I currently have two ASA 5505's in place and to VPN into those i have been using the cisco VPN client 5.0.00.0340. I would love to be able to use this same client to log into my PIX network as well but not manditory, i can get the vpn client to connect to my PIX, it authenticates on the group level, prompts for user info, but just remains at contacting security gateway until it times out. I have been programming (or call myself programming) the PIX using the PDM with an old win 2000 box. hope this is what you were looking for. Any and all help is greatly appreciated

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname catalystpix

domain-name catcomtec.com

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol pptp 47

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

object-group service VPN tcp-udp

port-object eq pim-auto-rp

port-object eq echo

port-object eq kerberos

port-object eq discard

port-object eq sunrpc

port-object eq domain

port-object eq tacacs

port-object eq talk

object-group network VPN1

description IP Addresses of VPN user

network-object 192.168.0.0 255.255.255.0

object-group network Everyone

network-object 192.168.0.0 255.255.255.0

access-list 101 permit tcp any host 216.12.74.100 eq pptp

access-list 101 permit tcp any host 216.12.74.100 eq netbios-ssn

access-list 101 permit udp any host 216.12.74.100 eq netbios-ns

access-list 101 permit udp any host 216.12.74.100 eq netbios-dgm

access-list 101 permit gre any host 216.12.74.100

access-list 101 permit tcp any eq www any eq www

access-list inside_outbound_nat0_acl permit ip object-group Everyone object-group VPN1

access-list inside_outbound_nat0_acl permit ip any 192.168.0.128 255.255.255.224

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any time-exceeded

access-list outside_access_in permit icmp any any unreachable

pager lines 24

logging timestamp

logging trap informational

mtu outside 1500

mtu inside 1500

ip address outside 206.248.243.98 255.255.255.0

ip address inside 192.168.0.1 255.255.255.0

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

ip local pool VPN_POOL 192.168.0.130-192.168.0.145

pdm location 192.168.0.0 255.255.255.0 outside

pdm location 192.168.0.30 255.255.255.255 inside

pdm location 216.178.39.13 255.255.255.255 outside

pdm location 208.65.153.253 255.255.255.255 outside

pdm location 216.178.39.13 255.255.255.255 inside

pdm location 208.65.153.253 255.255.255.255 inside

pdm location 192.168.0.128 255.255.255.224 outside

pdm group VPN1 outside

pdm group Everyone inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 206.248.243.97 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server VPN protocol radius

aaa-server VPN (inside) host 192.168.0.30 catalyst timeout 15

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

sysopt connection permit-l2tp

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 1 set transform-set ESP-AES-256-MD5

crypto dynamic-map outside_dyn_map 21 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication VPN

crypto map outside_map interface outside

crypto map inside_map client authentication VPN

crypto map inside_map interface inside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup demo address-pool VPN_POOL

vpngroup demo idle-time 1800

vpngroup demo password ********

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group catalyst_vpn accept dialin pptp

vpdn group catalyst_vpn ppp authentication pap

vpdn group catalyst_vpn client configuration address local VPN_POOL

vpdn group catalyst_vpn pptp echo 60

vpdn group catalyst_vpn client authentication local

vpdn username test password *********

vpdn username demo password *********

vpdn enable outside

vpdn enable inside

dhcpd address 192.168.0.40-192.168.0.90 inside

dhcpd dns 206.x.x.97 209.145.84.131

dhcpd lease 604800

dhcpd ping_timeout 750

dhcpd domain catcomtec1.com

dhcpd enable inside

username demo password xxx encrypted privilege 15

terminal width 80

Cryptochecksum:xxx

: end

Hi,

vpngroup demo address-pool VPN_POOL

vpngroup demo idle-time 1800

vpngroup demo password ********

If you are using the above vpngroup, that is Group - demo and password - ***** and VPN Client 5.0, then you should not be prompted for a username/password since there is no user authentication configured.

Can you enable "isakmp identity address" on the Pix and try connecting using the VPN Client 5.0.

If you still having issues, can you post the outputs of "deb cry is" and "deb cry ips" from the pix and logs from the VPN Client.

Regards,

Arul

*Pls rate if it helps*

I appreciate your willingness to work with me on this, just not getting very far. i put in the three commands you requested into the PIX and the only feedback that i got was "this command has been sent to the firewall" for each of the entries. I am also pasting what i have in the logs window of my client, which i'm afraid isn't much. its just not making good sense to me. am i making this harder than it has to be? I would like to be able to use the client with the group authentication, user and password both "demo" no further prompts would be nice.

Cisco Systems VPN Client Version 5.0.00.0340

Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 3

Hi,

Can you remove the below command:

crypto map outside_map client authentication VPN

and configure this one and test the connection again.

crypto map outside_map client authentication LOCAL

Regards,

Arul

*Pls rate if it helps*

that helped a lot, it will now let me connect from my pc behind the ASA out to the internet then into the PIX i get authenticated there and get the local ip address of 192.168.0.130 which is the beginning of my ip pool. so far so good. behind the pix i have a machine sitting at 192.168.0.15. I cannot ping from my .130 address to the .15 address. how can i open up the doors so that i am seen as being local to the .15 box?

Hi,

Thanks for the update and rating.

I dont see anything obvious that will block traffic between the VPN Client and the subnet behind the Pix.

Is the 192.168.0.15 a valid host on the network. Can you ping this ip address from the Pix itself. Also, what is the default gateway of this host. And, can you try pinging a different ip address via the vpn client and see if it works. Maybe 192.168.0.40 address, the first one in your DHCP Pool.

Also, if everything looks good, try doing a "clear xlate" and then try the connectivity again through the tunnel.

Regards,

Arul

*Pls rate if it helps*

the machine behind the pix (formerly .15) i have now made DHCP and it was assigned 192.168.0.40 from the PIX. my outside connection coming in is still 192.168.0.130. from the 192.168.0.130, once connected I can ping the outside address of the pix (206.248.243.98) but cannot ping the inside address (192.168.0.1) nor can i ping the machine behind the pix (192.168.0.40)

from the .40 machine, i can ping 192.168.0.1 (inside of pix) but not outside or the .130 address.

from the pix ping command, i can ping 192.168.0.40 but not 192.168.0.130, even though i can go into the monitor feature of the PDM and see there is one tunnel in place.

am i running into something stupid because the machine that is getting a vpn address of 192.168.0.130 has a local address behind the ASA of 192.168.0.52. All subnets for all 192 addresses are using 255.255.255.0