12-17-2007 11:41 PM - edited 03-12-2019 05:52 PM
Hi All,
I am having a problem configuring a dynamic VPN on my PIX, which has the 7.2 version of IOS, but the same configuration works on the PIX which has version 6.3. I just want a user outside my network, using the VPN client, to access resources inside my network. Below is my configuration. Is it OK, or do I need to do anything more? Please advise me.
ip local pool vpnpool1 192.168.170.1-192.168.170.254
crypto dynamic-map map2 20 set transform-set guatemala1
crypto map map1 20 ipsec-isakmp dynamic map2
crypto ipsec transform-set guatemala1 esp-aes-256 esp-sha-hmac
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Guatemalavpn address-pool vpnpool1
vpngroup Guatemalavpn split-tunnel inside_nat0_outbound
vpngroup Guatemalavpn idle-time 36000
vpngroup Guatemalavpn password xxxxxxx
access-list outside_acl permit tcp 192.168.170.0 255.255.255.0 172.19.10.0 255.255.255.0
route outside 192.168.170.0 255.255.255.0 200.30.222.65
access-list inside_nat0_outbound extended permit ip any 192.168.170.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0
access-list 102 permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
12-18-2007 01:00 AM
Hi Uday
6.3 and 7.2 are slightly different. First issue the following command.
isakmp enable outside
Then.
group-policy Guatemalavpn internal
group-policy Guatemalavpn attributes
vpn-idle-timeout 36000
vpn-session-timeout 10080
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 102
tunnel-group Guatemalavpn type ipsec-ra
tunnel-group Guatemalavpn general-attributes
address-pool vpnpool1
authentication-server-group LOCAL
default-group-policy Guatemalavpn
tunnel-group Guatemalavpn ipsec-attributes
pre-shared-key typeyourpresharedkeyhere
Regards
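The vpngroup to group-policy/tunnel-group mapping given in the reply above, as an added Python example that is not part of the original thread. The function name `convert_vpngroups`, the placeholder key, and the idle-time unit conversion (6.3 value taken as seconds, 7.x value as minutes) are assumptions of this example.

```python
import re

# Constructed sample: the 6.3-style lines from the question, with a placeholder key.
SAMPLE_63 = """\
ip local pool vpnpool1 192.168.170.1-192.168.170.254
vpngroup Guatemalavpn address-pool vpnpool1
vpngroup Guatemalavpn split-tunnel inside_nat0_outbound
vpngroup Guatemalavpn idle-time 36000
vpngroup Guatemalavpn password PLACEHOLDER_PSK
"""

HANDLED = {"address-pool", "split-tunnel", "idle-time", "password"}

def convert_vpngroups(config_text):
    """Translate 6.3 vpngroup lines into 7.x lines; returns (lines, warnings)."""
    pools = set(re.findall(r"^ip local pool (\S+)", config_text, re.M))
    groups = {}
    for name, key, value in re.findall(
            r"^vpngroup (\S+) (\S+) (\S+)[ \t]*$", config_text, re.M):
        groups.setdefault(name, {})[key] = value
    lines, warnings = [], []
    for name, opts in groups.items():
        for key in sorted(set(opts) - HANDLED):
            warnings.append(f"{name}: '{key}' not translated, convert by hand")
        lines += [f"group-policy {name} internal",
                  f"group-policy {name} attributes",
                  " vpn-tunnel-protocol IPSec"]
        if "idle-time" in opts:
            # Assumption: 6.3 idle-time is in seconds, 7.x vpn-idle-timeout in minutes.
            lines.append(f" vpn-idle-timeout {max(1, int(opts['idle-time']) // 60)}")
        if "split-tunnel" in opts:
            lines += [" split-tunnel-policy tunnelspecified",
                      f" split-tunnel-network-list value {opts['split-tunnel']}"]
        lines += [f"tunnel-group {name} type ipsec-ra",
                  f"tunnel-group {name} general-attributes"]
        pool = opts.get("address-pool")
        if pool:
            if pool not in pools:  # the "ip pool ... is not defined" case
                warnings.append(f"{name}: ip local pool '{pool}' is not defined")
            lines.append(f" address-pool {pool}")
        lines.append(f" default-group-policy {name}")
        if "password" in opts:
            lines += [f"tunnel-group {name} ipsec-attributes",
                      f" pre-shared-key {opts['password']}"]
    return lines, warnings

if __name__ == "__main__":
    new_lines, notes = convert_vpngroups(SAMPLE_63)
    print("\n".join(new_lines + [f"! WARNING {n}" for n in notes]))
```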
12-18-2007 01:22 AM
Should I use your commands after my commands?
If I enter the following commands I get an error message:
vpngroup Guatemalavpn address-pool vpnpool1
vpngroup Guatemalavpn split-tunnel inside_nat0_outbound
vpngroup Guatemalavpn idle-time 36000
vpngroup Guatemalavpn password cisco123
12-18-2007 01:23 AM
This is the error message:
WARNING: the 'vpngroup' command has been deprecated, and will be converted to the corresponding tunnel-group and group-policy syntax
ERROR: ip pool vpnpool1 is not defined.
12-18-2007 01:50 AM
If I try to connect after the configuration,
the Cisco VPN client asks for authentication. After providing the local username and password of the PIX (I also tried with the username Guatemalavpn and my pre-shared key as the password), I get an error saying:
secured vpn connection terminated locally by the client reason 403 unable to connect security gateway
12-18-2007 01:51 AM
vpngroup was changed to tunnel-group in 7.x IOS, so don't use vpngroup; use my config instead. The rest of the config is OK.
When it asks you for a username and password, submit a username and password that you created on the PIX. For example, the following command creates a user:
username uday password 1234 priv 1
Regards
12-18-2007 02:21 AM
I am still having the same error and the below command is not working.
tunnel-group Guatemalavpn type ipsec-ra
12-18-2007 02:27 AM
Uday,
What error do you encounter when you type
tunnel-group Guatemalavpn type ipsec-ra
Posting your running config would be helpful
12-18-2007 02:56 AM
12-18-2007 03:41 AM
Type the following in their respective order in configure terminal mode
tunnel-group Guatemalavpn general-attributes
authentication-server-group LOCAL
12-19-2007 08:20 PM
Do I have any problem with my crypto map command? When I type it, I get the following error.
crypto map map1 20 ipsec-isakmp dynamic map2
WARNING: dynamic map has incomplete entries