02-26-2008 02:59 PM
Dear Netpros,
I have a PIX 501 which I have set up to accept connections via Cisco VPN client. I am able to connect and receive an IP from the NEW_VPN_POOL, but I can't reach hosts on the LAN 192.168.1.0/24. I think my access rule 201 needs to be modified but I am not sure. Could you look at my config and suggest what I may need to add? Many thank yous, Julian
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname firewall
domain-name fw.com
clock timezone EST -5
clock summer-time EDT recurring
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit icmp any any
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list pub [permit a bunch of stuff]
access-list 101 permit ip any any
pager lines 24
logging on
logging console errors
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool NEW_VPN_POOL 192.168.200.1-192.168.200.254
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 102
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.1.4 netmask 255.255.255.255 0 0
access-group pub in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 gw 1
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 11 set transform-set myset
crypto map mymap 11 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local NEW_VPN_POOL outside
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 86400
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption des
isakmp policy 22 hash md5
isakmp policy 22 group 2
isakmp policy 22 lifetime 86400
vpngroup CSH_OFFSITE address-pool NEW_VPN_POOL
vpngroup CSH_OFFSITE dns-server 192.168.1.1
vpngroup CSH_OFFSITE wins-server 192.168.1.1
vpngroup CSH_OFFSITE default-domain password
vpngroup CSH_OFFSITE idle-time 1800
vpngroup CSH_OFFSITE password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn enable outside
dhcpd address 192.168.1.248-192.168.1.254 inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end
02-27-2008 04:49 AM
I solved my own problem with this command:
isakmp nat-traversal [natkeepalive]
Thanks,
Julian
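Added example, not part of the thread above: a small linter that reads a PIX 6.x remote-access VPN configuration and flags the three settings that most often leave a connected VPN client unable to reach the inside LAN. The config text embedded below is a constructed excerpt modelled on the one Julian posted; the "after" version appends the NAT-traversal line he used, with 20 seconds as an assumed keepalive value (the keyword form "isakmp nat-traversal [natkeepalive]" is PIX 6.3 syntax, the value is not from the thread). The checks are: the pool must be covered by the nat 0 exemption ACL so replies to clients are not translated, "sysopt connection permit-ipsec" must be present so decrypted traffic bypasses the outside ACL, and "isakmp nat-traversal" must be present for clients behind a NAT device. It also warns when the pool overlaps the inside subnet, a related pitfall the thread does not hit.

```python
"""Lint a PIX 6.x remote-access VPN config for common client-to-LAN blockers.

Added example; the sample config is a constructed excerpt, not the full
configuration from the thread, and the checks cover only the settings
discussed in the lead-in.
"""
import ipaddress

# Constructed sample modelled on the posted config, before the fix was applied.
PIX_CONFIG_BEFORE = """\
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip local pool NEW_VPN_POOL 192.168.200.1-192.168.200.254
nat (inside) 0 access-list 102
sysopt connection permit-ipsec
crypto map mymap 11 ipsec-isakmp dynamic dynmap
isakmp enable outside
vpngroup CSH_OFFSITE address-pool NEW_VPN_POOL
"""

# The poster's fix: the same config plus NAT traversal (20 s keepalive assumed).
PIX_CONFIG_AFTER = PIX_CONFIG_BEFORE + "isakmp nat-traversal 20\n"

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(addr, mask):
    """Build a network from PIX 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_ip_entry(tokens):
    """Parse 'access-list NAME permit ip SRC DST' into (src_net, dst_net).

    Each side is either the keyword 'any' or an 'address mask' pair.
    Returns None for entries that are not 'permit ip'.
    """
    if tokens[2:4] != ["permit", "ip"]:
        return None
    pos = 4

    def take():
        nonlocal pos
        if tokens[pos] == "any":
            pos += 1
            return ANY
        net = _net(tokens[pos], tokens[pos + 1])
        pos += 2
        return net

    src = take()
    dst = take()
    return src, dst


def lint_vpn_config(config):
    """Return a list of findings; an empty list means every check passed."""
    pools, acls, nat0_acls, used_pools = {}, {}, set(), set()
    inside = None
    has_permit_ipsec = has_nat_t = False
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "access-list":
            entry = _acl_ip_entry(t)
            if entry:
                acls.setdefault(t[1], []).append(entry)
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            nat0_acls.add(t[4])  # NAT exemption driven by this ACL
        elif t[:3] == ["ip", "address", "inside"]:
            inside = _net(t[3], t[4])
        elif t[0] == "vpngroup" and t[2] == "address-pool":
            used_pools.add(t[3])
        elif t[:3] == ["sysopt", "connection", "permit-ipsec"]:
            has_permit_ipsec = True
        elif t[:2] == ["isakmp", "nat-traversal"]:
            has_nat_t = True

    findings = []
    if not has_permit_ipsec:
        findings.append("no 'sysopt connection permit-ipsec': decrypted client "
                        "traffic is subject to the outside interface ACL")
    if not has_nat_t:
        findings.append("no 'isakmp nat-traversal': clients behind a NAT device "
                        "complete IKE but their ESP traffic is not carried")

    exempt = [e for name in nat0_acls for e in acls.get(name, [])]
    for name in used_pools:
        if name not in pools:
            findings.append(f"vpngroup references undefined pool {name}")
            continue
        lo, hi = pools[name]
        if inside and (lo in inside or hi in inside):
            findings.append(f"pool {name} overlaps the inside subnet {inside}")
        covered = any(inside and inside.subnet_of(src) and lo in dst and hi in dst
                      for src, dst in exempt)
        if not covered:
            findings.append(f"no nat 0 exemption for inside -> pool {name}; "
                            "replies to VPN clients would be NATed")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", PIX_CONFIG_BEFORE), ("after", PIX_CONFIG_AFTER)):
        print(label, lint_vpn_config(cfg) or "ok")
```

Run against the "before" excerpt the only finding is the missing NAT-traversal line, which matches the outcome in the thread; the nat 0 exemption (ACL 102 covering 192.168.1.0/24 to 192.168.200.0/24) was already correct, so the access rule the poster first suspected was not the problem.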