Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
525
Views
0
Helpful
3
Replies

PIX 515 to 3.5 VPN-cannot access internal network

karlsd
Level 1
Level 1

‎07-16-2002 10:42 AM - edited ‎02-21-2020 11:56 AM

I used the Cisco PIX device Manager v2.0 to configure a client to PIX VPN. The configuration completed without errors. When I attemp to connect I pull down an address from the pool that was created and the VPN appears to create successfully. However I am unable to ping or access any device on my network.

I do receive this one error from the client log viewer: 1 14:15:48.205 07/16/02 Sev=Warning/3 IKE/0xA3000057

Received malformed message or negotiation no longer active (message id: 0xB99C6E91)

not sure what it means.

I though of a potential issue with my access lists but I am unable tolocate it. Below is a copy of my config.

I have multiple static site to ste VPNs. The client to site VPN is called internalVPN and the pool name is bigpool (192.168.65.10-20)

access-list acl_ping permit icmp any any

access-list acl_inside permit tcp any any eq ftp

access-list acl_inside permit tcp any any eq ftp-data

access-list acl_inside permit tcp any any eq telnet

access-list acl_inside permit icmp any any

access-list acl_inside permit tcp any any eq https

access-list acl_inside permit tcp any any eq smtp

access-list acl_inside permit ip host 192.168.68.200 any

access-list acl_inside permit ip host 192.168.55.12 any

access-list acl_inside permit udp any any eq 7070

access-list acl_inside permit udp any any eq 7007

access-list acl_inside permit tcp any any eq 7070

access-list acl_inside permit udp any any range 6970 7170

access-list acl_inside permit tcp any any eq 554

access-list acl_inside permit tcp any any eq 8001

access-list acl_inside permit tcp any any eq 8080

access-list acl_inside permit ip host 192.168.55.30 any

access-list acl_inside permit icmp host 192.168.55.30 any

access-list acl_inside permit tcp host 192.168.55.30 eq www any

access-list acl_inside permit tcp host 192.168.55.30 eq https any

access-list acl_inside permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

access-list acl_inside permit tcp host 192.168.55.21 eq ftp any

access-list acl_inside permit tcp host 192.168.55.21 eq ftp-data any

access-list acl_inside permit ip host 192.168.55.21 any

access-list acl_inside permit udp any host 192.168.55.96 range 5190 5193

access-list acl_inside permit tcp any host 192.168.55.96 range aol 5193

access-list acl_inside permit tcp host 192.168.55.96 any range aol 5193

access-list acl_inside permit udp host 192.168.55.96 any range 5190 5193

access-list acl_inside deny udp any any eq 5190

access-list acl_inside deny tcp any any eq aol

access-list acl_inside permit tcp any any eq 10000

access-list acl_inside permit udp any any eq 10000

access-list acl_inside permit tcp 192.168.67.0 255.255.255.0 eq citrix-ica any

access-list acl_inside permit udp 192.168.67.0 255.255.255.0 eq 1604 any

access-list acl_inside permit ip 192.168.0.0 255.255.0.0 192.168.65.0 255.255.25

5.0

access-list acl_inside permit ip 192.168.65.0 255.255.255.0 192.168.0.0 255.255.

0.0

access-list acl_inside permit tcp host 192.168.55.12 eq smtp any

access-list acl_inside permit tcp any host 192.168.55.12 eq smtp

access-list acl_inside permit tcp host 192.168.55.12 eq pop3 any

access-list acl_inside permit tcp any host 192.168.55.12 eq pop3

access-list acl_inside permit tcp any any eq pop3

access-list ipsec permit ip 192.168.55.0 255.255.255.0 192.168.67.0 255.255.255.

0

access-list ipsec permit ip 192.168.68.0 255.255.255.0 192.168.67.0 255.255.255.

0

access-list ipsec permit ip 192.168.0.0 255.255.0.0 192.168.67.0 255.255.255.0

access-list nonat permit ip 192.168.55.0 255.255.255.0 192.168.67.0 255.255.255.

0

access-list nonat permit ip 192.168.68.0 255.255.255.0 192.168.67.0 255.255.255.

0

access-list nonat permit ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0

access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.80.0 255.255.255.0

access-list nonat permit ip 10.0.0.0 255.0.0.0 host 203.47.133.230

access-list nonat permit ip 192.168.0.0 255.255.0.0 host 203.47.133.230

access-list nonat permit ip 192.168.0.0 255.255.0.0 host 213.121.208.107

access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0

access-list nonat permit ip 192.168.0.0 255.255.0.0 10.216.0.0 255.255.0.0

access-list nonat permit ip 192.168.0.0 255.255.0.0 192.168.65.0 255.255.255.0

access-list nonat permit ip any 192.168.65.0 255.255.255.224

access-list ipsecAust permit ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255

.0

access-list ipsecAust permit ip 10.0.0.0 255.0.0.0 192.168.80.0 255.255.255.0

access-list ipsecAust permit ip 192.168.0.0 255.255.0.0 host 203.47.133.230

access-list ipsecAust permit ip 10.0.0.0 255.0.0.0 host 203.47.133.230

access-list ipsecUK permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0

access-list ipsecUK permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0

access-list ipsecUK permit ip 192.168.0.0 255.255.0.0 host 213.121.208.107

access-list ipsecUK permit ip 192.168.0.0 255.255.0.0 10.216.0.0 255.248.0.0

access-list internalVPN permit ip 192.168.0.0 255.255.0.0 192.168.65.0 255.255.2

55.0

access-list outside_cryptomap_dyn_20 permit ip any 192.168.65.0 255.255.255.224

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 100full

mtu outside 1500

mtu inside 1500

mtu failover 1500

ip address outside 209.51.172.216 255.255.255.224

ip address inside 192.168.68.216 255.255.255.0

ip address failover 10.10.10.1 255.255.255.252

ip audit info action alarm

ip audit attack action alarm

ip local pool bigpool 192.168.65.10-192.168.65.20

failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 209.51.172.217

failover ip address inside 192.168.68.217

failover ip address failover 10.10.10.2

failover link failover

arp timeout 14400

global (outside) 1 209.51.172.218

nat (inside) 0 access-list nonat

nat (inside) 1 193.168.1.0 255.255.255.0 0 0

nat (inside) 1 192.168.0.0 255.255.0.0 0 0

access-group acl_inside in interface inside

route outside 0.0.0.0 0.0.0.0 209.51.172.193 1

route inside 10.2.0.0 255.255.0.0 192.168.68.11 1

route inside 10.3.0.0 255.255.0.0 192.168.68.11 1

route inside 192.168.1.0 255.255.255.0 192.168.68.1 1

route inside 192.168.55.0 255.255.255.0 192.168.68.1 1

route inside 192.168.65.0 255.255.255.0 192.168.68.1 1

route inside 192.168.67.0 255.255.255.0 192.168.68.1 1

route inside 192.168.69.0 255.255.255.0 192.168.68.1 1

route inside 192.168.70.0 255.255.255.0 192.168.68.1 1

route inside 192.168.79.0 255.255.255.0 192.168.68.1 1

route inside 193.168.1.0 255.255.255.0 192.168.68.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.68.216 255.255.255.255 inside

http 192.168.55.96 255.255.255.255 inside

snmp-server host inside 192.168.55.24

no snmp-server location

no snmp-server contact

snmp-server community ebn!!!ELE48642

snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set election esp-des esp-md5-hmac

crypto ipsec transform-set avalanche esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA

crypto map forsberg 21 ipsec-isakmp

crypto map forsberg 21 match address ipsec

crypto map forsberg 21 set peer 208.168.175.72

crypto map forsberg 21 set transform-set avalanche

crypto map extVPN 20 ipsec-isakmp

crypto map extVPN 20 match address ipsecAust

crypto map extVPN 20 set peer 203.47.133.230

crypto map extVPN 20 set transform-set avalanche

crypto map extVPN 22 ipsec-isakmp

crypto map extVPN 22 match address ipsecUK

crypto map extVPN 22 set peer 213.121.208.107

crypto map extVPN 22 set transform-set avalanche

crypto map extVPN 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map extVPN interface outside

isakmp enable outside

isakmp key ******** address 208.168.175.72 netmask 255.255.255.255

isakmp key ******** address 203.47.133.230 netmask 255.255.255.255

isakmp key ******** address 213.121.208.107 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication rsa-sig

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

isakmp policy 21 authentication pre-share

isakmp policy 21 encryption des

isakmp policy 21 hash md5

isakmp policy 21 group 1

isakmp policy 21 lifetime 3600

isakmp policy 41 authentication pre-share

isakmp policy 41 encryption des

isakmp policy 41 hash sha

isakmp policy 41 group 2

isakmp policy 41 lifetime 86400

vpngroup internalVPN address-pool bigpool

vpngroup internalVPN dns-server 192.168.55.102 192.168.55.104

vpngroup internalVPN wins-server 192.168.55.102 192.168.55.104

vpngroup internalVPN default-domain election.com

vpngroup internalVPN idle-time 1800

vpngroup internalVPN password ********

telnet 192.168.0.0 255.255.0.0 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:9f27aa46d954f33f2770f3e55b6ca758

: end

[OK]

USNY01PIX01#

Labels:
0 Helpful
3 Replies 3

paqiu
Level 1
Level 1

‎07-16-2002 05:17 PM

The problem is because of following static route:

"route inside 192.168.65.0 255.255.255.0 192.168.68.1 1"

Your bigpool (192.168.65.10-20)

Please change the ip pool to something else not overlapping with your inside network. Otherwise, the PIX will be confused and sending the traffic to your inside network instead of sending it back through the outside interface VPN tunnel.

Best Regards,

0 Helpful

p-lees
Level 1
Level 1

‎07-17-2002 01:59 AM

I have seen this problem many times.

If you decrease the MTU size in the client, using the MTU tool in start>programs>cisco VPN client..

Make sure you re-boot after changing it.

Phil

0 Helpful

karlsd
Level 1
Level 1
In response to p-lees

‎07-18-2002 08:37 AM

Actually the problem turned out to be with the config on my external router. After entering the following it worked:

access-list 100 permit esp any host 209.51.172.216

access-list 100 permit ahp any host 209.51.172.216

access-list 100 permit gre any host 209.51.172.216

access-list 100 permit tcp any host 209.51.172.216 eq 1723

access-list 100 permit udp any host 209.51.172.216 eq isakmp

The only reason I figured it out was because the same statements were entered for my VPN 3000's external address. Still not 100% sure as to why this was neccessary. I'm assuming that my router is my 1st line of defense and is configured only to allow certain types of traffic through and therefore must add the above 1st to allow traffic to flow to and from my PIX.

What is the normal practice when you have a PIX configured to be extra secure. What I mean is...Is it neccessary to lock down your router at all when everything is protected behind your firewall?

0 Helpful
Customers Also Viewed These Support Documents