
crypto map mymap interface outside


cpeloso

IS-IT--Management
Nov 29, 2002
25
IT
I'm trying to put a VPN config on my PIX 515 to connect a VPN client, but when I apply the crypto map with "crypto map mymap interface outside", all "normal" incoming traffic is blocked with "%PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= xxx.xxx.xxx.xxx, src_addr= yyy.yyy.yyy.yyy, prot= tcp".

WHY?

thanks a lot
Chris
 
sounds like you need a

"sysopt connection permit-pptp"

do you have that one?

and please post your full config, unless you truly mean that you 100% copied the configuration in the example.
 
Sounds like an ACL problem to me too.

Question, why would you want clear text traffic from the outside going through your pix anyways? Is it for a mapped server (mail?, web?) If so, check your inbound access lists and remember that they go in order.
 
HI.

> I've only copied the example (
Why should you?
It's better to configure only 1 type of VPN that you're going to use.

Here are more samples:
And you can also use GUI tools like PDM or PIXCRIPT to help you with the basic configuration.

> Sounds like an ACL problem to me too.
I agree.
The ACL bound to the crypto map should be specific only to VPN traffic. If that ACL is missing (not configured at all) then you can also experience such problems.



Yizhar Hurwitz
 
I've put in the suggested ACL...
access-list 101 permit ip 10.99.99.0 255.255.255.0
nat (inside) 0 access-list 101

Could anyone help me with PDM?

 
Hi everyone,
I've tried to make a VPN using PDM, but the Cisco denies access to the IP of the Windows VPN client PC.
I post the config (with unnecessary parts removed) so maybe someone could help me..
thank you

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names

access-list 101 permit ip 192.168.3.0 255.255.255.0 10.99.99.0 255.255.255.0
access-list 101 permit ip any host 192.168.3.200
access-list outside_cryptomap_dyn_20 permit ip any host 192.168.3.200
pager lines 24
logging on
logging buffered informational
logging trap warnings
logging host inside 192.168.3.10 17/1025
no logging message 106014
mtu outside 1500
mtu inside 1500
mtu intf2 1500

ip address inside 192.168.3.254 255.255.255.0
ip address intf2 192.168.4.254 255.255.255.0
ip verify reverse-path interface outside
ip audit name provaids attack action alarm
ip audit name provaids2 info action alarm
ip audit interface outside provaids2
ip audit interface outside provaids
ip audit info action alarm
ip audit attack action alarm
ip local pool pool 192.168.3.200-192.168.3.210

arp timeout 14400
global (outside) 1 interface

nat (inside) 0 access-list 101
nat (inside) 1 192.168.3.0 255.255.255.0 0 0

route outside 0.0.0.0 0.0.0.0 80.206.187.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.10 255.255.255.255 inside

sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map_1 20 set transform-set TRANS_ESP_DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map_1 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map_1 interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400


vpdn group L2TP-VPDN-GROUP accept dialin l2tp
vpdn group L2TP-VPDN-GROUP ppp authentication mschap
vpdn group L2TP-VPDN-GROUP client configuration address local pool
vpdn group L2TP-VPDN-GROUP client authentication local
vpdn group L2TP-VPDN-GROUP l2tp tunnel hello 60

vpdn username xxxxxxx password *********
vpdn enable outside

[OK]
 
HI.

> but the cisco denies access to the ip of the windows vpn client pc
Next time please provide the exact syslog error message you get.

> ip address inside 192.168.3.254 255.255.255.0
> ip local pool pool 192.168.3.200-192.168.3.210
Use different addresses for VPN client, for example:
ip local pool pool 192.168.77.200-192.168.77.210
Reconfigure access-lists and other statements as needed, then try again.

Bye


Yizhar Hurwitz
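As an added example (not from the thread and not Cisco's own tooling), here is a small Python checker that applies the two rules given in this thread to a PIX 6.3 configuration: the client pool must not be carved out of a directly connected subnet, and the ACL behind the crypto map that is actually applied to an interface must exist and be specific to VPN traffic. The sample configuration embedded in it is an abridged copy of the one posted above; the parser only understands the handful of statement forms used there, and the "any"-on-either-side heuristic is an assumption about what "specific to VPN traffic" means in practice.

```python
import ipaddress
import re

# Constructed sample: an abridged copy of the PIX 6.3 configuration posted in this
# thread, keeping only the lines the checks below look at.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit ip 192.168.3.0 255.255.255.0 10.99.99.0 255.255.255.0
access-list 101 permit ip any host 192.168.3.200
access-list outside_cryptomap_dyn_20 permit ip any host 192.168.3.200
ip address inside 192.168.3.254 255.255.255.0
ip address intf2 192.168.4.254 255.255.255.0
ip local pool pool 192.168.3.200-192.168.3.210
nat (inside) 0 access-list 101
crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20
crypto map outside_map_1 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map_1 interface outside
"""

ACE_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")
IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
DYN_MATCH_RE = re.compile(r"^crypto dynamic-map (\S+) \d+ match address (\S+)$")
MAP_DYN_RE = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$")
MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def parse_endpoint(tokens):
    """Consume one ACE endpoint ('any', 'host A.B.C.D' or 'A.B.C.D MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Pull ACLs, interface subnets, address pools and crypto-map bindings out of a PIX config."""
    cfg = {"acls": {}, "ifaces": {}, "pools": {}, "dynmaps": {}, "cryptomaps": {}, "applied": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            src, rest = parse_endpoint(m.group(2).split())
            dst, _ = parse_endpoint(rest)
            cfg["acls"].setdefault(m.group(1), []).append((src, dst))
        elif m := IFACE_RE.match(line):
            try:  # skip forms such as "ip address outside dhcp setroute"
                cfg["ifaces"][m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            except ValueError:
                pass
        elif m := POOL_RE.match(line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := DYN_MATCH_RE.match(line):
            cfg["dynmaps"][m.group(1)] = m.group(2)
        elif m := MAP_DYN_RE.match(line):
            cfg["cryptomaps"].setdefault(m.group(1), []).append(m.group(2))
        elif m := MAP_IF_RE.match(line):
            cfg["applied"][m.group(1)] = m.group(2)
    return cfg


def lint(cfg):
    """Return the configuration problems raised in this thread as human-readable findings."""
    findings = []
    # 1. A client pool carved out of a directly connected subnet (the posted pool sat inside the inside LAN).
    for pname, (lo, hi) in cfg["pools"].items():
        for ifname, net in cfg["ifaces"].items():
            if lo in net or hi in net:
                findings.append(f"pool {pname} ({lo}-{hi}) overlaps the {ifname} subnet {net}; use a separate range")
    # 2. Crypto ACLs behind the crypto map that is actually applied to an interface.
    for cmap, ifname in cfg["applied"].items():
        for dyn in cfg["cryptomaps"].get(cmap, []):
            acl = cfg["dynmaps"].get(dyn)
            if acl is None:
                continue  # dynamic map without "match address": nothing to check here
            aces = cfg["acls"].get(acl)
            if not aces:
                findings.append(f"crypto map {cmap} on {ifname}: dynamic map {dyn} references ACL {acl}, which is not configured")
                continue
            for src, dst in aces:
                # Cleartext packets arriving on the crypto-mapped interface that match this ACE are dropped
                # with %PIX-4-402106, so an ACE with "any" on either side also catches ordinary traffic
                # (heuristic assumed here for "specific to VPN traffic").
                if src.prefixlen == 0 or dst.prefixlen == 0:
                    findings.append(f"crypto ACL {acl} on {ifname}: ACE {src} -> {dst} is not specific to VPN traffic")
    return findings


def lint_text(text):
    return lint(parse_config(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONFIG):
        print(finding)
```

Run against the posted configuration it reports the pool overlapping the inside subnet and the `permit ip any host 192.168.3.200` crypto ACE; once the pool is moved to a separate range such as the 192.168.77.x one suggested above, only the crypto ACL finding remains until that ACE is narrowed.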
 
hi Yizhar,
I've tried your changes but....
this is the log:

2003-05-14 09.34.42 Local4.Warning 192.168.3.254 %PIX-4-106023: Deny tcp src outside:xxx.xxx.xxx.xxx/3016 dst intf2:yyy.yyy.yyy.yyy/1723 by access-group "1"

I've also tried to change the "cryptomap" access-list with the
public address of the vpn client (..I don't know what's wrong) and this is the error log

2003-05-14 09.43.18 Local4.Warning 192.168.3.254 %PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= yyy.yyy.yyy.yyy, src_addr= xxx.xxx.xxx.xxx, prot= tcp


 
HI.

> dst intf2:yyy.yyy.yyy.yyy/1723 by access-group "1"
The VPN client should connect to the pix outside interface.
The above message tells us that you are trying to connect to a different address which is mapped (STATIC) to a host in "intf2".
This is wrong - configuration error.
Or is yyy.yyy.yyy.yyy the actual pix interface and I got something wrong here?

> access-group "1"
You did not post the actual current config you have...

> I've also tried to change the "cryptomap" access-list ...
What VPN solution are you going to use?
MS-PPTP?
MS-L2TP?
CISCO-IPSEC?

I suggest that you do not try to establish a complex solution, before you can establish a simple one.

Bye


Yizhar Hurwitz
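The two syslog lines posted above can be read mechanically. This added Python example (not from the thread) parses %PIX-4-106023 and %PIX-4-402106 into fields and attaches the interpretation given in this thread: the first message shows which ACL and which interface dropped the connection, and its destination port tells you which VPN protocol the Windows client actually attempted (tcp/1723 is the PPTP control channel, not L2TP); the second shows a cleartext packet being dropped because it matched the crypto ACL on the crypto-mapped interface. The log lines are constructed copies of the posted ones with documentation-range addresses in place of the poster's xxx/yyy placeholders.

```python
import re

# Constructed sample lines in the format posted in this thread (a syslog receiver
# prefix followed by the PIX message). 203.0.113.5 and 198.51.100.7 are documentation-range
# placeholders standing in for the poster's xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy.
SAMPLE_LOG = [
    '2003-05-14 09.34.42 Local4.Warning 192.168.3.254 %PIX-4-106023: Deny tcp src outside:203.0.113.5/3016 '
    'dst intf2:198.51.100.7/1723 by access-group "1"',
    "2003-05-14 09.43.18 Local4.Warning 192.168.3.254 %PIX-4-402106: Rec'd packet not an IPSEC packet. "
    "(ip) dest_addr= 198.51.100.7, src_addr= 203.0.113.5, prot= tcp",
]

DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
NOT_IPSEC_RE = re.compile(
    r"%PIX-4-402106: Rec'd packet not an IPSEC packet\. \(ip\) "
    r"dest_addr= (?P<dst>[\d.]+), src_addr= (?P<src>[\d.]+), prot= (?P<proto>\w+)"
)

# Well-known VPN control ports, used only to label what a denied client was attempting.
VPN_PORTS = {1723: "PPTP control channel", 1701: "L2TP", 500: "ISAKMP", 4500: "IPsec NAT-T"}


def parse_pix_event(line):
    """Return a dict of fields for the two message IDs discussed here, or None for anything else."""
    if m := DENY_RE.search(line):
        ev = {"id": "106023", **m.groupdict()}
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        return ev
    if m := NOT_IPSEC_RE.search(line):
        return {"id": "402106", **m.groupdict()}
    return None


def explain(ev):
    """Turn a parsed event into the reading given in this thread."""
    if ev["id"] == "106023":
        svc = VPN_PORTS.get(ev["dport"])
        hint = f" ({svc})" if svc else ""
        return (f"ACL {ev['acl']!r} dropped {ev['proto']} from {ev['src_if']}:{ev['src']} to "
                f"{ev['dst']}:{ev['dport']}{hint}; the destination resolves to {ev['dst_if']}, "
                f"so the client is aiming at a host published on that interface rather than the "
                f"outside interface address a VPN client must use")
    if ev["id"] == "402106":
        return (f"cleartext {ev['proto']} from {ev['src']} to {ev['dst']} matched the crypto ACL on the "
                f"crypto-mapped interface and was dropped because it was not IPsec; the crypto ACL is "
                f"catching non-VPN traffic and should be narrowed")
    return "no interpretation available"


def triage(lines):
    """Parse every recognised line and pair it with its explanation."""
    return [(ev["id"], explain(ev)) for ev in map(parse_pix_event, lines) if ev]


if __name__ == "__main__":
    for msg_id, text in triage(SAMPLE_LOG):
        print(msg_id, text)
```

Feeding the poster's two lines through `triage` gives the same two conclusions the reply above reaches by hand: the 106023 drop is on tcp/1723 toward a host on intf2, so the client is speaking PPTP to a published address, and the 402106 drop shows the crypto ACL matching ordinary traffic.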
 
> dst intf2:yyy.yyy.yyy.yyy/1723 by access-group "1"
> The VPN client should connect to the pix outside interface.
> The above message tells us that you are trying to connect to a different address which is mapped (STATIC) to a host in "intf2".
Since I have a load-balancer after the PIX, I need to route all
outside connections to the DMZ (intf2)..
maybe this is the problem... how could I solve this problem?



> I've also tried to change the "cryptomap" access-list ...
> What VPN solution are you going to use?
> MS-PPTP?
> MS-L2TP?
> CISCO-IPSEC?

I'm trying to connect with the Windows VPN client, so MS-L2TP.
 