Cisco Pix problemen

Beste Tweakers,

Ik ben al pozen aan het worstellen met eigenlijk twee (volgens mij) niet zulke moeilijke vragen, ik heb een Cisco pix 515E, software versie 7. De bedoeling is dat dit apparaat de tunnels op moet zetten naar andere routers/pix/ clients. De eerste twee gaan prima, ik kan de tunnels instellen en ze blijven goed. Als ik dit wil doen voor de VPN client dan blijf ik de melding krijgen: reason 412: the remote peer is no longer responding. Ik heb de firewall al eens uitgezet, het process van cisco in de exclusion lijst gezet maar ik kom er niet door.

In het logbestand van de client krijg ik het volgende te zien:

1 14:46:27.336 06/07/07 Sev=Info/4 CM/0x63100002
Begin connection process

2 14:46:27.342 06/07/07 Sev=Info/4 CM/0x63100004
Establish secure connection

3 14:46:27.342 06/07/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "82.94.31.134"

4 14:46:27.352 06/07/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 82.94.31.134.

5 14:46:27.368 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 82.94.31.134

6 14:46:28.073 06/07/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

7 14:46:28.073 06/07/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

8 14:46:32.579 06/07/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

9 14:46:32.579 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

10 14:46:37.583 06/07/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

11 14:46:37.584 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

12 14:46:42.595 06/07/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

13 14:46:42.595 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

14 14:46:47.601 06/07/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=797E9EB5B2FB9665 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

15 14:46:48.601 06/07/07 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=797E9EB5B2FB9665 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16 14:46:48.602 06/07/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "82.94.31.134" because of "DEL_REASON_PEER_NOT_RESPONDING"

17 14:46:48.602 06/07/07 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

18 14:46:48.638 06/07/07 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.

19 14:46:48.638 06/07/07 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

20 14:46:48.651 06/07/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

21 14:46:48.651 06/07/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

22 14:46:48.652 06/07/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

23 14:46:48.652 06/07/07 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

Vraag twee waar ik nogal gefrustreerd over aan het raken ben

Ik wil een tweetal poorten openzetten op het netwerk.

Zeg dat ik van mijn externe netwerk ip: 82.x.x.x op poort 1000 doorgelust wil worden naar 10.1.1.50 op poort 500 dat moet toch gewoon lukken?

Als ik hier een access policy voor instel via ASDM gebeurd er niets.

Ik hoop dat iemand me even een duwtje in de rug kan geven?

Gr,

Jeroen

paella schreef op donderdag 07 juni 2007 @ 15:51:
Vraag 2: hoe maak je die access rule, welke interfaces, etc,etc.

Vraag 1: hoe stel je die Remote Access VPN nu in?

Kortom, wat heb je aan instellingen geprobeerd?

Via ASDM: kies in de configuratie voor security policy -> add access rule.
Maak dan een permit regel incoming to scr. Source is dan mijn externe interface destination het internet ip adres van de server die ik wil bereiken.
Source port service 4000 destination 3389.

Wat betreft de software gebruik ik nu versie 5 van de VPN client, host inkloppen en naam en wachtwoord. daarna udp en tcp geprobeerd maar ik kom er niet doorheen.
Wat ik een beetje vreemd vind alleen is dat als ik de VPN wizzard in asdm start dan vraagt deze om een pre-shared key om client vpn's mogelijk te maken, maar ik kan helemaal geen pre-shared key in de software aangeven?


Config file pix:

ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
access-list Internet_nat0_inbound extended permit ip any 192.168.0.0 255.255.255.0
access-list Internet_cryptomap_20 extended permit ip any 192.168.0.0 255.255.255.0
access-list 222 extended permit ip 192.168.1.0 255.255.255.0 10.39.5.0 255.255.255.0
access-list 222 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 222 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 222 extended permit ip any 192.168.1.128 255.255.255.128
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list vpnclient_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.128 255.255.255.128
access-list outside_pnat_inbound extended permit tcp interface outside eq 4000 host 192.168.1.50 eq 3389
pager lines 24
logging trap emergencies
logging asdm informational
logging class auth trap emergencies
mtu outside 1500
mtu inside 1500
ip local pool VPNclientpool 192.168.1.175-192.168.1.225 mask 255.255.255.0
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 2 192.168.1.50
nat (outside) 0 access-list Internet_nat0_inbound outside
nat (inside) 0 access-list 222
nat (inside) 10 0.0.0.0 0.0.0.0
static (outside,inside) tcp interface 3389 access-list outside_pnat_inbound
route outside 0.0.0.0 0.0.0.0 82.94.31.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpnclient internal
group-policy vpnclient attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient_splitTunnelAcl
username sabra password 9zpQIMMxEQ2QXgFd encrypted privilege 15
username vpnclient password .PWl1PwAsJNfjW8u encrypted privilege 0
username vpntest password wdFWFxCzwfGC9u3W encrypted privilege 0
username jeroen password BsYrksOLbSlKLKIL encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.1.50 community public
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set Tunnel-ESPDES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map Internet_map 20 match address Internet_cryptomap_20
crypto map Internet_map 20 set peer 80.61.25.182
crypto map Internet_map 20 set transform-set ESP-DES-MD5
crypto map Forinternet 222 set peer 82.92.216.209
crypto map ForInternet 1 match address outside_cryptomap_1
crypto map ForInternet 1 set peer 212.129.136.247
crypto map ForInternet 1 set transform-set Tunnel-ESPDES-MD5
crypto map ForInternet 2 match address outside_cryptomap_2
crypto map ForInternet 2 set peer 80.61.25.182
crypto map ForInternet 2 set transform-set Tunnel-ESPDES-MD5
crypto map ForInternet 222 match address 222
crypto map ForInternet 222 set peer 82.92.216.209
crypto map ForInternet 222 set transform-set Tunnel-ESPDES-MD5
crypto map ForInternet 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map ForInternet interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption des
isakmp policy 22 hash md5
isakmp policy 22 group 1
isakmp policy 22 lifetime 28800
isakmp policy 42 authentication pre-share
isakmp policy 42 encryption des
isakmp policy 42 hash sha
isakmp policy 42 group 2
isakmp policy 42 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.50-192.168.1.254 inside
dhcpd dns 194.109.6.66 194.109.9.99
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
tunnel-group BIG type ipsec-l2l
tunnel-group BIG ipsec-attributes
pre-shared-key *
tunnel-group 82.92.216.209 type ipsec-l2l
tunnel-group 82.92.216.209 ipsec-attributes
pre-shared-key *
tunnel-group 212.129.136.247 type ipsec-l2l
tunnel-group 212.129.136.247 ipsec-attributes
pre-shared-key *
tunnel-group 80.61.25.182 type ipsec-l2l
tunnel-group 80.61.25.182 ipsec-attributes
pre-shared-key *
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
address-pool (inside) VPNclientpool
default-group-policy vpnclient
dhcp-server 192.168.1.1
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:4f22a3538e917429d4fb8eb321a9006c

[ Voor 3% gewijzigd door Verwijderd op 07-06-2007 16:25 ]