PIX515 RA VPN just not working

Cisco PIX515 with 64MB of RAM, latest PIX and PDM (ASDM 5.22)

This is a PIX in a lab type setup. It will end up being in parallel mode with outside being directly on the Internet and DMZ in my other firewall's DMZ. Connections will terminate in the DMZ, long term. The PIX will not be used as a firewall, per se, but as a RA and Site to Site VPN.

Right now I'm just trying to get it to work. I have followed formatting link more times than I can count, but I can't make this work. My first problem was that I had "cache password on client" disabled. The wizard doesn't enable that, and Cisco VPN client requires it to be enabled. That took a while to figure out. I'm trying to connect using Xauth with just a shared key at the moment, no certificates - yet. I had an unlimited DES license, not 3DES nor AES.

The current problem is when I try to connect, I get IKE Initiator unable to find policy: Intf outside, Src: IPADDR of my PIX, Dst: IP address of my VPN client.

I can't find anything on the Internet that helps me understand what is going on. I've spent several weeks trying to get Cisco VPN working, but I just can't get past this. I do have experience with other VPN devices, but nothing with PIX/Cisco. Most of the ones I've worked with are very simple to get working. Not the case here.

Below is my config with the IP addresses and such obscured. The VPN client has the IPSec service stopped, the Windows ICS/Firewall is stopped, and the 3rd party firewall disabled. The host name is hardcoded in the client's hosts table for testing. They are connected by means of a switch (or maybe a hub).

I'm sure I'm doing something wrong, but I just can't figure it out. And I can't find any documentation to help me figure it out. Can anyone help?

: Saved
:
PIX Version 7.2(2)
!
hostname protect
domain-name mydomain.com
enable password * encrypted
names
name 201.100.200.182 mydevice
name 201.100.200.180 pix.mydomain.com description PIX device
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address pix.mydomain.com 255.255.255.240
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.30.3.125 255.255.0.0
 ospf cost 10
 rip send version 2
!
interface Ethernet2
 nameif DMZ
 security-level 20
 ip address 192.168.111.2 255.255.255.0
 ospf cost 10
!
boot system flash:/image.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name mydomain.com
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 172.30.223.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 201.100.200.176 255.255.255.240 any
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.111.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 201.100.200.176 255.255.255.240 any
access-list outside_nat0_outbound extended permit ip host mydevice host pix.mydomain.com
access-list DMZ_nat0_outbound extended permit ip any any
access-list outside_access_in extended permit ip 201.100.200.176 255.255.255.240 interface outside
access-list outside_access_in extended permit ip host mydevice host pix.mydomain.com
access-list outside_cryptomap_65535.1 extended permit ip host mydevice host pix.mydomain.com
access-list DMZ_access_in extended permit tcp host 172.30.76.11 host 192.168.111.2
access-list NoNat extended permit ip host mydevice any
access-list inside_access_out extended permit ip any any
pager lines 24
logging enable
logging console debugging
logging asdm informational
logging from-address snipped-for-privacy@mydomain.com
logging recipient-address snipped-for-privacy@mydomain.com level errors
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool DMZScope 192.168.111.10-192.168.111.254 mask 255.255.255.0
ip local pool PrivateScope 172.30.223.1-172.30.223.254 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list NoNat
nat (DMZ) 0 access-list DMZ_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 201.100.200.177 1
route inside 0.0.0.0 0.0.0.0 172.30.11.30 2
route DMZ 172.30.76.11 255.255.255.255 192.168.111.9 1
timeout xlate 8:00:00
timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server myactivedirectory protocol kerberos
aaa-server myactivedirectory host 172.30.3.191
 kerberos-realm PRIME.COM
aaa-server myactivedirectory host 172.30.3.31
 kerberos-realm PRIME.COM
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value DMZScope
 client-firewall none
 client-access-rule none
group-policy 201.100.200.182 internal
group-policy 201.100.200.182 attributes
 wins-server value 172.30.3.31 172.30.3.40
 dns-server value 172.30.4.100 172.30.4.110
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage enable
 default-domain value mydomain.com
username myusername password * encrypted privilege 0
aaa authorization command LOCAL
http server enable
http 172.30.0.0 255.255.0.0 inside
http 172.30.76.11 255.255.255.255 DMZ
snmp-server location DMZ
snmp-server contact myusername
snmp-server community named
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp DMZ
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map 1 set pfs
crypto dynamic-map outside_dyn_map 1 set transform-set TRANS_ESP_DES_SHA ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer pix.mydomain.com
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint myca
 enrollment terminal
 password *
 keypair selfsignedkeypair
 crl configure
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 1000
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash sha
 group 7
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
group-delimiter @
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 address-pool DMZScope
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group 201.100.200.182 type ipsec-ra
tunnel-group 201.100.200.182 general-attributes
 address-pool PrivateScope
 default-group-policy 201.100.200.182
tunnel-group 201.100.200.182 ipsec-attributes
 pre-shared-key *
tunnel-group-map enable rules
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 172.30.0.0 255.255.0.0 inside
telnet timeout 5
ssh 172.30.0.0 255.255.0.0 inside
ssh 172.30.76.11 255.255.255.255 DMZ
ssh timeout 30
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
service-policy global_policy global
ntp server 172.30.3.50 source inside
ntp server 172.30.1.59 source inside prefer
tftp-server inside 172.30.76.11 /pix.bin
smtp-server 172.30.76.100 172.30.1.41
privilege cmd level 5 mode exec command configure
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command local-host
privilege show level 3 mode exec command interface
privilege show level 5 mode exec command clock
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command isakmp
privilege show level 3 mode exec command ipsec
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpdn
privilege show level 3 mode exec command blocks
privilege show level 5 mode exec command ntp
privilege show level 3 mode configure command interface
privilege show level 5 mode configure command clock
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command isakmp
privilege show level 3 mode configure command ipsec
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command vpdn
privilege show level 5 mode configure command ntp
privilege show level 5 mode configure command privilege
prompt hostname context
Cryptochecksum:*
: end
asdm image flash:/asdm-522.bin
asdm location 172.30.3.126 255.255.255.255 inside
asdm location 172.30.0.0 255.255.0.0 inside
asdm history enable
edavid3001
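The log line in the post names the PIX as IKE initiator, so the first thing to establish is which crypto-map entries in the posted config cover a flow from the PIX's outside address to the client. The checker below is an added example for this thread, not code from the original post or from Cisco. It parses the `name`, `access-list ... extended permit ip`, `crypto map` and `crypto dynamic-map` lines copied from the posted config, resolves the `name` labels, and lists every crypto-map entry whose ACL permits a given source/destination pair. It also flags a static entry whose peer resolves to the PIX's own outside address, which is what `crypto map outside_map 20 set peer pix.mydomain.com` does in this config and is worth checking. The assumption that the VPN client is the host the poster labelled `mydevice` (201.100.200.182) is mine; the post does not say which address the client has.

```python
"""Which crypto-map entries would this PIX select as IKE initiator for a given flow?

Added example, not code from the original post or from Cisco. CONFIG is an excerpt
copied from the poster's running-config (addresses as the poster obscured them).
Assumption (not stated in the post): the VPN client is the host labelled 'mydevice'.
The ACL parser handles only the 'extended permit ip' forms present in the excerpt.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed excerpt: only the posted lines that decide crypto-map matching.
CONFIG = """
name 201.100.200.182 mydevice
name 201.100.200.180 pix.mydomain.com description PIX device
access-list outside_20_cryptomap extended permit ip 201.100.200.176 255.255.255.240 any
access-list outside_cryptomap_65535.1 extended permit ip host mydevice host pix.mydomain.com
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map 20 set pfs
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer pix.mydomain.com
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

Net = ipaddress.IPv4Network
Ace = Tuple[Net, Net]  # (source network, destination network) of one permit entry


def parse_names(cfg: str) -> Dict[str, str]:
    """'name <ip> <label> ...' lines; ACLs may use the label in place of the address."""
    return {m.group(2): m.group(1) for m in re.finditer(r"^name (\S+) (\S+)", cfg, re.M)}


def _addr(tokens: List[str], i: int, names: Dict[str, str]) -> Tuple[Net, int]:
    """Consume one address spec ('any', 'host X' or 'X mask') starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    return ipaddress.ip_network(f"{names.get(tok, tok)}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(cfg: str, names: Dict[str, str]) -> Dict[str, List[Ace]]:
    """ACL name -> list of (src, dst) networks from 'extended permit ip' entries."""
    acls: Dict[str, List[Ace]] = {}
    for m in re.finditer(r"^access-list (\S+) extended permit ip (.+)$", cfg, re.M):
        tokens = m.group(2).split()
        src, i = _addr(tokens, 0, names)
        dst, _ = _addr(tokens, i, names)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def parse_crypto_maps(cfg: str, names: Dict[str, str]) -> List[dict]:
    """One record per (map, seq) that carries a 'match address' ACL. Dynamic-map
    entries never have a peer: the PIX can only respond on them, never initiate."""
    pat = re.compile(r"^crypto (dynamic-map|map) (\S+) (\d+) (match address|set peer) (\S+)", re.M)
    entries: Dict[Tuple[str, int], dict] = {}
    for kind, name, seq, verb, arg in pat.findall(cfg):
        e = entries.setdefault((name, int(seq)), {"map": name, "seq": int(seq),
                               "dynamic": kind == "dynamic-map", "acl": None, "peer": None})
        if verb == "match address":
            e["acl"] = arg
        else:
            e["peer"] = names.get(arg, arg)  # resolve a 'name' label to its address
    return [e for e in entries.values() if e["acl"]]


def matching_entries(cfg: str, src: str, dst: str) -> List[dict]:
    """Crypto-map entries whose ACL permits src -> dst, i.e. the entries the box
    consults when it sees that flow and decides it has to be protected."""
    names = parse_names(cfg)
    acls = parse_acls(cfg, names)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [e for e in parse_crypto_maps(cfg, names)
            if any(s in a_src and d in a_dst for a_src, a_dst in acls.get(e["acl"], []))]


def self_peered(entries: List[dict], local_ip: str) -> List[dict]:
    """Static entries whose peer is this box's own address: IKE cannot negotiate a
    tunnel with itself, so such an entry gives the initiator no usable policy."""
    return [e for e in entries if not e["dynamic"] and e["peer"] == local_ip]


if __name__ == "__main__":
    pix, client = "201.100.200.180", "201.100.200.182"
    hits = matching_entries(CONFIG, pix, client)
    print(f"flow {pix} -> {client} (Src/Dst from the poster's IKE Initiator log line):")
    for e in hits:
        print(f"  {e['map']} seq {e['seq']} via ACL {e['acl']} peer={e['peer']} dynamic={e['dynamic']}")
    for e in self_peered(hits, pix):
        print(f"  WARNING: {e['map']} seq {e['seq']} peers with the PIX's own outside address")
```

Run with `python3 checker.py`. For the flow in the poster's log line it reports only `outside_map` seq 20, selected because `outside_20_cryptomap` permits the whole 201.100.200.176/28 to `any`, with a peer of 201.100.200.180 (the PIX itself). The dynamic-map ACL `host mydevice host pix.mydomain.com` matches only in the reverse direction, client to PIX, which is the direction a dynamic map is meant for. A remote-access setup normally needs no static crypto-map entry covering the client's address at all; this tool only shows which entries are in play, it does not replace `debug crypto isakmp` on the box.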

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.