[c-nsp] PIX VPN Problem

Paul Stewart pauls at nexicom.net
Mon Jan 24 20:07:35 EST 2005


Hi there... thanks for the feedback...


I was actually hoping to use split-tunnel and thought that below had
configured it... obviously not...:)  The users who are coming in remote are
also people who work in the office during normal hours.. this VPN is for after
hours work basically so I don't see as much security concern (but I do
understand your concern)...

Thanks,

Paul


On Mon, 24 Jan 2005 16:47:39 -0700, Charlie Winckless wrote
> On Mon, 2005-01-24 at 13:27 -0500, Paul Stewart wrote:
> > 
> > Thanks for the replies.  That did the trick...
> > 
> > Now, one final piece is allowing the client to browse the internal
> > network (which I think is working - still have to get the WINS server
> > running however)... but also reach the outside world.
> > 
> > I thought I had configured it as per below to allow both but I can't
> > reach out external DNS or even ping our core router...?
> 
> That'd be hairpinning on the interface, which the PIX won't allow.
> 
> One option, though far from my favourite, is to use a split tunnel.
> This has relatively serious security implications, but will allow
> it.
> 
> Otherwise terminating the tunnel on the PIX will just not work.
> 
> -- Charlie
> > 
> > Thanks again for all your help...
> > Paul
> > 
> > 
> > Koen Peetermans wrote:
> > | Hi Paul,
> > |
> > | Try using "username" instead of "vpdn username" for creating your local
> > | accounts.
> > |
> > | I think only pptp (and maybe L2tp) uses vpdn username, Ipsec remote access
> > | uses "username"
> > |
> > | Kind regards,
> > |
> > | Koen.
> > |
> > | -----Original Message-----
> > | From: cisco-nsp-bounces at puck.nether.net
> > | [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
> > | Sent: maandag 24 januari 2005 17:57
> > | To: cisco-nsp at puck.nether.net
> > | Subject: [c-nsp] PIX VPN Problem
> > |
> > | Hi there...
> > |
> > | I hope the list can help me out...:)
> > |
> > | I've got a 515E PIX box that I'm trying to get remote access VPN running
> > | to.  Below is the config... what's happening is 413-user auth failed
> > |
> > | The config is setup to use local username/passwords and I've recreated
> > | my own login just to make sure the password is correct.. what am I
> > | missing here?
> > |
> > | Thanks,
> > |
> > | Paul
> > |
> > | PIX Version 6.3(4)
> > | interface ethernet0 100full
> > | interface ethernet1 100full
> > | interface ethernet2 auto shutdown
> > | nameif ethernet0 outside security0
> > | nameif ethernet1 inside security100
> > | nameif ethernet2 intf2 security10
> > | enable password XXXXXXXXXXXXXXX encrypted
> > | passwd XXXXXXXXXXXXXXXXX encrypted
> > | hostname fw
> > | domain-name XXX.NET
> > | clock timezone EST -5
> > | clock summer-time EDT recurring
> > | fixup protocol dns maximum-length 512
> > | fixup protocol ftp 21
> > | fixup protocol h323 h225 1720
> > | fixup protocol h323 ras 1718-1719
> > | no fixup protocol http 80
> > | fixup protocol ils 389
> > | fixup protocol rsh 514
> > | fixup protocol rtsp 554
> > | fixup protocol sip 5060
> > | fixup protocol sip udp 5060
> > | fixup protocol skinny 2000
> > | no fixup protocol smtp 25
> > | fixup protocol sqlnet 1521
> > | fixup protocol tftp 69
> > | names
> > | access-list compiled
> > | access-list 100 permit icmp any any echo-reply
> > | access-list 100 permit icmp any any time-exceeded
> > | access-list 100 permit icmp any any unreachable
> > | access-list 101 permit ip 192.192.61.0 255.255.255.0 10.1.1.0 255.255.255.0
> > | access-list 101 permit ip any 172.30.230.0 255.255.255.0
> > | access-list Nexicom_splitTunnelAcl permit ip any any
> > | access-list outside_cryptomap_dyn_20 permit ip any 172.30.230.0 255.255.255.0
> > | pager lines 24
> > | logging on
> > | logging trap warnings
> > | logging facility 23
> > | logging queue 0
> > | logging host outside XXX.XXX.XXX.XXX
> > | mtu outside 1500
> > | mtu inside 1500
> > | mtu intf2 1500
> > | ip address outside XXX.XXX.XXX.XXX 255.255.255.0
> > | ip address inside 192.192.61.224 255.255.255.0
> > | ip address intf2 127.0.0.1 255.255.255.255
> > | ip verify reverse-path interface outside
> > | ip audit info action alarm
> > | ip audit attack action alarm
> > | ip local pool VPN 172.30.230.1-172.30.230.254
> > | pdm history enable
> > | arp timeout 14400
> > | global (outside) 10 interface
> > | nat (inside) 0 access-list 101
> > | nat (inside) 10 0.0.0.0 0.0.0.0 dns 0 0
> > | access-group 100 in interface outside
> > | route outside 0.0.0.0 0.0.0.0 216.168.96.1 1
> > | timeout xlate 3:00:00
> > | timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> > | timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> > | timeout uauth 0:05:00 absolute
> > | aaa-server TACACS+ protocol tacacs+
> > | aaa-server TACACS+ max-failed-attempts 3
> > | aaa-server TACACS+ deadtime 10
> > | aaa-server RADIUS protocol radius
> > | aaa-server RADIUS max-failed-attempts 3
> > | aaa-server RADIUS deadtime 10
> > | aaa-server LOCAL protocol local
> > | aaa authentication telnet console LOCAL
> > | aaa authentication ssh console LOCAL
> > | ntp server 130.126.24.44 source outside prefer
> > | http server enable
> > | http 192.192.61.0 255.255.255.0 inside
> > | no snmp-server enable traps
> > | no floodguard enable
> > | sysopt connection tcpmss 0
> > | sysopt connection permit-ipsec
> > | crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> > | crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
> > | crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
> > | crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> > | crypto map outside_map client authentication LOCAL
> > | crypto map outside_map interface outside
> > | isakmp enable outside
> > | isakmp identity address
> > | isakmp policy 20 authentication pre-share
> > | isakmp policy 20 encryption 3des
> > | isakmp policy 20 hash md5
> > | isakmp policy 20 group 2
> > | isakmp policy 20 lifetime 86400
> > | vpngroup Nexicom address-pool VPN
> > | vpngroup Nexicom dns-server 216.168.96.10 216.168.96.13
> > | vpngroup Nexicom wins-server 192.192.61.246
> > | vpngroup Nexicom default-domain nexicom.net
> > | vpngroup Nexicom split-tunnel Nexicom_splitTunnelAcl
> > | vpngroup Nexicom idle-time 1800
> > | vpngroup Nexicom password ********
> > | telnet timeout 5
> > | ssh 192.192.61.0 255.255.255.0 inside
> > | ssh timeout 5
> > | console timeout 0
> > | vpdn username harvey password ********
> > | vpdn username tom password ********
> > | vpdn username mike password ********
> > | vpdn username billr password ********
> > | vpdn username amhalliday password ********
> > | vpdn username paul password **********
> > | vpdn enable outside
> > | dhcpd address 192.192.61.32-192.192.61.99 inside
> > | dhcpd dns 216.168.96.10 216.168.96.13
> > | dhcpd lease 50400
> > | dhcpd ping_timeout 750
> > | dhcpd domain nexicom.net
> > | dhcpd enable inside
> > | username admin password XXXXXXXXXXXXXXXX encrypted privilege 15
> > | terminal width 80
> > |
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> -- 
> - --
> Charlie Winckless, CCIE #7331           |           |
> Senior Consulting Engineer              |           |
> Network Architechs                     |||         |||     
> u: http://www.netarch.com            .|||||.     .|||||.
> e:   charliew at netarch.com         .:|||||||||:.:|||||||||:.
> p:         (505) 256-9047           Cisco Systems Partner           
> f:         (505) 256-9091              Gold Certified
> PGP ID:        0xC07A7E5C
> PGP:     09DE 5C1A 6984 01C4 152F  3ED0 CAED 17A1 C07A 7E5C
> - -----------------------------------------------------------
>                "Serenity through viciousness"

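The two defects the thread identifies in the posted PIX 6.3 config, a split-tunnel ACL of `permit ip any any` (which tunnels everything and so needs hairpinning the PIX will not do) and users defined only as `vpdn username` while the crypto map authenticates against LOCAL, can be caught by a small config audit. The script below is an added example, not code from the thread or from Cisco; the config excerpt is constructed from the posted config, and the check logic is an assumption built on Charlie's and Koen's explanations.

```python
import re

# Constructed excerpt of the PIX 6.3 config posted in the thread (not the full config).
SAMPLE_CONFIG = """\
access-list 101 permit ip 192.192.61.0 255.255.255.0 172.30.230.0 255.255.255.0
access-list Nexicom_splitTunnelAcl permit ip any any
nat (inside) 0 access-list 101
crypto map outside_map client authentication LOCAL
vpngroup Nexicom address-pool VPN
vpngroup Nexicom split-tunnel Nexicom_splitTunnelAcl
vpdn username harvey password ********
vpdn username paul password **********
username admin password XXXX encrypted privilege 15
"""

def audit_pix_vpn(config_text):
    """Return (check, subject, detail) findings for a PIX 6.3 remote-access VPN config."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []

    # Check 1: a split-tunnel ACL of 'permit ip any any' is no split tunnel at all.
    # Every client flow, Internet-bound ones included, is forced into the tunnel and
    # would have to hairpin back out of the outside interface, which this PIX won't do.
    for l in lines:
        m = re.match(r"vpngroup (\S+) split-tunnel (\S+)$", l)
        if not m:
            continue
        group, acl = m.groups()
        entries = [e for e in lines if e.startswith(f"access-list {acl} ")]
        if not entries:
            findings.append(("split-tunnel", group, f"ACL {acl} has no entries"))
        elif any(e.endswith(" permit ip any any") for e in entries):
            findings.append(("split-tunnel", group, f"ACL {acl} permits ip any any; all traffic is tunnelled"))

    # Check 2: with 'crypto map ... client authentication LOCAL', IPsec clients are
    # checked against 'username' entries; 'vpdn username' only serves PPTP/L2TP, so a
    # user defined only there gets '413 user auth failed' (the thread's symptom).
    local_auth = any(re.match(r"crypto map \S+ client authentication LOCAL$", l) for l in lines)
    local_users = set()
    for l in lines:
        m = re.match(r"username (\S+) password", l)
        if m:
            local_users.add(m.group(1))
    if local_auth:
        for l in lines:
            m = re.match(r"vpdn username (\S+) password", l)
            if m and m.group(1) not in local_users:
                findings.append(("local-auth", m.group(1), "defined only as 'vpdn username'; add a 'username' entry"))
    return findings
```

Run against the excerpt it reports the any/any split-tunnel ACL and the two vpdn-only accounts; with the ACL narrowed to the inside network and the accounts recreated as `username`, it reports nothing.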
