952 Views, 4 Helpful, 5 Replies

VPN client-to-PIX

fadisodah (Level 1)

Subject: VPN client-to-PIX VPN connections

Network:

VPNClient----ADSLRouter----Internet---Router---PIX---LAN(DB/Radius)

AND

CiscoVPN Client---DialupModem----Internet---Router---PIX---LAN(DB/Radius)

Requested:

1- PIX should accept remote access from VPN clients through ADSL to access services such as Database, SMTP, HTTP, etc.

2- PIX should accept remote access from VPN clients through a dial-up connection to access services such as Database, SMTP, HTTP, etc.

3- Authentication through an external RADIUS server.

Given:

VPN Client: Cisco VPN Client 4.8

Pix : Ver. 6.3

Office Router Real IP X.Y.Z.1 255.255.255.240

Office PIX Real IP X.Y.Z.2 255.255.255.240

Office LAN Server: 10.5.1.x/16

Office Client PC 10.6.10.x-10.6.20.x-10.6.30.x-10.6.40.x-10.6.50.x-10.6.60.x/24

Radius Server: 10.5.1.102

DB Server: 10.5.1.110/16

ADSL Remote LAN: 10.0.0.0/24

Dial-up connection: obtains a real IP through the ISP

Pix Configuration:

Pix# sh run

PIX Version 6.3(4)

hostname Pix

domain-name my.com

fixup protocol dns maximum-length 512

access-list inside-access permit tcp any any eq smtp

access-list inside-access deny ip any any

no pager

logging on

logging history informational

mtu outside 1500

mtu inside 1500

mtu dmz-app-server 1500

mtu failover-link 1500

ip address outside X.Y.Z.2 255.255.255.240

ip address inside 10.6.70.5 255.255.255.0

ip address dmz-app-server 192.168.10.1 255.255.255.0

ip address failover-link 10.6.170.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

failover

failover timeout 0:00:00

failover poll 15

failover link failover-link

pdm location 10.5.0.20 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 X.Y.Z.14

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (dmz-app-server,outside) X.Y.Z.10 192.168.10.3 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside-access in interface inside

route outside 0.0.0.0 0.0.0.0 X.Y.Z.1 1

route inside 10.4.100.10 255.255.255.255 10.6.70.1 1

route inside 10.5.0.0 255.255.0.0 10.6.70.1 1

route inside 10.6.0.0 255.255.0.0 10.6.70.1 1

timeout xlate 3:00:00

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

floodguard enable

console timeout 0

terminal width 80

Suggested solution:

The following is what I am planning to add to my PIX to enable VPN connections:

sysopt connection permit-ipsec

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server RADIUS (inside) host 10.5.1.102 password timeout 10

access-list nonat permit ip 10.5.1.0 255.255.255.0 10.0.0.0 255.255.255.0

ip local pool ippool 10.5.2.1-10.5.2.254

nat (inside) 0 access-list nonat

crypto ipsec transform-set mobileset esp-3des esp-md5-hmac

crypto dynamic-map mobiledynmap 20 set transform-set mobileset

crypto map mobilemap 20 ipsec-isakmp dynamic mobiledynmap

crypto map mobilemap client authentication RADIUS

crypto map mobilemap interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup mobilegroup address-pool ippool

vpngroup mobilegroup dns-server 10.5.1.111

vpngroup mobilegroup idle-time 1800

vpngroup mobilegroup password <password>

5 Replies

jmia (Level 7)

Fadi

The only command missing is:

isakmp nat-traversal

Apart from that looks OK.

Please rate posts if it helps!!

Regards,

Not working. I added the above and I am getting the following message:

Secure VPN connection terminated locally by the client. Reason: user authentication failed.

Fadi

The error message you're seeing is related to a RADIUS authentication failure. For sanity, take out the RADIUS authentication and check to see if it works - I bet it will! Keep the isakmp nat-traversal command; if you need an explanation of this command then let me know.

Also for reference, read this document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

Let me know how you get on,

Please rate post if it helps!

Regards,

I have this:

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server RADIUS (inside) host 10.5.1.102 password timeout 10

aaa-server LOCAL protocol local

crypto map mobilemap client authentication RADIUS

It works now.

Added isakmp nat-traversal.

Changed my access list to have access-list nonat permit ip 10.6.70.0 255.255.255.0 ........

Changed ippool to 11.1.1.1-11.1.1.254 to avoid any conflicts.
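As an added example (not from this thread and not Cisco code), the following Python script applies the sanity checks this thread works through to two config fragments: the one proposed in the original post, and the one described in the final reply. It is not a PIX parser; it only models the pieces that decided the outcome here: the address pool overlapping an inside route (10.5.2.x sits inside the 10.5.0.0/16 route, which is why the pool was moved to 11.1.1.x), the nat 0 exemption ACL covering the pool as destination and the needed servers as source, the aaa-server group referenced by client authentication having a host, and isakmp nat-traversal being present for clients behind the ADSL router. Both config texts are constructed from lines on the page; the destination of the final nonat line is truncated on the page ("........"), so 11.1.1.0/24 is an assumption in the corrected fragment, and the script reports that this single visible line does not exempt 10.5.1.110. Whether that applies to the real device depends on the lines hidden behind the dots.

```python
"""Added example: static sanity checks for the PIX 6.3 remote-access VPN
pieces discussed in this thread. Not Cisco code; models only NAT exemption,
pool overlap, AAA host presence and NAT-T, not full PIX semantics."""
import ipaddress

# Constructed from the original post: relevant "sh run" lines plus the
# lines the poster planned to add.
ORIGINAL_CONFIG = """
ip address inside 10.6.70.5 255.255.255.0
ip address dmz-app-server 192.168.10.1 255.255.255.0
route inside 10.5.0.0 255.255.0.0 10.6.70.1 1
route inside 10.6.0.0 255.255.0.0 10.6.70.1 1
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.5.1.102 password timeout 10
access-list nonat permit ip 10.5.1.0 255.255.255.0 10.0.0.0 255.255.255.0
ip local pool ippool 10.5.2.1-10.5.2.254
nat (inside) 0 access-list nonat
crypto map mobilemap client authentication RADIUS
"""

# Constructed from the final reply. The nonat destination is truncated on
# the page ("........"); 11.1.1.0/24 is an ASSUMPTION made for this example.
CORRECTED_CONFIG = """
ip address inside 10.6.70.5 255.255.255.0
ip address dmz-app-server 192.168.10.1 255.255.255.0
route inside 10.5.0.0 255.255.0.0 10.6.70.1 1
route inside 10.6.0.0 255.255.0.0 10.6.70.1 1
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.5.1.102 password timeout 10
access-list nonat permit ip 10.6.70.0 255.255.255.0 11.1.1.0 255.255.255.0
ip local pool ippool 11.1.1.1-11.1.1.254
nat (inside) 0 access-list nonat
crypto map mobilemap client authentication RADIUS
isakmp nat-traversal
"""

# Internal hosts the VPN clients must reach (the DB server from the post).
SERVERS = ("10.5.1.110",)


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Extract only the statements the checks below need."""
    cfg = {"local_nets": [], "pools": {}, "acls": {}, "nat0": None,
           "aaa_hosts": {}, "client_auth": None, "nat_t": False}
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        try:
            if w[:2] == ["ip", "address"] and w[2] != "outside":
                cfg["local_nets"].append(_net(w[3], w[4]))   # connected subnets
            elif w[0] == "route" and w[1] != "outside":
                cfg["local_nets"].append(_net(w[2], w[3]))   # routed inside subnets
            elif w[:3] == ["ip", "local", "pool"]:
                first, last = w[4].split("-")
                cfg["pools"][w[3]] = (ipaddress.ip_address(first),
                                      ipaddress.ip_address(last))
            elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
                cfg["acls"].setdefault(w[1], []).append(
                    (_net(w[4], w[5]), _net(w[6], w[7])))
            elif w[:4] == ["nat", "(inside)", "0", "access-list"]:
                cfg["nat0"] = w[4]
            elif w[0] == "aaa-server" and "host" in w:
                cfg["aaa_hosts"].setdefault(w[1], []).append(w[w.index("host") + 1])
            elif w[:2] == ["crypto", "map"] and w[3:5] == ["client", "authentication"]:
                cfg["client_auth"] = w[5]
            elif w[:2] == ["isakmp", "nat-traversal"]:
                cfg["nat_t"] = True
        except (ValueError, IndexError):
            continue  # malformed or unexpected lines are ignored
    return cfg


def _overlaps(first, last, net):
    """True if any address in the range [first, last] lies inside net."""
    return first <= net.broadcast_address and last >= net.network_address


def check_vpn_config(text, servers=SERVERS):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_config(text)
    findings = []
    nonat = cfg["acls"].get(cfg["nat0"], [])
    for name, (first, last) in cfg["pools"].items():
        # 1. A pool overlapping an inside subnet breaks routing back to clients.
        for local in cfg["local_nets"]:
            if _overlaps(first, last, local):
                findings.append(f"pool {name} overlaps local network {local}")
        # 2. The pool must be a destination in the nat 0 ACL, or replies get PATed.
        if not any(first in dst and last in dst for _, dst in nonat):
            findings.append(f"pool {name} is not covered by the NAT exemption destination")
    # 3. Every server the clients need must be a source in the nat 0 ACL.
    for srv in servers:
        if not any(ipaddress.ip_address(srv) in src for src, _ in nonat):
            findings.append(f"server {srv} is not covered by the NAT exemption source")
    # 4. The aaa-server group used for client authentication needs a host.
    tag = cfg["client_auth"]
    if tag and not cfg["aaa_hosts"].get(tag):
        findings.append(f"client authentication uses aaa-server {tag} with no host")
    # 5. Clients behind a NAT device (the ADSL router here) need NAT-T.
    if not cfg["nat_t"]:
        findings.append("isakmp nat-traversal is missing")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("original", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, check_vpn_config(cfg_text) or ["ok"])
```

Run against the original fragment it reports three findings (pool overlap with the 10.5.0.0/16 route, pool outside the nonat destination, NAT-T missing), which are the three things the thread changed; against the corrected fragment it reports only the source-coverage note for 10.5.1.110, which follows from the assumed single nonat line.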