc.iq
username oelolemy password bGFTsyNhqFXNYFox encrypted privilege 15
username oelolemy attributes
 vpn-group-policy uccbcc_tn
tunnel-group 195.33.65.158 type ipsec-l2l
tunnel-group 195.33.65.158 ipsec-attributes
 pre-shared-key *
tunnel-group uccbcc_tn type ipsec-ra
tunnel-group uccbcc_tn general-attributes
 address-pool vpnpool1
 default-group-policy uccbcc_tn
tunnel-group uccbcc_tn ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:a7346c8d0e20e2f302457561418769fb
: end


-=======================
Kindly check my configuration and advise why this is not working, even though this has been configured by the ASDM wizard.
Question by: oelolemy

Accepted Solution by: Pete Long (LVL 57, earned 500 total points)
I'm confused - you can only log into a network through a PIX with a Windows VPN client if you are using PPTP VPNs, which are not supported on your version of firewall.
So your clients MUST use the Cisco VPN client version 3 or higher.
Do the following:
conf t
ip local pool vpnpool2 192.168.99.1-192.168.99.150 mask 255.255.255.0
tunnel-group uccbcc_tn general-attributes
no address-pool vpnpool1
address-pool vpnpool2
exit
write mem
If that does not work then start from scratch; see my website here: http://www.petenetlive.com/Tech/Firewalls/Cisco/c2svpn.htm
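An added check (not from the question or the answer above) that applies the advice about keeping the client pool out of the LAN's subnet to the posted configuration: it parses an `ip local pool` range and mask, reports which LAN subnets the pool's subnet overlaps, and lists pool addresses that the destination side of a given ACL does not cover. The LAN subnets and ACL destinations are transcribed from the configuration in the question; the three pools tried are the questioner's two attempts and the answer's suggested vpnpool2.

```python
import ipaddress

# Transcribed from the posted config: inside/visitors subnets and the LANs routed behind them.
LAN_SUBNETS = ["10.232.0.0/22", "10.232.4.0/22", "10.232.100.0/22",
               "10.232.200.0/22", "10.232.104.0/22", "10.232.204.0/22"]
# Destination networks of 'access-list 101', which 'nat (inside) 0' exempts from NAT.
NAT0_DESTINATIONS = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.232.8.0/24"]
# Destination network of 'access-list outside_dyn_map' (the dynamic crypto map's match address).
DYN_MAP_DESTINATIONS = ["10.232.8.0/22"]


def pool_range(first, last, mask):
    """Parse an 'ip local pool' into (subnet implied by the mask, first, last).

    Raises ValueError when the range is inverted or spills outside its mask,
    which would hand clients addresses the mask cannot describe.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
    if lo > hi or hi not in net:
        raise ValueError(f"pool {first}-{last} does not fit inside {net}")
    return net, lo, hi


def overlapping_lans(first, last, mask, lans=LAN_SUBNETS):
    """LAN subnets the pool's subnet overlaps; a client pool should sit in a subnet of its own."""
    net, _, _ = pool_range(first, last, mask)
    return [lan for lan in lans if net.overlaps(ipaddress.ip_network(lan))]


def uncovered_addresses(first, last, mask, destinations):
    """Pool addresses that none of the given ACL destination networks match."""
    _, lo, hi = pool_range(first, last, mask)
    nets = [ipaddress.ip_network(d) for d in destinations]
    return [str(ipaddress.ip_address(a)) for a in range(int(lo), int(hi) + 1)
            if not any(ipaddress.ip_address(a) in n for n in nets)]


if __name__ == "__main__":
    pools = [("10.232.3.100", "10.232.3.150", "255.255.252.0"),      # questioner's first pool
             ("10.232.8.100", "10.232.8.150", "255.255.252.0"),      # posted vpnpool1
             ("192.168.99.1", "192.168.99.150", "255.255.255.0")]    # suggested vpnpool2
    for pool in pools:
        print(pool[0], "-", pool[1],
              "| overlaps LAN:", overlapping_lans(*pool),
              "| not covered by nat 0 ACL:", len(uncovered_addresses(*pool, NAT0_DESTINATIONS)),
              "| not covered by dyn-map ACL:", len(uncovered_addresses(*pool, DYN_MAP_DESTINATIONS)))
```

The first pool lands inside the inside interface's own 10.232.0.0/22, while the other two do not; the posted ACL 101 already exempts 192.168.0.0/16 from NAT, so the suggested vpnpool2 needs no new nat 0 entry, but the outside_dyn_map ACL only names 10.232.8.0/22.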