PIX vpn client can't terminal server

Hi gents, I've been fighting two days with this and it seems the PIX is winning this battle. I want to configure a VPN client so that I can join this network from one secondary router, so I had to do static routes and some special things. Now, after cleaning my config a little, the VPN client seems to connect, but I can't terminal server or SSH. Maybe the problem is in the access list, or maybe the isakmp, but I have done lots of changes and none made it work.

So could you please take a look and tell me what I have to allow to achieve this kind of configuration. Thanks, thanks, thanks to you all.

: PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ZlGq2vBPmW8hXSpI encrypted
passwd ZlGq2vBPmW8hXSpI encrypted
hostname pixbcn
domain-name vlsd.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.5.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.5.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.3.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.3.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.6.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.6.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.4.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.4.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.2.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.2.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 host 172.16.1.1
access-list remote_lond_acl permit ip 174.144.1.0 255.255.255.0 174.144.5.0 255.255.255.0
access-list remote_lond_acl permit icmp 174.144.1.0 255.255.255.0 174.144.5.0 255.255.255.0
access-list remote_pose_acl permit ip 174.144.1.0 255.255.255.0 174.144.3.0 255.255.255.0
access-list remote_pose_acl permit icmp 174.144.1.0 255.255.255.0 174.144.3.0 255.255.255.0
access-list remote_posi2_acl permit ip 174.144.1.0 255.255.255.0 174.144.6.0 255.255.255.0
access-list remote_posi2_acl permit icmp 174.144.1.0 255.255.255.0 174.144.6.0 255.255.255.0
access-list remote_gita_acl permit ip 174.144.1.0 255.255.255.0 174.144.4.0 255.255.255.0
access-list remote_gita_acl permit icmp 174.144.1.0 255.255.255.0 174.144.4.0 255.255.255.0
access-list remote_caus_acl permit ip 174.144.1.0 255.255.255.0 174.144.2.0 255.255.255.0
access-list remote_caus_acl permit icmp 174.144.1.0 255.255.255.0 174.144.2.0 255.255.255.0
access-list red_interna permit ip 174.144.1.0 255.255.255.0 any
access-list outside_cryptomap_dyn_21 permit ip any 172.16.1.0 255.255.255.0
access-list split_tunnel_ac permit ip 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list split_tunnel_ac permit icmp 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list split_tunnel_ac permit ip any any
access-list vlsd_tunnel_ac permit ip 174.144.1.0 255.255.255.0 any
access-list vlsd_tunnel_ac permit icmp 174.144.1.0 255.255.255.0 any
access-list vpn2dkm permit ip any any
pager lines 24
logging timestamp
logging trap debugging
logging host inside 174.144.1.26
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 10.200.100.253 255.255.0.0
ip address inside 174.144.1.1 255.255.255.0
ip address intf2 174.144.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpndkm_pool 172.16.1.1
ip local pool vlsd_pool 174.144.1.60
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 174.144.20.0 255.255.255.0 inside
pdm location 10.200.0.0 255.255.0.0 inside
pdm location 174.144.1.50 255.255.255.255 inside
pdm location 174.144.20.20 255.255.255.255 intf2
pdm location 174.144.5.0 255.255.255.0 outside
pdm location 80.38.105.29 255.255.255.255 outside
pdm location 174.144.2.0 255.255.255.0 outside
pdm location 174.144.3.0 255.255.255.0 outside
pdm location 174.144.4.0 255.255.255.0 outside
pdm location 174.144.6.0 255.255.255.0 outside
pdm location 174.144.2.0 255.255.255.0 intf2
pdm location 174.144.3.0 255.255.255.0 intf2
pdm location 174.144.4.0 255.255.255.0 intf2
pdm location 174.144.5.0 255.255.255.0 intf2
pdm location 174.144.6.0 255.255.255.0 intf2
pdm location 174.144.1.26 255.255.255.255 inside
pdm location 172.16.1.0 255.255.255.0 outside
pdm location 62.43.200.194 255.255.255.255 outside
pdm location 80.224.56.90 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (intf2) 1 interface
nat (inside) 0 access-list nonat_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.200.100.250 1
route outside 62.43.200.194 255.255.255.255 10.200.100.190 1
route outside 80.38.105.29 255.255.255.255 10.200.100.190 1
route outside 80.224.56.90 255.255.255.255 10.200.100.190 1
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 2:00:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 2:00:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.200.0.0 255.255.0.0 outside
http 174.144.1.0 255.255.255.0 inside
http 172.16.1.1 255.255.255.255 inside
http 174.144.20.0 255.255.255.0 intf2
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address remote_lond_acl
crypto map newmap 10 set peer 10.201.100.253
crypto map newmap 10 set transform-set myset
crypto map newmap 11 ipsec-isakmp
crypto map newmap 11 match address remote_pose_acl
crypto map newmap 11 set peer 10.202.100.253
crypto map newmap 11 set transform-set myset
crypto map newmap 12 ipsec-isakmp
crypto map newmap 12 match address remote_posi2_acl
crypto map newmap 12 set peer 10.205.100.253
crypto map newmap 12 set transform-set myset
crypto map newmap 13 ipsec-isakmp
crypto map newmap 13 match address remote_gita_acl
crypto map newmap 13 set peer 10.203.100.253
crypto map newmap 13 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address remote_caus_acl
crypto map newmap 20 set peer 80.38.105.29
crypto map newmap 20 set transform-set myset
crypto map newmap 21 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 80.38.105.29 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.201.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.203.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.202.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.205.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup vpndkm address-pool vpndkm_pool
vpngroup vpndkm dns-server 174.144.1.15
vpngroup vpndkm default-domain vlsd.net
vpngroup vpndkm split-tunnel vpn2dkm
vpngroup vpndkm idle-time 1800
vpngroup vpndkm password ********
vpngroup vlsd address-pool vlsd_pool
vpngroup vlsd split-tunnel vlsd_tunnel_ac
vpngroup vlsd idle-time 1800
vpngroup vlsd password ********
telnet timeout 5
ssh 10.200.0.0 255.255.0.0 outside
ssh 172.16.1.1 255.255.255.255 outside
ssh 174.144.1.0 255.255.255.0 inside
ssh 174.144.20.0 255.255.255.0 intf2
ssh timeout 30
console timeout 0
dhcpd address 174.144.1.100-174.144.1.250 inside
dhcpd dns 174.144.1.15 174.144.1.16
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd domain vlsd.net
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:ab2e9ab3f3b0a44b4d0f7a492a5281a4
: end
Reply to
Sako
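One way to check a client-to-inside flow against the PIX 6.3 access-lists posted above, as an added example that is not part of the thread: it parses the netmask-style ACEs into networks, evaluates them top-down like the PIX does, and reports whether an inside host's replies to the client pool address are NAT-exempt (nat (inside) 0) and whether the vpngroup's split-tunnel list covers that inside network. The ACL lines are copied from the config; the function names are my own.

```python
import ipaddress

# Constructed sample: access-list lines copied from the PIX 6.3 config posted in the thread
PIX_ACLS = """
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 host 172.16.1.1
access-list vpn2dkm permit ip any any
access-list vlsd_tunnel_ac permit ip 174.144.1.0 255.255.255.0 any
"""

def _parse_addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, rest)."""
    head = tokens[0]
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if head == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX 6.3 access-lists take a real subnet mask, not an IOS-style wildcard
    return ipaddress.ip_network(f"{head}/{tokens[1]}", strict=False), tokens[2:]

def parse_acls(text):
    """Return {acl_name: [(action, proto, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list":
            continue
        name, action, proto = parts[1], parts[2], parts[3]
        src, rest = _parse_addr(parts[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls

def first_match(acls, name, proto, src_ip, dst_ip):
    """Top-down, first-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, (action, p, src, dst) in enumerate(acls.get(name, [])):
        if p in ("ip", proto) and s in src and d in dst:
            return action, idx
    return "deny", None

def audit_client_flow(acls, split_acl, inside_ip, client_ip, proto="tcp"):
    """Two checks for a pool client reaching an inside host on this config: replies from
    the inside host must be NAT-exempt (nat (inside) 0 access-list nonat_acl), and the
    vpngroup's split-tunnel list must name the inside network so the client tunnels it."""
    return {
        "nat_exempt": first_match(acls, "nonat_acl", proto, inside_ip, client_ip)[0] == "permit",
        "split_tunneled": first_match(acls, split_acl, proto, inside_ip, client_ip)[0] == "permit",
    }
```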

First, can you please clarify if the issue is not being able to access a machine for terminal services (TCP 3389) and SSH (TCP 22), on the network behind pixbcn, from a VPN client connection terminating on pixbcn? If so, which vpngroup are you connecting to?

Also, just curious: why do you have tunnels to devices on a private network, i.e. 10.x.x.x outside addresses?

so I had to do static routes and some special

Reply to
lfnetworking

Sorry, I'll try to explain better. My company has a private virtual network between different cities; in addition to this we use VPN tunnels with Cisco PIX because one of the cities isn't on the other private network, so that's working properly. The main building has 2 routers connected to the internet, so one connects to the virtual network and the other to the internet. To the router connected to the internet we have a route in the PIX, so we can connect via VPN to the other city.

So, the fact is: I want a person, whose public address I know, to connect TCP 3389 or 22 (any) to the inside interface of our PIX, as the other VPN tunnels do. To achieve this I configured a vpngroup, and I configured the VPN client correctly, and it closes the lock (it seems to connect), but I can't do anything to ping / connect 3389 to the inside hosts.

Any way to help me? Thanks

Reply to
Sako

Hey again, glad to see your RA tunnel works now. Are you getting any traffic across the interface? As previously asked, what remote profile are you using, vpndkm or vlsd? I noticed your SSH for 172.16.1.1 is set for the outside interface. There may be some issues with your access list, but you need to see if you're getting traffic out and returned first. To do this, connect the VPN Client. Then right-click on the icon (closed lock on the bottom right) and select "Statistics". Try a ping, surf to an internal web page or anything to see how your traffic counters change. Report back and we can try to help more.

Reply to
DCS

I'm working hard on it! Thanks gents, you give me HOPE! I expect to use the vpndkm because I want the pool to get bigger once I'm sure it works with one host. The other is using a free IP on my network. Unluckily I couldn't surf any internal web page or SSH when it pointed to the inside interface (as you say that it should). The client connects by the same router as

crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address remote_caus_acl

That is working correctly. I've tried to connect to the machine with the VPN client but I lost connection with terminal server... I'll look at the statistics and report them as soon as I can.

I've tried to change the access-list which takes care of 172.16.1.1, but I can't ping from inside to the VPN client or see anything from the inside from the VPN client.

I'll keep working hard a couple of hours to see if I can solve it. Thanks very much indeed.

Reply to
Sako

OK, thanks to your indications, I can see in the statistics: Bytes received: 0; Bytes sent: 20974; Packets encrypted: 135, decrypted: 0, discarded: 77; Encryption DES, authentication HMAC-MD5; Local LAN disabled (I don't know how to enable it yet); Compression none.

So it seems I don't receive any information. I'm not quite sure what this means; I'll try to look at the log, but I report it to you to see if you can help. Thanks

This is the log of one connection:

Cisco Systems VPN Client Version 4.6.00.0045
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

167 11:25:13.011 02/01/06 Sev=Info/4 CM/0x63100002 Begin connection process

168 11:25:13.026 02/01/06 Sev=Info/4 CVPND/0xE3400001 Microsoft IPSec Policy Agent service stopped successfully

169 11:25:13.026 02/01/06 Sev=Info/4 CM/0x63100004 Establish secure connection using Ethernet

170 11:25:13.026 02/01/06 Sev=Info/4 CM/0x63100024 Attempt connection with server "83.175.207.82"

171 11:25:14.026 02/01/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 83.175.207.82

172 11:25:14.026 02/01/06 Sev=Info/4 IPSEC/0x63700008 IPSec driver successfully started

173 11:25:14.026 02/01/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys

174 11:25:14.307 02/01/06 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 83.175.207.82

176 11:25:14.307 02/01/06 Sev=Info/4 IKE/0x63000082 IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4

177 11:25:14.307 02/01/06 Sev=Info/4 CM/0x6310000E Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

178 11:25:14.307 02/01/06 Sev=Info/4 CM/0x6310000E Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

179 11:25:14.323 02/01/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 83.175.207.82

180 11:25:14.417 02/01/06 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK QM *(HASH) to 83.175.207.82

189 11:25:15.120 02/01/06 Sev=Info/4 CM/0x63100034 The Virtual Adapter was enabled: IP=172.16.1.1/255.255.0.0 DNS=192.168.1.15,0.0.0.0 WINS=0.0.0.0,0.0.0.0 Domain=valdisme.net Split DNS Names=

190 11:25:15.229 02/01/06 Sev=Info/4 CM/0x6310001A One secure connection established

191 11:25:15.307 02/01/06 Sev=Info/4 CM/0x63100038 Address watch added for 192.168.3.114. Current address(es): 172.16.1.1, 192.168.3.114.

192 11:25:15.323 02/01/06 Sev=Info/4 CM/0x63100038 Address watch added for 172.16.1.1. Current address(es): 172.16.1.1, 192.168.3.114.

193 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys

194 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x63700010 Created a new key structure

195 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x6370000F Added key with SPI=0x3c962dbc into key list

196 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x63700010 Created a new key structure

197 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x6370000F Added key with SPI=0xe729bba9 into key list

198 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x6370002E Assigned VA private interface addr 172.16.1.1

199 11:25:24.417 02/01/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 83.175.207.82

200 11:25:24.526 02/01/06 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 83.175.207.82

202 11:25:35.573 02/01/06 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 83.175.207.82

204 11:25:46.026 02/01/06 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 83.175.207.82

206 11:26:01.619 02/01/06 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 83.175.207.82

208 11:26:12.932 02/01/06 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 83.175.207.82

210 11:26:23.525 02/01/06 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 83.175.207.82

212 11:26:34.088 02/01/06 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) to 83.175.207.82

216 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x63000048 Discarding IPsec SA negotiation, MsgID=A74DB14B

217 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=1DF97BFDFD3055A6 R_Cookie=4C694B7469F7AC26) reason = DEL_REASON_RESET_SADB

218 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 83.175.207.82

219 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x6300004A Discarding IKE SA negotiation (I_Cookie=1DF97BFDFD3055A6 R_Cookie=4C694B7469F7AC26) reason = DEL_REASON_RESET_SADB

220 11:26:44.103 02/01/06 Sev=Info/4 CM/0x63100013 Phase 1 SA deleted cause by DEL_REASON_RESET_SADB. 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

221 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x63000085 Microsoft IPSec Policy Agent service started successfully

222 11:26:44.119 02/01/06 Sev=Warning/2 CVPND/0xA3400015 Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

223 11:26:45.618 02/01/06 Sev=Info/4 CM/0x63100035 The Virtual Adapter was disabled

224 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x63700013 Delete internal key with SPI=0xe729bba9

225 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x6370000C Key deleted by SPI 0xe729bba9

226 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x63700013 Delete internal key with SPI=0x3c962dbc

227 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x6370000C Key deleted by SPI 0x3c962dbc

228 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys

229 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys

230 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x6370000A IPSec driver successfully stopped

231 11:26:45.634 02/01/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys

Reply to
Sako
