06-08-2007 10:36 AM - edited 03-11-2019 03:27 AM
Hi,
I am untrained in Cisco but 20 year IT experience with some Unix, Linux, Windows mix.
I am setting up a 506E VPN to allow users with Cisco VPN client software to connect.
I have gone through a couple of training videos and I'm looking for some examples now of configs and steps to configure this.
My network is very simple, I have a DSL connection coming through a Linksys router (I'll be putting an 1800 up there soon, but not yet), I'll be attaching the outside firewall interface right to the linksys, I'll be attaching the inside firewall interface directly to my single LAN hub. All PCs and servers have home runs to the hub.
Remote clients are coming across public internet connections.
Thanks for any help you can give.
P.S. - My Cisco reports that it has a Restricted (R) license, and some of the commands from the video I watched don't seem to be available, like "group-policy" - could these be related, do I need to enter a license number or something?
JP
06-08-2007 11:23 AM
The group-policy command you are referring to is only available on pix version 7. You are running pix 6.3.
Here is the config guide for 6.3 which should get you started with your vpn.
http://cisco.com/en/US/docs/security/pix/pix63/configuration/guide/config.html
06-08-2007 11:56 AM
Found a good link for this, if anyone's reading.
http://cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html#anchor1
06-11-2007 04:00 AM
As the environment you are working in is very straightforward, you should be able to use the Cisco VPN wizard. You may need to enable PDM on the inside interface, and then just point a web browser at the firewall.
The only issue I can see is with the DSL, does the linksys router perform NAT, and if not is you internet IP address static or dynamic?
06-12-2007 12:45 PM
We have one static IP address, the linksys is performing NAT. Thank you for your help on this.
One thing - This whole deal is on a test network, with no connections to the world. I have the two external firewall interfaces connected to a little switch (that would be the internet/PSTN in the real world), the inside interfaces are connected to separate vlans on a catalyst 2950, and the server and test PC I'm using are each connected to those vlans. On the server, I'm trying to load PDM. The Win2K3 server is straight off the CD, no service packs, nothing. IE is version 6.0.3790.0.
The PDM doesn't seem to be loading. Is there any hope for me without connecting this thing to the web?
Thanks again.
Here's a diagram:
JP
06-13-2007 04:48 AM
I'm a little confused here, initially you asked for information on VPN client setup. The more recent post mentions two external interfaces, do you mean two separate firewalls, as the 506E only has two interfaces? If so you are looking at a VPN tunnel, not a VPN client setup.
Either way you should be able to test this in your lab environment.
If you are trying to setup a VPN client ( client to network ) connect the outside interface of the 506E to your "internet" switch, connect the client PC onto this switch as well. Connect the inside interface to the same VLAN as your server.
Ensure the PC can "see" the firewall outside interface, ping the interface, don't be surprised if you don't get a response, but check the arp cache of the PC to see if the MAC address of the outside interface is there.
The server should be able to ping the inside interface and open PDM. If this isn't working, run the "sh ver" command on the firewall to ensure pdm is installed, if so enable pdm with the "http server enable" command followed by the "http
You will need to have Java installed on the server, but read the messages as PDM is very fussy about the version, and there can be compatibility issues.
If it is a VPN tunnel ( network to network ) you are looking for then both Firewall outside interfaces should be connected to the "internet". Make sure each firewall has a default gateway of its peer.
The two inside interfaces should be connected to separate VLANs, and the server and client PC should be able to connect via PDM to their relevant firewall.
06-14-2007 05:04 AM
I'm lucky enough to have 2 firewalls to work with, so I have them set up as if they were in different sites - simulating both ends of the WAN connection. I'm setting up a VPN client, not a tunnel because normally I won't have control of the other firewall. Thanks for your help.
06-14-2007 05:26 AM
OK, it looks like PDM isn't going to run on my server. Until I can figure out how to get my test network connected to the internet without screwing up life for my normal users, I'm going to try to configure this by hand. Does anyone have a simple running VPN configuration you can post here?
thanks,
JP
06-14-2007 07:18 AM
Thanks to all the help from you all, I think I'm getting there - I have the client giving different responses for different configurations, which I'm assuming means I'm at least communicating with the firewall.
I've done a VPN setup on the firewall from an example configuration.
In order to simplify things, now I've tried to connect my client PC to the same network as the outside interface of my PIX. So the client ip is now 200.1.1.55, and the outside interface of the pix is 200.1.1.2.
Also, for now, I've opened up(?) ip, udp and tcp (permit ip any any) and I'll nail those down after I get everything working.
Here is the VPN client configuration:
Version 4.6.00.0049
Host=200.1.1.2
Transport=IPSec/TCP
Using Group Authentication
Enable Transparent Tunneling
IPSec over TCP, TCP Port: 10000
Peer response timeout (seconds): 90
I'm entering vpn3000 as the username, and the password I set for the vpn3000 group.
---------------------------------
Here is the PIX configuration:
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ...
passwd ...
hostname ...
domain-name ...
fixup protocol ...
... (edited for space, these are all standard fixup statements)
fixup protocol tftp 69
names
access-list inbound permit tcp any host 200.1.1.2 eq www
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit tcp any host 200.1.1.2 eq www
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any any
access-list 102 permit ip any any
access-list 102 permit udp any any
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging buffered errors
logging trap notifications
icmp deny host 200.1.1.2 outside
mtu outside 1500
mtu inside 1500
ip address outside 200.1.1.2 255.255.255.0
ip address inside 192.168.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool test 192.168.2.101-192.168.2.199
pdm location 192.168.2.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.2.1 www netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
...(aaa statements edited for space)
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.2.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set transset1 esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set transset1
crypto map remotemap 10 ipsec-isakmp dynamic dynmap
crypto map remotemap client configuration address initiate
crypto map remotemap client configuration address respond
crypto map remotemap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local test outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool test
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password xxxxxxx
... (edited for space)
06-14-2007 09:27 AM
I've found the VPN Client debug log, so I'm able to watch the connection attempt. It dies at line 29, with the message "Unable to establish Phase 1 SA with server '200.1.1.2' because of 'DEL_REASON_PEER_NOT_RESPONDING'".
I see in line 15 that it does something with ISAKMP...
Then in line 16 I see a message "Bad cTCP trailer, Rsvd 26988, Magic# 3c396272h, trailer len 47, MajorVer 49, MinorVer 62"
Any tips? Thanks.
----------------------
Good News,
I changed my client to connect on IPSec/UDP, and I am now able to reliably make a connection attempt and watch the conversation between my client and my firewall, using debug statements on the firewall and using the log window on the client.
I am getting this message on the firewall "VPN Peer: ISAKMP: Peer Info for 200.1.1.55/500 not found - peers:0" - I'm looking to see if I need a peer statement of some kind now.
The client ends the connection attempt with the message "Unable to establish Phase 1 SA with server "200.1.1.2" because of "DEL_REASON_PEER_NOT_RESPONDING"
Getting there...
06-14-2007 10:59 AM
It seems to be working now. Thank you thank you thank you all. I'll post my config, since it's on a test network it's a good example.
06-15-2007 05:57 AM
Except that...
The VPN seems to be connecting, in that I get a locked symbol on the cisco client, but I can't ping or otherwise connect to the machine that's on the "server" network, even by ip address.
One thing I've noticed is my default gateway on the cisco vpn network interface (client) is wrong. Here's my ipconfig after I've connected:
Ethernet adapter Local Area Connection:
Connection-specific...:
IP Address...: 192.168.3.13
Subnet Mask...:255.255.255.0
Default Gateway...:192.168.3.254
(this is the cisco vpn client below)
Ethernet adapter Local Area Connection 2:
Connection-specific...:
IP Address... : 192.168.2.101
Subnet Mask...:255.255.255.0
Default Gateway...:192.168.2.101
I'll post my firewall config in a few minutes.
06-15-2007 06:23 AM
Here's the config for my "server" network firewall:
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname pixfirewall2
domain-name my-turn.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit tcp any host 200.1.1.2 eq www
access-list 102 permit tcp any host 200.1.1.2 eq www
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit udp 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 200.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging buffered errors
logging trap notifications
mtu outside 1500
mtu inside 1500
ip address outside 200.1.1.2 255.255.255.0
ip address inside 192.168.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool internetpool 200.1.1.101-200.1.1.120
ip local pool test 192.168.2.101-192.168.2.199
pdm location 192.168.2.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.2.1 www netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool test
vpngroup vpn3000 default-domain MyTurnTest.local
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 10
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username administrator password xxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxxx
: end
06-15-2007 06:25 AM
Here's the config for my "client" network firewall (note the inside address is 192.168.3.254, as I was questioning whether it made sense to have the same ip on the cisco interface as my local interface, if I want to use the local network):
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname pixfirewall1
domain-name my-turn.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any
access-list outside permit tcp any any
access-list outside permit udp any any
access-list outside permit ip any any
pager lines 40
icmp deny host 200.1.1.2 outside
icmp deny host 200.1.1.1 outside
mtu outside 1500
mtu inside 1500
ip address outside 200.1.1.1 255.255.255.0
ip address inside 192.168.3.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.3.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username administrator password xxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxx
: end
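An added example, not code from the thread or from Cisco: a small audit that scans a PIX 6.3 configuration for the weak remote-access settings visible in the configs posted above (DES/MD5/group 1 IKE policies, the wildcard pre-shared key with no-xauth, access-lists that permit ip any any, and the default SNMP community). The config text it runs on is a constructed excerpt modelled on those posts.

```python
"""Audit a PIX 6.3 running-config excerpt for weak remote-access VPN settings."""
import re

# Constructed excerpt modelled on the PIX 6.3 configs posted in this thread.
SAMPLE_CONFIG = """\
access-list 102 permit ip any any
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
vpngroup vpn3000 address-pool test
"""

# (regex applied to one stripped config line, finding text)
CHECKS = [
    (r"^access-list \S+ permit ip any any$",
     "ACL permits ip any any; restrict it to the VPN and management traffic actually needed"),
    (r"^snmp-server community public$",
     "default SNMP community 'public'; change it or disable SNMP"),
    (r"^crypto ipsec transform-set \S+ .*\besp-des\b",
     "IPsec transform uses single DES (56-bit); prefer esp-3des or esp-aes"),
    (r"^crypto ipsec transform-set \S+ .*\besp-md5-hmac\b",
     "IPsec transform uses MD5 HMAC; prefer esp-sha-hmac"),
    (r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0.*\bno-xauth\b",
     "wildcard pre-shared key with no-xauth: no per-user authentication, every client shares one secret"),
    (r"^isakmp policy \d+ encryption des$",
     "IKE policy uses DES; prefer 3des or aes"),
    (r"^isakmp policy \d+ hash md5$",
     "IKE policy uses MD5; prefer sha"),
    (r"^isakmp policy \d+ group 1$",
     "IKE policy uses DH group 1 (768-bit); prefer group 2 or higher"),
]


def audit_pix_config(text):
    """Return [(line_no, finding)] for every config line that matches a weak-setting pattern."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        for pattern, message in CHECKS:
            if re.search(pattern, line):
                findings.append((n, message))
    return findings


if __name__ == "__main__":
    for n, msg in audit_pix_config(SAMPLE_CONFIG):
        print(f"line {n}: {msg}")
```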