Solved

Troubleshooting Cisco 515E VPN Setup

Posted on 2009-06-27
550 Views
Last Modified: 2013-11-16
I'm a novice as it relates to working with Cisco firewalls. I used the VPN setup wizard in the ASDM and all seemed to go ok. However, when I try to connect from the client I get an error:

"Secure VPN Connection terminated locally by Client.
Reason 412: The remote peer is no longer responding."

I've tried tinkering with a number of different settings within the ASDM, but I'm just guessing at this point. Any guidance on how to troubleshoot this would be greatly appreciated.

Here's the current config:

PIX Version 7.2(2)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password BzxWid62IVAByXfs encrypted
names
!
interface Ethernet0
 nameif Outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.40.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list Outside_access_in extended permit tcp any host X.X.X.X eq www
access-list Outside_access_in extended permit tcp any host X.X.X.X eq 3389
access-list inside_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.128
access-list outside_access_in extended permit icmp any any
access-list test2_splitTunnelAcl standard permit any
access-list test_splitTunnelAcl standard permit any
pager lines 24
logging asdm informational
mtu Outside 1500
mtu inside 1500
ip local pool VPNPool 192.168.40.50-192.168.40.100 mask 255.255.255.0
no failover
monitor-interface Outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/adsm.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Outside) interface 192.168.40.2 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test_splitTunnelAcl
username user password A5XOy94YKDPXCo7U encrypted privilege 0
username user attributes
 vpn-group-policy test
http server enable
http 192.168.40.0 255.255.255.0 inside
http X.X.X.X 255.255.255.248 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set pfs
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set pfs
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 80 set pfs
crypto dynamic-map Outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 100 set pfs
crypto dynamic-map Outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 40 set pfs
crypto dynamic-map inside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 60 set pfs
crypto dynamic-map inside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable Outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool VPNPool
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
tunnel-group test2 type ipsec-ra
tunnel-group test2 general-attributes
 address-pool VPNPool
tunnel-group test2 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.40.2-192.168.40.254 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
client-update enable
prompt hostname context
Cryptochecksum:1f67d39fff1234823ca48d15810fda43


Question by:charvett

2 Comments
LVL 79

Accepted Solution

by:
lrmoore earned 750 total points
ID: 24728685
Start with using a different IP subnet for the VPN client pool. Then make more specific ACLs instead of 'any'.

ip local pool VPNPool2 192.168.44.50-192.168.44.100 mask 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.40.0 255.255.255.0 192.168.44.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
tunnel-group test general-attributes
 address-pool VPNPool2

access-list SPLIT standard permit 192.168.40.0 255.255.255.0
group-policy test attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT

policy-map global_policy
 class inspection_default
  inspect icmp

then clean up (copy/paste the following into the Multiline command line tool)

no ip local pool VPNPool 192.168.40.50-192.168.40.100 mask 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.128
no access-list test2_splitTunnelAcl standard permit any
no access-list test_splitTunnelAcl standard permit any
no crypto dynamic-map Outside_dyn_map 40
no crypto dynamic-map Outside_dyn_map 60
no crypto dynamic-map Outside_dyn_map 80
no crypto dynamic-map Outside_dyn_map 100
no crypto map inside_map interface inside
no crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
no crypto dynamic-map inside_dyn_map 20
no crypto dynamic-map inside_dyn_map 40
no crypto dynamic-map inside_dyn_map 60

That will take care of the configuration, but you actually have a bigger fundamental problem.
>route Outside 0.0.0.0 0.0.0.0 192.168.1.254 1
This means you are getting natted at the DSL modem/router and you need the public IP directly on your PIX before you can ever connect to it remotely using VPN.
LVL 1

Author Comment

by:charvett
ID: 24731923
Hmm, interesting comment on the natting that occurs with my AT&T router. Perhaps I should start a new thread to try to solve that problem, but I'll try to summarize in case you have some suggestions.

I currently have U-Verse service with a 3800HGV-B router in front of the PIX. This router controls my phone and TV as well as the internet connection. I also purchased a bundle of static IPs with my service. When I talked to AT&T about putting the router in bridge mode so the PIX could pick up the public IP, they seemed to think it wasn't possible with their router.

This seems like a fundamental problem with my setup, and perhaps I'll need to switch providers if I can't solve it. I wonder if anyone else with U-Verse service has successfully installed a PIX.

Any ideas would be greatly appreciated!