Cisco Pix 501 - VPN Configuration Not Working

glengillman
Level 1

I have a simple network; everything on my PIX is working except VPN access. I do not have a DNS server. I set up some users in the PIX local database and wanted to use either PPTP or the Cisco client. I of course prefer the Cisco client, but right now I'm desperate for anything to work.

Here's my current configuration; if you can help I would appreciate it. When I launch the Cisco client and try to hit the PIX it just doesn't succeed at all: it fails immediately, not even prompting for a password.

Here's my config:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname topper
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.150 web-server
object-group service mailserver tcp
  description email server
  port-object eq ident
  port-object eq pop3
  port-object eq imap4
  port-object eq www
  port-object eq https
  port-object eq smtp
  port-object range 135 135
object-group service vpnudp udp
  description vpn udp
  port-object range 1701 1701
  port-object range isakmp isakmp
object-group service pptpgroup tcp
  port-object eq 1723
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit gre any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip host web-server 192.168.1.200 255.255.255.248
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 172.6.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.6.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 172.6.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp any any eq 3389
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list splitTunnelAclRA permit ip 192.168.1.0 255.255.255.0 172.6.10.0 255.255.255.0
access-list airbuds_splitTunnelAcl permit ip 172.6.10.0 255.255.255.0 any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside **.**.**.** 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool arlington-test 192.168.1.50
ip local pool TOPPER 192.168.1.201-192.168.1.205
ip local pool VPN_DHCP 192.168.1.210-192.168.1.230
ip local pool VPNPool 172.6.10.1-172.6.10.254
pdm location 0.0.0.0 255.0.0.0 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 192.168.1.192 255.255.255.224 outside
pdm location web-server 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.1.200 255.255.255.248 outside
pdm location 192.168.1.200 255.255.255.255 inside
pdm location 192.168.1.192 255.255.255.192 outside
pdm location 172.6.10.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable

(cont on next post...)


glengillman
Level 1

(configuration cont...)

arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www web-server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.200 pptp netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 96.226.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup airbuds address-pool VPNPool
vpngroup airbuds dns-server 68.238.96.12 68.238.112.12
vpngroup airbuds wins-server 192.168.1.1
vpngroup airbuds split-tunnel splitTunnelAclRA
vpngroup airbuds idle-time 1800
vpngroup airbuds password ********
vpngroup VpnPool idle-time 1800
vpdn username glen password *********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 68.x.x.12 68.238.112.12
dhcpd lease 1382400
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username admin password xxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxx

Looks like your IPsec transform set needs a little love.

Check out the sample config:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

Also, I would suggest upgrading to PIX OS 6.3(5). It is much more stable than 6.2. I would also suggest getting a 3DES key and installing that.

-brad

www.ccbootcamp.com

(please rate the post!)
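As an added example (not part of this thread and not a Cisco tool), here is a small Python checker for the class of mistake the reply above points at: a `crypto map` or `crypto dynamic-map` line that references a transform set, access-list, address pool or dynamic map that is never defined anywhere in the config. The embedded sample is constructed from the VPN-relevant lines of the posted configuration (public address elided as in the post); the checker itself, its finding strings and the `WEAK_CIPHERS` set are my own assumptions, and it only understands the handful of PIX 6.x commands listed in `parse`, not the full grammar.

```python
"""Lint a Cisco PIX 6.x config for dangling VPN references.

Hypothetical checker written for this thread (not a Cisco tool).
It verifies that every object a crypto map, dynamic map, nat 0,
access-group or vpngroup points at is actually defined, that every
vpngroup carries a group password, and it flags single DES (the reply
suggests installing the 3DES activation key instead).
"""
from collections import defaultdict

# IKE / ESP cipher keywords treated as weak (assumption for this example).
WEAK_CIPHERS = {"des", "esp-des"}

# Constructed sample: the VPN-relevant lines of the config posted in this
# thread. Note there is no "crypto ipsec transform-set" line at all.
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip any 172.6.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 172.6.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit tcp any any eq 3389
access-list inbound permit tcp any any eq www
access-list splitTunnelAclRA permit ip 192.168.1.0 255.255.255.0 172.6.10.0 255.255.255.0
access-list airbuds_splitTunnelAcl permit ip 172.6.10.0 255.255.255.0 any
ip local pool VPNPool 172.6.10.1-172.6.10.254
nat (inside) 0 access-list inside_outbound_nat0_acl
access-group inbound in interface outside
sysopt connection permit-ipsec
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
vpngroup airbuds address-pool VPNPool
vpngroup airbuds split-tunnel splitTunnelAclRA
vpngroup airbuds password ********
vpngroup VpnPool idle-time 1800
"""


def parse(config):
    """Collect which named objects are defined, which are referenced,
    which ciphers are configured, and which attributes each vpngroup has."""
    defined = defaultdict(set)      # object kind -> names defined
    referenced = defaultdict(set)   # object kind -> names referenced
    ciphers = set()                 # IKE / ESP cipher keywords seen
    vpngroups = defaultdict(set)    # vpngroup name -> attributes set on it
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "access-list":
            defined["access-list"].add(w[1])
        elif w[0] == "access-group":
            referenced["access-list"].add(w[1])
        elif w[:3] == ["ip", "local", "pool"]:
            defined["pool"].add(w[3])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            defined["transform-set"].add(w[3])
            ciphers.update(w[4:])
        elif w[:2] in (["crypto", "map"], ["crypto", "dynamic-map"]):
            kind = "crypto-map" if w[1] == "map" else "dynamic-map"
            defined[kind].add(w[2])
            rest = w[3:]                          # tokens after the map name
            if "dynamic" in rest:
                referenced["dynamic-map"].add(rest[rest.index("dynamic") + 1])
            if rest[1:3] == ["match", "address"]:
                referenced["access-list"].add(rest[3])
            if rest[1:3] == ["set", "transform-set"]:
                referenced["transform-set"].update(rest[3:])
        elif w[0] == "nat" and "access-list" in w:
            referenced["access-list"].add(w[w.index("access-list") + 1])
        elif w[:2] == ["isakmp", "policy"] and len(w) > 4 and w[3] == "encryption":
            ciphers.add(w[4])
        elif w[0] == "vpngroup" and len(w) > 2:
            vpngroups[w[1]].add(w[2])
            if w[2] == "address-pool":
                referenced["pool"].add(w[3])
            elif w[2] == "split-tunnel":
                referenced["access-list"].add(w[3])
    return defined, referenced, ciphers, vpngroups


def check(config):
    """Return a list of human-readable findings for the config text."""
    defined, referenced, ciphers, vpngroups = parse(config)
    findings = []
    for kind in ("access-list", "pool", "transform-set", "dynamic-map"):
        for name in sorted(referenced[kind] - defined[kind]):
            findings.append(f"{kind} '{name}' is referenced but never defined")
    for name in sorted(defined["access-list"] - referenced["access-list"]):
        findings.append(f"access-list '{name}' is defined but never applied")
    for name, attrs in sorted(vpngroups.items()):
        if "password" not in attrs:
            findings.append(f"vpngroup '{name}' has no password (group pre-shared key)")
    for c in sorted(ciphers & WEAK_CIPHERS):
        findings.append(f"weak cipher '{c}' in use (single DES)")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the first finding is that `outside_dyn_map` sets transform set `ESP-DES-SHA` while no `crypto ipsec transform-set ESP-DES-SHA ...` line exists in either half of the posted config, which is exactly the line a working remote-access setup needs before the dynamic map can negotiate phase 2. It also reports the `VpnPool` vpngroup that carries only an idle-time, the two access-lists (`outside_access_in`, `airbuds_splitTunnelAcl`) that nothing applies, and single DES in the ISAKMP policy. Appending a transform-set definition to the sample clears the dangling reference, though an `esp-des` definition will in turn be flagged as weak.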