09-25-2008 08:47 AM
I've got everything working except I can't ping inside servers. Here's an ipconfig from the VPN client, and a ping to the RADIUS server:
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . : domainnamelocal
IP Address. . . . . . . . . . . . : 192.168.100.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
H:\>ping 192.168.1.10
Pinging 192.168.1.10 with 32 bytes of data:
Request timed out.
Request timed out.
Here's the pix configuration:
PIX Version 6.3(5)
no fixup protocol dns
access-list 10 permit ip 192.168.1.0 255.255.255.0 host 172.16.7.33
access-list 10 permit ip 192.168.1.0 255.255.255.0 host 172.16.7.14
access-list Internet permit icmp any any echo-reply
access-list Internet permit icmp any any time-exceeded
access-list Internet permit icmp any any traceroute
access-list Internet permit udp any any eq isakmp
access-list Internet permit esp any any
access-list Internet deny ip any any log
access-list NO-NAT-VPN permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1492
mtu inside 1500
ip address outside outsideaddress subnetmask
ip address inside 192.168.1.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action drop
ip local pool VPNPOOL 192.168.100.1-192.168.100.50
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT-VPN
nat (inside) 1 access-list 10 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.1.10 netmask 255.255.255.255 0 0
access-group Internet in interface outside
route outside 0.0.0.0 0.0.0.0 outside addr
timeout xlate 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.1.10 keyname timeout 15
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto ipsec transform-set SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set SHA
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 10
crypto map VPN 10 set peer peeraddress
crypto map VPN 10 set transform-set strong
crypto map VPN 65000 ipsec-isakmp dynamic dynmap
crypto map VPN client authentication RADIUS
crypto map VPN interface outside
isakmp enable outside
isakmp key key address peer address netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 3600
isakmp policy 50 authentication rsa-sig
isakmp policy 50 encryption des
isakmp policy 50 hash sha
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash sha
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400
vpngroup VPN address-pool VPNPOOL
vpngroup VPN dns-server 192.168.1.10
vpngroup VPN default-domain domain
vpngroup VPN split-tunnel 102
vpngroup VPN idle-time 1800
vpngroup VPN authentication-server RADIUS
vpngroup VPN password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh myoustide outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
management-access inside
09-25-2008 09:29 AM
Add this to the PIX:
isakmp nat-traversal
09-27-2008 12:14 PM
You "nailed" it. Thanks.
09-27-2008 12:14 PM
Fixed it.
09-25-2008 09:33 AM
Enable NAT-T:
isakmp nat-t 20
Connect the VPN client again and post the results.
HTH
Saju
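Both replies above fix the problem with a single command. As an added example that is not part of this thread, the Python below automates the checks a reviewer does by eye on a PIX 6.x remote-access VPN config: whether NAT-T is enabled, whether `sysopt connection permit-ipsec` is present, whether the `nat 0` and split-tunnel ACLs actually match the inside network to the whole VPN pool, and whether any `isakmp policy` uses DES, MD5 or DH group 1. The embedded config is the relevant subset of the one posted above (constructed input, not a complete firewall config); the function names and finding texts are this example's own. Run against the posted config it reports the missing NAT-T, and also flags policy 50 (DES, group 1) and policy 40 (MD5), both visible in the original.

```python
import ipaddress

# Constructed input for this example: the lines of the PIX 6.3(5) config posted
# above that matter for the checks below. Unrelated lines are omitted; this is
# not a complete or working firewall configuration.
PIX_CONFIG = """\
access-list 10 permit ip 192.168.1.0 255.255.255.0 host 172.16.7.33
access-list NO-NAT-VPN permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
ip local pool VPNPOOL 192.168.100.1-192.168.100.50
nat (inside) 0 access-list NO-NAT-VPN
sysopt connection permit-ipsec
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 50 authentication rsa-sig
isakmp policy 50 encryption des
isakmp policy 50 hash sha
isakmp policy 50 group 1
vpngroup VPN split-tunnel 102
"""

# IKE phase 1 settings a reviewer would flag today (example's own choice of list).
WEAK_ISAKMP = {("encryption", "des"), ("hash", "md5"), ("group", "1")}


def _take_net(parts, i):
    """Read one ACL address term (any | host A | A MASK) at parts[i]; return (network, next index)."""
    if parts[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if parts[i] == "host":
        return ipaddress.ip_network(parts[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{parts[i]}/{parts[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract the remote-access VPN pieces the audit needs from PIX 6.x CLI text."""
    cfg = {"acls": {}, "pool": None, "inside": None, "nat0_acl": None,
           "split_acl": None, "nat_t": False, "sysopt_ipsec": False, "policies": {}}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "access-list" and len(p) >= 6 and p[2:4] == ["permit", "ip"]:
            src, i = _take_net(p, 4)
            dst, _ = _take_net(p, i)
            cfg["acls"].setdefault(p[1], []).append((src, dst))
        elif p[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
        elif p[:3] == ["ip", "local", "pool"]:
            first, last = p[4].split("-")
            cfg["pool"] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif p[0] == "nat" and p[2:4] == ["0", "access-list"]:
            cfg["nat0_acl"] = p[4]
        elif p[0] == "vpngroup" and p[2] == "split-tunnel":
            cfg["split_acl"] = p[3]
        elif p[:2] == ["isakmp", "nat-traversal"]:
            cfg["nat_t"] = True
        elif p == ["sysopt", "connection", "permit-ipsec"]:
            cfg["sysopt_ipsec"] = True
        elif p[:2] == ["isakmp", "policy"] and len(p) >= 5:
            cfg["policies"].setdefault(p[2], {})[p[3]] = p[4]
    return cfg


def _acl_covers_pool(cfg, acl_name):
    """True if one entry of the ACL matches the whole inside net to the whole VPN pool."""
    first, last = cfg["pool"]
    return any(cfg["inside"].subnet_of(src) and first in dst and last in dst
               for src, dst in cfg["acls"].get(acl_name, []))


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_config(text)
    findings = []
    if not cfg["nat_t"]:
        findings.append("NAT-T disabled: add 'isakmp nat-traversal 20' so ESP from clients "
                        "behind NAT is carried in UDP/4500")
    if not cfg["sysopt_ipsec"]:
        findings.append("missing 'sysopt connection permit-ipsec'")
    if cfg["pool"] is None or cfg["inside"] is None:
        findings.append("cannot check ACLs: no VPN pool or inside interface address found")
    else:
        for label, acl in (("nat 0", cfg["nat0_acl"]), ("split-tunnel", cfg["split_acl"])):
            if acl is None:
                findings.append(f"no {label} ACL configured")
            elif not _acl_covers_pool(cfg, acl):
                findings.append(f"{label} ACL {acl} does not match inside -> VPN pool")
    for num, attrs in sorted(cfg["policies"].items(), key=lambda kv: int(kv[0])):
        weak = [f"{k} {v}" for k, v in attrs.items() if (k, v) in WEAK_ISAKMP]
        if weak:
            findings.append(f"isakmp policy {num} uses weak settings: {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in audit(PIX_CONFIG):
        print("-", finding)
```

The ACL check is deliberately strict: it wants a single entry that covers the whole pool, because a `nat 0` ACL that only partially covers the pool produces exactly the symptom in the thread for the clients that land in the uncovered addresses.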