[c-nsp] PIX VPN Problem

Koen Peetermans K.Peetermans at chello.be
Tue Jan 25 04:01:31 EST 2005


Paul,

You would want to configure your split tunnel like this :

access-list Nexicom_splitTunnelAcl permit ip 192.192.61.0 255.255.255.0

With this line you'll tell the VPN clients to ONLY tunnel this range of
addresses (which are your inside addresses).

You can change the range if you have a bigger internal network (Doesn't look
like it in your config).

Kind regards,

Koen.

From: Paul Stewart [mailto:pauls at nexicom.net] 
Sent: Tuesday 25 January 2005 2:08
To: charliew at netarch.com
Cc: Koen Peetermans; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PIX VPN Problem

Hi there... thanks for the feedback...


I was actually hoping to use split-tunnel and thought that below had
configured it... obviously not...:)  The users who are coming in remote are
also people who work in the office during normal hours.. this VPN is for
after hours work basically so I don't see as much security concern (but I do
understand your concern)...

Thanks,

Paul


On Mon, 24 Jan 2005 16:47:39 -0700, Charlie Winckless wrote
> On Mon, 2005-01-24 at 13:27 -0500, Paul Stewart wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Thanks for the replies.  That did the trick...
> > 
> > Now, one final piece is allowing the client to browse the internal
> > network (which I think is working - still have to get the WINS server
> > running however)... but also reach the outside world.
> > 
> > I thought I had configured it as per below to allow both but I can't
> > reach out external DNS or even ping our core router...?
> 
> That'd be hairpinning on the interface, which the PIX won't allow.
> 
> One option, though far from my favourite, is to use a split tunnel.
> This has relatively serious security implications, but will allow
> it.
> 
> Otherwise terminating the tunnel on the PIX will just not work.
> 
> -- Charlie
> > 
> > Thanks again for all your help...
> > Paul
> > 
> > 
> > Koen Peetermans wrote:
> > | Hi Paul,
> > |
> > | Try using "username" instead of "vpdn username" for creating your local
> > | accounts.
> > |
> > | I think only pptp (and maybe L2tp) uses vpdn username, Ipsec remote access
> > | uses "username"
> > |
> > | Kind regards,
> > |
> > | Koen.
> > |
> > | -----Original Message-----
> > | From: cisco-nsp-bounces at puck.nether.net
> > | [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
> > | Sent: Monday 24 January 2005 17:57
> > | To: cisco-nsp at puck.nether.net
> > | Subject: [c-nsp] PIX VPN Problem
> > |
> > | Hi there...
> > |
> > | I hope the list can help me out...:)
> > |
> > | I've got a 515E PIX box that I'm trying to get remote access VPN running
> > | to.  Below is the config... what's happening is 413-user auth failed
> > |
> > | The config is setup to use local username/passwords and I've recreated
> > | my own login just to make sure the password is correct.. what am I
> > | missing here?
> > |
> > | Thanks,
> > |
> > | Paul
> > |
> > | PIX Version 6.3(4)
> > | interface ethernet0 100full
> > | interface ethernet1 100full
> > | interface ethernet2 auto shutdown
> > | nameif ethernet0 outside security0
> > | nameif ethernet1 inside security100
> > | nameif ethernet2 intf2 security10
> > | enable password XXXXXXXXXXXXXXX encrypted
> > | passwd XXXXXXXXXXXXXXXXX encrypted
> > | hostname fw
> > | domain-name XXX.NET
> > | clock timezone EST -5
> > | clock summer-time EDT recurring
> > | fixup protocol dns maximum-length 512
> > | fixup protocol ftp 21
> > | fixup protocol h323 h225 1720
> > | fixup protocol h323 ras 1718-1719
> > | no fixup protocol http 80
> > | fixup protocol ils 389
> > | fixup protocol rsh 514
> > | fixup protocol rtsp 554
> > | fixup protocol sip 5060
> > | fixup protocol sip udp 5060
> > | fixup protocol skinny 2000
> > | no fixup protocol smtp 25
> > | fixup protocol sqlnet 1521
> > | fixup protocol tftp 69
> > | names
> > | access-list compiled
> > | access-list 100 permit icmp any any echo-reply
> > | access-list 100 permit icmp any any time-exceeded
> > | access-list 100 permit icmp any any unreachable
> > | access-list 101 permit ip 192.192.61.0 255.255.255.0 10.1.1.0 255.255.255.0
> > | access-list 101 permit ip any 172.30.230.0 255.255.255.0
> > | access-list Nexicom_splitTunnelAcl permit ip any any
> > | access-list outside_cryptomap_dyn_20 permit ip any 172.30.230.0 255.255.255.0
> > | pager lines 24
> > | logging on
> > | logging trap warnings
> > | logging facility 23
> > | logging queue 0
> > | logging host outside XXX.XXX.XXX.XXX
> > | mtu outside 1500
> > | mtu inside 1500
> > | mtu intf2 1500
> > | ip address outside XXX.XXX.XXX.XXX 255.255.255.0
> > | ip address inside 192.192.61.224 255.255.255.0
> > | ip address intf2 127.0.0.1 255.255.255.255
> > | ip verify reverse-path interface outside
> > | ip audit info action alarm
> > | ip audit attack action alarm
> > | ip local pool VPN 172.30.230.1-172.30.230.254
> > | pdm history enable
> > | arp timeout 14400
> > | global (outside) 10 interface
> > | nat (inside) 0 access-list 101
> > | nat (inside) 10 0.0.0.0 0.0.0.0 dns 0 0
> > | access-group 100 in interface outside
> > | route outside 0.0.0.0 0.0.0.0 216.168.96.1 1
> > | timeout xlate 3:00:00
> > | timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> > | timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> > | timeout uauth 0:05:00 absolute
> > | aaa-server TACACS+ protocol tacacs+
> > | aaa-server TACACS+ max-failed-attempts 3
> > | aaa-server TACACS+ deadtime 10
> > | aaa-server RADIUS protocol radius
> > | aaa-server RADIUS max-failed-attempts 3
> > | aaa-server RADIUS deadtime 10
> > | aaa-server LOCAL protocol local
> > | aaa authentication telnet console LOCAL
> > | aaa authentication ssh console LOCAL
> > | ntp server 130.126.24.44 source outside prefer
> > | http server enable
> > | http 192.192.61.0 255.255.255.0 inside
> > | no snmp-server enable traps
> > | no floodguard enable
> > | sysopt connection tcpmss 0
> > | sysopt connection permit-ipsec
> > | crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> > | crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
> > | crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
> > | crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> > | crypto map outside_map client authentication LOCAL
> > | crypto map outside_map interface outside
> > | isakmp enable outside
> > | isakmp identity address
> > | isakmp policy 20 authentication pre-share
> > | isakmp policy 20 encryption 3des
> > | isakmp policy 20 hash md5
> > | isakmp policy 20 group 2
> > | isakmp policy 20 lifetime 86400
> > | vpngroup Nexicom address-pool VPN
> > | vpngroup Nexicom dns-server 216.168.96.10 216.168.96.13
> > | vpngroup Nexicom wins-server 192.192.61.246
> > | vpngroup Nexicom default-domain nexicom.net
> > | vpngroup Nexicom split-tunnel Nexicom_splitTunnelAcl
> > | vpngroup Nexicom idle-time 1800
> > | vpngroup Nexicom password ********
> > | telnet timeout 5
> > | ssh 192.192.61.0 255.255.255.0 inside
> > | ssh timeout 5
> > | console timeout 0
> > | vpdn username harvey password ********
> > | vpdn username tom password ********
> > | vpdn username mike password ********
> > | vpdn username billr password ********
> > | vpdn username amhalliday password ********
> > | vpdn username paul password **********
> > | vpdn enable outside
> > | dhcpd address 192.192.61.32-192.192.61.99 inside
> > | dhcpd dns 216.168.96.10 216.168.96.13
> > | dhcpd lease 50400
> > | dhcpd ping_timeout 750
> > | dhcpd domain nexicom.net
> > | dhcpd enable inside
> > | username admin password XXXXXXXXXXXXXXXX encrypted privilege 15
> > | terminal width 80
> > |
> --
> Charlie Winckless, CCIE #7331
> Senior Consulting Engineer
> Network Architechs
> u: http://www.netarch.com
> e: charliew at netarch.com
> p: (505) 256-9047
> f: (505) 256-9091
> Cisco Systems Partner, Gold Certified
> PGP ID: 0xC07A7E5C
> PGP: 09DE 5C1A 6984 01C4 152F  3ED0 CAED 17A1 C07A 7E5C
> -----------------------------------------------------------
> "Serenity through viciousness"
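As an added illustration (not code from the thread), a small Python model of how a PIX 6.x VPN client interprets the split-tunnel ACL it is pushed: Paul's `permit ip any any` entry tunnels every destination, so Internet-bound traffic has to hairpin on the outside interface, while Koen's inside-only entry tunnels just 192.192.61.0/24 and lets DNS and other Internet traffic leave the client directly. It assumes the client secures the source network of each permit entry (the destination field, when present, is not consulted); the sample destinations are the WINS and DNS servers from the quoted config.

```python
import ipaddress

# Constructed for this example: Paul's original split-tunnel ACL from the
# quoted config, and the replacement entry Koen suggests.
ACL_ORIGINAL = "access-list Nexicom_splitTunnelAcl permit ip any any"
ACL_FIXED = ("access-list Nexicom_splitTunnelAcl permit ip "
             "192.192.61.0 255.255.255.0")


def parse_split_tunnel_acl(config_text):
    """Collect the networks a PIX split-tunnel ACL pushes to the VPN client.

    Assumption (PIX 6.x behaviour): the client tunnels the *source* network
    of each permit entry. 'any' means 0.0.0.0/0, so every destination is
    tunnelled and the client has no direct Internet path at all.
    """
    nets = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[2] != "permit":
            continue
        if parts[4] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif len(parts) >= 6:
            # PIX ACLs use a real subnet mask here, not an IOS wildcard mask.
            nets.append(ipaddress.ip_network(f"{parts[4]}/{parts[5]}",
                                             strict=False))
    return nets


def route_decision(nets, dst):
    """'tunnel' if the client sends dst through IPsec, otherwise 'local'."""
    addr = ipaddress.ip_address(dst)
    return "tunnel" if any(addr in n for n in nets) else "local"


def split_tunnel_report(config_text, destinations):
    """Map each destination to the client's routing decision under the ACL."""
    nets = parse_split_tunnel_acl(config_text)
    return {d: route_decision(nets, d) for d in destinations}


if __name__ == "__main__":
    # WINS server on the inside LAN and the first DNS server handed to clients.
    targets = ["192.192.61.246", "216.168.96.10"]
    for label, acl in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED)):
        print(label, split_tunnel_report(acl, targets))
```

The "local" result for 216.168.96.10 under the fixed ACL is the trade-off Charlie points at: the client is reachable from the Internet and the inside network at the same time, so host firewalling on the remote machines matters more than it would with a full tunnel.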