RE: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-09-02 Thread Deepali S
Hi James,

 First and foremost, please make sure that the inside IP address of the PIX
and the VPN address pool are in different ranges, since there is a BUG
associated with this; I would recommend you use an entirely different range
for the address pool.

 What is the client version you are using? If you are using Cisco VPN client
3.6.x and above, then please change the hash type to MD5, as Cisco VPN client
3.6.x doesn't support SHA.

  isakmp policy 1 hash md5

 Please check this link:

 http://www.cisco.com/warp/public/707/ipsec_debug.html#inability

 Just let me know if you have any queries.

 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74636t=74363
--
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html


RE: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-09-02 Thread Reimer, Fred
Hmm, that's bizarre.  I'm running 4.02B and I can use SHA.  Where did you
get the information that 3.6 and above don't support SHA???



Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050




-Original Message-
From: Deepali S [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 02, 2003 3:14 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX VPN Client Configuration - At my wit's end! [7:74363]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74660t=74363


Re: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-08-26 Thread Francisco Gomez
Hi James,

It would be nice to have the output of show crypto ipsec sa on the PIX
while pinging back and forth. It would be nice to get the output of
debug icmp trace and sh access-list as well, but in any case my
suggestion is this:

1) If you are doing split-tunneling, I would suggest an access-list like
this:

access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

and not:

access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any

This is because you need to tell the PIX to create a pair of SAs for Phase II,
so the VPN client will encrypt data destined to 192.168.1.0/24 and the PIX
will encrypt traffic from the local LAN to the pool only.

Lastly, if you need to communicate with the DMZ as well, you may add these
lines to the access-lists for nonat and interesting traffic:

access-list nonat permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0

I would recommend using the same access-list nonat for the line below:

nat (dmz) 0 access-l nonat

This is in order to avoid some bugs surfacing around 6.3.1. Hope this helps
a little, and if you can send more details it would be nice to follow up on
this a little more. Have a good one!

My two cents,

Frank
Costa Rica

- Original Message -
From: James Willard 
To: 
Sent: Monday, August 25, 2003 5:17 PM
Subject: PIX VPN Client Configuration - At my wit's end! [7:74363]


 Hi all,

 Thanks in advance for reading this message. I am completely boggled on an
 issue here that I have literally been trying to troubleshoot for some 12
 hours now.

 I'm trying to configure a PIX 515E for Cisco VPN Client connectivity.

 Here are the relevant parts of my config:

 :PIX Version 6.3(1)
 interface ethernet0 auto
 interface ethernet1 auto
 interface ethernet2 auto
 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 nameif ethernet2 dmz security50
 access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
 access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
 ip local pool vpnusers 192.168.2.100-192.168.2.254
 nat (inside) 0 access-list nonat
 nat (inside) 10 0.0.0.0 0.0.0.0 0 0
 sysopt connection permit-ipsec
 crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
 crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 crypto ipsec transform-set vpn esp-3des esp-md5-hmac
 crypto ipsec security-association lifetime seconds 300
 crypto dynamic-map dynmap 30 set transform-set vpn
 crypto map crypto-map-swa 20 ipsec-isakmp dynamic dynmap
 crypto map crypto-map-swa interface outside
 isakmp enable outside
 isakmp identity address
 isakmp nat-traversal 20
 isakmp policy 1 authentication pre-share
 isakmp policy 1 encryption 3des
 isakmp policy 1 hash sha
 isakmp policy 1 group 2
 isakmp policy 1 lifetime 300
 vpngroup VPNUser address-pool vpnusers
 vpngroup VPNUser dns-server 192.168.1.23 192.168.1.22
 vpngroup VPNUser wins-server 192.168.1.21 192.168.1.21
 vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
 vpngroup VPNUser idle-time 1800
 vpngroup VPNUser password 

 Let's say the outside interface is 100.100.100.28. These are the networks:

 100.100.100.28 255.255.255.240 (outside)
 192.168.1.0    255.255.255.0   (inside)
 192.168.2.0    255.255.255.0   (vpn IP pool)
 10.0.1.0       255.255.255.0   (dmz)

 I can connect with the client just fine, but neither end can ping the other.
 Say the client machine gets the IP 192.168.2.100 from the pool; it cannot
 ping anything in 192.168.1.x. Conversely, nothing in 192.168.1.x can ping
 192.168.2.100. The VPN Client side shows packets being encrypted but none
 decrypted. The IPSec SA on the PIX shows packets being encrypted and none
 decrypted.

 Also worth noting is that the VPN client status shows Transparent
 Tunneling: Inactive on the status page while connecting, even though isakmp
 nat-traversal is enabled. An ethereal capture shows the client sending ESP
 packets to the PIX but none are coming back.

 Please, if anyone has any ideas I would love to hear them. This has been
 driving me crazy!

 Thanks,

 James Willard
 [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74384t=74363

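As an added example (not code from the thread or from Cisco), the following Python lint runs the checks the replies describe over the config lines James posted: Deepali's point that the pool must not come out of the inside network's range, and Francisco's and Martijn's point that the split-tunnel ACL destination must be the pool rather than "any", plus the matching nonat exemption. The inside network, pool name and ACL names are passed in as assumptions rather than read from the config.

```python
import ipaddress
# Constructed sample: the VPN-relevant lines of the PIX 6.3(1) config posted in the thread.
PIX_CONFIG = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
ip local pool vpnusers 192.168.2.100-192.168.2.254
nat (inside) 0 access-list nonat
vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
"""
def parse_endpoint(tokens):
    """Consume one ACL endpoint ('any' or 'addr mask'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Collect 'permit ip' ACL entries by ACL name and 'ip local pool' ranges by pool name."""
    acls, pools = {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = parse_endpoint(t[4:])
            dst, _ = parse_endpoint(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    return acls, pools

def lint(text, inside_net, pool_name, split_acl, nonat_acl):
    """Return the misconfigurations the replies in this thread point at, as short strings."""
    acls, pools = parse_config(text)
    inside = ipaddress.ip_network(inside_net)
    lo, hi = pools[pool_name]
    findings = []
    # Deepali's point: the pool must be a different range from the inside network.
    if lo in inside or hi in inside:
        findings.append(f"pool {pool_name} overlaps inside network {inside}")
    # Francisco/Martijn: the split-tunnel ACL is mirrored into the Phase 2 SAs, so its
    # destination must be the pool itself, not 'any'.
    for src, dst in acls.get(split_acl, []):
        if dst.prefixlen == 0:
            findings.append(f"{split_acl}: destination 'any' instead of the pool")
        elif lo not in dst or hi not in dst:
            findings.append(f"{split_acl}: destination {dst} does not cover the pool")
    # The nat 0 ACL must exempt inside -> pool traffic from translation.
    if not any(inside.subnet_of(src) and lo in dst and hi in dst
               for src, dst in acls.get(nonat_acl, [])):
        findings.append(f"{nonat_acl}: inside -> pool traffic is not exempted from NAT")
    return findings
```

Running lint on the posted config reports only the "any" destination; narrowing that line to 192.168.2.0 255.255.255.0 as suggested in the replies clears it.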

Re: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-08-26 Thread Derek Gaff
James

You're missing the command vpdn enable outside from your config.

regards
derek





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74391t=74363


RE: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-08-26 Thread [EMAIL PROTECTED]
Have you watched your

access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any

very closely?

It is meant to be mirrored at the client connection time, so it must be

access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

A packet sent from the client is checked against this list, so it must be more
specific in my experience.

Martijn 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74397t=74363