Help Configuring PIX and VPN Client

Unanswered Question
Aug 10th, 2007

Here is the code; what could cause the VPN client not to connect?

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 remotes security10
domain-name x.org
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol sip udp 5060
names
access-list nonat permit ip 10.10.0.0 255.255.255.0 10.10.255.0 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.255.0 255.255.255.0
access-list nonat permit ip 10.10.20.0 255.255.255.0 10.10.255.0 255.255.255.0
access-list nonat permit ip 10.10.30.0 255.255.255.0 10.10.255.0 255.255.255.0
access-list nonat permit ip 10.10.40.0 255.255.255.0 10.10.255.0 255.255.255.0
access-list nonat permit ip 10.10.50.0 255.255.255.0 10.10.255.0 255.255.255.0
access-list nonat permit ip 10.10.100.0 255.255.255.0 10.10.255.0 255.255.255.0
access-list nonat permit ip 192.x.x.0 255.255.255.0 10.10.255.0 255.255.255.0
access-list nonat permit ip 10.10.x.0 255.255.255.0 10.10.255.0 255.255.255.0
access-list nonat permit ip 10.10.1.0 255.255.255.0 10.10.255.0 255.255.255.0
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp permit any outside
icmp permit any inside
icmp permit any remotes
mtu outside 1500
mtu inside 1500
mtu remotes 1500
ip address outside x.x.x.3 255.255.255.0
ip address inside 10.10.30.254 255.255.255.0
ip address remotes 10.10.220.2 255.255.255.0
ip local pool bigpool 10.10.255.1-10.10.255.254
global (outside) 1 x.x.x.129
global (remotes) 1 10.10.220.5
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (remotes) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 74.255.101.1 1
route inside 10.10.1.0 255.255.255.0 10.10.30.1 1
route inside 10.10.10.0 255.255.255.0 10.10.30.1 1
route inside 10.10.20.0 255.255.255.0 10.10.30.1 1
route inside 10.10.40.0 255.255.255.0 10.10.30.1 1
route inside 10.10.50.0 255.255.255.0 10.10.30.1 1
route inside 10.10.60.0 255.255.255.0 10.10.30.1 1
route inside 10.10.70.0 255.255.255.0 10.10.30.1 1
route inside 10.10.100.0 255.255.255.0 10.10.30.1 1
route inside 10.10.201.0 255.255.255.0 10.10.30.1 1
route inside 10.10.202.0 255.255.254.0 10.10.30.1 1
route inside 10.10.204.0 255.255.254.0 10.10.30.1 1
route inside 10.10.210.0 255.255.255.0 10.10.30.1 1
route inside 10.10.254.0 255.255.255.0 10.10.30.1 1
route inside 192.168.2.0 255.255.255.0 10.10.30.1 1
route inside 192.168.193.0 255.255.255.0 10.10.30.1 1
aaa-server TACSERVER (inside) host 10.10.30.200 library timeout 10
aaa-server FCLRADIUS (inside) host 10.10.30.200 library timeout 10
url-server (inside) vendor n2h2 host 10.10.30.6 port 4005 timeout 5 protocol TCP
aaa authentication telnet console TACSERVER
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 10.10.20.0 255.255.255.0 inside
http 10.10.30.0 255.255.255.0 inside
snmp-server host inside 10.10.200.230 poll
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
vpngroup fclvpn address-pool bigpool
vpngroup fclvpn dns-server x.133.x.4
vpngroup fclvpn idle-time 1800
vpngroup fclvpn password ********
telnet 10.10.30.0 255.255.255.0 inside
telnet 10.10.20.0 255.255.255.0 inside

dlgoodson Mon, 08/13/2007 - 08:57

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map library 1 set transform-set myset
crypto map fcl 20 ipsec-isakmp dynamic library
crypto map fcl client authentication FCLRADIUS
crypto map fcl interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local bigpool outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
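As an added check that is not part of either post, the script below looks for the pieces a PIX 6.x vpngroup remote-access setup needs (address pool, ISAKMP on the outside, a crypto map with a dynamic entry bound there, a wildcard pre-shared key, sysopt permit-ipsec, NAT exemption for the pool) and runs over a constructed excerpt of the original post, then again with dlgoodson's lines added. The excerpt is condensed from the thread, and treating the pool as a /24 is my assumption.

```python
import re

# Constructed excerpts: the original post (no crypto section), then dlgoodson's reply
POST = """\
ip local pool bigpool 10.10.255.1-10.10.255.254
access-list nonat permit ip 10.10.30.0 255.255.255.0 10.10.255.0 255.255.255.0
vpngroup fclvpn address-pool bigpool
"""
REPLY = """\
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map library 1 set transform-set myset
crypto map fcl 20 ipsec-isakmp dynamic library
crypto map fcl interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 encryption des
"""

def check_vpn_client_config(cfg: str) -> list[str]:
    """Return findings for a PIX 6.x vpngroup remote-access setup."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    def find(pat):
        return [m for l in lines if (m := re.match(pat, l))]
    out = []
    pools = {m.group(1): m.group(2) for m in find(r"ip local pool (\S+) (\S+)")}
    for m in find(r"vpngroup (\S+) address-pool (\S+)"):
        if m.group(2) not in pools:
            out.append(f"vpngroup {m.group(1)} references undefined pool {m.group(2)}")
    if not find(r"isakmp enable (\S+)"):
        out.append("isakmp not enabled on any interface")
    bound = find(r"crypto map (\S+) interface (\S+)")
    if not bound:
        out.append("no crypto map applied to an interface")
    for m in bound:
        if not find(rf"crypto map {m.group(1)} \d+ ipsec-isakmp dynamic (\S+)"):
            out.append(f"crypto map {m.group(1)} has no dynamic entry for clients")
    if not find(r"isakmp key \S+ address 0\.0\.0\.0"):
        out.append("no wildcard pre-shared key for remote clients")
    if not find(r"sysopt connection permit-ipsec"):
        out.append("sysopt connection permit-ipsec missing: decrypted traffic must pass the ACLs")
    # Assumes a /24 pool: the pool network must be exempt from NAT via the nonat ACL
    for name, rng in pools.items():
        net = ".".join(rng.split("-")[0].split(".")[:3]) + ".0"
        if not find(rf"access-list \S+ permit ip \S+ \S+ {re.escape(net)} "):
            out.append(f"pool {name} ({net}/24) not covered by a nonat access-list")
    # DES and MD5 are weak; flag them rather than silently accept the posted policy
    if find(r".*\b(esp-des|encryption des|hash md5|esp-md5-hmac)\b"):
        out.append("DES/MD5 in use: weak cipher/hash")
    return out
```

Run on the original post alone it reports the missing ISAKMP, crypto map, key and sysopt lines; with the reply merged in only the weak DES/MD5 choice remains.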
