Solved

Need to use Windows VPN Client on Cisco PIX ???

Posted on 2010-09-20
25
438 Views
Last Modified: 2012-05-10
Hi Cisco Gurus and Experts...

I was trying to get L2TP over IPsec working so my Windows XP clients could connect to the Cisco PIX.
I searched the web and went through many tutorials, and finally followed the one below:

http://gregsowell.com/?p=805&cpage=1#comment-3376

But my client doesn't even see the VPN port open on the PIX. Below is my config; please have a look and advise.

Thanks a lot!

FW1# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname FW1
domain-name company.local
enable password DRoOs2EWSVtHzPat encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1x1.3x.44.2 255.255.255.224
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.134.254 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 description LAN/STATE Failover Interface
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name company.local
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.192
access-list 110 extended permit tcp any host 1x1.3x.44.28 eq 3389
access-list 110 extended permit tcp any host 1x1.3x.44.8 eq ftp
access-list 110 extended permit tcp any host 1x1.3x.44.8 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.8 eq 3389
access-list 110 extended permit tcp any host 1x1.3x.44.10 eq 3389
access-list 110 extended permit tcp any host 1x1.3x.44.14 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.15 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.16 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.18 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.9 eq https
access-list 110 extended permit tcp any host 1x1.3x.44.9 eq smtp
access-list 110 extended permit tcp any host 1x1.3x.44.9 eq pop3
access-list 110 extended permit tcp any host 1x1.3x.44.20 eq 8080
access-list 110 extended permit tcp any host 1x1.3x.44.20 eq 8081
access-list 110 extended permit tcp any host 1x1.3x.44.21 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.19 eq 8080
access-list 110 extended permit tcp any host 1x1.3x.44.23 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.13 eq www
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN-POOL1 192.168.4.1-192.168.4.50 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface LANFALL Ethernet2
failover lan enable
failover key *****
failover link LANFALL Ethernet2
failover interface ip LANFALL 172.17.100.1 255.255.255.0 standby 172.17.100.7
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 1x1.3x.44.25-1x1.3x.44.26 netmask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 1x1.3x.44.19 8080 192.168.134.69 www netmask 255.255.255.255
static (inside,outside) tcp 1x1.3x.44.22 www 192.168.134.82 8080 netmask 255.255.255.255
static (inside,outside) tcp 1x1.3x.44.13 www 192.168.134.83 4000 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.8 192.168.134.47 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.10 192.168.134.90 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.14 192.168.134.81 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.15 192.168.134.11 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.16 192.168.134.68 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.18 192.168.134.111 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.9 192.168.134.14 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.20 192.168.134.13 netmask 255.255.255.255
static (inside,outside) 1x1.3x.44.21 192.168.134.112 netmask 255.255.255.255
static (inside,inside) 192.168.13420.0 192.168.13420.0 netmask 255.255.255.0
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 1x1.3x.44.1 1
route inside 192.168.13420.0 255.255.255.0 192.168.134.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.134.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.134.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.134.0 255.255.255.255 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.134.14
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value company.local
username testing password q/VM1nA1RWbzHiqrsIJF4g== nt-encrypted privilege 0
username testing attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-POOL1
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d004962688cf24422fb9ef3bc1d07329
: end
FW1#


0
Question by:Shakthi777
25 Comments
 
LVL 15

Expert Comment

by:Ivan
ID: 33723004

Hi,

As I can see, you have access-group 110 on the WAN interface, but there are no rules for L2TP/IPsec (UDP port 1701).
0
 

Author Comment

by:Shakthi777
ID: 33723194
How do I fix that?
0
 
LVL 15

Accepted Solution

by:
Ivan earned 72 total points
ID: 33723223
Well... if the address your VPN clients are trying to connect to is 1x1.3x.44.2 (the IP of interface Ethernet0),
then you need another rule:

access-list 110 extended permit udp any host 1x1.3x.44.2 eq 1701

0
 

Author Comment

by:Shakthi777
ID: 33723241
Thanks... I just tried it, but it's not opening the port to the outside. Please advise!
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 33725158
I do not see in the configuration posted above where an access-list was applied to the outside interface.

Additionally, the author needs to allow UDP ports 500 and 4500 (ipsec and NAT-T) in the access list that will be used on the outside interface.
0
 

Author Comment

by:Shakthi777
ID: 33726818
_jesper_: please be kind enough to post the relevant commands.

And thanks a lot!
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 33729217
access-list 110 extended permit udp any host 1x1.3x.44.2 eq 500
access-list 110 extended permit udp any host 1x1.3x.44.2 eq 4500
access-list 110 extended permit esp any host 1x1.3x.44.2

interface Ethernet0
 ip access-group 110 in
0
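The two expert replies above (Ivan's udp/1701 rule and Jan Springer's udp/500, udp/4500 and ESP rules) amount to a checklist against access-list 110. The script below is an added example, not code from the thread or from Cisco: it parses `access-list NAME extended permit|deny ...` lines in the PIX syntax shown on the page, applies first-match semantics with the implicit deny at the end, and reports which of the L2TP/IPsec entries are still missing for a given endpoint address. The ACL text, the endpoint address and the required-service set are constructed from this thread's values (the `x` octets are the page's own masking). One caveat from the platform's own behaviour: on PIX/ASA 7.x and later, an interface access-group filters traffic passing through the firewall, not traffic addressed to the firewall's own interface, so an empty "missing" result answers the thread's question about the ACL but does not by itself explain a tunnel that still fails.

```python
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# Constructed from the thread: outside interface address and a sample of the
# posted ACL (only a few of the original ACEs are needed to show the check).
OUTSIDE_IP = "1x1.3x.44.2"

ACL_AS_POSTED = """
access-list 110 extended permit tcp any host 1x1.3x.44.28 eq 3389
access-list 110 extended permit tcp any host 1x1.3x.44.8 eq www
access-list 110 extended permit tcp any host 1x1.3x.44.9 eq https
"""

# The four ACEs suggested by the two experts in this thread.
ACL_SUGGESTED = """
access-list 110 extended permit udp any host 1x1.3x.44.2 eq 1701
access-list 110 extended permit udp any host 1x1.3x.44.2 eq 500
access-list 110 extended permit udp any host 1x1.3x.44.2 eq 4500
access-list 110 extended permit esp any host 1x1.3x.44.2
"""

# (protocol, port) pairs an L2TP/IPsec client must reach on the endpoint:
# IKE, IKE NAT-T, ESP, and L2TP itself. A port of None means "any port".
REQUIRED_FOR_L2TP_IPSEC: Set[Tuple[str, Optional[str]]] = {
    ("udp", "500"), ("udp", "4500"), ("esp", None), ("udp", "1701"),
}

# Service names the PIX CLI accepts instead of numbers (subset, assumption:
# enough for the lines on this page).
PORT_NAMES = {"www": "80", "https": "443", "smtp": "25", "pop3": "110",
              "ftp": "21", "isakmp": "500", "ssh": "22"}

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


class Ace(NamedTuple):
    acl: str
    action: str
    proto: str
    dst: str               # "any" or a single host address
    port: Optional[str]    # normalised port number, or None for "any port"


def parse_acl(text: str) -> List[Ace]:
    """Parse extended ACEs in the order they appear; unknown lines are skipped."""
    aces: List[Ace] = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        dst = "any" if dst == "any" else dst.split()[1]
        port = m.group("port")
        if port is not None:
            port = PORT_NAMES.get(port, port)
        aces.append(Ace(m.group("name"), m.group("action"),
                        m.group("proto").lower(), dst, port))
    return aces


def permits(aces: List[Ace], acl: str, proto: str, dst_ip: str,
            port: Optional[str]) -> bool:
    """First matching ACE decides; no match means the implicit deny applies."""
    for ace in aces:
        if ace.acl != acl:
            continue
        if ace.proto not in (proto, "ip"):
            continue
        if ace.dst not in ("any", dst_ip):
            continue
        if ace.port is not None and ace.port != port:
            continue
        return ace.action == "permit"
    return False


def missing_vpn_aces(text: str, endpoint_ip: str,
                     acl: str = "110") -> Set[Tuple[str, Optional[str]]]:
    """Return the (proto, port) pairs from the L2TP/IPsec checklist that the ACL does not permit."""
    aces = parse_acl(text)
    return {(proto, port) for proto, port in REQUIRED_FOR_L2TP_IPSEC
            if not permits(aces, acl, proto, endpoint_ip, port)}


if __name__ == "__main__":
    print("missing as posted:", sorted(missing_vpn_aces(ACL_AS_POSTED, OUTSIDE_IP), key=str))
    print("missing with suggested ACEs:",
          sorted(missing_vpn_aces(ACL_AS_POSTED + ACL_SUGGESTED, OUTSIDE_IP), key=str))
```

Because the walk stops at the first match, an earlier `deny udp any host ... eq 500` would shadow a later permit, which is the same ordering trap Jan's later advice about appending to the end of the list is guarding against.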
 

Author Comment

by:Shakthi777
ID: 33731782
Hi Jesper, got an error:

FW1(config-if)# ip access-group 110 in
                           ^
ERROR: % Invalid input detected at '^' marker.
0
 

Author Comment

by:Shakthi777
ID: 33731788
BTW I already have this in my config "access-group 110 in interface outside" ???
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 33734458
I did not see that.  

If you add the lines to the end of the access list, that should allow remote vpn connections.
0
 

Author Comment

by:Shakthi777
ID: 33735370
Nope _jesper_, it's not even opening the ports.
Any idea?
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 284 total points
ID: 33735509
The only other things that I can think of ...

On the PIX pre v7, I had to reapply the access-group statement after making changes to the access list.  I don't know if that's the case with > 6.3 (it isn't necessary on the ASAs).

And, you may need a "sysopt connection permit-ipsec" configured.  I don't know if that's the exact syntax for that version.

Your options to debug:

1) add a deny ip any any log at the end of access-list 110 and check the log to see if the client is getting denied by the access list

2) if not #1,
       debug crypto ipsec
       debug crypto isakmp
       term mon
    start a vpn session to determine if you are hitting Phase 1 or Phase 2 at all.

You may post the debug but comment out sensitive information (IPs, usernames, etc)
0
 

Author Comment

by:Shakthi777
ID: 33736212
Nothing logs... nothing hits the outside IP (but all other port forwards are working to the relevant public IPs).

Any helpful tips would be highly appreciated!
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 33736300
Have you:

added the 'sysopt' command?
reapplied the access-group?
received any information via a debug?
0
 

Author Comment

by:Shakthi777
ID: 33736395
##added the 'sysopt' command?
YES

##reapplied the access-group?
"access-group 110 in interface outside" is already there...
Your method gave me the error below (I already mentioned it above):

FW1(config-if)# ip access-group 110 in
                           ^
ERROR: % Invalid input detected at '^' marker.

##received any information via a debug?
I enabled logging as below and it gave the attached information:

logging on
logging cons 4
logging mon 4
term mon
debug crypto ipsec
debug crypto isakmp

1x2.1x5.84.1x1 is the VPN client IP.

Please advise, and thanks for your time!
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49467 to outside:1x1.3x.44.2/443
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49467 to outside:1x1.3x.44.2/443
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49467 to outside:1x1.3x.44.2/443
%PIX-4-106023: Deny tcp src outside:1x2.1x5.84.1x1/49470 dst inside:1x1.3x.44.26/1723 by access-group "110" [0x0, 0x0]
%PIX-4-106023: Deny tcp src outside:1x2.1x5.84.1x1/49470 dst inside:1x1.3x.44.26/1723 by access-group "110" [0x0, 0x0]
%PIX-4-106023: Deny tcp src outside:1x2.1x5.84.1x1/49470 dst inside:1x1.3x.44.26/1723 by access-group "110" [0x0, 0x0]


0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 284 total points
ID: 33736527
PPTP is TCP port 1723.

!allow a single IP
access-list 110 extended permit tcp host 1x2.1x5.84.1x1 host 1x1.3x.44 eq 1723

However, this is not a crypto vpn connection to the firewall.

Do you have any output from the debug?
0
 

Author Comment

by:Shakthi777
ID: 33736630
I put access-list 110 extended permit tcp host 1x2.1x5.84.1x1 host 1x1.3x.44 eq 1723

and I see the below in the log:
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49780 to outside:1x1.3x.44.2/443
%PIX-3-710003: TCP access denied by ACL from 1x2.1x5.84.1x1/49780 to outside:1x1.3x.44.2/443
%PIX-3-710003: TCP access denied by ACL from 112.135.84.101/49780 to outside:1x1.3x.44.2/443


0
 

Author Comment

by:Shakthi777
ID: 33736664
And entered the below:

access-list 110 extended permit tcp host 1x2.1x5.84.1x1 host 1x1.3x.44 eq 443

But I got the same logs as above!
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 284 total points
ID: 33736760
On the PIX, prior to v7, I had to reapply the access-group statement after making changes to the access-list:

access-group 110 in interface outside

I don't know if this applies to the PIX v7 and later.
0
 

Author Comment

by:Shakthi777
ID: 33736872
OK, I did that and got the same logs as above!

I'll be back in 8 hours from now to attend on any other queries if you have ....
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 284 total points
ID: 33737450
I guess I need to understand the problem.

The logs indicate failed HTTPS and PPTP.  The configuration and problem are regarding a crypto VPN to the Cisco.

Are we working two problems?
0
 
LVL 6

Assisted Solution

by:kuoh
kuoh earned 144 total points
ID: 33737924
Guessing by the info in the access logs, you might have missed configuring the "advanced" and "IPSec settings" options in the XP VPN client, which is causing it to default to PPTP.  Then you're trying to determine if the port is open by opening an HTTPS connection to the PIX?  Try deleting then reconfiguring the XP VPN client with these settings.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml#win
0
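The debug advice in Jan Springer's earlier post and kuoh's reading of the log above both come down to the same triage step: look at which destination ports the client is actually hitting. A %PIX-4-106023 line is a through-the-box deny by the interface access-group (here tcp/1723, the PPTP control port), while %PIX-3-710003 records a connection to the firewall itself (here tcp/443) refused because the source is not permitted by the management ACL; neither shows IKE (udp/500 or 4500), which is what an L2TP/IPsec client would send first. The script below is an added example, not code from the thread or from Cisco: it parses those two message formats as printed on the page, tallies attempts per source and service, and classifies a client as PPTP or L2TP/IPsec from what it sent. The log lines are constructed to mirror the thread's (RFC 5737 documentation addresses stand in for the masked ones) and the udp/500 line is added so the L2TP/IPsec branch is exercised too.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample syslog modelled on the two message types in the thread.
# 203.0.113.45 mirrors the thread's client; 203.0.113.77 is an invented second
# client that does send IKE, to show the other outcome.
SAMPLE_LOG = """\
%PIX-3-710003: TCP access denied by ACL from 203.0.113.45/49467 to outside:198.51.100.2/443
%PIX-3-710003: TCP access denied by ACL from 203.0.113.45/49467 to outside:198.51.100.2/443
%PIX-4-106023: Deny tcp src outside:203.0.113.45/49470 dst inside:198.51.100.26/1723 by access-group "110" [0x0, 0x0]
%PIX-4-106023: Deny tcp src outside:203.0.113.45/49470 dst inside:198.51.100.26/1723 by access-group "110" [0x0, 0x0]
%PIX-4-106023: Deny udp src outside:203.0.113.77/500 dst outside:198.51.100.2/500 by access-group "110" [0x0, 0x0]
"""

# (protocol, destination port) -> service name a VPN-endpoint reviewer cares about.
SERVICES: Dict[Tuple[str, int], str] = {
    ("tcp", 1723): "PPTP",
    ("tcp", 443): "HTTPS (ASDM/management)",
    ("udp", 500): "IKE",
    ("udp", 4500): "IKE NAT-T",
    ("udp", 1701): "L2TP",
}

# 710003: to-the-box connection refused by the management ACL (http/ssh/telnet statements).
TO_BOX_RE = re.compile(
    r"%PIX-\d-710003: (?P<proto>\w+) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# 106023: through-the-box packet denied by an interface access-group.
THROUGH_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_pix_log(text: str) -> List[dict]:
    """Turn recognised deny messages into event dicts; other lines are ignored."""
    events: List[dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = "to-the-box"
        m = TO_BOX_RE.match(line)
        if m is None:
            kind = "through-the-box"
            m = THROUGH_RE.match(line)
        if m is None:
            continue  # not one of the two message types handled here
        proto = m.group("proto").lower()
        dport = int(m.group("dport"))
        events.append({
            "kind": kind,
            "proto": proto,
            "src": m.group("src"),
            "dst": m.group("dst"),
            "dport": dport,
            "service": SERVICES.get((proto, dport), f"{proto}/{dport}"),
        })
    return events


def summarize(events: List[dict]) -> Counter:
    """Count denied attempts per (source address, service)."""
    return Counter((e["src"], e["service"]) for e in events)


def classify_client(events: List[dict], client_ip: str) -> str:
    """Infer which VPN type a client is configured for from what it sent."""
    seen = {e["service"] for e in events if e["src"] == client_ip}
    if seen & {"IKE", "IKE NAT-T", "L2TP"}:
        return "l2tp-ipsec"   # IPsec negotiation attempted; look at ACL and crypto debugs next
    if "PPTP" in seen:
        return "pptp"         # never sent IKE: the client is set up for PPTP, not L2TP/IPsec
    return "unknown"


if __name__ == "__main__":
    evs = parse_pix_log(SAMPLE_LOG)
    for (src, service), n in sorted(summarize(evs).items()):
        print(f"{src:16} {service:26} {n} denied")
    for ip in ("203.0.113.45", "203.0.113.77"):
        print(ip, "->", classify_client(evs, ip))
```

Running it against the thread's own lines (with the masked octets replaced) gives "pptp" for the client, which is exactly kuoh's conclusion: the Windows XP connection was never told to use L2TP/IPsec, so no amount of ACL work on udp/500 or 1701 would produce a hit.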
 

Author Comment

by:Shakthi777
ID: 33740446
kuoh: OK, recreated it but nothing changed...
0
 
LVL 6

Assisted Solution

by:kuoh
kuoh earned 144 total points
ID: 33740860
The logs on the PIX should definitely have changed if you've configured the XP client correctly.  There should be no more access attempts to the PPTP port 1723.  What shows up in the logs now when you attempt to open the tunnel?
0
 

Author Closing Comment

by:Shakthi777
ID: 33762040
0
