Question : Problem: PIX 515E Firewall with VPN Accelerator Card VPN Troubles
I have the following configuration setup on the PIX firewall in an attempt to create a VPN with a Windows 2000 domain for remote pc users so that they may access e-mail, files, ... etc.:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 36Te6gjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX-506-2
domain-name sjvpn.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list nonat permit ip 20.1.1.0 255.255.255.0 50.1.1.0 255.255.255.0
access-list l2tp permit udp host 171.68.9.57 any eq 1701
no pager
logging on
logging console debugging
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 171.68.9.57 255.255.255.0
ip address inside 20.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool l2tp 50.1.1.1-50.1.1.5
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 171.68.9.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 20.1.1.2 cisco timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-l2tp
no sysopt route dnat
crypto ipsec transform-set l2tp esp-des esp-md5-hmac
crypto ipsec transform-set l2tp mode transport
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dyna 20 match address l2tp
crypto dynamic-map dyna 20 set transform-set l2tp
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap client authentication RADIUS
crypto map mymap interface outside
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
ca identity hsvpn 20.1.1.2:/certsrv/mscep/mscep.dll
ca configure hsvpn ra 1 20 crloptional
telnet 171.68.9.0 255.255.255.0 inside
telnet 20.1.1.2 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
vpdn group l2tpipsec accept dialin l2tp
vpdn group l2tpipsec ppp authentication chap
vpdn group l2tpipsec ppp authentication mschap
vpdn group l2tpipsec client configuration address local l2tp
vpdn group l2tpipsec client configuration dns 20.1.1.250 20.1.1.251
vpdn group l2tpipsec client configuration wins 20.1.1.250
vpdn group l2tpipsec client authentication aaa RADIUS
vpdn group l2tpipsec client accounting RADIUS
vpdn group l2tpipsec l2tp tunnel hello 60
vpdn enable outside
terminal width 80
: end
[OK]
I am attempting to create the VPN through the PIX firewall to a Windows 2000 domain. I receive an error message when attempting to authenticate using:
ca authenticate hsvpn
The error message says "... = FAIL"
However, I have been able to authenticate before (I didn't receive the FAIL error message), but when I attempt to enroll the certificate (ca enroll hsvpn) from the Windows 2000 CA Enterprise Root server I receive the following error message that says that there is no root CA, use ca authenticate.
I have installed the Windows 2000 Server Resource Kit and I have verified that the Cisco Enrollment Protocol is installed by navigating to http://Host_Name/certsrv/mscep/mscep.dll and I get the fingerprint and challenge password.
Any ideas would be greatly appreciated. I am new to the Cisco PIX firewall, but I have been able to set it up such that inside users can browse the Internet and the outside world can access our e-mail and web servers fine. That configuration information is not shown since I reset the PIX to default settings to remove as many pieces from the puzzle as possible.
Windows 2000 server information:
DNS: 20.1.1.2
WINS: 20.1.1.2
DC: 20.1.1.2
20.1.1.2 is also the CA Root server and the server to which remote single users need to access through the VPN.
Thank you,
Kevin
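The posted configuration chains several named objects together (crypto map to dynamic map to transform-set and access-list, vpdn group to local pool and aaa-server group, nat 0 to its access-list, isakmp rsa-sig to a ca identity), and a dangling or mismatched reference anywhere in that chain is a common reason a remote-access L2TP/IPsec setup fails silently. The following checker is an added example, not code from the thread and not a Cisco tool: it parses a PIX 6.x running-config, reports references to objects that are never defined, and runs a few sanity checks (the nat 0 exemption covering the address pool, the SCEP server sitting on a directly connected interface). PIX_CONFIG is a constructed excerpt modelled on the configuration in the question, and every function name is this example's own.

```python
"""Cross-reference checker for a PIX 6.x L2TP/IPsec remote-access config.
Added example; PIX_CONFIG is a constructed excerpt, function names are ours."""
import ipaddress
from collections import defaultdict

PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list nonat permit ip 20.1.1.0 255.255.255.0 50.1.1.0 255.255.255.0
access-list l2tp permit udp host 171.68.9.57 any eq 1701
ip address outside 171.68.9.57 255.255.255.0
ip address inside 20.1.1.1 255.255.255.0
ip local pool l2tp 50.1.1.1-50.1.1.5
nat (inside) 0 access-list nonat
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 20.1.1.2 cisco timeout 5
crypto ipsec transform-set l2tp esp-des esp-md5-hmac
crypto dynamic-map dyna 20 match address l2tp
crypto dynamic-map dyna 20 set transform-set l2tp
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap client authentication RADIUS
crypto map mymap interface outside
isakmp policy 20 authentication rsa-sig
ca identity hsvpn 20.1.1.2:/certsrv/mscep/mscep.dll
vpdn group l2tpipsec client configuration address local l2tp
vpdn group l2tpipsec client authentication aaa RADIUS
"""


def parse_config(text):
    """Collect object definitions and the references made between them."""
    d = {"acl": set(), "tset": set(), "dynmap": set(), "pool": {},
         "acl_dst": defaultdict(list), "aaa_hosts": defaultdict(list),
         "iface": {}, "ca": {}, "nat0": [], "rsa_sig": False,
         "refs": []}  # refs: (kind, name, config line that references it)
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            d["acl"].add(t[1])
            # only the plain "permit ip <net> <mask> <net> <mask>" form is parsed
            if t[2:4] == ["permit", "ip"] and len(t) == 8 and "host" not in t and "any" not in t:
                d["acl_dst"][t[1]].append(ipaddress.ip_network(f"{t[6]}/{t[7]}", strict=False))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tset"].add(t[3])
        elif t[:2] == ["crypto", "dynamic-map"]:
            d["dynmap"].add(t[2])
            if t[4:6] == ["match", "address"]:
                d["refs"].append(("acl", t[6], line))
            elif t[4:6] == ["set", "transform-set"]:
                d["refs"].append(("tset", t[6], line))
        elif t[:2] == ["crypto", "map"]:
            if "dynamic" in t:
                d["refs"].append(("dynmap", t[t.index("dynamic") + 1], line))
            if t[3:5] == ["client", "authentication"]:
                d["refs"].append(("aaa", t[5], line))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            d["pool"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:2] == ["ip", "address"]:
            d["iface"][t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "aaa-server" and "host" in t:
            d["aaa_hosts"][t[1]].append(t[t.index("host") + 1])
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            d["refs"].append(("acl", t[4], line))
            d["nat0"].append(t[4])
        elif t[:2] == ["ca", "identity"]:
            d["ca"][t[2]] = t[3]
        elif t[:2] == ["isakmp", "policy"] and t[3:5] == ["authentication", "rsa-sig"]:
            d["rsa_sig"] = True
        elif t[:2] == ["vpdn", "group"]:
            if t[3:7] == ["client", "configuration", "address", "local"]:
                d["refs"].append(("pool", t[7], line))
            elif t[3:6] == ["client", "authentication", "aaa"]:
                d["refs"].append(("aaa", t[6], line))
    return d


def check_config(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_config(text)
    # an aaa-server group is usable only if at least one host line names a server
    defined = {"acl": d["acl"], "tset": d["tset"], "dynmap": d["dynmap"],
               "pool": set(d["pool"]), "aaa": set(d["aaa_hosts"])}
    findings = [f"undefined {kind} '{name}' referenced by: {line}"
                for kind, name, line in d["refs"] if name not in defined[kind]]
    # traffic between inside hosts and the pool must be exempt from translation
    for acl in d["nat0"]:
        for pool, (lo, hi) in d["pool"].items():
            if not any(lo in net and hi in net for net in d["acl_dst"][acl]):
                findings.append(f"nat 0 access-list '{acl}' does not cover pool '{pool}' ({lo}-{hi})")
    # the SCEP server in "ca identity" should sit on a directly connected interface
    for name, url in d["ca"].items():
        host = url.split(":")[0]
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"ca identity '{name}': host '{host}' is a name, cannot check offline")
            continue
        if not any(addr in net for net in d["iface"].values()):
            findings.append(f"ca identity '{name}': CA host {addr} is not on a directly connected interface")
    if d["rsa_sig"] and not d["ca"]:
        findings.append("isakmp policy uses rsa-sig but no 'ca identity' is configured")
    return findings


if __name__ == "__main__":
    for f in check_config(PIX_CONFIG) or ["no findings: every reference resolves"]:
        print(f)
```

Run against the excerpt as posted it reports nothing, which narrows the problem to the CA side (the `ca authenticate` exchange itself) rather than to the IPsec or vpdn object chain; renaming a transform-set, moving the pool outside the nat 0 exemption, or pointing `ca identity` at a host that is not on a connected subnet each produces a single finding naming the offending line.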
Answer : Problem: PIX 515E Firewall with VPN Accelerator Card VPN Troubles
This can be a pretty drawn out process to put in a forum, so what I'm going to do is give you the Cisco instructions here, and let me know if there is anything that you don't understand.
http://www.cisco.com/warp/public/110/pptppix.html
Meanwhile I will try to find the ones for the GUI management too.