10-16-2007 07:49 AM
Ok, I thought that I had setup everything I would need for a user to access my network behind a PIX 515e but I guess not.
I basically gave inside and outside ports IP addresses on their respective subnets. Created some ACL's, applied these to a group and gave a user access to this group. That's it.
I then pointed the VPN client towards the outside IP and it looks like it's about to connect, but then I get a reason 412 error "remote peer no longer responding". I have seen some posts about a port 500 not being open but have no idea how to do this, I am still really new at all of this.
Any help would be appreciated.
10-16-2007 09:26 AM
David,
Unfortunately there is a lot more to it.
I cannot find a good doc as well.. you need to add the following
** Identify your transform set and Remote Access parameters
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
** enable an isakmp policy
isakmp enable outside
isakmp policy 10 authentication pre
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
** ip address given to your clients
ip local pool vpnpool 10.0.0.10-10.0.0.100
** you don't want to NAT connectivity to your remote clients
access-list 120 permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 120
** actual parameters to type into your client
vpngroup vpncert address-pool vpnpool
vpngroup vpncert idle-time 1800
vpngroup vpncert password letmein
** In your Client
Group name : vpncert
password : letmein
This will get you 90% if not 100%..
10-16-2007 09:28 AM
Also putting in
sysopt connection permit-vpn or sysopt connection permit-ipsec
This will allow you to not worry about access lists botching up your VPN.
10-22-2007 06:04 AM
Nathan,
I finally have the connection up but am having some difficulty pinging across.
I connect and it gives local area connection 2 an IP address of the inside network. I can ping from inside PC to outside PC (outside PC's local area connection 2) but I can't ping in from outside. I have the ACL for the user as following:
access-l test ext permit ip 172.15.116.0 255.255.255.0 any
access-l test ext permit ip any 172.15.116.0 255.255.255.0
I am not sure if it is this or a NAT problem, thanks for the help.
Dave
10-16-2007 06:45 PM
It sounds as if you are relatively close.
I prefer to use the sysopt connection permit-ipsec option to accept IPsec connections from most anywhere; this keeps me from fouling up VPN connectivity should I mess up an ACL, as well as I do not have a lot of control over where clients want to connect from. This does not allow any user without the correct credentials access to your network, just an opportunity to connect to the VPN server on the specific IPsec required ports.
This allows IP ports 50,51 (ESP and AH) and UDP 500 (IKE) to connect to the VPN server (PIX or ASA).
Did you set up a NAT pool for clients? You may want to do this if you need the IP traffic to return to the client via this VPN server in the event there may be some asymmetric routing paths.
If you are running 7.x+ code and ASDM 6.x+, the VPN remote client wizard pretty much takes out any of the guess work with this.
Does this help?
Mike
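An added configuration check (example code, not from this thread or from Cisco) that looks for the pieces Nathan listed and for Mike's question about the client pool: isakmp enabled on outside, a crypto map applied to outside, sysopt connection permit-ipsec/permit-vpn, and a nat (inside) 0 ACL that exempts the pool the vpngroup hands out. The sample config is constructed from the names and addresses used in the thread.

```python
import ipaddress
import re

# Constructed sample in the shape of the PIX 6.x commands from the thread
# (myset/mymap/vpnpool/vpncert, the 10.0.0.x pool and 10.1.1.0/24 are Nathan's).
SAMPLE_CONFIG = """
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
ip local pool vpnpool 10.0.0.10-10.0.0.100
access-list 120 permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 120
vpngroup vpncert address-pool vpnpool
sysopt connection permit-ipsec
"""

def check_pix_ra_vpn(config):
    """Return a list of findings; an empty list means every checked piece is present."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    find = lambda pat: [m for m in (re.match(pat, l) for l in lines) if m]
    findings = []
    if not find(r"isakmp enable outside$"):
        findings.append("isakmp not enabled on outside: IKE (UDP 500) never answers")
    if not find(r"crypto map \S+ interface outside$"):
        findings.append("no crypto map applied to the outside interface")
    if not find(r"sysopt connection permit-(ipsec|vpn)$"):
        findings.append("no sysopt connection permit-ipsec: interface ACLs can block VPN traffic")
    # pools by name -> (first, last) address; ACLs by name -> destination networks
    pools = {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
             for m in find(r"ip local pool (\S+) (\S+)-(\S+)$")}
    acls = {}
    for m in find(r"access-list (\S+) permit ip \S+ \S+ (\S+) (\S+)$"):
        net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        acls.setdefault(m.group(1), []).append(net)
    nat0 = [m.group(1) for m in find(r"nat \(inside\) 0 access-list (\S+)$")]
    exempt = [n for a in nat0 for n in acls.get(a, [])]
    for m in find(r"vpngroup \S+ address-pool (\S+)$"):
        name = m.group(1)
        if name not in pools:
            findings.append(f"vpngroup points at undefined pool {name}")
            continue
        lo, hi = pools[name]
        # the pool must be a destination in the nat 0 ACL, otherwise replies to the
        # client are NATed and inside hosts cannot reach it (checks pool endpoints only)
        if not all(any(ip in n for n in exempt) for ip in (lo, hi)):
            findings.append(f"pool {name} ({lo}-{hi}) not covered by a nat (inside) 0 ACL")
    return findings
```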
10-17-2007 03:20 AM
I will attempt to try out your ideas. I tried to use the GUI but I could connect only about 1 of 3 times and then when changes were to be updated it couldn't see the PIX for some reason.
Right now I just have 2 PCs, one on the outside and one on the inside. I am just trying to set it up before I try to place it in the real network. I don't know why there are connection errors all the time with this thing, it just seems easier to use the CLI.