Solved

PIX - Unable to connect to remote VPN

Posted on 2013-01-09
Last Modified: 2013-09-30
I'm having trouble getting remote access VPN set up on an old firewall in my lab.
Cisco PIX running 8.0.5

Whenever a user tries to connect I get the following debug:

OncallNetworks(config)# Jan 09 02:04:52 [IKEv1]: Group = RemoteAccess, IP = *REMOTEIP*, Removing peer from peer table failed, no match!
Jan 09 02:04:52 [IKEv1]: Group = RemoteAccess, IP = *REMOTEIP*, Error: Unable to remove PeerTblEntry

From what I understand of it, the firewall is parsing the incoming IP but can't match it to any group policy.

But I can't figure out the configuration bug.


Here is the sanitized code:

access-list RemoteAccess_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound line 1 extended permit ip 172.16.1.0 255.255.255.0 192.168.33.0 255.255.255.0

ip local pool VPNPool 192.168.33.100-192.168.33.150 mask 255.255.255.0
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 vpn-tunnel-protocol ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccess_splitTunnelAcl
 dns-server value 208.67.222.222 208.67.220.220
 default-domain value OncallNetworks.local
exit
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 default-group-policy RemoteAccess
 address-pool VPNPool
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *PANTS!*
crypto isakmp policy 10
 group 5
 encryption aes
 hash sha
crypto isakmp enable outside
no crypto isakmp nat-traversal
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
nat (inside) 0 access-list inside_nat0_outbound tcp 0 0 udp 0
Question by: PerimeterIT

9 Comments


Expert Comment

by:ronembriss
ID: 38760925
Hello.
Your code doesn't seem to have an issue.
But have you tried configuring the VPN using ASDM? It does wonders in eliminating trivial errors we usually make in the CLI.
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 38761042
ASDM won't load on the device, it's a PIX not an ASA.
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 38761340
Under policy 10, specify authentication pre-share.
0
 
LVL 15

Expert Comment

by:max_the_king
ID: 38762329
Hi,
You need to modify your configuration:

crypto isakmp policy 10
 group 2
 authentication pre-share

crypto isakmp nat-traversal 20

crypto map outside_map interface outside

It should then work.
Hope this helps,
max
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 38763459
It accepted the pre-shared in the policy but still the same error message...
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 38763590
Maybe repost the config to show updates, and possibly something is just hosed up in the PIX... have you rebooted it?
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 38764647
Here's the whole sanitized config; maybe I missed something?

PIX Version 8.0(4)28
!
hostname OncallNetworks
domain-name oncall-networks.net
enable password ! encrypted
passwd ! encrypted
no names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 pppoe client vpdn group managementDSL
 ip address pppoe setroute
!
interface Ethernet0.1
 vlan 20
 nameif exchange
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.1.254 255.255.255.0
!
interface Ethernet1.1
 no vlan
 no nameif
 no security-level
 no ip address
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 172.43.1.254 255.255.255.0
!
boot system flash:/pix804-28.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name oncall-networks.net
access-list RemoteAccess_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.33.0 255.255.255.0
pager lines 24
logging timestamp
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm warnings
mtu outside 1500
mtu exchange 1500
mtu inside 1500
mtu DMZ 1500
ip local pool VPNPool 192.168.33.100-192.168.33.150 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm508.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community *****
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 28800
crypto isakmp policy 65535
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 25
ssh version 1
console timeout 0
management-access inside
vpdn group managementDSL request dialout pppoe
vpdn group managementDSL localname !
vpdn group managementDSL ppp authentication pap
vpdn username ! password *********
dhcpd dns 172.16.1.2
dhcpd ping_timeout 750
dhcpd domain oncall-networks.net
!
dhcpd address 172.16.1.100-172.16.1.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 172.16.1.100 Overkill-PIX.bin
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccess_splitTunnelAcl
 default-domain value OncallNetworks.local
username ! password ! encrypted privilege 15
username ! attributes
 vpn-group-policy work
username ! password ! encrypted privilege 15
username ! attributes
 vpn-group-policy work
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool VPNPool
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 38768573
Just did a reload to factory defaults and re-entered the configuration.

Same error.
0
 
LVL 15

Accepted Solution

by:
max_the_king earned 500 total points
ID: 38769632
Hi,
As I wrote in my previous post, you should try and set group 2 instead of group 5.

max
0
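The two answers above point at the same three ISAKMP settings: the missing "authentication pre-share", DH group 5 instead of group 2, and NAT traversal being turned off. As an added example that is not part of this thread, the following Python script lints the IKEv1 portion of a PIX/ASA running config for exactly those conditions, so the check can be repeated on a saved config before touching the box. The parser, the function names and the expected DH group (taken from the accepted answer, and passed in as a parameter because it depends on what the VPN client proposes) are this example's own assumptions; the sample configs are constructed from the question's first post and from that post with the accepted fix applied.

```python
from __future__ import annotations

import re

# Constructed sample: the crypto portion of the original poster's first config.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 group 5
 encryption aes
 hash sha
crypto isakmp enable outside
no crypto isakmp nat-traversal
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *PANTS!*
"""

# Constructed sample: the same config with the accepted answer's changes applied.
FIXED_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *PANTS!*
"""


def parse_isakmp_policies(config: str) -> dict[int, dict[str, str]]:
    """Return {priority: {attribute: value}} for every 'crypto isakmp policy' block.

    Sub-commands are the indented lines that follow the policy header; the block
    ends at the next non-indented line (the PIX/ASA running-config layout).
    """
    policies: dict[int, dict[str, str]] = {}
    current: int | None = None
    for raw in config.splitlines():
        line = raw.rstrip()
        header = re.match(r"^crypto isakmp policy (\d+)\s*$", line)
        if header:
            current = int(header.group(1))
            policies[current] = {}
            continue
        if current is not None and line.startswith(" "):
            parts = line.split()
            if parts:
                policies[current][parts[0]] = " ".join(parts[1:])
            continue
        current = None  # any non-indented line closes the policy block
    return policies


def check_remote_access_ikev1(config: str, expected_group: str = "2") -> list[str]:
    """Return a list of findings (empty when the config passes every check).

    expected_group is an assumption of this example: the accepted answer says the
    client in question needs DH group 2, so that is the default.
    """
    findings: list[str] = []
    policies = parse_isakmp_policies(config)
    if not policies:
        findings.append("no 'crypto isakmp policy' defined")
    for prio, attrs in sorted(policies.items()):
        # Phase 1 with a pre-shared key needs the authentication method stated explicitly.
        if attrs.get("authentication") != "pre-share":
            findings.append(f"policy {prio}: missing 'authentication pre-share'")
        if attrs.get("group") != expected_group:
            findings.append(
                f"policy {prio}: group {attrs.get('group', '(unset)')}, expected group {expected_group}"
            )
    # Remote clients are almost always behind NAT; the thread's fix re-enables NAT-T.
    if re.search(r"^no crypto isakmp nat-traversal", config, re.M):
        findings.append("NAT traversal disabled ('no crypto isakmp nat-traversal')")
    if not re.search(r"^crypto isakmp enable \S+", config, re.M):
        findings.append("ISAKMP not enabled on any interface")
    if not re.search(r"^crypto map \S+ interface \S+", config, re.M):
        findings.append("no crypto map bound to an interface")
    # Every remote-access tunnel-group should carry a pre-shared key in its ipsec-attributes.
    for tg in re.findall(r"^tunnel-group (\S+) type remote-access", config, re.M):
        pattern = rf"^tunnel-group {re.escape(tg)} ipsec-attributes\n(?: .*\n)*? pre-shared-key \S+"
        if not re.search(pattern, config, re.M):
            findings.append(f"tunnel-group {tg}: no pre-shared-key under ipsec-attributes")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {check_remote_access_ikev1(cfg) or ['OK']}")
```

Run on the original snippet it reports the three findings the answers raise; run on the fixed snippet it reports nothing. The check is purely textual: it confirms the firewall side offers what the answer prescribes, but whether phase 1 then completes still depends on the proposal the client sends, which only a live debug shows.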
