PIX vpn client can't terminal server

Discussion in 'Cisco' started by Sako, Jan 31, 2006.

  1. Sako

    Sako Guest

    Hi gents, I've been fighting two days with this and it seems the pix
    is winning this battle.
    I want to configure a vpn client so that I can join this network from
    one secondary router, so I had to do static routes and some special
    things.
    Now after cleaning my config a little the vpn client seems to
    connect, but I can't terminal server or ssh; maybe the problem is in
    the access list, or maybe the isakmp, but I have done lots of changes
    and none made it work.

    so could you please take a look and tell me what I have to allow
    to achieve this kind of configuration.
    thanks thanks thanks to you all


    :
    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    enable password ZlGq2vBPmW8hXSpI encrypted
    passwd ZlGq2vBPmW8hXSpI encrypted
    hostname pixbcn
    domain-name vlsd.net
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_access_in permit icmp any any
    access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.5.0 255.255.255.0
    access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.5.0 255.255.255.0
    access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.3.0 255.255.255.0
    access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.3.0 255.255.255.0
    access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.6.0 255.255.255.0
    access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.6.0 255.255.255.0
    access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.4.0 255.255.255.0
    access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.4.0 255.255.255.0
    access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.2.0 255.255.255.0
    access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.2.0 255.255.255.0
    access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 host 172.16.1.1
    access-list remote_lond_acl permit ip 174.144.1.0 255.255.255.0 174.144.5.0 255.255.255.0
    access-list remote_lond_acl permit icmp 174.144.1.0 255.255.255.0 174.144.5.0 255.255.255.0
    access-list remote_pose_acl permit ip 174.144.1.0 255.255.255.0 174.144.3.0 255.255.255.0
    access-list remote_pose_acl permit icmp 174.144.1.0 255.255.255.0 174.144.3.0 255.255.255.0
    access-list remote_posi2_acl permit ip 174.144.1.0 255.255.255.0 174.144.6.0 255.255.255.0
    access-list remote_posi2_acl permit icmp 174.144.1.0 255.255.255.0 174.144.6.0 255.255.255.0
    access-list remote_gita_acl permit ip 174.144.1.0 255.255.255.0 174.144.4.0 255.255.255.0
    access-list remote_gita_acl permit icmp 174.144.1.0 255.255.255.0 174.144.4.0 255.255.255.0
    access-list remote_caus_acl permit ip 174.144.1.0 255.255.255.0 174.144.2.0 255.255.255.0
    access-list remote_caus_acl permit icmp 174.144.1.0 255.255.255.0 174.144.2.0 255.255.255.0
    access-list red_interna permit ip 174.144.1.0 255.255.255.0 any
    access-list outside_cryptomap_dyn_21 permit ip any 172.16.1.0 255.255.255.0
    access-list split_tunnel_ac permit ip 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list split_tunnel_ac permit icmp 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list split_tunnel_ac permit ip any any
    access-list vlsd_tunnel_ac permit ip 174.144.1.0 255.255.255.0 any
    access-list vlsd_tunnel_ac permit icmp 174.144.1.0 255.255.255.0 any
    access-list vpn2dkm permit ip any any
    pager lines 24
    logging timestamp
    logging trap debugging
    logging host inside 174.144.1.26
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside 10.200.100.253 255.255.0.0
    ip address inside 174.144.1.1 255.255.255.0
    ip address intf2 174.144.20.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpndkm_pool 172.16.1.1
    ip local pool vlsd_pool 174.144.1.60
    pdm location 0.0.0.0 0.0.0.0 outside
    pdm location 174.144.20.0 255.255.255.0 inside
    pdm location 10.200.0.0 255.255.0.0 inside
    pdm location 174.144.1.50 255.255.255.255 inside
    pdm location 174.144.20.20 255.255.255.255 intf2
    pdm location 174.144.5.0 255.255.255.0 outside
    pdm location 80.38.105.29 255.255.255.255 outside
    pdm location 174.144.2.0 255.255.255.0 outside
    pdm location 174.144.3.0 255.255.255.0 outside
    pdm location 174.144.4.0 255.255.255.0 outside
    pdm location 174.144.6.0 255.255.255.0 outside
    pdm location 174.144.2.0 255.255.255.0 intf2
    pdm location 174.144.3.0 255.255.255.0 intf2
    pdm location 174.144.4.0 255.255.255.0 intf2
    pdm location 174.144.5.0 255.255.255.0 intf2
    pdm location 174.144.6.0 255.255.255.0 intf2
    pdm location 174.144.1.26 255.255.255.255 inside
    pdm location 172.16.1.0 255.255.255.0 outside
    pdm location 62.43.200.194 255.255.255.255 outside
    pdm location 80.224.56.90 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (intf2) 1 interface
    nat (inside) 0 access-list nonat_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.200.100.250 1
    route outside 62.43.200.194 255.255.255.255 10.200.100.190 1
    route outside 80.38.105.29 255.255.255.255 10.200.100.190 1
    route outside 80.224.56.90 255.255.255.255 10.200.100.190 1
    timeout xlate 3:00:00
    timeout conn 2:00:00 half-closed 0:10:00 udp 2:00:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 2:00:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.200.0.0 255.255.0.0 outside
    http 174.144.1.0 255.255.255.0 inside
    http 172.16.1.1 255.255.255.255 inside
    http 174.144.20.0 255.255.255.0 intf2
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 30 set transform-set myset
    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address remote_lond_acl
    crypto map newmap 10 set peer 10.201.100.253
    crypto map newmap 10 set transform-set myset
    crypto map newmap 11 ipsec-isakmp
    crypto map newmap 11 match address remote_pose_acl
    crypto map newmap 11 set peer 10.202.100.253
    crypto map newmap 11 set transform-set myset
    crypto map newmap 12 ipsec-isakmp
    crypto map newmap 12 match address remote_posi2_acl
    crypto map newmap 12 set peer 10.205.100.253
    crypto map newmap 12 set transform-set myset
    crypto map newmap 13 ipsec-isakmp
    crypto map newmap 13 match address remote_gita_acl
    crypto map newmap 13 set peer 10.203.100.253
    crypto map newmap 13 set transform-set myset
    crypto map newmap 20 ipsec-isakmp
    crypto map newmap 20 match address remote_caus_acl
    crypto map newmap 20 set peer 80.38.105.29
    crypto map newmap 20 set transform-set myset
    crypto map newmap 21 ipsec-isakmp dynamic dynmap
    crypto map newmap interface outside
    isakmp enable outside
    isakmp key ******** address 80.38.105.29 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 10.201.100.253 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 10.203.100.253 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 10.202.100.253 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 10.205.100.253 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 86400
    vpngroup vpndkm address-pool vpndkm_pool
    vpngroup vpndkm dns-server 174.144.1.15
    vpngroup vpndkm default-domain vlsd.net
    vpngroup vpndkm split-tunnel vpn2dkm
    vpngroup vpndkm idle-time 1800
    vpngroup vpndkm password ********
    vpngroup vlsd address-pool vlsd_pool
    vpngroup vlsd split-tunnel vlsd_tunnel_ac
    vpngroup vlsd idle-time 1800
    vpngroup vlsd password ********
    telnet timeout 5
    ssh 10.200.0.0 255.255.0.0 outside
    ssh 172.16.1.1 255.255.255.255 outside
    ssh 174.144.1.0 255.255.255.0 inside
    ssh 174.144.20.0 255.255.255.0 intf2
    ssh timeout 30
    console timeout 0
    dhcpd address 174.144.1.100-174.144.1.250 inside
    dhcpd dns 174.144.1.15 174.144.1.16
    dhcpd lease 1048575
    dhcpd ping_timeout 750
    dhcpd domain vlsd.net
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:ab2e9ab3f3b0a44b4d0f7a492a5281a4
    : end
     
    Sako, Jan 31, 2006
    #1
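    An added example, not from the thread and not a Cisco tool: a small Python checker over the statements in the posted config that decide whether VPN-client traffic can get back from the inside network (the `nat 0` exemption for each pool, pools overlapping a connected subnet, the split-tunnel ACL), plus the hardening points a reviewer would raise from the same config (DES/MD5, `snmp-server community public`, management access from outside). The excerpt is copied from the post above with wrapped lines rejoined; the coverage and overlap rules are the checks I would apply, not Cisco documentation.

```python
"""Static checks for the remote-access VPN statements of a PIX 6.3 config
(added example for this thread, not a Cisco tool)."""
import ipaddress
from typing import Dict, List

# Constructed excerpt: statements copied from the posted pixbcn config (wrapped
# lines rejoined). Only what the checks read is included, not the full config.
PIX_CONFIG = """
ip address outside 10.200.100.253 255.255.0.0
ip address inside 174.144.1.1 255.255.255.0
ip address intf2 174.144.20.1 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 host 172.16.1.1
access-list vlsd_tunnel_ac permit ip 174.144.1.0 255.255.255.0 any
access-list vpn2dkm permit ip any any
ip local pool vpndkm_pool 172.16.1.1
ip local pool vlsd_pool 174.144.1.60
nat (inside) 0 access-list nonat_acl
http 10.200.0.0 255.255.0.0 outside
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp policy 10 encryption des
isakmp policy 10 hash md5
vpngroup vpndkm address-pool vpndkm_pool
vpngroup vpndkm split-tunnel vpn2dkm
vpngroup vlsd address-pool vlsd_pool
vpngroup vlsd split-tunnel vlsd_tunnel_ac
"""

WEAK_ALGS = {"des", "md5", "esp-des", "esp-md5-hmac"}


def _net(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_pix(text: str) -> Dict:
    """Pick out interfaces, ACLs, pools, NAT exemption, vpngroups and risky lines."""
    cfg: Dict = {"ifaces": {}, "acls": {}, "pools": {}, "nonat": None,
                 "groups": {}, "weak": [], "mgmt_outside": [], "snmp": []}
    for raw in filter(str.split, text.splitlines()):   # skips blank lines
        t = raw.split()
        if t[:2] == ["ip", "address"]:
            cfg["ifaces"][t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:          # pool is "A" or "A-B"
            first, _, last = t[4].partition("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last or first))
        elif t[0] == "access-list" and t[2] == "permit":
            rest = t[4:]                                 # tokens after the protocol
            src, dst = _net(rest), _net(rest)
            cfg["acls"].setdefault(t[1], []).append((t[3], src, dst))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nonat"] = t[4]
        elif t[0] == "vpngroup":
            cfg["groups"].setdefault(t[1], {})[t[2]] = t[3]
        elif t[0] in ("http", "ssh") and t[-1] == "outside":
            cfg["mgmt_outside"].append(raw)
        elif t[:2] == ["snmp-server", "community"]:
            cfg["snmp"].append(t[2])
        elif t[0] in ("crypto", "isakmp") and WEAK_ALGS & set(t):
            cfg["weak"].append(raw)
    return cfg


def check_vpn(cfg: Dict) -> List[str]:
    """Return one finding per problem; an empty list means nothing was flagged."""
    out: List[str] = []
    inside = cfg["ifaces"]["inside"]
    nonat = cfg["acls"].get(cfg["nonat"] or "", [])
    for name, grp in cfg["groups"].items():
        first, last = cfg["pools"][grp["address-pool"]]
        nets = list(ipaddress.summarize_address_range(first, last))
        # Replies from inside hosts to pool addresses must bypass NAT, so each
        # pool block needs a nat 0 entry from the inside subnet to that block.
        if not all(any(inside.subnet_of(s) and n.subnet_of(d) for _, s, d in nonat) for n in nets):
            out.append(f"{name}: pool {first}-{last} is not exempted from NAT by {cfg['nonat']}")
        # A pool carved out of a directly connected subnet relies on the PIX
        # answering ARP for those addresses; a separate subnet avoids that.
        for ifname, ifnet in cfg["ifaces"].items():
            if any(n.overlaps(ifnet) for n in nets):
                out.append(f"{name}: pool overlaps {ifname} subnet {ifnet}")
        split = cfg["acls"].get(grp.get("split-tunnel", ""), [])
        if any(s.prefixlen == 0 and d.prefixlen == 0 for _, s, d in split):
            out.append(f"{name}: split-tunnel ACL {grp['split-tunnel']} is 'permit ip any any', "
                       "so it names no protected network")
    out += [f"weak IKE/IPsec algorithm: {l}" for l in cfg["weak"]]
    out += [f"default SNMP community '{c}'" for c in cfg["snmp"] if c in ("public", "private")]
    out += [f"management access from the outside interface: {l}" for l in cfg["mgmt_outside"]]
    return out


if __name__ == "__main__":
    print("\n".join(check_vpn(parse_pix(PIX_CONFIG))))
```

    Run against the excerpt it reports the vlsd pool sitting inside the inside subnet with no nat 0 entry, the vpndkm split-tunnel ACL being `permit ip any any`, and the DES/MD5, SNMP and outside-management lines.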

  2. lfnetworking

    lfnetworking Guest

    Sako wrote:
    > Hi gents I've been fighting two days with this and it seems the pix
    > is winning this battle.
    > I want to configure a vpn client so that I can join this network from
    > one secondary router,


    first, can you please clarify if the issue is not being able to access a
    machine for term services tcp 3389 and ssh tcp 22, on the network behind
    pixbcn, from a vpnclient connection terminating on pixbcn? if so, which
    vpngroup are you connecting to?

    also, just curious why you have tunnels to devices on a private
    network, i.e. 10.x.x.x outside addresses?

    > so I had to do static routes and some special
    > things.
    > Now after cleaning a little my config the vpn client seems to
    > connect, but I can't terminal server or ssh , maybe the problem is in
    > the access list, or maybe the isakmp , but I have done lots of changes
    > and none made it work .
    >
    > so could you please take a look and tell me what do I have to allow
    > to achieve this kind of configuration.
    > thanks thanks thanks to you all
     
    lfnetworking, Jan 31, 2006
    #2

  3. Sako

    Sako Guest

    sorry, I'll try to explain better. My company has a private virtual
    network between different cities; in addition to this we use vpn
    tunnels with cisco PIX because one of the cities isn't on the other
    private network.
    so that's working properly. The main building has 2 routers connected
    to internet, so one connects to the virtual network and the other to
    internet.
    To the router connected to internet we have a route in the pix, so we
    can connect via vpn to the other city.

    So, the fact is: I want a person, whose public address I know, to
    connect tcp 3389 or 22 (any) to the inside interface of our pix, as the
    other vpn tunnels do. To achieve this I configured a vpn group, and I
    configured the vpn client correctly, and it closes the lock (it seems
    to connect).
    But I can't do anything to ping / connect 3389 to the inside hosts.

    Any way to help me?
    thanks
     
    Sako, Jan 31, 2006
    #3
  4. DCS

    DCS Guest

    Hey again, glad to see your RA tunnel works now. Are you getting any
    traffic across the interface? As previously asked, what remote profile
    are you using, vpndkm or vlsd? I noticed your SSH for 172.16.1.1 is
    set for the outside interface. There may be some issues with your
    access list but you need to see if you're getting traffic out and
    returned first. To do this, connect the VPN Client. Then right click
    on the icon (closed lock on the bottom right) and select "statistics".
    Try a ping, surf to an internal web page or anything to see how your
    traffic counters change. Report back and we can try to help more.
     
    DCS, Jan 31, 2006
    #4
  5. Sako

    Sako Guest

    I'm working hard on it! thanks gents, you give me HOPE!
    I expect to use the vpndkm because I want the pool to get bigger once
    I'm sure it works with one host. The other is using a free ip on my
    network.
    Unluckily I couldn't surf any internal web page or ssh when it
    pointed at the inside interface (as you say that it should); the client
    connects by the same router as
    crypto map newmap 20 ipsec-isakmp
    crypto map newmap 20 match address remote_caus_acl
    That is working
    correctly. I've tried to connect to the machine with the vpn client
    but I lost connection with terminal server ... I'll look at the statistics
    and report them as soon as I can.

    I've tried to change the access-list which takes care of 172.16.1.1
    but I can't ping from inside to the vpnclient or from the vpn client
    see anything from the inside.

    I'll keep working hard a couple of hours to see if I can solve it.
    Thanks very much indeed.
     
    Sako, Jan 31, 2006
    #5
  6. Sako

    Sako Guest

    Ok, thanks to your indications, I can see, in the statistics:
    Bytes received: 0 ; Bytes Sent: 20974
    Packets
    Encrypted 135, Decrypted: 0
    Discarded: 77
    Encryption DES, authentication HMAC-MD5
    Local Lan Disabled (I don't know how to enable yet)
    Compression None.

    So it seems I don't receive any information.
    I'm not quite sure what this means, I'll try to look at the log
    but I report it to you to see if you can help.
    Thanks

    This is the log of one connection
    Cisco Systems VPN Client Version 4.6.00.0045
    Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600 Service Pack 2

    167 11:25:13.011 02/01/06 Sev=Info/4 CM/0x63100002
    Begin connection process

    168 11:25:13.026 02/01/06 Sev=Info/4 CVPND/0xE3400001
    Microsoft IPSec Policy Agent service stopped successfully

    169 11:25:13.026 02/01/06 Sev=Info/4 CM/0x63100004
    Establish secure connection using Ethernet

    170 11:25:13.026 02/01/06 Sev=Info/4 CM/0x63100024
    Attempt connection with server "83.175.207.82"

    171 11:25:14.026 02/01/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
    VID(Nat-T), VID(Frag), VID(Unity)) to 83.175.207.82

    172 11:25:14.026 02/01/06 Sev=Info/4 IPSEC/0x63700008
    IPSec driver successfully started

    173 11:25:14.026 02/01/06 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    174 11:25:14.307 02/01/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity),
    VID(?), KE, ID, NON, HASH) from 83.175.207.82

    175 11:25:14.307 02/01/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT,
    VID(?), VID(Unity)) to 83.175.207.82

    176 11:25:14.307 02/01/06 Sev=Info/4 IKE/0x63000082
    IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4

    177 11:25:14.307 02/01/06 Sev=Info/4 CM/0x6310000E
    Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated
    IKE SA in the system

    178 11:25:14.307 02/01/06 Sev=Info/4 CM/0x6310000E
    Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated
    IKE SA in the system

    179 11:25:14.323 02/01/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 83.175.207.82

    180 11:25:14.417 02/01/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from
    83.175.207.82

    181 11:25:14.432 02/01/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 83.175.207.82

    182 11:25:14.432 02/01/06 Sev=Info/4 IKE/0xA3000015
    MODE_CFG_REPLY: Received MODECFG_UNITY_SPLIT_INCLUDE attribute with no
    data

    183 11:25:14.432 02/01/06 Sev=Info/4 IKE/0xA3000015
    MODE_CFG_REPLY: Received MODECFG_UNITY_SPLIT_INCLUDE attribute with no
    data

    184 11:25:14.432 02/01/06 Sev=Info/4 CM/0x63100019
    Mode Config data received

    185 11:25:14.448 02/01/06 Sev=Info/4 IKE/0x63000055
    Received a key request from Driver: Local IP = 172.16.1.1, GW IP =
    83.175.207.82, Remote IP = 0.0.0.0

    186 11:25:14.448 02/01/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 83.175.207.82

    187 11:25:14.589 02/01/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID,
    NOTIFY:STATUS_RESP_LIFETIME) from 83.175.207.82

    188 11:25:14.589 02/01/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH) to 83.175.207.82

    189 11:25:15.120 02/01/06 Sev=Info/4 CM/0x63100034
    The Virtual Adapter was enabled:
    IP=172.16.1.1/255.255.0.0
    DNS=192.168.1.15,0.0.0.0
    WINS=0.0.0.0,0.0.0.0
    Domain=valdisme.net
    Split DNS Names=

    190 11:25:15.229 02/01/06 Sev=Info/4 CM/0x6310001A
    One secure connection established

    191 11:25:15.307 02/01/06 Sev=Info/4 CM/0x63100038
    Address watch added for 192.168.3.114. Current address(es):
    172.16.1.1, 192.168.3.114.

    192 11:25:15.323 02/01/06 Sev=Info/4 CM/0x63100038
    Address watch added for 172.16.1.1. Current address(es): 172.16.1.1,
    192.168.3.114.

    193 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    194 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x63700010
    Created a new key structure

    195 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x6370000F
    Added key with SPI=0x3c962dbc into key list

    196 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x63700010
    Created a new key structure

    197 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x6370000F
    Added key with SPI=0xe729bba9 into key list

    198 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x6370002E
    Assigned VA private interface addr 172.16.1.1

    199 11:25:24.417 02/01/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to
    83.175.207.82

    200 11:25:24.526 02/01/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from
    83.175.207.82

    201 11:25:35.416 02/01/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to
    83.175.207.82

    202 11:25:35.573 02/01/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from
    83.175.207.82

    203 11:25:45.916 02/01/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to
    83.175.207.82

    204 11:25:46.026 02/01/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from
    83.175.207.82

    205 11:26:01.416 02/01/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to
    83.175.207.82

    206 11:26:01.619 02/01/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from
    83.175.207.82

    207 11:26:11.916 02/01/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to
    83.175.207.82

    208 11:26:12.932 02/01/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from
    83.175.207.82

    209 11:26:23.416 02/01/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to
    83.175.207.82

    210 11:26:23.525 02/01/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from
    83.175.207.82

    211 11:26:33.916 02/01/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to
    83.175.207.82

    212 11:26:34.088 02/01/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from
    83.175.207.82

    213 11:26:44.087 02/01/06 Sev=Info/4 CM/0x6310000A
    Secure connections terminated

    214 11:26:44.087 02/01/06 Sev=Info/4 IKE/0x63000001
    IKE received signal to terminate VPN connection

    215 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 83.175.207.82

    216 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x63000048
    Discarding IPsec SA negotiation, MsgID=A74DB14B

    217 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x63000017
    Marking IKE SA for deletion (I_Cookie=1DF97BFDFD3055A6
    R_Cookie=4C694B7469F7AC26) reason = DEL_REASON_RESET_SADB

    218 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 83.175.207.82

    219 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x6300004A
    Discarding IKE SA negotiation (I_Cookie=1DF97BFDFD3055A6
    R_Cookie=4C694B7469F7AC26) reason = DEL_REASON_RESET_SADB

    220 11:26:44.103 02/01/06 Sev=Info/4 CM/0x63100013
    Phase 1 SA deleted cause by DEL_REASON_RESET_SADB. 0 Crypto Active IKE
    SA, 0 User Authenticated IKE SA in the system

    221 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x63000085
    Microsoft IPSec Policy Agent service started successfully

    222 11:26:44.119 02/01/06 Sev=Warning/2 CVPND/0xA3400015
    Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

    223 11:26:45.618 02/01/06 Sev=Info/4 CM/0x63100035
    The Virtual Adapter was disabled

    224 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x63700013
    Delete internal key with SPI=0xe729bba9

    225 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x6370000C
    Key deleted by SPI 0xe729bba9

    226 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x63700013
    Delete internal key with SPI=0x3c962dbc

    227 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x6370000C
    Key deleted by SPI 0x3c962dbc

    228 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    229 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    230 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x6370000A
    IPSec driver successfully stopped

    231 11:26:45.634 02/01/06 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys
     
    Sako, Feb 1, 2006
    #6
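    An added example, not part of the thread and not Cisco's or either poster's code: the check DCS describes in #4 (read the client's Statistics window) combined with the counters and client log Sako posted in #6, turned into a small Python diagnosis. The counters and the log excerpt are copied from the post above (shortened); the verdict strings are my reading of the milestones, and "encrypted > 0, decrypted = 0" is interpreted as a tunnel that is up but only passes traffic one way.

```python
"""Interpret Cisco VPN Client 4.x statistics counters and log output
(added example for this thread, not a Cisco tool)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed input: the counters Sako read off the client's Statistics window.
STATS = {"bytes_received": 0, "bytes_sent": 20974, "encrypted": 135, "decrypted": 0, "discarded": 77}

# Constructed input: excerpt of the posted client log, wrapped as the client writes it.
CLIENT_LOG = """\
177 11:25:14.307 02/01/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated
IKE SA in the system

182 11:25:14.432 02/01/06 Sev=Info/4 IKE/0xA3000015
MODE_CFG_REPLY: Received MODECFG_UNITY_SPLIT_INCLUDE attribute with no
data

187 11:25:14.589 02/01/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID,
NOTIFY:STATUS_RESP_LIFETIME) from 83.175.207.82

189 11:25:15.120 02/01/06 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=172.16.1.1/255.255.0.0

190 11:25:15.229 02/01/06 Sev=Info/4 CM/0x6310001A
One secure connection established

200 11:25:24.526 02/01/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from
83.175.207.82

222 11:26:44.119 02/01/06 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87
"""

HEADER = re.compile(r"^(\d+) (\S+) (\S+) Sev=(\w+)/(\d) (\S+)$")


@dataclass
class Entry:
    seq: int
    time: str
    severity: str   # Info, Warning, ...
    source: str     # e.g. IKE/0x63000014
    text: str       # body lines rejoined with single spaces


def parse_log(text: str) -> List[Entry]:
    """Split the log into entries: one header line plus its wrapped body."""
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if m:
            body = " ".join(l.strip() for l in lines[1:])
            entries.append(Entry(int(m[1]), m[2], m[4], m[6], body))
    return entries


def diagnose(entries: List[Entry], stats: Dict[str, int]) -> Dict[str, object]:
    """Combine log milestones with the counters into a single verdict."""
    texts = [e.text for e in entries]

    def seen(fragment: str) -> bool:
        return any(fragment in t for t in texts)

    va = next((re.search(r"IP=(\S+)/(\S+)", t) for t in texts
               if "Virtual Adapter was enabled" in t), None)
    result: Dict[str, object] = {
        "phase1": seen("Established Phase 1 SA"),
        "phase2": seen("RECEIVING <<< ISAKMP OAK QM") and seen("One secure connection established"),
        "va_ip": va[1] if va else None,
        "va_mask": va[2] if va else None,
        "empty_split_include": seen("MODECFG_UNITY_SPLIT_INCLUDE attribute with no data"),
        "dpd_ok": seen("DPD_ACK"),
        "warnings": [e.text for e in entries if e.severity == "Warning"],
    }
    if not result["phase1"]:
        verdict = "IKE phase 1 never completed: check group name, pre-shared key and ISAKMP policy"
    elif not result["phase2"]:
        verdict = "phase 1 up but no IPsec SA: check transform-set and dynamic crypto map"
    elif stats["encrypted"] > 0 and stats["decrypted"] == 0:
        # Packets leave the client encrypted and the head-end answers DPD, but
        # nothing comes back through the tunnel: the return path is broken.
        verdict = ("tunnel up, one-way traffic: check on the head-end that replies to the "
                   "pool are exempted from NAT, routed back to the tunnel and permitted")
    else:
        verdict = "tunnel up and passing traffic in both directions"
    result["verdict"] = verdict
    return result


if __name__ == "__main__":
    for key, value in diagnose(parse_log(CLIENT_LOG), STATS).items():
        print(f"{key}: {value}")
```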
