Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
245
Views
3
Helpful
2
Replies

Help me PLEASE!!

thespirit
Level 1
Level 1

‎11-27-2003 03:19 AM - edited ‎03-09-2019 05:40 AM

We hav problems with connecting over VPN, when the client is located on another LAN and the users get "remote peer not resonding". But when using dial-up connection, they get through. What could be wrong? We are using Cisco VPN Client ver 4.0(rel), PIX Firewall version 6.2(1) and Pix Device Manager 2.0(1). I'm new to the PIX 501, so I need help!!! Here is my configuration(I haven't set this up. The company I'm working for have had someone to do it for them).

Building configuration...

: Saved

:

PIX Version 6.2(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxx encrypted

hostname xxxx-PIX-501

domain-name xxxx.xxxxx

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

name xxxxxxxxxxxxxxxxxxxxx

access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list outside_access_in permit icmp any any echo-reply

access-list inside_access_in permit ip 192.168.10.0 255.255.255.0 any

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside xxx.xxx.xxx.178 255.255.255.248

ip address inside 192.168.10.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool REMOTE-VPN-IP-POOL xxx.xxx.xxx.150-xxx.xxx.xxx.200

pdm location xxxx-xxxxx 255.255.255.255 inside

pdm location xxx.xxx.xxx.0 255.255.255.0 outside

pdm location xxx.xxx.xx.x 255.255.255.255 outside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 100

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) xxx.xxx.xxx.xxx abcd-efghx netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server vpnauth protocol radius

aaa-server vpnauth (inside) host abcd-efghx ZAQ!2wsxpp timeout 10

aaa-server vpn protocol tacacs+

http server enable

http xxx.xxx.xx.x 255.255.255.255 outside

http 192.168.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt radius ignore-secret

no sysopt route dnat

crypto ipsec transform-set TRANSFORM-SET-ID-1 esp-des esp-md5-hmac

crypto dynamic-map DYNAMIC-ID 1 set transform-set TRANSFORM-SET-ID-1

crypto map CRYPTO-RULE 20 ipsec-isakmp dynamic DYNAMIC-ID

crypto map CRYPTO-RULE client configuration address initiate

crypto map CRYPTO-RULE client configuration address respond

crypto map CRYPTO-RULE client authentication vpnauth

crypto map CRYPTO-RULE interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup xxxx address-pool REMOTE-VPN-IP-POOL

vpngroup xxxx wins-server abcd-efgh1

vpngroup xxxx default-domain abcd.efghi

vpngroup xxxx idle-time 1800

vpngroup xxxx password ********

telnet 192.168.10.0 255.255.255.0 inside

telnet timeout 5

ssh xxx.xxx.xx.x 255.255.255.255 outside

ssh 192.168.10.0 255.255.255.0 inside

ssh timeout 60

vpnclient vpngroup xxxx password ********

vpnclient server xxx.xxx.xxx.xxx

vpnclient mode client-mode

terminal width 80

Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxx

: end

[OK]

Labels:
0 Helpful
2 Replies 2

amritpatek
Level 6
Level 6

‎12-03-2003 08:04 AM

This is one of the common problems faced in such cases. please refer to the following document for the solution

Failed IKE Establishment

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080093f87.shtml#failedikeestab

0 Helpful

bourasp
Level 1
Level 1

‎12-12-2003 04:35 AM

You have entered wrong access-list commands. The wild card bits works the other way around. Example : to permy all hosts in network 192.168.1.0 with subnet mask 255.255.255.0 the command is access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255 .

At least this is one part of the problem. Let me know if this works.

Customers Also Viewed These Support Documents