PIX501 and VPN Client 4.0 config problem

Discussion in 'Cisco' started by Jens Meyer, Dec 18, 2003.

  1. Jens Meyer

    Jens Meyer Guest

    I've configured a basic PIX501 setup as outlined below. Essentially, I
    have a network behind the PIX with one-to-one mappings of private IP
    addresses to public IP addresses. Right now, I have no access-lists
    set whatsoever as I'm just trying to get the VPN part working.

    I used the VPN Wizard in PDM to set up a simple VPN config allowing
    outside hosts to connect to the PIX via the Cisco VPN Client 4.0.3(A).
    However, when trying to actually establish a connection, I only get an
    error message "Reason 412: The remote peer is no longer responding".
    At the moment I don't care about AAA authentication, though
    ultimately, AAA authentication needs to be provided by an NT4 DC.

    I'm still learning (struggling) with the PIX, so any help with regard
    to what I did wrong or what needs to be done to correct the settings
    is greatly appreciated.

    Thanks,
    Jens

    PIX501 config:

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    domain-name loc.domain.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.240
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.240
    pager lines 24
    logging on
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.yyy.zzz.238 255.255.255.0
    ip address inside 192.168.1.238 255.255.255.240
    ip audit info action alarm
    ip audit attack action alarm drop
    ip local pool OutsideVPN 192.168.2.1-192.168.2.10
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_outbound_nat0_acl
    static (inside,outside) xxx.yyy.zzz.224 192.168.1.224 netmask 255.255.255.240 0 0
    route outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server 18.26.4.105 source outside prefer
    ntp server 128.252.19.1 source outside
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup OutsideVPN address-pool OutsideVPN
    vpngroup OutsideVPN dns-server 128.197.20.40 128.197.2.62
    vpngroup OutsideVPN default-domain loc.domain.com
    vpngroup OutsideVPN idle-time 1800
    vpngroup OutsideVPN password ********
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    dhcpd address 192.168.1.230-192.168.1.235 inside
    dhcpd dns 128.197.20.40 128.197.2.62
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain loc.domain.com
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Jens Meyer, Dec 18, 2003
    #1

  2. Jens Meyer

    Jens Meyer Guest

    On Thu, 18 Dec 2003 17:15:37 -0500, Jens Meyer <> wrote:

    >I've configured a basic PIX501 setup as outlined below. Essentially, I
    >have a network behind the PIX with one-to-one mappings of private IP
    >addresses to public IP addresses. Right now, I have no access-lists
    >set whatsoever as I'm just trying to get the VPN part working.
    >
    >I used the VPN Wizard in PDM to set up a simple VPN config allowing
    >outside hosts to connect to the PIX via the Cisco VPN Client 4.0.3(A).
    >However, when trying to actually establish a connection, I only get an
    >error message "Reason 412: The remote peer is no longer responding".
    >At the moment I don't care about AAA authentication, though
    >ultimately, AAA authentication needs to be provided by an NT4 DC.
    >
    >I'm still learning (struggling) with the PIX, so any help with regard
    >to what I did wrong or what needs to be done to correct the settings
    >is greatly appreciated.
    >
    >Thanks,
    >Jens

    Hmm, I've enabled full logging to an internal syslog server for the
    PIX. I then tried to connect two different computers via the VPN
    Client 4.0.3(A) to the PIX501. Both comps sit on the same subnet as
    the outside interface of the PIX.

    The log tells me for both connection attempts:
    "Deny inbound UDP from xxx.yyy.zzz.102/500 to xxx.yyy.zzz.238/500 on
    interface outside"

    Why would UDP 500 be blocked? I specified "sysopt connection
    permit-ipsec" and assumed this is all I need to do.

    So, my next question is: How do I open UDP 500 on the outside
    interface in order to get my VPN connection established?
    Jens Meyer, Dec 19, 2003
    #2

  3. Rik Bain

    Rik Bain Guest

    On Fri, 19 Dec 2003 11:21:20 -0600, Jens Meyer wrote:


    >
    > Hmm, I've enabled full logging to an internal syslog server for the PIX.
    > I then tried to connect two different computers via the VPN Client
    > 4.0.3(A) to the PIX501. Both comps sit on the same subnet as the outside
    > interface of the PIX.
    >
    > The log tells me for both connection attempts: "Deny inbound UDP from
    > xxx.yyy.zzz.102/500 to xxx.yyy.zzz.238/500 on interface outside"
    >
    > Why would UDP 500 be blocked? I specified "sysopt connection
    > permit-ipsec" and assumed this is all I need to do.
    >
    > So, my next question is: How do I open UDP 500 on the outside interface
    > in order to get my VPN connection established?



    That would make me think that you are not entering the PIX IP address as
    the peer in the client. The PIX will always accept ISAKMP connections
    if ISAKMP is enabled, and would not produce that message if traffic was
    destined to the PIX itself.

    Verify that you are entering the pix outside ip address in your client.
    Rik Bain, Dec 19, 2003
    #3
  4. Jens Meyer

    Jens Meyer Guest

    On Fri, 19 Dec 2003 11:49:00 -0600, Rik Bain <> wrote:

    >On Fri, 19 Dec 2003 11:21:20 -0600, Jens Meyer wrote:
    >
    >
    >>
    >> Hmm, I've enabled full logging to an internal syslog server for the PIX.
    >> I then tried to connect two different computers via the VPN Client
    >> 4.0.3(A) to the PIX501. Both comps sit on the same subnet as the outside
    >> interface of the PIX.
    >>
    >> The log tells me for both connection attempts: "Deny inbound UDP from
    >> xxx.yyy.zzz.102/500 to xxx.yyy.zzz.238/500 on interface outside"
    >>
    >> Why would UDP 500 be blocked? I specified "sysopt connection
    >> permit-ipsec" and assumed this is all I need to do.
    >>
    >> So, my next question is: How do I open UDP 500 on the outside interface
    >> in order to get my VPN connection established?

    >
    >
    >That would make me think that you are not entering the PIX IP address as
    >the peer in the client. The PIX will always accept ISAKMP connections
    >if ISAKMP is enabled, and would not produce that message if traffic was
    >destined to the PIX itself.
    >
    >Verify that you are entering the pix outside ip address in your client.



    I think I've solved the problem of why I could not establish VPN
    connections.
    In the original configuration I've used "static (inside,outside)
    xxx.yyy.zzz.224 192.168.1.224 netmask 255.255.255.0 0 0" which created
    a static map between the firewall's outside and inside address. I'm
    now using "nat (inside) 1 0.0.0.0 0.0.0.0 0 0" and it works fine. I
    think that if I limit static IP mappings to a subset of internal IP
    addresses without including the firewall's internal address, I should
    be fine.

    Jens
    Jens Meyer, Dec 22, 2003
    #4
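    An added example, not part of this thread or of any Cisco tooling: a small Python lint that reads a PIX 6.3 style config, flags any "static" whose global or local block swallows the firewall's own interface address (the mistake found in post #4), and explains a "Deny inbound UDP .../500 to <outside IP>/500" syslog line (post #2) in light of Rik's point in post #3 that ISAKMP to the PIX's own address is normally terminated by the PIX and never ACL-checked. The config excerpt and the syslog line are constructed to match the ones posted; the public block, redacted as xxx.yyy.zzz in the thread, is replaced by 198.51.100.0/24 (RFC 5737 documentation space) as an assumption, and the "fixed" variant only substitutes the "nat (inside) 1" line from post #4 without the "global (outside) 1" that PAT would also need, since the thread does not show one.

```python
import ipaddress
import re

# Constructed config excerpt in the shape of the PIX 6.3(1) config posted in
# this thread. The thread redacts the public block as xxx.yyy.zzz; 198.51.100
# (RFC 5737 documentation space) stands in for it here and is an assumption.
PIX_CONFIG = """\
ip address outside 198.51.100.238 255.255.255.0
ip address inside 192.168.1.238 255.255.255.240
ip local pool OutsideVPN 192.168.2.1-192.168.2.10
static (inside,outside) 198.51.100.224 192.168.1.224 netmask 255.255.255.240 0 0
crypto map outside_map interface outside
isakmp enable outside
"""

# What post #4 changed: the static is replaced by "nat (inside) 1". A matching
# "global (outside) 1" would also be needed for PAT, but the thread does not
# show one, so it is left out here.
FIXED_CONFIG = PIX_CONFIG.replace(
    "static (inside,outside) 198.51.100.224 192.168.1.224 netmask 255.255.255.240 0 0",
    "nat (inside) 1 0.0.0.0 0.0.0.0 0 0",
)

# Constructed syslog line with the same shape as the one quoted in post #2.
SYSLOG_LINE = ("Deny inbound UDP from 198.51.100.102/500 to "
               "198.51.100.238/500 on interface outside")

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ISAKMP_RE = re.compile(r"^isakmp enable (\S+)$")
CRYPTO_IF_RE = re.compile(r"^crypto map \S+ interface (\S+)$")
DENY_RE = re.compile(
    r"Deny inbound (\w+) from (\S+)/(\d+) to (\S+)/(\d+) on interface (\S+)")


def parse_config(text):
    """Pull out the handful of PIX statements this check cares about."""
    cfg = {"interfaces": {}, "statics": [], "isakmp": set(), "crypto_if": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            name, ip, mask = m.groups()
            cfg["interfaces"][name] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, global_ip, local_ip, mask = m.groups()
            cfg["statics"].append({
                "real_if": real_if,
                "mapped_if": mapped_if,
                # strict=False: the static's address need not be the block's base
                "global": ipaddress.ip_network(f"{global_ip}/{mask}", strict=False),
                "local": ipaddress.ip_network(f"{local_ip}/{mask}", strict=False),
            })
        elif m := ISAKMP_RE.match(line):
            cfg["isakmp"].add(m.group(1))
        elif m := CRYPTO_IF_RE.match(line):
            cfg["crypto_if"].add(m.group(1))
    return cfg


def statics_covering_own_address(cfg):
    """Statics whose global block swallows the PIX's own address on the mapped
    interface, or whose local block swallows its address on the real interface.
    Returns (interface name, static block, own address) tuples."""
    hits = []
    for st in cfg["statics"]:
        for iface, block in ((st["mapped_if"], st["global"]), (st["real_if"], st["local"])):
            own = cfg["interfaces"].get(iface)
            if own is not None and own.ip in block:
                hits.append((iface, str(block), str(own.ip)))
    return hits


def explain_deny(cfg, log_line):
    """Explain a 'Deny inbound ... on interface X' line for a packet addressed
    to the PIX's own address on that interface. Returns a list of findings,
    empty if the line does not parse or is not addressed to the PIX itself."""
    m = DENY_RE.search(log_line)
    if not m:
        return []
    proto, _src, _sport, dst, dport, iface = m.groups()
    dst_ip = ipaddress.ip_address(dst)
    own = cfg["interfaces"].get(iface)
    if own is None or dst_ip != own.ip:
        return []
    findings = []
    if proto == "UDP" and dport == "500" and iface in cfg["isakmp"] and iface in cfg["crypto_if"]:
        findings.append(f"isakmp is enabled on {iface}: UDP/500 to the PIX's own "
                        f"address is terminated by the PIX and needs no ACL")
    for st in cfg["statics"]:
        if st["mapped_if"] == iface and dst_ip in st["global"]:
            offset = int(dst_ip) - int(st["global"].network_address)
            local = st["local"].network_address + offset
            findings.append(f"static on {iface} claims {dst_ip} and would translate it to "
                            f"{local}: the packet is handled as through-the-box traffic, "
                            f"not as addressed to the PIX, and is dropped without a permit")
    return findings


if __name__ == "__main__":
    for label, text in (("original", PIX_CONFIG), ("fixed", FIXED_CONFIG)):
        cfg = parse_config(text)
        print(f"[{label}] statics covering own address:",
              statics_covering_own_address(cfg))
        for finding in explain_deny(cfg, SYSLOG_LINE):
            print(f"[{label}] {finding}")
```

    Run against the original excerpt the lint reports the /28 static covering both .238 addresses and pairs the deny line with that static; against the fixed excerpt it reports no offending static and only the note that ISAKMP on the outside interface is accepted by the PIX itself.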
  5. Rik Bain

    Rik Bain Guest

    On Mon, 22 Dec 2003 14:11:27 -0600, Jens Meyer wrote:

    > On Fri, 19 Dec 2003 11:49:00 -0600, Rik Bain <>
    > wrote:
    >
    >>On Fri, 19 Dec 2003 11:21:20 -0600, Jens Meyer wrote:
    >>
    >>
    >>
    >>> Hmm, I've enabled full logging to an internal syslog server for the
    >>> PIX. I then tried to connect two different computers via the VPN
    >>> Client 4.0.3(A) to the PIX501. Both comps sit on the same subnet as
    >>> the outside interface of the PIX.
    >>>
    >>> The log tells me for both connection attempts: "Deny inbound UDP from
    >>> xxx.yyy.zzz.102/500 to xxx.yyy.zzz.238/500 on interface outside"
    >>>
    >>> Why would UDP 500 be blocked? I specified "sysopt connection
    >>> permit-ipsec" and assumed this is all I need to do.
    >>>
    >>> So, my next question is: How do I open UDP 500 on the outside
    >>> interface in order to get my VPN connection established?

    >>
    >>
    >>That would make me think that you are not entering the PIX IP address as
    >>the peer in the client. The PIX will always accept ISAKMP connections
    >>if ISAKMP is enabled, and would not produce that message if traffic was
    >>destined to the PIX itself.
    >>
    >>Verify that you are entering the pix outside ip address in your client.

    >
    >
    > I think I've solved the problem of why I could not establish VPN
    > connections.
    > In the original configuration I've used "static (inside,outside)
    > xxx.yyy.zzz.224 192.168.1.224 netmask 255.255.255.0 0 0" which created a
    > static map between the firewall's outside and inside address. I'm now
    > using "nat (inside) 1 0.0.0.0 0.0.0.0 0 0" and it works fine. I think
    > that if I limit static IP mappings to a subset of internal IP addresses
    > without including the firewall's internal address, I should be fine.
    >
    > Jens


    I missed that in the config, but you are correct.
    Rik Bain, Dec 22, 2003
    #5
