[c-nsp] PIX VPN Problem (39 messages in net.nether.puck.cisco-nsp)
Subject: [c-nsp] PIX VPN Problem
From: Paul Stewart (pau@nexicom.net)
Date: Jan 24, 2005 1:27:30 pm
List: net.nether.puck.cisco-nsp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for the replies. That did the trick...

Now, one final piece is allowing the client to browse the internal network (which I think is working - still have to get the WINS server running however)... but also reach the outside world.

I thought I had configured it as per below to allow both, but I can't reach our external DNS or even ping our core router...?

Thanks again for all your help... Paul

Koen Peetermans wrote:
| Hi Paul,
|
| Try using "username" instead of "vpdn username" for creating your local accounts.
|
| I think only pptp (and maybe L2tp) uses vpdn username, Ipsec remote access uses "username"
|
| Kind regards,
|
| Koen.
|
| -----Original Message-----
| From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
| Sent: Monday 24 January 2005 17:57
| To: cisco-nsp at puck.nether.net
| Subject: [c-nsp] PIX VPN Problem
|
| Hi there...
|
| I hope the list can help me out...:)
|
| I've got a 515E PIX box that I'm trying to get remote access VPN running to. Below is the config... what's happening is 413-user auth failed
|
| The config is setup to use local username/passwords and I've recreated my own login just to make sure the password is correct.. what am I missing here?
|
| Thanks,
|
| Paul
|
| PIX Version 6.3(4)
| interface ethernet0 100full
| interface ethernet1 100full
| interface ethernet2 auto shutdown
| nameif ethernet0 outside security0
| nameif ethernet1 inside security100
| nameif ethernet2 intf2 security10
| enable password XXXXXXXXXXXXXXX encrypted
| passwd XXXXXXXXXXXXXXXXX encrypted
| hostname fw
| domain-name XXX.NET
| clock timezone EST -5
| clock summer-time EDT recurring
| fixup protocol dns maximum-length 512
| fixup protocol ftp 21
| fixup protocol h323 h225 1720
| fixup protocol h323 ras 1718-1719
| no fixup protocol http 80
| fixup protocol ils 389
| fixup protocol rsh 514
| fixup protocol rtsp 554
| fixup protocol sip 5060
| fixup protocol sip udp 5060
| fixup protocol skinny 2000
| no fixup protocol smtp 25
| fixup protocol sqlnet 1521
| fixup protocol tftp 69
| names
| access-list compiled
| access-list 100 permit icmp any any echo-reply
| access-list 100 permit icmp any any time-exceeded
| access-list 100 permit icmp any any unreachable
| access-list 101 permit ip 192.192.61.0 255.255.255.0 10.1.1.0 255.255.255.0
| access-list 101 permit ip any 172.30.230.0 255.255.255.0
| access-list Nexicom_splitTunnelAcl permit ip any any
| access-list outside_cryptomap_dyn_20 permit ip any 172.30.230.0 255.255.255.0
| pager lines 24
| logging on
| logging trap warnings
| logging facility 23
| logging queue 0
| logging host outside XXX.XXX.XXX.XXX
| mtu outside 1500
| mtu inside 1500
| mtu intf2 1500
| ip address outside XXX.XXX.XXX.XXX 255.255.255.0
| ip address inside 192.192.61.224 255.255.255.0
| ip address intf2 127.0.0.1 255.255.255.255
| ip verify reverse-path interface outside
| ip audit info action alarm
| ip audit attack action alarm
| ip local pool VPN 172.30.230.1-172.30.230.254
| pdm history enable
| arp timeout 14400
| global (outside) 10 interface
| nat (inside) 0 access-list 101
| nat (inside) 10 0.0.0.0 0.0.0.0 dns 0 0
| access-group 100 in interface outside
| route outside 0.0.0.0 0.0.0.0 216.168.96.1 1
| timeout xlate 3:00:00
| timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
| timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
| timeout uauth 0:05:00 absolute
| aaa-server TACACS+ protocol tacacs+
| aaa-server TACACS+ max-failed-attempts 3
| aaa-server TACACS+ deadtime 10
| aaa-server RADIUS protocol radius
| aaa-server RADIUS max-failed-attempts 3
| aaa-server RADIUS deadtime 10
| aaa-server LOCAL protocol local
| aaa authentication telnet console LOCAL
| aaa authentication ssh console LOCAL
| ntp server 130.126.24.44 source outside prefer
| http server enable
| http 192.192.61.0 255.255.255.0 inside
| no snmp-server enable traps
| no floodguard enable
| sysopt connection tcpmss 0
| sysopt connection permit-ipsec
| crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
| crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
| crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
| crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
| crypto map outside_map client authentication LOCAL
| crypto map outside_map interface outside
| isakmp enable outside
| isakmp identity address
| isakmp policy 20 authentication pre-share
| isakmp policy 20 encryption 3des
| isakmp policy 20 hash md5
| isakmp policy 20 group 2
| isakmp policy 20 lifetime 86400
| vpngroup Nexicom address-pool VPN
| vpngroup Nexicom dns-server 216.168.96.10 216.168.96.13
| vpngroup Nexicom wins-server 192.192.61.246
| vpngroup Nexicom default-domain nexicom.net
| vpngroup Nexicom split-tunnel Nexicom_splitTunnelAcl
| vpngroup Nexicom idle-time 1800
| vpngroup Nexicom password ********
| telnet timeout 5
| ssh 192.192.61.0 255.255.255.0 inside
| ssh timeout 5
| console timeout 0
| vpdn username harvey password ********
| vpdn username tom password ********
| vpdn username mike password ********
| vpdn username billr password ********
| vpdn username amhalliday password ********
| vpdn username paul password **********
| vpdn enable outside
| dhcpd address 192.192.61.32-192.192.61.99 inside
| dhcpd dns 216.168.96.10 216.168.96.13
| dhcpd lease 50400
| dhcpd ping_timeout 750
| dhcpd domain nexicom.net
| dhcpd enable inside
| username admin password XXXXXXXXXXXXXXXX encrypted privilege 15
| terminal width 80

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFB9T4EqMetgU57IuQRAvfbAJ4hJvRZY0J2R+l7/WFillVW2rT/bQCffrrl
ORddzyqDqEJh9Kn6Cqz25ZY=
=p+bT
-----END PGP SIGNATURE-----
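The three configuration points this message turns on (XAUTH against the LOCAL user database, the nat 0 exemption for the VPN address pool, and a split-tunnel ACL that reads permit ip any any) can be checked mechanically before a client ever connects. The Python below is an added example written for this page; it is not code from the thread, from Cisco, or from any PIX tool. It parses an abbreviated PIX 6.3 configuration constructed from the one quoted above (placeholder passwords, the thread's addresses) and reports: vpdn username accounts that have no matching username entry (the point Koen raised: with client authentication LOCAL only username entries serve IPsec XAUTH), an address pool that the nat 0 ACL does not exempt, and a split-tunnel ACL permitting any to any, which sends all client traffic, Internet-bound included, through the tunnel. The function names, finding texts and the config-lint framing are this example's own assumptions.

```python
"""Lint checks for a PIX 6.3 remote-access VPN configuration (added example, not from the thread)."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = Optional[ipaddress.IPv4Network]  # None stands for the PIX keyword 'any'

# Constructed sample: an abbreviated version of the configuration quoted in the thread.
# Passwords are placeholders; the addresses are the ones shown in the thread.
SAMPLE_CONFIG = """\
access-list compiled
access-list 101 permit ip 192.192.61.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip any 172.30.230.0 255.255.255.0
access-list Nexicom_splitTunnelAcl permit ip any any
access-list outside_cryptomap_dyn_20 permit ip any 172.30.230.0 255.255.255.0
ip local pool VPN 172.30.230.1-172.30.230.254
nat (inside) 0 access-list 101
crypto map outside_map client authentication LOCAL
vpngroup Nexicom address-pool VPN
vpngroup Nexicom split-tunnel Nexicom_splitTunnelAcl
vpdn username harvey password ********
vpdn username tom password ********
username admin password XXXXXXXX encrypted privilege 15
"""


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Group 'access-list NAME RULE' lines by NAME ('access-list compiled' is a mode switch, not an ACL)."""
    acls: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (.+)$", line.strip())
        if m and m.group(1) != "compiled":
            acls.setdefault(m.group(1), []).append(m.group(2))
    return acls


def _parse_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Read one PIX address spec ('any', 'host A', or 'A MASK') starting at tokens[i]."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_rule(rule: str) -> Tuple[str, Net, Net]:
    """Split 'permit|deny PROTO SRC DST ...' into (action, source, destination); trailing tokens are ignored."""
    tokens = rule.split()
    src, i = _parse_addr(tokens, 2)
    dst, _ = _parse_addr(tokens, i)
    return tokens[0], src, dst


def split_tunnel_findings(config: str) -> List[str]:
    """Flag split-tunnel ACLs that permit any->any: every client flow is then sent through the tunnel."""
    acls = parse_acls(config)
    findings = []
    for group, acl in re.findall(r"^vpngroup (\S+) split-tunnel (\S+)", config, re.M):
        for rule in acls.get(acl, []):
            action, src, dst = parse_rule(rule)
            if action == "permit" and src is None and dst is None:
                findings.append(f"{group}: split-tunnel ACL {acl} permits any->any; Internet-bound client traffic is tunneled too")
    return findings


def xauth_user_findings(config: str) -> List[str]:
    """With 'client authentication LOCAL', list accounts that exist only as 'vpdn username' (PPTP/L2TP) entries."""
    if not re.search(r"^crypto map \S+ client authentication LOCAL", config, re.M):
        return []
    local_users = set(re.findall(r"^username (\S+) ", config, re.M))
    vpdn_users = set(re.findall(r"^vpdn username (\S+) ", config, re.M))
    return sorted(vpdn_users - local_users)


def nat_exempt_findings(config: str) -> List[str]:
    """Check that each vpngroup's address pool is a permitted destination in the 'nat (...) 0 access-list' ACL."""
    acls = parse_acls(config)
    pool_start = {name: ipaddress.ip_address(first)
                  for name, first in re.findall(r"^ip local pool (\S+) (\S+)-\S+", config, re.M)}
    findings = []
    for iface, acl in re.findall(r"^nat \((\S+)\) 0 access-list (\S+)", config, re.M):
        rules = [parse_rule(r) for r in acls.get(acl, [])]
        destinations = [dst for action, _, dst in rules if action == "permit"]
        for group, pool in re.findall(r"^vpngroup (\S+) address-pool (\S+)", config, re.M):
            first = pool_start.get(pool)
            if first is not None and not any(d is None or first in d for d in destinations):
                findings.append(f"{group}: pool {pool} is not covered by nat ({iface}) 0 ACL {acl}")
    return findings


def lint(config: str) -> Dict[str, List[str]]:
    """Run all checks; an empty list means the check passed."""
    return {"split_tunnel": split_tunnel_findings(config),
            "vpdn_only_users": xauth_user_findings(config),
            "nat_exempt": nat_exempt_findings(config)}


if __name__ == "__main__":
    for check, items in lint(SAMPLE_CONFIG).items():
        print(check, items or "ok")
```

Run against the sample, the script reports harvey and tom as vpdn-only accounts (the 413 auth failure from the original post), passes the nat 0 check because access-list 101 already exempts 172.30.230.0/24, and flags the any-to-any split-tunnel ACL. Restricting that ACL to the inside networks is what lets the client reach the Internet directly while still tunneling internal traffic.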