VPN to Pix problem

sharpkings
Level 1

It seems that I am having similar problems to a lot of others in connecting remote clients to a PIX 515E.

I currently have tried both the Cisco VPN client 3.6 and 4.03 with no success. The users are authenticated fine and within the client you can see that they have been allocated an address etc., but they are unable to access the internal network. The sh crypto ipsec sa shows no encrypted traffic has hit the Pix for that sa...

Within the client status it does show that packets are being encrypted, so I am at a bit of a loss.

I also have a problem with PPTP connections - this seems to differ between client OSes, but Win2K machines can connect and get verified etc., yet again cannot connect to the inside networks. Could these be related?

My current config is: (addresses etc changed)

sh run
: Saved
:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password xxxx
passwd xxxx
hostname fw
domain-name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol skinny 2000
no fixup protocol sip 5060
names
name 10.0.0.0 Inside_All
name 10.30.1.0 Ireland1_LAN
name 159.135.101.34 Ireland1_VPN
name 213.95.227.137 IrelandSt1_VPN
name 10.30.2.0 Cardiff_LAN
name 82.69.56.30 Cardiff_VPN
access-list 101 permit ip Inside_All 255.0.0.0 10.1.1.88 255.255.255.248
access-list 101 permit ip Inside_All 255.0.0.0 Ireland1_LAN 255.255.255.0
access-list 101 permit ip Inside_All 255.0.0.0 Cardiff_LAN 255.255.255.0
access-list 101 permit ip Inside_All 255.0.0.0 10.30.3.0 255.255.255.0
access-list 101 permit ip Inside_All 255.0.0.0 192.168.253.0 255.255.255.0
access-list outside_interface permit icmp any any echo
access-list outside_interface permit icmp any any echo-reply
access-list outside_interface permit icmp any any traceroute
access-list outside_interface permit tcp any host 212.36.237.99 eq smtp
access-list outside_interface permit ip any host 212.36.237.100
access-list outside_interface permit tcp host 212.241.168.236 host 212.36.237.101 eq telnet
access-list outside_interface permit tcp 192.188.69.0 255.255.255.0 host 212.36.237.101 eq telnet
access-list outside_interface permit tcp any any eq telnet
access-list outside_interface permit ip host 82.69.108.125 any
access-list 102 permit ip 10.1.1.0 255.255.255.0 Ireland1_LAN 255.255.255.0
access-list 103 permit ip 10.1.1.0 255.255.255.0 Cardiff_LAN 255.255.255.0
access-list 104 permit ip 10.1.1.0 255.255.255.0 10.30.3.0 255.255.255.0
pager lines 24
logging on
logging console debugging
logging monitor debugging
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 212.36.237.98 255.255.255.240
ip address inside 10.1.1.250 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.1.88-10.1.1.95
ip local pool mspool 10.7.1.1-10.7.1.50
ip local pool mspools 192.168.253.1-192.168.253.50
pdm location Inside_All 255.255.255.0 inside
pdm location 82.69.108.125 255.255.255.255 outside
pdm location 10.55.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 212.36.237.100 10.1.1.50 netmask 255.255.255.255 0 0
static (inside,outside) 212.36.237.101 10.1.1.254 netmask 255.255.255.255 0 0
static (inside,outside) 212.36.237.99 10.1.1.208 netmask 255.255.255.255 0 0
access-group outside_interface in interface outside
route outside 0.0.0.0 0.0.0.0 212.36.237.97 1
route inside Inside_All 255.255.255.0 10.1.1.254 1
route inside 10.2.1.0 255.255.255.0 10.1.1.254 1
route inside 10.3.1.0 255.255.255.0 10.1.1.254 1
route inside 10.4.1.0 255.255.255.0 10.1.1.254 1
route inside 10.5.1.0 255.255.255.0 10.1.1.254 1
route inside 10.6.1.0 255.255.255.0 10.1.1.254 1
route inside 10.7.1.0 255.255.255.0 10.1.1.254 1
route inside 10.8.1.0 255.255.255.0 10.1.1.254 1
route inside 10.9.1.0 255.255.255.0 10.1.1.254 1
route inside 10.10.1.0 255.255.255.0 10.1.1.254 1
route inside 10.11.1.0 255.255.255.0 10.1.1.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute uauth 0:30:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInOut protocol tacacs+
aaa-server AuthInOut (inside) host 10.1.1.203 Kinder timeout 10
aaa authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
aaa authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
aaa accounting include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
aaa accounting include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
http server enable
http 82.69.108.125 255.255.255.255 outside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community xxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt route dnat
crypto ipsec transform-set VPNAccess esp-des esp-md5-hmac
crypto ipsec transform-set VPNAccess2 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set VPNAccess2
crypto map home 9 ipsec-isakmp dynamic dynmap
crypto map home 10 ipsec-isakmp
crypto map home 10 match address 102
crypto map home 10 set peer IrelandSt1_VPN
crypto map home 10 set transform-set VPNAccess
crypto map home 15 ipsec-isakmp
crypto map home 15 match address 103
crypto map home 15 set peer Cardiff_VPN
crypto map home 15 set transform-set VPNAccess
crypto map home 30 ipsec-isakmp
crypto map home 30 match address 104
crypto map home 30 set peer 212.242.143.147
crypto map home 30 set transform-set VPNAccess
crypto map home interface outside
isakmp enable outside
isakmp key ******** address IrelandSt1_VPN netmask 255.255.255.255
isakmp key ******** address Cardiff_VPN netmask 255.255.255.255
isakmp key ******** address 212.242.143.147 netmask 255.255.255.255
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash sha
isakmp policy 7 group 2
isakmp policy 7 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 85000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 85000
vpngroup client address-pool mspools
vpngroup client dns-server 194.153.0.18
vpngroup client wins-server 10.155.1.16
vpngroup client idle-time 1800
vpngroup client password ********
telnet 82.69.108.125 255.255.255.255 outside
telnet 10.55.1.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 15
ssh 82.69.108.125 255.255.255.255 outside
ssh timeout 15
vpdn group 6 accept dialin pptp
vpdn group 6 ppp authentication pap
vpdn group 6 ppp authentication chap
vpdn group 6 ppp authentication mschap
vpdn group 6 ppp encryption mppe auto
vpdn group 6 client configuration address local mspools
vpdn group 6 pptp echo 60
vpdn group 6 client authentication local
vpdn username xxxx password *********
vpdn username xxx password *********
vpdn username xxx password *********
vpdn username xxx password *********
vpdn username xxxx password *********
vpdn enable outside
username xxx pass xxx
terminal width 80
Cryptochecksum:8f8ceca91c6652e3cc8086edc8ed62fa
: end

Accepted Solution

jasobrown
Level 1

If you don't see decrypts on the Pix side then my thoughts are that ESP (for IPsec) and GRE (for PPTP) are not getting to your Pix (maybe the ISP or another device is blocking).

If you do a packet "capture" on the outside interface, do you see any ESP or GRE traffic? Where is the client? If not dialup, is ESP or GRE permitted?

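The check suggested above is on IP protocols, not TCP/UDP ports: IKE negotiation arrives as UDP/500, but the encrypted tunnel itself is ESP (IP protocol 50), and PPTP's data channel is GRE (IP protocol 47) alongside its TCP/1723 control channel. A dialup provider that passes UDP/500 and TCP/1723 but drops protocols 50 or 47 produces exactly the symptom in this thread: the client authenticates and gets an address, yet the firewall never sees a decrypt. The script below is an added example (not from the original post or from Cisco) that classifies raw IPv4 packets from an outside-interface capture by these four components and reports which ones are missing for a given client. The packets and addresses (198.51.100.7, 203.0.113.10, 192.0.2.44) are constructed sample data, not values from the thread.

```python
"""Classify captured IPv4 packets into the pieces a remote-access VPN needs
and report which pieces never reached the firewall's outside interface."""
import struct
from collections import Counter

# IP protocol numbers and ports relevant to IPsec and PPTP
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50
PORT_IKE, PORT_PPTP = 500, 1723

# Constructed sample addresses (RFC 5737 test ranges), not from the thread
CLIENT, FIREWALL, OTHER = "198.51.100.7", "203.0.113.10", "192.0.2.44"


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_ipv4(src, dst, proto, payload=b""):
    """Minimal IPv4 packet: 20-byte header, no options, checksum left at 0.
    Only used to construct sample input; a real capture supplies the bytes."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def udp_header(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


def tcp_header(sport, dport):
    # 20-byte TCP header: seq/ack 0, data offset 5, SYN set, window 8192
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def classify(packet):
    """Return the VPN component an IPv4 packet belongs to, or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    proto = packet[9]
    payload = packet[(packet[0] & 0x0F) * 4:]
    if proto == PROTO_ESP:
        return "ESP"
    if proto == PROTO_GRE:
        return "GRE"
    if proto in (PROTO_TCP, PROTO_UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if proto == PROTO_UDP and PORT_IKE in (sport, dport):
            return "IKE"
        if proto == PROTO_TCP and PORT_PPTP in (sport, dport):
            return "PPTP-control"
    return "other"


def source_ip(packet):
    return ".".join(str(b) for b in packet[12:16])


def summarize(packets, client_ip):
    """Count VPN-relevant packets whose source is client_ip."""
    counts = Counter()
    for pkt in packets:
        if source_ip(pkt) == client_ip:
            counts[classify(pkt)] += 1
    return counts


def diagnose(counts):
    """Translate the counts into the upstream-filtering conclusions they support."""
    findings = []
    if counts["IKE"] and not counts["ESP"]:
        findings.append("IKE (UDP/500) arrived but no ESP (IP protocol 50): ESP is being dropped upstream")
    if counts["PPTP-control"] and not counts["GRE"]:
        findings.append("PPTP control (TCP/1723) arrived but no GRE (IP protocol 47): GRE is being dropped upstream")
    if not any(counts[k] for k in ("IKE", "ESP", "PPTP-control", "GRE")):
        findings.append("no VPN traffic from this client reached the outside interface at all")
    return findings


# Constructed capture: the client's IKE and PPTP control packets arrive, but
# neither ESP nor GRE does; a different peer's ESP shows the firewall itself is fine.
SAMPLE_CAPTURE = [
    build_ipv4(CLIENT, FIREWALL, PROTO_UDP, udp_header(500, 500)),
    build_ipv4(CLIENT, FIREWALL, PROTO_UDP, udp_header(500, 500)),
    build_ipv4(CLIENT, FIREWALL, PROTO_TCP, tcp_header(40123, 1723)),
    build_ipv4(OTHER, FIREWALL, PROTO_ESP),
    build_ipv4(OTHER, FIREWALL, PROTO_TCP, tcp_header(51000, 25)),
]

if __name__ == "__main__":
    counts = summarize(SAMPLE_CAPTURE, CLIENT)
    print(dict(counts))
    for finding in diagnose(counts):
        print("-", finding)
```

On a real capture you would feed `summarize` the raw IPv4 payloads of each frame and the dialup client's public address; if the report shows IKE without ESP while another peer's ESP is present, the problem is on the client's path, not in the firewall configuration.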

5 Replies

Many thanks for the help -

I have a client dialing up with an ISP - I think that it should be allowing all parts of IPsec through, as I regularly use it to VPN to a Checkpoint etc. with SecureRemote.

However, I ran a capture on the Pix after I had connected the client and could see no traffic from my IP??

I am currently trying to get a port scanner to test the access, but what port do I scan for ESP etc.?

I was thinking that I must have messed up the routing etc. or NAT, but I can't see where.

I have actually pretty much copied the config in use from another Pix that works fine with Cisco clients.

One thing that I am not sure of is that the client states that tunneling is inactive?

As for the PPTP connection, from a Win2K server here it connects and authenticates OK but also cannot ping anything. However, the PPTP from the dial-up client hangs at verifying user/pass.

I simply need to get a few users on in some way as a temp measure - is it worth configuring for any other access, i.e. L2TP?

Jasobrown - You are a star!! I guess it just takes somebody to look with a different perspective...

I have changed dial-up accounts and the Cisco client works fine!! So I guess that they must have put a block on one of the ports.

I still have a problem with PPTP - same issue as before - but at least I have one working.

Again many, many thanks. This is perhaps the same issue as seen in some other posts, as there do seem to be a lot with similar probs. It is confusing as the connection appeared to go through fine.

I owe you a beer ...

Jason

Have you tested this from multiple machines (Cisco Client) or just the dialup with Secure Remote/Client installed?

I have had issues with Secure Remote/Client installed with the Cisco Client and just have to disable the Checkpoint adapter in the Network Interface properties...

I was actually doing the testing on a different machine (no secure Remote) but using the account details from my laptop. I too have found some real problems with having the two running together and eventually gave up - hence the two machines.

But all does seem now to be OK with the Cisco client, I just used a different account and it worked straight away. I guess it's been maybe a couple of weeks since I used the SR, so the ISP may well have changed their allowed ports etc. - this will be the second time I have had to change dial-up for this reason.... I should have known, but I immediately doubted my config!

As for the PPTP - any ideas? I will have another go at this in the next couple of days - I am just going to enjoy the fact that the client works after almost pulling my hair out over this one!!

Many Thanks

Jason
