01-05-2011 09:56 AM
Greetings,
I am new to cisco and vpn networks. The issue could be clear to some; however, it is evading me (non ccna) and the tech who setup the network (ccna). I was hoping someone could point out the issue.
Problem: Network/VPN worked perfectly until the ISP changed the modem to a gateway. Currently everything inside the network is working perfectly; however, users cannot connect to the VPN.
Verification Steps Taken: Verified the new IP was entered into pix. Verified new IP was entered into VPN Clients.
Setup:
[internet cloud]
|
[SMC8014 Cable Gateway] - 70.62.13.50 - (firewall disabled, ISP verifies device is functional and publishing ip)
|
[Cisco PIX 501] - 70.62.13.51 - (configuration below)
|
[Eznet-8sw]
login as: *****
Sent username *****
*****@192.168.0.1's password:
Type help or '?' for a list of available commands.
Cochran-PIX>
Cochran-PIX> enable
Password: *****
Cochran-PIX# show configure
: Saved
: Written by enable_15 at 15:14:57.119 UTC Thu Dec 16 2010
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname Cochran-PIX
domain-name *****
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 70.62.13.51 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool cochranvpnpool 192.168.0.25-192.168.0.50
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 70.62.13.49 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.51 /cochran-pix051605
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set CochranVPNSET esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNCochranVPNMAP 10 set transform-set CochranVPNSET
crypto map CochranMAP 10 ipsec-isakmp dynamic DYNCochranVPNMAP
crypto map CochranMAP client configuration address initiate
crypto map CochranMAP client configuration address respond
crypto map CochranMAP interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup CochranCPA address-pool cochranvpnpool
vpngroup CochranCPA dns-server 192.168.0.150 209.18.47.61
vpngroup CochranCPA split-tunnel NONAT
vpngroup CochranCPA idle-time 1800
vpngroup CochranCPA password *****
vpngroup CochranMAP idle-time 1800
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 30
console timeout 0
dhcpd address 192.168.0.51-192.168.0.99 inside
dhcpd dns 192.168.0.150 209.18.47.61
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain rr.com
dhcpd enable inside
terminal width 80
banner login WARNING!
banner login This is a private computer facility to be accessed
banner login and used for company business only. Access to it
banner login any reason must be specifically authorized.
banner login Violators will be prosecuted to the fullest extent
banner login of local, state and federal laws.
Cryptochecksum:c62070b682ddee189e2fe66090f18284
Cochran-PIX#
Any suggestions would be appreciated and if you need any additional information just let me know.
Edit: I forgot to mention the error code 403 by the client. The users complain of 3 different error codes; however, when I used their system and attempted to connect I only had a 403 error.
Message was edited by: Joe Tate (added error)
01-05-2011 10:38 AM
Hi Joe,
Can you post the outputs from the execution of the following commands in the PIX:
debug crypto isakmp
debug crypto ipsec
debug crypto vpnclient
The users fail to connect because the user is rejected or you they can't establish phase 1 connection?
A few questions more:
you put in the diagram 70.62.13.50 like gateway but you configure a default route to the outside using this other gateway 70.62.13.49, is this correct?
Can the users navigate to the Internet from the inside through the PIX after the change of gateway?
Regards,
Guzmán
01-05-2011 10:59 AM
The users fail to connect because the user is rejected or you they can't establish phase 1 connection?
Cannot establish connection.
A few questions more:
you put in the diagram 70.62.13.50 like gateway but you configure a default route to the outside using this other gateway 70.62.13.49, is this correct?
That's possibly the issue... 50 is the gateway not 49 and I didn't even notice that setting as incorrect. I wasn't the technician to setup the device but the original tech hasn't solved the issue in over four months so they asked me to take a look. Thanks for pointing this out.
Can the users navigate to the Internet from the inside through the PIX after the change of gateway
Yes they can. The internet is working perfectly inside, everything is working perfectly inside.
As to the publish of those commands I will have to grab them later this afternoon and post them. I will post back in the next few hours. Do you know the command for changing this or should I lookup the command with the utility on this site?
Message was edited by: Joe Tate (typos)
01-05-2011 11:15 AM
Joe, the command to change the route in the PIX is:
FW>ena
FW#configure terminal
FW(config)#route outside 0.0.0.0 0.0.0.0 70.62.13.50
FW(config)#no route outside 0.0.0.0 0.0.0.0 70.62.13.49
To collect the information you need to log the session in your terminal emulation software.
Regards,
Guzmán
01-05-2011 01:39 PM
Cochran-PIX# configure terminal
Cochran-PIX(config)# route outside 0.0.0.0 0.0.0.0 70.62.13.50
cannot add route entry. possible conflict with existing routes
Usage: [no] route
Cochran-PIX(config)# no route outside 0.0.0.0 0.0.0.0 70.62.13.49
Cochran-PIX(config)# route outside 0.0.0.0 0.0.0.0 70.62.13.50
doing this disabled the internet from working inside the network. I went ahead and did this:
Cochran-PIX(config)# no route outside 0.0.0.0 0.0.0.0 70.62.13.50
Cochran-PIX(config)# route outside 0.0.0.0 0.0.0.0 70.62.13.49
p.s. I attached a graphic of the error I receive when trying to connect. When I use an incorrect IP I receive a 412 error; however, using the correct IP it seams as if it attempts to contact the gateway and it just isn't responding.
Message was edited by: Joe Tate (attached screenshot of error)
01-06-2011 01:00 PM
I've scraped this device due to age. I picked up a new cisco firewall and the system is working perfectly
01-06-2011 06:11 PM
Good decision Joe
Regards,
Guzmán
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: