
Client software to PIX 501 VPN. Remote desktop not working


ChrisH2

Programmer
Apr 18, 2002
44
GB
I am trying to set up a PIX at home so I can use Remote Desktop over VPN to access my machine from work.
I am a newbie to the PIX but have managed to get an internet connection working, and the VPN connects.
After the VPN connects I cannot ping the PIX or my XP PC and cannot get Remote Desktop to work. The XP firewall is switched off.
I'm kind of thinking it's something to do with the access-list.
I also would like to be able to access the PIX over the VPN to modify the config; at the moment I can only do one test per day as I have to change the settings at home :(

Do I have to enter the computer name or IP (192.168.8.32) in the XP Remote Desktop connection on the remote PC?

Can any of you gurus have a quick look at my script and point me in the right direction, as I'm lost now.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************ encrypted
passwd *********** encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 102 permit ip 192.168.8.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list 100 permit tcp 10.10.8.0 255.255.255.0 192.168.8.0 255.255.255.0 eq 3389
pager lines 24
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.8.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.10.8.1-10.10.8.2
pdm location 10.10.8.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 192.168.8.0 255.255.255.0 0 0
access-group 100 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set ESP-AES-256-SHA
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup testvpn address-pool vpnpool1
vpngroup testpn default-domain xxxx.com
vpngroup testvpn split-tunnel 102
vpngroup testvpn idle-time 1800
vpngroup testvpn password ********
telnet 192.168.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.8.32-192.168.8.63 inside
dhcpd dns 194.168.x.x 194.168.x.x
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username ******* password ************ encrypted privilege 15
terminal width 80
 
Add NAT traversal support on your home PIX. This feature is not activated by default:

isakmp nat-traversal 20
 
I added the command isakmp nat-traversal 20.
I still cannot do anything once connected.
 
Hi,

I just had exactly the same issue. The only thing I changed was the vpnpool. Like you, I tried to lock it down to 1 or 2 IPs (in your case 10.10.8.1 - 10.10.8.2) but this gave me a subnet mask of 255.255.255.248. I changed the IP pool to 192.168.2.1 - 192.168.2.254 (in my case) with a subnet mask of 255.255.255.0 and now everything works fine. I'm no networking expert and I don't know why this now works (perhaps someone could explain, please?) but it does. I hope this helps.

Regards Colin.
 
Thanks guys, but I still cannot get anything to work over VPN.
I have got SSH access to the PIX now so I can change the script. I have been changing a few things as you recommended. Here's my latest script.
Has anyone else any ideas?

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************** encrypted
passwd *********** encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit tcp 10.10.8.0 255.255.255.0 192.168.8.0 255.255.255.0 eq 3389
access-list acl_out permit ip 192.168.8.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list acl_out2 permit ip 192.168.8.0 255.255.255.0 10.10.8.0 255.255.255.0
pager lines 24
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.8.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool aespool 10.10.8.1-10.10.8.254
pdm location 192.168.8.0 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list acl_out
nat (inside) 1 192.168.8.0 255.255.255.0 0 0
access-group 100 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set ESP-AES-256-SHA
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup testvpn address-pool aespool
vpngroup testvpn default-domain test.com
vpngroup testvpn split-tunnel acl_out2
vpngroup testvpn idle-time 1800
vpngroup testvpn password ********
telnet 192.168.8.0 255.255.255.0 inside
telnet timeout 5
ssh ********* 255.255.255.255 outside
ssh 192.168.8.0 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.8.32-192.168.8.63 inside
dhcpd dns 194.168.8.100 194.168.4.100
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username ******* password ************ encrypted privilege 15
terminal width 80
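The thread's two configs differ only in pool size, ACL names and the nat-traversal line, and the replies check the same handful of relationships by eye: the pool assigned by `vpngroup ... address-pool`, the `nat (inside) 0` exemption ACL, the `vpngroup ... split-tunnel` ACL, and the `isakmp nat-traversal` / `sysopt connection permit-ipsec` switches. The checker below is an added example, not code from the thread or from Cisco; it parses a constructed PIX 6.3-style fragment modelled on the second config and reports which of those relationships are broken, so it can be run on either posted config.

```python
import ipaddress
import re

# Constructed fragment modelled on the thread's second config (not the
# poster's full config): only the lines the checker inspects are kept.
SAMPLE_CONFIG = """\
access-list 100 permit tcp 10.10.8.0 255.255.255.0 192.168.8.0 255.255.255.0 eq 3389
access-list acl_out permit ip 192.168.8.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list acl_out2 permit ip 192.168.8.0 255.255.255.0 10.10.8.0 255.255.255.0
ip address inside 192.168.8.1 255.255.255.0
ip local pool aespool 10.10.8.1-10.10.8.254
nat (inside) 0 access-list acl_out
access-group 100 in interface outside
sysopt connection permit-ipsec
isakmp enable outside
isakmp nat-traversal 20
vpngroup testvpn address-pool aespool
vpngroup testvpn split-tunnel acl_out2
"""

def _net(addr, mask):
    # PIX writes "network mask" pairs; ipaddress wants "network/mask".
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_ra_vpn(config):
    # Returns a list of findings for a PIX 6.3 remote-access (vpngroup) config.
    findings = []
    pools, acls, groups, inside, nat0_acl = {}, {}, {}, None, None
    for line in config.splitlines():
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) permit \S+ (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"ip address inside (\S+) (\S+)", line):
            inside = _net(m[1], m[2])
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            nat0_acl = m[1]
        elif m := re.match(r"vpngroup (\S+) (address-pool|split-tunnel) (\S+)", line):
            groups.setdefault(m[1], {})[m[2]] = m[3]
    if "isakmp nat-traversal" not in config:
        findings.append("isakmp nat-traversal missing: clients behind NAT will fail")
    if "sysopt connection permit-ipsec" not in config:
        findings.append("sysopt connection permit-ipsec missing: decrypted traffic hits the outside ACL")
    for name, g in groups.items():
        lo, hi = pools.get(g.get("address-pool"), (None, None))
        if lo is None:
            findings.append(f"{name}: no usable address-pool"); continue
        if inside and (lo in inside or hi in inside):
            findings.append(f"{name}: pool overlaps inside subnet {inside}")
        # Both the NAT exemption and the split-tunnel ACL must say inside -> pool.
        for label, acl in (("nat 0", nat0_acl), ("split-tunnel", g.get("split-tunnel"))):
            ok = any(inside and src == inside and lo in dst and hi in dst for src, dst in acls.get(acl, []))
            if not ok:
                findings.append(f"{name}: {label} ACL {acl} does not cover inside -> pool")
    return findings
```

Feed it a saved `write terminal` / `show run` with `check_ra_vpn(open(path).read())`; an empty list means the pool, NAT 0 and split-tunnel pieces agree, which is the state both posted configs are in.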
 
You don't need your access-list 100 statement, remove it.

After your VPN connects, what do the client logs tell you? What does the PIX log tell you? The config seems OK except for the ACL 100.

I would recommend that you don't use so many addresses for your vpnpool. It doesn't make any difference if it only contains 10 or 100 IP numbers.
 
I have removed the access-list 100 statement but still no joy. This is the log at the client side if it's any help.

Should I be able to ping the firewall 192.168.8.1 over VPN?


VPN CLIENT - version 4.8.00.0440

Address Information
Client: 10.10.8.1
Server: **********

Crypto
Encryption 256-bit AES
Authentication: HMAC-SHA1

Transport
Transport Tunneling: Active on UDP port 4500
Local LAN: Disabled
Compression: None

Local LAN Routes is blank

Secured Routes
192.168.8.0 255.255.255.0



LOG Window
==========
Cisco Systems VPN Client Version 4.8.00.0440
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

25 16:15:51.546 10/31/06 Sev=Info/4 CM/0x63100002
Begin connection process

26 16:15:51.546 10/31/06 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

27 16:15:51.546 10/31/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "xx.xx.xx.xxx"

28 16:15:52.546 10/31/06 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xx.xx.xx.xxx.

29 16:15:52.546 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xx.xx.xx.xxx

30 16:15:52.546 10/31/06 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

31 16:15:52.546 10/31/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

32 16:15:53.687 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xxx

33 16:15:53.687 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from xx.xx.xx.xxx

34 16:15:53.687 10/31/06 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

35 16:15:53.687 10/31/06 Sev=Info/5 IKE/0x63000001
Peer supports DPD

36 16:15:53.687 10/31/06 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

37 16:15:53.687 10/31/06 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5

38 16:15:53.687 10/31/06 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

39 16:15:53.687 10/31/06 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

40 16:15:53.687 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to xx.xx.xx.xxx

41 16:15:53.687 10/31/06 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

42 16:15:53.687 10/31/06 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194

43 16:15:53.687 10/31/06 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device

44 16:15:53.687 10/31/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

45 16:15:53.687 10/31/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

46 16:15:53.703 10/31/06 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator

47 16:15:53.703 10/31/06 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

48 16:15:53.703 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.xx.xx.xxx

49 16:15:53.750 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xxx

50 16:15:53.750 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from xx.xx.xx.xxx

51 16:15:53.750 10/31/06 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

52 16:15:53.750 10/31/06 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

53 16:15:53.781 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xxx

54 16:15:53.781 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xx.xx.xx.xxx

55 16:15:53.781 10/31/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.10.8.1

56 16:15:53.781 10/31/06 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = ch.com

57 16:15:53.781 10/31/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

58 16:15:53.781 10/31/06 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 192.168.8.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0

59 16:15:53.781 10/31/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

60 16:15:53.781 10/31/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

61 16:15:53.781 10/31/06 Sev=Info/4 CM/0x63100019
Mode Config data received

62 16:15:53.781 10/31/06 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.10.8.1, GW IP = xx.xx.xx.xxx, Remote IP = 0.0.0.0

63 16:15:53.781 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to xx.xx.xx.xxx

64 16:15:53.890 10/31/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

65 16:15:53.953 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xxx

66 16:15:53.953 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from xx.xx.xx.xxx

67 16:15:53.953 10/31/06 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds

68 16:15:53.953 10/31/06 Sev=Info/5 IKE/0x63000046
RESPONDER-LIFETIME notify has value of 4608000 kb

69 16:15:53.953 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to xx.xx.xx.xxx

70 16:15:53.953 10/31/06 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=0D8B5D89 OUTBOUND SPI = 0x79ECF6CE INBOUND SPI = 0xEDCFF8B3)

71 16:15:53.953 10/31/06 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x79ECF6CE

72 16:15:53.968 10/31/06 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0xEDCFF8B3

73 16:15:54.593 10/31/06 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=10.10.8.1/255.0.0.0
DNS=0.0.0.0,0.0.0.0
WINS=0.0.0.0,0.0.0.0
Domain=test.com
Split DNS Names=

74 16:15:54.609 10/31/06 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.

75 16:15:54.609 10/31/06 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter

76 16:15:54.687 10/31/06 Sev=Info/4 CM/0x6310001A
One secure connection established

77 16:15:54.765 10/31/06 Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.42.122. Current hostname: program03, Current address(es): 10.10.8.1, 192.168.42.122.

78 16:15:54.765 10/31/06 Sev=Info/4 CM/0x6310003B
Address watch added for 10.10.8.1. Current hostname: program03, Current address(es): 10.10.8.1, 192.168.42.122.

79 16:15:54.765 10/31/06 Sev=Info/4 IPSEC/0x63700010
Created a new key structure

80 16:15:54.765 10/31/06 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xcef6ec79 into key list

81 16:15:54.765 10/31/06 Sev=Info/4 IPSEC/0x63700010
Created a new key structure

82 16:15:54.765 10/31/06 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xb3f8cfed into key list

83 16:15:54.765 10/31/06 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 10.10.8.1

84 16:16:03.890 10/31/06 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

85 16:16:13.890 10/31/06 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
 
OK, I have noticed that when I connect to the PIX the client software says Local LAN: Disabled,
and there is nothing in the Local LAN Routes.

We have a client that has a Cisco router, and when I connect to that from the same machine using the same software, Local LAN is enabled and Local LAN Routes shows 192.168.42.0 255.255.255.0.

Also, when I connect to the PIX, bytes are being sent but nothing received. I am sure this is the problem.

Does anyone know why the PIX config is causing Local LAN to be disabled?
 
I thought the following lines in my config were all that was needed:

access-list acl_out2 permit ip 192.168.8.0 255.255.255.0 10.10.8.0 255.255.255.0
vpngroup testvpn split-tunnel acl_out2

Is there something else that I need to set?
 
Sorry mate, I missed the above lines when I quickly checked your config.

Can you please enable the logs on the firewall and then monitor those to see what might be the problem?
 
I solved this. Firstly, the client software did not seem to work properly with AES; 3DES was OK.
Secondly, I could not ping the XP machine behind the PIX because it had Cisco client software installed on it. As soon as I removed that, it worked fine.
 