Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN question for brent :)

Status
Not open for further replies.
RRTier3

RRTier3

Technical User
Jun 7, 2006
18
US
Im sure you can answer this... my inside network is 10.25.19.x and my vpn pool is 172.15.38.x. I can log in with cisco vpn client, but i cant get to my shares on the inside network, sounds like a access lists issue, but can u take a look. Also is there anything else in this config that u see i should change ??

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password VKKa1d/R9Lng.i7d encrypted
passwd VKKa1d/R9Lng.i7d encrypted
hostname pix
domain-name mysubnetzone.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host x.x.x.x
access-list outside_in permit tcp any host x.x.x.x eq www
access-list VPN_splitTunnelAcl permit ip interface inside any
access-list inside_outbound_nat0_acl permit ip interface inside 172.15.38.96 255
.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 172.15.38.96 255.255.255.224
access-list outside_cryptomap_dyn_20 deny ip interface inside 172.15.38.96 255.2
55.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 10.25.19.1 255.255.240.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 172.15.38.100-172.15.38.125
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 10.25.19.2 255.255.255.255 inside
pdm location 10.25.19.0 255.255.255.240 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.25.19.0 255.255.255.240 0 0
static (inside,outside) tcp x.x.x.x 255.255.255.2
55 0 0
static (inside,outside) tcp x.x.x.x ftp 10.25.19.2 ftp netmask 255.255.255.2
55 0 0
static (inside,outside) tcp x.x.x.x 3389 10.25.19.2 3389 netmask 255.255.255
.255 0 0
static (inside,outside) tcp x.x.x.x ftp-data 10.25.19.2 ftp-data netmask 255
.255.255.255 0 0
static (inside,outside) tcp x.x.x.x smtp 10.25.19.2 smtp netmask 255.255.255
.255 0 0
static (inside,outside) tcp x.x.x.x pop3 10.25.19.2 pop3 netmask 255.255.255
.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.25.19.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN address-pool VPN
vpngroup VPN split-tunnel VPN_splitTunnelAcl
vpngroup VPN idle-time 1800
vpngroup VPN password ********
telnet 10.25.19.0 255.255.255.240 inside
telnet timeout 5
ssh timeout 5
console timeout 30
vpdn group VPN accept dialin pptp
vpdn group VPN ppp authentication mschap
vpdn group VPN ppp encryption mppe 128 required
vpdn group VPN client configuration address local VPN
vpdn group VPN pptp echo 60
vpdn group VPN client authentication local
vpdn username ruben password *********
vpdn username jason password *********
vpdn username thisisalex02 password *********
vpdn enable outside
dhcpd address 10.25.19.3-10.25.19.14 inside
dhcpd dns x.x.x.x
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username thisisalex02 password 5RXdwS/M0QcGzTbj encrypted privilege 15
terminal width 80
Cryptochecksum:cffb1997e55a61b2b4985fbd1f524450
: end
[OK]
pix#
 
Sort by date Sort by votes
pix(config)# access-list nonat permit ip 10.25.19.0 255.255.255.240 172.15.0.0 255.255.0.0 nat (inside) 0 access-list nonat
ERROR: extra command argument(s)
Usage: [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> object-group-search
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
<protocol>|object-group <protocol_obj_grp_id>
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
pix(config)#
 
Upvote 0 Downvote
Wow, called out by name - I'm flattered. Community is what makes this board so great and there are others with far more experience than me but I am glad to take a stab.

I'll go on the assumption that you are concerned with the ipsec and not the pptp -
Take out
access-list outside_cryptomap_dyn_20 deny ip interface inside 172.15.38.96 255.255.255.224
and
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20 (I am betting this is the major cause)
and the split tunnel for now - until we have traffic passing and then add that part back in.

Add in
vpngroup VPN dns-server [IP] (so you can have hostname resolution)
vpngroup VPN wins-server [IP] (so you can have hostname resolution for netbios dependent apps)

I would change your VPN ip pool to a private address scheme
ip local pool VPN 172.16.38.100-172.16.38.125
then change
access-list inside_outbound_nat0_acl permit ip interface inside 172.16.38.96 255.255.255.224
to
access-list inside_outbound_nat0_acl permit ip 10.25.16.0 255.255.240.0 172.16.38.96 255.255.255.224

Give those a try and fire it back up.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Also,
I just noticed this -
ip address inside 10.25.19.1 255.255.240.0
did you mean this or
ip address inside 10.25.19.1 255.255.255.240 (it is flipped in a few cases during the config)
If the later that changes that last access-list to
access-list inside_outbound_nat0_acl permit ip 10.25.19.0 255.255.255.240 172.16.38.96 255.255.255.224


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Thanks for the reply dude.. i tried those steps, but still nada.. what else u think it might be ?


pix(config)# wr term
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password VKKa1d/R9Lng.i7d encrypted
passwd VKKa1d/R9Lng.i7d encrypted
hostname pix
domain-name mysubnetzone.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host x.x.x.x
access-list outside_in permit tcp any host x.x.x.x eq www
access-list VPN_splitTunnelAcl permit ip interface inside any
access-list inside_outbound_nat0_acl permit ip interface inside 172.15.38.96 255
.255.255.224
access-list inside_outbound_nat0_acl permit ip 10.25.16.0 255.255.240.0 172.16.3
8.96 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 10.25.16.0 255.255.255.240 172.16
.38.96 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 172.15.38.96 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 10.25.19.1 255.255.255.240
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool SubnetZone 172.16.38.100-172.16.38.125 mask 255.255.255.224
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 10.25.19.2 255.255.255.255 inside
pdm location 10.25.19.0 255.255.255.240 inside
pdm location 10.25.19.3 255.255.255.255 inside
pdm location 172.15.38.96 255.255.255.224 outside
pdm location 10.25.16.0 255.255.255.240 inside
pdm location 10.25.16.0 255.255.240.0 inside
pdm location 172.16.38.96 255.255.255.224 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.25.19.0 255.255.255.240 0 0
static (inside,outside) tcp x.x.x.x 255.255.255.2
55 0 0
static (inside,outside) tcp x.x.x.x ftp 10.25.19.2 ftp netmask 255.255.255.2
55 0 0
static (inside,outside) tcp x.x.x.x 3389 10.25.19.2 3389 netmask 255.255.255
.255 0 0
static (inside,outside) tcp x.x.x.xftp-data 10.25.19.2 ftp-data netmask 255
.255.255.255 0 0
static (inside,outside) tcp x.x.x.x smtp 10.25.19.2 smtp netmask 255.255.255
.255 0 0
static (inside,outside) tcp x.x.x.x pop3 10.25.19.2 pop3 netmask 255.255.255
.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 71.42.130.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.25.19.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN address-pool SubnetZone
vpngroup VPN dns-server 24.93.41.125
vpngroup VPN split-tunnel VPN_splitTunnelAcl
vpngroup VPN idle-time 1800
vpngroup VPN password ********
telnet 10.25.19.0 255.255.255.240 inside
telnet timeout 5
ssh timeout 5
console timeout 60
vpdn username ruben password *********
vpdn username jason password *********
vpdn username thisisalex02 password *********
vpdn enable outside
dhcpd address 10.25.19.3-10.25.19.14 inside
dhcpd dns 24.93.41.125
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username thisisalex02 password 5RXdwS/M0QcGzTbj encrypted privilege 15
terminal width 80
Cryptochecksum:5c94f85e7bdbd12e64c1533d654d6988
: end
[OK]
pix(config)#
 
Upvote 0 Downvote
Take these lines out by putting "no " in front of each.
vpngroup VPN split-tunnel VPN_splitTunnelAcl
access-list inside_outbound_nat0_acl permit ip interface inside 172.15.38.96 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 10.25.16.0 255.255.240.0 172.16.38.96 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 10.25.16.0 255.255.255.240 172.16.38.96 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 172.15.38.96 255.255.255.224
access-list VPN_splitTunnelAcl permit ip interface inside any

Now add this line
access-list inside_outbound_nat0_acl permit ip 10.25.19.0 255.255.255.240 172.16.38.96 255.255.255.224


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
I would also add nat-traversal support since the problem you have is related to that command.

isakmap nat-traversal 20
 
Upvote 0 Downvote
Were getting closer !! But still cant ping my 03 server on 10.25.19.x subnet :(

pix(config)# wr term
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password VKKa1d/R9Lng.i7d encrypted
passwd VKKa1d/R9Lng.i7d encrypted
hostname pix
domain-name mysubnetzone.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host 71.42.130.3
access-list outside_in permit tcp any host 71.42.130.3 eq www
access-list inside_outbound_nat0_acl permit ip 10.25.19.0 255.255.255.240 172.16
.38.96 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 71.42.130.3 255.255.255.248
ip address inside 10.25.19.1 255.255.255.240
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 172.15.38.100-172.15.38.125
ip local pool SubnetZone 172.16.38.100-172.16.38.125 mask 255.255.255.224
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 10.25.19.2 255.255.255.255 inside
pdm location 10.25.19.0 255.255.255.240 inside
pdm location 10.25.19.3 255.255.255.255 inside
pdm location 172.15.38.96 255.255.255.224 outside
pdm location 10.25.16.0 255.255.255.240 inside
pdm location 10.25.16.0 255.255.240.0 inside
pdm location 172.16.38.96 255.255.255.224 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.25.19.0 255.255.255.240 0 0
static (inside,outside) tcp 71.42.130.3 255.255.255.2
55 0 0
static (inside,outside) tcp 71.42.130.3 ftp 10.25.19.2 ftp netmask 255.255.255.2
55 0 0
static (inside,outside) tcp 71.42.130.3 3389 10.25.19.2 3389 netmask 255.255.255
.255 0 0
static (inside,outside) tcp 71.42.130.3 ftp-data 10.25.19.2 ftp-data netmask 255
.255.255.255 0 0
static (inside,outside) tcp 71.42.130.3 smtp 10.25.19.2 smtp netmask 255.255.255
.255 0 0
static (inside,outside) tcp 71.42.130.3 pop3 10.25.19.2 pop3 netmask 255.255.255
.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 71.42.130.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.25.19.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN address-pool SubnetZone
vpngroup VPN dns-server 24.93.41.125
vpngroup VPN idle-time 1800
vpngroup VPN password ********
telnet 10.25.19.0 255.255.255.240 inside
telnet timeout 5
ssh timeout 5
console timeout 60
vpdn username ruben password *********
vpdn username jason password *********
vpdn username thisisalex02 password *********
vpdn enable outside
dhcpd address 10.25.19.3-10.25.19.14 inside
dhcpd dns 24.93.41.125
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username thisisalex02 password 5RXdwS/M0QcGzTbj encrypted privilege 15
terminal width 80
Cryptochecksum:5c94f85e7bdbd12e64c1533d654d6988
: end
[OK]
pix(config)#
 
Upvote 0 Downvote
Windows IP Configuration


Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 71.42.130.6
Subnet Mask . . . . . . . . . . . : 255.255.255.248
Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 172.16.38.100
Subnet Mask . . . . . . . . . . . : 255.255.255.224
Default Gateway . . . . . . . . . : 172.16.38.100

C:\Documents and Settings\ALeX_Ocho>ping 10.25.19.2

Pinging 10.25.19.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.25.19.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
 
Upvote 0 Downvote
I cant see that you added nat traversal support. If you try to connect and you are behind a box running nat you need to enable that feature.

I saw that i did a typo...

isakmp nat-traversal 20
 
Upvote 0 Downvote
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400


i added it and still same result. Hmmmmm
 
Upvote 0 Downvote
What do the logs say on the pix and the vpn client?

debug crypto isakmp
debug crypto ipsec

and then try to start a connection.

Be sure to remove these after -
no debug all

Have you tried it from a remote site (not directly outside the pix?)


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote

User Access Verification

Password:
Type help or '?' for a list of available commands.
pix> ena
Password: ********
pix#
crypto_isakmp_process_block:src:71.42.130.6, dest:71.42.130.3 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
crypto_isakmp_process_block:src:71.42.130.6, dest:71.42.130.3 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue eve
t...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 71.42.130.6

ISADB: reaper checking SA 0x10493f4, conn_id = 0
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): recalc my hash for NAT-D
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): recalc his hash for NAT-D
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for 71.42.130.6, peer port 62465
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:71.42.130.6/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:71.42.130.6/500 Ref cnt incremented to:1 Total VPN Pe
rs:1
ISAKMP: peer is a remote access client
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 71.42.130.6. ID = 2034640178 (0x7946253
)
ISAKMP (0): retransmitting Config Mode Request...
)
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:71.42.130.6, dest:71.42.130.3 spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 71.42.130.6. message ID = 1862
8540
ISAKMP: Config payload CFG_ACK
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:71.42.130.6, dest:71.42.130.3 spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 71.42.130.6. message ID = 1862
8540
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP: attribute UNKNOWN (28673)
Unsupported Attr: 28673
ISAKMP: attribute ALT_DEF_DOMAIN (28674)
ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute ALT_SPLITDNS_NAME (28675)
ISAKMP: attribute ALT_PFS (28679)
ISAKMP: attribute UNKNOWN (28683)
Unsupported Attr: 28683
ISAKMP: attribute ALT_BACKUP_SERVERS (28681)
ISAKMP: attribute APPLICATION_VERSION (7)
ISAKMP: attribute UNKNOWN (28680)
Unsupported Attr: 28680
ISAKMP: attribute UNKNOWN (28682)
Unsupported Attr: 28682
ISAKMP: attribute UNKNOWN (28677)
Unsupported Attr: 28677
ISAKMP: attribute UNKNOWN (28678)
Unsupported Attr: 28678
ISAKMP (0:0): responding to peer config from 71.42.130.6. ID = 2691703163
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:71.42.130.6, dest:71.42.130.3 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 967596734

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): transform proposal (prot 3, trans 12, hmac_alg 1) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)
ISAKMP : Checking IPSec proposal 2

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): transform proposal (prot 3, trans 12, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)
ISAKMP : Checking IPSec proposal 3

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): transform proposal (prot 3, trans 12, hmac_alg 1) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (3)
ISAKMP : Checking IPSec proposal 4

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): transform proposal (prot 3, trans 12, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)
ISAKMP : Checking IPSec proposal 5

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): transform proposal (prot 3, trans 12, hmac_alg 1) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 6

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): transform proposal (prot 3, trans 12, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 7

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): transform proposal (prot 3, trans 12, hmac_alg 1) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
crypto_isakmp_process_block:src:71.42.130.6, dest:71.42.130.3 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
inbound SA from 71.42.130.6 to 71.42.130.3 (proxy 172.16.38.10
0 to 0.0.0.0)
has spi 3416152957 and conn_id 1 and flags 4
lifetime of 2147483 seconds
outbound SA from 71.42.130.3 to 71.42.130.6 (proxy 0.0.0
.0 to 172.16.38.100)
has spi 1278150409 and conn_id 2 and flags 4
lifetime of 2147483 secondsIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 71.42.130.3, src= 71.42.130.6,
dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
src_proxy= 172.16.38.100/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 2147483s and 0kb,
spi= 0xcb9e5b7d(3416152957), conn_id= 1, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= 71.42.130.3, dest= 71.42.130.6,
src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
dest_proxy= 172.16.38.100/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 2147483s and 0kb,
spi= 0x4c2f0709(1278150409), conn_id= 2, keysize= 0, flags= 0x4

VPN Peer: IPSEC: Peer ip:71.42.130.6/500 Ref cnt incremented to:2 Total VPN Peer
s:1
VPN Peer: IPSEC: Peer ip:71.42.130.6/500 Ref cnt incremented to:3 Total VPN Peer
s:1
return status is IKMP_NO_ERROR
ISAKMP (0): sending NOTIFY message 11 protocol 3
crypto_isakmp_process_block:src:71.42.130.6, dest:71.42.130.3 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 2652464022
ISAMKP (0): received DPD_R_U_THERE from peer 71.42.130.6
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:71.42.130.6, dest:71.42.130.3 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 538201380
ISAMKP (0): received DPD_R_U_THERE from peer 71.42.130.6
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:71.42.130.6, dest:71.42.130.3 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 145706721
ISAMKP (0): received DPD_R_U_THERE from peer 71.42.130.6
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x10493f4, conn_id = 0
crypto_isakmp_process_block:src:71.42.130.6, dest:71.42.130.3 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 3897961888
ISAMKP (0): received DPD_R_U_THERE from peer 71.42.130.6
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:71.42.130.6, dest:71.42.130.3 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 287105062
ISAMKP (0): received DPD_R_U_THERE from peer 71.42.130.6
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:71.42.130.6, dest:71.42.130.3 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 3603075783
ISAMKP (0): received DPD_R_U_THERE from peer 71.42.130.6
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:71.42.130.6, dest:71.42.130.3 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 1945568105
ISAMKP (0): received DPD_R_U_THERE from peer 71.42.130.6
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
 
Upvote 0 Downvote
i have a /29 at home so i have my pix on one static and from the other static im trying to vpn in. i need to learn more about pix..lol
 
Upvote 0 Downvote
Does the pc have a default gateway set? (Is it the outside address of the pix?)


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
yes it does.. but when i connect to the VPN, the default gateway is not present and i cannot get on the web. Once i disconnect the vpn client, default gateway is back, and i can surf the web.
 
Upvote 0 Downvote
Set the default gateway as the outside pix address and not the router to the internet.
You would not have internet access with the vpn because we took out the split tunnel.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Any software firewalls activated on the pc? Turn it off, even ms builtin and try again.
 
Upvote 0 Downvote
So you want me to statically assign which interface with oustide pix ip?? I want to use split tunnel, and i want ip info to be automatic. What do u all think we need to add?? There are no firewalls on the client pc's. :(
 
Upvote 0 Downvote
Connect the vpn and check the log from the vpn client. Also, do a route print and see if the routes are on the client.

If you are using ping for your test you should also add
fixup proto icmp error


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
653
Johnkite
Johnkite
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
651
intel233
intel233
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
798
Shmid
Shmid
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
181
WhosYourDiffie
WhosYourDiffie
XLNTech1
  • Locked
  • Question
iptables port forwarding
Replies
0
Views
588
XLNTech1
XLNTech1

Part and Inventory Search

Sponsor

Back
Top