Newbie making VPN with 506E

jpenney
Level 1

Hi,

I am untrained in Cisco but 20 year IT experience with some Unix, Linux, Windows mix.

I am setting up a 506E VPN to allow users with Cisco VPN client software to connect.

I have gone through a couple of training videos and I'm looking for some examples now of configs and steps to configure this.

My network is very simple, I have a DSL connection coming through a Linksys router (I'll be putting an 1800 up there soon, but not yet), I'll be attaching the outside firewall interface right to the linksys, I'll be attaching the inside firewall interface directly to my single LAN hub. All PC's and servers have home runs to the hub.

Remote clients are coming across public internet connections.

Thanks for any help you can give.

P.S. - My Cisco reports that it has a Restricted (R) license, and some of the commands from the video I watched don't seem to be available, like "group-policy" - could these be related, do I need to enter a license number or something?

JP

13 Replies

acomiskey
Level 10

The group-policy command you are referring to is only available on pix version 7. You are running pix 6.3.

Here is the config guide for 6.3 which should get you started with your vpn.

http://cisco.com/en/US/docs/security/pix/pix63/configuration/guide/config.html

jpenney
Level 1

mark.j.hodge
Level 3

As the environment you are working in is very straightforward, you should be able to use the Cisco VPN wizard. You may need to enable PDM on the inside interface, and then just point a web browser at the firewall.

The only issue I can see is with the DSL, does the linksys router perform NAT, and if not is your internet IP address static or dynamic?

We have one static IP address, the linksys is performing NAT. Thank you for your help on this.

One thing - This whole deal is on a test network, with no connections to the world. I have the two external firewall interfaces connected to a little switch (that would be the internet/PSTN in the real world), the inside interfaces are connected to separate vlans on a catalyst 2950, and the server and test PC I'm using are each connected to those vlans. On the server, I'm trying to load PDM. The Win2K3 server is straight off the CD, no service packs, nothing. IE is version 6.0.3790.0.

The PDM doesn't seem to be loading. Is there any hope for me without connecting this thing to the web?

Thanks again.

Here's a diagram:

JP

I'm a little confused here, initially you asked for information on VPN client setup. The more recent post mentions two external interfaces, do you mean two separate firewalls, as the 506E only has two interfaces? If so you are looking at a VPN tunnel, not a VPN client setup.

Either way you should be able to test this in your lab environment.

If you are trying to setup a VPN client ( client to network ) connect the outside interface of the 506E to your "internet" switch, connect the client PC onto this switch as well. Connect the inside interface to the same VLAN as your server.

Ensure the PC can "see" the firewall outside interface, ping the interface, don't be surprised if you don't get a response, but check the arp cache of the PC to see if the MAC address of the outside interface is there.

The server should be able to ping the inside interface and open PDM. If this isn't working, run the "sh ver" command on the firewall to ensure pdm is installed, if so enable pdm with the "http server enable" command followed by the "http 255.255.255.255 inside" command, where ipaddress is the address of your server.

You will need to have Java installed on the server, but read the messages as PDM is very fussy about the version, and there can be compatibility issues.

If it is a VPN tunnel ( network to network ) you are looking for then both Firewall outside interfaces should be connected to the "internet". Make sure each firewall has a default gateway of its peer.

The two inside interfaces should be connected to separate VLANs, and the server and client PC should be able to connect via PDM to their relevant firewall.

I'm lucky enough to have 2 firewalls to work with, so I have them set up as if they were in different sites - simulating both ends of the WAN connection. I'm setting up a VPN client, not a tunnel because normally I won't have control of the other firewall. Thanks for your help.

jpenney
Level 1

OK, it looks like PDM isn't going to run on my server. Until I can figure out how to get my test network connected to the internet without screwing up life for my normal users, I'm going to try to configure this by hand. Does anyone have a simple running VPN configuration you can post here?

thanks,

JP

jpenney
Level 1

Thanks to all the help from you all, I think I'm getting there - I have the client giving different responses for different configurations, which I'm assuming means I'm at least communicating with the firewall.

I've done a VPN setup on the firewall from an example configuration.

In order to simplify things, now I've tried to connect my client PC to the same network as the outside interface of my PIX. So the client ip is now 200.1.1.55, and the outside interface of the pix is 200.1.1.2.

Also, for now, I've opened up(?) ip, udp and tcp (permit ip any any) and I'll nail those down after I get everything working.

Here is the VPN client configuration:

Version 4.6.00.0049
Host=200.1.1.2
Transport=IPSec/TCP
Using Group Authentication
Enable Transparent Tunneling
IPSec over TCP, TCP Port: 10000
Peer response timeout (seconds): 90

I'm entering vpn3000 as the username, and the password I set for the vpn3000 group.

---------------------------------

Here is the PIX configuration:

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ...
passwd ...
hostname ...
domain-name ...
fixup protocol ...
... (edited for space, these are all standard fixup statements)
fixup protocol tftp 69
names
access-list inbound permit tcp any host 200.1.1.2 eq www
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit tcp any host 200.1.1.2 eq www
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any any
access-list 102 permit ip any any
access-list 102 permit udp any any
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging buffered errors
logging trap notifications
icmp deny host 200.1.1.2 outside
mtu outside 1500
mtu inside 1500
ip address outside 200.1.1.2 255.255.255.0
ip address inside 192.168.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool test 192.168.2.101-192.168.2.199
pdm location 192.168.2.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.2.1 www netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
...(aaa statements edited for space)
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.2.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set transset1 esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set transset1
crypto map remotemap 10 ipsec-isakmp dynamic dynmap
crypto map remotemap client configuration address initiate
crypto map remotemap client configuration address respond
crypto map remotemap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local test outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool test
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password xxxxxxx
... (edited for space)

I've found the VPN Client debug log, so I'm able to watch the connection attempt. It dies at line 29, with the message "Unable to establish Phase 1 SA with server '200.1.1.2' because of 'DEL_REASON_PEER_NOT_RESPONDING'".

I see in line 15 that it does something with ISAKMP...

Then in line 16 I see a message "Bad cTCP trailer, Rsvd 26988, Magic# 3c396272h, trailer len 47, MajorVer 49, MinorVer 62"

Any tips? Thanks.

----------------------

Good News,

I changed my client to connect on IPSec/UDP, and I am now able to reliably make a connection attempt and watch the conversation between my client and my firewall, using debug statements on the firewall and using the log window on the client.

I am getting this message on the firewall "VPN Peer: ISAKMP: Peer Info for 200.1.1.55/500 not found - peers:0" - I'm looking to see if I need a peer statement of some kind now.

The client ends the connection attempt with the message "Unable to establish Phase 1 SA with server "200.1.1.2" because of "DEL_REASON_PEER_NOT_RESPONDING"".

Getting there...

It seems to be working now. Thank you thank you thank you all. I'll post my config, since it's on a test network it's a good example.

Except that...

The VPN seems to be connecting, in that I get a locked symbol on the cisco client, but I can't ping or otherwise connect the machine that's on the "server" network, even by ip address.

One thing I've noticed is my default gateway on the cisco vpn network interface (client) is wrong. Here's my ipconfig after I've connected:

Ethernet adapter Local Area Connection:
Connection-specific...:
IP Address...: 192.168.3.13
Subnet Mask...:255.255.255.0
Default Gateway...:192.168.3.254

(this is the cisco vpn client below)

Ethernet adapter Local Area Connection 2:
Connection-specific...:
IP Address... : 192.168.2.101
Subnet Mask...:255.255.255.0
Default Gateway...:192.168.2.101

I'll post my firewall config in a few minutes.

Here's the config for my "server" network firewall:

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname pixfirewall2
domain-name my-turn.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit tcp any host 200.1.1.2 eq www
access-list 102 permit tcp any host 200.1.1.2 eq www
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit udp 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging buffered errors
logging trap notifications
mtu outside 1500
mtu inside 1500
ip address outside 200.1.1.2 255.255.255.0
ip address inside 192.168.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool internetpool 200.1.1.101-200.1.1.120
ip local pool test 192.168.2.101-192.168.2.199
pdm location 192.168.2.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.2.1 www netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool test
vpngroup vpn3000 default-domain MyTurnTest.local
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 10
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username administrator password xxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxxx
: end

Here's the config for my "client" network firewall (note the inside address is 192.168.3.254, as I was questioning whether it made sense to have the same ip on the cisco interface as my local interface, if I want to use the local network):

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname pixfirewall1
domain-name my-turn.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any
access-list outside permit tcp any any
access-list outside permit udp any any
access-list outside permit ip any any
pager lines 40
icmp deny host 200.1.1.2 outside
icmp deny host 200.1.1.1 outside
mtu outside 1500
mtu inside 1500
ip address outside 200.1.1.1 255.255.255.0
ip address inside 192.168.3.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.3.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username administrator password xxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxx
: end
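As an added example (not from the thread, and not a Cisco tool): a small Python lint that reads PIX 6.3 config lines like the ones posted above and reports which client-VPN prerequisites are missing and which lab-only settings should not reach production (the "permit ip any any" outside ACL, the "public" SNMP community, and the absence of per-user XAUTH via "crypto map ... client authentication"). The config excerpt is constructed from the posted "server" config; the check names and finding strings are my own.

```python
import re

# Constructed excerpt modelled on the "server" PIX 6.3 config posted in the thread.
SAMPLE = """\
access-list 102 permit ip any any
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool test 192.168.2.101-192.168.2.199
nat (inside) 0 access-list nonat
access-group 102 in interface outside
snmp-server community public
sysopt connection permit-ipsec
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
vpngroup vpn3000 address-pool test
"""

def lint_pix_vpn(text):
    """Return findings (MISSING/ERROR/RISK strings) for a PIX 6.3 client-VPN config."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.startswith(":")]
    has = lambda pat: any(re.match(pat, l) for l in lines)
    names = lambda pat: {m.group(1) for m in map(lambda l: re.match(pat, l), lines) if m}
    f = []
    # Pieces the Cisco VPN Client needs to complete Phase 1 and Phase 2 on the outside interface.
    if not has(r"isakmp enable outside"):
        f.append("MISSING: isakmp enable outside")
    if not has(r"isakmp policy \d+ authentication pre-share"):
        f.append("MISSING: isakmp policy with pre-shared authentication")
    if not has(r"sysopt connection permit-ipsec"):
        f.append("MISSING: sysopt connection permit-ipsec (decrypted traffic would hit the outside ACL)")
    if not names(r"crypto map (\S+) interface outside") & names(r"crypto map (\S+) \d+ ipsec-isakmp dynamic"):
        f.append("MISSING: crypto map bound to outside that references a dynamic-map")
    pools = names(r"ip local pool (\S+) ")
    for grp, pool in re.findall(r"^vpngroup (\S+) address-pool (\S+)$", "\n".join(lines), re.M):
        if pool not in pools:
            f.append(f"ERROR: vpngroup {grp} uses undefined pool {pool}")
    if not names(r"nat \(inside\) 0 access-list (\S+)") & names(r"access-list (\S+) permit "):
        f.append("MISSING: nat (inside) 0 access-list exempting VPN traffic from NAT")
    # Settings that get a lab connection working but should not survive into production.
    for acl in names(r"access-group (\S+) in interface outside"):
        if has(rf"access-list {re.escape(acl)} permit ip any any"):
            f.append(f"RISK: outside ACL {acl} permits ip any any")
    if has(r"snmp-server community public"):
        f.append("RISK: default SNMP community 'public'")
    if not has(r"crypto map \S+ client authentication "):
        f.append("RISK: no per-user (XAUTH) authentication; the group password alone admits clients")
    return f
```

Run it over a saved "write terminal" capture (after stripping the passwords) to get a checklist before the firewall goes in front of real users.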
