PIX 501 PPTP VPN RADIUS authentication problem

Discussion in 'Cisco' started by oly, Aug 2, 2005.

  1. oly

    oly Guest

    I am having a problem getting RADIUS authentication to work with a
    CISCO PIX 501 (version 6.3(4)).

    My network is configured like this:

    RADIUS Server <---> PIX <---> NETGEAR DG834 Router <---> DSL Provider

    The PIX's External_IF is connected to the router's LAN port, and the two
    are on the same IP network. The router has one public IP address assigned
    to its external_IF.
    Everything else works fine with my configuration (web, DNS, etc.), but
    incoming VPN connections fail. An outside user is able to connect to
    the PIX, but I believe authentication fails. At the PIX console I
    can see an outside user connect, but shortly afterwards they are
    disconnected. The users see a Windows dialog saying "authenticating
    username and password", but that eventually fails. Now, I am able to get
    everything working in a test environment if I remove the router from the
    picture and connect a simulated external client directly to
    the PIX's outside interface; authentication and everything else works fine.
    I know there are issues with PAT and PPTP, so my guess is that the
    extra NATing (or PATing, in PIX terms) the router is doing with the
    PIX's outside IF is causing the problems. Is there a workaround, or
    does anyone see any problems with the way I am doing things? Hopefully
    I included all the info you need.

    Below are samples of my PIX's config:

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

    hostname xxxxxx
    domain-name xxxx.local
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69

    access-list nat0-acl permit ip any 192.168.100.0 255.255.255.0

    pager lines 10
    icmp deny any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.1.1 255.255.255.0
    ip address inside 192.168.100.3 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pptp-pool 192.168.100.208-192.168.100.240
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nat0-acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface smtp server3 smtp netmask 255.255.255.255 0 0
    access-group acl-outside-if in interface outside
    access-group acl-inside-if in interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.1.4 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server RADIUS (inside) host server3 xxxxxxxx timeout 10
    aaa-server LOCAL protocol local
    ntp server server3 source inside
    http server enable
    http 192.168.100.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-pptp
    telnet timeout 5
    console timeout 0
    vpdn group pptp-group accept dialin pptp
    vpdn group pptp-group ppp authentication mschap
    vpdn group pptp-group ppp encryption mppe auto required
    vpdn group pptp-group client configuration address local pptp-pool
    vpdn group pptp-group client configuration dns server3
    vpdn group pptp-group client configuration wins server3
    vpdn group pptp-group client authentication aaa RADIUS
    vpdn group pptp-group client accounting RADIUS
    vpdn group pptp-group pptp echo 60
    vpdn enable outside
    terminal width 80
    : end
     
    oly, Aug 2, 2005
    #1
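A static check over the posted configuration, added here as an example (it is not code from the thread or from Cisco). It parses the PIX 6.3 lines that PPTP depends on and cross-checks them: the client address pool must lie in a directly connected subnet and not overlap an interface address, it must be covered by the nat 0 ACL so inside hosts' replies to VPN clients are not PATed by `nat (inside) 1`, the AAA group named in `client authentication aaa` must have a host bound to a real interface, `mppe ... required` needs MS-CHAP authentication (MPPE keys are derived from it), and a default SNMP community string is flagged. SAMPLE_CONFIG is an excerpt of the config above with the same masked values; the checks and their wording are the editor's assumptions about what is worth verifying, and on this excerpt the only thing they trip is `snmp-server community public`, which is unrelated to the VPN problem but worth fixing anyway.

```python
"""Static sanity checks on a PIX 6.3 PPTP/RADIUS configuration.
Added example; SAMPLE_CONFIG is an excerpt of the config in the post."""
import ipaddress
import re

# Excerpt of the posted configuration (secrets/hostnames masked as posted).
SAMPLE_CONFIG = """\
ip address outside 192.168.1.1 255.255.255.0
ip address inside 192.168.100.3 255.255.255.0
ip local pool pptp-pool 192.168.100.208-192.168.100.240
access-list nat0-acl permit ip any 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nat0-acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host server3 xxxxxxxx timeout 10
snmp-server community public
sysopt connection permit-pptp
vpdn group pptp-group accept dialin pptp
vpdn group pptp-group ppp authentication mschap
vpdn group pptp-group ppp encryption mppe auto required
vpdn group pptp-group client configuration address local pptp-pool
vpdn group pptp-group client authentication aaa RADIUS
vpdn enable outside
"""


def matches(lines, pattern):
    """Match objects for every line whose start matches pattern."""
    rx = re.compile(pattern)
    return [m for m in map(rx.match, lines) if m]


def check_pptp(text):
    """Return a list of human-readable findings (empty list = nothing flagged)."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.startswith(":")]
    findings = []

    ifaces = {m[1]: ipaddress.ip_interface(f"{m[2]}/{m[3]}")
              for m in matches(lines, r"ip address (\S+) (\S+) (\S+)")}
    pools = {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
             for m in matches(lines, r"ip local pool (\S+) (\S+)-(\S+)")}
    # Only the 'permit ip <src> <net> <mask>' form is parsed; enough for nat 0 ACLs.
    acls = {m[1]: ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            for m in matches(lines, r"access-list (\S+) permit ip (?:any|host \S+|\S+ \S+) (\S+) (\S+)$")}
    nat0 = [acls[m[1]] for m in matches(lines, r"nat \(\S+\) 0 access-list (\S+)") if m[1] in acls]
    aaa_hosts = {}
    for m in matches(lines, r"aaa-server (\S+) \((\S+)\) host (\S+)"):
        aaa_hosts.setdefault(m[1], []).append((m[2], m[3]))
    auth = {m[1]: m[2] for m in matches(lines, r"vpdn group (\S+) ppp authentication (\S+)")}

    if not matches(lines, r"vpdn enable \S+"):
        findings.append("no 'vpdn enable <if>': the PIX is not listening for PPTP")
    if not matches(lines, r"sysopt connection permit-pptp$"):
        findings.append("no 'sysopt connection permit-pptp': TCP/1723 and GRE must be permitted by the outside ACL instead")

    for m in matches(lines, r"vpdn group (\S+) client configuration address local (\S+)"):
        grp, name = m[1], m[2]
        if name not in pools:
            findings.append(f"{grp}: pool '{name}' is not defined")
            continue
        lo, hi = pools[name]
        if not any(lo in i.network and hi in i.network for i in ifaces.values()):
            findings.append(f"pool '{name}' ({lo}-{hi}) is not in a directly connected subnet")
        if any(lo <= i.ip <= hi for i in ifaces.values()):
            findings.append(f"pool '{name}' overlaps a PIX interface address")
        if not any(lo in n and hi in n for n in nat0):
            findings.append(f"pool '{name}' is not covered by a nat 0 ACL: inside replies to VPN clients will be NATed")

    for m in matches(lines, r"vpdn group (\S+) client authentication aaa (\S+)"):
        grp, tag = m[1], m[2]
        if tag not in aaa_hosts:
            findings.append(f"{grp}: AAA group '{tag}' has no 'aaa-server {tag} (<if>) host' entry")
        for iface, host in aaa_hosts.get(tag, []):
            if iface not in ifaces:
                findings.append(f"AAA host {host} is bound to unknown interface '{iface}'")

    for m in matches(lines, r"vpdn group (\S+) ppp encryption mppe \S+ required"):
        if auth.get(m[1]) != "mschap":
            findings.append(f"{m[1]}: MPPE is required but authentication is '{auth.get(m[1])}'; MPPE keys come from MS-CHAP")

    for m in matches(lines, r"snmp-server community (\S+)"):
        if m[1].lower() in ("public", "private"):
            findings.append(f"snmp-server community '{m[1]}' is a well-known default; change or remove it")
    return findings


if __name__ == "__main__":
    for finding in check_pptp(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a full `write terminal` dump rather than the excerpt; unknown lines are ignored, so it is safe to paste the whole config in.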

  2. Scott Lowe

    Scott Lowe Guest

    I suppose it is not possible to hook your PIX up to the DSL provider?
    That would certainly make things easier. If I recall, PIX OS 6.3(4)
    does provide support for PPPoE. (I could be mistaken on that point.)
    Have you forwarded TCP port 1723 through the NetGear to the PIX? This
    is the PPTP control channel and has to be passed through. I'm not
    familiar with that particular model of NetGear, but you may also need
    to enable "VPN passthrough" or similar in order for it to work. Some
    models refer to a "DMZ host," which you could also use to point to the
    PIX.

    HTH.
     
    Scott Lowe, Aug 3, 2005
    #2
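PPTP through a NAT router needs two separate things to arrive: the control connection on TCP/1723 that Scott mentions, and the PPP data, which does not travel over TCP at all but in GRE (IP protocol 47). A port-forward rule covers only the first; the router must pass GRE as well, which is what the "VPN passthrough" setting on most home routers does. A Windows client that gets as far as "authenticating username and password" has already completed the TCP/1723 exchange, so at that point it is the PPP traffic inside GRE that is not getting through. The script below is an added example, not code from the thread or from Cisco: it builds the RFC 2637 Start-Control-Connection-Request, parses the reply, and (as root) sends one enhanced-GRE frame so the router's handling of protocol 47 can be watched on the PIX console or in a packet capture. The hostname and vendor strings, the sample reply produced by `build_sccrp`, and the LCP-looking GRE payload are all constructed for the example.

```python
"""Build/parse PPTP control messages (RFC 2637) and a GRE test frame, and
optionally probe a live server. Added example; not code from the thread."""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1               # PPTP message type: control message
SCCRQ, SCCRP = 1, 2            # Start-Control-Connection-Request / -Reply
PROTO_VERSION = 0x0100
GRE_PPP = 0x880B               # protocol type carried in enhanced GRE
# Both control messages are 156 bytes. In the SCCRP the 2-byte Reserved1
# field after Protocol Version becomes 1-byte Result Code + 1-byte Error Code.
SCCRQ_FMT = ">HHIHHHHIIHH64s64s"
SCCRP_FMT = ">HHIHHHBBIIHH64s64s"
RESULT_TEXT = {1: "ok", 2: "general error", 3: "command channel already exists",
               4: "not authorized", 5: "unsupported protocol version"}


def _pad(s):
    """Fixed 64-byte, NUL-padded string field."""
    return s[:64].ljust(64, b"\0")


def build_sccrq(hostname=b"probe", vendor=b"example"):
    """Client -> server. framing=3 (async+sync), bearer=3 (analog+digital)."""
    return struct.pack(SCCRQ_FMT, 156, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0,
                       PROTO_VERSION, 0, 3, 3, 1, 0, _pad(hostname), _pad(vendor))


def build_sccrp(result=1, error=0, hostname=b"pix", vendor=b"Cisco"):
    """Server -> client; used here only to construct a sample reply offline."""
    return struct.pack(SCCRP_FMT, 156, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0,
                       PROTO_VERSION, result, error, 3, 3, 1, 0, _pad(hostname), _pad(vendor))


def parse_sccrp(data):
    """Decode an SCCRP; raises ValueError if what answered is not a PPTP server."""
    if len(data) < struct.calcsize(SCCRP_FMT):
        raise ValueError("short or empty reply: TCP/1723 reached something, but not a PPTP server")
    (_length, mtype, cookie, ctype, _r0, version, result, error,
     _framing, _bearer, max_ch, firmware, host, vend) = struct.unpack(SCCRP_FMT, data[:156])
    if cookie != MAGIC_COOKIE or mtype != CTRL_MESSAGE or ctype != SCCRP:
        raise ValueError("reply is not a PPTP SCCRP")
    return {"result": result, "result_text": RESULT_TEXT.get(result, f"unknown({result})"),
            "error": error, "version": version, "max_channels": max_ch,
            "firmware": firmware, "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
            "vendor": vend.rstrip(b"\0").decode("ascii", "replace")}


def build_gre_pptp(call_id, seq, payload):
    """Enhanced GRE header (RFC 2637 4.1): flags byte 0x30 = K (key present) +
    S (sequence present); second byte = version 1; protocol 0x880B (PPP)."""
    return struct.pack(">BBHHHI", 0x30, 0x01, GRE_PPP, len(payload), call_id, seq) + payload


def probe(host, timeout=5.0):
    """Live check of both channels. Step 1 only needs TCP/1723 forwarded.
    Step 2 sends one GRE frame (IP protocol 47) through a raw socket (root);
    whether it arrived has to be confirmed on the PIX side or with a capture."""
    with socket.create_connection((host, PPTP_PORT), timeout=timeout) as s:
        s.sendall(build_sccrq())
        reply = parse_sccrp(s.recv(156))
    try:
        raw = socket.socket(socket.AF_INET, socket.SOCK_RAW, 47)
        # Constructed PPP/LCP-looking payload: address/control + LCP protocol id.
        raw.sendto(build_gre_pptp(0, 0, b"\xff\x03\xc0\x21"), (host, 0))
        raw.close()
        reply["gre_sent"] = True
    except PermissionError:
        reply["gre_sent"] = False   # rerun as root to exercise the GRE path
    return reply


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run `python3 probe.py <router public IP>` from outside. A result of `ok` with the PIX's hostname proves the TCP/1723 forward; if the GRE frame never shows up in `debug pptp` output or a capture on the PIX's outside interface, the router is dropping protocol 47 and the Windows client will stall at the authentication step exactly as described.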

  3. Walter Roberson

    :If I recall, PIX OS 6.3(4)
    :does provide support for PPPoE. (I could be mistaken on that point.)

    Yes, PPPoE support was added somewhere around PIX 6.2.
     
    Walter Roberson, Aug 3, 2005
    #3
  4. oly

    oly Guest

    I don't think running PPPoE on my PIX is possible because I am using my
    PIX as a PPTP server also, and the two don't jibe from what I have
    researched.

    As far as my router goes, I have a rule set to forward all traffic to
    the PIX, so port 1723 should be included. I haven't tried putting the
    PIX on the DMZ port, so I will have to try that. I see a setting on the
    NetGear router that allows you to disable NATing; I am not sure what
    effect this will have on the PIX though.

    Thanks for the replies
     
    oly, Aug 3, 2005
    #4
