VPN 3.x with TACACS+ authentication using ACS 2.6 NT

rbirkin · ‎12-23-2002

Hi

I'm trying to configure our PIX for dial-up vpn using ACS 2.6 NT and the TACACS+ protocol.

I have managed to configure the VPN user authentication OK, although once connected and the tunnel to the internal network is established, if I try to ping a host inside I only get one ICMP packet back out of four. Subsequent attempts to ping the host get absolutely no response. This happens with all hosts you try to ping...

...strange.

The Firewall itself is also configured to use TACACS+ for console and enable authentication, perhaps this config is causing a problem?

Here is a snippet of the pertinent config from the firewall.

access-list clients permit ip 172.17.0.0 255.255.0.0 172.17.50.0 255.255.255.0

access-list vpn permit ip 172.17.0.0 255.255.0.0 172.17.50.0 255.255.

ip local pool clients 172.17.50.10-172.17.50.254

nat (inside) 0 access-list vpn

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

aaa-server TACSERVER protocol tacacs+

aaa-server TACSERVER (inside) host 172.17.0.x akey timeout 10

aaa authentication enable console TACSERVER

aaa authentication match clients outside TACSERVERsysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set vpn ah-md5-hmac esp-des

crypto ipsec transform-set clients esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400 kilobytes 46080000

crypto dynamic-map vpnusers 50 set transform-set clientscrypto map gibpix client configuration address initiate

crypto map gibpix client configuration address respond

crypto map gibpix client authentication TACSERVER

crypto map gibpix interface outside

isakmp enable outside

isakmp identity address

isakmp client configuration address-pool local clients outside

vpngroup ras address-pool clients

vpngroup ras dns-server ns0

vpngroup ras default-domain mydomain.com

vpngroup ras split-tunnel clients

vpngroup ras idle-time 1800

vpngroup ras password ********

I can't see the wood for the trees as i've scoured many cisco docs, can anyone point me in the right direction?

Many thanks and merry christmas to all.

beth-martin · ‎12-27-2002

If this traffic is traversing a router, I would suggest running a debug ip icmp to see what is happening to the ping packets. If not, I would suggest that you set up a sniffer on the line to determine where the point of failure is.

HTH!

k.pate · ‎12-30-2002

Here is what i use for my PIX515 and VPN and VPDN for 2000 users with the cisco TACACS 2.3crypto ipsec transform-set ********* esp-3des esp-md5-hmac

crypto dynamic-map users 11 set transform-set ********

crypto map remote 11 ipsec-isakmp dynamic users

crypto map remote client configuration address initiate

crypto map remote client configuration address respond

crypto map remote client authentication XauthVPN

crypto map remote interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp client configuration address-pool local ******** outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 6400

isakmp policy 11 authentication pre-share

isakmp policy 11 encryption 3des

isakmp policy 11 hash md5

isakmp policy 11 group 2

isakmp policy 11 lifetime 86400

vpngroup mygroup idle-time 1800

vpngroup 1 address-pool ********

vpngroup 1 dns-server ***.***.***.***

vpngroup 1 wins-server ***.***.***.***

vpngroup 1 default-domain ********.com

vpngroup 1 split-tunnel 101

vpngroup 1 idle-time 1800

vpngroup 1 password ********

telnet 192.168.0.0 255.255.0.0 inside

telnet timeout 60

ssh timeout 5

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 client configuration address local *******

vpdn group 1 client authentication aaa TACACS+

vpdn group 1 pptp echo 60

vpdn username ****** password ***

vpdn enable outside

gfullage · ‎01-05-2003

Can't see that this is a PIX config issue, you generally either get nothing or everything through, not one packet then nothing. Your PIX config looks OK, and the TACACS stuff shouldn't have anything to do with it cause the authentication has completed successfully already.

You'd have to look at the VPN client stats and see if the Encrypted Packet count goes up when you ping, then do a "sho cry ipsec sa" on the PIX and see if the Pkts Decaps (received packets from the VPN client) and Pkts Encaps (packets sent to the VPN client) increment also. This should give you an indication of where the problem lies.

rbirkin · ‎01-08-2003

Thanks for all the feedback people. Sorry I haven't replied sooner, I needed a break from banging my head against the wall with this one...

Once authenticated, i've set the client to continially ping a host on the internal network. On the client connection statistics, the packets bypassed are increasing with pretty much every icmp packet sent. Packets encrypted are increasing slowly, at a ratio of one for every 10 that are discarded.

The Pkts Decaps/Encaps statistics are increasing, although this can be attributed to the fact that we also have a peer to peer (pix to pix) vpn tunnel configured on this firewall.

I am at a loss...

Do I need to configure anything else for the groups that the users are in on the ACS server? I can see some stuff about ACL's, but it give's the impression that these ACL's are used to set permissions on commands rather than restricting TCP/UDP packets.

rbirkin · ‎01-08-2003

Just to add to this...It seems that I can access web sites on the internal network...although I still cannot ping or telnet to anything...