Problem to configure VPN

udayashankarsg
Level 1

Hi All,

I am having a problem configuring a dynamic VPN on my PIX, which runs version 7.2 of IOS, but the same configuration works on the PIX that runs version 6.3. I just want a user outside my network, using the VPN client, to access resources inside my network. Below is my configuration. Is it OK, or do I need to do anything more? Please advise me.

ip local pool vpnpool1 192.168.170.1-192.168.170.254

crypto dynamic-map map2 20 set transform-set guatemala1

crypto map map1 20 ipsec-isakmp dynamic map2

crypto ipsec transform-set guatemala1 esp-aes-256 esp-sha-hmac

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup Guatemalavpn address-pool vpnpool1

vpngroup Guatemalavpn split-tunnel inside_nat0_outbound

vpngroup Guatemalavpn idle-time 36000

vpngroup Guatemalavpn password xxxxxxx

access-list outside_acl permit tcp 192.168.170.0 255.255.255.0 172.19.10.0 255.255.255.0

route outside 192.168.170.0 255.255.255.0 200.30.222.65

access-list inside_nat0_outbound extended permit ip any 192.168.170.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0

access-list 102 permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound


husycisco
Level 7

Hi Uday

6.3 and 7.2 are slightly different. First issue the following command.

isakmp enable outside

Then.

group-policy Guatemalavpn internal

group-policy Guatemalavpn attributes

vpn-idle-timeout 36000

vpn-session-timeout 10080

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value 102

tunnel-group Guatemalavpn type ipsec-ra

tunnel-group Guatemalavpn general-attributes

address-pool vpnpool1

authentication-server-group LOCAL

default-group-policy Guatemalavpn

tunnel-group Guatemalavpn ipsec-attributes

pre-shared-key typeyourpresharedkeyhere

Regards

Should I use your commands after my commands?

If I enter the following commands I get an error message:

vpngroup Guatemalavpn address-pool vpnpool1

vpngroup Guatemalavpn split-tunnel inside_nat0_outbound

vpngroup Guatemalavpn idle-time 36000

vpngroup Guatemalavpn password cisco123

This is the error message:

WARNING: the 'vpngroup' command has been deprecated, and will be converted to the corresponding tunnel-group and group-policy syntax

ERROR: ip pool vpnpool1 is not defined.

If I try to connect after the configuration,

the Cisco VPN client asks for authentication. After providing the local username and password of the PIX, and also when I tried the username Guatemalavpn with my pre-shared key as the password, I get an error saying:

secured vpn connection terminated locally by the client reason 403 unable to connect security gateway

vpngroup was changed to tunnel-group in 7.x IOS, so don't use vpngroup; use my config instead. The rest of the config is OK.

When it asks you for a username and password, submit a username and password that you created on the PIX. For example, the following command creates a user:

username uday password 1234 priv 1

Regards
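The vpngroup-to-tunnel-group mapping described in the replies above, written as a small converter that also catches the undefined address pool reported in the thread. This is an added example, not part of the original thread and not Cisco's own conversion logic; the function name `convert_vpngroup`, the sample input and the `EXAMPLE-PSK` placeholder are assumptions, and the split-tunnel ACL name and idle-time value are carried over unchanged.

```python
import re

def convert_vpngroup(config: str) -> list:
    """Translate PIX 6.3 'vpngroup' lines into 7.x group-policy/tunnel-group lines."""
    # Pools must exist before a tunnel-group can reference them
    pools = set(re.findall(r"^ip local pool (\S+)", config, re.M))
    groups = {}  # group name -> {option: value}
    for line in config.splitlines():
        m = re.match(r"\s*vpngroup (\S+) (\S+) (\S+)\s*$", line)
        if m:
            groups.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    out = []
    for name, opt in groups.items():
        out += [f"group-policy {name} internal", f"group-policy {name} attributes"]
        if "idle-time" in opt:
            # Value copied as-is; confirm the unit in the command reference for the target release
            out.append(f" vpn-idle-timeout {opt['idle-time']}")
        out.append(" vpn-tunnel-protocol IPSec")
        if "split-tunnel" in opt:
            out += [" split-tunnel-policy tunnelspecified",
                    f" split-tunnel-network-list value {opt['split-tunnel']}"]
        out += [f"tunnel-group {name} type ipsec-ra",
                f"tunnel-group {name} general-attributes"]
        if "address-pool" in opt:
            if opt["address-pool"] not in pools:
                raise ValueError(f"ip local pool {opt['address-pool']} is not defined")
            out.append(f" address-pool {opt['address-pool']}")
        out += [" authentication-server-group LOCAL",
                f" default-group-policy {name}"]
        if "password" in opt:
            # The 6.3 group password becomes the 7.x pre-shared key
            out += [f"tunnel-group {name} ipsec-attributes",
                    f" pre-shared-key {opt['password']}"]
    return out

# Constructed sample input, modelled on the vpngroup lines in the question
SAMPLE = """\
ip local pool vpnpool1 192.168.170.1-192.168.170.254
vpngroup Guatemalavpn address-pool vpnpool1
vpngroup Guatemalavpn split-tunnel inside_nat0_outbound
vpngroup Guatemalavpn idle-time 36000
vpngroup Guatemalavpn password EXAMPLE-PSK
"""

if __name__ == "__main__":
    print("\n".join(convert_vpngroup(SAMPLE)))
```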

I am still having the same error and the below command is not working.

tunnel-group Guatemalavpn type ipsec-ra

Uday,

What error do you encounter when you type

tunnel-group Guatemalavpn type ipsec-ra

Posting your running config would be helpful

Please find the configuration as an attachment.

Type the following, in this order, in configure terminal mode:

tunnel-group Guatemalavpn general-attributes

authentication-server-group LOCAL

Do I have a problem with my crypto map command? When I type it I get the following error:

crypto map map1 20 ipsec-isakmp dynamic map2

WARNING: dynamic map has incomplete entries
