
PIX VPN config not responding to client


hobbes80

MIS
Dec 2, 2004
47
US
I am trying to configure a VPN for remote users to access an internal NAT 10.10.0.0/20 network and can't even get the PIX to respond to the VPN client request.

Below is the config on the PIX. The PIX is passing traffic in and out of the network without issues. Access lists are working properly, NATting is fine; the only issue is that I cannot connect to the VPN. It gives me the error "Connection Terminated Locally, Reason 412, The remote peer is no longer responding."

It is assigned to the outside address; I thought I had opened everything. Here is the relevant portion of my PIX config... I can provide other things if necessary...

Any help would be great, they outsourced this being done and now I'm stuck with the remnants with only minor Cisco experience.

Thanks!!

Code:
access-list nonatvpn extended permit ip 199.107.65.64 255.255.255.192 any
access-list nonatvpn extended permit ip 10.10.0.0 255.255.240.0 172.16.1.0 255.255.255.0
ip local pool ippool 172.16.1.1-172.16.1.50
nat (inside) 0 access-list nonatvpn
!
interface DMZ
interface outside
!
!
interface inside
!
route outside 0.0.0.0 0.0.0.0 206.16.233.201 1
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
sysopt connection permit-ipsec
sysopt nodnsalias inbound
sysopt nodnsalias outbound
crypto ipsec transform-set clientset esp-3des esp-md5-hmac 
crypto dynamic-map dynmap 10 set transform-set clientset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup DS3remote address-pool ippool
vpngroup DS3remote dns-server 10.10.0.20             
vpngroup DS3remote default-domain ds3llc.local
vpngroup DS3remote idle-time 1800
vpngroup DS3remote password ********
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:f04e185df49814d112d1c6762e2d4e89
: end
 
Are you able to ping the PIX from the VPN client machine? I'd configure the command "isakmp identity address"; besides that, it looks fine to me as long as the local pool belongs to an unused subnet. If it is still not working I'd look at simultaneous logs on the VPN client and debugs at the PIX. On the PIX you need console access and the following debugs:

debug crypto ipsec
debug crypto isakmp

Be careful because debugs are CPU intensive so you might experience some issues.

On the VPN client you need to enable the log at the highest level (level 3) in order to see more details. Click on Log | Log Settings and set all options to High. Then click on Log again and click on Enable; if Disable is displayed, it means it is already enabled.
 
Yeah, I am able to ping the external IP address of the PIX. I also added the isakmp identity address and it still isn't working. I will take a look at the debug and see what it is saying...
 
Ran the debug and got the below (actually, a much longer version of the below). I am guessing that it means that the encryption level on the client needs to be set, but I am not certain...

Code:
FWSM/admin# crypto_isakmp_process_block: src TMG, dest 206.16.233.X
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:          attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:          attribute 3584
 
Never mind, it is working.
Our firewall junkie here in the office is doing bizarre port mapping and that is screwing it up.

Thanks for your help!!
 
Ok, spoke too soon.
I can connect, I get my 172.16.1.1 IP address, but I can't get to anything.
nothing on interface inside, nothing on dmz... can't ping, can't anything.
Do I need to setup a route from 172.16.1.0/24 to the networks I want to reach?
Or should I change the pool to be part of the range I want to talk to?

Thanks,
--Hobbes
 
Add the following command:

isakmp nat-traversal
 
Doesn't accept the command... not enough arguments
 
Do a show ver and tell me what software version is running on the PIX. The command is available on 6.3.X only.
 
ouch.... looks like this is more out of date than I thought. I'm going to have to do some more research before I start thinking about updating the software on this thing... I'm not even sure where to begin on that.

Code:
FWSM/admin# show ver

FWSM Firewall Version 2.2(1) <context>
FWSM Device Manager Version 4.0(1)

Compiled on Fri 07-May-04 12:32 by dalecki
 
ok.. by the looks of things, I should be able to just upgrade this by doing a copy tftp flash command.
However, how much downtime will occur and what is the risk of totally screwing myself?
Code:
FWSM/admin#  show ver

FWSM Firewall Version 2.2(1) <context>
FWSM Device Manager Version 4.0(1)

Compiled on Fri 07-May-04 12:32 by dalecki

FWSM up 36 days 23 hours

Hardware:   WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash  V1.01   SMART ATA FLASH DISK @ 0xc321, 20MB

0: gb-ethernet0: irq 5
1: gb-ethernet1: irq 7
2: ethernet0: irq 11

Licensed Features:
Failover:           Enabled
VPN-DES:            Enabled
VPN-3DES:           Enabled
Maximum Interfaces: 256 (per security context)
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Throughput:         Unlimited
ISAKMP peers:       Unlimited
Security Contexts:  20

This machine has an Unrestricted (UR) license.
 
You don't have a PIX per se; what you have is a Firewall Services Module (FWSM), and you are running the latest software version. This version supports all the features supported in PIX 6.0 and some features available on 6.3 code, but not all. It looks like NAT-T is not supported on FWSM 2.2(1), but I am not 100% sure.
 
That being said, what are my options for getting VPN to work properly? Basically I need remote access to my servers for RDP/NetBios/a few other things... I don't want to open it up to the world, there should be a way to set the VPN to exist on one of the networks, right?
Thanks again,
--Hobbes
 
Well, we still haven't pinpointed the cause of the problem. The debugs you provided don't say much. All they say is that the first two proposals have failed due to a policy mismatch; the line:

encryption... What? 7?

means the client is sending AES as the encryption algorithm and the FWSM doesn't recognize it. The client will send all possible combinations for the proposals until one is matched. Therefore you need to analyze the simultaneous debugs and VPN client logs at the highest level possible (level 3). The link below can help you figure them out:

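As an added example (not part of the thread or of any Cisco tooling), the following script parses "debug crypto isakmp" transform blocks like the ones posted above and compares each client proposal against the thread's "isakmp policy 10" settings, so you can see which attribute causes "atts are not acceptable". The sample output is constructed from the posted lines; transform 3 is an assumed 3DES/MD5 proposal added to show a match, and the algorithm id table reflects the IANA IKEv1 encryption registry (id 7 = AES-CBC).

```python
import re

# Constructed excerpt modelled on the "debug crypto isakmp" lines in the thread;
# transform 3 is an assumed proposal that does match the configured policy.
DEBUG_OUTPUT = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
"""

# IKEv1 Phase 1 encryption algorithm ids (IANA IPsec registry): 7 is AES-CBC.
IKE_ENC_IDS = {1: "des", 5: "3des", 7: "aes"}
# The "isakmp policy 10" lines from the thread's configuration.
POLICY = {"encryption": "3des", "hash": "md5", "group": "2"}

ATTR_RE = re.compile(
    r"(?:encryption(?:\.\.\. What\? (?P<encid>\d+)\?| (?P<enc>\S+))"
    r"|hash (?P<hash>\S+)|group (?P<group>\d+))")

def parse_transforms(text):
    """Return one {encryption, hash, group} dict per proposed transform."""
    transforms = []
    for line in text.splitlines():
        if "Checking ISAKMP transform" in line:
            transforms.append({})
        elif transforms and (m := ATTR_RE.search(line)):
            cur = transforms[-1]
            if m["encid"]:  # "What? 7?" = an id the FWSM cannot name
                cur["encryption"] = IKE_ENC_IDS.get(int(m["encid"]), "unknown")
            elif m["enc"]:
                cur["encryption"] = m["enc"].lower().replace("-cbc", "")
            elif m["hash"]:
                cur["hash"] = m["hash"].lower()
            else:
                cur["group"] = m["group"]
    return transforms

def mismatches(transform, policy=POLICY):
    """Attributes on which a proposal differs from the configured policy."""
    return [k for k in policy if transform.get(k) != policy[k]]
```

Running mismatches() over each parsed transform reports ["encryption", "hash"] for transform 1, ["encryption"] for transform 2 and an empty list for the assumed 3DES/MD5 proposal, which is the one the FWSM would accept.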
 
For the record:
Spent about 2 hours with Cisco on the line trying various things, only to get an e-mail back from one of the reps letting me know that the FWSM does not support VPN connectivity for anything other than management purposes and that a VPNSM is required for VPN access to inside network devices.

Thank you all for the help, I sure learned a lot and, someday, when I have a real firewall I'll be able to get the VPN working.

--Hobbes
 