- Posts: 37
- Thank you received: 0
PIX 506E VPN Problem - People getting booted off
- FiercePowahs
- Topic Author
- Offline
- Junior Member
-
Less
More
17 years 7 months ago #20895
by FiercePowahs
PIX 506E VPN Problem - People getting booted off was created by FiercePowahs
Hey,
I have a PIX506E that employees are connecting to remotely via VPN. My problem...
When two people are connected remotely and a third dials connects, one of the first two people get kicked off.
Here is my pertinent config:
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.1.160 255.255.255.240
ip local pool VPNPool 192.168.1.160-192.168.1.169 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.*.* ********** timeout 5
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set l2tp_tran esp-des esp-md5-hmac
crypto ipsec transform-set l2tp_tran mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set orlando esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto dynamic-map dyna 20 set transform-set l2tp_tran
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 65535 ipsec-isakmp dynamic dyna
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 3600
vpdn group FBCL2TPVPN accept dialin l2tp
vpdn group FBCL2TPVPN ppp authentication chap
vpdn group FBCL2TPVPN ppp authentication mschap
vpdn group FBCL2TPVPN client configuration address local VPNPool
vpdn group FBCL2TPVPN client configuration dns 192.168.*.*
vpdn group FBCL2TPVPN client authentication aaa RADIUS
vpdn group FBCL2TPVPN client accounting RADIUS
vpdn group FBCL2TPVPN l2tp tunnel hello 60
vpdn enable outside
So:
To prevent NAT for Remote VPN connections:
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.1.160 255.255.255.240
VPN Pool:
ip local pool VPNPool 192.168.1.160-192.168.1.169 mask 255.255.255.0
Authenticate via Radius Server:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.*.* ********** timeout 5
aaa-server LOCAL protocol local
Allow ipsec, pptp and l2tp connections:
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
Crypto map:
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set l2tp_tran esp-des esp-md5-hmac
crypto ipsec transform-set l2tp_tran mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set orlando esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto dynamic-map dyna 20 set transform-set l2tp_tran
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 65535 ipsec-isakmp dynamic dyna
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
Shared Key and policy:
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 3600
Radius information:
vpdn group FBCL2TPVPN accept dialin l2tp
vpdn group FBCL2TPVPN ppp authentication chap
vpdn group FBCL2TPVPN ppp authentication mschap
vpdn group FBCL2TPVPN client configuration address local VPNPool
vpdn group FBCL2TPVPN client configuration dns 192.168.*.*
vpdn group FBCL2TPVPN client authentication aaa RADIUS
vpdn group FBCL2TPVPN client accounting RADIUS
vpdn group FBCL2TPVPN l2tp tunnel hello 60
vpdn enable outside
I've gone over this a few times and still cannot figure out why its only allowing a few users to connect.
All 3 users that need to connect are connecting from one office location.
Any ideas?
I have a PIX506E that employees are connecting to remotely via VPN. My problem...
When two people are connected remotely and a third dials connects, one of the first two people get kicked off.
Here is my pertinent config:
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.1.160 255.255.255.240
ip local pool VPNPool 192.168.1.160-192.168.1.169 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.*.* ********** timeout 5
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set l2tp_tran esp-des esp-md5-hmac
crypto ipsec transform-set l2tp_tran mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set orlando esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto dynamic-map dyna 20 set transform-set l2tp_tran
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 65535 ipsec-isakmp dynamic dyna
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 3600
vpdn group FBCL2TPVPN accept dialin l2tp
vpdn group FBCL2TPVPN ppp authentication chap
vpdn group FBCL2TPVPN ppp authentication mschap
vpdn group FBCL2TPVPN client configuration address local VPNPool
vpdn group FBCL2TPVPN client configuration dns 192.168.*.*
vpdn group FBCL2TPVPN client authentication aaa RADIUS
vpdn group FBCL2TPVPN client accounting RADIUS
vpdn group FBCL2TPVPN l2tp tunnel hello 60
vpdn enable outside
So:
To prevent NAT for Remote VPN connections:
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.1.160 255.255.255.240
VPN Pool:
ip local pool VPNPool 192.168.1.160-192.168.1.169 mask 255.255.255.0
Authenticate via Radius Server:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.*.* ********** timeout 5
aaa-server LOCAL protocol local
Allow ipsec, pptp and l2tp connections:
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
Crypto map:
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set l2tp_tran esp-des esp-md5-hmac
crypto ipsec transform-set l2tp_tran mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set orlando esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto dynamic-map dyna 20 set transform-set l2tp_tran
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 65535 ipsec-isakmp dynamic dyna
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
Shared Key and policy:
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 3600
Radius information:
vpdn group FBCL2TPVPN accept dialin l2tp
vpdn group FBCL2TPVPN ppp authentication chap
vpdn group FBCL2TPVPN ppp authentication mschap
vpdn group FBCL2TPVPN client configuration address local VPNPool
vpdn group FBCL2TPVPN client configuration dns 192.168.*.*
vpdn group FBCL2TPVPN client authentication aaa RADIUS
vpdn group FBCL2TPVPN client accounting RADIUS
vpdn group FBCL2TPVPN l2tp tunnel hello 60
vpdn enable outside
I've gone over this a few times and still cannot figure out why its only allowing a few users to connect.
All 3 users that need to connect are connecting from one office location.
Any ideas?
Time to create page: 0.110 seconds