[c-nsp] PIX VPN Problem
Serguei Bezverkhi
sbezverkhi at hotmail.com
Mon Jan 24 12:43:12 EST 2005
Did you try to connect with admin as a username??
I think the problem is that you have only one user defined in LOCAL
database, which is admin. Other users are defined as VPDN users, it is not
the same and from my past experience these users could not be used for LOCAL
authentication.
Try to define them the same way as admin.
HTH
Serguei
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Monday, January 24, 2005 11:57 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] PIX VPN Problem
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi there...
I hope the list can help me out...:)
I've got a 515E PIX box that I'm trying to get remote access VPN running
to. Below is the config... what's happening is 413-user auth failed
The config is setup to use local username/passwords and I've recreated
my own login just to make sure the password is correct.. what am I
missing here?
Thanks,
Paul
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
hostname fw
domain-name XXX.NET
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list compiled
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 101 permit ip 192.192.61.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip any 172.30.230.0 255.255.255.0
access-list Nexicom_splitTunnelAcl permit ip any any
access-list outside_cryptomap_dyn_20 permit ip any 172.30.230.0
255.255.255.0
pager lines 24
logging on
logging trap warnings
logging facility 23
logging queue 0
logging host outside XXX.XXX.XXX.XXX
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside XXX.XXX.XXX.XXX 255.255.255.0
ip address inside 192.192.61.224 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 172.30.230.1-172.30.230.254
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list 101
nat (inside) 10 0.0.0.0 0.0.0.0 dns 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 216.168.96.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
ntp server 130.126.24.44 source outside prefer
http server enable
http 192.192.61.0 255.255.255.0 inside
no snmp-server enable traps
no floodguard enable
sysopt connection tcpmss 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Nexicom address-pool VPN
vpngroup Nexicom dns-server 216.168.96.10 216.168.96.13
vpngroup Nexicom wins-server 192.192.61.246
vpngroup Nexicom default-domain nexicom.net
vpngroup Nexicom split-tunnel Nexicom_splitTunnelAcl
vpngroup Nexicom idle-time 1800
vpngroup Nexicom password ********
telnet timeout 5
ssh 192.192.61.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn username harvey password ********
vpdn username tom password ********
vpdn username mike password ********
vpdn username billr password ********
vpdn username amhalliday password ********
vpdn username paul password **********
vpdn enable outside
dhcpd address 192.192.61.32-192.192.61.99 inside
dhcpd dns 216.168.96.10 216.168.96.13
dhcpd lease 50400
dhcpd ping_timeout 750
dhcpd domain nexicom.net
dhcpd enable inside
username admin password XXXXXXXXXXXXXXXX encrypted privilege 15
terminal width 80
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
iD8DBQFB9SjyqMetgU57IuQRAoTtAJ9hKfW5O2PgXdBAUVbZNH9JF/KLzQCfSvYL
VTHKE1aUA6vyB8d+yImZ5Wc=
=ht8t
-----END PGP SIGNATURE-----
More information about the cisco-nsp
mailing list