
VPN Sign in

david_c_reed
Level 1

Ok, I thought that I had set up everything I would need for a user to access my network behind a PIX 515e but I guess not.

I basically gave inside and outside ports IP addresses on their respective subnets. Created some ACLs, applied these to a group and gave a user access to this group. That's it.

I then pointed the VPN client towards the outside IP and it looks like it's about to connect but then I get a reason 412 error "remote peer no longer responding". I have seen some posts about a port 500 not being open but have no idea how to do this, I am still really new at all of this.

Any help would be appreciated.

5 Replies

nathancielieska
Level 1

David,

Unfortunately there is a lot more to it.

I cannot find a good doc as well.. you need to add the following

** Identify your transform set and Remote Access parameters

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

** enable an isakmp policy

isakmp enable outside
isakmp policy 10 authentication pre
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

** ip address given to your clients

ip local pool vpnpool 10.0.0.10-10.0.0.100

** you don't want to NAT connectivity to your remote clients

access-list 120 permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 120

** actual parameters to type into your client

vpngroup vpncert address-pool vpnpool
vpngroup vpncert idle-time 1800
vpngroup vpncert password letmein

** In your Client

Group name : vpncert
password : letmein

This will get you 90% if not 100%..

Also putting in

sysopt connection permit-vpn or sysopt connection permit-ipsec

This will allow you to not worry about Access lists botching up your VPN
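The reply above lists the building blocks a PIX 6.x remote-access VPN needs, and the original question was "I thought I had set up everything, but I guess not". The following Python script is an added example, not code from this thread or from Cisco: it parses a config dump and reports which of those building blocks are missing, which commands point at names that nothing defines (a dynamic map naming a transform set that does not exist, a vpngroup naming an unknown pool), and whether the client pool actually falls inside the destination subnet of the "nat (inside) 0" exemption ACL, which is the usual reason clients connect but cannot be reached from inside. The sample config is assembled from the commands in the reply; the sysopt line, the inside subnet 10.1.1.0/24 and the use of "pre-share" in full are assumptions for the sample.

```python
import ipaddress
import re

# Constructed sample: the commands from the reply above, plus an assumed
# "sysopt connection permit-ipsec" line. Not a real device dump.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ip local pool vpnpool 10.0.0.10-10.0.0.100
access-list 120 permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 120
vpngroup vpncert address-pool vpnpool
vpngroup vpncert idle-time 1800
vpngroup vpncert password letmein
sysopt connection permit-ipsec
"""

# One regex per required building block, matched against a single config line.
# Capture groups hold the names that other commands must refer to.
REQUIRED = {
    "transform-set": r"^crypto ipsec transform-set (\S+)",
    "dynamic-map": r"^crypto dynamic-map (\S+) \d+ set transform-set (\S+)",
    "crypto-map-dynamic": r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)",
    "crypto-map-on-outside": r"^crypto map (\S+) interface outside",
    "isakmp-enabled-outside": r"^isakmp enable outside",
    "isakmp-policy": r"^isakmp policy \d+ authentication pre",
    "address-pool": r"^ip local pool (\S+) (\S+)-(\S+)",
    "nat-exemption": r"^nat \(inside\) 0 access-list (\S+)",
    "vpngroup-pool": r"^vpngroup (\S+) address-pool (\S+)",
    "vpngroup-password": r"^vpngroup (\S+) password",
    "sysopt-permit": r"^sysopt connection permit-(ipsec|vpn)",
}


def _lines(config):
    return [line.strip() for line in config.splitlines() if line.strip()]


def _names(lines, pattern, group=1):
    """Set of values captured by `group` on every line matching `pattern`."""
    found = set()
    for line in lines:
        m = re.match(pattern, line)
        if m:
            found.add(m.group(group))
    return found


def missing_pieces(config):
    """Building blocks (keys of REQUIRED) that do not appear at all."""
    lines = _lines(config)
    return [name for name, pat in REQUIRED.items()
            if not any(re.match(pat, line) for line in lines)]


def dangling_references(config):
    """Commands that refer to a name no other command defines."""
    lines = _lines(config)
    problems = []
    if not _names(lines, REQUIRED["dynamic-map"], 2) <= _names(lines, REQUIRED["transform-set"]):
        problems.append("dynamic-map references an undefined transform-set")
    if not _names(lines, REQUIRED["crypto-map-dynamic"], 2) <= _names(lines, REQUIRED["dynamic-map"]):
        problems.append("crypto map references an undefined dynamic-map")
    if not _names(lines, REQUIRED["crypto-map-on-outside"]) <= _names(lines, REQUIRED["crypto-map-dynamic"]):
        problems.append("crypto map applied to outside has no ipsec-isakmp dynamic entry")
    if not _names(lines, REQUIRED["vpngroup-pool"], 2) <= _names(lines, REQUIRED["address-pool"]):
        problems.append("vpngroup references an undefined address pool")
    return problems


def pool_outside_nat_exemption(config):
    """Client pools ("start-end") not fully covered by the destination subnets
    of the ACL named in 'nat (inside) 0 access-list'. Traffic from inside to
    such clients would still be translated, which breaks the return path."""
    lines = _lines(config)
    acl_names = _names(lines, REQUIRED["nat-exemption"])
    exempt = []
    for line in lines:
        m = re.match(r"^access-list (\S+) permit ip \S+ \S+ (\S+) (\S+)$", line)
        if m and m.group(1) in acl_names:
            exempt.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    leaking = []
    for line in lines:
        m = re.match(REQUIRED["address-pool"], line)
        if not m:
            continue
        start, end = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
        covered = all(any(net.subnet_of(ex) for ex in exempt)
                      for net in ipaddress.summarize_address_range(start, end))
        if not covered:
            leaking.append(f"{start}-{end}")
    return leaking


if __name__ == "__main__":
    print("missing:", missing_pieces(SAMPLE_CONFIG))
    print("dangling:", dangling_references(SAMPLE_CONFIG))
    print("pool not NAT-exempt:", pool_outside_nat_exemption(SAMPLE_CONFIG))
```

Run it against a "write terminal" capture saved to a file instead of SAMPLE_CONFIG and the three lists tell you which of the reply's steps are still absent. The check is deliberately name-based: a crypto map that exists but is never applied to the outside interface, or an exemption ACL whose destination does not contain the pool, both look complete when skimming the config and are exactly what the parser catches.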

Nathan,

I finally have the connection up but am having some difficulty pinging across.

I connect and it gives local area connection 2 an IP address of the inside network. I can ping from the inside PC to the outside PC (outside PC's local area connection 2) but I can't ping in from outside. I have the ACL for the user as follows:

access-l test ext permit ip 172.15.116.0 255.255.255.0 any
access-l test ext permit ip any 172.15.116.0 255.255.255.0

I am not sure if it is this or a NAT problem, thanks for the help.

Dave

mherald
Level 1

It sounds as if you are relatively close.

I prefer to use the sysopt connection permit-ipsec option to accept IPsec connections from most anywhere; this keeps me from fouling up VPN connectivity should I mess up an ACL. As well, I do not have a lot of control over where clients want to connect from. This does not allow any user without the correct credentials access to your network, just an opportunity to connect to the VPN server on the specific IPsec required ports.

This allows IP ports 50, 51 (ESP and AH) and UDP 500 (IKE) to connect to the VPN server (PIX or ASA).

Did you set up a NAT pool for clients? You may want to do this if you need the IP traffic to return to the client via this VPN server in the event there may be some asymmetric routing paths.

If you are running 7.x+ code and ASDM 6.x+, the VPN remote client wizard pretty much takes out any of the guess work with this.

Does this help?

Mike
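The reply above names the three things the outside interface has to accept for a remote-access client: UDP 500 (IKE), IP protocol 50 (ESP) and IP protocol 51 (AH). When sysopt connection permit-ipsec is absent and the outside ACL blocks one of them, the client sees exactly the "remote peer no longer responding" symptom from the first post, and the firewall log is where the evidence is. The script below is an added example, not part of the thread: it reads PIX-style 106023 deny messages, decides which IPsec component each denied packet belonged to, and tallies them per source address so a defender can tell "IKE got through but ESP was dropped" apart from an unrelated scan. The log lines are constructed (RFC 5737 addresses) and the message layout is an assumption modelled on the PIX/ASA 106023 format.

```python
import re
from collections import Counter

# IPsec components by how they appear in a deny message:
# (protocol keyword, destination port or None for non-TCP/UDP protocols).
IPSEC_COMPONENTS = {
    ("udp", 500): "IKE (ISAKMP)",
    ("protocol 50", None): "ESP",
    ("protocol 51", None): "AH",
}

# Constructed PIX-style deny lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
%PIX-4-106023: Deny udp src outside:203.0.113.7/500 dst outside:198.51.100.1/500 by access-group "outside_in"
%PIX-4-106023: Deny protocol 50 src outside:203.0.113.7 dst outside:198.51.100.1 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.9/41022 dst inside:10.1.1.5/445 by access-group "outside_in"
%PIX-4-106023: Deny udp src outside:203.0.113.7/500 dst outside:198.51.100.1/500 by access-group "outside_in"
%PIX-4-106023: Deny protocol 51 src outside:203.0.113.12 dst outside:198.51.100.1 by access-group "outside_in"
"""

# Assumed layout: "Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>] ..."
DENY_RE = re.compile(
    r"Deny (?P<proto>udp|tcp|icmp|protocol \d+) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)


def classify_deny(line):
    """Name of the IPsec component a denied packet belongs to, or None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    proto = m.group("proto")
    dport = int(m.group("dport")) if m.group("dport") else None
    # Only TCP/UDP carry a port; ESP and AH are identified by protocol number.
    key = (proto, dport if proto in ("udp", "tcp") else None)
    return IPSEC_COMPONENTS.get(key)


def blocked_ipsec_peers(log_text):
    """Map each source address to a Counter of IPsec components it was denied."""
    tally = {}
    for line in log_text.splitlines():
        component = classify_deny(line)
        if component is None:
            continue
        src = DENY_RE.search(line).group("src")
        tally.setdefault(src, Counter())[component] += 1
    return tally


if __name__ == "__main__":
    for peer, counts in blocked_ipsec_peers(SAMPLE_LOG).items():
        print(peer, dict(counts))
```

A peer that shows up with IKE denies never gets past phase 1; one with only ESP denies negotiated fine and is then silently dropped when data starts flowing, which matches the "connects, then nothing works" pattern in this thread. Either way the fix is on the outside ACL (or sysopt connection permit-ipsec), not on the client.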

I will attempt to try out your ideas. I tried to use the GUI but I could connect only about 1 out of 3 times, and then when changes were to be updated it couldn't see the PIX for some reason.

Right now I just have 2 PCs, one on the outside and one on the inside. I am just trying to set it up before I try to place it in the real network. I don't know why there are connection errors all the time with this thing, it just seems easier to use the CLI.
