VPN Concentrator 3000 Setup with Cisco VPN Client

I have the following scenario: the VPN Concentrator is connected to a router, which is connected to another router, and at the edge a Cisco 515E PIX is connected to the internet. The problem is that the normal VPN dial-up connection (a Windows utility) gets connected, but the Cisco VPN Client throws error 412. Here's what I've tried (groups and users were created initially):

(1) Allowed port 10000 on the PIX (access-list from-outside-coming-in permit tcp any host <public ip> eq 10000) and checked IPSec over UDP on the VPN Conc. under the Mode Config tab. Also checked the IPSec over TCP tab under the tunneling panel at port 10000. Tried connecting through the VPN Client, but it threw error 412.

(2) In the reference guide, I read that IPSec over NAT is allowed on ports ranging from 4000 something to 40000 something. I tried 33333, both on the PIX and on the VPN Conc. under the Mode Config tab, but still no use. Same error 412.

Please guide me, as maybe I'm missing something. Urgent help will be highly appreciated!

3 Replies

Jennifer Halim
Cisco Employee

NAT-T uses UDP/4500, so you might want to open that port as well.

Is your PIX firewall performing NAT for the VPN Concentrator public interface IP? How is the PIX configured?

You mention that your VPN Client is getting connected however then throw error 412. Can you please advise if it's connected on both Phase 1 (IKE) and Phase 2 (IPSec)? Can you share the logs from the vpn client as well as from the vpn concentrator to see exactly where it's failing?

Here's a detailed overview of the scenario:

  • The access list mentioned in the question allows port 10000, but another access list with the same credentials also allows PPTP connections. NATing is done as:

                       static (inside,outside) netmask 255.255.255.255

                       route inside 1

  • I configured the connection on the client both with IPSec over UDP and IPSec over TCP (port 10000); I am still unable to make a connection, and it throws me 412. It was never connected.

  • On my VPN Conc. I've allowed port 10000 both for IPSecoUDP and IPSecoTCP. Even after allowing it on the PIX like:

                       access-list from-outside-coming-in permit tcp any host eq pptp

                       access-list from-outside-coming-in permit tcp any host eq 10000

                       access-list from-outside-coming-in deny ip any any

                       access-list from-outside-coming-in deny icmp any any

    there's still no connection. No logs are generated by the VPN Client, as no connection was established. No key was exchanged.

Maybe I was in a rush, which is why I couldn't explain well, but your response is still well and truly regarded. I need urgent help from the community.

PPTP and IPSec are 2 different types of VPN.

Are you using PPTP client or IPSec client? If you are using the Cisco VPN Client software, then it's IPSec VPN, not PPTP VPN.

From the PIX, I don't see that you are allowing both TCP and UDP, as the access-list only specifies TCP. Also, if you are using IPSec VPN, don't worry about the PPTP access-list.

You would need to configure the following:

access-list from-outside-coming-in permit udp any host eq 500

access-list from-outside-coming-in permit udp any host eq 4500

access-list from-outside-coming-in permit udp any host eq 10000

Also, please make sure that the above permit lines are configured above the current "access-list from-outside-coming-in deny ip any any" line.
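As an added illustration (not from the thread, and not Cisco code), the following Python script models the PIX's first-match access-list evaluation and reports which of the three UDP flows named in the reply (IKE 500, NAT-T 4500, IPSec over UDP 10000) an ACL would drop; it also covers the ordering point in the last sentence by checking the same permits placed below the deny line. The concentrator's public IP is a constructed placeholder, since the thread elides the real address.

```python
import re

# Hypothetical placeholder for the concentrator's public IP; the post elides the real address.
VPN_PUBLIC_IP = "203.0.113.10"
# Flows the Cisco VPN Client needs: IKE (UDP/500), NAT-T (UDP/4500), IPSec over UDP (UDP/10000).
REQUIRED_FLOWS = (("udp", "500"), ("udp", "4500"), ("udp", "10000"))
# Matches the extended ACE forms that appear in the thread (source "any", host or any destination).
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+any\s+"
    r"(?:host\s+(?P<dst>\S+)|any)(?:\s+eq\s+(?P<port>\S+))?$"
)

# Constructed ACLs written as in the thread, with the placeholder address filled in.
ACL_BEFORE = f"""
access-list from-outside-coming-in permit tcp any host {VPN_PUBLIC_IP} eq pptp
access-list from-outside-coming-in permit tcp any host {VPN_PUBLIC_IP} eq 10000
access-list from-outside-coming-in deny ip any any
"""
UDP_PERMITS = "\n".join(
    f"access-list from-outside-coming-in permit udp any host {VPN_PUBLIC_IP} eq {p}"
    for _, p in REQUIRED_FLOWS
)
# The reply's permits appended below the deny line: first match wins, so they never fire.
ACL_MISORDERED = ACL_BEFORE + UDP_PERMITS
# The same permits placed above the deny line, as the reply instructs.
ACL_FIXED = UDP_PERMITS + "\naccess-list from-outside-coming-in deny ip any any"


def parse_acl(text):
    """Parse the ACEs in order; lines that do not fit the pattern are skipped."""
    matches = [ACE_RE.match(line.strip()) for line in text.strip().splitlines()]
    return [(m["action"], m["proto"], m["dst"], m["port"]) for m in matches if m]


def flow_permitted(aces, proto, dst_ip, port):
    """PIX semantics: the first matching ACE decides; no match means implicit deny."""
    for action, ace_proto, ace_dst, ace_port in aces:
        if ace_proto not in ("ip", proto):
            continue
        if ace_dst not in (None, dst_ip) or ace_port not in (None, port):
            continue
        return action == "permit"
    return False


def missing_flows(acl_text, dst_ip=VPN_PUBLIC_IP, required=REQUIRED_FLOWS):
    """Return the required flows this ACL would drop, as 'proto/port' strings."""
    aces = parse_acl(acl_text)
    return [f"{p}/{n}" for p, n in required if not flow_permitted(aces, p, dst_ip, n)]
```

Running `missing_flows` over the three constructed ACLs shows all three UDP flows dropped for both the original and the misordered list, and none dropped once the permits sit above the deny line.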