12-03-2008 10:40 AM - edited 02-21-2020 03:08 AM
I am trying to set up my PIX 501e and I am having trouble. I'm trying to set it up as simply as possible: authentication to be done locally on the PIX, just one user is fine, no AAA server. Once in, I want to permit all ports for all traffic. I think I have it set up but I can't seem to log into it. Is there anyone that can help me? I can post my show command if helpful.
12-03-2008 10:57 AM
Hi,
Can you post the configuration along with information on how you are trying to log in? That is, through telnet, SSH, console, VPN, etc.
Regards,
Arul
12-03-2008 11:12 AM
I currently have two ASA 5505's in place and to VPN into those I have been using the Cisco VPN Client 5.0.00.0340. I would love to be able to use this same client to log into my PIX network as well, but it is not mandatory. I can get the VPN client to connect to my PIX; it authenticates on the group level, prompts for user info, but just remains at "contacting security gateway" until it times out. I have been programming (or call myself programming) the PIX using the PDM with an old Win 2000 box. Hope this is what you were looking for. Any and all help is greatly appreciated.
12-03-2008 11:12 AM
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname catalystpix
domain-name catcomtec.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 47
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service VPN tcp-udp
port-object eq pim-auto-rp
port-object eq echo
port-object eq kerberos
port-object eq discard
port-object eq sunrpc
port-object eq domain
port-object eq tacacs
port-object eq talk
object-group network VPN1
description IP Addresses of VPN user
network-object 192.168.0.0 255.255.255.0
object-group network Everyone
network-object 192.168.0.0 255.255.255.0
access-list 101 permit tcp any host 216.12.74.100 eq pptp
access-list 101 permit tcp any host 216.12.74.100 eq netbios-ssn
access-list 101 permit udp any host 216.12.74.100 eq netbios-ns
access-list 101 permit udp any host 216.12.74.100 eq netbios-dgm
access-list 101 permit gre any host 216.12.74.100
access-list 101 permit tcp any eq www any eq www
access-list inside_outbound_nat0_acl permit ip object-group Everyone object-group VPN1
access-list inside_outbound_nat0_acl permit ip any 192.168.0.128 255.255.255.224
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any unreachable
pager lines 24
logging timestamp
logging trap informational
mtu outside 1500
mtu inside 1500
ip address outside 206.248.243.98 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_POOL 192.168.0.130-192.168.0.145
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 192.168.0.30 255.255.255.255 inside
pdm location 216.178.39.13 255.255.255.255 outside
pdm location 208.65.153.253 255.255.255.255 outside
pdm location 216.178.39.13 255.255.255.255 inside
pdm location 208.65.153.253 255.255.255.255 inside
pdm location 192.168.0.128 255.255.255.224 outside
pdm group VPN1 outside
pdm group Everyone inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.248.243.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server VPN protocol radius
aaa-server VPN (inside) host 192.168.0.30 catalyst timeout 15
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
12-03-2008 11:13 AM
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-AES-256-MD5
crypto dynamic-map outside_dyn_map 21 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication VPN
crypto map outside_map interface outside
crypto map inside_map client authentication VPN
crypto map inside_map interface inside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup demo address-pool VPN_POOL
vpngroup demo idle-time 1800
vpngroup demo password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group catalyst_vpn accept dialin pptp
vpdn group catalyst_vpn ppp authentication pap
vpdn group catalyst_vpn client configuration address local VPN_POOL
vpdn group catalyst_vpn pptp echo 60
vpdn group catalyst_vpn client authentication local
vpdn username test password *********
vpdn username demo password *********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.0.40-192.168.0.90 inside
dhcpd dns 206.x.x.97 209.145.84.131
dhcpd lease 604800
dhcpd ping_timeout 750
dhcpd domain catcomtec1.com
dhcpd enable inside
username demo password xxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxx
: end
12-03-2008 11:52 AM
Hi,
vpngroup demo address-pool VPN_POOL
vpngroup demo idle-time 1800
vpngroup demo password ********
If you are using the above vpngroup, that is Group - demo and password - *****, and VPN Client 5.0, then you should not be prompted for a username/password since there is no user authentication configured.
Can you enable "isakmp identity address" on the Pix and try connecting using the VPN Client 5.0?
If you are still having issues, can you post the outputs of "deb cry is" and "deb cry ips" from the Pix and the logs from the VPN Client?
Regards,
Arul
*Pls rate if it helps*
12-03-2008 12:24 PM
I appreciate your willingness to work with me on this, I'm just not getting very far. I put the three commands you requested into the PIX and the only feedback that I got was "this command has been sent to the firewall" for each of the entries. I am also pasting what I have in the logs window of my client, which I'm afraid isn't much. It's just not making good sense to me. Am I making this harder than it has to be? I would like to be able to use the client with the group authentication, user and password both "demo"; no further prompts would be nice.
Cisco Systems VPN Client Version 5.0.00.0340
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
12-03-2008 12:41 PM
Hi,
Can you remove the below command:
crypto map outside_map client authentication VPN
and configure this one, then test the connection again:
crypto map outside_map client authentication LOCAL
Regards,
Arul
*Pls rate if it helps*
12-03-2008 01:02 PM
That helped a lot. It will now let me connect from my PC behind the ASA out to the internet and then into the PIX. I get authenticated there and get the local IP address of 192.168.0.130, which is the beginning of my IP pool. So far so good. Behind the PIX I have a machine sitting at 192.168.0.15. I cannot ping from my .130 address to the .15 address. How can I open up the doors so that I am seen as being local to the .15 box?
12-03-2008 01:14 PM
Hi,
Thanks for the update and rating.
I don't see anything obvious that will block traffic between the VPN Client and the subnet behind the Pix.
Is 192.168.0.15 a valid host on the network? Can you ping this IP address from the Pix itself? Also, what is the default gateway of this host? And can you try pinging a different IP address via the VPN client and see if it works, maybe the 192.168.0.40 address, the first one in your DHCP pool?
Also, if everything looks good, try doing a "clear xlate" and then try the connectivity again through the tunnel.
Regards,
Arul
*Pls rate if it helps*
12-03-2008 01:36 PM
The machine behind the PIX (formerly .15) I have now made DHCP and it was assigned 192.168.0.40 from the PIX. My outside connection coming in is still 192.168.0.130. From the 192.168.0.130, once connected, I can ping the outside address of the PIX (206.248.243.98) but cannot ping the inside address (192.168.0.1), nor can I ping the machine behind the PIX (192.168.0.40).
From the .40 machine, I can ping 192.168.0.1 (inside of PIX) but not the outside or the .130 address.
From the PIX ping command, I can ping 192.168.0.40 but not 192.168.0.130, even though I can go into the monitor feature of the PDM and see there is one tunnel in place.
Am I running into something stupid because the machine that is getting a VPN address of 192.168.0.130 has a local address behind the ASA of 192.168.0.52? All subnets for all 192 addresses are using 255.255.255.0.
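The last post brings together three address ranges from this thread: the PIX inside subnet (192.168.0.0/24), the VPN_POOL (192.168.0.130-192.168.0.145) and the client's own LAN behind the ASA (192.168.0.52/24). The following is an added example, not part of the thread or any poster's configuration, that takes those values and reports which networks a client address pool shares addresses with, so the overlap question the poster asks can be checked mechanically before a pool is assigned. A second, constructed pool in 10.10.10.0/24 is included to show what a clean result looks like.

```python
from ipaddress import ip_address, ip_network, summarize_address_range

# Values taken from the PIX configuration and posts in this thread.
INSIDE_NET = ip_network("192.168.0.0/24")              # ip address inside 192.168.0.1 255.255.255.0
POOL_START, POOL_END = "192.168.0.130", "192.168.0.145"  # ip local pool VPN_POOL
CLIENT_LAN = ip_network("192.168.0.52/24", strict=False)  # client's LAN behind the ASA

# Networks a VPN pool must not share addresses with; the names are ours.
NETWORKS = {"inside": INSIDE_NET, "client_lan": CLIENT_LAN}


def pool_networks(start: str, end: str):
    """Express a start-end address range as the minimal list of CIDR blocks."""
    return list(summarize_address_range(ip_address(start), ip_address(end)))


def check_pool(pool_start: str, pool_end: str, networks: dict) -> dict:
    """Return {network name: [pool blocks that overlap it]}.

    An empty dict means the pool is disjoint from every listed network, which
    is what you want: a tunnel address that also exists on the inside subnet
    or on the client's own LAN is routed locally instead of through the tunnel.
    """
    findings = {}
    for block in pool_networks(pool_start, pool_end):
        for name, net in networks.items():
            if block.overlaps(net):
                findings.setdefault(name, []).append(str(block))
    return findings


if __name__ == "__main__":
    # Pool from the thread: overlaps both the inside subnet and the client LAN.
    print(check_pool(POOL_START, POOL_END, NETWORKS))
    # Constructed alternative pool on an unused range: no overlap reported.
    print(check_pool("10.10.10.1", "10.10.10.16", NETWORKS))
```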