Cisco VPN PIX 515e setup woes

britishtaximan
britishtaximan used Ask the Experts™
on
I'm having a problem setting up a simple remote access VPN connection to a Cisco PIX 515E running 6.3.  When I attempt to connect via a Cisco VPN client I get the "Reason 429: Unable to resolve address" error.  I can ping the address of the PIX from the machine trying to connect to the PIX.  My running config is below.  I used the VPN wizard in PDM to setup the VPN components of the config.  Any ideas?
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password S2RIUUIGRJKXW1 encrypted
passwd S2RIKGERGAtXW1 encrypted
hostname Orlando
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping_acl permit ip any any 
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0 
access-list outside_cryptomap_dyn_20 permit ip any 192.168.100.0 255.255.255.0 
access-list LMVPN permit udp any any 
access-list LMVPN permit ah any any 
access-list LMVPN permit esp any any 
pager lines 150
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 207.30.192.11 255.255.255.0
ip address inside 192.168.100.2 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool 10 192.168.100.120-192.168.100.129
pdm location 192.168.100.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 207.30.192.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup LMVPN address-pool 10
vpngroup LMVPN dns-server 209.26.88.31 71.3.0.116
vpngroup LMVPN default-domain acne.com
vpngroup LMVPN split-tunnel outside_cryptomap_dyn_20
vpngroup LMVPN idle-time 2200
vpngroup LMVPN password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
username Msmith password S2RIUfHJRUERXW1 encrypted privilege 15
terminal width 80
Cryptochecksum:788c5322847a2578c49add4b36f5f516
: end

Open in new window

Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Commented:
I will check your config but output from debug crypto isakmp and debug crypto ipsec
 is helpful to diagnose problem


thanks

Commented:
What address are you using, 207.30.192.11?  Or a DNS name?

It sounds like your using a dns name (vpn.domain.com) that isn't resolving.

Commented:
I would also upgrade to 6.3(5) and consider using a splt tunnel so users can still use their local network / Internet when they are connected.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
adam1115 - I'm using the ip address.  I can't upgrade because the company I support is dead (not even on life support) and I'm just around keeping things running with duct tape and baling wire.  So no smartnet for me.

Commented:
you don't need smartnet to download images, I just created a user account on cisco website and downloaded images yesterday without smartnet

debug crypto isakmp 127 and debut crypto ipsec 127 will be very helpful to troubleshoot

while I agree with adam1115 on upgrading if possible, I have gotton 6.3.3 versions to work. It is one of cisco's buggiest versions though
split tunnel is a convenience for the users but a security risk

Author

Commented:
Hum, I will try and give that a try - thanks for the tip.  I'll also try the debugs that you mentioned.

Commented:
debugs are critical to solving IPsec tunnel issues  they can pinpoint the issue and save a lot of time

Author

Commented:
PEER_REAPER_TIMER?

Author

Commented:
Unfortunately, since I am not a CCIE I cannot download PIX software images.  So I am stuck with 6.3(3).  Unless I snag some RAM from a PIX not being used and try to update to 7.0 which I have on my Cisco CD with PDM.  (I just found that it a box).. ugh.

Author

Commented:
debut crypto ipsec 127  - doesn't work.
try debug crypto ipsec 127....Bignewf just typoed it.

Author

Commented:
i got it too work and I'm not sure how.  I changed the TCP/IP settings to specify the DNS server and used the ones my ISP uses.  Left the IP address to automatically retrieve.

Went into VPN wizard and reran it and now it works.  Stumped.  Should I post my new config so we can figure out what changed that made it work??

Commented:
yes, post config so it if happens again, it will be easier to troubleshoot

Author

Commented:
Here's the new config that works.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password S2RIUfWKJJKGGFFDFDBcPgJtXW1 encrypted
passwd S2RIUfWBGRDTERRHVSPOLKcPgJtXW1 encrypted
hostname London
domain-name XXXX.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping_acl permit ip any any
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.100.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.100.0 255.255.255.0
access-list LMVPN permit udp any any
access-list LMVPN permit ah any any
access-list LMVPN permit esp any any
access-list outside_cryptomap_dyn_40 permit ip any 192.168.100.0 255.255.255.0
pager lines 150
logging on
logging console alerts
logging monitor alerts
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 207.30.192.11 255.255.255.0
ip address inside 192.168.192.9 255.255.255.0
no ip address intf2
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool 10 192.168.100.120-192.168.100.129
pdm location 192.168.100.0 255.255.255.0 inside
pdm location 192.168.100.151 255.255.255.255 inside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 207.30.168.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:00:00 mgcp 0:00:00 sip 0:00:00 sip_media 0:00:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup LMVPNUSERS address-pool 10
vpngroup LMVPNUSERS dns-server 209.26.88.31 71.3.0.116
vpngroup LMVPNUSERS default-domain aqmi.com
vpngroup LMVPNUSERS idle-time 1800
vpngroup LMVPNUSERS password ********
telnet 192.168.178.151 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
username ********** password uHNP7893.BaVPv1u encrypted privilege 5
username ******** password h/EgW0iktwMQcvr1 encrypted privilege 15
terminal width 80
Cryptochecksum:94ff4c0abeb32a65f1adcac7a67a03e7
: end

How do I assign points???? if I figured it out??

Author

Commented:
ok, the access works - now I need to figure out split tunneling so the outside internet works while connected to the VPN.  back to the manuals..
I would do the following.

Add your split tunnel ACL

access-list LMSPLIT permit ip 192.168.192.0 255.255.255.0 192.168.100.0 255.255.255.0

vpngroup LMVPNUSERS split-tunnel LMSPLIT

There you go

Author

Commented:
Grape Soda

still doesn't work.
Commented:
grape soda's commands are correct, but the 6.3 IOS is considered a "crossover" IOS where the ASA commands should  work. I am uploading doc from cisco which shows both gui and CLI
if commands from grapesoda do not work then try the ones from the article. They include an addtional command that specifies the networks to exclude from the tunnel, or tunnelspecified networks. However, you will need to try the whole command set as it links specified networks to the split tunnel policy group attributes

worth a try
asa-split-tunnel-vpn-client.pdf
Sorry about that I switched those around.

.100 is your pool and .192 is the network behind your pix.  So it should be

access-list LMSPLIT permit ip 192.168.100.0 255.255.255.0 192.168.192.0 255.255.255.0

This should basically tell your remote client that the Tunnel should only carry traffic destined to the 192.168.192.0 subnet....all other traffic use local LAN.

Sorry about that
Thanks bignewf...

If ASA commands will work on this PIX and are necessary you should be able to use

access-list LMSPLIT standard permit 192.168.192.0 255.255.255.0

however the vpngroup statement is still valid...

Commented:
also post output from debug to see what traffic gets encrypted and what doesn't

Commented:
also, on the vpn client when you go to status>statistics>route details you should be able to see the secured routes. If the split tunnel lists are correct, then your local subnet should not appear, as the traffic is unencrypted plain text using your local gateway to reach the internet

Author

Commented:
Ok, I'm not as smart as I thing I am.  Still having issues.

1. I can connect to the VPN wirelessing via an air card and I get the local intranet ip range and can access the internal network,  Just can't access the internet - split tunnel issue.

2. My co-worker who is connecting with the client through a lan connection at his office - connects but cannot see the internal network through the VPN.  He has two cnnections 1- for his own internal network and 2 for the one that the VPN connects to.  The IP address of the VPN connection is correct - how do you differenciate between the two?

3. In the config below can't access or recieve pages from the internet.

any ideas

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password pSfOU0oiAO1m9cYY encrypted
passwd S2RIUfWBcPgJtXW1 encrypted
hostname London
domain-name aqmi.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping_acl permit ip any any
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.1
68.100.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.100.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.100.0 255.255.255.0
access-list LMVPN permit udp any any
access-list LMVPN permit ah any any
access-list LMVPN permit esp any any
access-list outside_cryptomap_dyn_40 permit ip any 192.168.100.0 255.255.255.0
access-list LMSPLIT permit ip 192.168.100.0 255.255.255.0 192.168.192.0 255.255.
255.0
access-list LMVPNUSERS_splitTunnelAcl permit ip 192.168.100.0 255.255.255.0 any

access-list inside_access_in permit tcp 192.168.100.0 255.255.255.0 207.30.168.0
 255.255.255.0
pager lines 1500
logging on
logging console alerts
logging monitor alerts
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 207.30.168.51 255.255.255.0
ip address inside 192.168.100.2 255.255.255.0
no ip address intf2
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool 10 192.168.100.120-192.168.100.129
pdm location 192.168.100.0 255.255.255.0 inside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 207.30.168.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup LMVPN idle-time 1800
vpngroup LMVPNUSERS address-pool 10
vpngroup LMVPNUSERS dns-server 209.26.88.31 71.3.0.116
vpngroup LMVPNUSERS default-domain aqmi.com
vpngroup LMVPNUSERS idle-time 1800
vpngroup LMVPNUSERS password ********
telnet 192.168.100.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
username *********** password uHNP7893.BaVPv1u encrypted privilege 5
username *************** password S2RIUfWBcPgJtXW1 encrypted privilege 15
terminal width 80
Cryptochecksum:5ffa57d75813e59b35618f3a437e715c
: end

Author

Commented:
grape soda,

finally read your comment fully and understood.  Apply the change to my config and now split tunneling works.  Now on to the access to the local network and the network on the VPN.

Author

Commented:
ok, why can I ping www.google.com but not bring up the site?  from the config above?
Don't forget to add this to your vpngroup statement

vpngroup LMVPNUSERS split-tunnel LMSPLIT

This applies the Split tunnel Access list to the VPN Connection.

Author

Commented:
thanks grape soda, but what in my config would stop http connections??  in the office and not through the VPN?

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial