Re: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-08-26 Thread Francisco Gomez
Hi James,



It would be nice to have the output of the "show crypto ipsec sa" on the PIX
while pinging back and forth. It would be nice to get the output of the
"debug icmp trace" and the "sh access-list" as well but in any case my
suggestion is this:



1) If you are doing split-tunneling I will suggest and access-list like
this:



access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0



and not:



 access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any



This is because you need to tell the PIX to creat a pair of SAs for Phase II
so the VPN client will encrypt data destined to the 192.168.1.0/24 and PIX
will encrypt traffic from the local LAN to the pool only.



Lastly, if you need to communicate to the DMZ as well, you may add these
lines to the access-list for nonat and interesting traffic:



access-list nonat permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list VPNUser_splitTunnelAcl permit ip 10.0.1.0 255.255.255.0
192.168.2.0 255.255.255.0



I will recommend to use the same access-list nonat for the line below:



nat (dmz) 0 access-l nonat



This is in order to avoid some "bugs" surfing around 6.3.1. Hope this helps
a little, and if you can send more details it would be nice to follow up in
this a little more. Have a good one!



My two cents,



Frank

Costa Rica

- Original Message -
From: "James Willard" 
To: 
Sent: Monday, August 25, 2003 5:17 PM
Subject: PIX VPN Client Configuration - At my wit's end! [7:74363]


> Hi all,
>
> Thanks in advance for reading this message. I am completely boggled on an
> issue here that I have literally been trying to troubleshoot for some 12
> hours now.
>
> I'm trying to configure a PIX 515E for Cisco VPN Client connectivity.
>
> Here are the relevant parts of my config:
>
> :PIX Version 6.3(1)
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
> access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0
> 255.255.255.0
> access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
> ip local pool vpnusers 192.168.2.100-192.168.2.254
> nat (inside) 0 access-list nonat
> nat (inside) 10 0.0.0.0 0.0.0.0 0 0
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec transform-set vpn esp-3des esp-md5-hmac
> crypto ipsec security-association lifetime seconds 300
> crypto dynamic-map dynmap 30 set transform-set vpn
> crypto map crypto-map-swa 20 ipsec-isakmp dynamic dynmap
> crypto map crypto-map-swa interface outside
> isakmp enable outside
> isakmp identity address
> isakmp nat-traversal 20
> isakmp policy 1 authentication pre-share
> isakmp policy 1 encryption 3des
> isakmp policy 1 hash sha
> isakmp policy 1 group 2
> isakmp policy 1 lifetime 300
> vpngroup VPNUser address-pool vpnusers
> vpngroup VPNUser dns-server 192.168.1.23 192.168.1.22
> vpngroup VPNUser wins-server 192.168.1.21 192.168.1.21
> vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
> vpngroup VPNUser idle-time 1800
> vpngroup VPNUser password 
>
> Let's say the outside interface is 100.100.100.28. These are the networks:
>
> 100.100.100.28 255.255.255.240(outside)
> 192.168.1.0255.255.255.0  (inside)
> 192.168.2.0255.255.255.0  (vpn IP pool)
> 10.0.1.0   255.255.255.0  (dmz)
>
> I can connect with the client just fine, but neither end can ping the
other.
> Say the client machine gets the IP 192.168.2.100 from the pool, it cannot
> ping anything in 192.168.1.x. Conversely, nothing in 192.168.1.x can ping
> 192.168.2.100. The VPN Client side shows packets being encrypted but none
> decrypted. The IPSec SA on the PIX shows packets being encrypted and none
> decrypted.
>
> Also worth noting is that the VPN client status shows "Transparent
> Tunneling: Inactive" on the status page while connecting, even though
isakmp
> nat-traversal is enabled. An ethereal capture shows the client sending ESP
> packets to the PIX but none are coming back.
>
> Please, if anyone has any ideas I would love to hear them. This has been
> driving me crazy!
>
> Thanks,
>
> James Willard
> [EMAIL PROTECTED]
> **Please support GroupStudy by purchasing from the GroupStudy Store:
> http://shop.groupstudy.com
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74384&t=74363
--
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html


Re: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-08-26 Thread Derek Gaff
James

Your missing the command "vpdn enable outside" from your config.

regards
derek

- Original Message -
From: "James Willard" 
To: 
Sent: Tuesday, August 26, 2003 12:17 AM
Subject: PIX VPN Client Configuration - At my wit's end! [7:74363]


> Hi all,
>
> Thanks in advance for reading this message. I am completely boggled on an
> issue here that I have literally been trying to troubleshoot for some 12
> hours now.
>
> I'm trying to configure a PIX 515E for Cisco VPN Client connectivity.
>
> Here are the relevant parts of my config:
>
> :PIX Version 6.3(1)
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
> access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0
> 255.255.255.0
> access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
> ip local pool vpnusers 192.168.2.100-192.168.2.254
> nat (inside) 0 access-list nonat
> nat (inside) 10 0.0.0.0 0.0.0.0 0 0
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec transform-set vpn esp-3des esp-md5-hmac
> crypto ipsec security-association lifetime seconds 300
> crypto dynamic-map dynmap 30 set transform-set vpn
> crypto map crypto-map-swa 20 ipsec-isakmp dynamic dynmap
> crypto map crypto-map-swa interface outside
> isakmp enable outside
> isakmp identity address
> isakmp nat-traversal 20
> isakmp policy 1 authentication pre-share
> isakmp policy 1 encryption 3des
> isakmp policy 1 hash sha
> isakmp policy 1 group 2
> isakmp policy 1 lifetime 300
> vpngroup VPNUser address-pool vpnusers
> vpngroup VPNUser dns-server 192.168.1.23 192.168.1.22
> vpngroup VPNUser wins-server 192.168.1.21 192.168.1.21
> vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
> vpngroup VPNUser idle-time 1800
> vpngroup VPNUser password 
>
> Let's say the outside interface is 100.100.100.28. These are the networks:
>
> 100.100.100.28 255.255.255.240(outside)
> 192.168.1.0255.255.255.0  (inside)
> 192.168.2.0255.255.255.0  (vpn IP pool)
> 10.0.1.0   255.255.255.0  (dmz)
>
> I can connect with the client just fine, but neither end can ping the
other.
> Say the client machine gets the IP 192.168.2.100 from the pool, it cannot
> ping anything in 192.168.1.x. Conversely, nothing in 192.168.1.x can ping
> 192.168.2.100. The VPN Client side shows packets being encrypted but none
> decrypted. The IPSec SA on the PIX shows packets being encrypted and none
> decrypted.
>
> Also worth noting is that the VPN client status shows "Transparent
> Tunneling: Inactive" on the status page while connecting, even though
isakmp
> nat-traversal is enabled. An ethereal capture shows the client sending ESP
> packets to the PIX but none are coming back.
>
> Please, if anyone has any ideas I would love to hear them. This has been
> driving me crazy!
>
> Thanks,
>
> James Willard
> [EMAIL PROTECTED]
> **Please support GroupStudy by purchasing from the GroupStudy Store:
> http://shop.groupstudy.com
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74391&t=74363
--
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html


RE: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-08-26 Thread [EMAIL PROTECTED]
Have you watched your

access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any

very closely?

It is meant to be "mirrored" at the client connection time so must be 

access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0 

A packet sent from the client is checked against this list. So must be more
specific in my experience. 

Martijn 

-Oorspronkelijk bericht-
Van: Derek Gaff [mailto:[EMAIL PROTECTED]
Verzonden: dinsdag 26 augustus 2003 9:57
Aan: [EMAIL PROTECTED]
Onderwerp: Re: PIX VPN Client Configuration - At my wit's end! [7:74363]


James

Your missing the command "vpdn enable outside" from your config.

regards
derek

- Original Message -
From: "James Willard" 
To: 
Sent: Tuesday, August 26, 2003 12:17 AM
Subject: PIX VPN Client Configuration - At my wit's end! [7:74363]


> Hi all,
>
> Thanks in advance for reading this message. I am completely boggled on an
> issue here that I have literally been trying to troubleshoot for some 12
> hours now.
>
> I'm trying to configure a PIX 515E for Cisco VPN Client connectivity.
>
> Here are the relevant parts of my config:
>
> :PIX Version 6.3(1)
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
> access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0
> 255.255.255.0
> access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
> ip local pool vpnusers 192.168.2.100-192.168.2.254
> nat (inside) 0 access-list nonat
> nat (inside) 10 0.0.0.0 0.0.0.0 0 0
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec transform-set vpn esp-3des esp-md5-hmac
> crypto ipsec security-association lifetime seconds 300
> crypto dynamic-map dynmap 30 set transform-set vpn
> crypto map crypto-map-swa 20 ipsec-isakmp dynamic dynmap
> crypto map crypto-map-swa interface outside
> isakmp enable outside
> isakmp identity address
> isakmp nat-traversal 20
> isakmp policy 1 authentication pre-share
> isakmp policy 1 encryption 3des
> isakmp policy 1 hash sha
> isakmp policy 1 group 2
> isakmp policy 1 lifetime 300
> vpngroup VPNUser address-pool vpnusers
> vpngroup VPNUser dns-server 192.168.1.23 192.168.1.22
> vpngroup VPNUser wins-server 192.168.1.21 192.168.1.21
> vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
> vpngroup VPNUser idle-time 1800
> vpngroup VPNUser password 
>
> Let's say the outside interface is 100.100.100.28. These are the networks:
>
> 100.100.100.28 255.255.255.240(outside)
> 192.168.1.0255.255.255.0  (inside)
> 192.168.2.0255.255.255.0  (vpn IP pool)
> 10.0.1.0   255.255.255.0  (dmz)
>
> I can connect with the client just fine, but neither end can ping the
other.
> Say the client machine gets the IP 192.168.2.100 from the pool, it cannot
> ping anything in 192.168.1.x. Conversely, nothing in 192.168.1.x can ping
> 192.168.2.100. The VPN Client side shows packets being encrypted but none
> decrypted. The IPSec SA on the PIX shows packets being encrypted and none
> decrypted.
>
> Also worth noting is that the VPN client status shows "Transparent
> Tunneling: Inactive" on the status page while connecting, even though
isakmp
> nat-traversal is enabled. An ethereal capture shows the client sending ESP
> packets to the PIX but none are coming back.
>
> Please, if anyone has any ideas I would love to hear them. This has been
> driving me crazy!
>
> Thanks,
>
> James Willard
> [EMAIL PROTECTED]
> **Please support GroupStudy by purchasing from the GroupStudy Store:
> http://shop.groupstudy.com
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74397&t=74363
--
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html


RE: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-09-02 Thread Deepali S
Hi James,

 First and foremost please make sure that the inside ip address of the pix
and the VPN address pool are of different range since there is a BUG
associated , i would recommend you to use an entirely different range of
address pool.

 What is the client version you are using? If you are using Cisco VPN client
3.6.x and above then please change the hash type to md5 as Cisco VPN client
3.6.x doesnt support sha .

  isakmp policy 1 md5

 Pls read check this link:

 http://www.cisco.com/warp/public/707/ipsec_debug.html#inability

 Just let me know if you have any queries.

 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74636&t=74363
--
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html


RE: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-09-02 Thread Reimer, Fred
Hmm, that's bizarre.  I'm running 4.02B and I can use SHA.  Where did you
get the information that 3.6 and above don't support SHA???



Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050


NOTICE; This email contains confidential or proprietary information which
may be legally privileged. It is intended only for the named recipient(s).
If an addressing or transmission error has misdirected the email, please
notify the author by replying to this message. If you are not the named
recipient, you are not authorized to use, disclose, distribute, copy, print
or rely on this email, and should immediately delete it from your computer.


-Original Message-
From: Deepali S [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 02, 2003 3:14 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX VPN Client Configuration - At my wit's end! [7:74363]

Hi James,

 First and foremost please make sure that the inside ip address of the pix
and the VPN address pool are of different range since there is a BUG
associated , i would recommend you to use an entirely different range of
address pool.

 What is the client version you are using? If you are using Cisco VPN client
3.6.x and above then please change the hash type to md5 as Cisco VPN client
3.6.x doesnt support sha .

  isakmp policy 1 md5

 Pls read check this link:

 http://www.cisco.com/warp/public/707/ipsec_debug.html#inability

 Just let me know if you have any queries.
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html

[GroupStudy removed an attachment of type application/octet-stream which had
a name of vpn.PNG]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74660&t=74363
--
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html