help, failed to set up PIX515E as the VPN gateway

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

The VPN server is a PIX515E and the client program is SSH Sentinel. The client can log in to the VPN server but cannot ping (or access) any hosts inside. The following is the configuration:

pix515e(config)# show run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname pix515e
domain-name mize.myrice.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 110 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip xx.xxx.228.56 255.255.255.248 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.228.61 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn1 192.168.1.101-192.168.1.110
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
conduit permit ip any any
route outside 0.0.0.0 0.0.0.0 xx.xxx.228.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 match address 101
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 3600 kilobytes 400000
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpn1 outside
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxx
: end
pix515e(config)#

pix515e(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: mymap, local addr. xx.xxx.228.61
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.11/255.255.255.255/0/0)
current_peer: xx.xxx.228.60:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 175, #pkts decrypt: 175, #pkts verify 175
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xx.xxx.228.61, remote crypto endpt.: xx.xxx.228.60
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 57e46e4b
inbound esp sas:
spi: 0xae181ee2(2920816354)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (399984/2752)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x57e46e4b(1474588235)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (400000/2752)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:

local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (xx.xxx.228.62/255.255.255.255/0/0)
current_peer: xx.xxx.228.62:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 8
local crypto endpt.: xx.xxx.228.61, remote crypto endpt.: xx.xxx.228.62
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 97eaf88c
inbound esp sas:
spi: 0xd02347d1(3491973073)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (400000/2835)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x97eaf88c(2548758668)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (400000/2826)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:

local crypto endpt.: xx.xxx.228.61, remote crypto endpt.: xx.xxx.228.61
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

pix515e(config)# sh crypto engin
Crypto Engine Connection Map:
size = 8, free = 4, used = 4, active = 4

1 REPLY

Re: help, failed to set up PIX515E as the VPN gateway

It looks like the client is not getting a dynamically assigned IP address. I would try to remap the crypto and isakmp map statements to the outside interface so that the engines reparse the config settings.

Is there any reason you aren't using Cisco's software client?
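The `show crypto ipsec sa` output in the question carries the evidence the reply is reading: the first SA has 175 packets decrypted from the client but zero encrypted back, "dynamic allocated peer ip" is 0.0.0.0 on both SAs, and the client's proxy identity is 192.168.1.11 even though the pool `vpn1` only hands out 192.168.1.101-192.168.1.110. The script below is an added example, written for this page and not code from the poster, the replier or Cisco: it parses that output into per-peer records and flags those three symptoms plus a non-zero receive-error counter. The sample text is constructed from the post's output with the masked public addresses replaced by RFC 5737 documentation addresses; the issue codes are assumed names chosen here.

```python
"""Sanity checks over PIX 'show crypto ipsec sa' output for a remote-access VPN.

Added example (not from the original post or from Cisco): parses the per-peer SA
records and flags the symptoms visible in the post: traffic decrypted from the
client but nothing encrypted back, no mode-config address handed out, and a
client proxy identity that is not inside the configured 'ip local pool'.
"""
import ipaddress
import re

# Constructed sample: the first two SA records from the post, with the masked
# public addresses replaced by RFC 5737 documentation addresses (203.0.113.x).
SAMPLE_SA_OUTPUT = """\
interface: outside
Crypto map tag: mymap, local addr. 203.0.113.61
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.11/255.255.255.255/0/0)
current_peer: 203.0.113.60:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 175, #pkts decrypt: 175, #pkts verify 175
#send errors 0, #recv errors 0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (203.0.113.62/255.255.255.255/0/0)
current_peer: 203.0.113.62:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 0, #recv errors 8
"""

# The address-pool line exactly as it appears in the post's running config.
SAMPLE_POOL_LINE = "ip local pool vpn1 192.168.1.101-192.168.1.110"

IDENT_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER_RE = re.compile(r"current_peer: ([^:\s]+):(\d+)")
ASSIGNED_RE = re.compile(r"dynamic allocated peer ip: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+)")


def parse_pool(line):
    """Return (name, first_ip, last_ip) for an 'ip local pool' line."""
    m = POOL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an 'ip local pool' line: {line!r}")
    return m.group(1), ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))


def parse_sas(output):
    """Split the output into one record per 'local ident' block."""
    records, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("local ident"):
            cur = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
            records.append(cur)
            continue
        if cur is None:
            continue
        if m := IDENT_RE.match(line):
            cur["remote_addr"], cur["remote_mask"] = m.group(1), m.group(2)
        elif m := PEER_RE.match(line):
            cur["peer"] = m.group(1)
        elif m := ASSIGNED_RE.match(line):
            cur["assigned_ip"] = m.group(1)
        elif m := ENCAPS_RE.match(line):
            cur["encaps"] = int(m.group(1))
        elif m := DECAPS_RE.match(line):
            cur["decaps"] = int(m.group(1))
        elif m := ERRORS_RE.match(line):
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return records


def analyse(output, pool_line):
    """Return [{'peer', 'remote', 'pool', 'codes'}] with one entry per SA (codes are assumed names)."""
    name, lo, hi = parse_pool(pool_line)
    findings = []
    for sa in parse_sas(output):
        codes = []
        if sa["decaps"] > 0 and sa["encaps"] == 0:
            # Client traffic arrives and is decrypted, but the PIX never encrypts a reply:
            # the return path (routing, NAT exemption, crypto ACL) is not selecting the tunnel.
            codes.append("ONE_WAY_TRAFFIC")
        if sa.get("assigned_ip") == "0.0.0.0":
            codes.append("NO_POOL_ADDRESS")
        remote = sa.get("remote_addr")
        if remote and sa.get("remote_mask") == "255.255.255.255":
            if not lo <= ipaddress.ip_address(remote) <= hi:
                codes.append("PROXY_NOT_IN_POOL")
        if sa["recv_errors"] > 0:
            codes.append("RECV_ERRORS")
        findings.append({"peer": sa.get("peer"), "remote": remote, "pool": name, "codes": codes})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_SA_OUTPUT, SAMPLE_POOL_LINE):
        print(f"peer {f['peer']} proxy {f['remote']}: {', '.join(f['codes']) or 'ok'}")
```

Run against the post's own numbers, the first peer is flagged ONE_WAY_TRAFFIC, NO_POOL_ADDRESS and PROXY_NOT_IN_POOL, which is the combination the reply points at: the client is presenting a self-chosen 192.168.1.x identity rather than a pool address, so the PIX has nothing to route or encrypt back to. The same checks apply unchanged to any other peer record pasted in.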
