Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Pix 501 Vpn Client

I try to connect with Vpn Client Cisco or Vpn Client Microsoft to Cisco Pix 501 but without success.

The connection is established but the data don't pass through the Vpn tunnel.

I don't reach the host in interface inside.

This is my configuration:

Pix# sh conf

: Saved

: Written by enable_15 at 09:37:19.986 UTC Fri Dec 6 2002

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname Test

domain-name test.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list acl_in permit icmp any any

access-list acl_in permit tcp any any

access-list acl_in permit udp any any

access-list acl_in permit gre any any

access-list acl_out permit icmp any any

access-list acl_out permit tcp any host x.x.x.x eq smtp

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.x 255.255.255.248

ip address inside 192.9.200.106 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

ip local pool ip-pool 192.9.200.200-192.9.200.210

pdm location 192.9.200.104 255.255.255.255 inside

pdm location 192.9.200.127 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 x.x.x.x

nat (inside) 1 192.9.200.0 255.255.255.0 0 0

static (inside,outside) x.x.x.x 192.9.200.104 netmask 255.255.255.255 0 0

access-group acl_out in interface outside

access-group acl_in in interface inside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.9.200.104 255.255.255.255 inside

http 192.9.200.127 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynamap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynamap

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpn address-pool ip-pool

vpngroup vpn dns-server 192.9.200.104

vpngroup vpn default-domain test.com

vpngroup vpn idle-time 1800

vpngroup vpn password ********

telnet 192.9.200.127 255.255.255.255 inside

telnet 192.9.200.104 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 client configuration address local ip-pool

vpdn group 1 client configuration dns 192.9.200.104

vpdn group 1 pptp echo 60

vpdn group 1 client authentication local

vpdn username vpn password ********

vpdn enable outside

terminal width 80

The network 192.9.200.0 255.255.255.0 is a private network.

Thanks

3 REPLIES

Re: Pix 501 Vpn Client

Hi,

is there a router on your outside interface? If so, does it forward incoming IPSec packets (esp) to the outside interface of the pix?

Kind Regards,

Tom

New Member

Re: Pix 501 Vpn Client

Hi,

Yes,there is router of Telecom Communications,I don't know the router configuration.

Best Regards.

Cisco Employee

Re: Pix 501 Vpn Client

Hi,

You have to configure a NAT (inside) 0 command to bypass NAT for the IPSec and PPTP Connection. And you can follow the below URL for the same:

http://www.cisco.com/warp/public/110/pix3000.html

And regarding your local pool, it is always a good practice to assign a different range for the remote users.

Regards,

Arul

299
Views
0
Helpful
3
Replies
CreatePlease to create content