Trying to clean up VPN conf on a PIX506


This is the config information I have on my PIX 506 related to the VPN. I'm trying to clean it up since there is no site-to-site and I guess there are commands in there I don't need. Just want to use the Cisco VPN client and another NCP Secure Entry client (both work fine right now). I have tried cleaning it up and then my clients cannot I need some expert advice! What can be cleaned up here or renamed so it makes more sense?

sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-3des esp-sha-hmac

crypto dynamic-map dynmap 100 set transform-set strong

crypto map I-P 20 ipsec-isakmp

crypto map I-P 20 match address site2site

crypto map I-P 20 set peer

crypto map I-P 20 set transform-set strong

crypto map I-P 100 ipsec-isakmp dynamic dynmap

crypto map I-P interface outside

isakmp enable outside

isakmp key ******** address netmask

isakmp identity address

isakmp nat-traversal 20

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption 3des

isakmp policy 2 hash md5

isakmp policy 2 group 2

isakmp policy 2 lifetime 86400

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption 3des

isakmp policy 9 hash sha

isakmp policy 9 group 1

isakmp policy 9 lifetime 86400

I figure once I get this cleaned up, I will remove the access-list for site2site as well. Just not 100% sure what I am doing!

rtuttle Mon, 11/17/2008 - 09:26

Leave the sysopt connection permit ipsec statement in, and as long as you have no crypto maps you are using with the other device it should work. W/out the sysopt conn.. no connections are accepted on the outside regardless of conf.
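
An added example, not part of the original thread and not Cisco tooling: it groups the posted crypto map lines by sequence number to separate the static site-to-site entry from the dynamic-map entry the VPN clients connect through, and checks that the sysopt line is still present. The function name `audit` and the embedded sample (copied from the question) are assumptions made for illustration.

```python
import re

# Constructed sample: the sysopt and crypto map lines from the question above.
SAMPLE = """\
sysopt connection permit-ipsec
crypto dynamic-map dynmap 100 set transform-set strong
crypto map I-P 20 ipsec-isakmp
crypto map I-P 20 match address site2site
crypto map I-P 20 set peer
crypto map I-P 20 set transform-set strong
crypto map I-P 100 ipsec-isakmp dynamic dynmap
crypto map I-P interface outside
"""

# Matches numbered entries only; "crypto map I-P interface outside" has no sequence number.
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def audit(config):
    """Classify each crypto map entry as static (site-to-site) or dynamic (clients)."""
    entries, sysopt = {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "sysopt connection permit-ipsec":
            sysopt = True
        m = ENTRY.match(line)
        if not m:
            continue
        key, words = (m.group(1), int(m.group(2))), m.group(3).split()
        e = entries.setdefault(key, {"kind": None, "acl": None, "lines": []})
        e["lines"].append(line)
        if words[0] == "ipsec-isakmp":
            e["kind"] = "dynamic" if "dynamic" in words[1:] else "static"
        elif words[:2] == ["match", "address"] and len(words) > 2:
            e["acl"] = words[2]
    static = {k: v for k, v in entries.items() if v["kind"] == "static"}
    dynamic = {k: v for k, v in entries.items() if v["kind"] == "dynamic"}
    acls = sorted({v["acl"] for v in static.values() if v["acl"]})
    return {"sysopt": sysopt, "static": static, "dynamic": dynamic, "acls": acls}

if __name__ == "__main__":
    r = audit(SAMPLE)
    print("sysopt connection permit-ipsec present:", r["sysopt"])
    for (name, seq), e in r["static"].items():
        print(f"static entry {name} {seq} (site-to-site candidate for removal):")
        for line in e["lines"]:
            print("  no " + line)
    print("ACLs referenced only by static entries:", r["acls"])
    print("dynamic entries to keep:", sorted(r["dynamic"]))
```
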

