Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Pix 506e VPN Error

Status
Not open for further replies.
schroednic

schroednic

IS-IT--Management
Nov 18, 2008
21
US
Hi;

Yes this an old 506 vpn question.

My old 506e running version 6.2(1) failed and was able to find another one. I had the config file so I just dropped it into the other 506e (version 6.3(4)) and was up and running in no time.

However I cannot connect to work via a VPN connection on the firewall, keep getting the Windows error:

"Unable to establish a connection with the VPN server. Unreachable or security parameters are incorrect."


The config is identical except the new one has 3 more aaa-server TACACS+ statements.

AND

the vpdn group inet1 command:


vpdn group inte1 ppp authentication chapnam HAD TO BE changed to vpdn group inte1 ppp authentication chap.....as we use clear unencrypted PAP.


Any ideas, thanks in advance.


 
Sort by date Sort by votes
Hello,

You'll need to post a scrubbed config and any logs from the pix so that we can understand your network setup.

-Viconsul
 
Upvote 0 Downvote
Viconsul, thanks for the reply.

Here is my config minus some private info:

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname <HOST>
domain-name <DOMAIN>
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
access-list outside_in permit tcp any any eq 500
access-list outside_in permit tcp any host <PUBLIC IP> eq www
access-list outside_in permit tcp any host <PUBLIC IP> eq 5651
access-list outside_in permit tcp any host <PUBLIC IP> eq 5652
access-list outside_in permit tcp any host <PUBLIC IP> eq 6000
access-list outside_in permit tcp any host <PUBLIC IP> range 30000 30030
access-list outside_in permit tcp any host <PUBLIC IP> range 9000 9001
access-list outside_in permit tcp any host <PUBLIC IP>5 eq https
access-list outside_in permit icmp any any
access-list outside_in permit tcp 192.168.200.0 255.255.255.0 eq 192.168.100.220 eq www
access-list outside_in permit tcp 192.168.200.0 255.255.255.0 eq 192.168.100.5 eq www
access-list outside_in permit tcp 192.168.200.0 255.255.255.0 eq access-list outside_in permit ip 192.168.200.0 255.255.255.0 host 192.168.100.220
access-list outside_in permit tcp 192.168.200.0 255.255.255.0 eq 192.168.100.2 eq www
access-list outside_in permit ip 192.168.200.0 255.255.255.0 host 192.168.100.2



access-list outside_in permit tcp any host <PUBLIC IP> eq www
access-list outside_in permit tcp any host <PUBLIC IP> eq https
access-list outside_in permit tcp any host <PUBLIC IP> eq www
access-list outside_in permit tcp any host <PUBLIC IP> eq https
access-list outside_in permit tcp any host <PUBLIC IP> eq www
access-list outside_in permit tcp any host <PUBLIC IP> eq https
access-list outside_in permit tcp any host <PUBLIC IP> eq www
access-list outside_in permit tcp any host <PUBLIC IP> eq https
access-list outside_in permit tcp any host <PUBLIC IP> eq www
access-list outside_in permit tcp any host <PUBLIC IP> eq https
access-list outside_in permit ip host <PUBLIC IP> any
access-list outside_in permit ip host <PUBLIC IP> any
access-list inside_out permit tcp any any
access-list inside_out permit ip any any
access-list inside_out permit udp any any
access-list inside_out permit icmp any any



access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 102 permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 102 permit tcp 192.168.200.0 255.255.255.0 eq telnet host 192.168.100.254 eq telnet
access-list 102 permit tcp 192.168.100.0 255.255.255.0 eq telnet host 192.168.100.254 eq telnet

access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list 102 permit ip host 192.168.100.220 192.168.0.0 255.255.255.0
access-list 102 permit ip host 192.168.100.220 192.168.10.0 255.255.255.0
access-list PROTECT permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list PROTECT permit ip 192.168.100.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list PROTECT permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0


pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside <PUBLIC IP> 255.255.255.0
ip address inside <NAT IP> 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool <NAT IP RANGE 192.>
pdm history enable
arp timeout 14400
global (outside) 1 <PUBLIC IP RANGE>
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0



static (inside,outside) <PUBLIC IP> 192.168.100.43 netmask 255.255.255.255 0 0

static (inside,outside) <PUBLIC IP> 192.168.100.41 netmask 255.255.255.255 0 0

static (inside,outside) <PUBLIC IP> 192.168.100.42 netmask 255.255.255.255 0 0

static (inside,outside) <PUBLIC IP> 192.168.100.8 netmask 255.255.255.255 0 0
static (inside,outside) <PUBLIC IP> 192.168.100.12 netmask 255.255.255.255 0 0
static (inside,outside) <PUBLIC IP> 192.168.100.5 netmask 255.255.255.255 0 0
static (inside,outside) <PUBLIC IP> 192.168.100.14 netmask 255.255.255.255 0 0
static (inside,outside) <PUBLIC IP> 192.168.100.6 netmask 255.255.255.255 0 0

access-group outside_in in interface outside
access-group inside_out in interface inside
route outside 0.0.0.0 0.0.0.0 <PUBLIC IP> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.100.7 test1234 timeout 30
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set router-set esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set router-set
crypto map VPNCONNECTION 10 ipsec-isakmp
crypto map VPNCONNECTION 10 match address PROTECT
crypto map VPNCONNECTION 10 set pfs group2
crypto map VPNCONNECTION 10 set peer <PUBLIC IP>
crypto map VPNCONNECTION 10 set peer <PUBLIC IP>
crypto map VPNCONNECTION 10 set transform-set strong
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address <PUBLIC IP> netmask 255.255.255.255
isakmp key ******** address <PUBLIC IP> netmask 255.255.255.255
isakmp key ******** address <PUBLIC IP> netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 10 lifetime 28800
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet 192.168.200.0 255.255.255.0 outside
telnet 192.168.100.0 255.255.255.0 inside
telnet <PUBLIC IP> 255.255.255.255 inside
telnet 192.168.200.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group inet1 accept dialin pptp
vpdn group inet1 ppp authentication pap
vpdn group inet1 ppp authentication chap
vpdn group inet1 client configuration dns 192.168.100.9 192.168.100.10
vpdn group inet1 client configuration wins 192.168.100.1
vpdn group inet1 client authentication aaa RADIUS
vpdn group inet1 pptp echo 60
vpdn enable outside
terminal width 80




LEFT OUT OF NEW CONFIG:



These lines below were left out of the new config as they could/would not be entered correctly.



crypto map sprint-map 20 ipsec-isakmp
crypto map sprint-map 20 set peer sprint_fw
crypto map sprint-map 20 set transform-set myset



vpdn group inet1 ppp authentication chapnam



sh cry isa sa
Total : 0
Embryonic : 0
dst src state pending created


sh cry ips sa
interface: outside
Crypto map tag: dyn-map, local addr. <My correct OUTSIDE PUBLIC IP Address>
 
Upvote 0 Downvote
Ok here are the CLI commands for the PIX 506e ver 6.3, looks like they changed from the older 6.2 ver. Just want to help out those who can benefit from it. Bottom line up and running with the internet and VPN.
Thanks again all.


vpdn group inet1 client configuration address local vpnpool
vpdn group inet1 ppp authentication mschap
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

quazimotto
  • Locked
  • Question
Cisco ASA_5505 VPN to Juniper_SRX210 VPN IS UP_ No Traffic!!!!!!
Replies
0
Views
67
quazimotto
quazimotto
tviman
  • Locked
  • Question
Same subnet on each side of a VPN 1
Replies
2
Views
82
tviman
tviman
DigitalG
  • Locked
  • Question
cisco rv180 vpn tunnel between a rv130
Replies
0
Views
54
DigitalG
DigitalG
hall5942
  • Locked
  • Question
Site to Site VPN with Cisco 881 and PIX
Replies
0
Views
55
hall5942
hall5942
napoleao
  • Locked
  • Question
IPSec VPN
Replies
3
Views
106
napoleao
napoleao

Part and Inventory Search

Sponsor

Back
Top