Cisco VPN Client V 4 connection issue within PIX 515

[hihal1]

Hello,
We have a PIX 515 with Ver 6.3(5)
Our 3 Nurses connect outside of the office to area hosptals via the Cisco VPN client ver4. Before installation of our PIX the nurses had no trouble connecting. Now however, the VPN client does connect, but does not receive any decrypted packets! Therefore the associated software to be used after VPN establishment times out or fails; no access screen appears.

Below is my config file; Please provide much needed advice.

:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 6j3VCQt.orhKNopD encrypted
passwd io/.oSUh3JA.szYI encrypted
hostname ########
domain-name ##########.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol smtp 110
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 105 permit ip 10.100.10.0 255.255.255.0 192.168.254.0 255.255.255.0

access-list permit_in permit tcp any host 66.xx.xx.194 eq smtp
access-list permit_in permit tcp any host 66.xx.xx.194 eq pop3
access-list permit_in permit tcp any host 66.xx.xx.194 eq https
access-list permit_in permit tcp any host 66.xx.xx.194 eq domain
access-list permit_in permit tcp any host 10.100.10.20 eq smtp
access-list permit_in permit tcp any host 10.100.10.20 eq pop3
access-list permit_in permit tcp any host 10.100.10.20 eq https
access-list permit_in permit tcp any host 10.100.10.20 eq domain
access-list permit_in permit udp any host 66.xx.xx.194
access-list permit_in permit esp any host 66.xx.xx.194 access-list permit_in permit esp any any
access-list permit_in permit udp any any
access-list permit_in permit icmp any any echo-reply
access-list permit_in permit tcp any host 66.xx.xx.194 eq www
access-list permit_in permit tcp any host 66.xx.xx.194 eq 3389
access-list permit_in permit tcp any host 66.xx.xx.194 eq 1731
access-list permit_in permit tcp any host 66.xx.xx.194 eq 522
access-list permit_in permit tcp any host 66.xx.xx.194 eq ldap
access-list permit_in permit tcp any host 66.xx.xx.194 eq 1503
access-list permit_in permit tcp any host 66.xx.xx.194 eq h323
access-list permit_in permit tcp any host 66.xx.xx.194 eq 1000
access-list permit_in permit tcp any host 66.xx.xx.194 eq ssh
pager lines 24
logging on
logging timestamp
logging buffered alerts
logging trap alerts
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 66.xx.xx.194 255.255.255.252
ip address inside 10.100.10.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 10.100.10.13 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 105
nat (inside) 1 10.100.10.0 255.255.255.0 0 0
static (inside,outside) tcp 66.xx.xx.194 smtp 10.100.10.20 smtp netmask 255.255
.255.255 0 0
static (inside,outside) tcp interface pop3 10.100.10.20 pop3 netmask 255.255.255
.255 0 0
static (inside,outside) tcp 66.xx.xx.194 domain 10.100.10.20 domain netmask 255
.255.255.255 0 0
static (inside,outside) tcp 66.xx.xx.194 https 10.100.10.20 https netmask 255.2
55.255.255 0 0
static (inside,outside) tcp interface h323 10.100.10.1 h323 netmask 255.255.255.
255 0 0
static (inside,outside) tcp interface 1503 10.100.10.1 1503 netmask 255.255.255.
255 0 0
static (inside,outside) tcp interface ldap 10.100.10.1 ldap netmask 255.255.255.
255 0 0
static (inside,outside) tcp interface 522 10.100.10.1 522 netmask 255.255.255.25
5 0 0
static (inside,outside) tcp interface 3389 10.100.10.1 3389 netmask 255.255.255.
255 0 0
static (inside,outside) tcp interface

http://www 10.100.10.1

http://www netmask

255.255.255.25
5 0 0
access-group permit_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.xx.xx.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
http server enable
http 10.100.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt ipsec pl-compatible
sysopt nodnsalias inbound
sysopt nodnsalias outbound
crypto ipsec transform-set tran3DES esp-3des esp-md5-hmac
crypto ipsec transform-set VPN3DES esp-3des esp-sha-hmac
crypto ipsec transform-set

http://WWWset

esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800 kilob
ytes 4608000
crypto dynamic-map dynmap 1 set transform-set

http://WWWset

crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map VPN 2 ipsec-isakmp
crypto map VPN 2 match address 105
crypto map VPN 2 set peer 69.xx.xx.195
crypto map VPN 2 set transform-set tran3DES
crypto map

http://WWWmap

1 ipsec-isakmp dynamic dynmap
crypto map

http://WWWmap

interface outside
isakmp enable outside
isakmp key ******** address 69.xx.xx.195 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86000
telnet 10.100.10.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.100.10.0 255.255.255.0 inside
ssh 10.100.10.0 255.255.255.0 intf2
ssh timeout 5
console timeout 0
dhcpd address 10.100.10.200-10.100.10.250 inside
dhcpd dns 66.xx.xx.15 66.xx.xx.16
dhcpd wins 10.100.10.30
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username admin password NVyHV4UyNHin4koa encrypted privilege 15
terminal width 80
banner exec
banner exec WARNING!
banner exec You must be authorized to access this network and equipment
banner exec Unauthorized use of these systems, networks, equipment and unauthor
ized access to computerized data is prohibited by LAW.
Cryptochecksum:cb9217f6486e1f9b33ef5729a1e9c484
: end



hihal1

 

[NetworkGhost]

On the PIX if you do a "show crypto ipsec sa" when the hosts are connected, what do you see? Post the results here.

http://www.wr-mem.com

 

[hihal1]

Hello,

Thank you so much for the reply. I have read 2 books and talked with 4 Cisco reps to no avail. I had thought that it might be the 2 Cisco Switches blocking the incomming traffic, bu they have just the default configurations and are being used as dump switches for now. I hooked up each Switch directly into the Cable modem and the to laptop and the Cisco VPN client works/ receiving and sending and obtaining decrypted Packs.

But when hooked up to the PIX, then receiving fails and no decrypted packs incoming.

The reults of your question:

show crypto ipsec sa
interface: outside
Crypto map tag: mymap, local addr. 66.x.x.194 which is the outside address.

hihal1

 

[brianinms]

What are you trying to VPN to? If that is your configuration for your pix you are missing the majority of the VPN configuration if your VPN is suppose to terminate on it.

 

[kwing112000]

Brianinms
The way i read it he has workstations behind the pix that VPN out to another site. It is just going thru the pix that is the issue.

 

[brianinms]

Gotcha Kwing, that makes more sense.

Sounds like the place they connect to needs to enable nat-traversal.

 

[hihal1]

Thank you guys, I will have the Hospitals that we VPN to check their configs.

Will let you all know!

Merry Christmas

hihal1

 

[hihal1]

Hello Happy New year,

Well So far no luck with any of the above.

What I need is to simply allow the the VPN clients from a laptop or workstation connectivity to a customer site.

If we do not use the PIX we can connect and perform OK, however via the PIX we do not receive the decrypted packets which allow an app to run from the remote server.

How do I allow the VPN clients to pass through without going through the NAT/PAT?

THanks,
Hal

hihal1

 

[NetworkGhost]

You cant. So to recap. Your clients are making VPN connections to a remote site.

You are having problems allowing this traffic through the pix.

Is that right? If so then please answer the following:



1. What type of VPN are they using? PPTP? IPSEC?

2. Is NAT-T supported on the remote end?

3. What type of VPN Client are they using?

http://www.wr-mem.com

 

[hihal1]

Hey thanks for the fast reply!

We both are using the Cisco VPN client Version 4.8.01.0300

We are still awaiting word wether NAT-T is supported on the other end.

The client is using ipsec/UDP


hihal1

 

[hihal1]

NAT-T is not in use on the other end!

So is there a way for me to isolate the client software to bypass NAT?

hihal1

 

[brianinms]

Yeah, you could give each client a public ip address.

 

[hihal1]

I thought so thanks


hihal1

 

[brianinms]

Additionally I am not sure why they just won't configure NAT-T for you.

 

[hihal1]

Well I agree but there are those that are set in their ways if you know what I mean. I am receiving 16 new additional public ips by the end of the month. So what do you recommend as best practice. If I use the IP's for the 3 nurses it will still have to go via the PIX.

So how do I isolate the 3 VPN clients via the new ip's?

Would I set up a pool of the 3 then include in a no nat list?

If that was the case then I should be able to use a static Ip from my network to do the same.

My mind is shot!

hihal1