
PIX 515E 3 Cards - VPN access Sample config Needed, NO Auth server.

kenedmonds (IS-IT--Management, NZ), Jul 10, 2002
Hi,

I'm looking for a sample config for dialup Internet users to VPN into the local network (gateway PIX). I have no auth server. PIX 515E 6.22, 3 NICs: outside, inside and DMZ.

I have everything else working but the VPN wizard just does not work.

I've been through Cisco's docs lots, but they all seem to require RADIUS and TACACS+ auth.

I guess I'm looking for quick answers. Hence the request for a sample config.

cheers
 
You may need to have the VPN license to do this, but I have a 515UR with 6 interfaces, a whole different monster.

Licensed Features:
VPN-DES: Disabled
VPN-3DES: Disabled

To check if you do, you would type "show tech".
It will most likely be on the first page if your pager lines is set around 25 (in other words, it will be near the top).
Of course, this is through telnet. I don't know what wizard you are using, but the best option is telnet when you need to *really* see what you're doing.

And, I hate to do this but...

----

Turn on logging if all else fails.

bee
 
HI.

You can use pixscript to generate a sample VPN config:

(Normally you'll find it on my web site in the signature, but today the server is down, so those links are for an alternate one.)

If the VPN isn't working, you'll need to collect more details like syslog messages, configuration, IP addressing and so on.

IPSec VPN does not require RADIUS, but it is recommended because it gives you double authentication (vpngroup name/pass and in addition RADIUS user/pass), and it also gives you better logging and monitoring at the RADIUS side.

Bye
Yizhar Hurwitz
 
Hi All,

Well, I have all the licenses; the PIX came with a VPN bundle and 3DES, which I installed, and upgraded to OS 6.22.

I have used PIXSCRIPT and all the documentation I can find, seen sample/real configs and checked that off against mine.
Still, the VPN has no INBOUND sessions from the NIC facing the Internet. What am I missing?

The client says timeout, no response from peer. I can ping the PIX when I enable ICMP from the dialup client. Are there any ports I need open on the external interface?

The wizard that comes with the PDM seems to put all the right entries in and I have used sysopt cmd to permit ipsec.

I think I'm missing a common, not so documented command that everyone knows but me.

Any ideas?
Anyone

Cheers
 
HI.

For troubleshooting, you can try to connect a test client directly via Ethernet to the pix outside interface.

How exactly does your client connect to the Internet?
Is the client behind NAT?
Which is the ISP of the client and of the pix?
Ask your ISP if they are blocking ESP or other VPN protocols.

Check the pix syslog messages and the client log viewer. Try also some "debug crypto" commands; you'll find info in some Cisco samples and in the command reference.

Is the VPN tunnel established but with no access to hosts, or can you not even establish the VPN? What are the exact errors you get?

After the VPN tunnel is up, try TCP connections like telnet, http, ftp, etc.

Post here your relevant config if you can.

Bye
Yizhar Hurwitz
 
I would post a relevant config, but you all might laugh.
I will need to tidy it up a lot before I post it.

The VPN does not even establish as far as I can tell; the client is dialup to the Internet. All ISPs involved support the Cisco PIX and VPN. There are other people with Cisco PIXes using these ISPs fine, hence why we use them.

The client log says:

Sev=Warning/2 IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits.... peer is not responding

Sev=Warning/3 DIALIER/0xE3300015
GI VPN start callback failed "CM_PEER_NOT_RESPONDING" (16h)

So the client cannot connect to the PIX, or the PIX is not responding... which seems to make sense.

What have I missed? A port? A route? Or just everything?


Cheers
 
Here is the config, a bit left out and a bit not so nice to look at. But here it is; it won't stay this way, it's only for testing. A clean-up is more than due, I think. I assume it's all you need.

Let me know if it's not.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 6lqvbvtsKTvX/XII encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname XXXXXXX
domain-name XXXXXXXXXXXXX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names

access-list intf2_access_in permit ip 192.168.10.0 255.255.255.0 any
access-list acl_out permit tcp any host Extern_IP eq www
access-list acl_out permit tcp any host Extern_IP eq https
access-list Telco_splitTunnelAcl permit ip 192.168.4.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.254.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.254.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.XXX
ip address inside 192.168.4.251 255.255.255.0
ip address intf2 192.168.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 192.168.254.1-192.168.254.254

arp timeout 14400
global (outside) 2 xxx.xxx.xxx.xxx netmask 255.255.255.252
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
access-group intf2 in interface intf2
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.168.0.0 255.255.0.0 192.168.4.1 1
route outside DMZ-Web 255.255.255.252 xxx.xxx.xxx.xxx 1
route outside xxx.xxx.xxx.xxx 255.255.255.255 xxx.xxx.xxx.xxx
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host xxx.xxx.xxx.xxx XXXXXXXX timeout 5
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

sysopt connection permit-ipsec
no sysopt route dnat
auth-prompt prompt Please Authenticate to the Firewall
auth-prompt accept OK - you are authenticated.
auth-prompt reject Authentication Failed. Try Again.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map TelcoUsers client configuration address initiate
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn-group address-pool vpn-pool
vpngroup vpn-group dns-server 192.168.4.4 192.168.4.2
vpngroup vpn-group wins-server 192.168.4.1 192.168.4.5
vpngroup vpn-group default-domain XXXXX.com
vpngroup vpn-group idle-time 1800
vpngroup vpn-group max-time 7200
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpnclient vpngroup TestGroup password ********
vpnclient username USER_NAME password ********
vpnclient server Extern_IP
vpnclient mode client-mode
terminal width 80
 
HI.

* This might be a conflict (I'm not sure):
ip local pool vpn-pool 192.168.254.1-192.168.254.254
route inside 192.168.0.0 255.255.0.0 192.168.4.1
I suggest setting routes only to class C subnets in that case.

* All the "vpnclient" statements are not needed unless your pix is acting as a VPN client (Easy VPN client connecting to a main office VPN server).

* I didn't find in your configuration an "isakmp key" nor a "vpngroup vpn-group password" for pre-shared authentication.
Try to add the following:
vpngroup vpn-group password XXXX
and configure the client with "vpn-group" as user/group name and the needed password.

* What about syslog messages at the pix???

Bye


Yizhar Hurwitz
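The review above is a manual lint of the posted config: a pool that sits inside a wider static route, stray "vpnclient" lines, and a vpngroup with no pre-shared key. The posted config also has two dangling references a reader can spot the same way: "access-group intf2 in interface intf2" names an ACL that is never defined (the defined one is intf2_access_in), and dynamic-map entry 60 matches outside_cryptomap_dyn_60, which does not exist. The script below is an added example, not code from the thread or from Cisco; it applies those five checks to a constructed excerpt modelled on the posted config, and then to a corrected copy that follows the suggestions above (the replacement /24 route and the placeholder key are constructed values).

```python
"""Lint a PIX 6.x running-config for the omissions that stall a remote-access
IPSec VPN: dangling ACL references, a vpngroup with no pre-shared key,
leftover Easy VPN client statements, and an address pool overlapping a route.
Added example, not part of the thread or of any Cisco tooling."""
import ipaddress

# Constructed excerpt modelled on the config posted in the thread.
SAMPLE_CONFIG = """\
access-list intf2_access_in permit ip 192.168.10.0 255.255.255.0 any
access-list acl_out permit tcp any host Extern_IP eq www
access-list outside_cryptomap_dyn_20 permit ip any 192.168.254.0 255.255.255.0
ip local pool vpn-pool 192.168.254.1-192.168.254.254
access-group acl_out in interface outside
access-group intf2 in interface intf2
route inside 192.168.0.0 255.255.0.0 192.168.4.1 1
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
isakmp enable outside
vpngroup vpn-group address-pool vpn-pool
vpngroup vpn-group idle-time 1800
vpnclient vpngroup TestGroup password ********
"""

# Constructed corrected copy: ACL name fixed, dangling map entry and vpnclient
# lines dropped, route narrowed to a /24 (hypothetical subnet), PSK added.
FIXED_CONFIG = (
    SAMPLE_CONFIG
    .replace("access-group intf2 in", "access-group intf2_access_in in")
    .replace("route inside 192.168.0.0 255.255.0.0", "route inside 192.168.5.0 255.255.255.0")
    .replace("crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60\n", "")
    .replace("vpnclient vpngroup TestGroup password ********\n", "")
    + "vpngroup vpn-group password EXAMPLE-PSK-PLACEHOLDER\n"
)


def parse(config):
    """Tokenise each non-blank, non-comment line of a PIX config."""
    return [ln.split() for ln in config.splitlines() if ln.strip() and not ln.startswith("!")]


def lint(config):
    """Return a list of human-readable findings; empty means no issue found."""
    lines = parse(config)
    findings = []
    acls = {t[1] for t in lines if t[0] == "access-list" and len(t) > 1}

    # 1. access-group must bind an ACL that is actually defined.
    for t in lines:
        if t[0] == "access-group" and t[1] not in acls:
            findings.append(f"access-group references undefined ACL {t[1]}")

    # 2. A dynamic-map 'match address' must also name a defined ACL.
    for t in lines:
        if t[:2] == ["crypto", "dynamic-map"] and "address" in t:
            name = t[t.index("address") + 1]
            if name not in acls:
                findings.append(f"dynamic-map {t[2]} {t[3]} matches undefined ACL {name}")

    # 3. Every vpngroup needs a password (the IKE pre-shared key for the group).
    groups = {t[1] for t in lines if t[0] == "vpngroup"}
    with_pw = {t[1] for t in lines if t[0] == "vpngroup" and "password" in t}
    for g in sorted(groups - with_pw):
        findings.append(f"vpngroup {g} has no password")

    # 4. 'vpnclient' turns the box into an Easy VPN client, not a server.
    if any(t[0] == "vpnclient" for t in lines):
        findings.append("vpnclient statements present (PIX configured as Easy VPN client)")

    # 5. An address pool that falls inside a static route's network is a conflict.
    pools = {}
    for t in lines:
        if t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
    for t in lines:
        if t[0] == "route":
            net = ipaddress.IPv4Network(f"{t[2]}/{t[3]}", strict=False)
            for name, (lo, hi) in pools.items():
                if lo in net or hi in net:
                    findings.append(f"pool {name} overlaps route {t[1]} {net}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {lint(cfg) or ['no findings']}")
```

The checks are deliberately syntactic: they say nothing about whether the peer can reach UDP/500 and ESP through the ISP, which the reply above addresses with the "debug crypto" and syslog suggestions. Running the lint on the posted excerpt yields five findings; on the corrected copy it yields none.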
 