12-24-2002 01:27 AM - edited 02-21-2020 10:05 AM
Hi
I'm trying to configure our PIX for dial-up vpn using ACS 2.6 NT and the TACACS+ protocol.
I have managed to configure the VPN user authentication OK, although once connected and the tunnel to the internal network is established, if I try to ping a host inside I only get one ICMP packet back out of four. Subsequent attempts to ping the host get absolutely no response. This happens with all hosts you try to ping...
...strange.
The Firewall itself is also configured to use TACACS+ for console and enable authentication, perhaps this config is causing a problem?
Here is a snippet of the pertinent config from the firewall.
access-list clients permit ip 172.17.0.0 255.255.0.0 172.17.50.0 255.255.255.0
access-list vpn permit ip 172.17.0.0 255.255.0.0 172.17.50.0 255.255.
ip local pool clients 172.17.50.10-172.17.50.254
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
aaa-server TACSERVER protocol tacacs+
aaa-server TACSERVER (inside) host 172.17.0.x akey timeout 10
aaa authentication enable console TACSERVER
aaa authentication match clients outside TACSERVER
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set vpn ah-md5-hmac esp-des
crypto ipsec transform-set clients esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400 kilobytes 46080000
crypto dynamic-map vpnusers 50 set transform-set clients
crypto map gibpix client configuration address initiate
crypto map gibpix client configuration address respond
crypto map gibpix client authentication TACSERVER
crypto map gibpix interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local clients outside
vpngroup ras address-pool clients
vpngroup ras dns-server ns0
vpngroup ras default-domain mydomain.com
vpngroup ras split-tunnel clients
vpngroup ras idle-time 1800
vpngroup ras password ********
I can't see the wood for the trees as I've scoured many Cisco docs, can anyone point me in the right direction?
Many thanks and Merry Christmas to all.
12-24-2002 09:27 AM
Hi rbirkin,
If your tunnel is coming up then I don't think you are running into any sort of authentication issues. It sounds more like a routing issue.
If you want to be 100% sure, you can disable user authentication and see if you still run into this issue.
Jazib
12-27-2002 02:59 AM
Hi Jazib,
If it is in fact a routing issue, where do I check this?
Thanks
R
12-27-2002 07:01 AM
rbirkin,
I don't have your complete config, but by going through the config you have in the forum, it looks like your private ip address is in 172.17.0.0/16 subnet
Your pool of addresses is also in the same subnet ( 172.17.50.0 ).
Is it possible for you to change the pool subnet to something different like 192.168.1.0/24 or something and then try
Let me know what happens
Jazib
12-27-2002 07:37 AM
Jazib
Thanks for your feedback but I found the problem and it was this:
crypto dynamic-map vpnusers 50 set security-association lifetime seconds 86400 kilobytes 46080000
That line had a '0' missing from the last number.
Cheers
Rowley
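Added example, not code from the thread: a small Python check that flags the two problems discussed above, a dynamic-map SA lifetime that disagrees with the global `crypto ipsec security-association lifetime` (the missing '0') and an address pool carved out of the inside subnet that the nat 0 ACL covers (the overlap Jazib pointed at). The sample config is constructed from the posted snippet; the regexes and the `check_config` name are assumptions, not anything in PIX or ACS.

```python
import ipaddress
import re

# Constructed sample (not the thread's complete config): the dynamic-map
# lifetime is missing a '0' and the pool is carved out of the inside /16.
SAMPLE_CONFIG = """\
ip local pool clients 172.17.50.10-172.17.50.254
access-list vpn permit ip 172.17.0.0 255.255.0.0 172.17.50.0 255.255.255.0
nat (inside) 0 access-list vpn
crypto ipsec security-association lifetime seconds 86400 kilobytes 46080000
crypto dynamic-map vpnusers 50 set security-association lifetime seconds 86400 kilobytes 4608000
"""

LIFETIME_RE = re.compile(r"security-association lifetime seconds (\d+) kilobytes (\d+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")


def check_config(text):
    """Return a list of findings for the two classes of mistake in the thread."""
    findings = []
    global_life = None
    map_lifes = {}      # dynamic-map name -> (seconds, kilobytes)
    pools = {}          # pool name -> (first address, last address)
    acl_sources = {}    # acl name -> list of source networks
    nat0_acls = set()   # ACLs referenced by "nat (inside) 0"
    for line in text.splitlines():
        if m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := ACL_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            acl_sources.setdefault(m.group(1), []).append(net)
        elif m := NAT0_RE.match(line):
            nat0_acls.add(m.group(1))
        elif m := LIFETIME_RE.search(line):
            life = (int(m.group(1)), int(m.group(2)))
            if line.startswith("crypto dynamic-map "):
                map_lifes[line.split()[2]] = life
            else:
                global_life = life
    # Per-map lifetimes that differ from the global SA lifetime
    for name, life in map_lifes.items():
        if global_life is not None and life != global_life:
            findings.append(f"dynamic-map {name}: lifetime {life} differs from global {global_life}")
    # Pool addresses that fall inside a network the nat 0 ACL treats as "inside"
    for acl in nat0_acls:
        for net in acl_sources.get(acl, []):
            for name, (first, last) in pools.items():
                if first in net or last in net:
                    findings.append(f"pool {name} ({first}-{last}) overlaps inside network {net}")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```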