The pix Norspik-Nor is a Pix 501 at the main site. Local addresses are 192.168.1.0/24
The pix Norspik-Hbg is a pix 501 at the branch site. Local addresses are 192.168.10.0/24
Both Pixes are running 6.3.1
The Norspik-Nor has a static IP on its outside interface and should allow incoming VPN tunnels from VPN dialer clients as well as from the Norspik-Hbg (which has a dynamic IP on its outside interface).
As far as I can see the tunnels seem to work just fine. The problem is the "management-access inside" that doesn't work. No matter what I try to do I can't remotely administer the devices (i.e. from the local Norspik-Hbg LAN I can't https to the Norspik-Nor inside IP, from a VPN Dialer client on the internet I can't telnet to the Norspik-Nor inside IP, and so on...)
Am I missing something? Is there something else that should be done to get this working?
Another question: I have heard that with 6.3.1 it is possible for a VPN dialer client to connect to the pix using TCP (port 10000?) instead of UDP, to make the traffic pass through firewalls/NATs more easily. In the release notes for 6.3.1 it says that this is automatically handled in the pix, but when I try to change my client to TCP I get no contact at all with the pix. Are there some magic commands in the pix to enable this feature?
Thanks for your help!
Norspik-Nor# wr t
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password h/4fnFHQj9685eIP encrypted
passwd h/4fnFHQj9685eIP encrypted
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 22.214.171.124 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 192.168.1.200-192.168.1.210
Try removing the "telnet 192.168.10.0 inside" command and the one for http also, I don't believe you need these when using the management-access command. They may be confusing the PIX thinking that it should be receiving these packets on the inside interface, when in effect they're coming in from the outside interface.
Failing that, what does the syslog show when you try and connect? That'll give you a good indication of what's going on.
As for your IPSec question, the PIX doesn't support TCP or UDP encapsulation in port 10000; that's still only (and always will be) a VPN concentrator function. PIX 6.3 code supports a new standard called NAT-T, which encapsulates IPSec packets into UDP port 4500 for transmission through NAT/PAT devices. The VPN client (3.6 onwards) and the PIX will automatically negotiate this at startup and encapsulate if necessary; you don't need to configure anything on the client. On the PIX configure the command:
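The answer above says NAT-T is negotiated automatically and moves IPSec onto UDP 4500, so the practical way to confirm it on the wire is to look at what actually shows up on ports 500 and 4500. The following is an added example, not code from the thread or from Cisco: it classifies UDP/500 and UDP/4500 payloads using the framing defined in RFC 3948 (a four-zero-byte non-ESP marker before IKE on port 4500, a single 0xFF byte as NAT keepalive, otherwise UDP-encapsulated ESP whose SPI is never zero) and summarises, per peer, whether the exchange started on 500 and then moved to 4500. The packet tuples, cookies and SPI are constructed sample data, and the peer addresses are documentation ranges, not anything from the poster's network.

```python
"""Classify IKE / NAT-T traffic on UDP 500 and 4500 (RFC 2408 header, RFC 3948 framing)."""
import struct
from collections import defaultdict

NON_ESP_MARKER = b"\x00\x00\x00\x00"      # RFC 3948 s.2.2: prefixes IKE carried on UDP/4500
NAT_KEEPALIVE = b"\xff"                    # RFC 3948 s.2.3: one-byte NAT keepalive
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 s.3.1 fixed header, 28 bytes
EXCHANGE_NAMES = {2: "main-mode", 4: "aggressive", 5: "informational", 32: "quick-mode"}


def parse_isakmp_header(data):
    """Decode the fixed ISAKMP header; return None if the data is too short."""
    if len(data) < ISAKMP_HDR.size:
        return None
    icky, rcky, _next, ver, exch, flags, _msgid, length = ISAKMP_HDR.unpack_from(data)
    return {
        "initiator_cookie": icky.hex(),
        "responder_cookie": rcky.hex(),
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE_NAMES.get(exch, f"type-{exch}"),
        "encrypted": bool(flags & 0x01),   # E bit set on quick-mode / informational after phase 1
        "length": length,
    }


def classify_udp_payload(dport, payload):
    """Return (kind, info) with kind in {'ike', 'esp', 'keepalive', 'unknown'}."""
    if dport == 500:
        hdr = parse_isakmp_header(payload)
        return ("ike", hdr) if hdr else ("unknown", None)
    if dport == 4500:
        if payload == NAT_KEEPALIVE:
            return ("keepalive", None)
        if payload.startswith(NON_ESP_MARKER):
            hdr = parse_isakmp_header(payload[4:])
            return ("ike", hdr) if hdr else ("unknown", None)
        if len(payload) >= 8:
            spi, seq = struct.unpack_from("!II", payload)
            if spi != 0:  # SPI 0 is reserved, which is what makes the marker unambiguous
                return ("esp", {"spi": f"{spi:08x}", "seq": seq})
        return ("unknown", None)
    return ("unknown", None)


def natt_summary(packets):
    """packets: iterable of (src_ip, dst_ip, dport, payload). Returns per-source counters
    plus a flag saying whether IKE began on 500 and traffic then appeared on 4500."""
    peers = defaultdict(lambda: {"ike_500": 0, "ike_4500": 0, "esp_4500": 0,
                                 "keepalive": 0, "unknown": 0})
    for src, _dst, dport, payload in packets:
        kind, _ = classify_udp_payload(dport, payload)
        if kind == "ike":
            peers[src]["ike_500" if dport == 500 else "ike_4500"] += 1
        elif kind == "esp":
            peers[src]["esp_4500"] += 1
        else:
            peers[src][kind] += 1
    for counters in peers.values():
        counters["nat_t_negotiated"] = (
            counters["ike_500"] > 0 and (counters["ike_4500"] + counters["esp_4500"]) > 0
        )
    return dict(peers)


def _ike_header(exch, responder_known=False, flags=0, next_payload=1):
    """Build a constructed ISAKMP header for the sample capture (cookies are arbitrary)."""
    rcookie = b"\x22" * 8 if responder_known else b"\x00" * 8
    return ISAKMP_HDR.pack(b"\x11" * 8, rcookie, next_payload, 0x10, exch, flags, 0, ISAKMP_HDR.size)


# Constructed sample capture: a client behind NAT (203.0.113.5) reaching a headend (198.51.100.1).
SAMPLE_PACKETS = [
    ("203.0.113.5", "198.51.100.1", 500, _ike_header(2)),                                   # main mode on 500
    ("203.0.113.5", "198.51.100.1", 4500, NON_ESP_MARKER + _ike_header(32, True, 1, 8)),  # quick mode moved to 4500
    ("203.0.113.5", "198.51.100.1", 4500, struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16),  # ESP-in-UDP
    ("203.0.113.5", "198.51.100.1", 4500, NAT_KEEPALIVE),                                   # keepalive
]

if __name__ == "__main__":
    for src, counters in natt_summary(SAMPLE_PACKETS).items():
        print(src, counters)
```

If a peer only ever shows `ike_500` traffic and nothing on 4500, either no NAT was detected in phase 1 (both sides saw matching NAT-D hashes) or the negotiation never completed, which is the first thing to check before assuming the encapsulation itself is broken.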