Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
254
Views
0
Helpful
1
Replies

connection from outside lan to pix 501 won't work,

thespirit
Level 1
Level 1

‎11-26-2003 05:47 AM - edited ‎02-20-2020 11:07 PM

and the users get "remote peer not resonding". But when using dial-up connection, they get through. What could be wrong? We are using Cisco VPN Client ver 4.0(rel), PIX Firewall version 6.2(1) and PDM 2.0(1). I'm a new to the PIX 501, so I need help!!! Here is my configuration(I haven't set this up. The company I'm working for have had someone to do it for them).

Building configuration...

: Saved

:

PIX Version 6.2(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxx encrypted

hostname xxxx-PIX-501

domain-name xxxx.xxxxx

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

name xxxxxxxxxxxxxxxxxxxxx

access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list outside_access_in permit icmp any any echo-reply

access-list inside_access_in permit ip 192.168.10.0 255.255.255.0 any

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside xxx.xxx.xxx.178 255.255.255.248

ip address inside 192.168.10.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool REMOTE-VPN-IP-POOL xxx.xxx.xxx.150-xxx.xxx.xxx.200

pdm location xxxx-xxxxx 255.255.255.255 inside

pdm location xxx.xxx.xxx.0 255.255.255.0 outside

pdm location xxx.xxx.xx.x 255.255.255.255 outside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 100

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) xxx.xxx.xxx.xxx abcd-efghx netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server vpnauth protocol radius

aaa-server vpnauth (inside) host abcd-efghx ZAQ!2wsxpp timeout 10

aaa-server vpn protocol tacacs+

http server enable

http xxx.xxx.xx.x 255.255.255.255 outside

http 192.168.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt radius ignore-secret

no sysopt route dnat

crypto ipsec transform-set TRANSFORM-SET-ID-1 esp-des esp-md5-hmac

crypto dynamic-map DYNAMIC-ID 1 set transform-set TRANSFORM-SET-ID-1

crypto map CRYPTO-RULE 20 ipsec-isakmp dynamic DYNAMIC-ID

crypto map CRYPTO-RULE client configuration address initiate

crypto map CRYPTO-RULE client configuration address respond

crypto map CRYPTO-RULE client authentication vpnauth

crypto map CRYPTO-RULE interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup xxxx address-pool REMOTE-VPN-IP-POOL

vpngroup xxxx wins-server abcd-efgh1

vpngroup xxxx default-domain abcd.efghi

vpngroup xxxx idle-time 1800

vpngroup xxxx password ********

telnet 192.168.10.0 255.255.255.0 inside

telnet timeout 5

ssh xxx.xxx.xx.x 255.255.255.255 outside

ssh 192.168.10.0 255.255.255.0 inside

ssh timeout 60

vpnclient vpngroup xxxx password ********

vpnclient server xxx.xxx.xxx.xxx

vpnclient mode client-mode

terminal width 80

Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxx

: end

[OK]

0 Helpful
1 Reply 1

jsivulka
Level 5
Level 5

‎12-02-2003 08:20 AM

I recently tried a PIX to VPN 4.0.3(A) setup with AES. I was running into the same message on the client. When I used debug crypto isakmp on the pix, the messages I observed were

ISKMP (0): atts are not acceptable. Next payload is 3, after which it would start checking the next transform set. Why I kept running into this error I have no idea, but what worked was using the transform set 'esp-3des esp-md5-hmac' and encryption algorithm of 3des in the isakmp policy.

isakmp policy 10 encryption 3des

crypto ipsec transform-set trmset1 esp-3des esp-md5-hmac I suspect that the VPN client will not work witl all encryption algorithms and transform sets. Try these and see if it works for you.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card