Cannot Establish VPN Connection

[RMurr34]

Good morning,

I've run through the Cisco remote VPN setup guide I have but I'm still unable to establish a VPN session.

I have a PIX 515E with ver 6.2(2)

Here is my config:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname PIX-515E
domain-name MYDOMAIN.COM
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 192.168.45.0 255.255.255.0 10.100.10.0 255.255.255.0
access-list 102 permit tcp any host 209.xxx.xxx.xxx eq 3389
access-list 102 permit tcp any any eq https
access-list 102 permit ip 192.168.45.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap errors
logging host inside 192.168.45.3
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 209.xxx.xxx.xxx 255.255.255.240
ip address inside 192.168.45.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool myvpnpool 10.100.10.1-10.100.10.100
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm location 192.168.45.3 255.255.255.255 inside
pdm location 192.168.45.7 255.255.255.255 inside
pdm location 192.168.45.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.xxx.xxx.xxx 192.168.45.3 netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.45.2 xxxxxxxxx timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.45.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community goaway
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup 1 idle-time 1800
vpngroup myvpnall address-pool myvpnpool
vpngroup myvpnall dns-server 192.168.45.2
vpngroup myvpnall wins-server 192.168.45.2
vpngroup myvpnall default-domain mydomain.com
vpngroup myvpnall idle-time 1800
vpngroup myvpnall password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.45.0 255.255.255.0 inside
ssh timeout 45
username myvpn password xxxxxxxxxxxxxxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:4141b566c2332533244b8d6fd2ec51d2

Here is the error from my version 5 Cisco VPN client log:


Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6001 Service Pack 1
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1 11:23:30.922 08/27/09 Sev=Info/4 CM/0x63100002
Begin connection process

2 11:23:30.929 08/27/09 Sev=Info/4 CM/0x63100004
Establish secure connection

3 11:23:30.929 08/27/09 Sev=Info/4 CM/0x63100024
Attempt connection with server "209.xxx.xxx.xxx"

4 11:23:31.057 08/27/09 Sev=Info/6 CM/0x6310002F
Allocated local TCP port 60074 for TCP connection.

5 11:23:31.345 08/27/09 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

6 11:23:31.345 08/27/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

7 11:23:31.345 08/27/09 Sev=Info/6 IPSEC/0x63700020
TCP SYN sent to 209.xxx.xxx.xxx, src port 60074, dst port 10000

8 11:23:36.416 08/27/09 Sev=Info/6 IPSEC/0x63700020
TCP SYN sent to 209.xxx.xxx.xxx, src port 60074, dst port 10000

9 11:23:41.486 08/27/09 Sev=Info/6 IPSEC/0x63700020
TCP SYN sent to 209.xxx.xxx.xxx, src port 60074, dst port 10000

10 11:23:47.071 08/27/09 Sev=Info/6 IPSEC/0x63700020
TCP SYN sent to 209.xxx.xxx.xxx, src port 60074, dst port 10000

11 11:23:51.627 08/27/09 Sev=Info/4 CM/0x6310002A
Unable to establish TCP connection on port 10000 with server "209.xxx.xxx.xxx"

12 11:23:51.627 08/27/09 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

13 11:23:51.631 08/27/09 Sev=Info/4 CM/0x6310002D
Resetting TCP connection on port 10000

14 11:23:51.631 08/27/09 Sev=Info/6 CM/0x63100030
Removed local TCP port 60074 for TCP connection.

15 11:23:51.642 08/27/09 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.

16 11:23:51.704 08/27/09 Sev=Info/6 IPSEC/0x63700023
TCP RST sent to 209.xxx.xxx.xxx, src port 60074, dst port 10000

17 11:23:51.704 08/27/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

18 11:23:51.704 08/27/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

19 11:23:51.704 08/27/09 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

Any help would be greatly appreciated! Thanks!

 

[North323]

your access list does not permit tcp 10000

 

[RMurr34]

Thanks for the reply North323. I have several other PIXs that work and none of them have an acl for allowing tcp 10000.

So should I add:

access-list 102 permit tcp any host 209.xxx.xxx.xxx eq 10000

 

[RMurr34]

I also added...

access-list 101 permit tcp any 10.100.10.0 255.255.255.0

...and I'm getting the same error

 

[North323]

so this is a vpn client not a peer? and you have other clients able to connect to this vpn? where is this machine you are trying to connect. in the logs i dont see a return route for this traffic...you see the syn syn syn syn:
TCP SYN sent to 209.xxx.xxx.xxx, src port 60074, dst port 10000

8 11:23:36.416 08/27/09 Sev=Info/6 IPSEC/0x63700020
TCP SYN sent to 209.xxx.xxx.xxx, src port 60074, dst port 10000

9 11:23:41.486 08/27/09 Sev=Info/6 IPSEC/0x63700020
TCP SYN sent to 209.xxx.xxx.xxx, src port 60074, dst port 10000

10 11:23:47.071 08/27/09 Sev=Info/6 IPSEC/0x63700020
TCP SYN sent to 209.xxx.xxx.xxx, src port 60074, dst port 10000

you should see a syn/ack make sure that type of traffic is allowed in/out from this source pc as well.

 

[RMurr34]

Sorry, I have several other PIXs that have VPN working that do not have an acl allowing 10000. I was using them as an example.

I'm trying to connect to this PIX using a Cisco VPN Client (version 5).

 

[Supergrrover]

is there a natting in the middle somewhere?

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[unclerico]

SuperG, are you thinking NAT-Traversal??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[Supergrrover]

port 1000 is not nat friendly.

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[burtsbees]

You're missing "crypto map xxxxx isakmp author list LOCAL" and "crypto map xxxx authentication list LOCAL", or something like that.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!