Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: PIX 506E VPN Problem - People getting booted off

PIX 506E VPN Problem - People getting booted off 9 years 7 months ago #20895

Hey,

I have a PIX506E that employees are connecting to remotely via VPN. My problem...

When two people are connected remotely and a third dials connects, one of the first two people get kicked off.

Here is my pertinent config:
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.1.160 255.255.255.240
ip local pool VPNPool 192.168.1.160-192.168.1.169 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.*.* ********** timeout 5
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set l2tp_tran esp-des esp-md5-hmac
crypto ipsec transform-set l2tp_tran mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set orlando esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto dynamic-map dyna 20 set transform-set l2tp_tran
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 65535 ipsec-isakmp dynamic dyna
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 3600
vpdn group FBCL2TPVPN accept dialin l2tp
vpdn group FBCL2TPVPN ppp authentication chap
vpdn group FBCL2TPVPN ppp authentication mschap
vpdn group FBCL2TPVPN client configuration address local VPNPool
vpdn group FBCL2TPVPN client configuration dns 192.168.*.*
vpdn group FBCL2TPVPN client authentication aaa RADIUS
vpdn group FBCL2TPVPN client accounting RADIUS
vpdn group FBCL2TPVPN l2tp tunnel hello 60
vpdn enable outside
So:

To prevent NAT for Remote VPN connections:
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.1.160 255.255.255.240

VPN Pool:
ip local pool VPNPool 192.168.1.160-192.168.1.169 mask 255.255.255.0

Authenticate via Radius Server:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.*.* ********** timeout 5
aaa-server LOCAL protocol local

Allow ipsec, pptp and l2tp connections:
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp

Crypto map:
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set l2tp_tran esp-des esp-md5-hmac
crypto ipsec transform-set l2tp_tran mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set orlando esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto dynamic-map dyna 20 set transform-set l2tp_tran
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 65535 ipsec-isakmp dynamic dyna
crypto map mymap client authentication LOCAL
crypto map mymap interface outside

Shared Key and policy:
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 3600

Radius information:
vpdn group FBCL2TPVPN accept dialin l2tp
vpdn group FBCL2TPVPN ppp authentication chap
vpdn group FBCL2TPVPN ppp authentication mschap
vpdn group FBCL2TPVPN client configuration address local VPNPool
vpdn group FBCL2TPVPN client configuration dns 192.168.*.*
vpdn group FBCL2TPVPN client authentication aaa RADIUS
vpdn group FBCL2TPVPN client accounting RADIUS
vpdn group FBCL2TPVPN l2tp tunnel hello 60
vpdn enable outside

I've gone over this a few times and still cannot figure out why its only allowing a few users to connect.

All 3 users that need to connect are connecting from one office location.

Any ideas?
The administrator has disabled public write access.
Time to create page: 0.079 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup