Question : Problem: PIX 515E Firewall with VPN Accelerator Card VPN Troubles
I have the following configuration setup on the PIX firewall in an attempt to create a VPN with a Windows 2000 domain for remote pc users so that they may access e-mail, files, ... etc.:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 36Te6gjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX-506-2
domain-name sjvpn.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list nonat permit ip 20.1.1.0 255.255.255.0 50.1.1.0 255.255.255.0
access-list l2tp permit udp host 171.68.9.57 any eq 1701
no pager
logging on
logging console debugging
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 171.68.9.57 255.255.255.0
ip address inside 20.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool l2tp 50.1.1.1-50.1.1.5
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 171.68.9.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 20.1.1.2 cisco timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-l2tp
no sysopt route dnat
crypto ipsec transform-set l2tp esp-des esp-md5-hmac
crypto ipsec transform-set l2tp mode transport
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dyna 20 match address l2tp
crypto dynamic-map dyna 20 set transform-set l2tp
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap client authentication RADIUS
crypto map mymap interface outside
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
ca identity hsvpn 20.1.1.2:/certsrv/mscep/mscep.dll
ca configure hsvpn ra 1 20 crloptional
telnet 171.68.9.0 255.255.255.0 inside
telnet 20.1.1.2 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
vpdn group l2tpipsec accept dialin l2tp
vpdn group l2tpipsec ppp authentication chap
vpdn group l2tpipsec ppp authentication mschap
vpdn group l2tpipsec client configuration address local l2tp
vpdn group l2tpipsec client configuration dns 20.1.1.250 20.1.1.251
vpdn group l2tpipsec client configuration wins 20.1.1.250
vpdn group l2tpipsec client authentication aaa RADIUS
vpdn group l2tpipsec client accounting RADIUS
vpdn group l2tpipsec l2tp tunnel hello 60
vpdn enable outside
terminal width 80
: end
[OK]
I am attempting to create the VPN through the PIX firewall to a Windows 2000 domain. I receive an error message when attempting to authenticate using:
ca authenticate hsvpn
The error message says "... = FAIL"
However, I have been able to authenticate before (I didn't receive the FAIL error message), but when I attempt to enroll the certificate
(ca enroll hsvpn)
from the Windows 2000 CA Enterprise Root server I receive the following error message that says that there is no root CA, use ca authenticate.
I have installed the Windows 2000 Server Resource Kit and I have verified that the Cisco Enrollment Protocol is installed by navigating to http://Host_Name/certsrv/mscep/mscep.dll and I get the fingerprint and challenge password.
Any ideas would be greatly appreciated. I am new to the Cisco PIX firewall, but I have been able to set it up such that inside users can browse the Internet and the outside world can access our e-mail and web servers fine. That configuration information is not shown since I reset the PIX to default settings to remove as many pieces from the puzzle as possible.
Windows 2000 server information:
DNS: 20.1.1.2
WINS: 20.1.1.2
DC: 20.1.1.2
20.1.1.2 is also the CA Root server and the server to which remote single users need to access through the VPN.
Thank you, Kevin
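The posted running-config pins the IKE and IPsec parameters to single DES, MD5 and DH group 1 and leaves the SNMP community at "public". The following is an added example, not code from the question or from Cisco: a small Python auditor that reads PIX 6.x config lines and flags those settings, using the relevant lines from the config above as its sample input. The rule set (which values count as weak, and that telnet from the outside interface is worth flagging) is the example's own assumption, not something the thread states.

```python
"""Audit PIX 6.x running-config lines for weak crypto and management settings.

Added example, not from the original post or from Cisco. The rules are
assumptions about what a reviewer would want flagged before exposing the
L2TP/IPsec service on the outside interface.
"""
import re

# Lines copied from the question's running-config (only the ones these
# checks look at; the rest of the config is not needed here).
SAMPLE_CONFIG = """\
snmp-server community public
crypto ipsec transform-set l2tp esp-des esp-md5-hmac
crypto ipsec transform-set l2tp mode transport
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet 171.68.9.0 255.255.255.0 inside
telnet 20.1.1.2 255.255.255.255 inside
ssh timeout 5
"""

# Each rule is (pattern, finding). Patterns are anchored at the start of the
# line so that "no snmp-server ..." does not match the "snmp-server ..." rule.
RULES = [
    (re.compile(r"^isakmp policy \d+ encryption des$"),
     "IKE policy uses single DES (56-bit); use 3des (or aes where supported)"),
    (re.compile(r"^isakmp policy \d+ hash md5$"),
     "IKE policy uses MD5; use sha"),
    (re.compile(r"^isakmp policy \d+ group 1$"),
     "IKE policy uses DH group 1 (768-bit); use group 2 or higher"),
    (re.compile(r"^crypto ipsec transform-set \S+ .*\besp-des\b"),
     "IPsec transform set uses single DES; use esp-3des (or esp-aes where supported)"),
    (re.compile(r"^crypto ipsec transform-set \S+ .*\besp-md5-hmac\b"),
     "IPsec transform set uses HMAC-MD5; use esp-sha-hmac"),
    (re.compile(r"^snmp-server community (public|private)$"),
     "SNMP community is a well-known default; change it or disable SNMP"),
    (re.compile(r"^telnet \S+ \S+ outside$"),
     "telnet management is permitted from the outside interface"),
]


def audit_config(config_text):
    """Return a list of (line_number, line, finding) for every rule that matches."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        for pattern, message in RULES:
            if pattern.search(line):
                findings.append((number, line, message))
    return findings


def summarize(findings):
    """Count findings per message so a report can group repeated issues."""
    counts = {}
    for _, _, message in findings:
        counts[message] = counts.get(message, 0) + 1
    return counts


if __name__ == "__main__":
    for number, line, message in audit_config(SAMPLE_CONFIG):
        print(f"line {number}: {line}\n    -> {message}")
```

Run against the sample it reports six findings: the SNMP community, both halves of the esp-des/esp-md5-hmac transform set, and the DES, MD5 and group 1 lines of ISAKMP policy 20. The two telnet lines are not flagged because they are restricted to the inside interface. Feeding it a full `write terminal` capture, one command per line, works the same way.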
Answer : Problem: PIX 515E Firewall with VPN Accelerator Card VPN Troubles
This can be a pretty drawn-out process to put in a forum, so what I'm going to do is give you the Cisco instructions here, and let me know if there is anything that you don't understand.
http://www.cisco.com/warp/public/110/pptppix.html
Meanwhile I will try to find the ones for the GUI management too.