Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

help,failed to setup pix515e as the vpn server

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

the vpn server is PIX515E,the client program is SSH¡¡Sentinel,now,the client can login the vpn server,but can not ping(or access) any hosts inside,the following is the configuration:

pix515e(config)# show run

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password --moderator edit-- encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pix515e

domain-name mize.myrice.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 110 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 101 permit ip xx.xxx.xxx.56 255.255.255.248 192.168.2.0 255.255.255.

0

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside xx.xxx.xxx.61 255.255.255.248

ip address inside 192.168.2.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpn1 192.168.1.101-192.168.1.110

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 110

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

conduit permit ip any any

route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.57 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 match address 101

crypto dynamic-map dynmap 10 set transform-set myset

crypto dynamic-map dynmap 10 set security-association lifetime seconds 3600 kilo

bytes 400000

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address respond

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp identity address

isakmp client configuration address-pool local vpn1 outside

isakmp nat-traversal 10

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 28800

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:--moderator edit--

: end

pix515e(config)#

pix515e(config)# sh crypto ipsec sa

interface: outside

Crypto map tag: mymap, local addr. xx.xxx.xxx.61

local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.1.11/255.255.255.255/0/0)

current_peer: xx.xxx.xxx.60:500

dynamic allocated peer ip: 0.0.0.0

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 175, #pkts decrypt: 175, #pkts verify 175

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: xx.xxx.xxx.61, remote crypto endpt.: xx.xxx.xxx.60

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: 57e46e4b

inbound esp sas:

spi: 0xae181ee2(2920816354)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 1, crypto map: mymap

sa timing: remaining key lifetime (k/sec): (399984/2752)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x57e46e4b(1474588235)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2, crypto map: mymap

sa timing: remaining key lifetime (k/sec): (400000/2752)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (xx.xxx.xxx.62/255.255.255.255/0/0)

current_peer: xx.xxx.xxx.62:500

dynamic allocated peer ip: 0.0.0.0

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 8

local crypto endpt.: xx.xxx.xxx.61, remote crypto endpt.: xx.xxx.xxx.62

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: 97eaf88c

inbound esp sas:

spi: 0xd02347d1(3491973073)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 4, crypto map: mymap

sa timing: remaining key lifetime (k/sec): (400000/2835)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x97eaf88c(2548758668)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 3, crypto map: mymap

sa timing: remaining key lifetime (k/sec): (400000/2826)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

local crypto endpt.: xx.xxx.xxx.61, remote crypto endpt.: xx.xxx.xxx.61

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

sh crypto engin

Crypto Engine Connection Map:

size = 8, free = 4, used = 4, active = 4

1 REPLY
Cisco Employee

Re: help,failed to setup pix515e as the vpn server

Do:

> no access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

> no crypto dynamic-map dynmap 10 match address 101

> no access-list 101

and see if that works. The first line is just to clean up your config and won't actually make any difference, but the second and third lines remove the ACL from a dynamic crypto map, something which generally causes more problems than it fixes.

If it still doesn't work, then your config looks OK. We can see that the tunnel is being built correctly and the PIX is receiving packets from the VPN client, but is not seeing responses from the inside hosts. Make sure these devices have a route to the 192.168.1.0 network (this is probably just their default gateway) that eventually points back to the PIX inside interface.

79
Views
0
Helpful
1
Replies
CreatePlease login to create content