11-29-2007 07:10 PM
I have a simple network, everything on my pix is working, except VPN access. I do not have a DNS server, I set up some users on the pix database and wanted to either use PPTP or Cisco client. I of course prefer the cisco client, but right now I'm desperate for anything to work.
Here's my current configuration, if you can help I would appreciate it. When I launch the cisco client and try to hit the pix it just doesn't succeed at all, fails immediately, not even prompting for a password.
Here's my config:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname topper
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.150 web-server
object-group service mailserver tcp
description email server
port-object eq ident
port-object eq pop3
port-object eq imap4
port-object eq www
port-object eq https
port-object eq smtp
port-object range 135 135
object-group service vpnudp udp
description vpn udp
port-object range 1701 1701
port-object range isakmp isakmp
object-group service pptpgroup tcp
port-object eq 1723
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit gre any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip host web-server 192.168.1.200 255.255.255.248
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 172.6.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.6.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 172.6.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp any any eq 3389
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list splitTunnelAclRA permit ip 192.168.1.0 255.255.255.0 172.6.10.0 255.255.255.0
access-list airbuds_splitTunnelAcl permit ip 172.6.10.0 255.255.255.0 any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside **.**.**.** 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool arlington-test 192.168.1.50
ip local pool TOPPER 192.168.1.201-192.168.1.205
ip local pool VPN_DHCP 192.168.1.210-192.168.1.230
ip local pool VPNPool 172.6.10.1-172.6.10.254
pdm location 0.0.0.0 255.0.0.0 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 192.168.1.192 255.255.255.224 outside
pdm location web-server 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.1.200 255.255.255.248 outside
pdm location 192.168.1.200 255.255.255.255 inside
pdm location 192.168.1.192 255.255.255.192 outside
pdm location 172.6.10.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
(cont on next post...)
11-29-2007 07:12 PM
(configuration cont...)
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www web-server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.200 pptp netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 96.226.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup airbuds address-pool VPNPool
vpngroup airbuds dns-server 68.238.96.12 68.238.112.12
vpngroup airbuds wins-server 192.168.1.1
vpngroup airbuds split-tunnel splitTunnelAclRA
vpngroup airbuds idle-time 1800
vpngroup airbuds password ********
vpngroup VpnPool idle-time 1800
vpdn username glen password *********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 68.x.x.12 68.238.112.12
dhcpd lease 1382400
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username admin password xxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxx
12-01-2007 12:54 PM
Looks like your ipsec transform set needs a little love.
check out the sample config:
Also, I would suggest upgrading to PIX OS 6.3(5). It is much more stable than 6.2. I would also suggest getting a 3DES key and installing that.
-brad
(please rate the post!)
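An added config-audit script (written for this page, not part of the thread and not a Cisco tool) that flags the gap brad is pointing at: a crypto map or dynamic map that references a transform set the config never defines with `crypto ipsec transform-set`. The excerpt is constructed from the posted crypto section, and the `ESP-DES-SHA esp-des esp-sha-hmac` definition in `FIXED` is my assumption of the missing line, chosen to match isakmp policy 20 (DES/SHA).

```python
import re

# Minimal PIX 6.x config audit: find transform sets (and crypto ACLs) that a
# "crypto map" / "crypto dynamic-map" entry references but that are never defined.
DEF_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s", re.M)
REF_RE = re.compile(r"^crypto (?:dynamic-map|map) \S+ \d+ set transform-set (.+)$", re.M)
ACL_DEF_RE = re.compile(r"^access-list (\S+) ", re.M)
ACL_REF_RE = re.compile(r"^crypto (?:dynamic-map|map) \S+ \d+ match address (\S+)$", re.M)


def missing_transform_sets(config):
    """Names used in 'set transform-set ...' with no matching definition."""
    defined = set(DEF_RE.findall(config))
    referenced = set()
    for names in REF_RE.findall(config):
        referenced.update(names.split())  # one entry may list several sets
    return sorted(referenced - defined)


def missing_crypto_acls(config):
    """Crypto ACLs named in 'match address' that no access-list line defines."""
    defined = set(ACL_DEF_RE.findall(config))
    return sorted(set(ACL_REF_RE.findall(config)) - defined)


# Constructed excerpt mirroring the thread's crypto section: the dynamic map
# points at ESP-DES-SHA, but no transform set by that name is ever defined.
BROKEN = """\
access-list outside_cryptomap_dyn_20 permit ip 172.6.10.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

# Assumed fix: define the transform set with DES/SHA to match isakmp policy 20.
FIXED = "crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac\n" + BROKEN

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "missing transform sets:", missing_transform_sets(cfg),
              "missing crypto ACLs:", missing_crypto_acls(cfg))
```

Run it against a full `show run` capture to catch dangling references before the first client ever connects; a dangling transform set fails the IPsec negotiation silently, which matches the "fails immediately, no password prompt" symptom in the question.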