Need a Cisco Guy

marley1 (Supreme [H]ardness; joined Jul 18, 2000; 5,447 messages)
I need some help. I do not use Cisco gear, and one of my clients has a Pix506e. The VPN stopped working on it. When I telnet into the device I have a password that works, but I have no idea how to do anything else.

I was wondering if someone would be willing to logmein/teamviewer into the server, and do the config with me over the phone.

I don't expect this to be free but I can't imagine it being a long process.

I want to see how the VPN is set up and either get it working or maybe just port forward 1723 to the server so I can do it that way.

Ideally want to just get it working.
 
Can you post the config and maybe sh logg? I can probably help, but not really through remote access.
 
I have no idea how to post or do the sh logg.

If you want to walk me through it, that is fine, but I need some hand-holding, as Cisco units aren't my thing.

On a sheet from the old IT I have a username that says telnet and an enable password, then two other username/password pairs that list PPTP.
 
Log in, type en, then hit enter; it will ask for a password. Enter the enable password, then type show run, hit enter, and copy the config out to a text file and post it up here. Remove any passwords and hashes and the external IP.

It may be a pain via telnet though.
 
User Access Verification

Password:
Type help or '?' for a list of available commands.
shpd-gw1> show run
Type help or '?' for a list of available commands.
shpd-gw1> en
Password: *********
shpd-gw1# show run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SOMEPASSWORDHASH? encrypted
passwd SOMEPASSWORDHASH2? encrypted
hostname domain-gw1
domain-name domain.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name SOMEIP4? LanPro-Backup
name SOMEIP3? LanPro
name SOMEIP2? LanPro-Alt
name SOMEIP? Totalcomputer
object-group network NetworkSupport
description Total Computer & Lan Pro
network-object LanPro 255.255.255.255
network-object SOMEIP5? 255.255.255.255
network-object LanPro-Backup 255.255.255.255
network-object LanPro-Alt 255.255.255.255
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside EXTERNALIP 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.1.200-192.168.1.220
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location ANOTHEREXTENRALIP? 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 192.168.1.10 255.255.255.255 inside
telnet timeout 5
ssh ANOTHEREXTERNALIP?? 255.255.255.255 outside
ssh timeout 60
management-access inside
console timeout 0
vpdn group pptp-in accept dialin pptp
vpdn group pptp-in ppp authentication pap
vpdn group pptp-in ppp authentication chap
vpdn group pptp-in ppp authentication mschap
vpdn group pptp-in ppp encryption mppe 40
vpdn group pptp-in client configuration address local pptp-pool
vpdn group pptp-in client configuration dns 192.168.1.10
vpdn group pptp-in pptp echo 60
vpdn group pptp-in client authentication local
vpdn username alp password *********
vpdn username tcg password *********
vpdn username msquires password *********
vpdn username shpd password *********
vpdn enable outside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:93dd6a4ab325b29306b5bda2487285f6
: end
shpd-gw1#
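The config above is the kind of dump a reviewer would go through line by line for the settings that matter to remote access. The following is an added example for this thread (not the poster's, Cisco's or the forum's code): a small auditor that reads a PIX 6.x `show run`, flags the weak or legacy settings visible in the posted config (40-bit MPPE, PAP, the default SNMP community, telnet management, the conduit, logging never turned on, and a default route whose next hop sits on the inside subnet) and lists the local PPTP accounts. `SAMPLE_CONFIG` is a constructed, abridged copy of the redacted config posted above with the poster's own placeholders kept; the fix notes name PIX 6.3 commands that exist, but the rule set and finding ids are this example's own.

```python
"""Audit a PIX 6.x 'show run' dump for weak remote-access settings.

Added example for this thread, not the poster's or Cisco's code. SAMPLE_CONFIG
is a constructed, abridged copy of the redacted config posted above, keeping
the poster's placeholders (SOMEIP?, EXTERNALIP, the hashes).
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SOMEPASSWORDHASH? encrypted
passwd SOMEPASSWORDHASH2? encrypted
ip address outside EXTERNALIP 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip local pool pptp-pool 192.168.1.200-192.168.1.220
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server community public
sysopt connection permit-pptp
telnet 192.168.1.10 255.255.255.255 inside
telnet timeout 5
ssh ANOTHEREXTERNALIP?? 255.255.255.255 outside
vpdn group pptp-in accept dialin pptp
vpdn group pptp-in ppp authentication pap
vpdn group pptp-in ppp authentication chap
vpdn group pptp-in ppp authentication mschap
vpdn group pptp-in ppp encryption mppe 40
vpdn group pptp-in client authentication local
vpdn username alp password *********
vpdn username tcg password *********
vpdn enable outside
Cryptochecksum:93dd6a4ab325b29306b5bda2487285f6
: end
"""

# (finding id, regex matching an offending line, note naming the PIX 6.3 fix)
LINE_RULES = [
    ("weak-mppe", r"^vpdn group \S+ ppp encryption mppe 40$",
     "40-bit MPPE; use 'ppp encryption mppe auto' so clients can negotiate 128-bit"),
    ("pap-allowed", r"^vpdn group \S+ ppp authentication pap$",
     "PAP passes the PPTP password unhashed; drop it with 'no vpdn group <g> ppp authentication pap'"),
    ("snmp-public", r"^snmp-server community public$",
     "default community string 'public'; change it, since 'no snmp-server enable traps' alone does not stop reads"),
    ("telnet-mgmt", r"^telnet \S+ \S+ (inside|outside)$",
     "cleartext telnet management; prefer 'ssh <host> <mask> inside'"),
    ("conduit", r"^conduit permit ",
     "legacy conduit applies regardless of access-lists; convert it to an access-list/access-group"),
    ("sysopt-pptp", r"^sysopt connection permit-pptp$",
     "PPTP sessions bypass interface ACLs; remove it if PPTP on the PIX is retired"),
    ("mgmt-from-outside", r"^(ssh|http|telnet) \S+ \S+ outside$",
     "management permitted from the outside interface; confirm that source is still authorised"),
]


def config_lines(text):
    """Non-empty config lines, minus the ': Saved' / ': end' markers and checksum."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith(":") and not ln.startswith("Cryptochecksum")]


def pptp_users(text):
    """Local PPTP accounts. On PIX 6.x 'vpdn username' entries only authenticate
    dial-in clients ('client authentication local'); device-admin rights come
    from 'enable password' / 'passwd', not from these entries."""
    found = [re.match(r"^vpdn username (\S+) password ", ln) for ln in config_lines(text)]
    return [m.group(1) for m in found if m]


def default_route_in_inside_subnet(text):
    """Return the outside default-route line when its next hop lies in the inside
    subnet (in the sample it is the firewall's own inside address), else None.
    Unless that is a redaction artifact, replies to outside clients have no path out."""
    inside_net = route_line = next_hop = None
    for ln in config_lines(text):
        m = re.match(r"^ip address inside (\S+) (\S+)$", ln)
        if m:
            inside_net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        m = re.match(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+) ", ln)
        if m:
            route_line, next_hop = ln, m.group(1)
    if inside_net is None or next_hop is None:
        return None
    try:
        return route_line if ipaddress.ip_address(next_hop) in inside_net else None
    except ValueError:  # placeholder such as EXTERNALIP, not an address
        return None


def audit(text):
    """Return a list of (finding id, offending line, note) for the config text."""
    lines = config_lines(text)
    findings = [(fid, ln, note) for fid, pattern, note in LINE_RULES
                for ln in lines if re.match(pattern, ln)]
    if "logging on" not in lines:
        findings.append(("logging-off", "(no 'logging on' line)",
                         "nothing is logged; 'logging on' and 'logging buffered debugging' before debugging"))
    route_line = default_route_in_inside_subnet(text)
    if route_line:
        findings.append(("route-next-hop-inside", route_line,
                         "default route next hop is on the inside subnet; check it against the ISP gateway"))
    return findings


if __name__ == "__main__":
    for fid, ln, note in audit(SAMPLE_CONFIG):
        print(f"[{fid}] {ln}\n    {note}")
    print("PPTP accounts:", ", ".join(pptp_users(SAMPLE_CONFIG)))
```

Run it against a real dump by pasting the `show run` output into `SAMPLE_CONFIG` or reading it from a file; the account listing answers the question of which PPTP users exist, and since those entries are dial-in accounts only, locking a user out of device administration is a matter of the enable password and the telnet/ssh/http lines, not of the `vpdn username` entries.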
 
Posted it. The VPN on the machines uses the TCG username, and I remember the password for it; not sure how to check if it was changed by the old company.

I would like to get this working, change the admin password, and make sure the tcg user only has VPN rights but no way to modify settings.
 
Curious what the hell this is as well:
names
name SOMEIP4? LanPro-Backup
name SOMEIP3? LanPro
name SOMEIP2? LanPro-Alt
name SOMEIP? Totalcomputer
object-group network NetworkSupport
description Total Computer & Lan Pro
network-object LanPro 255.255.255.255
network-object SOMEIP5? 255.255.255.255
network-object LanPro-Backup 255.255.255.255
network-object LanPro-Alt 255.255.255.255
 
I could also make a port forward to the server and let windows handle PPTP, of course I would like to remove the old setup.

Ideally would be better to just make it work, but let me know.
 
I think they will use the network-object for NAT / ACL to allow external support in.

I would look for Cisco PIX Device Manager and see if you can use that.
 
Okay what about the VPN portion? Does something look wrong?

Going through the Win7 VPN, it goes through the process but fails and says:

Connection failed with error 2147952460
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
 
marley, what happened exactly? When someone tries to connect, it just doesn't work? I'd like to see the show logg and maybe some debugs while someone is trying to connect.

debug vpdn error—Displays PPTP protocol error messages.
debug vpdn events—Displays PPTP tunnel event change information.
 
Again, an option we can try: as all the VPN is used for is to access a local web page, I could disable the PPTP on the Cisco, port forward 1723 to the local IP of the server and just set up MS RRAS.

The port forward and disabling I wouldn't know.
 
This probably doesn't matter, but change:

vpdn group pptp-in ppp encryption mppe 40

to

vpdn group pptp-in ppp encryption mppe auto
 
Again, an option we can try: as all the VPN is used for is to access a local web page, I could disable the PPTP on the Cisco, port forward 1723 to the local IP of the server and just set up MS RRAS.

The port forward and disabling I wouldn't know.

You said you wanted it to work though, lol.
 
I ran the debug vpdn error, but nothing happens.

Wait, something popped up:

PPTP: socket select return 0 fd
Interface outside - PPTP xGRE: Session 3 not estd
 
What caused this? Did you have a power cut or did someone log in?
 
This would be how you stop the pix vpn and forward pptp to whatever server:

no vpdn enable outside
static (inside,outside) tcp interface 1723 <ip.of.inside.host> 1723 netmask 255.255.255.255
access-list outside-in permit tcp any any eq 1723
access-group outside-in in interface outside
 
User Access Verification

Password:
Type help or '?' for a list of available commands.
shpd-gw1> en
Password: *********
shpd-gw1# show log
Syslog logging: disabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: disabled
History logging: disabled
Device ID: disabled
shpd-gw1# debug vpdn error
shpd-gw1#
PPTP: socket select return 0 fd

Interface outside - PPTP xGRE: Session 4 not estd
show log
Syslog logging: disabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: disabled
History logging: disabled
Device ID: disabled
shpd-gw1# show log
Syslog logging: disabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: disabled
History logging: disabled
Device ID: disabled
shpd-gw1#
 
shpd-gw1# logging buggered 7
Usage: clear logging
shpd-gw1# debug vpdn error
shpd-gw1#
PPTP: socket select return 0 fd

Interface outside - PPTP xGRE: Session 5 not estd

PPTP: socket select return 0 fd

Interface outside - PPTP xGRE: Session 6 not estd
show log
Syslog logging: disabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: disabled
History logging: disabled
Device ID: disabled
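The two captures above show the same thing twice: every `show log` category is disabled (so the device keeps no record of the attempts), and each connection attempt only produces a `PPTP xGRE: Session N not estd` line from `debug vpdn error`. The following is an added example for this thread (not the poster's, Cisco's or the forum's code): it parses a pasted telnet capture, reports the logging state, extracts the failed GRE session numbers, and prints the PIX 6.3 commands (`logging on`, `logging timestamp`, `logging buffered`, `logging monitor`, `terminal monitor`) that would make later debugging visible. `CAPTURE` is a constructed copy of the session output posted above; the reading of the `not estd` lines in `summarize()` is this example's interpretation, not something the thread states.

```python
"""Triage a PIX 6.x telnet capture: logging state plus 'debug vpdn error' output.

Added example for this thread, not the poster's or Cisco's code. CAPTURE is a
constructed copy of the 'show log' and debug output posted above.
"""
import re

CAPTURE = """\
shpd-gw1# show log
Syslog logging: disabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: disabled
History logging: disabled
Device ID: disabled
shpd-gw1# debug vpdn error
shpd-gw1#
PPTP: socket select return 0 fd

Interface outside - PPTP xGRE: Session 5 not estd

PPTP: socket select return 0 fd

Interface outside - PPTP xGRE: Session 6 not estd
"""


def logging_state(capture):
    """Map each '<Kind> logging: enabled/disabled' line of 'show log' to a bool."""
    return {m.group(1): m.group(2) == "enabled"
            for m in re.finditer(r"^(\w+) logging: (enabled|disabled)$", capture, re.M)}


def gre_sessions(capture):
    """PPTP GRE session numbers that the debug reported as not established."""
    return [int(n) for n in re.findall(r"PPTP xGRE: Session (\d+) not estd", capture)]


def enable_logging_commands(state, level="debugging"):
    """PIX 6.3 commands to keep syslog/debug output somewhere useful.
    'logging buffered' (the command mistyped as 'buggered' in the thread) keeps
    messages in memory for 'show logging'; 'logging monitor' plus 'terminal
    monitor' shows them live in the telnet session."""
    cmds = []
    if not state.get("Syslog"):
        cmds.append("logging on")
    if not state.get("Timestamp"):
        cmds.append("logging timestamp")
    if not state.get("Buffer"):
        cmds.append(f"logging buffered {level}")
    if not state.get("Monitor"):
        cmds += [f"logging monitor {level}", "terminal monitor"]
    return cmds


def summarize(capture):
    """Condensed triage of one capture."""
    sessions = gre_sessions(capture)
    return {
        "logging_enabled": any(logging_state(capture).values()),
        "gre_sessions_failed": sessions,
        # Interpretation (this example's, not the thread's): a fresh session
        # number per attempt means the TCP 1723 control connection reached the
        # PIX; the part that never came up is the GRE leg (IP protocol 47).
        # Something dropping GRE between client and PIX, or the return route,
        # is the next place to look.
        "control_channel_reached_pix": bool(sessions),
    }


if __name__ == "__main__":
    print(summarize(CAPTURE))
    for cmd in enable_logging_commands(logging_state(CAPTURE)):
        print(cmd)
```

Paste a capture in place of `CAPTURE` after the next test connection; once buffered logging is on, `show logging` on the PIX returns the messages that the `debug` session alone does not keep.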
 
Would you like to remote into the machine with me and work on it?
 
You have tried opening IE and going to the inside IP of the PIX?
 
Doesn't want to run, just hangs, but I heard Java needs to be an exact version of before
 
Doesn't want to run, just hangs, but I heard Java needs to be an exact version of before

Try uninstalling all versions of Java on the machine, reboot and then try the web interface. It should prompt to download its preferred version of Java, and then let you in.
 
VPDN is virtual private dial networking. It's a specific transport type for VPN.

PPTP is point-to-point tunnelling. Googling these will lead to enlightenment.

cisco-dot-com. Just sayin'.
 