
After PIX upgrade from 6.3 to 7.2(2) VPN doesn't work

c-quinteros
Level 1

Hi There,

I have configured a site-to-site VPN between a PIX and an 871 router. After the upgrade to version 7, I am not able to access the remote network. I am using ver 7.2(2) on the PIX and IOS ver 12.4(6)T2 on the router. The ACLs for no NAT and encryption are:

access-list encryp permit ip 172.16.0.0 255.240.0.0 192.168.130.0 255.255.254.0

access-list encryp permit ip 192.168.0.0 255.255.255.0 192.168.130.0 255.255.254.0

access-list nonat permit ip 172.16.0.0 255.240.0.0 192.168.128.0 255.255.128.0

access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.128.0 255.255.128.0

Is it possible that PIX OS ver 7 does not support this type of ACL (IP class B with mask /12 or IP class C with mask /17)?

Thx


daviddtran
Level 1

Hi c-quinteros,

Whoever designed the Pix firewall should be shot. It's so F! stupid. But enough of my ranting.

I ran into the same problem you have before when upgrading from 6.3(5) to 7.2(2). You need to do this for it to work:

tunnel-group DefaultRAGroup ipsec-attributes

isakmp ikev1-user-authentication (outside) none

Keep in mind that these are "hidden" commands.

WTF!

For version 7.1(2):

tunnel-group DefaultRAGroup general-attributes

authentication-server-group (outside) none

Good luck.

David

CCIE Security
