Firewall Wizards mailing list archives
Re: user authentication filed
From: Prabhu Gurumurthy <pgurumu () gmail com>
Date: Thu, 08 Jun 2006 08:33:23 -0700
When you say VPN Client, which VPN client: Cisco VPN client or anything else? In cases like these, it will also be better if you log everything from the client side and PIX side and mail the client-side logs. Do not send PIX logs, as they tend to be verbose and sifting through them is not easy, unless you can sift for us.
Your VPN configuration on PIX 506E seems to be fine, but when you say VPN client, is it just one or many? How many users use it?
I had a similar problem when I (and many users) ran the VPN client behind a $10 Netgear router; when I switched it behind a Linksys WRT54G, the problem disappeared. The theory is that PIX + Netgear has some problems wrt remote access VPN, but not everyone can substantiate this.
Unless you can provide more logs than just the PIX configuration, it is anybody's guess.
Hope this helps. Prabhu

--- Kana Pathi wrote:
We have a Windows 2003 domain and PIX 506E. Tried to use VPN client and get "connection terminated locally" and "user authentication failed" error. It keeps asking for user name and password. I would appreciate if you could correct my setup. Thank you in advance.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********* encrypted
passwd ************** encrypted
hostname PIX
domain-name abc.com
no fixup protocol dns
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list VPNACL permit ip 10.0.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_acl permit icmp any any
access-list outside_acl permit tcp any host *.*.*.* eq www
access-list outside_acl permit tcp any host *.*.*.* eq pop3
access-list outside_acl permit tcp any host *.*.*.* eq imap4
access-list outside_acl permit tcp any host *.*.*.* eq 3389
access-list outside_acl permit tcp any host *.*.*.* eq 5900
access-list outside_acl permit tcp any host *.*.*.* eq 3389
access-list outside_acl permit tcp any host *.*.*.* eq 5900
access-list outside_acl permit tcp any host *.*.*.* eq 3389
access-list outside_acl permit tcp any host *.*.*.* eq 5900
access-list outside_acl permit tcp any host *.*.*.* eq smtp
access-list outside_acl permit tcp any host *.*.*.* eq ftp
access-list outside_acl permit tcp any host *.*.*.* eq ftp-data
access-list outside_acl permit tcp host *.*.*.* host D.E.F.G eq ftp
access-list outside_acl permit tcp host *.*.*.* host D.E.F.G eq ftp-data
access-list outside_acl permit tcp any host *.*.*.* eq smtp
access-list outside_acl permit tcp any host *.*.*.* eq 5901
pager lines 24
icmp permit any echo-reply outside
icmp permit any echo outside
mtu outside 1500
mtu inside 1500
ip address outside A.B.C.D 255.255.255.240
ip address inside 10.0.50.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool TCTank 172.16.1.1-172.16.1.50
pdm location 10.0.50.0 255.255.255.255 inside
pdm location 172.16.1.0 255.255.255.0 outside
pdm location 10.0.50.2 255.255.255.255 inside
pdm location 10.0.50.3 255.255.255.255 inside
pdm location 10.0.50.5 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPNACL
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp *.*.*.* smtp 10.0.50.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp *.*.*.* 3389 10.0.50.6 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp *.*.*.* 5900 10.0.50.52 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp *.*.*.* 5901 10.0.50.52 5901 netmask 255.255.255.255 0 0
static (inside,outside) *.*.*.* 10.0.50.5 netmask 255.255.255.255 0 0
static (inside,outside) *.*.*.* 10.0.50.4 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 E.F.G.H 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server TCRADIUS protocol radius
aaa-server TCRADIUS max-failed-attempts 3
aaa-server TCRADIUS deadtime 10
aaa-server TCRADIUS (inside) host 10.0.50.5 abc timeout 10
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set TCDES esp-des esp-md5-hmac
crypto dynamic-map TCDYN 10 set transform-set TCDES
crypto map TCDES 10 ipsec-isakmp dynamic TCDYN
crypto map TCDES client authentication TCRADIUS
crypto map TCDES interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup address idle-time 1800
vpngroup abc address-pool TCTank
vpngroup abc dns-server 10.0.50.2 10.0.50.5
vpngroup abc wins-server 10.0.50.2 10.0.50.5
vpngroup abc default-domain abc.com
vpngroup abc split-tunnel VPNACL
vpngroup abc idle-time 1800
vpngroup abc password ********
telnet 10.0.50.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 25
console timeout 0
vpdn group VPN accept dialin pptp
vpdn group VPN ppp authentication mschap
vpdn group VPN ppp encryption mppe 40 required
vpdn group VPN client configuration address local TCTank
vpdn group VPN client configuration dns 10.0.50.2 10.0.50.5
vpdn group VPN client configuration wins 10.0.50.2 10.0.50.5
vpdn group VPN client authentication aaa TCRADIUS
vpdn group VPN pptp echo 60
vpdn enable outside
terminal width 80
Cryptochecksum:e0053be5cab6037a7d195************
: end
[OK]
PIX(config)#

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
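An added consistency check (example code written for this archive page, not from the thread or from Cisco): it collects the object names a PIX 6.3 remote-access VPN config has to tie together (the aaa-server group on the XAUTH line, its host entry, and the vpngroup's address pool and split-tunnel ACL) and reports dangling references; the sample config is a constructed excerpt that reuses the names from the post.

```python
# Constructed PIX 6.3 excerpt modelled on the posted config; the object names
# (TCRADIUS, TCTank, VPNACL, abc) are the ones that appear in the thread.
PIX_CONFIG = """\
access-list VPNACL permit ip 10.0.50.0 255.255.255.0 172.16.1.0 255.255.255.0
ip local pool TCTank 172.16.1.1-172.16.1.50
aaa-server TCRADIUS protocol radius
aaa-server TCRADIUS (inside) host 10.0.50.5 abc timeout 10
crypto map TCDES client authentication TCRADIUS
vpngroup abc address-pool TCTank
vpngroup abc split-tunnel VPNACL
"""

def parse(config):
    """Collect the names a PIX 6.3 remote-access VPN config must tie together."""
    f = {"acls": set(), "pools": set(), "groups": set(), "hosts": set(),
         "xauth": None, "vpngroups": {}}
    for t in (l.split() for l in config.splitlines() if l.strip()):
        if t[0] == "access-list":
            f["acls"].add(t[1])
        elif t[:3] == ["ip", "local", "pool"]:
            f["pools"].add(t[3])
        elif t[0] == "aaa-server" and "protocol" in t:
            f["groups"].add(t[1])                 # group is declared
        elif t[0] == "aaa-server" and "host" in t:
            f["hosts"].add(t[1])                  # group has at least one server
        elif t[:2] == ["crypto", "map"] and t[3:5] == ["client", "authentication"]:
            f["xauth"] = t[5]                     # XAUTH sends logins to this group
        elif t[0] == "vpngroup" and len(t) >= 4:
            f["vpngroups"].setdefault(t[1], {})[t[2]] = t[3]
    return f

def lint(config):
    """Return findings; an empty list means the XAUTH/pool/ACL references line up."""
    f, out = parse(config), []
    g = f["xauth"]
    if g is None:
        out.append("no 'crypto map ... client authentication': XAUTH is not enabled")
    elif g not in f["groups"]:
        out.append(f"XAUTH points at undefined aaa-server group {g}")
    elif g not in f["hosts"]:
        out.append(f"aaa-server group {g} has no host: every login will fail")
    for name, a in f["vpngroups"].items():
        if a.get("address-pool") not in f["pools"]:
            out.append(f"vpngroup {name}: address-pool {a.get('address-pool')} undefined")
        if a.get("split-tunnel") and a["split-tunnel"] not in f["acls"]:
            out.append(f"vpngroup {name}: split-tunnel ACL {a['split-tunnel']} undefined")
    return out
```

A config whose references check out can still fail at the RADIUS server itself, so this does not replace the client-side and PIX logs Prabhu asks for.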
Current thread:
- user authentication filed Kana Pathi (Jun 08)
- Re: user authentication filed Prabhu Gurumurthy (Jun 08)
- Re: user authentication filed PaulM (Jun 09)