01-31-2006 12:44 PM
OK I give up! Help
My VPN client 4.0.5 is not connecting to the network. I'm using ISA and RADIUS to authenticate. However, the client is not connecting. So the setup is ISP---PIX---ISA/Exchange/file server (Windows 2000).
Here is the 501 config.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx
passwd xxxx
hostname pixfirewall
domain-name hshd.loc
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol http 80
fixup protocol smtp 25
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol skinny 2000
no fixup protocol sqlnet 1521
names
access-list outbound permit ip any 192.168.101.192 255.255.255.248
access-list outside_cryptomap_dyn_20 permit ip any 192.168.101.192 255.255.255.248
pager lines 24
logging on
logging timestamp
logging trap errors
logging host inside 192.168.101.125
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside 69.x.x.x.x.255.248
ip address inside 192.168.101.1 255.255.0.0
multicast interface outside
multicast interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool hshd 192.168.101.193-192.168.101.197
pdm location 192.168.101.125 255.255.255.255 inside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 1 69.53.120.26
nat (inside) 0 access-list outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.x.x.x.x.120.27 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.101.125 XXXXXXX timeout 10
ntp server 192.168.101.125 source inside
http server enable
http 192.168.101.125 255.255.255.255 inside
no snmp-server location
no snmp-server contact
no snmp-server enable traps
tftp-server inside 192.168.101.125 \ciscosystems\pix
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication inside
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup HSHD address-pool hshd
vpngroup HSHD dns-server 192.168.101.125
vpngroup HSHD default-domain hshd.hom
vpngroup HSHD idle-time 1800
vpngroup HSHD password ********
telnet 192.168.101.125 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Any help or thoughts would be welcome. My concern is that the network subnet may not be proper for NAT (.192-.224).
Thanks
Bill
02-02-2006 05:55 PM
Bill,
First off, what is the actual problem: is it that the client isn't connecting, or is there a problem with authentication?
Here are the steps I would take to troubleshoot your problems.
First, change your authentication to use local user accounts on your PIX temporarily, or set it up to fall back to the PIX for authentication. Then create an identical user account on the PIX with a different password. Try to log in using the first password (the one on your server); if no go, then try using the second password. If it connects, then you know your VPN setup is right and just your AAA is having a problem.
config example:
crypto map outside_map client authentication inside local
aaa-server LOCAL protocol local
username someone password somewhere
PS: turn the logging setting in your VPN client to high for ISAKMP and IPsec to discover problems with your actual VPN configuration.
Hth
Patrick
02-02-2006 07:22 PM
What OS is the client installed on? If it's XP SP2, you have to have 4.6 or better.
02-03-2006 02:03 AM
Hello,
It will be worth looking at the explanations and configurations given in: "Configuring IPSec Between Two PIXes With VPN Client 4.x Access"
Just skip the commented configuration part for PIX-to-PIX communication. Another document which can help you is: "How to Configure the Cisco VPN Client to PIX with AES" found at
For troubleshooting purposes have a look at:
"Resolving Microsoft Routing Problems on Cisco VPN Clients"
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_tech_note09186a00801b7615.shtml
and
"Troubleshooting Microsoft Network Neighborhood After Establishing a VPN Tunnel With the Cisco VPN Client" at
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_tech_note09186a0080194b4a.shtml
Hope this helps! Please rate all posts.
Regards, Martin
02-04-2006 04:58 PM
Dear Bill
please see the url http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guide09186a0080184928.html#wp10311
Secondly, if all is correct, you have to configure the PIX with the following command, according to your configuration:
crypto map outside_map client authentication RADIUS
Finally, you also have to configure the ACS/RADIUS for the external user database as Windows 2000 Server.
HTH. Also, please feel free to buzz me on ephraim_mani@yahoo.com
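To tie Patrick's test and Ephraim's fix together, here is an added example of the PIX 6.x command sequence (example commands written for this thread, not config posted by anyone above): first authenticate the VPN client against the PIX's own user database to separate a tunnel problem from an AAA problem, then bind XAUTH to the RADIUS group that the posted config already defines. Note that the posted config binds `client authentication` to a tag named `inside`, while the only aaa-server group it defines is `RADIUS`. The username `vpntest`, its password and `<shared-secret>` are placeholders; the `!` lines are explanatory comments rather than commands to paste.

```cisco
! --- Step 1 (Patrick's test): authenticate the VPN client against the PIX itself ---
! Placeholder throwaway account; remove it when the test is done.
aaa-server LOCAL protocol local
username vpntest password T3mpPass1
crypto map outside_map client authentication LOCAL

! Watch the negotiation while the client connects. If Phase 1 never completes,
! look at the vpngroup name/password and the ISAKMP policy; if Phase 1 completes
! but the client is prompted and rejected, look at the aaa-server binding instead.
debug crypto isakmp
debug crypto ipsec
show crypto isakmp sa
show uauth

! --- Step 2 (Ephraim's fix): point XAUTH at the RADIUS group from the posted config ---
! The tag after "client authentication" must match an aaa-server group tag.
! The posted config defines RADIUS but binds to "inside", which is not a group.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.101.125 <shared-secret> timeout 10
crypto map outside_map client authentication RADIUS
no username vpntest

! The nat 0 ACL "outbound" and the dynamic crypto ACL in the posted config both
! already cover the pool: 192.168.101.193-.197 falls inside 192.168.101.192/29.
! Clean up when finished.
no debug crypto isakmp
no debug crypto ipsec
```

Change only one thing at a time: if the tunnel comes up with `LOCAL` but fails after switching to `RADIUS`, the remaining problem is between the PIX and the RADIUS server (shared secret, client entry for the PIX's inside address, or the server's user database), not the VPN configuration.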