Cannot access PIX VPN

bachma0507
Level 1

I have two PIX 501 devices with virtually the same configuration (except with different outside and inside IP addresses, VPN pool IPs, etc). I can get to the outside on both from within the inside network. I have VPN connectivity set up on both. However, I can only access the VPN through one of the devices. I compared the configuration on the working PIX to the one on the non-working one but cannot see what the issue can be. I also cannot ping the outside interface on the problem pix, which I think may be the cause of the issue since when I try to connect to the VPN it gives an error indicating that the PPTP-VPN server is not responding. I have PAT set up on both for the outside interface and that works fine. The config of the problem PIX is below. Any help is greatly appreciated.

Building configuration...

: Saved

:

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password tdkuTUSh53d2MT6B encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname attdslpix2

domain-name mycompany.com

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inside_outbound_nat0_acl permit ip any 172.26.0.192 255.255.255.248

access-list outside_access_in permit udp any any eq 4500

access-list outside_access_in permit udp any any eq isakmp

access-list outside_access_in permit icmp any any

access-list splittunnel permit ip 172.26.0.0 255.255.0.0 172.26.0.0 255.255.0.0

access-list TLC_splitTunnelAcl permit ip 172.26.0.0 255.255.0.0 any

pager lines 24

logging on

logging standby

mtu outside 1500

mtu inside 1500

ip address outside 70.xxx.xx.158 255.255.255.248

ip address inside 172.26.0.249 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool pptp-client-ip 172.26.5.195-172.26.5.199

pdm location 172.26.5.192 255.255.255.248 outside

pdm location 172.26.0.192 255.255.255.248 outside

pdm logging alerts 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 70.xxx.xx.153 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 172.26.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside 172.26.0.54 /pix549

floodguard enable

sysopt connection permit-pptp

sysopt connection permit-l2tp

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup TLC address-pool pptp-client-ip

vpngroup TLC dns-server 172.26.0.250 172.26.0.251

vpngroup TLC wins-server 172.26.0.250 172.26.0.251

vpngroup TLC split-tunnel splittunnel

vpngroup TLC idle-time 1800

vpngroup TLC password ********

telnet 172.26.0.0 255.255.0.0 inside

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

management-access inside

console timeout 0

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication chap

vpdn group PPTP-VPDN-GROUP ppp authentication mschap

vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required

vpdn group PPTP-VPDN-GROUP client configuration address local pptp-client-ip

vpdn group PPTP-VPDN-GROUP client configuration dns 172.26.0.250 172.26.0.251

vpdn group PPTP-VPDN-GROUP pptp echo 60

vpdn group PPTP-VPDN-GROUP client authentication local

vpdn username bjulien password *********

vpdn enable outside

vpdn enable inside

dhcpd address 172.26.5.100-172.26.5.130 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:696e36174e523ef7b16b20cd9532d111

: end

[OK]

2 Replies

andamani
Cisco Employee

Hi,

What kind of VPN tunnel are you trying to connect?

Also you have mentioned "I also cannot ping the outside interface on the problem pix, which I think may the cause of the issue since when I try to connect to the VPN it gives an error indicating that the PPTP-VPN server is not responding"

From where are you trying to ping the outside interface?

Also please paste the exact error message that you receive along with the working PIX config.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

It's a PPTP vpn tunnel.

I get no response when I ping the IP of the outside interface from home or anywhere outside of the physical office location. I can ping the IP address of the outside interface of the working PIX successfully.

The error message I get is:

"The PPTP-VPN server did not respond. Please contact your systems administrator. Try reconnecting. If the problem continues, verify your settings and contact your Administrator."

Here is the config of the working PIX:

Building configuration...

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password tdkuTUSh53d2MT6B encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname dslpix

domain-name mycompany.com

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

no names

name 172.26.0.238 tlc042

name 172.26.0.250 tlc001

name 172.26.0.251 tlc002

name 172.26.0.41 lkm-srv-dcs-01

name 172.26.5.20 TLCXCH01

name 172.26.0.11 TLCXCH01_Web_Mail

access-list outside_access_in permit tcp any host 172.26.0.11 eq imap4

access-list outside_access_in permit tcp any host 68.xxx.xxx.10 eq ssh

access-list outside_access_in permit tcp any host 172.26.0.11 eq www

access-list outside_access_in permit tcp any host 172.26.0.11 eq smtp

access-list outside_access_in permit udp any any eq 4500

access-list outside_access_in permit udp any any eq isakmp

access-list outside_access_in permit icmp any any

access-list inside_outbound_nat0_acl permit ip any 172.26.0.192 255.255.255.248

access-list splittunnel permit ip 172.26.0.0 255.255.0.0 172.26.0.0 255.255.0.0

access-list TLC_splitTunnelAcl permit ip 172.26.0.0 255.255.0.0 any

pager lines 24

logging on

mtu outside 1500

mtu inside 1500

ip address outside 68.xxx.xxx.14 255.255.255.248

ip address inside 172.26.0.253 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool pptp-client-ip 172.26.0.195-172.26.0.199

pdm location 172.26.0.238 255.255.255.255 inside

pdm location 172.26.0.250 255.255.255.255 inside

pdm location 172.26.0.251 255.255.255.255 inside

pdm location 172.26.0.41 255.255.255.255 inside

pdm location 192.168.5.0 255.255.255.0 inside

pdm location 172.26.0.192 255.255.255.248 outside

pdm location 172.26.5.20 255.255.255.255 inside

pdm location 172.26.0.11 255.255.255.255 inside

pdm location 172.26.0.54 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 68.xxx.xxx.12 172.26.0.251 netmask 255.255.255.255 0 0

static (inside,outside) 68.xxx.xxx.10 172.26.0.250 netmask 255.255.255.255 0 0

static (inside,outside) 172.26.5.20 172.26.5.20 netmask 255.255.255.255 0 0

static (inside,outside) 172.26.0.11 172.26.0.11 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 68.xxx.xxx.9 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 172.26.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community my-public

no snmp-server enable traps

floodguard enable

sysopt connection permit-pptp

sysopt connection permit-l2tp

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup TLC address-pool pptp-client-ip

vpngroup TLC dns-server 172.26.0.250 172.26.0.251

vpngroup TLC wins-server 172.26.0.250 172.26.0.251

vpngroup TLC default-domain TLCUSA.mycompany.com

vpngroup TLC split-tunnel splittunnel

vpngroup TLC idle-time 1800

vpngroup TLC password ********

telnet 172.26.0.0 255.255.0.0 inside

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

management-access inside

console timeout 0

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication chap

vpdn group PPTP-VPDN-GROUP ppp authentication mschap

vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required

vpdn group PPTP-VPDN-GROUP client configuration address local pptp-client-ip

vpdn group PPTP-VPDN-GROUP client configuration dns 172.26.0.250 172.26.0.251

vpdn group PPTP-VPDN-GROUP pptp echo 60

vpdn group PPTP-VPDN-GROUP client authentication local

vpdn username yyyyy password *********

vpdn enable outside

vpdn enable inside

dhcpd address 172.26.0.254-172.26.1.29 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

username xxxx password eNFScgcUsDOLFsBQ encrypted privilege 2

username zzzzz password HKVV2E67LcaGEJHY encrypted privilege 2

terminal width 80

Cryptochecksum:455e098afea58a4aa09d4c05896e7924

: end

[OK]
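The two configs differ in one VPN-relevant detail that is easy to miss when eyeballing them: on the problem PIX the PPTP pool (172.26.5.195-172.26.5.199) falls outside the nat 0 exemption (172.26.0.192/29), while on the working PIX the pool (172.26.0.195-172.26.0.199) sits inside it. The Python script below is an added example, not code from the thread or from Cisco; it parses constructed excerpts of both configs, checks the PPTP prerequisites that both boxes do have (vpdn enable outside, accept dialin pptp, sysopt connection permit-pptp) and flags that pool/nat 0 mismatch.

```python
import ipaddress

# Constructed excerpts of the two PIX 6.3 configs posted above (masked public IPs left out).
PROBLEM_PIX = """\
access-list inside_outbound_nat0_acl permit ip any 172.26.0.192 255.255.255.248
ip local pool pptp-client-ip 172.26.5.195-172.26.5.199
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-pptp
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn enable outside
"""
WORKING_PIX = PROBLEM_PIX.replace("172.26.5.195-172.26.5.199", "172.26.0.195-172.26.0.199")


def _addr(tokens, i):
    """Consume one PIX address spec (any | host X | X MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def audit_pptp(config):
    """Return PPTP-readiness findings for one PIX 6.3 running-config."""
    findings = {"vpdn_outside": False, "accept_pptp": False,
                "permit_pptp": False, "pool_in_nat0": None}
    pools, nat0_acl, acl_dsts = {}, None, {}
    for line in filter(None, config.splitlines()):
        t = line.split()
        if line == "vpdn enable outside":
            findings["vpdn_outside"] = True
        elif t[:2] == ["vpdn", "group"] and t[3:] == ["accept", "dialin", "pptp"]:
            findings["accept_pptp"] = True
        elif line == "sysopt connection permit-pptp":
            findings["permit_pptp"] = True  # PPTP (tcp/1723 + GRE) to the PIX bypasses the outside ACL
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0_acl = t[4]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            _, i = _addr(t, 4)            # source
            dst, _ = _addr(t, i)          # destination network the exemption covers
            acl_dsts.setdefault(t[1], []).append(dst)
    # Every pool address should sit inside a nat 0 destination, else replies to VPN clients hit PAT.
    if nat0_acl in acl_dsts and pools:
        findings["pool_in_nat0"] = all(
            any(ipaddress.ip_address(a) in d for d in acl_dsts[nat0_acl])
            for lo, hi in pools.values() for a in range(lo, hi + 1))
    return findings
```

The script cannot tell why the outside interface does not answer pings from the Internet; neither posted config contains an icmp deny on the outside interface, so that has to be checked on the path in front of the PIX.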
