×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

VPN 3.x clients with TACACS+ AAA, ACS 2.6 NT

Unanswered Question
Dec 24th, 2002
User Badges:

Hi


I'm trying to configure our PIX for dial-up vpn using ACS 2.6 NT and the TACACS+ protocol.

I have managed to configure the VPN user authentication OK, although once connected and the tunnel to the internal network is established, if I try to ping a host inside I only get one ICMP packet back out of four. Subsequent attempts to ping the host get absolutely no response. This happens with all hosts you try to ping...


...strange.


The Firewall itself is also configured to use TACACS+ for console and enable authentication, perhaps this config is causing a problem?

Here is a snippet of the pertinent config from the firewall.


access-list clients permit ip 172.17.0.0 255.255.0.0 172.17.50.0 255.255.255.0

access-list vpn permit ip 172.17.0.0 255.255.0.0 172.17.50.0 255.255.

ip local pool clients 172.17.50.10-172.17.50.254

nat (inside) 0 access-list vpn

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

aaa-server TACSERVER protocol tacacs+

aaa-server TACSERVER (inside) host 172.17.0.x akey timeout 10

aaa authentication enable console TACSERVER

aaa authentication match clients outside TACSERVERsysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set vpn ah-md5-hmac esp-des

crypto ipsec transform-set clients esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400 kilobytes 46080000

crypto dynamic-map vpnusers 50 set transform-set clientscrypto map gibpix client configuration address initiate

crypto map gibpix client configuration address respond

crypto map gibpix client authentication TACSERVER

crypto map gibpix interface outside

isakmp enable outside

isakmp identity address

isakmp client configuration address-pool local clients outside

vpngroup ras address-pool clients

vpngroup ras dns-server ns0

vpngroup ras default-domain mydomain.com

vpngroup ras split-tunnel clients

vpngroup ras idle-time 1800

vpngroup ras password ********


I can't see the wood for the trees as i've scoured many cisco docs, can anyone point me in the right direction?


Many thanks and merry christmas to all.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jfrahim Tue, 12/24/2002 - 09:27
User Badges:
  • Cisco Employee,

Hi rbirkin,

If you tunnel is coming up then I don't think you are running into any sort of authentication issues. It sounds more like a routing issue

If you want to be 100% sure, you can disable user authentication and see if you still run into this issue

Jazib

rbirkin Fri, 12/27/2002 - 02:59
User Badges:

Hi Jazib,

If it is in fact a routing issue, where do I check this?

Thanks


R

jfrahim Fri, 12/27/2002 - 07:01
User Badges:
  • Cisco Employee,

rbirkin,

I don't have your complete config, but by going through the config you have in the forum, it looks like your private ip address is in 172.17.0.0/16 subnet

Your pool of addresses is also in the same subnet ( 172.17.50.0 ).

Is it possible for you to change the pool subnet to something different like 192.168.1.0/24 or something and then try

Let me know what happens

Jazib

rbirkin Fri, 12/27/2002 - 07:37
User Badges:

Jazib


Thanks for you're feedback but I found the problem and it was this -:


crypto dynamic-map vpnusers 50 set security-association lifetime seconds 86400 kilobytes 46080000


That line had a '0' missing from the last number.

Cheers


Rowley


Actions

This Discussion