Trying to use Cisco VPN Client behind a PIX 7.2.2 in layer 2 bridging mode

tim.brown
Level 1

I hope this is the right place; it was the closest to my problem.

I have a Windows 2000 PC with Cisco VPN Client 4.8 behind a Cisco PIX 515e operating in Layer 2 (transparent firewall). My rule set is attached below.

My issue is this: I connect to a Cisco VPN through the PIX; it authenticates fine but then does not pass any data through the tunnel. If I remove the PIX and put in a Linux box with a transparent firewall, it works perfectly.

I'm sure there is a config I'm missing and hope someone can help point it out.

Thanks

Tim

My Config:

pixfirewall# sh run
: Saved
:
PIX Version 7.2(2)
!
firewall transparent
hostname pixfirewall
domain-name default.domain.invalid
enable password xxx
names
!
interface Ethernet0
 nameif outside
 security-level 0
!
interface Ethernet1
 nameif inside
 security-level 100
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list rules ethertype permit any
access-list rules ethertype permit bpdu
pager lines 24
mtu outside 1500
mtu inside 1500
ip address XXX.XXX.XX.XXX 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
access-group rules in interface outside
access-group rules in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http XXX.XXX.XX.XXX 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp nat-traversal 20
telnet timeout 5
ssh XXX.XXX.XX.XXX 255.255.255.255 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect icmp
policy-map type inspect ipsec-pass-thru preset_ipsec_map
 parameters
  esp
  ah
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
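As an added example (not from the original post or from Cisco), here is a small Python linter for a PIX/ASA 7.x running-config: it lists every `type inspect` policy-map that is defined but never reachable through a `service-policy`, and reports whether ISAKMP NAT-T is enabled. The embedded config is a constructed excerpt of the running-config posted above; it is a check of what the config binds, not a statement of what causes the tunnel problem.

```python
import re

# Constructed excerpt of the posted running-config (trimmed for the example).
SAMPLE_CONFIG = """\
firewall transparent
crypto isakmp nat-traversal 20
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect icmp
policy-map type inspect ipsec-pass-thru preset_ipsec_map
 parameters
  esp
  ah
service-policy global_policy global
"""

# "policy-map NAME" or "policy-map type inspect KIND NAME"
POLICY_RE = re.compile(r"^policy-map(?: type inspect (\S+))? (\S+)$")


def parse_policy_maps(config):
    """Map policy-map name -> (inspect kind or None, list of body lines)."""
    maps, current = {}, None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = m.group(2)
            maps[current] = (m.group(1), [])
        elif line.startswith(" ") and current:
            maps[current][1].append(line.strip())  # indented sub-command
        else:
            current = None  # any other top-level command ends the block
    return maps


def unapplied_inspect_maps(config):
    """Inspect policy-maps no service-policy-bound policy-map references."""
    maps = parse_policy_maps(config)
    applied = re.findall(r"^service-policy (\S+)", config, re.M)
    referenced = set()
    for name in applied:
        for line in maps.get(name, (None, []))[1]:
            m = re.match(r"inspect (\S+) (\S+)$", line)  # "inspect PROTO MAP"
            if m:
                referenced.add(m.group(2))
    return sorted(n for n, (kind, _) in maps.items()
                  if kind is not None and n not in referenced)


def nat_traversal_enabled(config):
    """True when ISAKMP NAT-T is configured (ESP is then carried in UDP/4500)."""
    return re.search(r"^crypto isakmp nat-traversal", config, re.M) is not None


if __name__ == "__main__":
    for name in unapplied_inspect_maps(SAMPLE_CONFIG):
        print(f"policy-map {name} is defined but not applied by any service-policy")
    print("NAT-T enabled:", nat_traversal_enabled(SAMPLE_CONFIG))
```

Run it against a full `show run` capture to see which inspect policy-maps are actually in effect on the box.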

1 Reply

b.hsu
Level 5

This document contains the most common solutions to IPSec VPN problems. These solutions come directly from service requests that the TAC have solved. Many of these solutions can be implemented prior to the in-depth troubleshooting of an IPSec VPN connection. As a result, this document is presented as a checklist of common procedures to try before you begin to troubleshoot a connection and call the TAC.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml