PIX 515E and Cisco VPN Client 3.6

oldkemosh
Level 1

I have set up a VPN client to terminate at the PIX with vpngroup and it connects successfully, but I cannot reach anything on the network I connect to.

Yet I can reach the client (ping, pcAnywhere) from my desktop within the network after the client connects.

If anyone has an idea why I cannot access anything on the network from the client I can post my PIX configuration and see what I'm missing. Thanks.

4 Replies

bizsnatch
Level 1

Please post your config.

Here is my config. I removed some of the stuff that is on all the PIX's.

:

PIX Version

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

enable password xxxxx

passwd xxxxxx

hostname *****

domain-name *****

names

access-list Cisco_VPN permit ip host x.x.37.146 192.168.10.0 255.255.255.0

pager lines 24

logging on

logging trap informational

logging host inside 192.168.10.24

logging host inside 192.168.10.68

interface ethernet0 10baset

interface ethernet1 10full

interface ethernet2 auto shutdown

icmp deny any echo-reply outside

icmp permit any unreachable outside

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside x.x.x.146 255.255.255.255

ip address inside 192.168.10.90 255.255.255.0

ip address intf2 x.x.x.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

ip local pool dealer 192.168.10.44-192.168.10.46

arp timeout 14400

global (outside) x.x.37.147

nat (inside) 0 access-list Cisco_VPN

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group ACL_IN in interface outside

route outside 0.0.0.0 0.0.0.0 12.168.37.142 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s0

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set aaa3des esp-3des esp-md5-hmac

crypto dynamic-map dynomap 10 set transform-set aaa3des

crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap

crypto map vpnpeer interface outside

isakmp enable outside

isakmp client configuration address-pool local dealer outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup test address-pool dealer

vpngroup test dns-server ******

vpngroup test wins-server ******

vpngroup test default-domain ******

vpngroup test idle-time 1800

vpngroup test password ********

vpdn username admin password *********

terminal width 80

Cryptochecksum:xxxxxxx

I don't see any lists that allow connectivity to and from the VPN pool you've specified. You may have removed those portions when you posted the config?

Also, I don't know what kind of clients you've got, but I know I've had better success with version 4.03 of the VPN client.

I'm using version 3.6.

List to allow connectivity to and from VPN pool?????

I've seen no mention of this in any of the example configs I have found. That something I'm missing????
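The reply above says no list in the posted config covers traffic to and from the VPN pool. As an added example (not part of the thread and not Cisco tooling), this Python check parses the relevant PIX lines and reports whether the ACL bound to `nat (inside) 0` has a permit entry from the inside network to the pool addresses. Reading the reply as referring to that ACL is an assumption, and the function names and the second sample config are constructed for illustration.

```python
import ipaddress

# Lines copied from the config posted in the thread (addresses masked as posted).
POSTED = """\
ip address inside 192.168.10.90 255.255.255.0
ip local pool dealer 192.168.10.44-192.168.10.46
access-list Cisco_VPN permit ip host x.x.37.146 192.168.10.0 255.255.255.0
nat (inside) 0 access-list Cisco_VPN
"""
# Constructed variant: same pool, ACL entry rewritten as inside network -> pool.
CONSTRUCTED = """\
ip address inside 192.168.10.90 255.255.255.0
ip local pool dealer 192.168.10.44-192.168.10.46
access-list Cisco_VPN permit ip 192.168.10.0 255.255.255.0 192.168.10.44 255.255.255.252
nat (inside) 0 access-list Cisco_VPN
"""

def _net(tokens):
    """Consume one ACL address spec (any | host A | A MASK); return (network, rest)."""
    try:
        if tokens[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
        if tokens[0] == "host":
            return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
        return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]
    except (ValueError, IndexError):
        return None, tokens[2:]  # masked or malformed address: treated as matching nothing

def check_nat0(config):
    """Return findings about NAT exemption for inside -> VPN pool traffic."""
    inside = pool = nat0 = None
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "address", "inside"]:
            inside = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
        elif t[:3] == ["ip", "local", "pool"]:
            lo, _, hi = t[4].partition("-")
            pool = (ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo))
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:  # deny entries ignored
            src, rest = _net(t[4:])
            acls.setdefault(t[1], []).append((src, _net(rest)[0]))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0 = t[4]
    if nat0 is None:
        return ["no-nat0-acl"]
    if inside is None or pool is None:
        return ["missing-inside-or-pool"]
    covered = any(s and d and inside.subnet_of(s) and pool[0] in d and pool[1] in d
                  for s, d in acls.get(nat0, []))
    return [] if covered else ["nat0-acl-misses-pool"]
```

On the posted lines the only entry in `Cisco_VPN` has a single masked host as its source and the inside subnet as its destination, so the check reports that nothing exempts inside-to-pool traffic from NAT.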
