[c-nsp] PIX VPN Problem

Paul Stewart pauls at nexicom.net
Mon Jan 24 13:27:16 EST 2005



Thanks for the replies.  That did the trick...

Now, one final piece is allowing the client to browse the internal
network (which I think is working - still have to get the WINS server
running however)... but also reach the outside world.

I thought I had configured it as per below to allow both but I can't
reach out external DNS or even ping our core router...?

Thanks again for all your help...
Paul


Koen Peetermans wrote:
| Hi Paul,
|
| Try using "username" instead of "vpdn username" for creating your local
| accounts.
|
| I think only pptp (and maybe L2tp) uses vpdn username, Ipsec remote access
| uses "username"
|
| Kind regards,
|
| Koen.
|
| -----Original Message-----
| From: cisco-nsp-bounces at puck.nether.net
| [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
| Sent: Monday 24 January 2005 17:57
| To: cisco-nsp at puck.nether.net
| Subject: [c-nsp] PIX VPN Problem
|
| Hi there...
|
| I hope the list can help me out...:)
|
| I've got a 515E PIX box that I'm trying to get remote access VPN running
| to.  Below is the config... what's happening is 413-user auth failed
|
| The config is setup to use local username/passwords and I've recreated
| my own login just to make sure the password is correct.. what am I
| missing here?
|
| Thanks,
|
| Paul
|
| PIX Version 6.3(4)
| interface ethernet0 100full
| interface ethernet1 100full
| interface ethernet2 auto shutdown
| nameif ethernet0 outside security0
| nameif ethernet1 inside security100
| nameif ethernet2 intf2 security10
| enable password XXXXXXXXXXXXXXX encrypted
| passwd XXXXXXXXXXXXXXXXX encrypted
| hostname fw
| domain-name XXX.NET
| clock timezone EST -5
| clock summer-time EDT recurring
| fixup protocol dns maximum-length 512
| fixup protocol ftp 21
| fixup protocol h323 h225 1720
| fixup protocol h323 ras 1718-1719
| no fixup protocol http 80
| fixup protocol ils 389
| fixup protocol rsh 514
| fixup protocol rtsp 554
| fixup protocol sip 5060
| fixup protocol sip udp 5060
| fixup protocol skinny 2000
| no fixup protocol smtp 25
| fixup protocol sqlnet 1521
| fixup protocol tftp 69
| names
| access-list compiled
| access-list 100 permit icmp any any echo-reply
| access-list 100 permit icmp any any time-exceeded
| access-list 100 permit icmp any any unreachable
| access-list 101 permit ip 192.192.61.0 255.255.255.0 10.1.1.0 255.255.255.0
| access-list 101 permit ip any 172.30.230.0 255.255.255.0
| access-list Nexicom_splitTunnelAcl permit ip any any
| access-list outside_cryptomap_dyn_20 permit ip any 172.30.230.0 255.255.255.0
| pager lines 24
| logging on
| logging trap warnings
| logging facility 23
| logging queue 0
| logging host outside XXX.XXX.XXX.XXX
| mtu outside 1500
| mtu inside 1500
| mtu intf2 1500
| ip address outside XXX.XXX.XXX.XXX 255.255.255.0
| ip address inside 192.192.61.224 255.255.255.0
| ip address intf2 127.0.0.1 255.255.255.255
| ip verify reverse-path interface outside
| ip audit info action alarm
| ip audit attack action alarm
| ip local pool VPN 172.30.230.1-172.30.230.254
| pdm history enable
| arp timeout 14400
| global (outside) 10 interface
| nat (inside) 0 access-list 101
| nat (inside) 10 0.0.0.0 0.0.0.0 dns 0 0
| access-group 100 in interface outside
| route outside 0.0.0.0 0.0.0.0 216.168.96.1 1
| timeout xlate 3:00:00
| timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
| timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
| timeout uauth 0:05:00 absolute
| aaa-server TACACS+ protocol tacacs+
| aaa-server TACACS+ max-failed-attempts 3
| aaa-server TACACS+ deadtime 10
| aaa-server RADIUS protocol radius
| aaa-server RADIUS max-failed-attempts 3
| aaa-server RADIUS deadtime 10
| aaa-server LOCAL protocol local
| aaa authentication telnet console LOCAL
| aaa authentication ssh console LOCAL
| ntp server 130.126.24.44 source outside prefer
| http server enable
| http 192.192.61.0 255.255.255.0 inside
| no snmp-server enable traps
| no floodguard enable
| sysopt connection tcpmss 0
| sysopt connection permit-ipsec
| crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
| crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
| crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
| crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
| crypto map outside_map client authentication LOCAL
| crypto map outside_map interface outside
| isakmp enable outside
| isakmp identity address
| isakmp policy 20 authentication pre-share
| isakmp policy 20 encryption 3des
| isakmp policy 20 hash md5
| isakmp policy 20 group 2
| isakmp policy 20 lifetime 86400
| vpngroup Nexicom address-pool VPN
| vpngroup Nexicom dns-server 216.168.96.10 216.168.96.13
| vpngroup Nexicom wins-server 192.192.61.246
| vpngroup Nexicom default-domain nexicom.net
| vpngroup Nexicom split-tunnel Nexicom_splitTunnelAcl
| vpngroup Nexicom idle-time 1800
| vpngroup Nexicom password ********
| telnet timeout 5
| ssh 192.192.61.0 255.255.255.0 inside
| ssh timeout 5
| console timeout 0
| vpdn username harvey password ********
| vpdn username tom password ********
| vpdn username mike password ********
| vpdn username billr password ********
| vpdn username amhalliday password ********
| vpdn username paul password **********
| vpdn enable outside
| dhcpd address 192.192.61.32-192.192.61.99 inside
| dhcpd dns 216.168.96.10 216.168.96.13
| dhcpd lease 50400
| dhcpd ping_timeout 750
| dhcpd domain nexicom.net
| dhcpd enable inside
| username admin password XXXXXXXXXXXXXXXX encrypted privilege 15
| terminal width 80
|
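An added config-audit script illustrating Koen's point, not code from the thread or from Cisco: it scans a PIX 6.3-style config for a crypto map that does LOCAL client (xauth) authentication and flags accounts that exist only as `vpdn username` entries, which PPTP/L2TP consume, rather than as `username` entries. The sample config is a constructed excerpt modelled on the one Paul posted; the function name and regexes are my own assumptions about the line syntax.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the PIX 6.3(4) config posted in the thread.
# Account names are kept for illustration; passwords are placeholders.
SAMPLE_CONFIG = """\
PIX Version 6.3(4)
aaa-server LOCAL protocol local
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
vpngroup Nexicom address-pool VPN
vpngroup Nexicom password ********
vpdn username harvey password ********
vpdn username paul password ********
username admin password XXXXXXXX encrypted privilege 15
"""


def audit_remote_access_auth(config: str) -> Dict[str, List[str]]:
    """Classify local accounts by which remote-access method can use them.

    'ipsec_usable' lists accounts created with 'username' (what LOCAL xauth
    on the crypto map checks); 'vpdn_only' lists accounts that exist solely
    as 'vpdn username' entries; 'warnings' is non-empty when the crypto map
    relies on LOCAL xauth but accounts are only defined the vpdn way.
    """
    xauth_local = False
    local_users, vpdn_users = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if re.match(r"crypto map \S+ client authentication LOCAL$", line):
            xauth_local = True
            continue
        m = re.match(r"vpdn username (\S+) password", line)
        if m:
            vpdn_users.add(m.group(1))
            continue  # do not let the plain 'username' pattern see this line
        m = re.match(r"username (\S+) password", line)
        if m:
            local_users.add(m.group(1))
    findings: Dict[str, List[str]] = {
        "ipsec_usable": sorted(local_users),
        "vpdn_only": sorted(vpdn_users - local_users),
        "warnings": [],
    }
    if xauth_local and findings["vpdn_only"]:
        findings["warnings"].append(
            "crypto map authenticates clients against LOCAL, but these accounts "
            "exist only as 'vpdn username': " + ", ".join(findings["vpdn_only"]))
    return findings
```

Running it over the sample reports harvey and paul as vpdn-only and admin as the only account LOCAL xauth would accept, which matches the 413 user auth failure Paul saw before switching to `username`.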
