
VPN Access with New PIX ASDM 5.0


rangerman

Technical User
Apr 7, 2004
33
GB

We have upgraded our PIX to the latest ASDM 5.0 and since this we are having issues with VPN via Cisco ACS ver 3.*

I can get in along with other power user types at level 15 privilege, but ordinary users cannot get in.

I have looked into the logs on the PIX and I get various errors.

1st part of the log on the PIX

Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3|Nov 13 2006 16:16:29|713902: Group = VPN_2, Username = hossi, IP = 81.*.*.*, Removing peer from correlator table failed, no match!
3|Nov 13 2006 16:16:29|713902: Group = VPN_2, Username = hossi, IP = 81.*.*.*, QM FSM error (P2 struct &0x1e8f508, mess id 0x221b539f)!

2. AAA user authorization Rejected : reason = Invalid password : server = 10.20.*.* : user = hossi

3. AAA user authentication Successful : server = 10.20.*.* : user = hossi

But he is a valid user and is able to login via AD!!

I have tried new users and old users, but no joy.

Any ideas ??

Thanks Steve

 
Can you post your config?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent

Thanks for having a look, driving me nuts!!


User Access Verification

Username: road
Password: *****
Type help or '?' for a list of available commands.
PIX-1> en
Password: *****
PIX-1# sh run
: Saved
:
PIX Version 7.0(6)
!
hostname PIX-1
domain-name cart.co.uk
enable password LYx7Yy1bS5jFHsXQ encrypted
names
name 10.0.0.0 Ten-Internal
name *.*.*.* OWA
name *.*.*.* eu
name *.*.*.* Server
dns-guard
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address *.*.*.* 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address *.*.*.* 255.255.255.0
!
interface Ethernet2
nameif DMZ
security-level 50
no ip address
!
passwd LYx7Yy1bS5jFHsXQ encrypted
boot system flash:/image.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
access-list inside_access_in extended permit ip 192.0.0.0 255.0.0.0 any
access-list inside_access_in extended permit ip Ten-Internal 255.0.0.0 any
access-list inside_access_in extended permit ip 194.74.34.0 255.255.255.0 any
access-list outside_access_in extended permit ip host eur host *.*.*.*32
access-list outside_access_in extended permit ip host eur host *.*.*.*31
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in remark inbound owa
access-list outside_access_in extended permit tcp any host 194.70.242.131 eq https
access-list inside_outbound_nat0_acl extended permit ip 192.10.200.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.10.200.0 255.255.255.0 host 80.176.0.98
access-list inside_outbound_nat0_acl extended permit ip 10.20.0.0 255.255.0.0 192.168.40.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.20.0.0 255.255.0.0 host 80.176.0.98
access-list inside_outbound_nat0_acl extended permit ip any 10.1.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip any 10.1.2.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.10.200.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list outside_cryptomap_20 extended permit tcp 192.10.200.0 255.255.255.0 host 80.176.0.98 eq telnet
access-list outside_cryptomap_20 extended permit ip 10.20.0.0 255.255.0.0 192.168.40.0 255.255.255.0
access-list outside_cryptomap_20 extended permit tcp 10.20.0.0 255.255.0.0 host 80.176.0.98 eq telnet
access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.1.0 255.255.255.0
access-list outside_cryptomap_dyn_40 extended permit ip any 10.1.1.0 255.255.255.0
access-list outside_cryptomap_dyn_60 extended permit ip any 10.1.2.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging device-id hostname
logging host inside 10.20.100.31
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool VPN_Pool2 10.1.2.1-10.1.2.254
ip verify reverse-path interface outside
asdm image flash:/asdm-506.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 2 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 192.168.3.1 255.255.255.255
nat (inside) 0 192.168.101.0 255.255.255.0
nat (inside) 2 Ten-Internal 255.0.0.0
nat (inside) 2 192.0.0.0 255.0.0.0
static (inside,outside) 194.70.242.131 OWA netmask 255.255.255.255
static (inside,outside) 194.70.242.132 ISAServer netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 194.70.242.129 1
route inside 192.168.100.0 255.255.255.0 Server 1
route inside 192.168.3.1 255.255.255.255 Server 1
route inside 192.168.2.0 255.255.255.0 Server 1
route inside 192.10.200.0 255.255.255.0 Server 1
route inside 192.9.200.0 255.255.255.0 Server 1
route inside 10.20.0.0 255.255.0.0 Server 1
route inside Ten-Internal 255.0.0.0 Server 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host 10.20.1.2
key steve
aaa-server TACACS+ host 192.10.200.16
key steve
aaa-server RADIUS protocol radius
aaa-server RADIUSVPN protocol radius
aaa-server RADIUSVPN host 10.20.1.2
key steve
aaa-server RADIUSVPN host 192.10.200.16
key steve
group-policy VPN_2 internal
group-policy VPN_2 attributes
wins-server value 192.10.200.1 10.20.100.17
dns-server value 192.10.200.1 10.20.100.17
vpn-idle-timeout 30
default-domain value uk.k.net
username eurodata password *.*.*.* encrypted privilege 15
username administrator password *.*.*.* encrypted privilege 15
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa accounting enable console RADIUSVPN
http server enable
http eur *.*.*.* outside
http 192.10.200.71 255.255.255.255 inside
http 10.20.0.0 255.255.0.0 inside
http 192.10.200.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 inside
http 192.168.50.1 255.255.255.255 inside
http 194.74.34.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 80.176.0.98
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) RADIUSVPN
tunnel-group 80.176.0.98 type ipsec-l2l
tunnel-group 80.176.0.98 ipsec-attributes
pre-shared-key *
tunnel-group VPN_2 type ipsec-ra
tunnel-group VPN_2 general-attributes
address-pool (outside) VPN_Pool2
address-pool VPN_Pool2
authentication-server-group RADIUSVPN
authentication-server-group (outside) RADIUSVPN
authorization-server-group RADIUSVPN
accounting-server-group RADIUSVPN
default-group-policy VPN_2
tunnel-group VPN_2 ipsec-attributes
pre-shared-key *
telnet 80.176.0.98 255.255.255.255 outside
telnet eur 255.255.255.255 outside
telnet 10.20.0.0 255.255.0.0 inside
telnet 192.168.40.0 255.255.255.0 inside
telnet 192.10.200.0 255.255.255.0 inside
telnet 194.74.34.0 255.255.255.0 inside
telnet timeout 20
ssh 80.176.0.98 255.255.255.255 outside
ssh eur 255.255.255.255 outside
ssh 81.137.240.92 255.255.255.255 outside
ssh 192.168.40.0 255.255.255.0 inside
ssh timeout 20
ssh version 1
console timeout 0
management-access inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
ntp server *.*.*.* source inside prefer
Cryptochecksum:d05d811989fdd7b4b81283766c6ac76b
: end
PIX-1#
 
Bunch of questions -
but just to clarify - you have the PIX doing AAA to an ACS box and then the AAA box is using an Active Directory db.
1. How is the topology laid out? (AD, AAA, PIX, LANs)
2. Do the l2l vpn's work?

You can go to the VPN client and
select Log > Log settings and set them to the highest so that you can see what is happening on the client's end.

I am not sure how this worked before. There are some strange settings in there. Is the upgrade the only thing that was changed?



Brent
Systems Engineer / Consultant
CCNP, CCSP
 

Yes.
The pix doing AAA to an ACS box and then the AAA box is using an Active Directory db.

PIX, then AAA then AD - As far as I am aware

The user logs in and gets authenticated via the pix and then checks to see if in ACS and then goes to AD to see if they have remote access in.

Do the l2l vpn's work ? Not sure what you mean here

I have level 15 and I can get in but not a level 2 person.

I have done a logging on the VPN and

THIS IS THE LOG

Cisco Systems VPN Client Version 4.8.01.0300
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

143 10:22:55.506 11/17/06 Sev=Info/4 CM/0x63100002
Begin connection process

144 10:22:55.516 11/17/06 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

145 10:22:55.526 11/17/06 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

146 10:22:55.526 11/17/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "194.*.*.*"

147 10:23:07.543 11/17/06 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 194.*.*.*

148 10:23:07.553 11/17/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 194.*.*.*

149 10:23:07.553 11/17/06 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

150 10:23:07.553 11/17/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

151 10:23:07.553 11/17/06 Sev=Info/6 IPSEC/0x6370002C
Sent 160 packets, 0 were fragmented.

152 10:23:07.723 11/17/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 194.*.*.*

153 10:23:07.723 11/17/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 194.*.*.*

That's it !!!

I am not a PIX fan so the weird lines will have to stay there as I do not know!!!

Thanks again
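The PIX lines in the first post and the client log above describe one login from two sides, and the useful question is which stage fails first in protocol order: Phase 1, Xauth, authorization, mode-config, Phase 2. A tunnel-group with an authorization-server-group makes the PIX send a separate RADIUS request after Xauth succeeds, so "authentication Successful" followed by "authorization Rejected" for the same user are two different requests, and a reject on the second one tears the session down before Phase 2 can complete. The triage script below is an added example, not code from the thread, Cisco or ACS: it re-types the quoted PIX syslog lines and VPN Client log records as constructed samples (masked addresses kept as posted), tags each recognised line with a stage, and reports the earliest failure. The pattern set is limited to the message shapes that appear in this thread plus their success/reject counterparts, and the stage ordering is the script's assumption about how the PIX sequences a remote-access login.

```python
import re

# Constructed sample: the PIX syslog lines and the Cisco VPN Client log lines
# quoted in this thread, re-typed here (masked addresses kept as posted) so the
# script runs offline. Nothing else is taken from a real device.
PIX_LOG = """\
3|Nov 13 2006 16:16:29|713902: Group = VPN_2, Username = hossi, IP = 81.*.*.*, Removing peer from correlator table failed, no match!
3|Nov 13 2006 16:16:29|713902: Group = VPN_2, Username = hossi, IP = 81.*.*.*, QM FSM error (P2 struct &0x1e8f508, mess id 0x221b539f)!
AAA user authorization Rejected : reason = Invalid password : server = 10.20.*.* : user = hossi
AAA user authentication Successful : server = 10.20.*.* : user = hossi
Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
"""

CLIENT_LOG = """\
147 10:23:07.543 11/17/06 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 194.*.*.*

148 10:23:07.553 11/17/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 194.*.*.*

153 10:23:07.723 11/17/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 194.*.*.*
"""

# Stages of an IPsec remote-access login in the order the PIX works through them (assumed order).
STAGE_ORDER = ["PHASE1", "XAUTH", "AUTHZ", "MODECFG", "PHASE2"]

# (stage, outcome, regex) for the PIX message shapes that matter here.
PIX_PATTERNS = [
    ("XAUTH", "ok", re.compile(r"AAA user authentication Successful .* user = (?P<user>\S+)")),
    ("XAUTH", "fail", re.compile(r"AAA user authentication Rejected : reason = (?P<detail>.+?) : .* user = (?P<user>\S+)")),
    ("AUTHZ", "ok", re.compile(r"AAA user authorization Successful .* user = (?P<user>\S+)")),
    ("AUTHZ", "fail", re.compile(r"AAA user authorization Rejected : reason = (?P<detail>.+?) : .* user = (?P<user>\S+)")),
    ("PHASE2", "fail", re.compile(r"713902: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = [^,]+, (?P<detail>.+)")),
    ("PHASE2", "fail", re.compile(r"Session disconnected\..*Reason: (?P<detail>crypto map policy not found)")),
]


def triage_pix(text):
    """Tag each recognised PIX line with stage/outcome/user/detail; other lines are ignored."""
    events = []
    for line in text.splitlines():
        for stage, outcome, rx in PIX_PATTERNS:
            m = rx.search(line)
            if m:
                g = m.groupdict()
                events.append({"stage": stage, "outcome": outcome,
                               "user": g.get("user"), "detail": (g.get("detail") or "").strip()})
                break
    return events


def first_failure(events):
    """The earliest failing stage in protocol order; later errors are usually consequences of it."""
    fails = [e for e in events if e["outcome"] == "fail"]
    return min(fails, key=lambda e: STAGE_ORDER.index(e["stage"])) if fails else None


# VPN Client records are two lines: "<seq> <time> <date> Sev=<level>/<n> <component>/0x<code>" then the message.
CLIENT_HDR = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>\S+)\s+Sev=(?P<sev>\w+/\d)\s+(?P<comp>\w+)/0x(?P<code>[0-9A-Fa-f]+)$")
EXCHANGES = {"AG": "aggressive mode (phase 1)", "MM": "main mode (phase 1)",
             "TRANS": "transaction (Xauth / mode-config)", "QM": "quick mode (phase 2)",
             "INFO": "informational"}


def parse_client_log(text):
    """Pair each client log header with the message line that follows it."""
    records, hdr = [], None
    for line in text.splitlines():
        m = CLIENT_HDR.match(line.strip())
        if m:
            hdr = m.groupdict()
        elif hdr and line.strip():
            records.append({**hdr, "msg": line.strip()})
            hdr = None
    return records


def last_ike_step(records):
    """(direction, exchange) of the last ISAKMP message the client logged, or None."""
    ike = [r["msg"] for r in records if r["comp"] == "IKE" and "ISAKMP OAK" in r["msg"]]
    if not ike:
        return None
    direction = "sent" if ike[-1].startswith("SENDING") else "received"
    return direction, re.search(r"ISAKMP OAK (\w+)", ike[-1]).group(1)


if __name__ == "__main__":
    events = triage_pix(PIX_LOG)
    for e in events:
        print(f"{e['stage']:7} {e['outcome']:4} user={e['user']} {e['detail']}")
    ff = first_failure(events)
    print("first failure:", ff["stage"], "-", ff["detail"], "for user", ff["user"])
    step = last_ike_step(parse_client_log(CLIENT_LOG))
    print("client side: last ISAKMP message", step[0], "in", EXCHANGES.get(step[1], step[1]))
```

On the sample this reports the authorization reject for hossi as the first failure, ahead of the 713902 and "crypto map policy not found" lines, and shows the client stopping after receiving the aggressive-mode reply. When running it on a real buffer, feed it `show logging` output with `logging buffered debugging` as in the posted config, and treat the earliest failing stage as the one to investigate on the ACS side before reading anything into the Phase 2 noise.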
 