
Another PIX 515 VPN question?


quell

IS-IT--Management
Nov 8, 2002
I'm still having problems setting up a VPN with the PIX. I am using a PIX 515 Ver 6.1(1). I'm trying to get access to download the GUI from Cisco, thinking that might make things easier, but no luck yet. I think I have all the right settings in the PIX, but when I run the Cisco VPN Client on an XP machine it says "remote host no longer responding". Does that mean it did respond then quit, or what? Is there a special setting or something in XP that I have to make in order to connect to the PIX, or am I missing something altogether? I'm lost. Here is my configuration and network design:
vpn client (XP machine)
|
Internet
|
Cisco 2620 Router
|
Cisco PIX 515
|
Network (LAN)

Here is the PIX config for VPN:
isakmp enable outside
isakmp policy 10 group 2
isakmp policy 10 enc des
isakmp policy 10 life 86400
isakmp policy 10 auth pre-share
isakmp policy 10 hash md5
isakmp identity address

sysopt connection permit-ipsec
crypto ipsec transform-set steve esp-des esp-md5-hmac

crypto dynamic-map dyna-brett 10 set transform-set steve
crypto map larkin 99 ipsec-isakmp dynamic dyna-brett

ip local pool usipool 192.168.0.225-192.168.0.230
(can I change this to 192.168.0.225-any or is this for local ip access or internet access?)
crypto map larkin client config address initiate
crypto map larkin client config address respond

vpngroup usi address-pool usipool
vpngroup usi password -----
vpngroup usi idletimeout 1800

access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat

crypto map larkin interface outside

 
Hi.

> I am useing PIX 515 Ver 6.1(1)
> I'm trying to get access to download the GUI
The PDM for version 6.1 does not have the VPN options, so it won't help you with this issue.

Can the remote client ping the pix outside interface and vice versa?

Is the 2620 doing NAT or any kind of filtering?

What is the Internet connection type at the workstation?
Try with different connections (dial-up, or directly connect the workstation to the pix outside with Ethernet for the test).

Make sure that the XP built-in firewall (ICF) is disabled, and any other software/hardware firewall at the client side.

> ip local pool usipool 192.168.0.225-192.168.0.230
> access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
The pool for VPN clients must NOT overlap with existing internal subnets. So if your internal network is 192.168.0.X also, you must use a different, non-existent subnet for VPN clients. (This is different from MS VPN servers.)

Other than the above comment, the configuration seems fine, but I don't see the whole. Anyway, you can use Pixcript to generate a sample configuration and compare it to yours:

You can also find some VPN related links from here:

Once the VPN is working for you, the next step is to use XAUTH for dual authentication. Using group name and password only is less secure.

Bye
Yizhar Hurwitz
 
Thanks Yizhar for helping, here are your answers.

>Can the remote client ping the pix outside interface and vice versa?
I have it so it denies ICMP traffic.

>Is the 2620 doing NAT or any kind of filterring?
No

>What is the Internet connection type at the workstation?
Cable Modem
The firewall is disabled on the XP machine.

> ip local pool usipool 192.168.0.225-192.168.0.230
> access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
> The pool for VPN clients must NOT overlap with existing internal subnets. So if your internal network is 192.168.0.X also, you must use a different, non-existent subnet for VPN clients. (This is different from MS VPN servers.)
My internal network is 192.168.0.x, so what should I change this to? The IP addresses of the VPN clients are constantly changing. Some will use dial-up, others cable or DSL. I am running a W2K platform. Do I need to do anything to the W2K servers or make any changes on the W2K servers?
 
Hi.

> Cable Modem
So there is NAT at the client side, right?
Can the client ping the perimeter router in front of the pix?
Does the workstation get a registered ip address or private one?
Try to connect the client using dial-up or Ethernet.
First make sure that you can ping, then try to VPN.

> My internal network is 192.168.0.x so what should I change this to?
Keep the internal LAN as is. Change the addresses you give to VPN clients. The pix will know better that way how to route and encrypt the traffic:

ip local pool usipool 192.168.123.1-192.168.123.10
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.123.0 255.255.255.0

Bye
Yizhar Hurwitz
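As an added example (not from the thread), a small Python checker for the two points made in this reply: the VPN client pool must not overlap the inside LAN, and the nonat access-list (with `nat (inside) 0`) must exempt LAN-to-pool traffic from NAT. The two config snippets are constructed from the lines quoted in the thread, before and after the suggested change.

```python
import ipaddress
import re

# Constructed from the thread: the original pool (overlapping the inside LAN)
# and the corrected pool/nonat pair suggested in the reply above.
ORIGINAL_CFG = """
ip address inside 192.168.0.253 255.255.255.0
ip local pool usipool 192.168.0.225-192.168.0.230
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
FIXED_CFG = """
ip address inside 192.168.0.253 255.255.255.0
ip local pool usipool 192.168.123.1-192.168.123.10
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.123.0 255.255.255.0
nat (inside) 0 access-list nonat
"""


def check_vpn_pool(cfg):
    """Return a list of findings; empty means the pool/nonat pair is consistent."""
    findings = []
    inside = re.search(r"^ip address inside (\S+) (\S+)", cfg, re.M)
    pool = re.search(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)
    if not (inside and pool):
        return ["missing 'ip address inside' or 'ip local pool' line"]
    lan = ipaddress.ip_network(f"{inside.group(1)}/{inside.group(2)}", strict=False)
    first = ipaddress.ip_address(pool.group(2))
    last = ipaddress.ip_address(pool.group(3))

    # Point 1: client addresses must come from a subnet that does not exist inside.
    if first in lan or last in lan:
        findings.append(f"pool {pool.group(1)} overlaps inside LAN {lan}")

    # Point 2: LAN -> pool traffic must be exempted from NAT (nat 0 + nonat ACL),
    # and the ACL destination must cover the whole pool.
    if not re.search(r"^nat \(inside\) 0 access-list nonat", cfg, re.M):
        findings.append("missing 'nat (inside) 0 access-list nonat'")
    covered = False
    for src, smask, dst, dmask in re.findall(
            r"^access-list nonat permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        snet = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dnet = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        if lan.subnet_of(snet) and first in dnet and last in dnet:
            covered = True
    if not covered:
        findings.append("no 'access-list nonat' entry covers LAN -> VPN pool")
    return findings
```

Running `check_vpn_pool` on the original snippet reports only the overlap; on the corrected snippet it reports nothing.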
 
>So there is NAT at the client side, right?
Not sure what NAT is for, but the only nat commands I have in my config are these:

access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0

Does this IP need to be changed to 192.168.123.0?

> Can the client ping the perimeter router in front of the pix?
Yes

> Does the workstation get a registered ip address or private one?
Not sure on this; it does change every 3 months or when you ask them to change it. Does the address pool need to reflect that range of IPs? This could be a problem because there will be multiple IP ranges to add here.
However, I did make the changes you recommended.

> ip local pool usipool 192.168.123.1-192.168.123.10
> access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.123.0 255.255.255.0
Tested this over a dial-up and still the same response.

My goals are to:
1: Set up a VPN for remote users to access the network.
2: Set up OWA through the PIX.
3: Set up logging to a computer through the console port. Do I need some sort of TFTP software to do this?
4: Deny telnet, http, every access to the PIX except through the console port. I do not want to be able to change any settings except through the console port.
5: Set up a DMZ to include the web server and e-mail server.

It became my responsibility to set this up. I never set up a VPN before or laid hands on a PIX, so I'm slowly learning how to do this. Just a bunch of reading :( heheh. The last admin left and was half way through this, I guess. So I'm here to pick up the pieces.

Here is my config for the PIX. Let me know what you think:

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname usipix
domain-name usi.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 111 permit tcp any host 65.197.60.246 eq smtp
access-list 111 permit tcp any host 65.197.60.246 eq www
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 65.197.60.243 255.255.255.240
ip address inside 192.168.0.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool usipool 192.168.0.225-192.168.0.230
pdm history enable
arp timeout 14400
global (outside) 1 65.197.60.244 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) 65.197.60.246 192.168.0.6 netmask 255.255.255.255 0 0
access-group 111 in interface outside
route outside 0.0.0.0 0.0.0.0 65.197.60.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set steve esp-des esp-md5-hmac
crypto dynamic-map dyna-brett 10 set transform-set steve
crypto map larkin 99 ipsec-isakmp dynamic dyna-brett
crypto map larkin client configuration address initiate
crypto map larkin client configuration address respond
crypto map larkin interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup usi address-pool usipool
vpngroup usi idle-time 1800
vpngroup usi password
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:
: end
[OK]

Do I need to make any IPsec changes or anything to the W2K servers?

Thanks for your help!!!!
 
OK... getting closer :) I hooked the client up to the Ethernet port (via RJ-45 cable) on the PIX 515 and I was able to connect the client to the PIX. The Cisco Client software made a little lock in the lower right hand corner by the clock. However, I cannot browse the LAN. I have tried changing the settings on the client software and made sure the "Allow Local LAN access" box is checked. I also made sure "Enable transparent tunneling" to allow IPsec over UDP was checked. I have checked and unchecked these boxes and it doesn't make a difference. I connect either way, but still no LAN browsing. I checked the "Enable start before logon" box on. That didn't help. Any ideas?
 
This is what I get when I try and connect via the Internet with a dial-up client using Cisco VPN 3.5.2:

usipix(config)# IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 216.240.88.47


What does this mean?
 
Yizhar,
Just wanted to say thank you for the help. I finally have it going, LAN access and all. Without your help it wouldn't have been possible. I made the changes you recommended and it worked :)
Thank you!!
 
Hi,
To get the 'GUI' to work, why not try the following?

http server enable

Regards
Dan
 