PIX 501 client VPN

Hi guys,

I have configured Client VPN with the following configuration:

PIX501(config)# wr term
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password A2T0eYk/M7TyzGXX encrypted
passwd A2T0eYk/M7TyzGXX encrypted
domain-name ins-sa.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 102 permit ip 172.16.32.0 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console debugging
logging monitor debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 172.16.32.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 172.16.10.100-172.16.10.150
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
access-group 101 in interface outside
route inside 10.10.10.0 255.255.255.0 172.16.32.254 1
route inside 192.168.0.0 255.255.255.0 172.16.32.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set insset esp-des esp-md5-hmac
crypto dynamic-map insmap 10 set transform-set insset
crypto map mymap 10 ipsec-isakmp dynamic insmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup INSVPN address-pool VPNPOOL
vpngroup INSVPN dns-server 4.2.2.2 63.203.35.55
vpngroup INSVPN default-domain ins-sa.com
vpngroup INSVPN idle-time 2800
vpngroup INSVPN password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 172.16.32.254 255.255.255.255 inside
ssh timeout 30
vpdn group ISP request dialout pppoe
vpdn group ISP localname snipped-for-privacy@512.awalnet.net.sa
vpdn group ISP ppp authentication pap
vpdn username ************************** password ********* store-local
username **************** password ****************
terminal width 80
: end
[OK]

***********************************************************************************************

I received the following debug:

crypto_isakmp_process_block: src 77.30.202.109, dest 86.60.106.180
VPN Peer: ISAKMP: Added new peer: ip:77.30.202.109 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:77.30.202.109 Ref cnt incremented to:1 Total VPN Peers:1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
crypto_isakmp_process_block: src 77.30.202.109, dest 86.60.106.180
VPN Peer: ISAKMP: Peer ip:77.30.202.109 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:77.30.202.109 Ref cnt decremented to:1 Total VPN Peers:1
crypto_isakmp_process_block: src 77.30.202.109, dest 86.60.106.180
VPN Peer: ISAKMP: Peer ip:77.30.202.109 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:77.30.202.109 Ref cnt decremented to:1 Total VPN Peers:1
crypto_isakmp_process_block: src 77.30.202.109, dest 86.60.106.180
VPN Peer: ISAKMP: Peer ip:77.30.202.109 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:77.30.202.109 Ref cnt decremented to:1 Total VPN Peers:1
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
INS-Riyadh-PIX(config)#
INS-Riyadh-PIX(config)#
ISAKMP (0): deleting SA: src 77.30.202.109, dst 86.60.106.180
ISADB: reaper checking SA 0x80a8f2a8, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:77.30.202.109 Ref cnt decremented to:0 Total VPN Peers:1

************************************************************************

Your support is highly appreciated.

Regards, Andy

Reply to
Andy
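In the debug above every transform the client offers is checked against isakmp policy 10 and rejected. As an added example (not code from the thread), this Python snippet parses that debug format together with the isakmp policy lines and reports, per transform, which attributes differ. The sample debug and policy text are constructed from the posted output; IKEv1 encryption attribute value 7 is AES-CBC (RFC 2409 attribute registry), which PIX 6.2 does not implement, hence the "What? 7?".

```python
import re
# IKEv1 phase-1 encryption attribute values (RFC 2409); PIX 6.2 prints "What? 7?" for AES.
IKE_ENC = {1: "des", 5: "3des", 7: "aes"}
# Constructed sample in the shape of the PIX debug: the first offered transform and the last one.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
"""
# Constructed sample: the only phase-1 policy in the posted configuration.
SAMPLE_POLICY = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""

def parse_policies(config):
    """Map each 'isakmp policy <n>' to its {attribute: value} dict."""
    pol = {}
    for n, attr, val in re.findall(
            r"isakmp policy (\d+) (authentication|encryption|hash|group) (\S+)", config):
        pol.setdefault(int(n), {})[attr] = val.lower()
    return pol

def parse_transforms(debug):
    """Map each offered transform number to its {attribute: value} dict."""
    out = {}
    for chunk in re.split(r"Checking ISAKMP transform ", debug)[1:]:
        enc = re.search(r"encryption(?:\.\.\. What\? (\d+)\?| (\S+))", chunk)
        out[int(chunk.split()[0])] = {
            "encryption": IKE_ENC.get(int(enc.group(1)), "unknown") if enc.group(1)
                          else enc.group(2).split("-")[0].lower(),
            "hash": re.search(r"hash (\S+)", chunk).group(1).lower(),
            "group": re.search(r"group (\d+)", chunk).group(1),
            "authentication": "pre-share"}  # XAUTH ("extended auth") rides on a pre-share policy
    return out

def explain_rejections(debug, config):
    """List (attribute, offered, configured) mismatches per (transform, policy) pair."""
    pols, offers = parse_policies(config), parse_transforms(debug)
    return {(t, p): [(a, offers[t][a], pols[p][a]) for a in pols[p]
                     if offers[t][a] != pols[p][a]] for t in offers for p in pols}
```

Run against the full run-together debug and config as posted, the regular expressions work unchanged because they do not depend on line breaks.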

How about

vpngroup INSVPN split-tunnel 102

Reply to
Jyri Korhonen

I had the command added, but removed it later on; in both cases I had the same problem.

Regards, Andy

Reply to
Andy

I upgraded to 6.3 and it is working just fine; I believe the problem had to do with transparency.

I have a routing problem now; I will update you with the config when I finalize.

Regards, Andy

Reply to
Andy

Hi,

I stand corrected, it is not fine; I cannot ping my VPN GW 172.16.10.1 or any other internal IP, I cannot access the internet when I VPN, I am being authenticated with the local database, but do not seem to be able to communicate with anything once the VPN is up.

YOUR SUPPORT IS HIGHLY APPRECIATED

PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password A2T0eYk/M7TyzGXX encrypted
passwd A2T0eYk/M7TyzGXX encrypted
hostname ***********
domain-name ins-sa.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 102 permit ip 172.16.32.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 103 permit ip 172.16.10.0 255.255.255.0 172.16.32.0 255.255.255.0
access-list 103 permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 103 permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 103 permit ip 172.16.10.0 255.255.255.0 10.10.4.0 255.255.255.0
access-list 103 permit ip 172.16.10.0 255.255.255.0 192.168.30.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 172.16.32.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 172.16.10.100-172.16.10.150 mask 255.255.255.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 192.168.30.0 255.255.255.0 0 0
access-group 101 in interface outside
route inside 10.10.10.0 255.255.255.0 172.16.32.254 1
route inside 192.168.0.0 255.255.255.0 172.16.32.254 1
route inside 192.168.30.0 255.255.255.0 172.16.32.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set insset esp-des esp-md5-hmac
crypto dynamic-map insmap 10 set transform-set insset
crypto map mymap 10 ipsec-isakmp dynamic insmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local VPNPOOL outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup INSVPN address-pool VPNPOOL
vpngroup INSVPN dns-server 4.2.2.2 63.203.35.55
vpngroup INSVPN default-domain ins.com
vpngroup INSVPN idle-time 2800
vpngroup INSVPN password ********
vpngroup INSVPN split-tunnel 102
vpngroup INSVPN idle-time 1800
telnet timeout 5
ssh *.*.*.* *.*.*.* outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 172.16.32.254 255.255.255.255 inside
ssh timeout 30
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname *******************
vpdn group ISP ppp authentication pap
vpdn username ***************************** password ********* store-local
username ciscopixuser password WMRF.lopZzw3jTFQ encrypted privilege 2
terminal width 80
Cryptochecksum:d0cd32c4e236061bab07ebbf6ee3600d
: end
Reply to
Andy
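With 6.3 the tunnel comes up but the client reaches nothing inside. As an added check (example code, not from the thread), this Python snippet reads an excerpt of the posted 6.3 configuration and lists every inside network that is neither exempted from NAT toward the client pool by the "nat (inside) 0 access-list" ACL nor present in the split-tunnel ACL; on a PIX 6.x both are required for a client to reach that network. The excerpt values are copied from the configuration above; the function names are my own.

```python
import ipaddress, re
# Constructed excerpt of the PIX 6.3(5) configuration posted above (values as posted).
SAMPLE_CONFIG = """\
access-list 102 permit ip 172.16.32.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 103 permit ip 172.16.10.0 255.255.255.0 172.16.32.0 255.255.255.0
access-list 103 permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0
ip address inside 172.16.32.253 255.255.255.0
ip local pool VPNPOOL 172.16.10.100-172.16.10.150 mask 255.255.255.0
nat (inside) 0 access-list 102
route inside 10.10.10.0 255.255.255.0 172.16.32.254 1
route inside 192.168.0.0 255.255.255.0 172.16.32.254 1
vpngroup INSVPN address-pool VPNPOOL
vpngroup INSVPN split-tunnel 102
"""

def net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def acl_pairs(config, name):
    """(source, destination) networks permitted by 'access-list <name> permit ip'."""
    pat = rf"access-list {name} permit ip (\S+) (\S+) (\S+) (\S+)"
    return [(net(a, am), net(b, bm)) for a, am, b, bm in re.findall(pat, config)]

def internal_networks(config):
    """Directly connected inside subnet plus every 'route inside' destination."""
    a, m = re.search(r"ip address inside (\S+) (\S+)", config).groups()
    routed = re.findall(r"route inside (\S+) (\S+) ", config)
    return [net(a, m)] + [net(x, y) for x, y in routed]

def pool_network(config):
    """Client address pool as a network (6.3 'ip local pool ... mask <m>')."""
    start, mask = re.search(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", config).groups()
    return net(start, mask)

def check_vpn_reachability(config):
    """Inside networks lacking a NAT-0 exemption or split-tunnel entry toward the pool."""
    pool = pool_network(config)
    nat0 = re.search(r"nat \(inside\) 0 access-list (\S+)", config).group(1)
    split = re.search(r"split-tunnel (\S+)", config)
    exempt = acl_pairs(config, nat0)
    tunnelled = acl_pairs(config, split.group(1)) if split else None
    findings = {}
    for n in internal_networks(config):
        covered = any(n.subnet_of(s) and pool.subnet_of(d) for s, d in exempt)
        # The split-tunnel ACL's source side is what the client is told to tunnel.
        in_split = tunnelled is None or any(n.subnet_of(s) for s, _ in tunnelled)
        if not (covered and in_split):
            findings[str(n)] = {"nat0_exempt": covered, "in_split_tunnel": in_split}
    return findings
```

On this excerpt only 172.16.32.0/24 passes; access-list 103 lists the other networks but is applied nowhere, so it does not count.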
