PIX VPN client question

Status
Not open for further replies.

hoinvip

MIS
Nov 16, 2001
156
GB
Hi there,

I have two PIX firewalls now working quite happily with a VPN between them. I have a PIX 515E which is the hub and in future plan more 501's as spokes off of it.

In the meantime, what I want to do is incorporate a number of laptops with the Cisco VPN client so they can access from home etc... Can anyone offer me some advice on this please?

Internal networks for VPN segments are 192.168.1.x and 192.168.10.x

I have tried getting the Cisco VPN client to work but I suspect my configurations of the 515 are wrong.

Thanks in advance,

Peter

My configuration for the 515E is below:

PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password snipped encrypted
passwd snipped encrypted
hostname xxxxx
domain-name xxxxxxxxx.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no names
name 192.168.1.11 xxx02
name 192.168.1.13 xxx03
name 192.168.1.10 xxx01
access-list external permit tcp any host 62.xx.xx.xx4 eq smtp
access-list external permit tcp any host 62.xx.xx.xx5 eq xxxxx
access-list external permit udp any host 62.xx.xx.xx5 eq xxxxx
access-list external permit udp any host 62.xx.xx.xx4 eq xxxxx
access-list external permit tcp any host 62.xx.xx.xx4 eq xxxxx
access-list external permit tcp any host 62.xx.xx.xx6 eq xxxxx
access-list external permit udp any host 62.xx.xx.xx6 eq xxxxx
access-list external permit tcp any host 62.xx.xx.xx6 eq xxxx
access-list external permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging console notifications
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 62.xx.xx.xx2 255.255.255.xxx
ip address inside 192.168.1.211 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 192.168.1.11 255.255.255.255 inside
pdm location 192.168.1.210 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list external
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 62.xx.xx.xx4 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 62.xx.xx.xx5 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 62.xx.xx.xx6 192.168.1.13 netmask 255.255.255.255 0 0
access-group external in interface outside
route outside 0.0.0.0 0.0.0.0 62.xx.xx.xx3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.210 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set 111111 esp-3des esp-md5-hmac
crypto map 2222222 1 ipsec-isakmp
crypto map 2222222 1 match address external
crypto map 2222222 1 set peer 62.yy.yyy.yy6
crypto map 2222222 1 set transform-set 111111
crypto map 2222222 interface outside
isakmp enable outside
isakmp key ******** address 62.yy.yyy.yy6 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:snipped


 
Peter,

You need to add the vpngroup commands along with a few other.
This is additional to your current config.


! The VPN client password is VPNGroupName here so
! change it to whatever suits you, but change it in
! all of these lines.
vpngroup VPNGroupName address-pool vpnpool
vpngroup VPNGroupName dns-server x.x.x.x
vpngroup VPNGroupName wins-server x.x.x.x
vpngroup VPNGroupName default-domain mydomain.com
vpngroup VPNGroupName idle-time 1800
vpngroup VPNGroupName password donttell

! This is the address pool from which
! the dial in client will get their address.
ip local pool vpnpool 10.1.1.1-10.1.1.200

crypto ipsec transform-set dialinvpn esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set dialinvpn
crypto map dialmap 10 ipsec-isakmp dynamic dynmap
crypto map dialmap interface outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

I think that should work,
Paul.
 
Hi Paul,

Thanks for the help on this one! I have a couple of questions for you though:

1. Are these settings going to affect my existing VPN configuration? Or, am I right in thinking that you can have multiple VPN tunnels / crypto maps?

2. You've said to use an address pool based on the 10.1.1.x range - is this correct? We're using 192.168.x.x on our network here.

Finally, do I use VPNGroupName as my login ID on the cisco vpn client software?

Thanks again,

Peter

 
Hi Peter,

Correct on all counts.

The "VPNGroupName" and "10.1.1.x" are only there as placeholders. You can change them to whatever suits you best. Just so long as you don't use subnets that overlap with something else, obviously! But that hardly needs saying ...

All the best,
Paul.
 
Great stuff - thanks!

I'll give it a go and let you know how it goes.

Cheers,
Peter

 
Paul,

Actually - another couple of questions have sprung to mind...

1. I assume I can use 3des for this? We have it enabled on the firewall....

2. I would like to use a completely separate ip range for the VPN clients, say 192.168.5.1-192.168.5.250 - would this be o.k. with the firewall or would I need additional config steps?

Thanks,

Peter
hoinvip@hotmail.com
 
You can use any IP range you like as long as it doesn't conflict with the inside network subnet, so 192.168.5.x would be fine; the PIX will route to your 192.168.x.x network.

For 3DES, you need to change

crypto ipsec transform-set dialinvpn esp-des esp-md5-hmac

to

crypto ipsec transform-set dialinvpn esp-3des esp-md5-hmac
 
Paul / Ecowarrior,

Thanks for the assistance, I now have a VPN connection to my network from my laptop. Maybe I'm being dumb here but how do I now go about getting access to my network resources? I have enabled the check box for "Allow local LAN access" on my VPN dialer but despite that, the status is still "disabled".

I appear to have leased an IP Address of 192.168.9.1 according to the status page, but don't seem to be able to ping anything etc... I know I'm probably overlooking something really simple but I don't seem to be able to spot it!

Thanks in advance,

Peter.
 
Peter,

Don't worry about the "disabled"; it always says that. A bug, I suppose. Anyway, that's for accessing the LAN local to your laptop. Which begs the question: are you dialling into an ISP and then kicking off the VPN client, or experimenting from your LAN?

As regards the ping problem, we've noticed a considerable lag between getting a VPN connection and being able to ping anything. 30 seconds or more!!

Let it sit there for a minute with a "ping -t" going to one of your servers. Also, try it with the "allow local LAN access" on and again with it off to rule that out.

One last check is to make sure the target device has an explicit or a default route that would tell it that your VPN subnet is via the PIX. (Just tracert from it to 192.168.9.1 and see if it tries to go via the PIX.)

We'll get it sorted eventually :)
Paul.
 
Paul,

Thanks again for the help!

For info, I am currently sitting at home dialled into my ISP and attempting to access the firewall remotely from here.

I tried a ping -t as suggested in both LAN access modes but no joy I'm afraid.

I'm running a personal firewall on this laptop and did enable access for this app through it but don't know if it will affect things. I've tried disabling this as well but it doesn't seem to make any difference.

When you talk about a target device, are you referring to a server or the remote PIX? Ecowarrior's comment above kind of implies that the PIX will route things accordingly - is that correct?

Cheers,

Peter.
 
Hi Peter,

I meant the server itself. The PIX will install a route once a VPN connection establishes, but only for itself. It won't advertise the route to anyone else, so your server will have to know that it needs to send packets for 192.168.9.x to the PIX.

Other than that it should work.
I forgot to ask earlier if the Cisco VPN client was the latest (3.5.1, I think).

I'm just leaving for the day and won't be back until Monday. If you're not up and running by then, send me your full config and I'll see if I can get it working on my PIX here.

Paul.
 
Nope, tried everything you've said but still nothing.

I can't ping any of my servers behind the firewall and, as far as I can tell by running IPCONFIG on my laptop, my DNS and WINS servers have been set to use the servers on my network, but my IP address and gateway are still the ones allocated by my ISP....

I can't ping or trace to my laptop from the firewall or any of the boxes behind it either. I can ping the internet facing IP address of the pix when I have the client connected but that's about it.

I was running version 3.6 of the client but have since downloaded 3.5.3 to try that instead but no difference.

My servers all have the PIX internal interface address set as their default gateway - it's a small network and everything is on a single subnet in the office so it all routes via the PIX - is that right?

Thanks,

Peter

 
Hi Peter,

Try using a VPN access list; below is an example.
172.26.10.0 is the VPN ip local pool address range.

access-list acl-vpn-int permit ip int-net 255.255.255.0 172.26.10.0 255.255.255.0
access-list acl-vpn-dmz permit ip dmz-net 255.255.255.0 172.26.10.0 255.255.255.0

nat (inside) 0 access-list acl-vpn-int
nat (dmz) 0 access-list acl-vpn-dmz

good luck
 
O.k, now I'm confused... ;0)

Why do I need a VPN access list? I thought that the "sysopt connection permit-ipsec" did everything I need?

I am already running an access-list for non-VPN traffic and also have NAT enabled as well. Won't this impact on my existing connections??

Thanks in advance,

Peter
 
O.k., actually I set the client up on another PC over the weekend using a broadband cable link and got the same (limited) results - it leases an address 192.168.9.2 but cannot ping anything behind my firewall on 192.168.1.x. I also then connected my laptop to my ISP and leased 192.168.9.1 at the same time and could not ping the other PC which was also connected.

I think that the problem lies with my PIX515 but the config looks fine to me....
 
Hi guys,

I'm still having problems with this one - have double checked my config and it all looks fine to me. But, still nothing more happening when I fire up my VPN client. The client is leasing a dynamic address from the correct pool and authenticates to the 515E but I can't see anything inside my main network, PINGs and Tracert's just time out....

Thanks in advance for any help you can offer....

Cheers,

Pete
 
You are having an internal resolution problem.
What version of PIX software are you using?
This is what your VPN config should look like:

access-list VPN permit ip x.x.x.x 255.255.0.0 172.x.x.x 255.255.255.0

ip local pool agpool 172.x.x.x-172.x.x.x

nat (inside) 0 access-list VPN

sysopt connection permit-ipsec
no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

vpngroup vpn address-pool agpool
vpngroup vpn dns-server x.x.x.x
vpngroup vpn wins-server x.x.x.x
vpngroup vpn default-domain xxx.com
vpngroup vpn idle-time 1800
vpngroup vpn password xxxxxx
vpngroup vpn split-tunnel VPN
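The two replies that add a nat 0 access-list for the client pool are the part of this thread worth checking carefully. `sysopt connection permit-ipsec` lets decrypted IPsec traffic bypass the outside interface access-list, but it does nothing about NAT: in the original config `nat (inside) 0 access-list external` only exempts traffic to 192.168.10.0/24, so a reply from a 192.168.1.x server to a client in 192.168.9.x falls through to `nat (inside) 1 0.0.0.0 0.0.0.0` and is PATed to the outside address instead of entering the tunnel, which matches the "leases an address but cannot ping anything" symptom. The Python below is an added example, not code from the thread or from Cisco: it parses two constructed config fragments written in the thread's own syntax and models that decision, and it includes the pool-overlap check Paul mentions when choosing a client range. The `nonat` ACL name, the 192.168.9.0/24 pool (the range the client reported leasing from) and the sample addresses are assumptions.

```python
import ipaddress

# Added example, not code from the thread or from Cisco. It models how a PIX
# 6.x decides whether inside-originated traffic is exempted from NAT by
# "nat (inside) 0 access-list NAME" or falls through to the numbered
# "nat (inside) 1 0.0.0.0 0.0.0.0" rule (PAT via "global (outside) 1 interface").
# Assumptions: one nat 0 ACL per interface, exemption checked before numbered
# nat rules, and a client pool of 192.168.9.0/24 (the range the client reported).

# Constructed from the poster's config: the nat 0 ACL only covers the
# LAN-to-LAN remote network, not the VPN client pool.
ORIGINAL_CONFIG = """
access-list external permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list external
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# Constructed fix: a dedicated no-NAT ACL ("nonat" is an assumed name) listing
# both the remote LAN and the client pool, following the replies that suggest
# a separate access-list for nat 0.
FIXED_CONFIG = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""


def _net(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'NET MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect 'permit ip' ACL entries, the nat 0 ACL name and numbered nat rules."""
    cfg = {"acls": {}, "nat0": None, "dynamic": []}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _net(t, 4)
            dst, _ = _net(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"] = t[4]  # last one wins: one nat 0 ACL per interface (assumption)
        elif t[0] == "nat" and t[2] != "0":
            cfg["dynamic"].append((int(t[2]), _net(t, 3)[0]))
    return cfg


def nat_decision(cfg, src, dst):
    """Return 'exempt' (packet keeps its inside address and can enter the tunnel),
    'pat:N' (translated by numbered nat rule N) or 'no-match'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in cfg["acls"].get(cfg["nat0"], []):
        if s in src_net and d in dst_net:
            return "exempt"
    for nat_id, local_net in cfg["dynamic"]:
        if s in local_net:
            return f"pat:{nat_id}"
    return "no-match"


def pool_overlaps(pool_range, existing_nets):
    """True if an 'ip local pool' range A-B overlaps any existing subnet."""
    first, last = (ipaddress.ip_address(x) for x in pool_range.split("-"))
    pool_nets = ipaddress.summarize_address_range(first, last)
    existing = [ipaddress.ip_network(n, strict=False) for n in existing_nets]
    return any(p.overlaps(e) for p in pool_nets for e in existing)


if __name__ == "__main__":
    inside_host, client = "192.168.1.10", "192.168.9.1"
    for label, text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        cfg = parse_config(text)
        print(f"{label}: {inside_host} -> {client}: {nat_decision(cfg, inside_host, client)}")
    print("pool 192.168.5.1-192.168.5.250 overlaps inside/remote LANs:",
          pool_overlaps("192.168.5.1-192.168.5.250", ["192.168.1.0/24", "192.168.10.0/24"]))
```

Running the file prints `pat:1` for the original fragment and `exempt` for the fixed one. The model deliberately ignores the crypto map; one point the thread does not raise is that an interface carries only one crypto map set, so `crypto map dialmap interface outside` would displace the existing map 2222222 rather than sit beside it, and the dynamic entry is normally added to the existing map under a higher sequence number instead.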
 