  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 489

Need to use Windows VPN Client on Cisco PIX ???

Hi Cisco Gurus and Experts...

I was trying to get L2TP over IPsec working so that my Windows XP clients can connect to the Cisco PIX.
I searched the web and went through many tutorials, and finally followed the one below:

http://gregsowell.com/?p=805&cpage=1#comment-3376

But my client doesn't even see the VPN port open on the PIX. Below is my config; please have a look and advise.

Thanks a lot!

FW1# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname FW1
domain-name company.local
enable password DRoOs2EWSVtHzPat encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1x1.3x.44.2 255.255.255.224
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.134.254 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 description LAN/STATE Failover Interface
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name company.local
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.192
access-list 110 extended permit tcp any host 1x1.3x.44.28 eq 3389
access-list 110 extended permit tcp any host 1x1.3x.44.8 eq ftp
access-list 110 extended permit tcp any host 1x1.3x.44.8 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.8 eq 3389
access-list 110 extended permit tcp any host 1x1.3x.44.10 eq 3389
access-list 110 extended permit tcp any host 1x1.3x.44.14 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.15 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.16 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.18 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.9 eq https
access-list 110 extended permit tcp any host 1x1.3x.44.9 eq smtp
access-list 110 extended permit tcp any host 1x1.3x.44.9 eq pop3
access-list 110 extended permit tcp any host 1x1.3x.44.20 eq 8080
access-list 110 extended permit tcp any host 1x1.3x.44.20 eq 8081
access-list 110 extended permit tcp any host 1x1.3x.44.21 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.19 eq 8080
access-list 110 extended permit tcp any host 1x1.3x.44.23 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.13 eq www
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN-POOL1 192.168.4.1-192.168.4.50 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface LANFALL Ethernet2
failover lan enable
failover key *****
failover link LANFALL Ethernet2
failover interface ip LANFALL 172.17.100.1 255.255.255.0 standby 172.17.100.7
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 1x1.3x.44.25-1x1.3x.44.26 netmask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 1x1.3x.44.19 8080 192.168.134.69 www netmask 255.255.255.255
static (inside,outside) tcp 1x1.3x.44.22 www 192.168.134.82 8080 netmask 255.255.255.255
static (inside,outside) tcp 1x1.3x.44.13 www 192.168.134.83 4000 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.8 192.168.134.47 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.10 192.168.134.90 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.14 192.168.134.81 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.15 192.168.134.11 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.16 192.168.134.68 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.18 192.168.134.111 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.9 192.168.134.14 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.20 192.168.134.13 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.21 192.168.134.112 netmask 255.255.255.255
static (inside,inside) 192.168.13420.0 192.168.13420.0 netmask 255.255.255.0
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 1x1.3x.44.1 1
route inside 192.168.13420.0 255.255.255.0 192.168.134.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.134.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.134.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.134.0 255.255.255.255 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.134.14
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value company.local
username testing password q/VM1nA1RWbzHiqrsIJF4g== nt-encrypted privilege 0
username testing attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-POOL1
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d004962688cf24422fb9ef3bc1d07329
: end
FW1#


0
Asked: Shakthi777

7 Solutions
 
Ivan (System Engineer) Commented:

Hi,

As I can see, you have access-group 110 on the WAN interface, but there are no rules for L2TP/IPsec (UDP port 1701).
0
 
Shakthi777 (Author) Commented:
How do I fix that?
0
 
Ivan (System Engineer) Commented:
Well... if the address your VPN clients are trying to connect to is 1x1.3x.44.2 (the IP of interface Ethernet0),
then you need another rule:

access-list 110 extended permit udp any host 1x1.3x.44.2 eq 1701

0
 
Shakthi777 (Author) Commented:
Thanks... I just tried it, but it's not opening the port to the outside. Please advise!
0
 
Jan Springer Commented:
I do not see in the configuration posted above where an access-list was applied to the outside interface.

Additionally, the author needs to allow UDP ports 500 and 4500 (ipsec and NAT-T) in the access list that will be used on the outside interface.
0
 
Shakthi777 (Author) Commented:
_jesper_: Please be kind enough to post the relevant commands.

And thanks a lot!
0
 
Jan Springer Commented:
access-list 110 extended permit udp any host 1x1.3x.44.2 eq 500
access-list 110 extended permit udp any host 1x1.3x.44.2 eq 4500
access-list 110 extended permit esp any host 1x1.3x.44.2

interface Ethernet0
 ip access-group 110 in
0
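As an added example (not code from the thread or from Cisco), a small Python check that parses PIX extended access-list lines and reports which of the permits suggested above for an L2TP/IPsec client (UDP 500, UDP 4500, ESP and UDP 1701 to the outside address) are absent from a given ACL. The simplified ACE grammar and the REQUIRED table are assumptions for this illustration; the sample ACL is constructed from the posted config.

```python
import re

# Constructed sample: a few ACEs from the posted "sh run" plus the two
# additions suggested in the answers (UDP 1701 and UDP 500). ESP and UDP 4500
# are deliberately left out so the check has something to report.
SAMPLE_ACL = """\
access-list 110 extended permit tcp any host 1x1.3x.44.28 eq 3389
access-list 110 extended permit tcp any host 1x1.3x.44.9 eq https
access-list 110 extended permit udp any host 1x1.3x.44.2 eq 1701
access-list 110 extended permit udp any host 1x1.3x.44.2 eq 500
"""

# Assumed requirement table for an L2TP/IPsec client reaching the outside
# address: IKE (udp/500), NAT-T (udp/4500), ESP, and L2TP (udp/1701).
REQUIRED = {("udp", "500"), ("udp", "4500"), ("esp", None), ("udp", "1701")}

# Simplified grammar: "any", "host X" or "net mask" endpoints, optional "eq PORT".
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

def parse_aces(text):
    """Return one dict per ACE line that matches the simplified grammar."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dst"] = " ".join(d["dst"].split())  # normalise inner whitespace
            aces.append(d)
    return aces

def missing_vpn_permits(text, acl_name, outside_ip):
    """Return the REQUIRED (proto, port) pairs that no permit ACE in acl_name
    covers for traffic addressed to outside_ip (or to any)."""
    covered = set()
    for ace in parse_aces(text):
        if ace["name"] != acl_name or ace["action"] != "permit":
            continue
        if ace["dst"] not in ("any", f"host {outside_ip}"):
            continue
        for proto, port in REQUIRED:
            proto_ok = ace["proto"] in (proto, "ip")
            port_ok = ace["proto"] == "ip" or port is None or ace["port"] == port
            if proto_ok and port_ok:
                covered.add((proto, port))
    return sorted(REQUIRED - covered, key=str)
```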
 
Shakthi777 (Author) Commented:
Hi Jesper, got an error:

FW1(config-if)# ip access-group 110 in
                           ^
ERROR: % Invalid input detected at '^' marker.
0
 
Shakthi777 (Author) Commented:
BTW, I already have this in my config: "access-group 110 in interface outside" ???
0
 
Jan Springer Commented:
I did not see that.

If you add the lines to the end of the access list, that should allow remote vpn connections.
0
 
Shakthi777 (Author) Commented:
Nope, _jesper_, it's not even opening the ports.
Any idea?
0
 
Jan Springer Commented:
The only other things that I can think of ...

On the PIX pre v7, I had to reapply the access-group statement after making changes to the access list.  I don't know if that's the case with > 6.3 (it isn't necessary on the ASAs).

And, you may need a "sysopt connection permit-ipsec" configured.  I don't know if that's the exact syntax for that version.

Your options to debug:

1) add a deny ip any any log at the end of access-list 110 and check the log to see if the client is getting denied by the access list

2) if not #1,
       debug crypto ipsec
       debug crypto isakmp
       term mon
    start a vpn session to determine if you are hitting Phase 1 or Phase 2 at all.

You may post the debug, but comment out sensitive information (IPs, usernames, etc.).
0
 
Shakthi777 (Author) Commented:
Nothing logs... nothing hits on the outside IP (but all other port forwards are working to the relevant public IPs).

Any helpful tips would be highly appreciated!
0
 
Jan Springer Commented:
Have you:

added the 'sysopt' command?
reapplied the access-group?
received any information via a debug?
0
 
Shakthi777 (Author) Commented:
##added the 'sysopt' command?
YES

##reapplied the access-group?
"access-group 110 in interface outside" is already there...
Your method gave me the error below (I already mentioned it at the top):

FW1(config-if)# ip access-group 110 in
                           ^
ERROR: % Invalid input detected at '^' marker.

##received any information via a debug?
I enabled logging as below and it gave the attached information:

logging on
logging cons 4
logging mon 4
term mon
debug crypto ipsec
debug crypto isakmp

1x2.1x5.84.1x1 is VPN Client IP

Please advise and thanks for your time !
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49467 to outside:1x1.3x.44.2/443
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49467 to outside:1x1.3x.44.2/443
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49467 to outside:1x1.3x.44.2/443
%PIX-4-106023: Deny tcp src outside:1x2.1x5.84.1x1/49470 dst inside:1x1.3x.44.26/1723 by access-group "110" [0x0, 0x0]
%PIX-4-106023: Deny tcp src outside:1x2.1x5.84.1x1/49470 dst inside:1x1.3x.44.26/1723 by access-group "110" [0x0, 0x0]
%PIX-4-106023: Deny tcp src outside:1x2.1x5.84.1x1/49470 dst inside:1x1.3x.44.26/1723 by access-group "110" [0x0, 0x0]


0
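As an added illustration (not code from the thread or from Cisco), a Python triage of deny messages like the ones above: it parses %PIX-3-710003 and %PIX-4-106023 lines, tallies per source what the client was actually speaking, and reports whether any IKE/NAT-T/L2TP/ESP traffic reached the box at all. The sample log is constructed from the posted lines plus one constructed IKE line; the service table and the message grammar are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the deny lines the author posted (masked addresses kept
# as posted) plus one constructed IKE line, so a genuine IPsec attempt shows up.
SAMPLE_LOG = """\
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49467 to outside:1x1.3x.44.2/443
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49467 to outside:1x1.3x.44.2/443
%PIX-4-106023: Deny tcp src outside:1x2.1x5.84.1x1/49470 dst inside:1x1.3x.44.26/1723 by access-group "110" [0x0, 0x0]
%PIX-4-106023: Deny udp src outside:1x2.1x5.84.1x1/500 dst outside:1x1.3x.44.2/500 by access-group "110" [0x0, 0x0]
"""

# 710003: a connection to the firewall itself was refused; 106023: through
# traffic was dropped by an interface access-group. Port parts are optional
# so protocols without ports (esp) still parse.
TO_BOX_RE = re.compile(
    r"%PIX-\d-710003: (?P<proto>\w+) access denied by ACL from "
    r"(?P<src>[^/\s]+)(?:/\d+)? to \w+:(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?")
ACL_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[^/\s]+)(?:/\d+)? '
    r'dst \w+:(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))? by access-group "(?P<acl>[^"]+)"')

# What a client is actually speaking, judged by destination protocol/port.
SERVICES = {("tcp", "443"): "HTTPS", ("tcp", "1723"): "PPTP",
            ("udp", "500"): "IKE", ("udp", "4500"): "IKE-NAT-T",
            ("udp", "1701"): "L2TP", ("esp", None): "ESP"}
IPSEC_SERVICES = {"IKE", "IKE-NAT-T", "L2TP", "ESP"}

def parse_denies(text):
    """Yield (msg_id, proto, src, dst, dport) for each recognised deny line."""
    for line in text.splitlines():
        for msg_id, rx in (("710003", TO_BOX_RE), ("106023", ACL_RE)):
            m = rx.search(line)
            if m:
                d = m.groupdict()
                yield msg_id, d["proto"].lower(), d["src"], d["dst"], d["dport"]
                break

def triage(text):
    """Return (per-source Counter of denied services, ipsec_seen). If no
    IKE/NAT-T/L2TP/ESP ever reaches the box, suspect the client's VPN type
    rather than the firewall's ACL."""
    per_src = {}
    for _, proto, src, _, dport in parse_denies(text):
        name = SERVICES.get((proto, dport), f"{proto}/{dport}")
        per_src.setdefault(src, Counter())[name] += 1
    ipsec_seen = any(s in IPSEC_SERVICES for c in per_src.values() for s in c)
    return per_src, ipsec_seen
```

Run against only the three posted lines, ipsec_seen comes back False: the client was talking HTTPS and PPTP, never IKE.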
 
Jan Springer Commented:
PPTP is TCP port 1723.

!allow a single IP
access-list 110 extended permit tcp host 1x2.1x5.84.1x1 host 1x1.3x.44 eq 1723

However, this is not a crypto vpn connection to the firewall.

Do you have any output from the debug?
0
 
Shakthi777 (Author) Commented:
I put in access-list 110 extended permit tcp host 1x2.1x5.84.1x1 host 1x1.3x.44 eq 1723

and I see the below in the log:
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49780 to outside:1x1.3x.44.2/443
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49780 to outside:1x1.3x.44.2/443
%PIX-3-710003: TCP access denied by ACL from 112.135.84.101/49780 to outside:1x1.3x.44.2/443


0
 
Shakthi777 (Author) Commented:
And entered the below:

access-list 110 extended permit tcp host 1x2.1x5.84.1x1 host 1x1.3x.44 eq 443

But I got the same logs as above back!
0
 
Jan Springer Commented:
On the PIX, prior to v7, I had to reapply the access-group statement after making changes to the access-list:

access-group 110 in interface outside

I don't know if this applies to the PIX v7 and later.
0
 
Shakthi777 (Author) Commented:
OK, I did that and got the same logs as above!

I'll be back in 8 hours from now to attend to any other queries you may have.
0
 
Jan Springer Commented:
I guess I need to understand the problem.

The logs indicate failed HTTPS and PPTP.  The configuration and the problem are regarding a crypto VPN to the Cisco.

Are we working two problems?
0
 
kuoh Commented:
Guessing by the info in the access logs, you might have missed configuring the "advanced" and "IPSec settings" options in the XP VPN client, which is causing it to default to PPTP.  Then you're trying to determine if the port is open by opening an HTTPS connection to the PIX?  Try deleting then reconfiguring the XP VPN client with these settings.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml#win
0
 
Shakthi777 (Author) Commented:
kuoh: OK, recreated, but nothing changed...
0
 
kuoh Commented:
The logs on the PIX should definitely have changed if you've configured the XP client correctly.  There should be no more access attempts to the PPTP port 1723.  What shows up in the logs now when you attempt to open the tunnel?
0
 