Solved

Need to use Windows VPN Client on Cisco PIX ???

Posted on 2010-09-20
Last Modified: 2012-05-10
Hi Cisco Gurus and Experts...

I was trying to get L2TP over IPSec working so that my Windows XP clients can connect to the Cisco PIX.
I searched the web and went through many tutorials, and finally followed the one below:

http://gregsowell.com/?p=805&cpage=1#comment-3376

But my client doesn't even see the VPN port open on the PIX. Below is my config; please have a look and advise.

Thanks a lot!

FW1# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname FW1
domain-name company.local
enable password DRoOs2EWSVtHzPat encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1x1.3x.44.2 255.255.255.224
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.134.254 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 description LAN/STATE Failover Interface
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name company.local
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.192
access-list 110 extended permit tcp any host 1x1.3x.44.28 eq 3389
access-list 110 extended permit tcp any host 1x1.3x.44.8 eq ftp
access-list 110 extended permit tcp any host 1x1.3x.44.8 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.8 eq 3389
access-list 110 extended permit tcp any host 1x1.3x.44.10 eq 3389
access-list 110 extended permit tcp any host 1x1.3x.44.14 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.15 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.16 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.18 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.9 eq https
access-list 110 extended permit tcp any host 1x1.3x.44.9 eq smtp
access-list 110 extended permit tcp any host 1x1.3x.44.9 eq pop3
access-list 110 extended permit tcp any host 1x1.3x.44.20 eq 8080
access-list 110 extended permit tcp any host 1x1.3x.44.20 eq 8081
access-list 110 extended permit tcp any host 1x1.3x.44.21 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.19 eq 8080
access-list 110 extended permit tcp any host 1x1.3x.44.23 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.13 eq www
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN-POOL1 192.168.4.1-192.168.4.50 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface LANFALL Ethernet2
failover lan enable
failover key *****
failover link LANFALL Ethernet2
failover interface ip LANFALL 172.17.100.1 255.255.255.0 standby 172.17.100.7
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 1x1.3x.44.25-1x1.3x.44.26 netmask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 1x1.3x.44.19 8080 192.168.134.69 www netmask 255.255.255.255
static (inside,outside) tcp 1x1.3x.44.22 www 192.168.134.82 8080 netmask 255.255.255.255
static (inside,outside) tcp 1x1.3x.44.13 www 192.168.134.83 4000 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.8 192.168.134.47 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.10 192.168.134.90 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.14 192.168.134.81 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.15 192.168.134.11 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.16 192.168.134.68 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.18 192.168.134.111 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.9 192.168.134.14 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.20 192.168.134.13 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.21 192.168.134.112 netmask 255.255.255.255
static (inside,inside) 192.168.13420.0 192.168.13420.0 netmask 255.255.255.0
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 1x1.3x.44.1 1
route inside 192.168.13420.0 255.255.255.0 192.168.134.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.134.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.134.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.134.0 255.255.255.255 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.134.14
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value company.local
username testing password q/VM1nA1RWbzHiqrsIJF4g== nt-encrypted privilege 0
username testing attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-POOL1
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d004962688cf24422fb9ef3bc1d07329
: end
FW1#

Question by:Shakthi777
25 Comments
 
LVL 16

Expert Comment

by:Ivan
ID: 33723004

Hi,

As I can see, you have access-group 110 on the WAN interface, but there are no rules for L2TP/IPsec (UDP port 1701).
0
 

Author Comment

by:Shakthi777
ID: 33723194
How do I fix that?
0
 
LVL 16

Accepted Solution

by:
Ivan earned 72 total points
ID: 33723223
Well... if the address your VPN clients are trying to connect to is 1x1.3x.44.2 (the IP of interface Ethernet0),
then you need another rule:

access-list 110 extended permit udp any host 1x1.3x.44.2 eq 1701

0
 

Author Comment

by:Shakthi777
ID: 33723241
Thanks... I just tried it, but it's not opening the port to the outside.... Please advise!
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 33725158
I do not see in the configuration posted above where an access-list was applied to the outside interface.

Additionally, the author needs to allow UDP ports 500 and 4500 (ipsec and NAT-T) in the access list that will be used on the outside interface.
0
 

Author Comment

by:Shakthi777
ID: 33726818
_jesper_: Please be kind enough to post the relevant commands.

And thanks a lot!
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 33729217
access-list 110 extended permit udp any host 1x1.3x.44.2 eq 500
access-list 110 extended permit udp any host 1x1.3x.44.2 eq 4500
access-list 110 extended permit esp any host 1x1.3x.44.2

interface Ethernet0
 ip access-group 110 in
0
 

Author Comment

by:Shakthi777
ID: 33731782
Hi Jesper, I got an error:

FW1(config-if)# ip access-group 110 in
                           ^
ERROR: % Invalid input detected at '^' marker.
0
 

Author Comment

by:Shakthi777
ID: 33731788
BTW, I already have this in my config: "access-group 110 in interface outside"???
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 33734458
I did not see that.  

If you add the lines to the end of the access list, that should allow remote vpn connections.
0
 

Author Comment

by:Shakthi777
ID: 33735370
Nope, _jesper_, it's not even opening the ports..
Any idea?
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 284 total points
ID: 33735509
The only other things that I can think of ...

On the PIX pre v7, I had to reapply the access-group statement after making changes to the access list.  I don't know if that's the case with > 6.3 (it isn't necessary on the ASAs).

And, you may need a "sysopt connection permit-ipsec" configured.  I don't know if that's the exact syntax for that version.

Your options to debug:

1) add a deny ip any any log at the end of access-list 110 and check the log to see if the client is getting denied by the access list

2) if not #1,
       debug crypto ipsec
       debug crypto isakmp
       term mon
    start a vpn session to determine if you are hitting Phase 1 or Phase 2 at all.

You may post the debug but comment out sensitive information (IPs, usernames, etc)
0
 

Author Comment

by:Shakthi777
ID: 33736212
Nothing logs.. nothing hits the outside IP (but all other port forwards to the relevant public IPs are working).

Any helpful tips would be highly appreciated!
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 33736300
Have you:

added the 'sysopt' command?
reapplied the access-group?
received any information via a debug?
0
 

Author Comment

by:Shakthi777
ID: 33736395
##added the 'sysopt' command?
YES

##reapplied the access-group?
"access-group 110 in interface outside" is already there...
Your method gave me the error below (I already mentioned it above):

FW1(config-if)# ip access-group 110 in
                           ^
ERROR: % Invalid input detected at '^' marker.

##received any information via a debug?
I enabled logging as below and it gave the attached information:

logging on
logging cons 4
logging mon 4
term mon
debug crypto ipsec
debug crypto isakmp

1x2.1x5.84.1x1 is VPN Client IP

Please advise and thanks for your time !
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49467 to outside:1x1.3x.44.2/443
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49467 to outside:1x1.3x.44.2/443
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49467 to outside:1x1.3x.44.2/443
%PIX-4-106023: Deny tcp src outside:1x2.1x5.84.1x1/49470 dst inside:1x1.3x.44.26/1723 by access-group "110" [0x0, 0x0]
%PIX-4-106023: Deny tcp src outside:1x2.1x5.84.1x1/49470 dst inside:1x1.3x.44.26/1723 by access-group "110" [0x0, 0x0]
%PIX-4-106023: Deny tcp src outside:1x2.1x5.84.1x1/49470 dst inside:1x1.3x.44.26/1723 by access-group "110" [0x0, 0x0]

0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 284 total points
ID: 33736527
PPTP is TCP port 1723.

!allow a single IP
access-list 110 extended permit tcp host 1x2.1x5.84.1x1 host 1x1.3x.44 eq 1723

However, this is not a crypto vpn connection to the firewall.

Do you have any output from the debug?
0
 

Author Comment

by:Shakthi777
ID: 33736630
I put access-list 110 extended permit tcp host 1x2.1x5.84.1x1 host 1x1.3x.44 eq 1723

and I see below in the log
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49780 to outside:1x1.3x.44.2/443
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49780 to outside:1x1.3x.44.2/443
%PIX-3-710003: TCP access denied by ACL from 112.135.84.101/49780 to outside:1x1.3x.44.2/443

0
 

Author Comment

by:Shakthi777
ID: 33736664
And I entered the below:

access-list 110 extended permit tcp host 1x2.1x5.84.1x1 host 1x1.3x.44 eq 443

But I got the same logs as above back!
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 284 total points
ID: 33736760
On the PIX, prior to v7, I had to reapply the access-group statement after making changes to the access-list:

access-group 110 in interface outside

I don't know if this applies to the PIX v7 and later.
0
 

Author Comment

by:Shakthi777
ID: 33736872
OK, I did that and got the same logs as above...!

I'll be back in 8 hours from now to attend to any other queries you may have....
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 284 total points
ID: 33737450
I guess I need to understand the problem.

The logs indicate failed HTTPS and PPTP.  The configuration and the problem are regarding a crypto VPN to the Cisco.

Are we working two problems?
0
 
LVL 6

Assisted Solution

by:kuoh
kuoh earned 144 total points
ID: 33737924
Guessing by the info in the access logs, you might have missed configuring the "advanced" and "IPSec settings" options in the XP VPN client, which is causing it to default to PPTP.  Then you're trying to determine if the port is open by opening an HTTPS connection to the PIX?  Try deleting then reconfiguring the XP VPN client with these settings.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml#win
0
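The two checks the experts apply above are mechanical: Ivan and Jan list the entries the outside ACL must carry for L2TP/IPsec (UDP 1701, 500, 4500 and ESP towards the outside address), and kuoh reads the denies on TCP 1723 as the XP client having fallen back to PPTP. This added Python example, not code from the thread, does both against constructed sample lines: it reports which required entries an ACL lacks for a given outside IP and classifies what each denied packet was actually aimed at. The ACL and log lines it parses are constructed in the shapes shown in the thread, with RFC 5737 addresses in place of the masked ones.

```python
import re
from collections import Counter

# What an L2TP/IPsec client must reach on the firewall's outside address:
# IKE (udp/500), NAT-T (udp/4500), L2TP (udp/1701) and the ESP protocol itself.
L2TP_IPSEC_REQUIRED = {("udp", "500"), ("udp", "4500"), ("udp", "1701"), ("esp", None)}
SERVICE_NAMES = {  # service the client really aimed at, judged by the denied port
    ("udp", "500"): "IKE", ("udp", "4500"): "NAT-T", ("udp", "1701"): "L2TP",
    ("esp", None): "ESP", ("tcp", "1723"): "PPTP (client not using L2TP/IPsec)",
    ("tcp", "443"): "HTTPS to the firewall (not VPN traffic)",
}

ACL_RE = re.compile(r"^access-list (?P<name>\S+) extended permit (?P<proto>\w+) "
                    r"(?:any|host \S+) host (?P<dst>\S+)(?: eq (?P<port>\S+))?$")
# The two PIX syslog shapes seen in the thread when the inbound ACL drops a packet.
ACL_DENY_RE = re.compile(r"TCP access denied by ACL from \S+ to \w+:\S+/(?P<port>\d+)")
GROUP_DENY_RE = re.compile(r"Deny (?P<proto>\w+) src \S+ dst \w+:\S+/(?P<port>\d+) by access-group")

def missing_l2tp_rules(acl_lines, acl_name, outside_ip):
    """Return the required L2TP/IPsec entries that acl_name lacks for outside_ip."""
    permitted = set()
    for line in acl_lines:
        m = ACL_RE.match(line.strip())
        if m and m["name"] == acl_name and m["dst"] == outside_ip:
            permitted.add((m["proto"], m["port"]))
    return sorted(L2TP_IPSEC_REQUIRED - permitted, key=lambda t: (t[0], t[1] or ""))

def denied_services(log_lines):
    """Count the services denied packets were aimed at; unknown ports stay as proto/port."""
    seen = Counter()
    for line in log_lines:
        m, proto = ACL_DENY_RE.search(line), "tcp"
        if not m:
            m = GROUP_DENY_RE.search(line)
            proto = m["proto"].lower() if m else None
        if m:
            seen[SERVICE_NAMES.get((proto, m["port"]), f"{proto}/{m['port']}")] += 1
    return seen

# Constructed sample (RFC 5737 addresses) shaped like the ACL and log lines in the thread.
SAMPLE_ACL = ["access-list 110 extended permit tcp any host 203.0.113.28 eq 3389",
              "access-list 110 extended permit udp any host 203.0.113.2 eq 1701"]
SAMPLE_LOGS = [
    "%PIX-3-710003: TCP access denied by ACL from 198.51.100.7/49467 to outside:203.0.113.2/443",
    '%PIX-4-106023: Deny tcp src outside:198.51.100.7/49470 dst inside:203.0.113.26/1723 by access-group "110" [0x0, 0x0]',
    '%PIX-4-106023: Deny udp src outside:198.51.100.7/500 dst inside:203.0.113.2/500 by access-group "110" [0x0, 0x0]',
]

if __name__ == "__main__":
    print(missing_l2tp_rules(SAMPLE_ACL, "110", "203.0.113.2"), dict(denied_services(SAMPLE_LOGS)))
```

With the sample ACL only UDP 1701 is permitted, so IKE, NAT-T and ESP are reported missing, and the sample logs show one PPTP and one HTTPS attempt that no L2TP/IPsec rule would ever match.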
 

Author Comment

by:Shakthi777
ID: 33740446
kuoh: OK, recreated, but nothing changed...
0
 
LVL 6

Assisted Solution

by:kuoh
kuoh earned 144 total points
ID: 33740860
The logs on the PIX should definitely have changed if you've configured the XP client correctly.  There should be no more access attempts to the PPTP port 1723.  What shows up in the logs now when you attempt to open the tunnel?
0
 

Author Closing Comment

by:Shakthi777
ID: 33762040
0
