Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cisco 501 config for small office (What am I missing)

Status
Not open for further replies.
Rookcr

Rookcr

MIS
Aug 12, 2002
325
US
Good morning,

I am ready to pull out hair. I am trying to help a friend at a small office with a Pix 501. There are 3 users and a Small Business Server hosting web,ftp,e-mail. They have a single static IP address 216.51.xxx.xx3 and the route the current firewall is on is set to 216.51.xxx.xx4. They want to use IPSEC and the Cisco VPN client to VPN back into the business.

I am unable to get the VPN client to connect, it gives a remote peer no longer responding error and I am unable to get to the web from inside the network. I will say the acls to permit traffic in work as the FTP and website are accesible. What step am I missing? Thank you in advance.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2qb3w7Qquh3X.N20 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname CSDPix
domain-name comsoftdev.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.1.0 vpnclient
name 192.168.168.0 someone.com
fixup protocol pptp 1723
access-list acl_in permit tcp any host 216.51.xxx.xx3 eq pop3
access-list acl_in permit tcp any host 216.51.xxx.xx3 eq smtp
access-list acl_in permit tcp any host 216.51.xxx.xx3 eq ftp
access-list acl_in permit tcp any host 216.51.xxx.xx3 eq pptp
access-list acl_in permit tcp any host 216.51.xxx.xx3 eq 1604
access-list acl_in permit tcp any host 216.51.xxx.xx3 eq www
access-list inside_nat0_outbound remark VPN Client
access-list outside_cryptomap_dyn_10 remark VPN Client
access-list outside_cryptomap_dyn_10 permit ip someone.com
access-list is_splitTunnelAcl permit ip someone.com 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 216.51.xxx.xx3 255.255.255.192
ip address inside 192.168.168.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.168.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 216.51.xxx.xx3 192.168.168.xxx netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 216.51.xxx.xx4 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.168.xx4 xxx timeout 5
aaa-server partnerauth (inside) host 192.168.168.xx3 xxx timeout 5
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.168.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1100
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 10 4
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.168.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username username password xxxxxxxxxxxxxxxx encrypted privilege 15
terminal width 80


 
Sort by date Sort by votes
I dont believe you can VPN into a 501 series PIX. I think you must have a 515 or higher with a VPN card in it.
 
Upvote 0 Downvote
With the 3DES licensce it will act as an endpoint but I can not get it to work.
 
Upvote 0 Downvote
Try adding these

ip local pool <pool Name> 192.168.17.1-192.168.17.100
vpngroup vpnclient address-pool <pool Name>
vpngroup vpnclient dns-server 172.16.xxx.xxx 172.16.xxx.xxx
vpngroup vpnclient wins-server 172.16.xxx.xxx 172.16.xxx.xxx
vpngroup vpnclient default-domain your.com
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********
 
Upvote 0 Downvote
Anything that is behind a ' is a comment.

1)
access-list outside_cryptomap_dyn_10 remark VPN Client
'an access-list with only a remark in it doesn't do anything.


2)
access-list outside_cryptomap_dyn_10 permit ip someone.com
access-list is_splitTunnelAcl permit ip someone.com 255.255.255.0 any
'what are you trying to do with these acls?



3)
access-list inside_nat0_outbound remark VPN Client
nat (inside) 0 access-list inside_nat0_outbound
'This NAT calls an acl with no infomation in it,
'only a remark, so you are not actually nat 0ing any traffic.

'try using this format:

access-list inside_nat0_outbound permit ip yyy.yyy.yyy.yyy 255.255.255.0 xxx.xxx.xxx.0 255.255.255.0
access-list inside_nat0_outbound remark VPN Client
'where yyy.yyy.yyy.yyy is the internal network you want to access
'and xxx.xxx.xxx.0 is the network of the IP addresses you are handing out
'with the "ip local pool" command and where the subnet masks match your network.



4)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
'These will work, but I'd rename them to something that doesn't
'look like you are trying to call 3 sets in the same transform.
'Perhaps:
crypto ipsec transform-set SHA_Set esp-3des esp-sha-hmac
crypto ipsec transform-set MD5_Set esp-3des esp-md5-hmac



5)
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
'a change above would require you to change this to:
crypto dynamic-map outside_dyn_map 10 set transform-set MD5_Set




6)
crypto map outside_map client configuration address initiate
'change this to
crypto map outside_map client configuration address respond




7)
'These are missing entirely from your config and need to be added.

ip local pool xxxpool xxx.xxx.xxx.1-xxx.xxx.xxx.5
'this will hand out up to 5 IP addresses to vpn clients when they connect
'you must do this unless you are using a site to site vpn and they can't
'be on the same subnet as the internal network.



vpngroup xxxvpn address-pool xxxpool
'This calls xxxpool as the IP pool for this vpngroup
vpngroup xxxVPN dns-server yyy.yyy.yyy.yyy
'this is your internal DNS server IP
vpngroup xxxvpn default-domain whatever.your.domain
'Tells the vpnpool what domain to use
vpngroup xxxvpn split-tunnel inside_nat0_outbound
'to split tunnel traffic matching ACL inside_nat0_outbound
vpngroup xxxvpn idle-time 10800
'how long can it remain idle before disconnecting--in seconds
vpngroup xxxvpn max-time 10800
'maximum allowed time for the tunnel to be open--in seconds
vpngroup xxxvpn password ********
'this is the password for the vpn connection




8)
isakmp keepalive 10 4
isakmp nat-traversal 10
'I've never used these commands, so I can't comment on them
'but they may not be necessary.


9)
'When you configure the client, you use the vpngroup name "xxxvpn" and the password.
'It is my understanding that you can use the vpngroup password along with AAA.




1) A robot may not injure a human being or, through inaction, allow a human being to come to harm.

2) A robot must obey orders given it by human beings except where such orders would conflict with the First Law.

3) A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
 
Upvote 0 Downvote
Thank you craig and Ixlepix, I will try these out but I am unable to test truley until next Tuesday. Will keep you posted. Again the help is appreciated!!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
307
Johnkite
Johnkite
Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
292
Sameer258
Sameer258
XLNTech1
  • Locked
  • Question
iptables port forwarding
Replies
0
Views
258
XLNTech1
XLNTech1
MottoK
  • Locked
  • Question
Cisco ISE blank GUI
Replies
0
Views
251
MottoK
MottoK
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
89
WhosYourDiffie
WhosYourDiffie

Part and Inventory Search

Sponsor

Back
Top