PIX Configuration Assistance

I'm a novice to configuring PIX devices so I'm seeking some help from others.

I need to establish a remote VPN connection into my Windows Active Directory domain. I've configured my PIX 515e similar to another PIX that is working fine. I didn't get any errors when doing the configuration but when I try to connect with my VPN Client I get a user authentication error.

Here are the details of my equipment:

PIX 515e v6.3(5)
Connecting from Windows 7 computer with Cisco VPN Client

When I connect using the client I enter my Windows user name and password but it fails with a "Reason 413: User Authentication Failed". My log shows the following error:

Cisco Systems VPN Client Version
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600

295    20:32:19.287  11/07/09  Sev=Info/4    CM/0x63100002
Begin connection process

296    20:32:19.287  11/07/09  Sev=Info/4    CM/0x63100004
Establish secure connection

297    20:32:19.287  11/07/09  Sev=Info/4    CM/0x63100024
Attempt connection with server "209.128.xx.xxx"

298    20:32:19.287  11/07/09  Sev=Info/6    IKE/0x6300003B
Attempting to establish a connection with 209.128.xx.xxx.

299    20:32:19.302  11/07/09  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 209.128.xx.xxx

300    20:32:19.443  11/07/09  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 209.128.xx.xxx

301    20:32:19.443  11/07/09  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from 209.128.xx.xxx

302    20:32:19.443  11/07/09  Sev=Info/5    IKE/0x63000001
Peer supports XAUTH

303    20:32:19.443  11/07/09  Sev=Info/5    IKE/0x63000001
Peer supports DPD

304    20:32:19.443  11/07/09  Sev=Info/5    IKE/0x63000001
Peer is a Cisco-Unity compliant peer

305    20:32:19.443  11/07/09  Sev=Info/5    IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5

306    20:32:19.443  11/07/09  Sev=Info/5    IKE/0x63000001
Peer supports NAT-T

307    20:32:19.443  11/07/09  Sev=Info/6    IKE/0x63000001
IOS Vendor ID Contruction successful

308    20:32:19.443  11/07/09  Sev=Info/4    IKE/0x63000013

309    20:32:19.443  11/07/09  Sev=Info/6    IKE/0x63000055
Sent a keepalive on the IPSec SA

310    20:32:19.443  11/07/09  Sev=Info/4    IKE/0x63000083
IKE Port in use - Local Port =  0xD310, Remote Port = 0x1194

311    20:32:19.443  11/07/09  Sev=Info/5    IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

312    20:32:19.443  11/07/09  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

313    20:32:19.474  11/07/09  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 209.128.xx.xxx

314    20:32:19.474  11/07/09  Sev=Info/4    IKE/0x63000014

315    20:32:19.474  11/07/09  Sev=Info/5    IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

316    20:32:19.474  11/07/09  Sev=Info/5    IKE/0x63000047
This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now

317    20:32:19.474  11/07/09  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 209.128.xx.xxx

318    20:32:19.474  11/07/09  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 209.128.xx.xxx

319    20:32:19.474  11/07/09  Sev=Info/4    CM/0x63100015
Launch xAuth application

320    20:32:19.583  11/07/09  Sev=Info/4    IPSEC/0x63700008
IPSec driver successfully started

321    20:32:19.583  11/07/09  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

322    20:32:24.466  11/07/09  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 209.128.xx.xxx

323    20:32:24.466  11/07/09  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from 209.128.xx.xxx

324    20:32:29.255  11/07/09  Sev=Info/4    CM/0x63100017
xAuth application returned

325    20:32:29.255  11/07/09  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 209.128.xx.xxx

326    20:32:29.286  11/07/09  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 209.128.xx.xxx

327    20:32:29.286  11/07/09  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 209.128.xx.xxx

328    20:32:29.286  11/07/09  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 209.128.xx.xxx

329    20:32:29.286  11/07/09  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=DDFBCD1BEFD1DA0D R_Cookie=A425C1A3EA1F6A29) reason = DEL_REASON_WE_FAILED_AUTH

330    20:32:29.286  11/07/09  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 209.128.xx.xxx

331    20:32:29.848  11/07/09  Sev=Info/4    IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=DDFBCD1BEFD1DA0D R_Cookie=A425C1A3EA1F6A29) reason = DEL_REASON_WE_FAILED_AUTH

332    20:32:29.848  11/07/09  Sev=Info/4    CM/0x63100014
Unable to establish Phase 1 SA with server "209.128.xx.xxx" because of "DEL_REASON_WE_FAILED_AUTH"

333    20:32:29.879  11/07/09  Sev=Info/5    CM/0x63100025
Initializing CVPNDrv

334    20:32:29.895  11/07/09  Sev=Info/6    CM/0x63100046
Set tunnel established flag in registry to 0.

335    20:32:29.895  11/07/09  Sev=Info/4    IKE/0x63000001
IKE received signal to terminate VPN connection

336    20:32:30.369  11/07/09  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

337    20:32:30.369  11/07/09  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

338    20:32:30.369  11/07/09  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

339    20:32:30.369  11/07/09  Sev=Info/4    IPSEC/0x6370000A
IPSec driver successfully stopped

Here is the config of my PIX 515E:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password r31ME0CIhiUS4m2Q encrypted
passwd r31ME0CIhiUS4m2Q encrypted
hostname dwr-10405-515e
domain-name my-domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 101 permit ip
access-list 101 permit ip any
access-list outside_cryptomap_dyn_50 permit ip any
access-list outbound permit ip any any
access-list split permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 209.128.xx.xxx
ip address inside
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0 0
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server radius protocol radius
aaa-server radius max-failed-attempts 3
aaa-server radius deadtime 10
aaa-server radius (inside) host xxxxxxxxxx timeout 10
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 50 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication radius
crypto map mymap interface outside
isakmp enable outside
isakmp client configuration address-pool local mypool outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remotevpn address-pool mypool
vpngroup remotevpn dns-server
vpngroup remotevpn wins-server
vpngroup remotevpn default-domain my-domain.com
vpngroup remotevpn split-tunnel split
vpngroup remotevpn idle-time 1800
vpngroup remotevpn password ********
telnet timeout 5
ssh outside
ssh inside
ssh intf2
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username widget password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80

If anyone could help me out or provide any suggestions I would be very appreciative.

Thank you.
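Added example, not code from the original post: a small Python triage script that parses the two-line Cisco VPN Client log entries quoted above and reports how far the exchange got (Phase 1 SA, Xauth prompt, deletion reason), so a "413" can be placed either before Phase 1 (group name or pre-shared key) or at the Xauth step (the credentials the PIX sent to its AAA server). The sample entries are abridged from the post's own log; the stage labels are mine.

```python
import re

# Constructed sample: five entries abridged from the Cisco VPN Client log quoted in the post.
SAMPLE_LOG = """\
312    20:32:19.443  11/07/09  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

319    20:32:19.474  11/07/09  Sev=Info/4    CM/0x63100015
Launch xAuth application

324    20:32:29.255  11/07/09  Sev=Info/4    CM/0x63100017
xAuth application returned

329    20:32:29.286  11/07/09  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=DDFBCD1BEFD1DA0D R_Cookie=A425C1A3EA1F6A29) reason = DEL_REASON_WE_FAILED_AUTH

332    20:32:29.848  11/07/09  Sev=Info/4    CM/0x63100014
Unable to establish Phase 1 SA with server "209.128.xx.xxx" because of "DEL_REASON_WE_FAILED_AUTH"
"""

# Header line carries sequence, time, date, severity and module/code; the message is on the next line.
HEADER = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/0x([0-9A-Fa-f]+)\s*$")

def parse_entries(text):
    """One dict per two-line entry: seq, module, hex code and message text."""
    lines, entries = text.splitlines(), []
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if m:
            msg = lines[i + 1].strip() if i + 1 < len(lines) else ""
            entries.append({"seq": int(m.group(1)), "module": m.group(6),
                            "code": m.group(7), "msg": msg})
    return entries

def triage(text):
    """Work out how far the IKE/Xauth exchange got before the client gave up."""
    msgs = [e["msg"] for e in parse_entries(text)]
    phase1 = any(m.startswith("Established Phase 1 SA") for m in msgs)
    xauth_returned = "xAuth application returned" in msgs
    found = [re.search(r"reason = (\w+)", m) for m in msgs]
    reason = next((f.group(1) for f in found if f), None)
    if not phase1:
        stage = "phase1_failed"   # group name / pre-shared key or IKE proposal mismatch
    elif xauth_returned and reason == "DEL_REASON_WE_FAILED_AUTH":
        stage = "xauth_rejected"  # user credentials refused after the PIX asked its AAA server
    else:
        stage = "other" if reason else "no_failure_logged"
    return {"phase1": phase1, "xauth_returned": xauth_returned,
            "reason": reason, "stage": stage}
```

Run it on a full saved client log; a result of `xauth_rejected` with `phase1` true points at the RADIUS/IAS side rather than the group password.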
RE: PIX Configuration Assistance

Do you have IAS installed on your AD box?
