11-21-2002 10:26 AM - edited 02-21-2020 12:11 PM
I know about Microsoft VPN, but I am new to Cisco PIX firewalls and need help.
The scenario looks like this:
VPN-Client
|
|
Internet
|
|
Cisco 827 Router, IP outside: public IP
|
PIX 501 firewall, IP inside: 192.168.1.1
|
Windows 2000 IAS-Server (RADIUS), 192.168.1.2
The ISP has configured the 827 router and PIX 501 firewall.
I have configured the RADIUS server.
The VPN-client is authenticated by the IAS-Server, but is not able to connect to any network resources on network 192.168.1.0
On the VPN-client I see that the client IP is 172.16.1.1 and the Server IP is the Cisco 827 router's outside public IP.
I suppose the error is that the client and server IPs are not part of the internal network.
11-21-2002 11:03 AM
Here's a link for what you are trying to do: http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html
"I suppose that the error is the client and server IP that is not part of the internal network." Actually this is the way it should be, as the PIX will not proxy ARP for the assigned client IP addresses when they are on the same subnet. So you need to have them on different ranges.
If you are getting an IP address, I guess you are connected. If not, we can take a different approach. But assuming that you are, you need to test your connectivity, for example by pinging. So ping the IAS server or something else, and take a look at your encrypts on your client to see if you are getting any. If you are, take a look at the PIX to see if you are getting decrypts/encrypts with the command "show crypto ipsec sa". You might have to weed through the info to find your connection.
If you got encrypts on the client and decrypts on the PIX but no encrypts, then you have a NAT issue or a routing issue (like a wrong default gateway). Usually the NAT is the issue. Feel free to post your "show crypto ipsec sa" from the PIX if you need help reading it.
Kurtis Durrett
11-21-2002 11:28 AM
Hi Kurtis Durrett
Thanks for your response.
I get connected, encryption 3DES
I can't ping anything, neither the IAS-Server nor the Cisco 827 Router, while connected. I can ping the Cisco 827 Router while not connected.
I am at home at the moment, local time: 20:26, so I am not able to post any "show crypto ipsec sa" before tomorrow.
Regards
Thomas Olsen
11-21-2002 12:16 PM
Warm and fuzzies. So are you getting encrypts at least on your client side? Double-click with your mouse on the connection icon it creates when you connect to bring up the stats for your session. Do you see packets being encrypted at least on your client when you ping?
11-21-2002 12:32 PM
I can't make any client connections from my current location. I will return tomorrow.
Regards
Thomas Olsen
11-21-2002 11:56 PM
Hi here is some "print out" from the VPN Client.
VPN Client version 3.5.3 (Rel)
Initializing the connection...
Contacting the gateway at 62.79.x.x...
Authenticating user...
Negotiating security policies...
Securing communication channel...
Your link is now secure...
Logging onto the network....
No domain server available to validate your password.
You may not be able to gain access to some network resources.
C:\>ping 62.79.x.x /t
Pinging 62.79.x.x with 32 bytes of data:
Reply from 62.79.x.x: bytes=32 time=34ms TTL=255
Reply from 62.79.x.x: bytes=32 time=41ms TTL=255
Reply from 62.79.x.x: bytes=32 time=34ms TTL=255
VPN Client Statistics:
Bytes in: 720
Bytes out: 11882
Packets decrypted: 12
Packets encrypted: 84
Packets bypassed: 29
Packets discarded: 27
Secured routes:
Network Subnet Mask Bytes
0.0.0.0 0.0.0.0 6840
62.79.x.x 255.255.255.255 1608
Local LAN routes:
Grayed out.
Regards
Thomas Olsen
11-22-2002 10:40 AM
So it looks like you are connecting, but you will need to test by pinging your internal network of 192.168.1.0/24 and not the outside address.
Reply from 62.79.x.x: bytes=32 time=34ms TTL=255
Reply from 62.79.x.x: bytes=32 time=41ms TTL=255
Reply from 62.79.x.x: bytes=32 time=34ms TTL=255
Try pinging your PDC. You are getting packets encrypted and decrypted:
Packets decrypted: 12
Packets encrypted: 84
which means your client is sending and receiving traffic from your destination network. Once we settle whether you can/cannot ping the internal network, we can work on your real problem, which is:
No domain server available to validate your password.
You may not be able to gain access to some network resources.
This means you didn't log on to the domain and you will not be able to access your domain resources, which is what your original problem was: "not able to connect to any network resources on network". If you settle that you can ping your PDC, then move on to logging onto the domain. If you are on XP, NT4 or Win2k you will need to use Start Before Logon. So before you log on to your PC, you will need to bring up your VPN connection. Once that's established, you can then log on to your PC. This is the fix: you need to get logged on. There are several reasons why you can't, but one step at a time, or you can call TAC and get someone to walk you through it over the phone.
Kurtis Durrett
11-22-2002 11:05 AM
Hi Kurtis Durrett
I can't ping anything on network 192.168.1.0; that's the main problem.
Regards
Thomas Olsen
11-22-2002 11:17 AM
What we need to determine is which side the problem is on. When you ping 192.168.1.2 (not the PIX inside IP), do your encrypted packets on the client go up? Do you get decrypted packets on the PIX? Issue a "show crypto ipsec sa" on the PIX. If you are getting decrypted packets on the PIX and the counter is going up as you ping (not in real time; reissue the command), then you have a NAT or routing issue and we can focus on the PIX side. If you aren't getting decrypted packets on the PIX, we can focus on the client side, going from the PC to the ISP to the PIX, and track the issue down. Some ISPs out there actually block the ESP protocol, which is what IPsec uses to communicate, considering it a business service and an additional charge. Geez. Like I said though, if you are getting decrypts on the PIX we can eliminate all that and go straight to the PIX side.
Kurtis
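The triage Kurtis describes, written out as a small script (an added example, not part of the thread): take "show crypto ipsec sa" on the PIX before and after a burst of pings from the client to an inside host, and compare the per-client "#pkts decaps" and "#pkts encaps" counters. Decaps rising with no encaps means the PIX saw the pings but never sent replies back into the tunnel (NAT or routing on the inside); no decaps at all means the pings never reached the PIX. The two snapshots are constructed text modelled on the layout of PIX 6.x output, with placeholder public addresses; the classification labels are this example's own.

```python
import re
from typing import Dict, Tuple

# Constructed snapshots modelled on the layout of PIX 6.x "show crypto ipsec sa"
# (not output from the thread). Only the "dynamic allocated peer ip" and
# "#pkts encaps/decaps" lines matter here; public addresses are placeholders.
SNAPSHOT_BEFORE = """\
interface: outside
    Crypto map tag: tiscali, local addr. 192.0.2.1

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
   current_peer: 192.0.2.77:500
   dynamic allocated peer ip: 172.16.1.1
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify 12
    #send errors 0, #recv errors 0
"""
# Same client after ten pings: the PIX decrypted ten more packets but encrypted none.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("#pkts decaps: 12,", "#pkts decaps: 22,")
# The healthy case: the replies went back down the tunnel as well.
SNAPSHOT_BOTH = SNAPSHOT_AFTER.replace("#pkts encaps: 0,", "#pkts encaps: 10,")

SA_START = re.compile(r"(?=^[ \t]*local[ \t]+ident)", re.M)   # one SA block per "local ident"
PEER_RE = re.compile(r"dynamic allocated peer ip:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_sa_counters(text: str) -> Dict[str, Tuple[int, int]]:
    """Map each client's pool address to its (encaps, decaps) counters."""
    counters: Dict[str, Tuple[int, int]] = {}
    for block in SA_START.split(text):
        peer, enc, dec = PEER_RE.search(block), ENCAPS_RE.search(block), DECAPS_RE.search(block)
        if peer and enc and dec:
            counters[peer.group(1)] = (int(enc.group(1)), int(dec.group(1)))
    return counters


def diagnose(before: str, after: str, client_ip: str) -> str:
    """Say which side to look at, from snapshots taken around a burst of pings
    from the client to an inside host (192.168.1.2 in the thread)."""
    b = parse_sa_counters(before).get(client_ip)
    a = parse_sa_counters(after).get(client_ip)
    if a is None or b is None:
        return "no-sa"          # no IPsec SA for this client: phase 1/2 never completed
    d_encaps, d_decaps = a[0] - b[0], a[1] - b[1]
    if d_decaps <= 0:
        return "client-side"    # pings never arrived: client, ISP (ESP blocked?) or path to the PIX
    if d_encaps <= 0:
        return "pix-side"       # PIX decrypted the pings but sent no replies back: NAT/routing inside
    return "tunnel-ok"          # both directions flow; look at the host itself (filtering, domain logon)


if __name__ == "__main__":
    print(diagnose(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "172.16.1.1"))   # pix-side
    print(diagnose(SNAPSHOT_BEFORE, SNAPSHOT_BOTH, "172.16.1.1"))    # tunnel-ok
```

Pair this with the client's own statistics window: client "Packets encrypted" rising while the PIX shows no decaps points at the path between client and PIX; client encrypts and PIX decaps rising with no PIX encaps points at NAT or the inside hosts' default gateway.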
11-26-2002 03:21 AM
Hi Kurtis
I can't ping the internal network (192.168.1.0).
Take a look at this:
Scenario:
Cisco VPN Client 3.5
|
|
|
Internet
|
|
|
Cisco 827 router. IP Inside: 62.79.93.x
|
|
Cisco PIX 501. IP Inside: 192.168.1.1 /24. IP Outside: 62.79.93.y
|
|
------- 192.168.1.0 -------- (I want VPN access to this network)
|
Windows 2000 Server, IAS (RADIUS), DC, WINS, DNS. IP: 192.168.1.2 /24
PIX configuration: (write terminal)
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname xxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit icmp any any
access-list 101 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 62.79.93.y 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.16.1.1-172.16.1.5
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 62.79.93.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server radius protocol radius
aaa-server sbs.sbs.local protocol radius
aaa-server sbs.sbs.local (inside) host 192.168.1.2 xxx timeout 5
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set super esp-3des esp-m
crypto dynamic-map dynmap 10 set transform-set
crypto map tiscali 10 ipsec-isakmp dynamic dynm
crypto map tiscali client configuration address
crypto map tiscali client authentication sbs.sb
crypto map tiscali interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 212.54.64.170
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxx
Can you see anything wrong?
Regards
Thomas Olsen
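A check of whether the remote-access pieces of a PIX 6.x config fit together, written as an added example (not part of the thread): the client pool must not fall inside the inside subnet (the proxy-ARP point made earlier), a "nat (inside) 0" ACL must exempt inside-to-pool traffic from the PAT that "global (outside) 1 interface" would otherwise apply to the replies, "sysopt connection permit-ipsec" must be present, ISAKMP must be enabled on outside and a crypto map bound there. The config it runs on is a constructed copy of the excerpt posted above in which the lines the paste chopped (transform set, dynamic map, client configuration and authentication) are written out in full as an assumption of what they contain, and the public addresses are placeholders.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Constructed PIX 6.2 excerpt modelled on the config posted above. The lines the
# paste chopped are written out in full here as an ASSUMPTION of what they
# contain; the public addresses are placeholders.
PIX_CONFIG = """\
access-list acl_out permit icmp any any
access-list 101 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
ip address outside 192.0.2.2 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip local pool ippool 172.16.1.1-172.16.1.5
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
sysopt connection permit-ipsec
crypto ipsec transform-set super esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set super
crypto map tiscali 10 ipsec-isakmp dynamic dynmap
crypto map tiscali client configuration address initiate
crypto map tiscali client authentication sbs.sbs.local
crypto map tiscali interface outside
isakmp enable outside
vpngroup vpn3000 address-pool ippool
"""

REQUIRED = {
    "sysopt connection permit-ipsec": "decrypted client traffic must bypass the outside ACL",
    "isakmp enable outside": "IKE must listen on the outside interface",
}


def _net(addr: str, mask: str) -> Net:
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_remote_access(config: str) -> List[str]:
    """Return the problems found with the remote-access VPN pieces (empty list = they fit)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    inside = None
    pools: Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = {}
    acls: Dict[str, List[Tuple[Net, Net]]] = {}   # name -> (src, dst) of each "permit ip" line
    nat0_acl = None
    group_pool: Dict[str, str] = {}
    for ln in lines:
        if m := re.match(r"ip address inside (\S+) (\S+)$", ln):
            inside = _net(m[1], m[2])
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", ln):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", ln):
            acls.setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", ln):
            nat0_acl = m[1]
        elif m := re.match(r"vpngroup (\S+) address-pool (\S+)$", ln):
            group_pool[m[1]] = m[2]

    problems: List[str] = []
    if inside is None:
        return ["no 'ip address inside' line; cannot check the pool or NAT exemption"]
    for group, pool_name in group_pool.items():
        if pool_name not in pools:
            problems.append(f"{group}: address-pool {pool_name} is not defined")
            continue
        first, last = pools[pool_name]
        if first in inside or last in inside:
            problems.append(f"{group}: pool {pool_name} overlaps inside subnet {inside}; "
                            "the PIX does not proxy-ARP for client addresses on the same subnet")
        # Exempt only if some nat 0 ACL line covers inside -> the whole pool.
        exempt = any(inside.subnet_of(src) and first in dst and last in dst
                     for src, dst in acls.get(nat0_acl, []))
        if not exempt:
            problems.append(f"{group}: no nat (inside) 0 ACL line exempts {inside} -> {pool_name}; "
                            "replies to clients would be PATed to the outside address instead")
    for line, why in REQUIRED.items():
        if line not in lines:
            problems.append(f"missing '{line}': {why}")
    if not any(re.match(r"crypto map \S+ interface outside$", ln) for ln in lines):
        problems.append("no crypto map is applied to the outside interface")
    return problems


if __name__ == "__main__":
    for p in check_remote_access(PIX_CONFIG) or ["remote-access pieces fit together"]:
        print(p)
```

On the constructed config the check passes, which matches the observation that nothing in the posted lines is obviously wrong; the script is more useful on the variants, for example a pool moved into 192.168.1.0/24 or the "nat (inside) 0" line missing, each of which it reports separately.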
11-26-2002 08:07 AM
Thomas,
The configuration looks fine, other than some part of the config got chopped a little, but that is probably just from the cut and paste.
Do a clear xlate, write mem, reload on the pix, reboot your microsoft server. Connect to the pix. Ping from the client to 192.168.1.2. Do a "show crypto ipsec sa" on the pix, post that information.
Kurtis Durrett