Cisco client 4.6 - PIX-506e remote access

ddidpm506
Level 1

I'm trying to get VPN remote access working.

I used the example in http://cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html#wp1076294 as a template; my resulting config file is attached, as is my client profile.

When I try to attach with the VPN client software I get the following error:

Cisco Systems VPN Client Version 4.6.00.0045
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client

1 11:49:25.821 05/14/07 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

2 11:49:25.821 05/14/07 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

At this point I'm kind of at a loss; this seems to imply that the basic connectivity is corrupt, but I can get internet traffic through the firewall.

Or is the client complaining about the security parameters I've set in the PIX?

Any advice? Is there a way to enable a log at the PIX to see what it thinks is happening?

Thanks,

dpm

15 Replies

acomiskey
Level 10

try this...

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

I did so; the client now reports an authentication failure. It obviously got a lot further; what's the problem with my original setup?

Here's the isakmp log from the PIX:

ISAKMP Debug Log:
-------------------------------------------------------------------------
08:09:11.012 UTC Tue May 15 2007, peer 216.178.86.111, DELETE_ALL_SPIS
08:09:10.012 UTC Tue May 15 2007, peer 216.178.86.111, ISAKMP_DISCONNECTED
08:09:09.962 UTC Tue May 15 2007, peer 216.178.86.111, MALFORMED_PAYLOAD (mess_id 3601719422)
08:09:09.152 UTC Tue May 15 2007, peer 216.178.86.111, P2_RETRAN (3) (mess_id 3601719422)
08:09:04.152 UTC Tue May 15 2007, peer 216.178.86.111, P2_RETRAN (2) (mess_id 3601719422)
08:08:59.152 UTC Tue May 15 2007, peer 216.178.86.111, P2_RETRAN (1) (mess_id 3601719422)
08:08:54.152 UTC Tue May 15 2007, peer 216.178.86.111, ISAKMP_CONNECTED
08:08:54.152 UTC Tue May 15 2007, peer 216.178.86.111, P1_DONE
08:08:54.152 UTC Tue May 15 2007, peer 216.178.86.111, DELETE_ALL_SPIS
08:08:54.152 UTC Tue May 15 2007, peer 216.178.86.111, INITIAL_CONTACT_RCVD
08:08:52.602 UTC Tue May 15 2007, peer 216.178.86.111, P1_RESP

In the original procedure step 6 it said:

Note Configure the authentication server with the vendor-specific acl=acl_ID identifier to specify the access-list ID. In this example, the access-list ID is 100. The entry in the authentication server would then be acl=100.

I condensed this into one access-list statement because I don't want to restrict the traffic on the VPN:

access-list 100 permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

I have 2 questions:

1. Will my access-list statement work?

2. I'm not clear on the "Note" above. My RADIUS server is the one built into Windows Server 2003. I can specify a RADIUS client, and "Cisco" is on the list. If I choose "Cisco", does that simply mean that the access-list ID should also be "Cisco", or is it more complicated than that?

Thanks,

dpm
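The two logs quoted in this thread (the VPN client's IKE warnings and the PIX "ISAKMP Debug Log") are what you have to work with when a remote-access tunnel fails, and the PIX prints its log newest-first, which makes the sequence easy to misread. The following Python is an added example, not code from the thread or from Cisco: it parses both formats from constructed copies of the lines above, puts the PIX events into chronological order and summarises where the exchange stalled for a given peer. The event names and the diagnosis text are my own reading of the log shown here, not documented PIX semantics.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the PIX "ISAKMP Debug Log" lines quoted in the thread, newest first.
PIX_LOG = """\
08:09:11.012 UTC Tue May 15 2007, peer 216.178.86.111, DELETE_ALL_SPIS
08:09:10.012 UTC Tue May 15 2007, peer 216.178.86.111, ISAKMP_DISCONNECTED
08:09:09.962 UTC Tue May 15 2007, peer 216.178.86.111, MALFORMED_PAYLOAD (mess_id 3601719422)
08:09:09.152 UTC Tue May 15 2007, peer 216.178.86.111, P2_RETRAN (3) (mess_id 3601719422)
08:09:04.152 UTC Tue May 15 2007, peer 216.178.86.111, P2_RETRAN (2) (mess_id 3601719422)
08:08:59.152 UTC Tue May 15 2007, peer 216.178.86.111, P2_RETRAN (1) (mess_id 3601719422)
08:08:54.152 UTC Tue May 15 2007, peer 216.178.86.111, ISAKMP_CONNECTED
08:08:54.152 UTC Tue May 15 2007, peer 216.178.86.111, P1_DONE
08:08:54.152 UTC Tue May 15 2007, peer 216.178.86.111, DELETE_ALL_SPIS
08:08:54.152 UTC Tue May 15 2007, peer 216.178.86.111, INITIAL_CONTACT_RCVD
08:08:52.602 UTC Tue May 15 2007, peer 216.178.86.111, P1_RESP
"""

# Constructed sample: the two VPN client warnings from the first post (header line, then message).
CLIENT_LOG = """\
1 11:49:25.821 05/14/07 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
2 11:49:25.821 05/14/07 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
"""

PIX_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) UTC (?P<date>\w{3} \w{3} \d{1,2} \d{4}), "
    r"peer (?P<peer>[\d.]+), (?P<event>[A-Z0-9_]+)(?P<rest>.*)$"
)
CLIENT_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)


def parse_pix_log(text):
    """Parse PIX ISAKMP debug lines and return them oldest-first."""
    events = []
    for line in text.splitlines():
        m = PIX_RE.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%a %b %d %Y %H:%M:%S.%f")
        mid = re.search(r"mess_id (\d+)", m["rest"])
        events.append({"ts": ts, "peer": m["peer"], "event": m["event"],
                       "mess_id": int(mid.group(1)) if mid else None})
    # The PIX prints newest first; reverse, then a stable sort keeps same-timestamp order right.
    events.reverse()
    events.sort(key=lambda e: e["ts"])
    return events


def parse_client_log(text):
    """Pair each VPN client header line with the message line that follows it."""
    entries, header = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CLIENT_RE.match(line)
        if m:
            header = m.groupdict()
        elif header is not None:
            entries.append({**header, "message": line})
            header = None
    return entries


def summarise_peer(events, peer):
    """Where did IKE stall for this peer? Based only on event names seen in the log."""
    names = [e["event"] for e in events if e["peer"] == peer]
    counts = Counter(names)
    phase1_done = "P1_DONE" in counts
    retrans = counts["P2_RETRAN"]
    if not phase1_done:
        verdict = "phase 1 never completed (isakmp policy or pre-shared key mismatch is the usual cause)"
    elif retrans or "MALFORMED_PAYLOAD" in counts:
        verdict = (f"phase 1 completed, phase 2 never finished: {retrans} retransmit(s), "
                   f"{'MALFORMED_PAYLOAD' if 'MALFORMED_PAYLOAD' in counts else 'no malformed payload'}, "
                   "then disconnect; compare transform-set and client authentication settings")
    else:
        verdict = "no failure pattern seen"
    return {"peer": peer, "first": names[0] if names else None, "last": names[-1] if names else None,
            "phase1_done": phase1_done, "p2_retransmits": retrans, "verdict": verdict}


if __name__ == "__main__":
    for e in parse_pix_log(PIX_LOG):
        print(e["ts"].time(), e["peer"], e["event"])
    print(summarise_peer(parse_pix_log(PIX_LOG), "216.178.86.111"))
    for c in parse_client_log(CLIENT_LOG):
        print(c["code"], c["message"])
```

Reading the PIX log oldest-first makes the picture plain: phase 1 completed (P1_DONE, ISAKMP_CONNECTED), then three phase-2 retransmits five seconds apart with no reply the PIX could use, then MALFORMED_PAYLOAD and a disconnect. That matches the client-side "Invalid SPI size" and "malformed message" warnings, which is the kind of cross-check the original poster was asking for.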

access-list 100 is not doing anything that I can see. The acl that has anything to do with the vpn at all is 80 and does your nat exemption with these commands. These look good.

access-list 80 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 80

As far as your radius server goes, I assume you are talking about IAS? All you have to do in IAS is create a new client. That configuration is pretty straightforward. Enter a friendly name, which can be anything, an ip address which would be the inside address of the ASA. Use Radius Standard for Client-Vendor, not Cisco. Also enter a shared secret. You then must create a Remote Access Policy which defines the connection attributes and specify to Grant Remote Access Permission. Here is the doc for pix/asa 7 but it covers the IAS configuration which is the same and is easier than me typing it all out.

A good place to look at when you are trying to authenticate to your IAS/AD machine is your Event Viewer, under System. The authentication requests will show in there and help you troubleshoot.

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml#configuringthemicrosoftserverwithias

oh, and acl 100 is not needed you can get rid of it.

Good stuff! This seems to work.

If I may impose on your patience for two more questions:

1. What was wrong with my original isakmp policies:

isakmp policy 8 authentication pre-share
isakmp policy 8 encryption aes
isakmp policy 8 hash sha
isakmp policy 8 group 5

2. The client can't access the internet through the VPN; how do I route that traffic to the outside interface?

Thanks for all your help.

Regards,

dpm

1. Honestly I'm not sure.

2. For internet access while connected to the vpn you will have to set up split tunneling. What this will do is define a policy for what traffic will be encrypted on the vpn. In your case anything to 192.168.0.0 will be encrypted, anything else (internet) will not be and you will be able to simultaneously access the internet. It has nothing to do with routing. You will see the difference in your vpn client while connected under Status -> Statistics -> Route Details. Without split tunnel you will only see 0.0.0.0 under secured routes. When split tunnel is set up you will only see 192.168.0.0 under secured routes, meaning everything else is unsecured and not part of the vpn.

access-list split_tunnel permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
vpngroup ddiremote split-tunnel split_tunnel

Please rate posts if they helped.
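To make the "secured routes" behaviour concrete, here is an added Python model (not code from the thread or from Cisco) of what a PIX 6.3 split-tunnel ACL does to the client's traffic. It parses the `access-list split_tunnel` line from the reply above, treats the source side of each permit entry as a secured route (which is what the reply says the client displays), and classifies destinations as encrypted or cleartext. The client address pool 192.168.100.0/24 and inside network 192.168.0.0/24 are the thread's values; the 203.0.113.25 "mail server" address is a constructed example.

```python
import ipaddress

# Constructed: the split-tunnel ACL from the reply above, plus the nat-exemption ACL from earlier.
PIX_ACLS = """\
access-list split_tunnel permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 80 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
"""


def parse_acls(text):
    """Parse PIX 6.3 'access-list NAME permit|deny ip SRC MASK DST MASK' lines.

    Returns {name: [(action, src_network, dst_network), ...]}. Only the
    'ip <net> <mask> <net> <mask>' form used in this thread is handled.
    """
    rules = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) < 8 or p[0] != "access-list" or p[3] != "ip":
            continue
        src = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)  # dotted mask accepted
        dst = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
        rules.setdefault(p[1], []).append((p[2], src, dst))
    return rules


def secured_routes(rules, acl_name=None):
    """Networks the client lists under Secured Routes.

    With no split-tunnel ACL bound to the vpngroup everything (0.0.0.0/0) is
    secured; with one bound, only the source side of each permit entry is.
    """
    if acl_name is None:
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [src for action, src, _dst in rules.get(acl_name, []) if action == "permit"]


def classify(destination, routes):
    """'encrypted' if the destination falls in a secured route, else 'cleartext'."""
    addr = ipaddress.ip_address(destination)
    return "encrypted" if any(addr in net for net in routes) else "cleartext"


def report(rules, acl_name, destinations):
    """Map each destination to its treatment under the given split-tunnel setting."""
    routes = secured_routes(rules, acl_name)
    return {d: classify(d, routes) for d in destinations}


if __name__ == "__main__":
    rules = parse_acls(PIX_ACLS)
    targets = ["192.168.0.25", "203.0.113.25"]  # inside host, constructed internet mail server
    print("no split tunnel :", report(rules, None, targets))
    print("split_tunnel    :", report(rules, "split_tunnel", targets))
```

Running it shows the trade-off the rest of the thread turns on: with `vpngroup ... split-tunnel split_tunnel` an internal host is encrypted but the internet mail server is cleartext, and without split tunnelling everything is secured, which on PIX 6.3 means internet traffic has nowhere to go once it reaches the firewall.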

You said: "In your case anything to 192.168.0.0 will be encrypted, anthing else (internet) will not be and you will be able to simultaneously access the internet."

Well, no: when I'm connected to the VPN I want ALL traffic to go through it.

Example: I'm in an airport connected to an unsecured wireless router, and I want to check my email; I want that traffic encrypted!

Regards,

dpm

You did ask how to get the vpn client to access the internet.

If you are concerned about security you should not use split tunnel and should disconnect from the vpn when you want to use the internet.

Where's your mail server? If it is in your network then yes this would be encrypted, but if you wanted to browse www.google.com for example, this traffic can not be encrypted. There is an option in pix/asa version 7 which allows you to bounce vpn client internet traffic off the outside interface of the firewall, so in that case the traffic would be encrypted as far as the firewall, then the client would be nat'ed and the traffic would be cleartext to the internet. The return traffic would be encrypted from the firewall to the client. Hope that makes sense.

"If you are concerned about security you should not use split tunnel and should disconnect from the vpn when you want to use the internet."

Well, I'm confused: I *AM* concerned with security, that's why I'm using a VPN. If I could trust the local network I wouldn't need a VPN. I can set up the Microsoft RAS server to send all traffic down the VPN pipe, and then route any non-local traffic out to the default gateway at the server. I assumed that the PIX was able to do the same thing.

Are you implying that at the PIX it's impossible to NAT any traffic not destined for 192.168.0.0 out to the outside interface?

Regards,

dpm

I added to my previous post. I think that answers at least one of your questions concerning NAT.

You got it. My mail server is at an internet address.

"There is an option in pix/asa version 7 which allows you to bounce vpn client internet traffic off the outside interface of the firewall, so in that case the traffic would be encrypted as far as the firewall, then the client would be nat'ed and the traffic would be cleartext to the internet. The return traffic would be encrypted from the firewall to the client."

This is EXACTLY what I want, but I bought a PIX-506e which is running version 6.3.

So, did I buy the wrong thing? Can version 7 be loaded onto a 506e?

Regards,

dpm

Sorry,

The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.

http://cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a0080688c71.html#wp43534

http://cisco.com/en/US/products/sw/secursw/ps2120/products_upgrade_guides09186a0080369ee2.html#wp1032446

Another option you may have is to have an internal proxy server, not ideal probably, but an option.

OK, let's consider falling back to Microsoft RAS.

With my old router I just specified port forwarding to point connection requests on a specific port to a specific internal IP address. May I assume that this can also be done with the PIX? And if so, can you point me to the commands that I'd need to enable it? Access-list, perhaps?

Thanks,

dpm

static (inside,outside) netmask 255.255.255.255
access-list outside_in permit any host eq
access-group outside_in in interface outside

ex.

static (inside,outside) tcp 1.1.1.1 80 192.168.0.10 80 netmask 255.255.255.255
access-list outside_in permit tcp any host 1.1.1.1 eq 80
access-group outside_in in interface outside

If is the outside address of pix then you would substitute the keyword "interface" in your static statement like so...

static (inside,outside) tcp interface 80 192.168.0.10 80 netmask 255.255.255.255

or if you wanted to forward port 80 to inside port 8080

static (inside,outside) tcp 1.1.1.1 80 192.168.0.10 8080 netmask 255.255.255.255
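The three commands in the reply above work together, and the safe property of the result is that only the one port you translated and permitted is reachable from outside. The following Python is an added example (not code from the thread or from Cisco) that models inbound handling on a PIX 6.3 for exactly those three commands: `static` for the translation, `access-list` filtering on the outside address, and `access-group` binding the list to the outside interface. The 1.1.1.1 / 192.168.0.10 / 8080 values are the reply's own; the port 1723 and port 443 lines are constructed additions, the first matching the PPTP port the poster ends up using. The model only understands the `static` and `access-list` forms shown on this page.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample config: the port-80 example from the reply above, a constructed PPTP
# (1723) forward for the RAS server, and a constructed ACL entry for 443 that has NO static.
CONFIG = """\
static (inside,outside) tcp 1.1.1.1 80 192.168.0.10 8080 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 1723 192.168.0.10 1723 netmask 255.255.255.255
access-list outside_in permit tcp any host 1.1.1.1 eq 80
access-list outside_in permit tcp any host 1.1.1.1 eq 1723
access-list outside_in permit tcp any host 1.1.1.1 eq 443
access-group outside_in in interface outside
"""

Static = Tuple[str, str, int, str, int]            # proto, outside ip, outside port, inside ip, inside port
Ace = Tuple[str, str, str, Optional[int]]          # action, proto, dst ('any' or host), dst port or None


class PixPortForward:
    """Toy model of inbound PIX 6.3 handling for static + access-list + access-group."""

    def __init__(self) -> None:
        self.statics: List[Static] = []
        self.acls: Dict[str, List[Ace]] = {}
        self.bound: Dict[str, str] = {}            # interface -> ACL applied inbound

    def load(self, config: str) -> None:
        for raw in config.splitlines():
            p = raw.split()
            if not p:
                continue
            if p[0] == "static" and len(p) >= 7 and p[2] in ("tcp", "udp"):
                self.statics.append((p[2], p[3], int(p[4]), p[5], int(p[6])))
            elif p[0] == "access-list":
                self.acls.setdefault(p[1], []).append(self._parse_ace(p))
            elif p[0] == "access-group" and len(p) >= 5 and p[2] == "in" and p[3] == "interface":
                self.bound[p[4]] = p[1]

    @staticmethod
    def _parse_ace(p: List[str]) -> Ace:
        # p = ['access-list', name, action, proto, src..., dst..., 'eq', port]
        action, proto, i = p[2], p[3], 4
        i += 1 if p[i] == "any" else 2             # source: 'any' or 'host X' (only forms on the page)
        if p[i] == "any":
            dst, i = "any", i + 1
        else:
            dst, i = p[i + 1], i + 2               # 'host X'
        port = int(p[i + 1]) if i + 1 < len(p) and p[i] == "eq" else None
        return (action, proto, dst, port)

    def inbound(self, proto: str, dst_ip: str, dst_port: int, iface: str = "outside") -> str:
        """Describe what happens to a packet arriving on the outside interface."""
        acl = self.bound.get(iface)
        if acl is None:
            return f"dropped: no access-group on {iface}"       # PIX denies inbound by default
        for action, aproto, adst, aport in self.acls.get(acl, []):
            if aproto in (proto, "ip") and adst in ("any", dst_ip) and aport in (None, dst_port):
                if action == "deny":
                    return f"dropped: denied by access-list {acl}"
                break                                            # first match wins
        else:
            return f"dropped: no permit in access-list {acl}"
        for sproto, oip, oport, iip, iport in self.statics:
            if sproto == proto and oip == dst_ip and oport == dst_port:
                return f"forwarded to {iip}:{iport}"
        return "dropped: no static translation"


if __name__ == "__main__":
    pix = PixPortForward()
    pix.load(CONFIG)
    for port in (80, 1723, 443, 22):
        print(f"tcp 1.1.1.1:{port} ->", pix.inbound("tcp", "1.1.1.1", port))
```

The port-443 case is the one worth noticing when you troubleshoot: a permit in the ACL with no matching `static` still drops the packet, and so does a `static` with no permit, which is why the reply shows all three commands together. The poster's final addition, `fixup protocol pptp 1723`, is outside this model; it tells the PIX to inspect the PPTP control channel so the associated GRE traffic is allowed through.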

Thanks - this was very helpful.

I had to add:

fixup protocol pptp 1723

Now it's working just like before.

Thanks again for your help. I can't say that the command reference is intuitive, so your advice really helped.

Regards,

dpm
