
PIX Configuration Assistance


GrizFan

Technical User
Nov 7, 2009
Hello,

I'm a novice to configuring PIX devices so I'm seeking some help from others.

I need to establish a remote VPN connection into my Windows Active Directory domain. I've configured my PIX 515e similar to another PIX that is working fine. I didn't get any errors when doing the configuration but when I try to connect with my VPN Client I get a user authentication error.

Here are the details of my equipment:

PIX 515e v6.3(5)
Connecting from Windows 7 computer with Cisco VPN Client 5.0.01.0600

When I connect using the client I enter my Windows user name and password but it fails with a "Reason 413: User Authentication Failed". My log shows the following error:

Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600

295 20:32:19.287 11/07/09 Sev=Info/4 CM/0x63100002
Begin connection process

296 20:32:19.287 11/07/09 Sev=Info/4 CM/0x63100004
Establish secure connection

297 20:32:19.287 11/07/09 Sev=Info/4 CM/0x63100024
Attempt connection with server "209.128.xx.xxx"

298 20:32:19.287 11/07/09 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 209.128.xx.xxx.

299 20:32:19.302 11/07/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 209.128.xx.xxx

300 20:32:19.443 11/07/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 209.128.xx.xxx

301 20:32:19.443 11/07/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from 209.128.xx.xxx

302 20:32:19.443 11/07/09 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

303 20:32:19.443 11/07/09 Sev=Info/5 IKE/0x63000001
Peer supports DPD

304 20:32:19.443 11/07/09 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

305 20:32:19.443 11/07/09 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5

306 20:32:19.443 11/07/09 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

307 20:32:19.443 11/07/09 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

308 20:32:19.443 11/07/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 209.128.xx.xxx

309 20:32:19.443 11/07/09 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

310 20:32:19.443 11/07/09 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xD310, Remote Port = 0x1194

311 20:32:19.443 11/07/09 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device

312 20:32:19.443 11/07/09 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

313 20:32:19.474 11/07/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 209.128.xx.xxx

314 20:32:19.474 11/07/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 209.128.xx.xxx

315 20:32:19.474 11/07/09 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

316 20:32:19.474 11/07/09 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now

317 20:32:19.474 11/07/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 209.128.xx.xxx

318 20:32:19.474 11/07/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 209.128.xx.xxx

319 20:32:19.474 11/07/09 Sev=Info/4 CM/0x63100015
Launch xAuth application

320 20:32:19.583 11/07/09 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

321 20:32:19.583 11/07/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

322 20:32:24.466 11/07/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 209.128.xx.xxx

323 20:32:24.466 11/07/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from 209.128.xx.xxx

324 20:32:29.255 11/07/09 Sev=Info/4 CM/0x63100017
xAuth application returned

325 20:32:29.255 11/07/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 209.128.xx.xxx

326 20:32:29.286 11/07/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 209.128.xx.xxx

327 20:32:29.286 11/07/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 209.128.xx.xxx

328 20:32:29.286 11/07/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 209.128.xx.xxx

329 20:32:29.286 11/07/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=DDFBCD1BEFD1DA0D R_Cookie=A425C1A3EA1F6A29) reason = DEL_REASON_WE_FAILED_AUTH

330 20:32:29.286 11/07/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 209.128.xx.xxx

331 20:32:29.848 11/07/09 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=DDFBCD1BEFD1DA0D R_Cookie=A425C1A3EA1F6A29) reason = DEL_REASON_WE_FAILED_AUTH

332 20:32:29.848 11/07/09 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "209.128.xx.xxx" because of "DEL_REASON_WE_FAILED_AUTH"

333 20:32:29.879 11/07/09 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

334 20:32:29.895 11/07/09 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.

335 20:32:29.895 11/07/09 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

336 20:32:30.369 11/07/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

337 20:32:30.369 11/07/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

338 20:32:30.369 11/07/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

339 20:32:30.369 11/07/09 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped


Here is the config of my PIX 515E:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password r31ME0CIhiUS4m2Q encrypted
passwd r31ME0CIhiUS4m2Q encrypted
hostname dwr-10405-515e
domain-name my-domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.46.0 255.255.255.0 10.100.10.0 255.255.255.0
access-list 101 permit ip any 10.100.10.0 255.255.255.0
access-list outside_cryptomap_dyn_50 permit ip any 10.100.10.0 255.255.255.0
access-list outbound permit ip any any
access-list split permit ip 192.168.46.0 255.255.255.0 10.100.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 209.128.xx.xxx 255.255.255.248
ip address inside 192.168.46.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool 10.100.10.1-10.100.10.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 209.128.67.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server radius protocol radius
aaa-server radius max-failed-attempts 3
aaa-server radius deadtime 10
aaa-server radius (inside) host 192.168.46.2 xxxxxxxxxx timeout 10
http server enable
http 192.168.46.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 50 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication radius
crypto map mymap interface outside
isakmp enable outside
isakmp client configuration address-pool local mypool outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remotevpn address-pool mypool
vpngroup remotevpn dns-server 192.168.46.2
vpngroup remotevpn wins-server 192.168.46.2
vpngroup remotevpn default-domain my-domain.com
vpngroup remotevpn split-tunnel split
vpngroup remotevpn idle-time 1800
vpngroup remotevpn password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.46.0 255.255.255.0 inside
ssh 192.168.46.0 255.255.255.0 intf2
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username widget password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:c2c2d69d6329a9362b4b1645f471225d

If anyone could help me out or provide any suggestions I would be very appreciative.

Thank you.
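As an added, constructed example (not part of the original post): a small Python triage script that parses entries in the Cisco VPN Client log format shown above and reports the stage at which the tunnel was torn down. In this post's log, Phase 1 completes and the xAuth prompt is answered before DEL_REASON_WE_FAILED_AUTH appears, which places the rejection at the XAUTH user-credential step (the path behind `crypto map mymap client authentication radius`) rather than at the group pre-shared key; the sample entries below are copied from the post, and the stage names are this script's own.

```python
import re

# Constructed sample in the Cisco VPN Client log format from the post (four of its entries)
SAMPLE_LOG = """\
312 20:32:19.443 11/07/09 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
319 20:32:19.474 11/07/09 Sev=Info/4 CM/0x63100015
Launch xAuth application
324 20:32:29.255 11/07/09 Sev=Info/4 CM/0x63100017
xAuth application returned
329 20:32:29.286 11/07/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=DDFBCD1BEFD1DA0D R_Cookie=A425C1A3EA1F6A29) reason = DEL_REASON_WE_FAILED_AUTH
"""
# Header line: sequence number, time, date, Sev=Level/number, Module/hex message code
HEADER_RE = re.compile(r"^(\d+) (\S+) (\S+) Sev=(\w+)/(\d) (\w+)/(0x[0-9A-Fa-f]+)$")

def parse_entries(text):
    """Pair each header line with the message line(s) that follow it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            entries.append({"seq": int(m.group(1)), "module": m.group(6), "code": m.group(7), "msg": ""})
        elif line and entries:  # continuation lines (e.g. NAT detection status) belong to the last entry
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def triage(text):
    """Record how far the negotiation got and the first IKE SA deletion reason seen."""
    state = {"phase1": False, "xauth_prompted": False, "xauth_answered": False, "reason": None}
    for e in parse_entries(text):
        msg = e["msg"]
        if msg.startswith("Established Phase 1 SA"):
            state["phase1"] = True
        elif msg.startswith("Launch xAuth application"):
            state["xauth_prompted"] = True
        elif msg.startswith("xAuth application returned"):
            state["xauth_answered"] = True
        m = re.search(r"reason = (DEL_REASON_\w+)", msg)
        if m and state["reason"] is None:
            state["reason"] = m.group(1)
    return state

def diagnose(state):
    if not state["phase1"]:
        return "phase1-failed"    # group name/pre-shared key or ISAKMP policy did not match
    if state["reason"] == "DEL_REASON_WE_FAILED_AUTH" and state["xauth_answered"]:
        return "xauth-rejected"   # group key was accepted; the user credentials were refused by the AAA path
    return "other-failure" if state["reason"] else "ok"
```

Running `diagnose(triage(SAMPLE_LOG))` on the post's entries yields `xauth-rejected`, so the next place to look is the AAA server at 192.168.46.2 and the shared secret configured for it on the PIX, not the vpngroup password.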