12-23-2002 09:16 AM - edited 03-10-2019 07:05 AM
Hi
I'm trying to configure our PIX for dial-up vpn using ACS 2.6 NT and the TACACS+ protocol.
I have managed to configure the VPN user authentication OK, although once connected and the tunnel to the internal network is established, if I try to ping a host inside I only get one ICMP packet back out of four. Subsequent attempts to ping the host get absolutely no response. This happens with all hosts you try to ping...
...strange.
The Firewall itself is also configured to use TACACS+ for console and enable authentication, perhaps this config is causing a problem?
Here is a snippet of the pertinent config from the firewall.
access-list clients permit ip 172.17.0.0 255.255.0.0 172.17.50.0 255.255.255.0
access-list vpn permit ip 172.17.0.0 255.255.0.0 172.17.50.0 255.255.
ip local pool clients 172.17.50.10-172.17.50.254
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
aaa-server TACSERVER protocol tacacs+
aaa-server TACSERVER (inside) host 172.17.0.x akey timeout 10
aaa authentication enable console TACSERVER
aaa authentication match clients outside TACSERVER
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set vpn ah-md5-hmac esp-des
crypto ipsec transform-set clients esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400 kilobytes 46080000
crypto dynamic-map vpnusers 50 set transform-set clients
crypto map gibpix client configuration address initiate
crypto map gibpix client configuration address respond
crypto map gibpix client authentication TACSERVER
crypto map gibpix interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local clients outside
vpngroup ras address-pool clients
vpngroup ras dns-server ns0
vpngroup ras default-domain mydomain.com
vpngroup ras split-tunnel clients
vpngroup ras idle-time 1800
vpngroup ras password ********
I can't see the wood for the trees, as I've scoured many Cisco docs; can anyone point me in the right direction?
Many thanks and Merry Christmas to all.
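Added example, not from this thread: a small Python check of whether the `ip local pool`, the `nat (inside) 0 access-list` and the `vpngroup ... split-tunnel` access-list quoted above agree with each other, which is the first consistency a remote-access PIX config is usually checked for. The sample config is constructed from the post's lines with the masks written out in full, and the regexes only cover the command forms that appear here.

```python
import ipaddress
import re

# Constructed sample modelled on the config quoted in the post above;
# masks are written out in full here.
SAMPLE_CONFIG = """\
access-list clients permit ip 172.17.0.0 255.255.0.0 172.17.50.0 255.255.255.0
access-list vpn permit ip 172.17.0.0 255.255.0.0 172.17.50.0 255.255.255.0
ip local pool clients 172.17.50.10-172.17.50.254
nat (inside) 0 access-list vpn
vpngroup ras address-pool clients
vpngroup ras split-tunnel clients
"""

# Only the PIX 6.x command shapes used in the post are recognised.
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
GROUP_RE = re.compile(r"^vpngroup (\S+) (address-pool|split-tunnel) (\S+)$")


def parse_pix_config(text):
    """Collect ACL entries, address pools, the nat 0 ACL and vpngroup settings."""
    cfg = {"acls": {}, "pools": {}, "nat0": None, "groups": {}, "errors": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            try:
                entry = (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                         ipaddress.ip_network(f"{dst}/{dmask}", strict=False))
            except ValueError as exc:
                # A truncated or mistyped mask ends up here instead of silently
                # producing an ACL entry that matches nothing.
                cfg["errors"].append(f"access-list {name}: unparseable address/mask ({exc})")
                continue
            cfg["acls"].setdefault(name, []).append(entry)
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := NAT0_RE.match(line):
            cfg["nat0"] = m.group(1)
        elif m := GROUP_RE.match(line):
            group, key, value = m.groups()
            cfg["groups"].setdefault(group, {})[key] = value
    return cfg


def _covers_pool(acl_entries, pool):
    """True if some entry's destination network contains the whole pool range."""
    first, last = pool
    return any(first in dst and last in dst for _src, dst in acl_entries)


def check_remote_access(cfg, group):
    """Return findings for one vpngroup; an empty list means the address pool,
    the nat 0 ACL and the split-tunnel ACL are consistent with each other."""
    findings = list(cfg["errors"])
    g = cfg["groups"].get(group)
    if g is None:
        return findings + [f"vpngroup {group} not found"]
    pool = cfg["pools"].get(g.get("address-pool"))
    if pool is None:
        return findings + [f"vpngroup {group}: address-pool missing or undefined"]
    checks = (("nat 0 access-list", cfg["nat0"]), ("split-tunnel", g.get("split-tunnel")))
    for label, acl_name in checks:
        entries = cfg["acls"].get(acl_name or "")
        if not entries:
            findings.append(f"{label}: access-list {acl_name!r} has no usable entries")
        elif not _covers_pool(entries, pool):
            findings.append(f"{label}: access-list {acl_name} does not cover pool "
                            f"{pool[0]}-{pool[1]}")
    return findings


if __name__ == "__main__":
    for finding in check_remote_access(parse_pix_config(SAMPLE_CONFIG), "ras") or ["ok"]:
        print(finding)
```

The check is deliberately strict about the masks: on a PIX, `nat 0 access-list` decides which inside-to-client traffic is exempt from translation and the split-tunnel ACL is pushed to the client to decide what it encrypts, so an ACL that fails to parse or does not contain the pool is worth finding before looking anywhere else.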
12-27-2002 09:53 AM
If this traffic is traversing a router, I would suggest running a debug ip icmp to see what is happening to the ping packets. If not, I would suggest that you set up a sniffer on the line to determine where the point of failure is.
HTH!
12-30-2002 09:40 AM
Here is what I use for my PIX515 and VPN and VPDN for 2000 users with the Cisco TACACS 2.3:
crypto ipsec transform-set ********* esp-3des esp-md5-hmac
crypto dynamic-map users 11 set transform-set ********
crypto map remote 11 ipsec-isakmp dynamic users
crypto map remote client configuration address initiate
crypto map remote client configuration address respond
crypto map remote client authentication XauthVPN
crypto map remote interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local ******** outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 6400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
vpngroup mygroup idle-time 1800
vpngroup 1 address-pool ********
vpngroup 1 dns-server ***.***.***.***
vpngroup 1 wins-server ***.***.***.***
vpngroup 1 default-domain ********.com
vpngroup 1 split-tunnel 101
vpngroup 1 idle-time 1800
vpngroup 1 password ********
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 60
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local *******
vpdn group 1 client authentication aaa TACACS+
vpdn group 1 pptp echo 60
vpdn username ****** password ***
vpdn enable outside
01-05-2003 07:12 PM
Can't see that this is a PIX config issue; you generally either get nothing or everything through, not one packet then nothing. Your PIX config looks OK, and the TACACS stuff shouldn't have anything to do with it because the authentication has completed successfully already.
You'd have to look at the VPN client stats and see if the Encrypted Packet count goes up when you ping, then do a "sho cry ipsec sa" on the PIX and see if the Pkts Decaps (received packets from the VPN client) and Pkts Encaps (packets sent to the VPN client) increment also. This should give you an indication of where the problem lies.
01-08-2003 07:55 AM
Thanks for all the feedback people. Sorry I haven't replied sooner, I needed a break from banging my head against the wall with this one...
Once authenticated, I've set the client to continually ping a host on the internal network. On the client connection statistics, the packets bypassed are increasing with pretty much every ICMP packet sent. Packets encrypted are increasing slowly, at a ratio of one for every 10 that are discarded.
The Pkts Decaps/Encaps statistics are increasing, although this can be attributed to the fact that we also have a peer to peer (pix to pix) vpn tunnel configured on this firewall.
I am at a loss...
Do I need to configure anything else for the groups that the users are in on the ACS server? I can see some stuff about ACLs, but it gives the impression that these ACLs are used to set permissions on commands rather than restricting TCP/UDP packets.
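Added example, not part of this thread: a Python parser that diffs two snapshots of `show crypto ipsec sa` per security association, so the remote-access client's Pkts Encaps/Decaps can be read separately from a site-to-site tunnel on the same firewall (the counter check suggested in the 01-05 reply, and the confounding noted in the post above). The snapshots are constructed and modelled on PIX 6.x output; the exact layout of the counter lines is an assumption.

```python
import re

# Constructed snapshots modelled on PIX 6.x "show crypto ipsec sa" output.
# Two SAs share the crypto map: a remote-access client (172.17.50.10) and a
# site-to-site peer (10.9.0.0/16). Addresses are documentation ranges.
SA_BEFORE = """\
interface: outside
    Crypto map tag: gibpix, local addr. 203.0.113.1

   local  ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.17.50.10/255.255.255.255/0/0)
   current_peer: 198.51.100.7
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4

   local  ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.9.0.0/255.255.0.0/0/0)
   current_peer: 198.51.100.200
    #pkts encaps: 51200, #pkts encrypt: 51200, #pkts digest 51200
    #pkts decaps: 48831, #pkts decrypt: 48831, #pkts verify 48831
"""

# Same SAs a minute later: the client sent 40 pings that were all decapsulated,
# but nothing was encapsulated back to it; the site-to-site SA moved both ways.
SA_AFTER = SA_BEFORE.replace("#pkts decaps: 4,", "#pkts decaps: 44,") \
                    .replace("#pkts encaps: 51200,", "#pkts encaps: 51400,") \
                    .replace("#pkts decaps: 48831,", "#pkts decaps: 48981,")

REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
COUNTER_RES = {"encaps": re.compile(r"#pkts encaps: (\d+)"),
               "decaps": re.compile(r"#pkts decaps: (\d+)")}


def parse_sa_counters(output):
    """Return {(remote_ident, peer): {'encaps': n, 'decaps': n}} for each SA."""
    records = {}
    key = None
    for line in output.splitlines():
        if m := REMOTE_RE.search(line):
            key = [m.group(1), None]          # peer is filled in on the next line
            continue
        if (m := PEER_RE.search(line)) and key is not None:
            key[1] = m.group(1)
            records[tuple(key)] = {"encaps": 0, "decaps": 0}
            continue
        if key is None or tuple(key) not in records:
            continue
        for name, rx in COUNTER_RES.items():
            if m := rx.search(line):
                records[tuple(key)][name] = int(m.group(1))
    return records


def sa_deltas(before, after):
    """Per-SA change in encaps/decaps between two snapshots; SAs that appear only
    in the second snapshot are counted from zero."""
    prev_all, cur_all = parse_sa_counters(before), parse_sa_counters(after)
    deltas = {}
    for key, cur in cur_all.items():
        prev = prev_all.get(key, {"encaps": 0, "decaps": 0})
        deltas[key] = {n: cur[n] - prev[n] for n in ("encaps", "decaps")}
    return deltas


def classify(delta):
    """Plain-language reading of one SA's counter movement."""
    if delta["decaps"] == 0 and delta["encaps"] == 0:
        return "idle: nothing crossed this SA"
    if delta["decaps"] > 0 and delta["encaps"] == 0:
        return "one-way: packets arrive from the peer but no replies are encapsulated back"
    if delta["encaps"] > 0 and delta["decaps"] == 0:
        return "one-way: packets sent to the peer but nothing received"
    return "two-way traffic"


if __name__ == "__main__":
    for (remote, peer), delta in sa_deltas(SA_BEFORE, SA_AFTER).items():
        print(f"{remote} via {peer}: {delta} -> {classify(delta)}")
```

Reading the remote-access SA on its own is the point: a decaps-only movement on the client's SA says the pings are reaching the PIX and being decrypted, which narrows the search to the return path (routing or translation of the reply back into the tunnel) rather than to authentication or the client's outbound side.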
01-08-2003 09:00 AM
Just to add to this... It seems that I can access web sites on the internal network, although I still cannot ping or telnet to anything...