
Pix 7.1 VPN problems

Status
Not open for further replies.

aramsay

Technical User
Oct 31, 2004
I have a Pix 515UR running 7.0.2 for a while now, with few or little problems, however one of them requires us to upgrade to 7.1.2.

Without making any config changes other than:
no boot system flash:/pix712.bin
boot system flash:/pix702.bin

when the system comes back up, internet access is fine, people can access our servers, however we can no longer connect from outside by using Cisco VPN client 4.8.00.0440 (or various other versions).

Has anyone else come across any problem like this, or know if there is a problem with 7.1.2 accepting VPN connections?

I've pasted a (slightly modified to protect it) configuration from the system. It's enclosed below.

Configuration:
: Saved

PIX Version 7.0(2)
no names
!
interface Ethernet0
nameif Outside
security-level 0
ip address 195.*.*.* 255.255.255.0 standby 195.*.*.*
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.*.1 255.255.252.0 standby 192.168.*.2
!
interface Ethernet2
nameif DMZ
security-level 50
ip address 192.168.*.2 255.255.255.0 standby 192.168.*.3
!
interface Ethernet3
nameif Hosting
security-level 10
ip address 192.168.*.2 255.255.255.0 standby 192.168.*.3
!
interface Ethernet4
nameif MNAWAN
security-level 60
ip address 126.5.0.2 255.0.0.0
!
interface Ethernet5
description LAN/STATE Failover Interface
!
enable password * encrypted
passwd * encrypted
hostname pixfirewall
domain-name *.com
boot system flash:/pix702.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns retries 2
dns timeout 2
dns domain-lookup inside
dns name-server 192.168.*.202
dns name-server 192.168.*.204
dns name-server 192.168.*.200
object-group service Incoming_******_TCP tcp
port-object eq 8080
port-object eq 1755
port-object eq smtp
port-object eq 30777
port-object eq ftp-data
port-object eq rtsp
port-object eq www
port-object eq https
port-object eq ftp
object-group service Incoming_******_UDP udp
port-object eq 1755
port-object eq 5005
object-group service Incoming_ tcp
port-object eq www
port-object eq https
object-group network DMZ_WebHosts
network-object 192.168.*.12 255.255.255.255
network-object 192.168.*.18 255.255.255.255
network-object 192.168.*.19 255.255.255.255
network-object 192.168.*.21 255.255.255.255
network-object 192.168.*.20 255.255.255.255
object-group network Outside_WebHosts
network-object *.*.*.19 255.255.255.255
network-object *.*.*.20 255.255.255.255
network-object *.*.*.21 255.255.255.255
network-object *.*.*.12 255.255.255.255
network-object *.*.*.18 255.255.255.255
network-object *.*.*.15 255.255.255.255
network-object *.*.*.13 255.255.255.255
object-group icmp-type icmp-grp
icmp-object echo
icmp-object echo-reply
access-list *****splitTunnelAcl standard permit any
access-list inside_cryptomap_dyn_20 extended permit ip any 172.16.31.0 255.255.255.0
access-list inside_cryptomap_dyn_20 extended permit ip any 172.31.0.0 255.255.248.0
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit tcp any *.*.*.128 255.255.255.128 object-group Incoming_******_TCP
access-list Outside_access_in extended permit udp any *.*.*.128 255.255.255.128 object-group Incoming_******_UDP
access-list Outside_access_in extended permit tcp any object-group Outside_WebHosts object-group Incoming_
access-list Outside_access_in extended permit tcp any host *.*.*.18 eq ssh
access-list Outside_access_in extended permit tcp any host *.*.*.10 eq smtp
access-list Outside_access_in extended permit gre any any
access-list Outside_access_in extended permit icmp any any time-exceeded
access-list Outside_access_in extended permit tcp any host *.*.*.15 eq www
access-list Outside_access_in extended permit tcp any host *.*.*.162 eq 7099
access-list Outside_access_in extended permit tcp any host *.*.*.12 eq imap4
access-list Outside_access_in extended permit tcp any host *.*.*.10 eq 1812
access-list Outside_access_in extended permit tcp any host *.*.*.66 eq www
access-list Outside_access_in extended permit tcp any host *.*.*.66 eq 8080
access-list Outside_access_in extended permit tcp any host *.*.*.66 eq smtp
access-list Outside_access_in extended permit tcp any host *.*.*.67 eq www
access-list Outside_access_in extended permit tcp any host *.*.*.67 eq imap4
access-list Outside_access_in extended permit tcp any host *.*.*.15 eq imap4
access-list Outside_access_in extended permit tcp host 82.X.X.X host *.*.*.12 eq 3389
access-list Outside_access_in extended permit tcp host 70.X.X.X any
access-list Inside_access_out extended deny tcp any any eq nntp
access-list Inside_access_out extended deny tcp any any eq 6969
access-list Inside_access_out extended deny tcp any any range 6881 6999
access-list Inside_access_out extended permit icmp any any
access-list Inside_access_out extended permit tcp any any
access-list Inside_access_out extended permit udp any any
access-list Inside_access_out extended permit gre any any
access-list split_tunnel extended permit ip 172.31.0.0 255.255.248.0 126.0.0.0 255.0.0.0
access-list split_tunnel extended permit ip 172.31.0.0 255.255.248.0 192.168.*.0 255.255.255.0
access-list split_tunnel extended permit ip 172.31.0.0 255.255.248.0 192.168.*.0 255.255.255.0
access-list split_tunnel extended permit ip 172.31.0.0 255.255.248.0 192.168.*.0 255.255.252.0
access-list DMZ_VPN extended permit ip 192.168.*.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list DMZ_VPN extended permit ip 192.168.*.0 255.255.255.0 172.31.3.0 255.255.255.0
access-list HOSTING_VPN extended permit ip 192.168.*.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list HOSTING_VPN extended permit ip 192.168.*.0 255.255.255.0 172.31.2.0 255.255.255.0
access-list INSIDE_VPN extended permit ip 192.168.*.0 255.255.252.0 172.31.3.0 255.255.255.0
access-list INSIDE_VPN extended permit ip 192.168.*.0 255.255.252.0 172.31.1.0 255.255.255.0
access-list ICMPACL extended permit icmp any any
access-list DMZ_access_out extended permit icmp any any
access-list DMZ_access_out extended permit tcp any any
access-list DMZ_access_out extended permit udp any any
access-list DMZ_access_out extended permit icmp any any echo-reply
access-list DMZ_access_out extended permit icmp any any echo
access-list DMZ_access_out extended permit icmp any any information-request
access-list DMZ_access_out extended permit icmp any any information-reply
access-list Hosting_access_out extended permit icmp any any
access-list Hosting_access_out extended permit tcp any any
access-list Hosting_access_out extended permit udp any any
access-list MNAWAN_VPN extended permit ip 126.0.0.0 255.0.0.0 172.31.1.0 255.255.255.0
access-list MNAWAN_in extended deny tcp any 192.168.*.0 255.255.252.0
access-list MNAWAN_in extended deny udp any 192.168.*.0 255.255.252.0
access-list MNAWAN_in extended permit icmp any any
access-list MNAWAN_in extended permit tcp any any
access-list MNAWAN_in extended permit udp any any
pager lines 24
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu DMZ 1500
mtu Hosting 1500
mtu MNAWAN 1500
ip local pool aaa-pool 172.31.3.1-172.31.3.255
ip local pool bbb-pool 172.31.2.1-172.31.2.255
ip local pool ccc-pool 172.31.1.1-172.31.1.5
failover
failover lan unit primary
failover lan interface FailOverInt Ethernet5
failover lan enable
failover polltime unit 5 holdtime 15
failover polltime interface 5
failover replication http
failover mac address Ethernet0 0003.6bf6.6ff8 0003.6bf6.925f
failover mac address Ethernet1 0003.6bf6.6ff9 0003.6bf6.9260
failover mac address Ethernet2 00e0.b603.5fa4 00e0.b606.1b83
failover mac address Ethernet3 00e0.b603.5fa3 00e0.b606.1b82
failover mac address Ethernet4 00e0.b603.5fa2 00e0.b606.1b81
failover link FailOverInt Ethernet5
failover interface ip FailOverInt 192.168.4.1 255.255.255.252 standby 192.168.4.2
monitor-interface Outside
monitor-interface inside
monitor-interface DMZ
monitor-interface Hosting
icmp permit any Outside
icmp permit any inside
icmp permit any DMZ
icmp permit any Hosting
icmp permit any MNAWAN
asdm image flash:/asdm-501.bin
asdm location 192.168.*.128 255.255.255.128 DMZ
asdm location 192.168.*.128 255.255.255.128 Hosting
asdm location 192.168.*.12 255.255.255.255 DMZ
asdm location 192.168.*.18 255.255.255.255 DMZ
asdm location 192.168.*.10 255.255.255.255 DMZ
asdm group DMZ_WebHosts DMZ
asdm group Outside_WebHosts Outside
asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 *.*.*.9
global (Outside) 2 *.*.*.8
global (Outside) 3 *.*.*.7
global (Outside) 4 *.*.*.6
nat (inside) 0 access-list INSIDE_VPN
nat (inside) 1 192.168.*.0 255.255.252.0
nat (DMZ) 0 access-list DMZ_VPN
nat (DMZ) 2 192.168.*.0 255.255.255.0
nat (Hosting) 0 access-list HOSTING_VPN
nat (Hosting) 3 192.168.*.0 255.255.255.0
nat (MNAWAN) 0 access-list MNAWAN_VPN
nat (MNAWAN) 4 126.0.0.0 255.0.0.0
static (DMZ,Outside) *.*.*.15 192.168.*.15 netmask 255.255.255.255
static (DMZ,Outside) *.*.*.18 192.168.*.18 netmask 255.255.255.255
static (DMZ,Outside) *.*.*.19 192.168.*.19 netmask 255.255.255.255
static (DMZ,Outside) *.*.*.12 192.168.*.12 netmask 255.255.255.255
static (DMZ,Outside) *.*.*.13 192.168.*.13 netmask 255.255.255.255
static (DMZ,Outside) *.*.*.10 192.168.*.10 netmask 255.255.255.255
static (DMZ,Outside) *.*.*.21 192.168.*.21 netmask 255.255.255.255
static (Hosting,Outside) *.*.*.128 192.168.*.128 netmask 255.255.255.128
static (DMZ,Hosting) *.*.*.18 192.168.*.18 netmask 255.255.255.255
static (Hosting,inside) *.*.*.128 192.168.*.128 netmask 255.255.255.128
static (DMZ,inside) *.*.*.18 192.168.*.18 netmask 255.255.255.255
static (DMZ,inside) *.*.*.19 192.168.*.19 netmask 255.255.255.255
static (DMZ,inside) *.*.*.20 192.168.*.20 netmask 255.255.255.255
static (DMZ,inside) *.*.*.21 192.168.*.21 netmask 255.255.255.255
static (DMZ,inside) *.*.*.13 192.168.*.13 netmask 255.255.255.255
static (DMZ,inside) *.*.*.12 192.168.*.12 netmask 255.255.255.255
static (DMZ,inside) *.*.*.10 192.168.*.10 netmask 255.255.255.255
static (DMZ,inside) *.*.*.15 192.168.*.15 netmask 255.255.255.255
static (Outside,DMZ) *.*.*.40 192.168.*.40 netmask 255.255.255.255
static (DMZ,Outside) *.*.*.66 192.168.*.66 netmask 255.255.255.255
static (DMZ,Outside) *.*.*.67 192.168.*.67 netmask 255.255.255.255
static (inside,Hosting) 192.168.*.0 192.168.*.0 netmask 255.255.252.0
static (inside,DMZ) 192.168.*.0 192.168.*.0 netmask 255.255.252.0
static (inside,Outside) *.*.*.34 192.168.*.98 netmask 255.255.255.255
static (inside,Outside) *.*.*.31 192.168.*.94 netmask 255.255.255.255
static (inside,Outside) *.*.*.33 192.168.*.95 netmask 255.255.255.255
static (inside,Outside) *.*.*.32 192.168.*.96 netmask 255.255.255.255
static (inside,MNAWAN) 192.168.*.0 192.168.*.0 netmask 255.255.252.0
static (MNAWAN,Hosting) 126.0.0.0 126.0.0.0 netmask 255.0.0.0
static (Hosting,MNAWAN) *.*.*.128 192.168.*.128 netmask 255.255.255.128
access-group Outside_access_in in interface Outside
access-group Inside_access_out in interface inside
access-group DMZ_access_out in interface DMZ
access-group Hosting_access_out in interface Hosting
access-group MNAWAN_in in interface MNAWAN
rip Outside passive version 1
route Outside 0.0.0.0 0.0.0.0 *.*.*.1 1
route MNAWAN *.1.0.0 255.255.0.0 *.5.0.1 1
route MNAWAN *.0.0.0 255.0.0.0 *.5.0.1 1
route MNAWAN *.0.0.0 255.0.0.0 *.5.0.1 1
route MNAWAN *.0.0.0 255.0.0.0 *.5.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:02:00
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server AAA-Server protocol radius
aaa-server AAA-Server host 192.168.*.200
key ######
group-policy aaa-access internal
group-policy aaa-access attributes
dns-server value 192.168.*.202 192.168.*.204
password-storage enable
ip-comp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value internal.******.com
group-policy bbb internal
group-policy bbb attributes
dns-server value 192.168.*.202 192.168.*.204
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value internal.******.com
group-policy ccc internal
group-policy ccc attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value ******.com
aaa authentication ssh console AAA-Server
http server enable
snmp-server host DMZ 192.168.*.18 community *****
snmp-server enable traps snmp
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map inside_dyn_map 20 match address inside_cryptomap_dyn_20
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface Outside
crypto map inside_map interface inside
isakmp enable Outside
isakmp enable inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet 192.168.*.0 255.255.252.0 inside
telnet *.0.0.0 255.0.0.0 MNAWAN
telnet *.0.0.0 255.0.0.0 MNAWAN
telnet *.0.0.0 255.0.0.0 MNAWAN
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 192.168.*.0 255.255.252.0 inside
ssh *.0.0.0 255.0.0.0 MNAWAN
ssh *.0.0.0 255.0.0.0 MNAWAN
ssh *.0.0.0 255.0.0.0 MNAWAN
ssh timeout 60
ssh version 2
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
tunnel-group aaa type ipsec-ra
tunnel-group aaa general-attributes
address-pool aaa-pool
authentication-server-group AAA-Server
default-group-policy aaa
tunnel-group aaa ipsec-attributes
pre-shared-key *
tunnel-group bbb-access type ipsec-ra
tunnel-group bbb-access general-attributes
address-pool bbb-pool
authentication-server-group AAA-Server
default-group-policy bbb-access
tunnel-group full-access ipsec-attributes
pre-shared-key *
tunnel-group ccc type ipsec-ra
tunnel-group ccc general-attributes
address-pool ccc-pool
authentication-server-group AAA-Server
default-group-policy ccc
tunnel-group ccc ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
class-map ICMP-CLASS
match access-list ICMPACL
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect icmp
inspect icmp error
!
service-policy global_policy global
ntp server 194.*.*.* source Outside prefer
tftp-server inside 192.168.*.98 /pixcfg.wri
: end
Any suggestions are most welcome
 
Hello,

We have the same version and it works fine. Just verify you accept aggressive mode (I don't know why, but the Cisco VPN client uses aggressive mode).
(I didn't check all of your config, but it can be this ;)

PIX 501/515
ASA 5510
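The reply above points at IKE aggressive mode. On PIX 7.0/7.1 the knob is `isakmp am-disable` (`crypto isakmp am-disable` from 7.2 onward): the Cisco VPN Client, when it authenticates with a group name and pre-shared key, negotiates IKE phase 1 in aggressive mode, so a PIX that has it disabled never gets past phase 1 with that client. The redacted config in the post also has tunnel-group and group-policy names that do not line up (`default-group-policy aaa` with only `group-policy aaa-access` defined, `default-group-policy bbb-access` with only `group-policy bbb`, and a `tunnel-group full-access ipsec-attributes` block for a tunnel-group that is never declared); those may be redaction artifacts, but they are exactly the kind of thing to verify on the box after an image change. The linter below is an added example written for this page, not code from the original post or from Cisco: it parses a PIX 7.x-style running-config and reports the remote-access prerequisites a practitioner checks first. `SAMPLE_CONFIG` is a constructed excerpt modelled on the post, with `isakmp am-disable` added to show the reply's suspicion; interface, pool and group names in it are assumptions, not the poster's real values.

```python
"""Lint a PIX 7.x running-config for Cisco VPN Client (ipsec-ra) prerequisites."""

# Constructed excerpt modelled on the post (not the poster's real config).
# It deliberately carries the name mismatches and an 'isakmp am-disable'.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif Outside
 security-level 0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface Outside
isakmp enable Outside
isakmp am-disable
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
ip local pool aaa-pool 172.31.3.1-172.31.3.255
group-policy aaa-access internal
group-policy bbb internal
tunnel-group aaa type ipsec-ra
tunnel-group aaa general-attributes
 address-pool aaa-pool
 authentication-server-group AAA-Server
 default-group-policy aaa
tunnel-group aaa ipsec-attributes
 pre-shared-key *
tunnel-group bbb-access type ipsec-ra
tunnel-group bbb-access general-attributes
 address-pool bbb-pool
 default-group-policy bbb-access
tunnel-group full-access ipsec-attributes
 pre-shared-key *
ssh 0.0.0.0 0.0.0.0 Outside
"""

# Sub-commands that live inside a tunnel-group attributes section. Indentation is
# often lost when configs are pasted, so sections are tracked by keyword, not indent.
TG_SUBCMDS = ("address-pool", "default-group-policy", "pre-shared-key",
              "authentication-server-group")


def parse(config):
    """Collect the objects the checks need from a running-config text."""
    st = {"isakmp_ifaces": set(), "cryptomap_ifaces": set(), "am_disabled": False,
          "preshare_policy": False, "pools": set(), "group_policies": set(),
          "tunnel_groups": {}, "ssh_any": []}
    current = None  # tunnel-group dict whose attributes section we are inside
    for raw in config.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok or line.startswith(("!", ":")):
            continue
        if tok[0] == "tunnel-group" and len(tok) >= 3:
            tg = st["tunnel_groups"].setdefault(tok[1], {"declared": False})
            if tok[2] == "type" and len(tok) >= 4:
                tg["declared"], tg["type"] = True, tok[3]
                current = None
            else:                      # general-attributes / ipsec-attributes
                current = tg
            continue
        if current is not None and tok[0] in TG_SUBCMDS:
            current[tok[0]] = tok[1] if len(tok) > 1 else ""
            continue
        current = None                 # any other top-level command ends the section
        if tok[:2] == ["isakmp", "enable"] and len(tok) >= 3:
            st["isakmp_ifaces"].add(tok[2])
        elif line in ("isakmp am-disable", "crypto isakmp am-disable"):
            st["am_disabled"] = True
        elif tok[:2] == ["isakmp", "policy"] and tok[3:5] == ["authentication", "pre-share"]:
            st["preshare_policy"] = True
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5 and tok[3] == "interface":
            st["cryptomap_ifaces"].add(tok[4])
        elif tok[:3] == ["ip", "local", "pool"] and len(tok) >= 4:
            st["pools"].add(tok[3])
        elif tok[0] == "group-policy" and len(tok) >= 3 and tok[2] in ("internal", "external"):
            st["group_policies"].add(tok[1])
        elif tok[:3] == ["ssh", "0.0.0.0", "0.0.0.0"] and len(tok) >= 4:
            st["ssh_any"].append(tok[3])
    return st


def lint(config):
    """Return a list of human-readable findings; an empty list means no issue found."""
    st, out = parse(config), []
    if not st["cryptomap_ifaces"]:
        out.append("no crypto map is applied to any interface")
    for iface in sorted(st["cryptomap_ifaces"] - st["isakmp_ifaces"]):
        out.append(f"crypto map applied to {iface} but 'isakmp enable {iface}' is missing")
    if st["am_disabled"]:
        out.append("IKE aggressive mode is disabled; the Cisco VPN Client with a group "
                   "pre-shared key negotiates phase 1 in aggressive mode")
    if not st["preshare_policy"]:
        out.append("no isakmp policy uses 'authentication pre-share'")
    for name, tg in sorted(st["tunnel_groups"].items()):
        if not tg["declared"]:
            out.append(f"tunnel-group {name}: attributes set but no 'tunnel-group {name} type' line")
            continue
        if tg.get("type") != "ipsec-ra":
            continue
        pool = tg.get("address-pool")
        if not pool:
            out.append(f"tunnel-group {name}: no address-pool")
        elif pool not in st["pools"]:
            out.append(f"tunnel-group {name}: address-pool {pool} is not defined")
        gp = tg.get("default-group-policy")
        if gp and gp not in st["group_policies"]:
            out.append(f"tunnel-group {name}: default-group-policy {gp} is not defined")
        if "pre-shared-key" not in tg:
            out.append(f"tunnel-group {name}: no pre-shared-key, group-PSK clients cannot finish phase 1")
    for iface in st["ssh_any"]:
        out.append(f"ssh 0.0.0.0 0.0.0.0 {iface}: management SSH reachable from any source on {iface}")
    return out


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Feed it the output of `show running-config` (paste into a file and pass it to `lint`). The last check is outside the VPN question but belongs in any review of this config: `ssh 0.0.0.0 0.0.0.0 Outside` exposes the management plane to the whole Internet, and restricting it to known source addresses is a one-line change.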
 