Cisco client 4.6 - PIX-506e remote access

Unanswered Question
May 15th, 2007

I'm trying to get VPN remote access working.

I used the example in http://cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html#wp1076294 as a template; my resulting config file is attached, as is my client profile.

When I try to attach with the VPN client software I get the following error:

Cisco Systems VPN Client Version 4.6.00.0045
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client

1 11:49:25.821 05/14/07 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

2 11:49:25.821 05/14/07 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

At this point I'm kind of at a loss; this seems to imply that the basic connectivity is corrupt, but I can get internet traffic through the firewall.


Or is the client complaining about the security parameters I've set in the PIX?

Any advice? Is there a way to enable a log at the PIX to see what it thinks is happening?

Thanks,

dpm




acomiskey Tue, 05/15/2007 - 06:51
User Badges:
  • Green, 3000 points or more

try this...


crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

ddidpm506 Tue, 05/15/2007 - 07:21

I did so; the client now reports an authentication failure. It obviously got a lot further; what's the problem with my original setup?


Here's the isakmp log from the PIX:

ISAKMP Debug Log:
-------------------------------------------------------------------------
08:09:11.012 UTC Tue May 15 2007, peer 216.178.86.111, DELETE_ALL_SPIS
08:09:10.012 UTC Tue May 15 2007, peer 216.178.86.111, ISAKMP_DISCONNECTED
08:09:09.962 UTC Tue May 15 2007, peer 216.178.86.111, MALFORMED_PAYLOAD (mess_id 3601719422)
08:09:09.152 UTC Tue May 15 2007, peer 216.178.86.111, P2_RETRAN (3) (mess_id 3601719422)
08:09:04.152 UTC Tue May 15 2007, peer 216.178.86.111, P2_RETRAN (2) (mess_id 3601719422)
08:08:59.152 UTC Tue May 15 2007, peer 216.178.86.111, P2_RETRAN (1) (mess_id 3601719422)
08:08:54.152 UTC Tue May 15 2007, peer 216.178.86.111, ISAKMP_CONNECTED
08:08:54.152 UTC Tue May 15 2007, peer 216.178.86.111, P1_DONE
08:08:54.152 UTC Tue May 15 2007, peer 216.178.86.111, DELETE_ALL_SPIS
08:08:54.152 UTC Tue May 15 2007, peer 216.178.86.111, INITIAL_CONTACT_RCVD
08:08:52.602 UTC Tue May 15 2007, peer 216.178.86.111, P1_RESP


In the original procedure step 6 it said:

Note Configure the authentication server with the vendor-specific acl=acl_ID identifier to specify the access-list ID. In this example, the access-list ID is 100. The entry in the authentication server would then be acl=100.


I condensed this into one access-list statement because I don't want to restrict the traffic on the VPN:

access-list 100 permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

I have 2 questions:

1. Will my access-list statement work?

2. I'm not clear on the "Note" above. My RADIUS server is the one built into Windows Server 2003. I can specify a RADIUS client, and "Cisco" is on the list. If I choose "Cisco", does that simply mean that the access-list ID should also be "Cisco", or is it more complicated than that?


Thanks,

dpm


acomiskey Tue, 05/15/2007 - 07:41
User Badges:
  • Green, 3000 points or more

access-list 100 is not doing anything that I can see. The acl that has anything to do with the vpn at all is 80 and does your nat exemption with these commands. These look good.


access-list 80 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 80


As far as your radius server goes, I assume you are talking about IAS? All you have to do in IAS is create a new client. That configuration is pretty straightforward. Enter a friendly name, which can be anything, an ip address which would be the inside address of the ASA. Use Radius Standard for Client-Vendor, not Cisco. Also enter a shared secret. You then must create a Remote Access Policy which defines the connection attributes and specify to Grant Remote Access Permission. Here is the doc for pix/asa 7 but it covers the IAS configuration which is the same and is easier than me typing it all out.


A good place to look at when you are trying to authenticate to your IAS/AD machine is your Event Viewer, under System. The authentication requests will show in there and help you troubleshoot.


http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml#configuringthemicrosoftserverwithias


oh, and acl 100 is not needed you can get rid of it.

ddidpm506 Tue, 05/15/2007 - 08:28

Good stuff! This seems to work.


If I may impose on your patience for two more questions:


1. What was wrong with my original isakmp policies:

isakmp policy 8 authentication pre-share
isakmp policy 8 encryption aes
isakmp policy 8 hash sha
isakmp policy 8 group 5


2. The client can't access the internet through the VPN; how do I route that traffic to the outside interface?


Thanks for all your help.


Regards,

dpm



acomiskey Tue, 05/15/2007 - 09:13
User Badges:
  • Green, 3000 points or more

1. Honestly I'm not sure.


2. For internet access while connected to the vpn you will have to set up split tunneling. What this will do is define a policy for what traffic will be encrypted on the vpn. In your case anything to 192.168.0.0 will be encrypted, anything else (internet) will not be and you will be able to simultaneously access the internet. It has nothing to do with routing. You will see the difference in your vpn client while connected under Status -> Statistics -> Route Details. Without split tunnel you will only see 0.0.0.0 under secured routes. When split tunnel is set up you will only see 192.168.0.0 under secured routes, meaning everything else is unsecured and not part of the vpn.


access-list split_tunnel permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
vpngroup ddiremote split-tunnel split_tunnel


Please rate posts if they helped.
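To make the Route Details point concrete, here is an added example (not from the thread or from Cisco) that reads the two split-tunnel lines above, derives the secured routes the client would receive, and classifies a few destinations as "secured" (sent through the tunnel) or "clear" (sent straight out of the laptop's local interface). The full-tunnel sample config, the group name handling and the destination addresses are constructed assumptions; the split-tunnel ACL is interpreted from the PIX side, so each permit entry's source network is what gets pushed to the client.

```python
import ipaddress

# Constructed sample: the split-tunnel configuration from the reply above.
SPLIT_CONFIG = """\
access-list split_tunnel permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
vpngroup ddiremote split-tunnel split_tunnel
"""

# Constructed sample: the same group with no split-tunnel ACL at all (full tunnel).
FULL_CONFIG = """\
vpngroup ddiremote address-pool vpnpool
"""


def _acl_source(tokens):
    """Source network of a PIX 6.3 ACL entry: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)


def secured_routes(config_text, group):
    """Networks the client will protect for this vpngroup.

    Each permit entry's *source* is a protected network pushed to the client.
    With no split-tunnel ACL on the group the client secures everything (0.0.0.0/0)."""
    acl_name = None
    for line in config_text.splitlines():
        t = line.split()
        if t[:1] == ["vpngroup"] and len(t) >= 4 and t[1] == group and t[2] == "split-tunnel":
            acl_name = t[3]
    if acl_name is None:
        return [ipaddress.ip_network("0.0.0.0/0")]
    routes = []
    for line in config_text.splitlines():
        t = line.split()
        if t[:3] == ["access-list", acl_name, "permit"]:
            routes.append(_acl_source(t[4:]))  # t[3] is the protocol ('ip')
    return routes


def classify(dest_ip, routes):
    """'secured' if the destination falls inside a pushed route, else 'clear'."""
    addr = ipaddress.ip_address(dest_ip)
    return "secured" if any(addr in r for r in routes) else "clear"


def route_details(config_text, group, destinations):
    """Mimic the client's Status -> Statistics -> Route Details view for some destinations."""
    routes = secured_routes(config_text, group)
    return {"secured_routes": [str(r) for r in routes],
            "decisions": {d: classify(d, routes) for d in destinations}}


if __name__ == "__main__":
    # 198.51.100.7 is a constructed "internet" address (documentation range).
    for label, cfg in (("split tunnel", SPLIT_CONFIG), ("full tunnel", FULL_CONFIG)):
        print(label, route_details(cfg, "ddiremote", ["192.168.0.25", "198.51.100.7"]))
```

With the split-tunnel ACL in place only 192.168.0.0/24 is secured and the internet destination leaves the laptop unencrypted; without it the secured route is 0.0.0.0/0, every packet goes to the PIX, and whether the internet destination is then reachable depends entirely on what the headend does with it.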

ddidpm506 Tue, 05/15/2007 - 09:59

You said: "In your case anything to 192.168.0.0 will be encrypted, anthing else (internet) will not be and you will be able to simultaneously access the internet."


Well, no: when I'm connected to the VPN I want ALL traffic to go through it.


Example: I'm in an airport connected to an unsecured wireless router, and I want to check my email; I want that traffic encrypted!


Regards,

dpm


acomiskey Tue, 05/15/2007 - 10:10
User Badges:
  • Green, 3000 points or more

You did ask how to get the vpn client to access the internet.


If you are concerned about security you should not use split tunnel and should disconnect from the vpn when you want to use the internet.


Where's your mail server? If it is in your network then yes this would be encrypted, but if you wanted to browse www.google.com for example, this traffic can not be encrypted. There is an option in pix/asa version 7 which allows you to bounce vpn client internet traffic off the outside interface of the firewall, so in that case the traffic would be encrypted as far as the firewall, then the client would be nat'ed and the traffic would be cleartext to the internet. The return traffic would be encrypted from the firewall to the client. Hope that makes sense.

ddidpm506 Tue, 05/15/2007 - 10:35

"If you are concerned about security you should not use split tunnel and should disconnect from the vpn when you want to use the internet."


Well, I'm confused: I *AM* concerned with security, that's why I'm using a VPN. If I could trust the local network I wouldn't need a VPN. I can set up the Microsoft RAS server to send all traffic down the VPN pipe, and then route any non-local traffic out to the default gateway at the server. I assumed that the PIX was able to do the same thing.


Are you implying that at the PIX it's impossible to NAT any traffic not destined for 192.168.0.0 out to the outside interface?


Regards,

dpm


acomiskey Tue, 05/15/2007 - 10:37
User Badges:
  • Green, 3000 points or more

I added to my previous post. I think that answers at least one of your questions concerning NAT.

ddidpm506 Tue, 05/15/2007 - 10:48

You got it. My mail server is at an internet address.


"There is an option in pix/asa version 7 which allows you to bounce vpn client internet traffic off the outside interface of the firewall, so in that case the traffic would be encrypted as far as the firewall, then the client would be nat'ed and the traffic would be cleartext to the internet. The return traffic would be encrypted from the firewall to the client."


This is EXACTLY what I want, but I bought a PIX-506e which is running version 6.3.


So, did I buy the wrong thing? Can version 7 be loaded onto a 506e?


Regards,

dpm


acomiskey Tue, 05/15/2007 - 10:52
User Badges:
  • Green, 3000 points or more

Sorry,


The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.


http://cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a0080688c71.html#wp43534


http://cisco.com/en/US/products/sw/secursw/ps2120/products_upgrade_guides09186a0080369ee2.html#wp1032446


Another option you may have is to have an internal proxy server, not ideal probably, but an option.


ddidpm506 Tue, 05/15/2007 - 11:00

OK, let's consider falling back to Microsoft RAS.


With my old router I just specified port forwarding to point connection requests on a specific port to a specific internal IP address. May I assume that this can also be done with the PIX? And if so, can you point me to the commands that I'd need to enable it? Access-list, perhaps?


Thanks,

dpm


acomiskey Tue, 05/15/2007 - 11:07
User Badges:
  • Green, 3000 points or more

static (inside,outside) netmask 255.255.255.255

access-list outside_in permit any host eq

access-group outside_in in interface outside


ex.

static (inside,outside) tcp 1.1.1.1 80 192.168.0.10 80 netmask 255.255.255.255
access-list outside_in permit tcp any host 1.1.1.1 eq 80
access-group outside_in in interface outside


If is the outside address of pix then you would substitute the keyword "interface" in your static statement like so...


static (inside,outside) tcp interface 80 192.168.0.10 80 netmask 255.255.255.255


or if you wanted to forward port 80 to inside port 8080


static (inside,outside) tcp 1.1.1.1 80 192.168.0.10 8080 netmask 255.255.255.255
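The port-forward above only works when both halves are present: the static defines the translation and the access-list applied inbound on outside permits the flow, which is otherwise dropped because it arrives on the lower-security interface. The following added example (not from the thread or from Cisco) models that decision for a single inbound connection using PIX 6.3 semantics, where the inbound ACL is matched against the mapped (outside) address. The configuration text, the outside address 1.1.1.1 and the source address 203.0.113.5 are the constructed samples from the reply plus documentation-range addresses; the "interface" keyword is resolved through a hypothetical outside_ip parameter.

```python
import ipaddress

# Constructed sample: the port-forward from the reply (80 outside -> 8080 inside).
PIX_CONFIG = """\
static (inside,outside) tcp 1.1.1.1 80 192.168.0.10 8080 netmask 255.255.255.255
access-list outside_in permit tcp any host 1.1.1.1 eq 80
access-group outside_in in interface outside
"""


def _parse_addr(tokens, i):
    """Read one PIX 6.3 ACL address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text, outside_ip):
    """Collect static translations, ACL entries and access-group bindings."""
    statics, acls, bindings = [], {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static" and t[2] in ("tcp", "udp"):
            # static (real,mapped) PROTO MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask MASK
            mapped_ip = outside_ip if t[3] == "interface" else t[3]  # 'interface' keyword
            statics.append({"proto": t[2], "mapped_ip": mapped_ip, "mapped_port": int(t[4]),
                            "real_ip": t[5], "real_port": int(t[6])})
        elif t[0] == "access-list":
            # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(t[1], []).append({"action": t[2], "proto": t[3],
                                              "src": src, "dst": dst, "port": port})
        elif t[0] == "access-group":
            # access-group NAME in interface IFNAME  ->  (IFNAME, 'in') -> NAME
            bindings[(t[4], t[2])] = t[1]
    return statics, acls, bindings


def inbound(config_text, outside_ip, proto, src_ip, dst_ip, dst_port):
    """Decide what the PIX does with a connection arriving on 'outside'.

    Both a static and a permitting inbound ACL are required; the ACL is matched
    against the mapped address (pre-8.3 behaviour) and a missing ACL means the
    default deny for traffic from a lower-security interface applies."""
    statics, acls, bindings = parse_config(config_text, outside_ip)
    xlate = next((s for s in statics if s["proto"] == proto and s["mapped_ip"] == dst_ip
                  and s["mapped_port"] == dst_port), None)
    if xlate is None:
        return ("dropped", "no static translation for this mapped address/port")
    acl_name = bindings.get(("outside", "in"))
    if acl_name is None:
        return ("dropped", "no ACL applied inbound on outside; default deny")
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acls.get(acl_name, []):       # first match wins, as on the PIX
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dst_port:
            continue
        if ace["action"] == "permit":
            return ("permitted", xlate["real_ip"], xlate["real_port"])
        return ("dropped", f"explicit deny in {acl_name}")
    return ("dropped", f"no match in {acl_name} (implicit deny)")


if __name__ == "__main__":
    print(inbound(PIX_CONFIG, "1.1.1.1", "tcp", "203.0.113.5", "1.1.1.1", 80))
    print(inbound(PIX_CONFIG, "1.1.1.1", "tcp", "203.0.113.5", "1.1.1.1", 443))
```

The model is also a useful sanity check when reviewing a config: a static with no matching access-group still exposes nothing, and an ACL entry written against the inside address (192.168.0.10) instead of the mapped one never matches on a 6.3 PIX.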



ddidpm506 Wed, 05/16/2007 - 04:55

Thanks - this was very helpful.


I had to add:


fixup protocol pptp 1723


Now it's working just like before.


Thanks again for your help. I can't say that the command reference is intuitive, so your advice really helped.


Regards,

dpm


sdesteuben Mon, 07/02/2007 - 19:14

1. I would guess you were using des and sha, which doesn't seem to work for me. If I use des then I use md5, and if I use 3des I use sha. Not sure exactly why, but that's how I've always done it and it's worked.


2. Can't you just split tunnel it?
