Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1673
Views
0
Helpful
4
Replies

VPN 3.x clients with TACACS+ AAA, ACS 2.6 NT

rbirkin
Level 1
Level 1

‎12-24-2002 01:27 AM - edited ‎02-21-2020 10:05 AM

Hi

I'm trying to configure our PIX for dial-up vpn using ACS 2.6 NT and the TACACS+ protocol.

I have managed to configure the VPN user authentication OK, although once connected and the tunnel to the internal network is established, if I try to ping a host inside I only get one ICMP packet back out of four. Subsequent attempts to ping the host get absolutely no response. This happens with all hosts you try to ping...

...strange.

The Firewall itself is also configured to use TACACS+ for console and enable authentication, perhaps this config is causing a problem?

Here is a snippet of the pertinent config from the firewall.

access-list clients permit ip 172.17.0.0 255.255.0.0 172.17.50.0 255.255.255.0

access-list vpn permit ip 172.17.0.0 255.255.0.0 172.17.50.0 255.255.

ip local pool clients 172.17.50.10-172.17.50.254

nat (inside) 0 access-list vpn

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

aaa-server TACSERVER protocol tacacs+

aaa-server TACSERVER (inside) host 172.17.0.x akey timeout 10

aaa authentication enable console TACSERVER

aaa authentication match clients outside TACSERVERsysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set vpn ah-md5-hmac esp-des

crypto ipsec transform-set clients esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400 kilobytes 46080000

crypto dynamic-map vpnusers 50 set transform-set clientscrypto map gibpix client configuration address initiate

crypto map gibpix client configuration address respond

crypto map gibpix client authentication TACSERVER

crypto map gibpix interface outside

isakmp enable outside

isakmp identity address

isakmp client configuration address-pool local clients outside

vpngroup ras address-pool clients

vpngroup ras dns-server ns0

vpngroup ras default-domain mydomain.com

vpngroup ras split-tunnel clients

vpngroup ras idle-time 1800

vpngroup ras password ********

I can't see the wood for the trees as i've scoured many cisco docs, can anyone point me in the right direction?

Many thanks and merry christmas to all.

Labels:
0 Helpful
4 Replies 4

jfrahim
Level 5
Level 5

‎12-24-2002 09:27 AM

Hi rbirkin,

If you tunnel is coming up then I don't think you are running into any sort of authentication issues. It sounds more like a routing issue

If you want to be 100% sure, you can disable user authentication and see if you still run into this issue

Jazib

0 Helpful

rbirkin
Level 1
Level 1
In response to jfrahim

‎12-27-2002 02:59 AM

Hi Jazib,

If it is in fact a routing issue, where do I check this?

Thanks

R

0 Helpful

jfrahim
Level 5
Level 5
In response to rbirkin

‎12-27-2002 07:01 AM

rbirkin,

I don't have your complete config, but by going through the config you have in the forum, it looks like your private ip address is in 172.17.0.0/16 subnet

Your pool of addresses is also in the same subnet ( 172.17.50.0 ).

Is it possible for you to change the pool subnet to something different like 192.168.1.0/24 or something and then try

Let me know what happens

Jazib

0 Helpful

rbirkin
Level 1
Level 1
In response to jfrahim

‎12-27-2002 07:37 AM

Jazib

Thanks for you're feedback but I found the problem and it was this -:

crypto dynamic-map vpnusers 50 set security-association lifetime seconds 86400 kilobytes 46080000

That line had a '0' missing from the last number.

Cheers

Rowley

0 Helpful
Customers Also Viewed These Support Documents