New Member

a problem about config VPN client

Hi,

I installed 4 PIXes working in hub-spoke mode, and plan to configure the hub PIX as the remote VPN client access server. The site-to-site PIX worked well, but when I try the VPN client, it has a problem.

I followed the guide "Cisco - Configuring IPSec Between Hub and Remote PIXes with VPN Client and Extended Authentication". The debug message is the same as the sample and the isakmp sa is built well. When I try to telnet to the AS400 on the internal network, I can't reach it; no traffic goes over the VPN. In the log the message is

"%pix-6-302013:Built inbound TCP connection 720 for outside 10.0.2.1/1123(10.0.2.1/1123) to inside 172.28.13.4/23 (172.28.12.4.23)

"%pix-6-302013:Built inbound TCP connection 721 for outside 10.0.2.1/1124(10.0.2.1/1124) to inside 172.28.13.4/23 (172.28.12.4/23)

and so on. If I don't stop the telnet, the 10.0.2.1 port number keeps growing one by one.

What I did is:

(1) ip local pool -- 10.0.2.0 /24

(2) acl 100 permit ip 172.28.13.0/24 172.28.14.0/24

acl 100 permit ip 172.28.13.0/24 10.0.2.0/24

acl 110 permit ip 172.28.13.0/24 172.28.14.0/24

(3) global (outside) 1 218.22.xx.xx-218.22.xx.xx

global (outside) 1 218.22.xx.xx

nat (inside) 0 acl 100

nat (inside) 1 172.28.13.0 255.255.255.0 0 0

The other configurations I think are correct.

What is the problem?

Should we add the routing map in my other router, which works as a default gateway, like

"ip route 172.28.13.0/24 10.0.2.0/24 172.28.13.30"

The IP 172.28.13.30 is the IP of the hub PIX.

Thanks

oh

1 REPLY
Cisco Employee

Re: a problem about config VPN client

Check the isakmp key on the hub for your VPN clients; it should be

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

and not

isakmp key ******** address 0.0.0.0 netmask 255.255.255.255

HTH

R/Yusuf
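
An offline check for the two settings discussed in this thread, added here as an example (not code from either poster or from Cisco): it flags a wildcard `isakmp key` whose netmask is not 0.0.0.0, as the reply describes, and a client pool that no `nat 0` access-list covers. It assumes the configuration is written in full PIX 6.x syntax; the pool name, pool range and the `lint` function are constructed for illustration.

```python
import ipaddress

# Constructed sample config (pool name and range are placeholders, not from the thread).
SAMPLE = """\
ip local pool vpnpool 10.0.2.1-10.0.2.254
access-list 100 permit ip 172.28.13.0 255.255.255.0 172.28.14.0 255.255.255.0
access-list 100 permit ip 172.28.13.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list 100
isakmp key ******** address 0.0.0.0 netmask 255.255.255.255
"""

def lint(config):
    """Return findings for the wildcard-key netmask and nat 0 pool coverage."""
    findings = []
    pools, acls, nat0 = [], {}, []
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            first, _, last = t[4].partition("-")
            pools.append((t[3], ipaddress.ip_address(first),
                          ipaddress.ip_address(last or first)))
        # Only "permit ip <src> <mask> <dst> <mask>" entries are parsed;
        # entries using "host" or "any" are skipped.
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"] and len(t) == 8:
            dst = ipaddress.ip_network(f"{t[6]}/{t[7]}", strict=False)
            acls.setdefault(t[1], []).append(dst)
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"] and len(t) >= 5:
            nat0.append(t[4])
        elif (t[:2] == ["isakmp", "key"] and len(t) == 7
              and t[3] == "address" and t[5] == "netmask"):
            # Key for any peer (address 0.0.0.0) must also use netmask 0.0.0.0.
            if t[4] == "0.0.0.0" and t[6] != "0.0.0.0":
                findings.append(
                    f"wildcard isakmp key has netmask {t[6]}, expected 0.0.0.0")
    # Destinations exempted from NAT by any ACL bound to "nat ... 0".
    exempt = [net for name in nat0 for net in acls.get(name, [])]
    for name, first, last in pools:
        if not any(first in net and last in net for net in exempt):
            findings.append(f"pool {name} is not covered by a nat 0 access-list")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```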
