Cisco Support Community

IPsec difficulties...

I'm trying to establish an IPsec VPN without success; I'd like to know if there's a big mistake I can't see.

environment is:

client side is Windows XP SP2, Cisco VPN Client 4.0.5, static IP

server side is a PIX 515E, 6.3(5), with an FO license (it is the secondary/standalone unit, so it reboots every 24 hours)

the configuration, as far as the VPN/IPsec structure goes, is:

ip address outside 212.110.x.y
ip address inside 213.212.x.y

there's a static like this:

static (inside,outside) 213.212.x.y 213.212.x.y

so the internal public IP is moved to the outside

access-list 101 permit ip 213.212.x.0 212.110.x.224
access-list 101 permit ip 213.212.x.0 212.110.x.225
access-list 101 permit ip 213.212.x.0 212.110.x.226
access-list 101 permit ip 213.212.x.0 212.110.x.227
access-list 101 permit ip 213.212.x.0 212.110.x.228
ip local pool my-pool 212.110.x.224-212.110.x.228
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set my-set esp-des esp-md5-hmac
crypto dynamic-map my-dynamic-map 10 set transform-set my-set
crypto map my-map 10 ipsec-isakmp dynamic my-dynamic-map
crypto map my-map client configuration address initiate
crypto map my-map client configuration address respond
crypto map my-map interface outside
isakmp enable outside
isakmp key xxxxxxx address netmask
isakmp identity address
isakmp client configuration my-pool local outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mygroup dns-server 212.110.x.y
vpngroup mygroup idle-time 1800
vpngroup mygroup password xxxxxxx


Alberto Brivio

Cisco Employee

Re: IPsec difficulties...

First off, your static is wrong, you can't "move the inside IP to the outside", remove that.

Second, make your VPN IP address pool a part of your internal subnet, not your outside. Or just make it say,, as long as your internal network routes the network back to the PIX, it'll work fine.

Third, change ACL 101 to reflect traffic to the new VPN address pool. It'll define traffic from 213.212.x.0 to whatever the VPN pool of addresses is.

Fourth, make sure your VPN client is connecting to the outside address, not the inside. You will never be able to connect up a VPN to the inside interface of a PIX from a host on the outside.

Other than that, you should be good to go. If it still doesn't work, please include the output of "debug cry ipsec" and "debug cry isa" on the PIX when you try a connection.
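The four points above, applied to the posted configuration as a corrected fragment. This is an added example for illustration, not configuration from the thread or from Cisco: only the lines that change are shown, the redacted octets (x, y) are kept as the poster wrote them, and the pool range 213.212.x.200-213.212.x.207 inside an assumed 213.212.x.0/24 inside subnet (hence the 255.255.255.0 and 255.255.255.248 masks) is an assumption chosen so that the pool lives on the inside network as the answer suggests. The "!" lines are annotations for the reader.

```cisco
! Added example, not the poster's config. First point: the static that tried
! to "move" the inside public address to the outside interface is removed.
no static (inside,outside) 213.212.x.y 213.212.x.y

! Second point: the client pool is drawn from the inside subnet (assumed
! 213.212.x.0/24), not from the outside subnet. Exact range is an assumption.
no ip local pool my-pool 212.110.x.224-212.110.x.228
ip local pool my-pool 213.212.x.200-213.212.x.207

! Third point: ACL 101 now describes inside hosts talking to the new pool,
! so nat (inside) 0 exempts that traffic from translation. Masks are assumed.
no access-list 101
access-list 101 permit ip 213.212.x.0 255.255.255.0 213.212.x.200 255.255.255.248
nat (inside) 0 access-list 101

! Fourth point (client side, nothing to change on the PIX): the VPN Client
! connection entry must point at the outside address 212.110.x.y,
! not at the inside address 213.212.x.y.
```

Because the pool sits in the same subnet as the inside interface, the alternative the answer mentions (a separate pool network with a route pointing back to the PIX) is not needed here; if a separate network is used instead, the destination in access-list 101 changes to that network and mask.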
