12-12-2006 04:40 AM - edited 03-11-2019 02:07 AM
At the beginning, I'm sorry for my long message.
I've read more posts here about my trouble... but still haven't found any solution.
My problem is about a VPN IPsec tunnel on a Cisco PIX 515e
device.
The PIX OS version is 7.0.6.
My Win XP client has SP2 installed, and tries to make a VPN tunnel with IPsec via Cisco client 4.6.00.0049.
The strange behavior is:
The XP client with the Cisco VPN client authenticates itself but can't ping any host on the remote LAN.
The PIX is configured with:
PAT on the outside interface
and PAT on the DMZ interface.
A no-NAT ACL to exclude packets sourced from the inside network and destined to the VPN pool addresses.
(This ACL hasn't any matches when the tunnel is up and running.)
A split-tunnel ACL for the inside LAN.
When I bring the IPsec VPN up and check it via sh crypto ipsec sa, I find the tunnel active.
When I run sh access-list to check if the ACLs are matched, I find only the crypto_dyn20_ ACL matched.
The nonat ACL and split-tunnel ACL have zero matches.
If I try to ping some host on the inside network from the client,
nothing appears on the stats page of the VPN client.
If I ping from the PIX to the VPN client, I see decrypted packets on the stats page of the client.
No encryption appears to be done on the client.
If I try to traceroute from the XP client to any inside network host, stars appear from the first hop..
On my PIX I've enabled IPsec-over-TCP and
NAT-T.
Where is my mistake?
Please help me!
I'm going crazy!!
I attach my PIX config.
Thanks a lot.
Daniele
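As an added example (not from the thread or its attachment), a small Python script that parses PIX 7.x `show access-list` output and flags the pattern described above: the dynamic crypto ACL shows hits while the NAT-exemption ACL shows none. The sample output, ACL names and addresses below are constructed for the example.

```python
import re

# Constructed sample of PIX 7.x "show access-list" output; the ACL names and
# addresses are assumptions for this example, not taken from the thread.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list nonat; 1 elements
access-list nonat line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0 (hitcnt=0) 0x1a2b3c4d
access-list splittunnel; 1 elements
access-list splittunnel line 1 standard permit 192.168.1.0 255.255.255.0 (hitcnt=0) 0x5e6f7a8b
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 extended permit ip any 192.168.200.5 255.255.255.255 (hitcnt=12) 0x9c0d1e2f
"""

# One access-control entry: "access-list <name> line <n> ... (hitcnt=<count>)".
# Per-ACL summary lines ("access-list <name>; N elements") do not match.
ACE_RE = re.compile(r"^access-list (\S+) line \d+ .*\(hitcnt=(\d+)\)")


def acl_hit_counts(show_output):
    """Sum the hitcnt of every ACE, keyed by ACL name."""
    totals = {}
    for text in show_output.splitlines():
        m = ACE_RE.match(text)
        if m:
            name, hits = m.group(1), int(m.group(2))
            totals[name] = totals.get(name, 0) + hits
    return totals


def diagnose(show_output, crypto_acl, nonat_acl):
    """Return findings about the remote-access tunnel's traffic path.

    The dynamic crypto ACL counts packets the PIX decrypted from the client;
    the NAT-exemption ACL counts inside-to-pool traffic kept out of PAT.
    The split-tunnel ACL is only pushed to the client, so it is not checked.
    """
    hits = acl_hit_counts(show_output)
    if hits.get(crypto_acl, 0) == 0:
        return ["crypto ACL has no hits: no client traffic is being decrypted"]
    if hits.get(nonat_acl, 0) == 0:
        return ["crypto ACL has hits but NAT-exemption ACL has none: inside-to-pool "
                "traffic is not matching the exemption (check routing and ACL addresses)"]
    return ["both ACLs carry traffic: tunnel path looks healthy"]


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SHOW_ACCESS_LIST, "outside_cryptomap_dyn_20", "nonat"):
        print(finding)
```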
12-12-2006 08:12 AM
Hi,
do you think it's possible to post the debug output from the following?
debug crypto ipsec
debug crypto isakmp
12-12-2006 09:58 AM
Sorry, but when I start the VPN client, I can't see any output on debug!
I run:
term mon
debug crypto ipsec 255
debug crypto isakmp 255
and after:
try to connect, establishing the connection, and pinging..
but on the PIX no output!
BUT after
sh crypto ipsec sa
on the PIX I have this output:
-----
see attachment!
-----
Thanks a lot
Daniele
12-13-2006 07:25 AM
I haven't found solutions..
Can someone help me?
Thanks a lot to everybody
Daniele
12-13-2006 08:04 AM
Maybe solved!
Client versioning problem.
With the last version of the Cisco VPN client (4.8) everything is working well...
Thanks a lot
12-13-2006 05:07 PM
False!
It isn't a client problem, but an IP addressing problem.
If the XP client is behind NAT, nothing works.
If the XP client has a public IP, no NAT, everything works correctly.. also Linux via vpnc .. :)
Obviously the PIX has:
NAT-T enabled via the isakmp nat-traversal 20
command in global configuration, and also
ipsec-over-tcp 10000...
Any ideas?
Big trouble..
Cheers
Daniele