Re: VPN connection

j.rounkles · ‎07-19-2005

At home I have a Pix 501. At work we use a VPN 3000. Everyone else can connect and work from home except the users who have a Pix (such as myself). The VPN client connects (or atleasts says it does) however I cannot use any terminal service (ie Remote Desktop Connection). We use this on several servers at work. I obtain all the Network settings from our DHCP server at work (IP, Gateway, DNS, etc.). What am I missing in the Pix that is keeping my from browsing the network? TIA for any help.

aacole · ‎07-20-2005

When you connect into your network from home are you using a PC with a VPN client or are you using a pix to concentrator VPN?

j.rounkles · ‎07-20-2005

Using the Cisco VPN Client (ver. 4.6.03.0021).

johnd2310 · ‎07-21-2005

what is your config?

I have the following config and remote desktop works fine:

-Internet-827(NAT overload)-PIX(NAT0)-PC(vpn client)

**Please rate posts you find helpful**

j.rounkles · ‎07-21-2005

Here is a copy of my config...if you see something I should have that is missing please advise...

I apologize for my ignorance but please be specific on what I am missing and what I should add.

jackko · ‎07-21-2005

try this command:

isakmp nat-traversal

j.rounkles · ‎07-22-2005

added lines and still not able to connect through RDP connection. (Trying to connect using IP address and not machine name.)

johnd2310 · ‎07-22-2005

quick question on your config. what is the ipsec config for? Are you using it to connect to another vpn device or is it to allow vpn into your home network?

try the following:

disable the ipsec stuff on the pix.

set your vpn client to connect using ipsec over tcp

port is usually 10000. check that the office vpn

concentrator is configured to support ipsec over tcp

port 10000

**Please rate posts you find helpful**

j.rounkles · ‎07-23-2005

Still no go...it doesn't seem that I am decrypting any packets on my end at home nor am I establishing any routes...see attachment screen capture

johnd2310 · ‎07-25-2005

try capture command on the pix to see what traffic is going through.

used any prsonal firewall on the pc?

is there any device between pix and internet? have you tried connecting pc directly, bypassing pix?

**Please rate posts you find helpful**

j.rounkles · ‎07-25-2005

I have the Win XP firewall disabled, Internet comes through my wireless antenna which has Pix's MAC address tied to it. If I want to test by going around Pix then I have to call ISP and have them enter another MAC address. All other users that are not using a Cisco PIX are able to access the Terminal Servers via VPN connection. We are all using the same VPN Client version.

jackko · ‎07-25-2005

having a look at the posted config.

the crypto map is matching acl 101, but acl 101 is missing. would you plesse re-post the config?

j.rounkles · ‎07-26-2005

: Written by enable_15 at 12:23:45.258 CDT Tue Jul 12 2005

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname jakepix

domain-name cmuonline.net

clock timezone CST -6

clock summer-time CDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 172.30.5.5 Server

access-list 101 permit ip 172.30.5.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list outside-in permit tcp any interface outside eq ftp

pager lines 24

logging on

logging host inside Server

mtu outside 1500

mtu inside 1500

ip address outside xx.xx.xxx.xx 255.255.255.192

ip address inside 172.30.5.x 255.255.255.0

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 10.1.1.1-10.1.1.254

pdm location 172.30.5.0 255.255.255.255 inside

pdm location Server 255.255.255.255 inside

pdm location 172.30.6.0 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface ftp Server ftp netmask 255.255.255.255 0 0

access-group outside-in in interface outside

route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.x 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 172.30.5.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside 172.30.5.xx c:

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set aptset esp-3des esp-md5-hmac

crypto map aptmap 10 ipsec-isakmp

crypto map aptmap 10 match address 101

crypto map aptmap 10 set peer (work's ip address)

crypto map aptmap 10 set transform-set aptset

crypto map aptmap interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

telnet 172.30.5.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 3

terminal width 80

Cryptochecksum:xxxx