Pix 501 and Client VPN's

Unanswered Question
Feb 8th, 2007

Hi, I've had this 501 for several months now and really stuggled to get the client VPN side working.

I can get site to site working with no problems using the wizard but the Client VPN never works.

Latest i've set it up for pptp which I can get the client to connect with no problems but fails to get any traffic from the pix - I can however ping the remote PC from a PC behind the PIX.

I'm setting these up by the PDM buy i've attached a copy of the config anyway.

Best,

Chris

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
procom-it Fri, 02/09/2007 - 08:36

Hi, Has anyone got these 501's working in a vpn client form ?

The PDM wizard doesnt seem to work and Cisco wont help unless you buy a contract with them... Seems a little unfair as it appears as though the product doesnt work.

I've also posted this to several other forums and so far nothing.

Kamal Malhotra Fri, 02/09/2007 - 16:36

Hi Chris,

I'm not sure why the PPTP clients are not able to access the inside resources. We'll need to capture the traffic to get that information but if you want to Cisco VPN client, then you can configure the following commands on the CLI, and it should work :

access-list split permit ip 192.168.1.0 255.255.255.0 any

no access-list inside_outbound_nat0_acl

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (inside) 0 access0list nonat

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map cisco 1 set transform-set myset

crypto map dyn-map 20 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

isakmp nat-t

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

vpngroup VPNclient address-pool pool

vpngroup VPNclient idle-time 1800

vpngroup VPNclient split-tunnel split

vpngroup VPNclient password

Please make sure to configure your own password.

Hope this helps.

Regards,

Kamal

procom-it Mon, 02/12/2007 - 02:05

Hi Kamal.

It didnt like the command

nat (inside) 0 access0list nonat

I can attach via Cisco VPN Client but the same occurs - I can ping the remote from the network - but not the other way round.

Config attached. - Best, Chris

: Written by enable_15 at 02:14:05.990 UTC Mon Feb 12 2007

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname pixfirewall

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip any 10.10.10.0 255.255.255.240

access-list split permit ip 192.168.1.0 255.255.255.0 any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 213.x.146.72 255.255.x.0

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnpool 10.10.10.1-10.10.10.10

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.x.249.x.65 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto dynamic-map cisco 1 set transform-set myset

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication LOCAL

crypto map dyn-map 20 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

isakmp enable outside

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup vpn address-pool vpnpool

vpngroup vpn dns-server 192.168.1.1

vpngroup vpn idle-time 1800

vpngroup vpn password 634083

vpngroup VPNclient split-tunnel split

vpngroup VPNclient idle-time 1800

vpngroup VPNclient password ******

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd dns 89.238.129.211

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

username chris password 9DgK/T8KJkq.BhX6 encrypted privilege 15

terminal width 80

Cryptochecksum:xxx

: end

acomiskey Mon, 02/12/2007 - 11:36

it was a typo it should be

nat (inside) 0 access-list nonat

Actions

This Discussion