l2tp/ipsec through a PIX

Hello,

The scenario is this:

I have a user in my network that needs to connect to a VPN server on the Internet. His VPN uses L2TP/IPsec, and he uses the Windows 2000/XP VPN client. There is a PIX 535 6.2(2) between the user and his VPN server.

The problem is that this user can't establish a connection with his VPN: he can reach his VPN server, but cannot negotiate a successful login. The VPN client says "Remote server timeout" when the user tries to authenticate.

The VPN client logs a successful VPN connection as follows:

******************************************************************

Operating System : Windows NT 5.1 Service Pack 1

Dialer Version : 7.2.2600.1106

Connection Name : ITG Connection Manager for Smart Cards

All Users/Single User : All Users

Start Date/Time : 4/1/2003, 16:43:33

******************************************************************

Module Name, Time, Log ID, Log Item Name, Other Info

For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up

******************************************************************

[cmdial32] 16:43:33 03 Pre-Init Event CallingProcess = C:\WINDOWS\System32\CMMON32.EXE

[cmdial32] 16:43:35 04 Pre-Connect Event ConnectionType = 1

[cmdial32] 16:43:35 09 Custom Action Exe ActionType = Pre-Connect Actions Description = Security Check before Connecting ActionPath = WSCRIPT.EXE. The program was launched successfully.

[cmdial32] 16:43:35 06 Pre-Tunnel Event UserName = my_user@northamerica.corp.company.com Domain = DUNSetting = ITG Connection Manager for Smart Cards Tunnel DeviceName = TunnelAddress = CXN-REDMOND.COMPANY.COM

[cmdial32] 16:44:09 07 Connect Event

[cmdial32] 16:44:09 09 Custom Action Exe ActionType = Connect Actions Description = Run additional cred harvesting for NTLM only aware apps ActionPath = WSCRIPT.EXE. The program was launched successfully.

[cmdial32] 16:44:09 09 Custom Action Exe ActionType = Connect Actions Description = Security Check after Connecting ActionPath = WSCRIPT.EXE. The program was launched successfully.

[cmdial32] 16:44:09 09 Custom Action Exe ActionType = Connect Actions Description = (none) ActionPath = CMDL32.EXE. The program was launched successfully.

[cmdial32] 16:44:09 08 Custom Action Dll ActionType = Connect Actions Description = to determine your proxy server ActionPath = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\ITGRASSC\CMSAMPLE.DLL ReturnValue = 0x0

[cmdial32] 16:44:09 08 Custom Action Dll ActionType = Connect Actions Description = to configure your IE proxy settings ActionPath = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\ITGRASSC\CMPROXY.DLL ReturnValue = 0x0

[cmdial32] 16:44:09 09 Custom Action Exe ActionType = Connect Actions Description = (none) ActionPath = CMDL32.EXE. The program was launched successfully.

[cmdial32] 16:44:09 09 Custom Action Exe ActionType = Connect Actions Description = CM Version Checking ActionPath = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\ITGRASSC\GETCM.EXE. The program was launched successfully.

[CMDL32] 16:44:26 26 Successful Phonebook download PhoneBookName = mscorppb RequestedPBVer = 73 PBServerUrl = cusredb11rad02

[CMDL32] 16:44:26 28 Phonebook successfully updated Type = No update required PhoneBookName = mscorppb OldPBVer = 73 NewPBVer = 73 PBServerUrl = cusredb11rad02

[CMDL32] 16:44:30 26 Successful Phonebook download PhoneBookName = Cisco RequestedPBVer = 73 PBServerUrl = cusredb11rad02

[CMDL32] 16:44:30 28 Phonebook successfully updated Type = No update required PhoneBookName = Cisco OldPBVer = 73 NewPBVer = 73 PBServerUrl = cusredb11rad02

[CMDL32] 16:44:36 27 Phonebook download failed ErrorCode = 204 PhoneBookName = MSROI PBServerUrl = phonebook.attglobal.net

[CMDL32] 16:44:37 27 Phonebook download failed ErrorCode = 204 PhoneBookName = MSPPP PBServerUrl = pbkMS.equant.com

[CMDL32] 16:44:48 27 Phonebook download failed ErrorCode = 502 PhoneBookName = UUpMSemp PBServerUrl = pbk.uudial.uu.net

[cmdial32] 17:01:15 12 Disconnect Event CallingProcess = C:\WINDOWS\explorer.exe

[CMMON32] 17:01:15 22 External Disconnect

[cmdial32] 17:01:15 08 Custom Action Dll ActionType = Disconnect Actions Description = to restore your previous IE proxy settings ActionPath = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\ITGRASSC\CMPROXY.DLL ReturnValue = 0x0

[cmdial32] 17:01:15 09 Custom Action Exe ActionType = Disconnect Actions Description = Security Check after Disconnect ActionPath = WSCRIPT.EXE. The program was launched successfully.

[cmdial32] 17:01:15 09 Custom Action Exe ActionType = Disconnect Actions Description = Install Updated CM Profile ActionPath = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\ITGRASSC\INSTCM.EXE. The program was launched successfully.

And the log when trying to connect behind the PIX:

******************************************************************

Operating System : Windows NT 5.1 Service Pack 1

Dialer Version : 7.2.2600.1106

Connection Name : ITG Connection Manager for Smart Cards

All Users/Single User : All Users

Start Date/Time : 4/2/2003, 13:15:00

******************************************************************

Module Name, Time, Log ID, Log Item Name, Other Info

For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up

******************************************************************

[cmdial32] 13:15:00 03 Pre-Init Event CallingProcess = C:\WINDOWS\explorer.exe

[cmdial32] 13:15:09 04 Pre-Connect Event ConnectionType = 1

[cmdial32] 13:15:09 09 Custom Action Exe ActionType = Pre-Connect Actions Description = Security Check before Connecting ActionPath = WSCRIPT.EXE. The program was launched successfully.

[cmdial32] 13:15:09 06 Pre-Tunnel Event UserName = my_user@northamerica.corp.company.com Domain = DUNSetting = ITG Connection Manager for Smart Cards Tunnel DeviceName = TunnelAddress = CXN-REDMOND.COMPANY.COM

[cmdial32] 13:15:37 19 On-Cancel Event

[cmdial32] 13:15:46 04 Pre-Connect Event ConnectionType = 1

[cmdial32] 13:15:46 09 Custom Action Exe ActionType = Pre-Connect Actions Description = Security Check before Connecting ActionPath = WSCRIPT.EXE. The program was launched successfully.

[cmdial32] 13:15:46 06 Pre-Tunnel Event UserName = my_user@northamerica.corp.company.com Domain = DUNSetting = ITG Connection Manager for Smart Cards Tunnel DeviceName = TunnelAddress = CXN-REDMOND.COMPANY.COM

[cmdial32] 13:16:29 20 On-Error Event ErrorCode = 721 ErrorSource = RAS

I have no access-lists in my PIX, and I use PAT.

Is there an additional configuration that I have to enter in the PIX in order to permit this kind of traffic? Is it that I have to use NAT besides PAT? Do I need to permit traffic from the outside interface?

Thank you in advance.


Re: l2tp/ipsec through a PIX

Hi,

You need to make sure that:

1 - You have a static NAT for the PC on the PIX (PAT won't work).

2 - Open up UDP 500, UDP 1701, and ESP traffic for the client's NATed address on the PIX.

Thx

Afaq
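As an added example (not part of Afaq's reply or the original thread), the PIX 6.x configuration that implements both points: a one-to-one static for the client PC, plus an inbound access list that admits IKE, L2TP and ESP only from the VPN server to the client's translated address. All addresses and the access-list name are placeholders; ESP (IP protocol 50) carries no port numbers, which is why PAT cannot multiplex it and a static is needed.

```cisco
! Annotation lines (starting with !) are for the reader, not part of the config.
! Placeholders: 192.168.1.10 = client PC (inside), 203.0.113.10 = its public
! static address, 198.51.100.5 = the remote L2TP/IPsec VPN server.

! 1 - one-to-one static translation for the VPN client PC (no PAT for this host)
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0

! 2 - permit the return traffic from the VPN server to the client's static address
!     UDP 500 = IKE/ISAKMP, UDP 1701 = L2TP, esp = IP protocol 50 (no ports)
access-list outside_in permit udp host 198.51.100.5 host 203.0.113.10 eq 500
access-list outside_in permit udp host 198.51.100.5 host 203.0.113.10 eq 1701
access-list outside_in permit esp host 198.51.100.5 host 203.0.113.10
access-group outside_in in interface outside

! Verification after the client retries: the xlate should show the static,
! and the esp entry's hit count should increase once IKE completes.
show xlate
show access-list outside_in
```

Restricting the source to the VPN server's address rather than `any` keeps the opening as narrow as the reply's intent requires; if the server's address is not fixed, widen only that field.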
