Solved

Having difficulty configuring PIX 501 with VPN

Posted on 2010-09-16
Last Modified: 2012-05-10
I picked up a PIX 501 at a yard sale, and I've got the thing configured - with one exception. I can't get a VPN client to authenticate correctly. I've searched via Google, but haven't found the solution. Anybody out there remember? I've attached both the configuration and the log file from the VPN client. (Note: I got this "working" once - it connected - but I couldn't ping anything inside my network. I saw an article that said the VPN network had to be different from the 'inside' network, so I changed it to 192.168.2.X/24 - and it hasn't connected since then.)

***

: Saved
: Written by enable_15 at 20:43:02.614 EDT Thu Sep 16 2010
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DELETED encrypted
passwd DELETED encrypted
hostname pix
domain-name local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ctiqbe 2748
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.5.41.40 tick.usno.navy.mil
name 4.2.2.2 DNS_2
name 4.2.2.1 DNS_1
name 69.72.255.20 no-ip.org_host_server
access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
access-list inside_in permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_donat permit ip 192.168.1.0 255.255.255.0 any
access-list denyall deny ip any any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in deny ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.48 255.255.255.248
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.48 255.255.255.248
pager lines 24
logging buffered notifications
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.1.99 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm drop
ip audit attack action alarm drop
ip local pool VPN-Pool 192.168.2.100-192.168.2.105 mask 255.255.255.0
pdm location DNS_1 255.255.255.255 outside
pdm location DNS_2 255.255.255.255 outside
pdm location tick.usno.navy.mil 255.255.255.255 outside
pdm location no-ip.org_host_server 255.255.255.255 outside
pdm location 192.168.1.48 255.255.255.248 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
access-group outside_access_in in interface outside
access-group inside_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server tick.usno.navy.mil source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup diamond address-pool VPN-Pool
vpngroup diamond dns-server DNS_2 4.2.2.3
vpngroup diamond default-domain local
vpngroup diamond idle-time 1800
vpngroup diamond password DELETED
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 192.168.1.100-192.168.1.120 inside
dhcpd dns DNS_2 4.2.2.3
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain local
dhcpd auto_config outside
dhcpd enable inside

***

Cisco Systems VPN Client Version 5.0.04.0300
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3

53     20:59:00.234  09/16/10  Sev=Info/4      CM/0x63100002
Begin connection process

54     20:59:00.265  09/16/10  Sev=Info/4      CM/0x63100004
Establish secure connection

55     20:59:00.265  09/16/10  Sev=Info/4      CM/0x63100024
Attempt connection with server "gnurph.no-ip.org"

56     20:59:17.140  09/16/10  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 68.54.168.63.

57     20:59:17.140  09/16/10  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

58     20:59:17.156  09/16/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 68.54.168.63

59     20:59:17.187  09/16/10  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

60     20:59:17.187  09/16/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

61     20:59:17.187  09/16/10  Sev=Info/4      IPSEC/0x6370000D
Key(s) deleted by Interface (25.209.7.41)

62     20:59:18.515  09/16/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 68.54.168.63

63     20:59:18.515  09/16/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from 68.54.168.63

64     20:59:18.515  09/16/10  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

65     20:59:18.515  09/16/10  Sev=Info/5      IKE/0x63000001
Peer supports DPD

66     20:59:18.515  09/16/10  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

67     20:59:18.515  09/16/10  Sev=Info/5      IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x00000025

68     20:59:18.531  09/16/10  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

69     20:59:18.531  09/16/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 68.54.168.63

70     20:59:18.531  09/16/10  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x050F, Remote Port = 0x01F4

71     20:59:18.531  09/16/10  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

72     20:59:18.531  09/16/10  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

73     20:59:18.578  09/16/10  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

74     20:59:18.578  09/16/10  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

75     20:59:18.578  09/16/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 68.54.168.63

76     20:59:18.687  09/16/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 68.54.168.63

77     20:59:18.687  09/16/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 68.54.168.63

78     20:59:18.687  09/16/10  Sev=Info/5      IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

79     20:59:18.687  09/16/10  Sev=Info/5      IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

80     20:59:18.734  09/16/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 68.54.168.63

81     20:59:18.734  09/16/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 68.54.168.63

82     20:59:18.734  09/16/10  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.100

83     20:59:18.734  09/16/10  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

84     20:59:18.734  09/16/10  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 4.2.2.2

85     20:59:18.734  09/16/10  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 4.2.2.3

86     20:59:18.734  09/16/10  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = local

87     20:59:18.734  09/16/10  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

88     20:59:18.734  09/16/10  Sev=Info/4      CM/0x63100019
Mode Config data received

89     20:59:18.750  09/16/10  Sev=Info/4      IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.100, GW IP = 68.54.168.63, Remote IP = 0.0.0.0

90     20:59:18.750  09/16/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 68.54.168.63

91     20:59:19.062  09/16/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 68.54.168.63

92     20:59:19.062  09/16/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 68.54.168.63

93     20:59:19.062  09/16/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 68.54.168.63

94     20:59:19.062  09/16/10  Sev=Info/4      IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=756AE1DA

95     20:59:19.062  09/16/10  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=F93198044BF6973A R_Cookie=7AC37329E9EEBDDF) reason = DEL_REASON_IKE_NEG_FAILED

96     20:59:19.203  09/16/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

97     20:59:22.203  09/16/10  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=F93198044BF6973A R_Cookie=7AC37329E9EEBDDF) reason = DEL_REASON_IKE_NEG_FAILED

98     20:59:22.203  09/16/10  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

99     20:59:22.203  09/16/10  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

100    20:59:22.218  09/16/10  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

101    20:59:22.218  09/16/10  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

102    20:59:22.218  09/16/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

103    20:59:22.218  09/16/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

104    20:59:22.218  09/16/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

105    20:59:22.218  09/16/10  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped
Question by:gnurph

Assisted Solution

by:gnurph
gnurph earned 0 total points
ID: 33697813
I think the solution lies in the "crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20" and the address outside_cryptomap_dyn_20 appears to be 192.168.1.48 (I have no idea why... PDM put it there.) I'm not sure what that actually means, which might be my problem.
LVL 2

Expert Comment

by:mcorbitt
ID: 33697916
From the client side the "RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 68.54.168.63" tells me your client and PIX don't get along:
Double-check your client/box security parameters, both the encryption and authentication settings.
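The interpretation in the comment above hinges on where in the exchange the NO_PROPOSAL_CHOSEN notify arrives: in the posted log it comes after "Established Phase 1 SA ... 1 User Authenticated" and after the client has sent its Quick Mode proposal, so the mismatch is in phase 2 (transform set or proxy identities), not in the ISAKMP policy. The script below is an added example, not code from the thread or from Cisco: it parses the Cisco VPN Client log format shown above and attributes the first failure to a stage. The first log is an excerpt of the one posted in the question; the second is a constructed counter-example (peer 198.51.100.1, a documentation address) in which the same notify arrives during aggressive mode, so the verdict changes to phase 1.

```python
import re

# Excerpt of the Cisco VPN Client 5.0 log posted in the question: a numbered
# header line followed by the message line.
POSTED_LOG = """\
57     20:59:17.140  09/16/10  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

58     20:59:17.156  09/16/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 68.54.168.63

72     20:59:18.531  09/16/10  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

88     20:59:18.734  09/16/10  Sev=Info/4      CM/0x63100019
Mode Config data received

90     20:59:18.750  09/16/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 68.54.168.63

92     20:59:19.062  09/16/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 68.54.168.63

95     20:59:19.062  09/16/10  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=F93198044BF6973A R_Cookie=7AC37329E9EEBDDF) reason = DEL_REASON_IKE_NEG_FAILED
"""

# Constructed counter-example (not from the thread): the notify arrives while the
# client is still in aggressive mode, i.e. no ISAKMP policy matched.
PHASE1_FAIL_LOG = """\
10     21:05:00.000  09/16/10  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

11     21:05:00.010  09/16/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to 198.51.100.1

12     21:05:00.300  09/16/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (NOTIFY:NO_PROPOSAL_CHOSEN) from 198.51.100.1
"""

# Header line: sequence, time, date, Sev=<name>/<level>, <module>/<code>
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)


def parse_client_log(text):
    """Return a list of entries: the header fields plus the message line that follows."""
    entries, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
        elif header and line.strip():
            header["msg"] = line.strip()
            entries.append(header)
            header = None
    return entries


def diagnose(entries):
    """Attribute the first negotiation failure to an IKE stage.

    Returns (stage, seq, hint); stage is 'phase1', 'xauth', 'modecfg', 'phase2' or None.
    """
    phase1_up = xauth_ok = modecfg_ok = qm_sent = False
    for e in entries:
        msg = e["msg"]
        if msg.startswith("Established Phase 1 SA"):
            phase1_up = True
            xauth_ok = xauth_ok or "1 User Authenticated" in msg
        elif msg.startswith("Mode Config data received"):
            modecfg_ok = True
        elif msg.startswith("SENDING") and "ISAKMP OAK QM" in msg:
            qm_sent = True
        elif "NO_PROPOSAL_CHOSEN" in msg or "DEL_REASON_IKE_NEG_FAILED" in msg:
            if not phase1_up:
                return ("phase1", int(e["seq"]), "no ISAKMP policy matched: check encryption, hash, DH group")
            if not xauth_ok:
                return ("xauth", int(e["seq"]), "user authentication failed")
            if not modecfg_ok:
                return ("modecfg", int(e["seq"]), "group attributes (pool, DNS, domain) not delivered")
            if qm_sent:
                return ("phase2", int(e["seq"]), "IPsec proposal rejected: check transform set and crypto ACL / proxy IDs")
    return (None, None, "no failure found")


if __name__ == "__main__":
    for name, log in (("posted", POSTED_LOG), ("constructed", PHASE1_FAIL_LOG)):
        stage, seq, hint = diagnose(parse_client_log(log))
        print(f"{name}: failure at entry {seq}, stage={stage}: {hint}")
```

Run against the posted excerpt the verdict is "phase2" at entry 92, which is why re-checking the ISAKMP encryption and hash settings on the client would not have helped here; the constructed log yields "phase1" at entry 12.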

Author Comment

by:gnurph
ID: 33697959
I'm using Cisco VPN Client version 5.0.04.0300, which seems to provide exactly ZERO options for encryption / authentication - I had to guess at the 3DES / MD5 parameters, which seem to be the standard.  I'm not even sure how to check, though.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a00800bd991.html seems to indicate that

CiscoVPNClient-3DES-MD5   Preshared Keys (XAUTH)   MD5/HMAC-128   3DES-168 Group 2 (1024 bits) is valid, as is
IKE-3DES-MD5  with the same parameters.

LVL 6

Accepted Solution

by:kuoh
kuoh earned 450 total points
ID: 33698334
Cisco VPN troubleshooting docs recommend against using crypto ACLs with remote access clients.  Try making the following changes.

DELETE
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

CHANGE
access-list inside_outbound_nat0_acl permit ip any 192.168.1.48 255.255.255.248

TO
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.0
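The accepted answer changes two things: the dynamic crypto map loses its "match address" (a remote-access client proposes its own proxy identities, so a crypto ACL that names a different subnet gets NO_PROPOSAL_CHOSEN in Quick Mode), and the nat 0 ACL is rewritten to exempt the VPN pool so that replies from inside hosts are not PATed to the outside address before reaching the tunnel. The asker's earlier lesson, that the pool must not overlap the inside subnet, is a third check of the same kind. The script below is an added example, not code from the thread or from Cisco: it parses the relevant PIX 6.3 lines and reports all three conditions. The two config excerpts are constructed from the posted configuration, before and after kuoh's change; the finding codes are my own naming.

```python
import ipaddress

# Constructed excerpt of the posted PIX 6.3 config (only the lines the check reads).
ORIGINAL_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip any 192.168.1.48 255.255.255.248
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.48 255.255.255.248
ip address inside 192.168.1.99 255.255.255.0
ip local pool VPN-Pool 192.168.2.100-192.168.2.105 mask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
vpngroup diamond address-pool VPN-Pool
"""

# The same excerpt with the accepted answer applied.
FIXED_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.0
ip address inside 192.168.1.99 255.255.255.0
ip local pool VPN-Pool 192.168.2.100-192.168.2.105 mask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
vpngroup diamond address-pool VPN-Pool
"""


def _addr_spec(tokens):
    """Consume one PIX ACL address spec: 'any', 'host A', or 'A MASK'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)


def parse_pix(text):
    """Extract the pieces of a PIX 6.x config that a remote-access VPN depends on."""
    cfg = {"acls": {}, "pools": {}, "nat0_acl": None, "dynmap_match": [],
           "inside": None, "group_pools": []}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            rest = tok[4:]
            src, dst = _addr_spec(rest), _addr_spec(rest)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
        elif tok[:3] == ["ip", "local", "pool"]:
            start, end = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif tok[0] == "nat" and tok[2] == "0" and tok[3:4] == ["access-list"]:
            cfg["nat0_acl"] = tok[4]
        elif tok[:2] == ["crypto", "dynamic-map"] and "match" in tok:
            cfg["dynmap_match"].append((tok[2], tok[3], tok[-1]))
        elif tok[0] == "vpngroup" and tok[2] == "address-pool":
            cfg["group_pools"].append((tok[1], tok[3]))
    return cfg


def lint_remote_access(text):
    """Return (code, message) findings for the three mistakes discussed in the thread."""
    cfg = parse_pix(text)
    findings = []
    for group, pool_name in cfg["group_pools"]:
        start, end = cfg["pools"][pool_name]
        addrs = [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]
        # 1. The pool must lie outside the inside subnet, otherwise the PIX and the
        #    inside hosts disagree about where the client addresses live.
        if cfg["inside"] and any(a in cfg["inside"] for a in addrs):
            findings.append(("POOL_OVERLAPS_INSIDE",
                             f"pool {pool_name} for group {group} overlaps inside subnet {cfg['inside']}"))
        # 2. Every pool address must be exempted by the nat 0 ACL, otherwise
        #    inside->client replies are translated by nat (inside) 1 and never
        #    match the tunnel.
        rules = cfg["acls"].get(cfg["nat0_acl"], [])
        uncovered = [str(a) for a in addrs if not any(a in dst for _, dst in rules)]
        if uncovered:
            findings.append(("NAT0_MISSES_POOL",
                             f"nat 0 ACL {cfg['nat0_acl']} does not exempt {', '.join(uncovered)}"))
    # 3. A remote-access dynamic map should carry no 'match address'; the client
    #    supplies its own proxy identities.
    for name, seq, acl in cfg["dynmap_match"]:
        findings.append(("DYNMAP_MATCH_ADDRESS",
                         f"crypto dynamic-map {name} {seq}: remove 'match address {acl}'"))
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_remote_access(cfg_text) or "clean")
```

On the original excerpt the script reports NAT0_MISSES_POOL and DYNMAP_MATCH_ADDRESS, which are exactly the two lines the accepted answer touches; on the fixed excerpt it reports nothing. Pointing the pool back into 192.168.1.0/24 makes it report POOL_OVERLAPS_INSIDE as well, which is the state the asker started from.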