Solved

Troubleshooting Cisco 515E VPN Setup

Posted on 2009-06-27
528 Views
Last Modified: 2013-11-16
I'm a novice as it relates to working with Cisco firewalls. I used the VPN setup wizard in the ASDM and all seemed to go ok. However, when I try to connect from the client I get an error:

"Secure VPN Connection terminated locally by Client.
Reason 412: The remote peer is no longer responding."

I've tried tinkering with a number of different settings within the ASDM, but I'm just guessing at this point. Any guidance on how to troubleshoot this would be greatly appreciated.

Here's the current config:

PIX Version 7.2(2)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password BzxWid62IVAByXfs encrypted
names
!
interface Ethernet0
 nameif Outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.40.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list Outside_access_in extended permit tcp any host X.X.X.X eq www
access-list Outside_access_in extended permit tcp any host X.X.X.X eq 3389
access-list inside_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.128
access-list outside_access_in extended permit icmp any any
access-list test2_splitTunnelAcl standard permit any
access-list test_splitTunnelAcl standard permit any
pager lines 24
logging asdm informational
mtu Outside 1500
mtu inside 1500
ip local pool VPNPool 192.168.40.50-192.168.40.100 mask 255.255.255.0
no failover
monitor-interface Outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/adsm.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Outside) interface 192.168.40.2 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test_splitTunnelAcl
username user password A5XOy94YKDPXCo7U encrypted privilege 0
username user attributes
 vpn-group-policy test
http server enable
http 192.168.40.0 255.255.255.0 inside
http X.X.X.X 255.255.255.248 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set pfs
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set pfs
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 80 set pfs
crypto dynamic-map Outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 100 set pfs
crypto dynamic-map Outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 40 set pfs
crypto dynamic-map inside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 60 set pfs
crypto dynamic-map inside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable Outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool VPNPool
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
tunnel-group test2 type ipsec-ra
tunnel-group test2 general-attributes
 address-pool VPNPool
tunnel-group test2 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.40.2-192.168.40.254 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
client-update enable
prompt hostname context
Cryptochecksum:1f67d39fff1234823ca48d15810fda43


Question by:charvett
2 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 24728685
Start with using a different ip subnet for the vpn client pool. Then make more specific acls instead of 'any'

ip local pool VPNPool2 192.168.44.50-192.168.44.100 mask 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.40.0 255.255.255.0 192.168.44.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
tunnel-group test general-attributes
 address-pool VPNPool2

access-list SPLIT standard permit 192.168.40.0 255.255.255.0
group-policy test attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT

policy-map global_policy
 class inspection_default
  inspect icmp

then clean up (copy/paste the following into Multiline command line tool)

no ip local pool VPNPool 192.168.40.50-192.168.40.100 mask 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.128
no access-list test2_splitTunnelAcl standard permit any
no access-list test_splitTunnelAcl standard permit any
no crypto dynamic-map Outside_dyn_map 40
no crypto dynamic-map Outside_dyn_map 60
no crypto dynamic-map Outside_dyn_map 80
no crypto dynamic-map Outside_dyn_map 100
no crypto map inside_map interface inside
no crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
no crypto dynamic-map inside_dyn_map 20
no crypto dynamic-map inside_dyn_map 40
no crypto dynamic-map inside_dyn_map 60

That will take care of the configuration, but you actually have a bigger fundamental problem.
>route Outside 0.0.0.0 0.0.0.0 192.168.1.254 1
This means you are getting natted at the DSL modem/router and you need the public IP directly on your PIX before you can ever connect to it remotely using VPN.
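An added example, not from the thread: a small Python linter that checks a PIX config excerpt for the four problems lrmoore's answer points out (client pool inside the LAN subnet, nat0 and split-tunnel ACLs using 'any', and a default route to an RFC1918 gateway, which means the outside interface sits behind the ISP router's NAT). Both config excerpts are constructed from the thread, 203.0.113.1 is a placeholder public gateway, and the finding codes are my own names.

```python
import ipaddress

# Constructed excerpt of the poster's running config (values from the thread).
ORIGINAL_CFG = """\
interface Ethernet1
 nameif inside
 ip address 192.168.40.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.128
access-list test_splitTunnelAcl standard permit any
ip local pool VPNPool 192.168.40.50-192.168.40.100 mask 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 192.168.1.254 1
"""

# Constructed from lrmoore's changes; 203.0.113.1 is a placeholder public gateway.
FIXED_CFG = """\
interface Ethernet1
 nameif inside
 ip address 192.168.40.1 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.40.0 255.255.255.0 192.168.44.0 255.255.255.0
access-list SPLIT standard permit 192.168.40.0 255.255.255.0
ip local pool VPNPool2 192.168.44.50-192.168.44.100 mask 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def lint_pix_vpn(cfg):
    """Return sorted finding codes for the remote-access VPN pitfalls in the thread."""
    findings, inside_net, in_inside_if = set(), None, False
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            in_inside_if = False  # unindented line: the interface block is over
        if line == "nameif inside":
            in_inside_if = True
        elif in_inside_if and line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            inside_net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif line.startswith("ip local pool "):
            first = ipaddress.ip_address(line.split()[4].split("-")[0])
            if inside_net and first in inside_net:
                findings.add("POOL_OVERLAPS_INSIDE")  # client pool inside the LAN subnet
        elif line.startswith("access-list "):
            if "nat0" in line and " permit ip any " in line:
                findings.add("NAT0_ACL_USES_ANY")  # NAT exemption far too broad
            if line.endswith(" standard permit any"):
                findings.add("SPLIT_TUNNEL_PERMITS_ANY")  # tunnelspecified with 'any'
        elif line.startswith("route Outside 0.0.0.0 0.0.0.0 "):
            gw = ipaddress.ip_address(line.split()[4])
            if any(gw in net for net in RFC1918):
                findings.add("OUTSIDE_BEHIND_NAT")  # private default gateway: NAT upstream
    return sorted(findings)
```

Running it on the thread's config reports all four findings; the corrected excerpt reports none, but the public-gateway line only holds once the PIX really owns a public address.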
 
LVL 1

Author Comment

by:charvett
ID: 24731923
Hmm, interesting comment on the natting that occurs with my AT&T router. Perhaps I should start a new thread to try to solve that problem, but I'll try to summarize in case you have some suggestions.

I currently have U-Verse service with a 3800HGV-B router in front of the pix. This router controls my phone and TV as well as the internet connection. I also purchased a bundle of static IP's with my service. When I talked to AT&T about putting the router in bridge mode so the PIX could pick up the public IP they seemed to think it wasn't possible with their router.

This seems like a fundamental problem with my setup and perhaps I'll need to switch providers if I can't solve it. I wonder if anyone else with U-Verse service has successfully installed a PIX.

Any ideas would be greatly appreciated!