Help to re-enable VPN connectivity since external IP change

neonrh (IS-IT--Management), Aug 8, 2002
Hello,

Yesterday evening I migrated our company to a new ISP. I changed the PIX config without issue and everything worked great. The only component that broke during the transition was VPN. When I try to connect in from the Cisco VPN client, I receive a logon prompt, but afterwards it hangs on "securing communications channel". I tested VPN connectivity directly from the external interface to rule out the new ISP (same result when I try to connect). Attached below is my config. Could anyone offer some advice? Thanks!

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxx encrypted
hostname xxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service xxxxx tcp
description Port for xxxxx phone system administration
port-object range 4000 4000
access-list 10 deny ip 0.0.0.0 255.0.0.0 any
access-list 10 deny ip 10.0.0.0 255.0.0.0 any
access-list 10 deny ip 127.0.0.0 255.0.0.0 any
access-list 10 deny ip 131.107.0.0 255.255.0.0 any
access-list 10 deny ip 169.254.0.0 255.255.0.0 any
access-list 10 deny ip 172.16.0.0 255.240.0.0 any
access-list 10 deny ip 192.168.0.0 255.255.0.0 any
access-list 10 deny ip 224.0.0.0 224.0.0.0 any
access-list 10 permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list 10 permit icmp any any
access-list 100 permit ip 10.39.54.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 11 deny ip 0.0.0.0 255.0.0.0 any
access-list 11 deny ip 10.0.0.0 255.0.0.0 any
access-list 11 deny ip 127.0.0.0 255.0.0.0 any
access-list 11 deny ip 131.107.0.0 255.255.0.0 any
access-list 11 deny ip 169.254.0.0 255.255.0.0 any
access-list 11 deny ip 172.16.0.0 255.240.0.0 any
access-list 11 deny ip 192.168.0.0 255.255.0.0 any
access-list 11 deny ip 224.0.0.0 224.0.0.0 any
access-list 11 deny ip host 60.217.228.198 any
access-list 11 deny ip host 221.192.133.39 any
access-list 11 deny ip host 218.21.71.134 any
access-list 11 deny ip host 211.152.50.100 any
access-list 11 deny ip host 222.197.188.37 any
access-list 11 deny ip host 125.248.142.162 any
access-list 11 deny ip host 58.211.0.113 any
access-list 11 deny ip host 193.19.212.4 any
access-list 11 deny ip host 202.108.12.145 any
access-list 11 deny ip host 202.102.7.133 any
access-list 11 deny ip host 190.40.253.121 any
access-list 11 deny ip host 190.64.41.196 any
access-list 11 deny ip host 82.46.193.98 any
access-list 11 permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list 11 permit tcp any host xxx.xxx.xxx.xxx eq pop3
access-list 11 permit tcp any host xxx.xxx.xxx.xxx eq www
access-list 11 permit tcp any host xxx.xxx.xxx.xxx eq https
access-list 11 permit icmp any any time-exceeded
access-list 11 remark Rule to allow xxxxxx techs to access xxxxx phone system
access-list 11 permit tcp any host xxxxxxx object-group xxxxx
pager lines 50
logging on
logging timestamp
logging buffered debugging
logging trap debugging
no logging message 106015
no logging message 305012
no logging message 305011
no logging message 302010
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302012
no logging message 609002
no logging message 609001
no logging message 302016
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 10.39.54.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit interface inside probe
ip audit interface inside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip local pool vpnpool 192.168.16.1-192.168.16.50
pdm location 10.39.54.0 255.255.255.255 inside
pdm location 10.39.54.181 255.255.255.255 inside
pdm location 0.0.0.0 255.0.0.0 outside
pdm location 10.0.0.0 255.0.0.0 outside
pdm location 127.0.0.0 255.0.0.0 outside
pdm location 131.107.0.0 255.255.0.0 outside
pdm location 169.254.0.0 255.255.0.0 outside
pdm location 172.16.0.0 255.240.0.0 outside
pdm location 192.168.16.0 255.255.255.0 outside
pdm location 192.168.0.0 255.255.0.0 outside
pdm location 205.147.229.0 255.255.255.0 outside
pdm location 224.0.0.0 224.0.0.0 outside
pdm location 10.39.54.183 255.255.255.255 inside
pdm location 58.211.0.113 255.255.255.255 outside
pdm location 60.217.228.198 255.255.255.255 outside
pdm location 82.46.193.98 255.255.255.255 outside
pdm location 125.248.142.162 255.255.255.255 outside
pdm location 190.40.253.121 255.255.255.255 outside
pdm location 190.64.41.196 255.255.255.255 outside
pdm location 193.19.212.4 255.255.255.255 outside
pdm location 202.102.7.133 255.255.255.255 outside
pdm location 202.108.12.145 255.255.255.255 outside
pdm location 211.152.50.100 255.255.255.255 outside
pdm location 218.21.71.134 255.255.255.255 outside
pdm location 221.192.133.39 255.255.255.255 outside
pdm location 222.197.188.37 255.255.255.255 outside
pdm location 10.39.54.250 255.255.255.255 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.39.54.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 10.39.54.183 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.39.54.181 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.39.54.181 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.39.54.250 4000 netmask 255.255.255.255 0 0
access-group 11 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server 10.39.54.181 protocol radius
aaa-server ias protocol radius
aaa-server ias (inside) host 10.39.54.181 passpass timeout 10
http server enable
http 10.39.54.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community N3v3rG0nnaGu3sTh1s0n3#
no snmp-server enable traps
tftp-server inside 10.39.54.72 /
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto dynamic-map xxxxxdyn 15 set transform-set strong
crypto map xxxxxvpn 10 ipsec-isakmp dynamic xxxxxdyn
crypto map xxxxxvpn client configuration address initiate
crypto map xxxxxvpn client configuration address respond
crypto map xxxxxvpn client authentication ias
crypto map xxxxxvpn interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 15 5
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup xxxxxgroup address-pool vpnpool
vpngroup xxxxxgroup dns-server 10.39.54.180 10.39.54.181
vpngroup xxxxxgroup wins-server 10.39.54.180 10.39.54.181
vpngroup xxxxxgroup default-domain xxxxxinc.com
vpngroup xxxxxgroup idle-time 86400
vpngroup xxxxxgroup password ********
telnet 10.39.54.0 255.255.255.0 inside
telnet timeout 30
ssh 205.147.229.0 255.255.255.0 outside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:3832a9d2503ddb629aa6bbd98935c028
: end
xxxxx-pix506#
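When a PIX 6.3 remote-access VPN stops at "securing communications channel" after an address change, the usual cause is one link of the dependency chain (crypto map bound to the outside interface, isakmp enabled on that interface, dynamic map with a defined transform-set, sysopt bypass, and a NAT-exempt address pool) no longer lining up. The checker below walks that chain over a constructed excerpt of the config posted above (keeping the poster's xxxxx placeholders); it is an added example, not code from the thread, and the statement patterns it matches are those visible in the config, not a full PIX grammar.

```python
import ipaddress
import re
# Constructed excerpt: the VPN-relevant lines of the PIX 6.3 config posted above
PIX_CONFIG = """
ip local pool vpnpool 192.168.16.1-192.168.16.50
access-list 100 permit ip 10.39.54.0 255.255.255.0 192.168.16.0 255.255.255.0
nat (inside) 0 access-list 100
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto dynamic-map xxxxxdyn 15 set transform-set strong
crypto map xxxxxvpn 10 ipsec-isakmp dynamic xxxxxdyn
crypto map xxxxxvpn interface outside
isakmp enable outside
vpngroup xxxxxgroup address-pool vpnpool
"""

def audit_vpn(config):
    # Walk the remote-access VPN dependency chain; return findings (empty list = consistent)
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    def find(pattern):  # anchored matches of one statement shape
        return [m for m in (re.match(pattern, l) for l in lines) if m]
    bound = find(r"crypto map (\S+) interface (\S+)$")
    if not bound:
        return ["no crypto map is bound to an interface"]
    cmap, iface = bound[0].groups()
    findings = []
    if not find(rf"isakmp enable {iface}$"):
        findings.append(f"isakmp is not enabled on {iface}")
    for m in find(rf"crypto map {cmap} \d+ ipsec-isakmp dynamic (\S+)$"):
        ts = find(rf"crypto dynamic-map {m.group(1)} \d+ set transform-set (\S+)$")
        if not ts or not find(rf"crypto ipsec transform-set {ts[0].group(1)} "):
            findings.append(f"dynamic map {m.group(1)} lacks a defined transform-set")
    if not find(r"sysopt connection permit-ipsec$"):
        findings.append("sysopt connection permit-ipsec missing: decrypted traffic hits the outside ACL")
    for m in find(r"vpngroup \S+ address-pool (\S+)$"):
        pool = find(rf"ip local pool {m.group(1)} (\S+)-(\S+)$")
        if not pool:
            findings.append(f"address pool {m.group(1)} is not defined")
            continue
        lo, hi = (ipaddress.ip_address(a) for a in pool[0].groups())
        # Pool must be NAT-exempt, or client traffic gets PATed and replies never return
        exempt = any(
            lo in net and hi in net
            for n in find(r"nat \(inside\) 0 access-list (\S+)$")
            for a in find(rf"access-list {n.group(1)} permit ip \S+ \S+ (\S+) (\S+)$")
            for net in [ipaddress.ip_network(f"{a.group(1)}/{a.group(2)}", strict=False)]
        )
        if not exempt:
            findings.append(f"pool {m.group(1)} is not covered by the nat 0 exemption ACL")
    return findings
```

Run it against a `show run` capture taken before and after the ISP change; a difference in the findings list points at the link that broke.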
 
You will need to run these two commands to gen a new key

config t
ca gen rsa key 1024
ca save all

 
Try this first -
no isakmp enable outside
isakmp enable outside

If that doesn't do it, remove all your VPN config and re-enter it. I have had problems in the past where just changing the IP and re-enabling isakmp didn't fix it and rebuilding it exactly the same worked. Weird, but it worked a few times.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks guys, I had to fix the problem fast so I ended up rebuilding the VPN config. On the plus side, it resolved some name resolution problems for VPN clients, so that's a plus as well.

Thanks again!