Help w/pix 501 config & vpn client setup w/radius

Discussion in 'Cisco' started by tmlee44@yahoo.com, Sep 9, 2006.


    Hi folks,

    I'm very new at Cisco stuff. I bought a Pix 501 for a home setup w/a
    Windows 2003 server/IAS. I can access my LAN remotely via http, ftp,
    etc., but I'm stuck when attempting to set up VPN. I have a dynamic
    outside IP because I cannot get a static IP, but I get around that with
    dyndns.org.

    I have 2 issues: my NAS-PORT-AUTH is missing, and even if I modify my
    remote access policy in IAS to exclude this, when I connect via my
    Cisco Client I cannot connect to my network or the internet.

    ------------------------

    Event log:

    Event Type: Warning
    Event Source: IAS
    Event Category: None
    Event ID: 2
    Date: 9/8/2006
    Time: 7:26:04 PM
    User: N/A
    Computer: DC01
    Description:
    User tmlee was denied access.
    Fully-Qualified-User-Name = MYDOMAIN\user3
    NAS-IP-Address = 192.168.1.1
    NAS-Identifier = <not present>
    Called-Station-Identifier = <not present>
    Calling-Station-Identifier = external_ip
    Client-Friendly-Name = friendlyname
    Client-IP-Address = 192.168.1.1
    NAS-Port-Type = <not present>
    NAS-Port = 67
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = <undetermined>
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    Reason-Code = 48
    Reason = The connection attempt did not match any remote access
    policy.



    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    <snip>
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inbound permit icmp any any
    access-list inbound permit tcp any any eq www
    access-list inbound permit tcp any any eq 3389
    access-list inbound permit tcp any any eq ftp-data
    access-list inbound permit tcp any any eq ftp
    access-list inbound permit tcp any any eq smtp
    access-list inbound permit tcp any any eq pop3
    access-list inbound permit tcp any any eq https
    access-list inbound permit tcp any any eq 902
    access-list seenet permit ip 192.168.0.0 255.255.255.0 172.16.1.0
    255.255.255.0
    access-list seenet permit ip 192.168.0.0 255.255.255.0 192.168.1.0
    255.255.255.0
    pager lines 24
    logging timestamp
    logging trap notifications
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool1 172.16.1.1-172.16.1.255
    pdm location 0.0.0.0 255.255.255.255 outside
    pdm location 192.168.1.192 255.255.255.192 inside
    pdm location 192.168.1.192 255.255.255.192 outside
    pdm location 192.168.1.0 255.255.255.0 outside
    pdm location 192.168.1.5 255.255.255.255 inside
    pdm location 192.168.0.0 255.255.255.0 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list seenet
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface www 192.168.1.5 www netmask
    255.255.255.255 0 0
    static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask
    255.255.255.255 0 0
    static (inside,outside) tcp interface ftp-data 192.168.1.5 ftp-data
    netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ftp 192.168.1.5 ftp netmask
    255.255.255.255 0 0
    static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask
    255.255.255.255 0 0
    static (inside,outside) tcp interface pop3 192.168.1.5 pop3 netmask
    255.255.255.255 0 0
    static (inside,outside) tcp interface https 192.168.1.5 https netmask
    255.255.255.255 0 0
    static (inside,outside) tcp interface 902 192.168.1.5 902 netmask
    255.255.255.255 0 0
    access-group inbound in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server AuthInbound protocol radius
    aaa-server AuthInbound max-failed-attempts 3
    aaa-server AuthInbound deadtime 10
    aaa-server AuthInbound (inside) host 192.168.1.5 somesecret timeout 10
    aaa authorization command LOCAL
    ntp authenticate
    ntp server 131.107.1.10 source outside prefer
    ntp server 129.6.15.28 source outside
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 192.168.1.5 c:\proga~1\ciscos~1\vpncli~1
    floodguard enable
    sysopt connection permit-ipsec
    auth-prompt prompt Enter network login
    auth-prompt reject Authorization Rejected
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate
    crypto map mymap client authentication RADIUS
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpngroup address-pool vpnpool1
    vpngroup vpngroup dns-server 192.168.1.5
    vpngroup vpngroup wins-server 192.168.1.5
    vpngroup vpngroup idle-time 1800
    vpngroup vpngroup password ********
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn enable outside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    username user1 password ****************** encrypted privilege 15
    username user2 password ************* encrypted privilege 5
    vpnclient server 192.168.1.1
    vpnclient mode network-extension-mode
    vpnclient vpngroup vpngroup password ********
    terminal width 80
    : end
    tmlee44@yahoo.com, Sep 9, 2006

  2. <> wrote in message
    news:...
    > Hi folks,


    Hiya

    > Reason = The connection attempt did not match any remote access
    > policy.


    Looks like your IAS has not got any policies to match.

    What I normally do is create a global group and add the users that are
    allowed to use VPN to it.
    Then create a policy with "Match Windows group" = the group you created.

    >
    >
    > PIX Version 6.3(5)



    > aaa-server RADIUS protocol radius
    > aaa-server RADIUS max-failed-attempts 3
    > aaa-server RADIUS deadtime 10


    > aaa-server AuthInbound protocol radius
    > aaa-server AuthInbound max-failed-attempts 3
    > aaa-server AuthInbound deadtime 10
    > aaa-server AuthInbound (inside) host 192.168.1.5 somesecret timeout 10
    > aaa authorization command LOCAL


    > crypto map mymap client authentication RADIUS


    Also, I hope you see what is wrong in the above.
    8=)

    (Hint: the AAA reference is wrong. Change it to: crypto map mymap client
    authentication AuthInbound)


    HTH
    Martin


    > crypto map mymap interface outside
    > isakmp enable outside
    > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    > isakmp identity address
    > isakmp nat-traversal 20
    > isakmp policy 10 authentication pre-share
    > isakmp policy 10 encryption 3des
    > isakmp policy 10 hash sha
    > isakmp policy 10 group 2
    > isakmp policy 10 lifetime 86400
    > vpngroup vpngroup address-pool vpnpool1
    > vpngroup vpngroup dns-server 192.168.1.5
    > vpngroup vpngroup wins-server 192.168.1.5
    > vpngroup vpngroup idle-time 1800
    > vpngroup vpngroup password ********
    > telnet 192.168.1.0 255.255.255.0 inside
    > telnet timeout 5
    > ssh timeout 5
    > console timeout 0
    > vpdn enable outside
    > dhcpd lease 3600
    > dhcpd ping_timeout 750
    > username user1 password ****************** encrypted privilege 15
    > username user2 password ************* encrypted privilege 5
    > vpnclient server 192.168.1.1
    > vpnclient mode network-extension-mode
    > vpnclient vpngroup vpngroup password ********
    > terminal width 80
    > : end
    >
    Martin Bilgrav, Sep 9, 2006
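As an added check for the mis-reference Martin points out (this is example code written for this page, not from the thread or from Cisco): a small Python lint that parses the aaa-server and crypto map lines and flags a client authentication line that names an aaa-server group with no host configured (the RADIUS group here) rather than the one that has a host (AuthInbound). SAMPLE_CONFIG is a constructed excerpt of the posted PIX 6.3(5) config; the regexes only cover the line forms shown in that config.

```python
import re

# Constructed excerpt of the PIX 6.3(5) config posted in the thread
# (unrelated lines omitted); the crypto map still points at "RADIUS".
SAMPLE_CONFIG = """\
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 192.168.1.5 somesecret timeout 10
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication RADIUS
"""

AAA_PROTO = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
AAA_HOST = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
CLIENT_AUTH = re.compile(r"^crypto map (\S+) client authentication (\S+)$")

def aaa_groups(config):
    """Map each aaa-server group name to its protocol and configured hosts."""
    groups = {}
    for line in config.splitlines():
        line = line.strip()
        if m := AAA_PROTO.match(line):
            grp = groups.setdefault(m.group(1), {"protocol": None, "hosts": []})
            grp["protocol"] = m.group(2)
        elif m := AAA_HOST.match(line):
            grp = groups.setdefault(m.group(1), {"protocol": None, "hosts": []})
            grp["hosts"].append(m.group(3))
    return groups

def check_client_auth(config):
    """Flag 'crypto map ... client authentication <group>' lines whose group
    cannot authenticate anyone: undefined, local-only, or without a host."""
    groups = aaa_groups(config)
    findings = []
    for line in config.splitlines():
        m = CLIENT_AUTH.match(line.strip())
        if not m:
            continue
        cmap, ref = m.groups()
        grp = groups.get(ref)
        if grp is None:
            findings.append((cmap, ref, "undefined aaa-server group"))
        elif grp["protocol"] == "local":
            findings.append((cmap, ref, "local database, not a RADIUS group"))
        elif not grp["hosts"]:
            findings.append((cmap, ref, "aaa-server group has no host configured"))
    return findings
```

Running check_client_auth on the excerpt returns one finding for mymap/RADIUS; after changing the line to reference AuthInbound it returns none.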