Cisco Support Community

New Member

PIX VPN

Hi,

I have configured PIX VPN to establish a VPN tunnel to a VPN concentrator. On my LAN we have installed the VPN Client to connect to another VPN server. I am able to connect to the server but cannot ping any server; the same works from dialup.

Is there any configuration required?

PIX Version 6.2(1)
nameif ethernet0 dmz security10
nameif ethernet1 inside security100
nameif ethernet2 outside security0
enable password XXXXXXXXX encrypted
passwd xxxxxxxxx
hostname XXXXXXX
domain-name XXXXXXXXX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside permit tcp 192.168.x.x 255.255.255.0 any eq www
access-list inside permit tcp 192.168.x.x 255.255.255.0 any eq https
access-list inside permit tcp 192.168.x.x 255.255.255.0 any eq ftp
access-list inside permit tcp 192.168.x.x 255.255.255.0 any eq h323
access-list inside permit udp 192.168.x.x 255.255.255.0 any eq domain
access-list inside permit icmp 192.168.x.x 255.255.255.0 any
access-list inside permit ip 192.168.x.x 255.255.255.0 host 217.X.X.X (IP address of the VPN Server for VPN Clients on LAN)
access-list nonat permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list nonat permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list nonat permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list nonat permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list nonat permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list vpn3000 permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list vpn3000 permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list vpn3000 permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list vpn3000 permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list vpn3000 permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list vpn3000 permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list vpn3000 permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list vpn3000 permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list 101 permit tcp any host 217.x.x.x eq www
access-list 101 permit ip host 217.x.x.x host 201.x.x.x (This is for connecting from VPN client to VPN Server)
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp deny any echo-reply outside
mtu dmz 1500
mtu inside 1500
mtu outside 1500
ip address dmz 10.0.0.1 255.0.0.0
ip address inside 192.168.x.x 255.255.255.0
ip address outside 217.x.x.x 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.x.x 255.255.255.0 0 0
static (inside,outside) 217.x.x.x 192.168.x.x netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 217.x.x.x 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address vpn3000
crypto map mymap 10 set peer 202.x.x.x
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key xxxxxxxx address 202.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400

2 REPLIES
Silver

Re: PIX VPN

The document at http://www.cisco.com/warp/public/471/vpn-net-hood.html should help. Best of luck.

Bronze

Re: PIX VPN

This ACL looks backwards...

access-list 101 permit ip host 217.x.x.x host 201.x.x.x ( This is for connecting from VPN client to VPN Server)

I think it should look like this...

access-list 101 permit ip host 201.x.x.x host 217.x.x.x

After you connect to the VPN server and try to ping, are you sending packets and not receiving, or are you not sending packets at all?
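The direction check in the reply above, as an added example that is not code from the thread: a small Python lint for an ACL applied "in" on the outside interface, which flags entries whose source is an address the PIX itself owns and prints the swapped entry. The addresses 217.0.0.10 and 201.0.0.10 are constructed stand-ins for the masked 217.x.x.x and 201.x.x.x in the post.

```python
import ipaddress
import re

# Constructed stand-in for the thread's masked outside address 217.x.x.x
LOCAL_OUTSIDE = {ipaddress.ip_address("217.0.0.10")}

# Constructed sample ACL, modelled on the two "access-list 101" lines in the post
SAMPLE_ACL = [
    "access-list 101 permit tcp any host 217.0.0.10 eq www",
    "access-list 101 permit ip host 217.0.0.10 host 201.0.0.10",
]

# Matches a PIX 6.x permit ACE: name, protocol, source endpoint, destination endpoint
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>host \S+|any|\S+ \S+)\s+(?P<dst>host \S+|any|\S+ \S+)"
)


def parse_endpoint(text):
    """Turn 'host A', 'any' or 'A MASK' into an ip_network."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if text.startswith("host "):
        return ipaddress.ip_network(text.split()[1] + "/32")
    addr, mask = text.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def lint_outside_in(acl_lines, local_addrs):
    """Return (entry, swapped_entry) pairs for ACEs whose source is a local host.

    The ACL is assumed to be applied 'in' on the outside interface, so a
    packet that matches must have a remote source; a local /32 source can
    never match and is most likely written backwards.
    """
    findings = []
    for line in acl_lines:
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # not a permit ACE in a form this lint understands
        src = parse_endpoint(m.group("src"))
        if src.num_addresses == 1 and src.network_address in local_addrs:
            swapped = (f"access-list {m.group('name')} permit {m.group('proto')} "
                       f"{m.group('dst')} {m.group('src')}")
            findings.append((line.strip(), swapped))
    return findings


if __name__ == "__main__":
    for entry, fix in lint_outside_in(SAMPLE_ACL, LOCAL_OUTSIDE):
        print(f"reversed? {entry}\n  suggest: {fix}")
```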
