01-14-2004 04:34 AM
It seems that I am having similar problems to a lot of others in connecting remote clients to a PIX 515E.
I currently have tried both the Cisco VPN client 3.6 and 4.03 with no success. The users are authenticated fine and within the client you can see that they have been allocated an address etc but they are unable to access the internal network. The sh crypto ipsec sa shows no encrypted traffic has hit the Pix for that sa...
Within the client status it does show that packets are being encrypted, so I am at a bit of a loss.
I also have a problem with PPTP connections - this seems to differ between OSes on the client, but Win2K machines can connect and get verified etc. but again cannot connect to the inside networks. Could these be related?
My current config is: (addresses etc changed)
sh run
: Saved
:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password xxxx
passwd xxxx
hostname fw
domain-name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol skinny 2000
no fixup protocol sip 5060
names
name 10.0.0.0 Inside_All
name 10.30.1.0 Ireland1_LAN
name 159.135.101.34 Ireland1_VPN
name 213.95.227.137 IrelandSt1_VPN
name 10.30.2.0 Cardiff_LAN
name 82.69.56.30 Cardiff_VPN
access-list 101 permit ip Inside_All 255.0.0.0 10.1.1.88 255.255.255.248
access-list 101 permit ip Inside_All 255.0.0.0 Ireland1_LAN 255.255.255.0
access-list 101 permit ip Inside_All 255.0.0.0 Cardiff_LAN 255.255.255.0
access-list 101 permit ip Inside_All 255.0.0.0 10.30.3.0 255.255.255.0
access-list 101 permit ip Inside_All 255.0.0.0 192.168.253.0 255.255.255.0
access-list outside_interface permit icmp any any echo
access-list outside_interface permit icmp any any echo-reply
access-list outside_interface permit icmp any any traceroute
access-list outside_interface permit tcp any host 212.36.237.99 eq smtp
access-list outside_interface permit ip any host 212.36.237.100
access-list outside_interface permit tcp host 212.241.168.236 host 212.36.237.101 eq telnet
access-list outside_interface permit tcp 192.188.69.0 255.255.255.0 host 212.36.237.101 eq telnet
access-list outside_interface permit tcp any any eq telnet
access-list outside_interface permit ip host 82.69.108.125 any
access-list 102 permit ip 10.1.1.0 255.255.255.0 Ireland1_LAN 255.255.255.0
access-list 103 permit ip 10.1.1.0 255.255.255.0 Cardiff_LAN 255.255.255.0
access-list 104 permit ip 10.1.1.0 255.255.255.0 10.30.3.0 255.255.255.0
pager lines 24
logging on
logging console debugging
logging monitor debugging
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 212.36.237.98 255.255.255.240
ip address inside 10.1.1.250 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.1.88-10.1.1.95
ip local pool mspool 10.7.1.1-10.7.1.50
ip local pool mspools 192.168.253.1-192.168.253.50
pdm location Inside_All 255.255.255.0 inside
pdm location 82.69.108.125 255.255.255.255 outside
pdm location 10.55.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 212.36.237.100 10.1.1.50 netmask 255.255.255.255 0 0
static (inside,outside) 212.36.237.101 10.1.1.254 netmask 255.255.255.255 0 0
static (inside,outside) 212.36.237.99 10.1.1.208 netmask 255.255.255.255 0 0
access-group outside_interface in interface outside
route outside 0.0.0.0 0.0.0.0 212.36.237.97 1
route inside Inside_All 255.255.255.0 10.1.1.254 1
route inside 10.2.1.0 255.255.255.0 10.1.1.254 1
route inside 10.3.1.0 255.255.255.0 10.1.1.254 1
route inside 10.4.1.0 255.255.255.0 10.1.1.254 1
route inside 10.5.1.0 255.255.255.0 10.1.1.254 1
route inside 10.6.1.0 255.255.255.0 10.1.1.254 1
route inside 10.7.1.0 255.255.255.0 10.1.1.254 1
route inside 10.8.1.0 255.255.255.0 10.1.1.254 1
route inside 10.9.1.0 255.255.255.0 10.1.1.254 1
route inside 10.10.1.0 255.255.255.0 10.1.1.254 1
route inside 10.11.1.0 255.255.255.0 10.1.1.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute uauth 0:30:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInOut protocol tacacs+
aaa-server AuthInOut (inside) host 10.1.1.203 Kinder timeout 10
aaa authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
aaa authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
aaa accounting include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
aaa accounting include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
http server enable
http 82.69.108.125 255.255.255.255 outside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community xxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt route dnat
crypto ipsec transform-set VPNAccess esp-des esp-md5-hmac
crypto ipsec transform-set VPNAccess2 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set VPNAccess2
crypto map home 9 ipsec-isakmp dynamic dynmap
crypto map home 10 ipsec-isakmp
crypto map home 10 match address 102
crypto map home 10 set peer IrelandSt1_VPN
crypto map home 10 set transform-set VPNAccess
crypto map home 15 ipsec-isakmp
crypto map home 15 match address 103
crypto map home 15 set peer Cardiff_VPN
crypto map home 15 set transform-set VPNAccess
crypto map home 30 ipsec-isakmp
crypto map home 30 match address 104
crypto map home 30 set peer 212.242.143.147
crypto map home 30 set transform-set VPNAccess
crypto map home interface outside
isakmp enable outside
isakmp key ******** address IrelandSt1_VPN netmask 255.255.255.255
isakmp key ******** address Cardiff_VPN netmask 255.255.255.255
isakmp key ******** address 212.242.143.147 netmask 255.255.255.255
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash sha
isakmp policy 7 group 2
isakmp policy 7 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 85000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 85000
vpngroup client address-pool mspools
vpngroup client dns-server 194.153.0.18
vpngroup client wins-server 10.155.1.16
vpngroup client idle-time 1800
vpngroup client password ********
telnet 82.69.108.125 255.255.255.255 outside
telnet 10.55.1.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 15
ssh 82.69.108.125 255.255.255.255 outside
ssh timeout 15
vpdn group 6 accept dialin pptp
vpdn group 6 ppp authentication pap
vpdn group 6 ppp authentication chap
vpdn group 6 ppp authentication mschap
vpdn group 6 ppp encryption mppe auto
vpdn group 6 client configuration address local mspools
vpdn group 6 pptp echo 60
vpdn group 6 client authentication local
vpdn username xxxx password *********
vpdn username xxx password *********
vpdn username xxx password *********
vpdn username xxx password *********
vpdn username xxxx password *********
vpdn enable outside
username xxx pass xxx
terminal width 80
Cryptochecksum:8f8ceca91c6652e3cc8086edc8ed62fa
: end
01-14-2004 07:21 AM
If you don't see decrypts on the Pix side then my thoughts are ESP (for IPsec) and GRE (for PPTP) are not getting to your Pix (maybe the ISP or another device is blocking).
If you do a packet "capture" on the outside interface, do you see any ESP or GRE traffic? Where is the client? If not dialup, is ESP or GRE permitted?
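The reply's diagnosis turns on two facts: the PIX decap counter for the client's SA stays at zero even though the client claims it is encrypting, and ESP/GRE are IP protocols rather than ports, so a port scan cannot tell you whether a dial-up ISP passes them. As an added example that is not from this thread or from Cisco, the following script parses a constructed approximation of PIX 6.x `show crypto ipsec sa` output, applies that zero-decaps logic per peer, and lists which transport an outside-interface capture would need to show for IPsec or PPTP to work (the sample text, the `203.0.113.77` client address and the assumption of no NAT-T are mine):

```python
import re

# Transport that must reach the PIX outside interface per VPN type.
# ESP and GRE are IP protocol numbers, not TCP/UDP ports, so a port
# scan cannot prove an ISP passes them (assumed: no NAT-T/UDP 4500).
REQUIRED = {
    "ipsec": [("udp", 500), ("ip", 50)],   # IKE, then ESP
    "pptp": [("tcp", 1723), ("ip", 47)],   # PPTP control, then GRE
}

# One SA block of 'show crypto ipsec sa': peer, then the counters.
SA_RE = re.compile(
    r"current_peer:\s*(?P<peer>[\d.]+).*?"
    r"#pkts encaps:\s*(?P<encaps>\d+).*?"
    r"#pkts decaps:\s*(?P<decaps>\d+)", re.S)

def parse_ipsec_sa(text):
    """Return {peer_ip: (encaps, decaps)} from the PIX output."""
    return {m["peer"]: (int(m["encaps"]), int(m["decaps"]))
            for m in SA_RE.finditer(text)}

def diagnose(sa_counts, client_encrypting=True):
    """Apply the thread's logic: the client says it encrypts, so
    zero decaps on the PIX means ESP never reached the outside if."""
    verdicts = {}
    for peer, (encaps, decaps) in sa_counts.items():
        if decaps == 0 and client_encrypting:
            verdicts[peer] = "no ESP reaching PIX: check IP proto 50 path"
        elif encaps == 0:
            verdicts[peer] = "ESP arrives, nothing returns: check route/nat 0"
        else:
            verdicts[peer] = "tunnel passing traffic both ways"
    return verdicts

def missing_transport(vpn_type, seen):
    """(proto, port) pairs the VPN type needs that a capture did not show."""
    return [t for t in REQUIRED[vpn_type] if t not in set(seen)]

# Constructed sample, approximating PIX 6.x 'show crypto ipsec sa';
# 203.0.113.77 is a made-up remote-access client address.
SAMPLE_SA = """\
interface: outside
    Crypto map tag: home, local addr. 212.36.237.98
   current_peer: 82.69.56.30:500
    #pkts encaps: 1204, #pkts encrypt: 1204, #pkts digest 1204
    #pkts decaps: 1190, #pkts decrypt: 1190, #pkts verify 1190
   current_peer: 203.0.113.77:500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""
```

Running `diagnose(parse_ipsec_sa(SAMPLE_SA))` flags only the client peer, and `missing_transport("ipsec", [("udp", 500)])` shows the case from the thread where IKE on UDP 500 gets through (so authentication succeeds) while ESP does not.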
01-14-2004 08:57 AM
Many thanks for the help -
I have a client dialing up with an ISP - I think that it should be allowing all parts of IPsec through, as I regularly use it to VPN to a Checkpoint etc. with SecureRemote.
However, I ran a capture on the Pix after I had connected the client and could see no traffic from my IP??
I am currently trying to get a port scanner to test the access, but what port do I scan for ESP etc.?
I was thinking that I must have messed up the routing etc. or NAT, but I can't see where.
I have actually pretty much copied the config in use from another Pix that works fine with Cisco clients.
One thing that I am not sure of is that the client states that tunneling is inactive?
As for the PPTP connection, from a Win2K server here it connects and authenticates OK but can also not ping anything. However, the PPTP from the dial-up client hangs at verifying user/pass.
I simply need to get a few users on in some way as a temp measure - is it worth configuring for any other access ie l2tp ?
01-14-2004 11:39 AM
Jasobrown - You are a star !! I guess it just takes somebody to look with a different perspective...
I have changed dial up accounts and the cisco client works fine !! So I guess that they must have put a block on one of the ports.
I still have a problem with PPTP - same issue as before - but at least I have one working.
Again many many thanks. This is perhaps the same issue as seen in some other posts, as there do seem to be a lot with similar probs. It is confusing as the connection appeared to go through fine.
I owe you a beer ...
Jason
01-14-2004 12:14 PM
Have you tested this from multiple machines (Cisco Client) or just the dialup with Secure Remote/Client installed?
I have had issues with Secure Remote/Client installed with the Cisco Client and just have to disable the Checkpoint adapter in the Network Interface properties...
01-14-2004 01:43 PM
I was actually doing the testing on a different machine (no secure Remote) but using the account details from my laptop. I too have found some real problems with having the two running together and eventually gave up - hence the two machines.
But all does seem now to be OK with the Cisco client, I just used a different account and it worked straight away. I guess it's been maybe a couple of weeks since I used the SR, so the ISP may well have changed their allowed ports etc. - this will be the second time I have had to change dial-up for this reason.... I should have known, but I immediately doubted my config!
As for the PPTP - any ideas ? I will have another go at this in the next couple of days - I am just going to enjoy the fact that the client works after almost pulling my hair out over this one !!
Many Thanks
Jason