11-03-2006 12:21 AM - edited 02-21-2020 02:42 PM
Hi,
The company I work for has just got one of these and I have been trying to configure it using ASDM, but with limited luck.
I have finally managed to get the Cisco VPN Windows client to connect to it, and I can then ping some servers and also remote desktop to some of them.
However this is intermittent and they suddenly stop responding. Odd thing is telnet to the unix servers works fine.
Even when they stop responding from the PC running the VPN software, the inside interface of the PIX can still ping the servers without problems, and also from servers on the same network they can ping and remote desktop without any problems.
I'm guessing I have probably misconfigured it, as I am trying to get it running not knowing what to do with it, but I have no option.
Any help would be appreciated as I have no idea why it works intermittently.
Result of the command: "show version"
Cisco PIX Security Appliance Software Version 7.0(4)
Device Manager Version 5.0(4)
Compiled on Thu 13-Oct-05 21:43 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"
xxxxx up 14 hours 52 mins
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0 : address is 0017.94aa.dfe3, irq 10
1: Ext: Ethernet1 : address is 0017.94aa.dfe4, irq 11
2: Ext: Ethernet2 : address is 000d.8811.bfc8, irq 11
3: Ext: Ethernet3 : address is 000d.8811.bfc9, irq 10
4: Ext: Ethernet4 : address is 000d.8811.bfca, irq 9
5: Ext: Ethernet5 : address is 000d.8811.bfcb, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
Current running config is:
PIX Version 7.0(4)
!
hostname XXXX
domain-name XXXXXXXXX
enable password XXXXXXXXXX encrypted
names
name xxx.xxx.103.0 dpt-isp-network description net between ilab and isp
name xxx.xxx.xxx.0 ilab-network
!
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.103.9 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address xxx.xxx.xxx.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
<post 1 of 2>
11-03-2006 12:22 AM
passwd XXXXXXXXXXXXXXXX encrypted
ftp mode passive
dns domain-lookup inside
dns name-server XXXXXXXXXXXX
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any ilab-network 255.255.255.224
access-list outside_nat0_outbound extended permit ip any ilab-network 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ilabvpnips xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp permit any inside
asdm image flash:/asdm504.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value xxx.xxx.xxx.xxx
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
group-policy ilabvpn internal
group-policy ilabvpn attributes
dns-server value xxxxxxxxxxxx
username xxxxxx password xxxxxx encrypted
username xxxxxx attributes
vpn-group-policy ilabvpn
http server enable
http ilab-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group ilabvpn type ipsec-ra
tunnel-group ilabvpn general-attributes
address-pool ilabvpnips
default-group-policy ilabvpn
tunnel-group ilabvpn ipsec-attributes
pre-shared-key xxxxxxxxxx
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet ilab-network 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tftp-server inside xxxxxxxxxxxx /pix
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxx
: end
11-20-2006 09:52 AM
Just wondering if anyone has any ideas on this as it is still causing problems. If I can provide any more information which may help, please just ask away.
Thanks
11-20-2006 10:53 AM
Darren
Take out:
nat (outside) 0 access-list outside_nat0_outbound
plus the corresponding crypto ACL. Take a look at the following document:
Hope this helps or let us know if you need further assistance.
Please rate posts if it helps.
Jay
11-21-2006 08:35 AM
Hi,
Thanks for the suggestion. I have commented out the 'nat (outside) 0' line but am not sure about the crypto ACL line, as there are several lines with the word crypto in.
I downloaded the pdf file for the link you advised but unfortunately at this time it does not make any sense to me at all as I am only recently starting to try and learn about this stuff.
I just don't understand why it works sometimes but not others. I have also attached a very basic network diagram in case that helps in any way.
If I can provide any other info or even if completely wiping the config and starting again would help in any way please feel free to advise as I really haven't a clue with this.
I should have realised there would be more to it than simply running the wizards and entering the info they asked for.
11-21-2006 09:09 AM
He was referring to
access-list outside_nat0_outbound extended permit ip any ilab-network 255.255.255.224
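The two things the replies point at are the `nat (outside) 0 access-list ...` statement and the ACL it references. The following small linter, added here as an example and not code from any poster or from Cisco, parses the statement types involved (name, interface, access-list, nat) from a PIX 7.x running config and lists every nat 0 exemption with the ACL entries behind it, marking the one bound to the security-level 0 interface. As an extra consistency check that the thread itself does not draw any conclusion from, it also reports a nat 0 ACL entry whose network matches an interface's network but carries a different mask than that interface. The sample config is constructed from the lines posted above, with the masked-out octets replaced by RFC 5737 documentation addresses.

```python
"""Lint a Cisco PIX 7.x running config for nat 0 (NAT exemption) trouble spots.

Constructed example written for this thread; not a Cisco tool and not code
from any poster. Only name, interface, extended ip access-list and nat 0
statements are parsed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the relevant lines of the posted config, with the
# masked-out octets replaced by RFC 5737 documentation addresses.
SAMPLE_CONFIG = """\
name 198.51.100.0 dpt-isp-network description net between ilab and isp
name 192.0.2.0 ilab-network
interface Ethernet0
 nameif outside
 security-level 0
 ip address 198.51.100.9 255.255.255.240
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any ilab-network 255.255.255.224
access-list outside_nat0_outbound extended permit ip any ilab-network 255.255.255.224
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
"""


def _take_addr(tokens):
    """Consume one ACL address spec (any | host A | A MASK) from the token list."""
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "255.255.255.255"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Extract names, interfaces, extended ip ACL entries and nat 0 statements."""
    names, ifaces, acls, nat0 = {}, {}, defaultdict(list), []
    cur = None  # interface block currently being read
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "name" and len(tokens) >= 3:
            names[tokens[2]] = tokens[1]  # symbolic name -> address
        elif tokens[0] == "interface":
            cur = {"nameif": None, "security": None, "ip": None, "mask": None}
        elif cur is not None and tokens[0] == "nameif":
            cur["nameif"] = tokens[1]
            ifaces[tokens[1]] = cur
        elif cur is not None and tokens[0] == "security-level":
            cur["security"] = int(tokens[1])
        elif cur is not None and tokens[:2] == ["ip", "address"]:
            cur["ip"], cur["mask"] = tokens[2], tokens[3]
        elif tokens[0] == "access-list" and tokens[2:5] == ["extended", "permit", "ip"]:
            src, rest = _take_addr(tokens[5:])
            dst, rest = _take_addr(rest)
            acls[tokens[1]].append({"src": src, "dst": dst})
        elif tokens[0] == "nat" and tokens[2:4] == ["0", "access-list"]:
            nat0.append({"iface": tokens[1].strip("()"), "acl": tokens[4]})
    return {"names": names, "ifaces": ifaces, "acls": acls, "nat0": nat0}


def lint(text):
    """Return a list of (severity, message) findings for the config text."""
    cfg = parse_config(text)
    findings = []
    # Interface networks keyed by network address, for the mask comparison.
    if_nets = {}
    for nameif, itf in cfg["ifaces"].items():
        if itf["ip"] and itf["mask"]:
            net = ipaddress.IPv4Network(f"{itf['ip']}/{itf['mask']}", strict=False)
            if_nets[str(net.network_address)] = (nameif, net)
    for stmt in cfg["nat0"]:
        itf = cfg["ifaces"].get(stmt["iface"], {})
        entries = cfg["acls"].get(stmt["acl"], [])
        head = f"nat ({stmt['iface']}) 0 access-list {stmt['acl']} (ACL entries: {len(entries)})"
        if itf.get("security") == 0:
            findings.append(("warn", head + ": NAT exemption on the security-level 0 "
                             "interface; the thread's suggestion is to remove this "
                             "statement and its ACL"))
        else:
            findings.append(("info", head))
        for entry in entries:
            for side in ("src", "dst"):
                addr, mask = entry[side]
                if mask is None:
                    continue
                addr = cfg["names"].get(addr, addr)  # resolve symbolic names
                if addr in if_nets:
                    nameif, net = if_nets[addr]
                    acl_len = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False).prefixlen
                    if acl_len != net.prefixlen:
                        findings.append(("warn", f"{stmt['acl']}: {side} {addr} {mask} covers "
                                         f"/{acl_len} but interface {nameif} is /{net.prefixlen}"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample it reports the `nat (outside) 0` statement Jay asked to remove, and for both nat 0 ACLs notes that `ilab-network 255.255.255.224` is a /27 while the inside interface is a /24; whether that second point matters for this network is something only the poster can check against the addresses the masked config hides.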