Solved: VPN client issue

ilyaskhan · ‎06-26-2005

Hi,

im trying to configure my friends firewall for accepting vpn client software connections from remote sites. I applied a configuration from a previous case i had done but this time when the client tries to connect, it comes to the point of 'Securing communications channel' and doesnt go further. Ive attached the running config of the pix and some debug and show command output.

Also, if i wanted to limit the remote client to using only port to one server, how would i go about doing that? In my case, i would want to give the client access to only one server on the dmz with port 25.

Thanks.

ehirsel · ‎06-28-2005

To limit access to only specific server and port from the vpn clients do the following:

1. Allow ipsec client traffic to be processed by an acl applied to the outside interface by running this command in global config mode:

no sysopt connection permit-ipsec

2. Add these statements to acl 2, which is applied to the outside interface:

access-list 2 permit tcp 172.16.1.0 255.255.255.0 host x eq 25

Notes:

ACL 2 has a explicit deny ip any any line which should be removed and then added back after all acl changes are done, otherwise it would block want you want to permit.

You may need to allow the vpn clients to connect to your dns and/or wins servers too, unless they will address your mail server by ip address instead of hostname.

What version of the vpn client are you using and what OS does it run on? You may need to add an isakmp policy that has a lifetime of less than 86400 seconds to get the client to connect.

Let me know what you find.

View solution in original post

ehirsel · ‎06-28-2005

To limit access to only specific server and port from the vpn clients do the following:

1. Allow ipsec client traffic to be processed by an acl applied to the outside interface by running this command in global config mode:

no sysopt connection permit-ipsec

2. Add these statements to acl 2, which is applied to the outside interface:

access-list 2 permit tcp 172.16.1.0 255.255.255.0 host x eq 25

Notes:

ACL 2 has a explicit deny ip any any line which should be removed and then added back after all acl changes are done, otherwise it would block want you want to permit.

You may need to allow the vpn clients to connect to your dns and/or wins servers too, unless they will address your mail server by ip address instead of hostname.

What version of the vpn client are you using and what OS does it run on? You may need to add an isakmp policy that has a lifetime of less than 86400 seconds to get the client to connect.

Let me know what you find.

ilyaskhan · ‎06-28-2005

Thanks for the reply.

Here is the info about the versions:

OS:Windows 2000 professional

VPN client version:3.6

PIX IOS:6.1(4)

But im just typing that since i bothered collecting it before i SOLVED the problem...YYIIPPEE!! :)

yup, got the dirty fish out of the pond. It wasnt the lifetime statement that was giving the problem. It was this one:

crypto dynamic-map jssmap 10 match address 111

I had this command applied before on a dynamic vpn configuration, but apparently you dont need it in this ezvpn scenario.

Anyway, Thanx a lot for the idea about limiting access for the remote client. I implemented that as well and things are working fine now.

My friends ppl need access to the server only thru IP not name, so i can skip the dns/wins statements.

thanks again.