
Pix 501 VPN Client Access 1


WNelson28

IS-IT--Management
May 21, 2003
I'm very new to the Pix firewall side of things and I'm finding it increasingly difficult to find a standard step-by-step configuration I can use to set up VPN client (v3.x) access to the network via the Pix. Thing is I do not know what the IP addresses of the connecting hosts will be.

I have tried following the items on the Cisco website but they all seem to contradict each other!

Any help would be great, better still if any nice kind person could copy and paste a config I can use!

Thanks all
 
Try this

ip local pool clientpool IPADDRESSPOOL
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host RADIUSSERVERIP RADIUSSHAREDKEYPASSWORD timeout 5
crypto dynamic-map clientvpnmap 10 set transform-set myset
crypto map newmap 100 ipsec-isakmp dynamic clientvpnmap
crypto map newmap client authentication RADIUS
crypto map newmap interface outside
vpngroup clientgroup address-pool clientpool
vpngroup clientgroup dns-server DNSSERVERS
vpngroup clientgroup default-domain SOMETHING.COM
vpngroup clientgroup idle-time 1800
vpngroup clientgroup password PASSWORDCLIENTWILLUSE
 
 
I've tried following various instructions but can't seem to get a connection. I'm using a Pix 501 and have pasted the config here for you all to laugh at! But after that, if somebody could let me know what is missing... I'm using VPN client ver 3.6 and the IP address of the connecting system(s) is not known (ADSL). I do get issued an IP address when I connect but then get this error in the client log...
1 09:07:37.867 06/01/03 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x53CD595A)

Can't open the config capture so can't paste it! Any help on the error??
 
As promised here is the config (don't laugh). Can anybody tell me what I'm missing? I can connect (ish) and get issued an IP address but the connection then seems to fail with the error in my last post, but I still seem to remain connected.

I can't ping anything on the inside or connect/see anything either. This has been sending me mad as I'm not too hot when it comes to these types of things, so before more of my hair falls out.....


I'm using VPN Client 3.6 and I need to set it up to accept connections from unknown hosts. One thing I have noticed is that I can't seem to tell the VPN client what the pre-shared key is, only what the vpngroup password is!

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname mypix
domain-name mycompany.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no names
name 192.168.10.x myserver1
access-list external permit tcp any host 217.x.x.186 eq smtp
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 217.x.x.185 255.255.255.248
ip address inside 192.168.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool test 192.168.10.70-192.168.10.80
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 217.x.x.187
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 217.x.x.186 192.168.10.x netmask 255.255.255.255 0 0
access-group external in interface outside
route outside 0.0.0.0 0.0.0.0 217.x.x.190 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local test outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup unityclient address-pool test
vpngroup unityclient dns-server 192.168.10.x
vpngroup unityclient default-domain mycompany.co.uk
vpngroup unityclient idle-time 1800
vpngroup unityclient password ********
telnet timeout 5
ssh timeout 5
terminal width 80

 
I can now connect without any problems.... don't know why! But I can't ping any of the inside IP addresses and can't log on to the domain as a result. I can map a drive to the DC, but only if I use the external IP address for it, which has a static inside,outside mapping (see config), so what am I missing if I want to grant those coming in full access to network resources? I assume I must be missing some kind of no-nat rule or access-list.

Any help would be great...

Thanks..
 
HI.

> I can't seem to tell the VPN client what the pre-shared key is, only what the vpngroup password is!
> isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
The vpngroup password is used as the preshared key.
You should remove the above "isakmp key ..." from your config because it is not needed.

> ... But I can't ping any of the inside IP addresses ...
> ip address inside 192.168.10.254 255.255.255.0
> ip local pool test 192.168.10.70-192.168.10.80
You should use a different pool for VPN clients; that way the pix will know better how to handle and route the traffic:
ip local pool test 192.168.111.1-192.168.111.10
Then you also need to add access-lists for interesting VPN traffic, for split tunnel, and for no-nat.

You'll find sample configs on the Cisco web site, and you can use PDM or PIXCRIPT to generate a basic config for you, so you don't have to do it the hard way unless you like it that way.

Maybe you didn't find the correct sample on the Cisco web site.
Try the following one:
But you can ignore the part that is for the older client:
"!--- ISAKMP Policy for VPN 3000 Client running 2.5 code"

Bye


Yizhar Hurwitz
 
All working now!

Many thanks Yizhar...
 
Just thought of another question. Should I use XAUTH or something like that? I have full access to the domain at present so is it really needed?
 
HI.

> Should I use XAUTH or something like that?
Yes, you should.
Using XAUTH gives you better security because:
* An attacker will need much more info to break in (pix auth+NT auth).
* A VPN client user cannot save the XAUTH password locally, so an attacker needs to work harder to steal it.
* You can log VPN authentication attempts (success and fail) on the RADIUS server.
* You can manage and enforce VPN access policy at the RADIUS server.

Bye


Yizhar Hurwitz
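The checks Yizhar lists (separate client pool, drop the wildcard isakmp key, add the no-nat and split-tunnel access-lists, and XAUTH from the reply above) as an added Python script that flags them in a PIX 6.x config. This is example code added here, not from the thread or from Cisco; the config it scans is constructed to mirror the first config posted, and the regexes cover only the PIX 6.x command forms that appear in this thread.

```python
import re
import ipaddress

# Constructed sample, not the poster's config: it mirrors the first config in
# the thread (pool carved out of the inside LAN, wildcard isakmp key next to a
# vpngroup password, no nat 0 / split-tunnel access-list, no XAUTH).
SAMPLE_CONFIG = """\
ip address inside 192.168.10.254 255.255.255.0
ip local pool test 192.168.10.70-192.168.10.80
crypto map mymap 10 ipsec-isakmp dynamic dynmap
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
vpngroup unityclient address-pool test
vpngroup unityclient password ********
"""

def check_pix_vpn_config(config):
    """Return a list of findings for a PIX 6.x VPN client (vpngroup) config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings, inside_net, pools, acls = [], None, {}, set()
    for ln in lines:
        if m := re.match(r"ip address inside (\S+) (\S+)$", ln):
            inside_net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", ln):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) ", ln):
            acls.add(m[1])
    # 1. the client pool must not be carved out of the inside subnet
    for name, (lo, hi) in pools.items():
        if inside_net and (lo in inside_net or hi in inside_net):
            findings.append(f"pool {name} overlaps inside subnet {inside_net}")
    # 2. with vpngroup the group password is the preshared key, so a wildcard
    #    'isakmp key ... address 0.0.0.0' line is redundant
    has_group_pw = any(re.match(r"vpngroup \S+ password ", ln) for ln in lines)
    if has_group_pw and any(re.match(r"isakmp key \S+ address 0\.0\.0\.0 ", ln) for ln in lines):
        findings.append("wildcard 'isakmp key' is redundant with the vpngroup password")
    # 3./4. the no-nat and split-tunnel access-lists must exist and be defined
    for label, pat in (("no-nat", r"nat \(inside\) 0 access-list (\S+)$"),
                       ("split-tunnel", r"vpngroup \S+ split-tunnel (\S+)$")):
        refs = [m[1] for ln in lines if (m := re.match(pat, ln))]
        if not refs:
            findings.append(f"no {label} access-list configured")
        findings += [f"{label} ACL {r} is referenced but not defined" for r in refs if r not in acls]
    # 5. XAUTH: the crypto map should send client logins to an AAA server
    if not any(re.match(r"crypto map \S+ client authentication \S+", ln) for ln in lines):
        findings.append("no XAUTH ('crypto map <map> client authentication <aaa-server>')")
    return findings
if __name__ == "__main__":
    for finding in check_pix_vpn_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Running it against the second config posted in this thread (separate 192.168.11.x pool, nat 0 access-list 101, split-tunnel 101, client authentication partnerauth) returns no findings.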
 
Don't suppose you know of a good Cisco doc like the last one that explains how to configure the PIX??
 
Me again! You'll get sick of me! I have followed the instructions at the above link, but when I enable XAUTH using IAS on Win 2k the clients can't access anything on the inside. The ones dialing in have been given access to dial in and it does say it's authenticated correctly, but nothing happens. The config has been posted here: There are also some strange ones on here; you will notice the isakmp policy 20 commands and the two odd vpngroup commands, neither of which I can get rid of! Any ideas what's wrong?

Again, thanks in advance!
PIX Version 6.1(4)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname mypix
domain-name mydom.co.uk
fixup protocol ftp 21
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol http 80
no names
name 192.168.10.10 mynewdc1
access-list external permit tcp any host 217.x.x.10 eq smtp
access-list external permit tcp any host 217.x.x.10 eq 443
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
pager lines 24
logging console notifications
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 217.x.x.9 255.255.255.248
ip address inside 192.168.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.11.1-192.168.11.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 217.x.x.12
nat (inside) 0 access-list 101
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 217.x.x.10 192.168.10.10 netmask 255.255.255.255 0 0
static (inside,outside) 217.x.x.11 192.168.10.11 netmask 255.255.255.255 0 0
access-group external in interface outside
route outside 0.0.0.0 0.0.0.0 217.x.x.14 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.10.10 ****** timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 21600
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup mynewvpn idle-time 1800
vpngroup dns-server idle-time 1800
vpngroup sdays address-pool ippool
vpngroup sdays dns-server 192.168.10.10
vpngroup sdays default-domain mydom.co.uk
vpngroup sdays split-tunnel 101
vpngroup sdays idle-time 1800
vpngroup sdays password ********
telnet timeout 5
ssh timeout 5
terminal width 80

 
HI.

I don't see relevant errors in the pix config.

Can you ping any host via the VPN tunnel?
Try using syslog messages at the pix.
Check configuration of client and server.
If the client has a software or hardware firewall, try disabling it and use a dial-up connection.

Bye


Yizhar Hurwitz
 
Can't ping anything while connected, and the clients have no firewall either. The client configuration is the same as mine, the only difference being the ISP we use. Could it be they are not allowing encrypted traffic to pass?
 
HI.

> The only difference being the ISP we use, could it be they are not allowing encrypted traffic to pass
It could be, but could also be a NAT device at remote client connection to Internet, or at the ISP devices.

Can the pix ping the remote VPN client? (Direct ping before establishing the tunnel)?

Ask the remote client to test with analog dial-up connection (remind him not to enable software firewall).



Yizhar Hurwitz
 
I have tried pinging the client when we were both connected and I can't. I get "request timed out"; however they can ping me and make any outbound connection they wish, but it will not accept any inbound pings or connections. They do not have any firewall and the ISP are claiming they do not use NAT, but surely they must be???
 
HI.

> They do not have any firewall and the ISP are claiming they do not use NAT...
But what about devices at the client side (at the client's home or wherever)?
What type of connection is it, ADSL?
Ask the client to type IPCONFIG/WINIPCFG: does it get a private or public address?
Compare the results with what the CLIENT gets here:



Yizhar Hurwitz
 