New Member

VPN client-to-PIX

Subject:

VPN client-to-PIX VPN connections

Network:

VPNClient----ADSLRouter----Internet---Router---PIX---LAN(DB/Radius)

AND

CiscoVPN Client---DialupModem----Internet---Router---PIX---LAN(DB/Radius)

Requested:

1- PIX should accept remote access from VPN clients through ADSL to access services

such as database, SMTP, HTTP, etc.

2- PIX should accept remote access from VPN clients through a dial-up connection

to access services such as database, SMTP, HTTP, etc.

3- Authentication through an external RADIUS server.

Given:

VPN Client: Cisco VPN Client 4.8

Pix : Ver. 6.3

Office Router Real IP X.Y.Z.1 255.255.255.240

Office PIX Real IP X.Y.Z.2 255.255.255.240

Office LAN Server: 10.5.1.x/16

Office Client PC 10.6.10.x-10.6.20.x-10.6.30.x-10.6.40.x-10.6.50.x-10.6.60.x/24

Radius Server: 10.5.1.102

DB Server: 10.5.1.110/16

ADSL Remote LAN: 10.0.0.0/24

Dial-up connection: obtains a real IP through the ISP

Pix Configuration:

Pix# sh run

PIX Version 6.3(4)

hostname Pix

domain-name my.com

fixup protocol dns maximum-length 512

access-list inside-access permit tcp any any eq smtp

access-list inside-access deny ip any any

no pager

logging on

logging history informational

mtu outside 1500

mtu inside 1500

mtu dmz-app-server 1500

mtu failover-link 1500

ip address outside X.Y.Z.2 255.255.255.240

ip address inside 10.6.70.5 255.255.255.0

ip address dmz-app-server 192.168.10.1 255.255.255.0

ip address failover-link 10.6.170.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

failover

failover timeout 0:00:00

failover poll 15

failover link failover-link

pdm location 10.5.0.20 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 X.Y.Z.14

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (dmz-app-server,outside) X.Y.Z.10 192.168.10.3 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside-access in interface inside

route outside 0.0.0.0 0.0.0.0 X.Y.Z.1 1

route inside 10.4.100.10 255.255.255.255 10.6.70.1 1

route inside 10.5.0.0 255.255.0.0 10.6.70.1 1

route inside 10.6.0.0 255.255.0.0 10.6.70.1 1

timeout xlate 3:00:00

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

floodguard enable

console timeout 0

terminal width 80

Suggested solution:

The following is what I am planning to add to my PIX to enable VPN connections:

sysopt connection permit-ipsec

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server RADIUS (inside) host 10.5.1.102 password timeout 10

access-list nonat permit ip 10.5.1.0 255.255.255.0 10.0.0.0 255.255.255.0

ip local pool ippool 10.5.2.1-10.5.2.254

nat (inside) 0 access-list nonat

crypto ipsec transform-set mobileset esp-3des esp-md5-hmac

crypto dynamic-map mobiledynmap 20 set transform-set mobileset

crypto map mobilemap 20 ipsec-isakmp dynamic mobiledynmap

crypto map mobilemap client authentication RADIUS

crypto map mobilemap interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup mobilegroup address-pool ippool

vpngroup mobilegroup dns-server 10.5.1.111

vpngroup mobilegroup idle-time 1800

vpngroup mobilegroup password <password>

Gold

Re: VPN client-to-PIX

Fadi

The only command missing is:

isakmp nat-traversal

Apart from that looks OK.

Please rate posts if it helps!!

Regards,

New Member

Re: VPN client-to-PIX

Not working. I added the above and

I am getting the following message:

Secure VPN connection terminated locally

by the client. Reason: user authentication failed.

Gold

Re: VPN client-to-PIX

Fadi

The error message you're seeing is related to a RADIUS authentication failure. For sanity, take out the RADIUS authentication and check to see if it works - I bet it will! Keep the isakmp nat-traversal command; if you need an explanation of this command then let me know.

Also for reference, read this document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

Let me know how you get on,

Please rate post if it helps!

Regards,

New Member

Re: VPN client-to-PIX

I have this:

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server RADIUS (inside) host 10.5.1.102 password timeout 10

aaa-server LOCAL protocol local

crypto map mobilemap client authentication RADIUS

New Member

Re: VPN client-to-PIX

It works now.

Added isakmp nat-traversal.

Changed my access list to have access-list nonat permit ip 10.6.70.0 255.255.255.0 ........

Changed ippool to 11.1.1.1-11.1.1.254 to avoid any conflicts.
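Added example, not part of the thread: a small checker that encodes the three things the thread ended up changing (isakmp nat-traversal present, the NAT-exempt ACL actually covering the VPN pool, and the pool not overlapping anything routed out the inside interface) and runs it over the fragment the original poster planned to add and over a corrected version. The config snippets are constructed from the lines visible in the thread; the poster's final nonat line is truncated on the page, so the two nonat entries in the fixed fragment are an assumption, not the poster's exact lines.

```python
"""Sanity checks for a PIX 6.3 remote-access IPsec VPN fragment (added example)."""
import ipaddress
import re

# Constructed from the thread: inside interface/routes of the running config
# plus the remote-access VPN lines the original poster planned to add.
ORIGINAL_FRAGMENT = """
ip address inside 10.6.70.5 255.255.255.0
route inside 10.5.0.0 255.255.0.0 10.6.70.1 1
route inside 10.6.0.0 255.255.0.0 10.6.70.1 1
access-list nonat permit ip 10.5.1.0 255.255.255.0 10.0.0.0 255.255.255.0
ip local pool ippool 10.5.2.1-10.5.2.254
nat (inside) 0 access-list nonat
crypto map mobilemap client authentication RADIUS
isakmp enable outside
vpngroup mobilegroup address-pool ippool
"""

# Constructed: the same fragment with the changes the final post describes.
# The nonat entries are an assumption (the poster's line is truncated on the
# page): they exempt both the PIX inside subnet and the 10.5.0.0/16 server LAN
# where the DB and RADIUS servers live.
FIXED_FRAGMENT = """
ip address inside 10.6.70.5 255.255.255.0
route inside 10.5.0.0 255.255.0.0 10.6.70.1 1
route inside 10.6.0.0 255.255.0.0 10.6.70.1 1
access-list nonat permit ip 10.6.70.0 255.255.255.0 11.1.1.0 255.255.255.0
access-list nonat permit ip 10.5.0.0 255.255.0.0 11.1.1.0 255.255.255.0
ip local pool ippool 11.1.1.1-11.1.1.254
nat (inside) 0 access-list nonat
crypto map mobilemap client authentication RADIUS
isakmp enable outside
isakmp nat-traversal
vpngroup mobilegroup address-pool ippool
"""


def _net(addr, mask):
    """'10.6.70.5', '255.255.255.0' -> IPv4Network 10.6.70.0/24."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_fragment(config):
    """Pull out only the statements the checks look at."""
    cfg = {"inside_nets": [], "pools": {}, "acls": {}, "nonat_acl": None,
           "nat_traversal": False}
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.fullmatch(r"ip address inside (\S+) (\S+)", line):
            cfg["inside_nets"].append(_net(m[1], m[2]))
        elif m := re.fullmatch(r"route inside (\S+) (\S+) \S+ \d+", line):
            cfg["inside_nets"].append(_net(m[1], m[2]))
        elif m := re.fullmatch(r"ip local pool (\S+) (\S+)-(\S+)", line):
            cfg["pools"][m[1]] = (int(ipaddress.ip_address(m[2])),
                                  int(ipaddress.ip_address(m[3])))
        elif m := re.fullmatch(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acls"].setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.fullmatch(r"nat \(inside\) 0 access-list (\S+)", line):
            cfg["nonat_acl"] = m[1]
        elif line.split()[:2] == ["isakmp", "nat-traversal"]:
            cfg["nat_traversal"] = True
    return cfg


def _overlaps(net, first, last):
    return int(net[0]) <= last and int(net[-1]) >= first


def _covers(net, first, last):
    return int(net[0]) <= first and last <= int(net[-1])


def check_fragment(config):
    """Return a list of findings; an empty list means the fragment passes."""
    cfg = parse_fragment(config)
    findings = []
    # 1. Raw ESP does not survive the NAT router in front of the ADSL client;
    #    NAT-T wraps it in UDP/4500 so the data path works after phase 1/2.
    if not cfg["nat_traversal"]:
        findings.append("missing 'isakmp nat-traversal': clients behind NAT get no data path")
    exempt = cfg["acls"].get(cfg["nonat_acl"], []) if cfg["nonat_acl"] else []
    for name, (first, last) in cfg["pools"].items():
        rng = f"{ipaddress.ip_address(first)}-{ipaddress.ip_address(last)}"
        # 2. A pool carved out of a network routed via the inside interface
        #    collides with real hosts and with the PIX's own routing.
        for net in cfg["inside_nets"]:
            if _overlaps(net, first, last):
                findings.append(f"pool {name} ({rng}) overlaps inside network {net}")
        # 3. Return traffic to the pool must be exempt from NAT; the tunnel-side
        #    client address is the pool address, not the remote LAN behind the client.
        if not any(_covers(dst, first, last) for _, dst in exempt):
            findings.append(f"nat 0 ACL does not exempt traffic to pool {name} ({rng})")
    return findings


if __name__ == "__main__":
    for label, frag in (("original", ORIGINAL_FRAGMENT), ("fixed", FIXED_FRAGMENT)):
        print(f"{label}:")
        for finding in check_fragment(frag) or ["OK"]:
            print("   ", finding)
```

Run against the original fragment it reports all three problems; against the fixed one it reports none. Two caveats a practitioner would still raise: 11.0.0.0/8 is publicly allocated address space, so a pool from an unused RFC 1918 range would avoid shadowing real Internet hosts for connected users; and the 3DES/MD5/group 2 policy with a shared vpngroup password is the PIX 6.3 and VPN Client 4.8 baseline, not something to carry forward where stronger transforms are available.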
