New Member

PIX 6.1 upgrade to 6.2(2) Problem

We are using the Cisco VPN Client 3.6 for our remote users to log in to our 515e with the configuration below. It worked fine until I upgraded the PIX from 6.1 to 6.2(2), and even though they can log in and browse the 192.168.10.0 network, they can no longer access the subnets.

The error message in the syslog when I try to ping one of the subnets from a connected client is PIX-3-106011 Deny inbound (no xlate). I can ping the subnets from the inside interface of the PIX.

I'm going through the 6.2(2) configuration book but can't find anything that would have changed between the versions. Any ideas on this?

: Saved
: Written by enable_15 at 05:07:24.286 UTC Mon Nov 17 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password xxxx
passwd xxxxxx
hostname PIX
domain-name TEST.COM
fixup protocol http 80
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol smtp 25
no fixup protocol h323 h225 1720
no fixup protocol sqlnet 1521
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol skinny 2000
no fixup protocol ftp 21
names
access-list Cisco permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Cisco permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Cisco permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Cisco permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Cisco permit ip 192.168.50.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging on
logging trap informational
logging host inside 192.168.10.35
logging host inside 192.168.10.98
interface ethernet0 10baset
interface ethernet1 10full
interface ethernet2 auto shutdown
icmp deny any echo-reply outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 12.188.60.212 255.255.255.240
ip address inside 192.168.10.67 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool dealer 192.168.10.120-192.168.10.125
pdm history enable
arp timeout 14400
nat (inside) 0 access-list Cisco
static (inside,outside) 12.188.60.213 192.168.10.101 netmask 255.255.255.255 0 0
access-group ACL_IN in interface outside
route outside 0.0.0.0 0.0.0.0 12.188.60.211 1
route inside 0.0.0.0 0.0.0.0 192.168.10.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set aaades esp-3des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set aaades
crypto map vpn 20 ipsec-isakmp dynamic dynomap
crypto map vpn client authentication
crypto map vpn interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnone address-pool dealer
vpngroup vpnone dns-server 192.168.10.95
vpngroup vpnone wins-server 192.168.10.95
vpngroup vpnone default-domain test.com
vpngroup vpnone idle-time 1800
vpngroup vpnone password *****************************
telnet timeout 60
terminal width 80
Cryptochecksum:xxxxxx
: end

2 REPLIES
Cisco Employee

Re: PIX 6.1 upgrade to 6.2(2) Problem

Woah, get rid of the two default routes, that hasn't been supported for quite a while. I'm surprised it even worked with 6.1. Do this:

no route inside 0.0.0.0 0.0.0.0 192.168.10.1
route inside 192.168.0.0 255.255.0.0 192.168.10.1

and see how that goes.
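The reply's diagnosis (two default routes, one on the inside interface) is the kind of thing a configuration lint can catch before an upgrade turns it into "Deny inbound (no xlate)" for VPN clients. The script below is an added example, not code from the thread or from Cisco: it parses the `route`, `ip address`, `nat (inside) 0 access-list` and `access-list ... permit ip` lines of a constructed PIX 6.x config excerpt modelled on the posting, flags multiple default routes and any default route on a non-outside interface, and proposes the same shape of fix the reply gives. It goes slightly beyond the reply in one respect: instead of a hand-chosen 192.168.0.0/16, it computes the smallest single summary prefix covering the nat-0 exempted subnets that are not directly connected on that interface (the reply's broader /16 is an equally valid choice). The regexes, the `audit`/`propose_fix` function names and the sample config are assumptions of this example.

```python
import ipaddress
import re

# Constructed excerpt of a PIX 6.x running config, modelled on the thread's
# posting: nat-0 exemption ACL, interface addresses and two default routes.
SAMPLE_CONFIG = """\
access-list Cisco permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Cisco permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Cisco permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0
ip address outside 12.188.60.212 255.255.255.240
ip address inside 192.168.10.67 255.255.255.0
nat (inside) 0 access-list Cisco
route outside 0.0.0.0 0.0.0.0 12.188.60.211 1
route inside 0.0.0.0 0.0.0.0 192.168.10.1 2
"""

# Line patterns for the PIX 6.x commands this check cares about (assumed shapes).
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?$")
IPADDR_RE = re.compile(r"^ip\s+address\s+(\S+)\s+(\S+)\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def _lines(config):
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def parse_routes(config):
    """Return (interface, network, gateway, metric) for every route line."""
    routes = []
    for ln in _lines(config):
        m = ROUTE_RE.match(ln)
        if m:
            iface, net, mask, gw, metric = m.groups()
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            routes.append((iface, network, gw, int(metric or 1)))
    return routes


def default_routes(routes):
    """Routes whose destination is 0.0.0.0/0."""
    return [r for r in routes if r[1].prefixlen == 0]


def interface_networks(config):
    """Map interface name -> directly connected network from 'ip address' lines."""
    nets = {}
    for ln in _lines(config):
        m = IPADDR_RE.match(ln)
        if m:
            nets[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
    return nets


def nat0_source_networks(config):
    """Source networks of every ACL bound by a 'nat (...) 0 access-list' line."""
    acl_names = set()
    for ln in _lines(config):
        m = NAT0_RE.match(ln)
        if m:
            acl_names.add(m.group(2))
    nets = []
    for ln in _lines(config):
        m = ACL_RE.match(ln)
        if m and m.group(1) in acl_names:
            nets.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return nets


def covering_supernet(nets):
    """Smallest single prefix that contains every network in nets."""
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


def audit(config):
    """Findings about the routing table; empty when nothing looks wrong."""
    defaults = default_routes(parse_routes(config))
    findings = []
    if len(defaults) > 1:
        findings.append("multiple default routes: " + ", ".join(f"{r[0]} via {r[2]}" for r in defaults))
    for iface, _net, _gw, _metric in defaults:
        if iface != "outside":
            findings.append(f"default route on non-outside interface {iface}")
    return findings


def propose_fix(config):
    """Commands that replace each non-outside default route with a summary route
    covering the nat-0 exempted networks that are not directly connected there."""
    ifnets = interface_networks(config)
    cmds = []
    for iface, _net, gw, _metric in default_routes(parse_routes(config)):
        if iface == "outside":
            continue
        connected = ifnets.get(iface)
        remote = [n for n in nat0_source_networks(config)
                  if connected is None or not n.subnet_of(connected)]
        if not remote:
            continue
        summary = covering_supernet(remote)
        cmds.append(f"no route {iface} 0.0.0.0 0.0.0.0 {gw}")
        cmds.append(f"route {iface} {summary.network_address} {summary.netmask} {gw}")
    return cmds


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("finding:", finding)
    for cmd in propose_fix(SAMPLE_CONFIG):
        print(cmd)
```

Run against a `show running-config` dump saved to a file by passing its contents to `audit` and `propose_fix`; on the sample above it reports the two default routes and proposes removing the inside one in favour of `route inside 192.168.16.0 255.255.240.0 192.168.10.1`, the tightest prefix that still covers the 192.168.20.0/24 and 192.168.30.0/24 subnets behind the inside gateway.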

New Member

Re: PIX 6.1 upgrade to 6.2(2) Problem

That fixed it. Thank you so much gfullage.
