setting up PIX501 VPN

Dear All,

I am new to PIX and I have just recently purchased a PIX 501 and I am trying to get it to allow me to connect to my office network using the Cisco VPN Client.

At the office I have an ADSL line (dynamic IP). The modem connects to the PIX 501 (via cross over) and to the LAN port I have a small 4-port switch.

All clients from the internal network can connect to the Internet. I have used the VPN Wizard to setup the VPN connection (i have included configuration below). I try to connect via the Cisco VPN Client to the PIX from outside and not getting any reply from the VPN client.

Any suggestions?

PIX 501 PIX Version 6.3(1) PDM Version 3.0(1)

: Saved : PIX Version 6.3(1) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password ****** encrypted passwd ****** encrypted hostname pixfirewall domain-name home.local clock timezone GMT/BST 0 clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 names access-list inside_outbound_nat0_acl permit ip any 192.168.1.48

255.255.255.248 access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.48 255.255.255.248 pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside dhcp setroute ip address inside 192.168.1.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool home 192.168.1.50-192.168.1.55 pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 0.0.0.0 0.0.0.0 0 0 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 ESP-AES-128-SHA ESP-3DES-SHA ESP-AES-192-SHA ESP-AES-128-MD5 ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-AES-256-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map client authentication LOCAL crypto map outside_map interface outside isakmp enable outside isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 vpngroup homevpn address-pool home vpngroup homevpn default-domain home.local vpngroup homevpn idle-time 1800 vpngroup homevpn password ******** telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 192.168.1.2-192.168.1.33 inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside dhcpd enable inside username tfql password ****** encrypted privilege 15 terminal width 80 Cryptochecksum:b5801449bc3a7cfa3df79786073b175d : end
Reply to
tiagoqlopes
Loading thread data ...

A newly purchased PIX would have PIX 6.3(5), not 6.3(1), unless it was purchased used. If it -was- purchased used, then unless you happen to be in a few select EU countries (e.g., Germany, Denmark) then you don't have the legal right to use the software unless you "re-license" the device... in which case you would have upgraded the software. There are several security problems in

6.3(1) and 6.3(3), so you should be using at least 6.3(4).

The ip address pool that you use for vpn clients must not be the same subnet as your inside network. You could, for example, use 192.168.2.50-192.168.2.55 but not anything in 192.168.1.x .

Reply to
Walter Roberson

Your VPN Client configuration file would be helpful here. Since your DSl connection is dynamic, what IP address is your client set to connect to. Other helpful information would be found from your Client log window Log -> Log Window. Is the Client even able to communicate with the device?

Reply to
DCS

Hi DCS,

Thanks for your message.

Although the connection is dynamic, the IP address hasn't changed.

Here it is the VPN CLient configuration:

[main] Description= Host=82.42.35.211 AuthType=1 GroupName=homevpn GroupPwd= enc_GroupPwd=92E1AC2A8AF298AE1EA6F3C210FC733B892515DF96553272A3B94A846A2F096397FA41E6AFB34B5E61DACBC62FCF73F8B164261645714F35 EnableISPConnect=0 ISPConnectType=0 ISPConnect=Tiscali ISPPhonebook=C:\\Documents and Settings\\tiago.lopes\\Application Data\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk ISPCommand= Username= SaveUserPassword=0 UserPassword= enc_UserPassword= NTDomain= EnableBackup=0 BackupServer= EnableMSLogon=1 MSLogonType=0 EnableNat=1 TunnelingMode=0 TcpTunnelingPort=10000 CertStore=0 CertName= CertPath= CertSubjectName= CertSerialHash=00000000000000000000000000000000 SendCertChain=0 PeerTimeout=90 EnableLocalLAN=0

On the Log -> Log Windows nothing appears, and it doesn't seem that the Client is even "hitting" the PIX.

Any suggestions?

Reply to
tiagoqlopes

Hi DCS,

Forgot to change the log level - below if level 3 HIGH

Cisco Systems VPN Client Version 4.7.00.0533 Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved. Client Type(s): Windows, WinNT Running on: 5.1.2600 Service Pack 2

24 22:51:51.697 02/02/06 Sev=Info/6 IKE/0x6300003B Attempting to establish a connection with 82.42.35.211.

25 22:51:51.727 02/02/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 82.42.35.211

26 22:51:57.135 02/02/06 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!

27 22:51:57.135 02/02/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 82.42.35.211

28 22:52:02.142 02/02/06 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!

29 22:52:02.142 02/02/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 82.42.35.211

30 22:52:07.149 02/02/06 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!

31 22:52:07.149 02/02/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 82.42.35.211

32 22:52:12.156 02/02/06 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=F420F8511DF664B4 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

33 22:52:12.677 02/02/06 Sev=Info/4 IKE/0x6300004B Discarding IKE SA negotiation (I_Cookie=F420F8511DF664B4 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

34 22:52:12.727 02/02/06 Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection

35 22:52:12.737 02/02/06 Sev=Info/4 IKE/0x63000086 Microsoft IPSec Policy Agent service started successfully

Reply to
tiagoqlopes

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.