pix515 configuration problem to perform vpn remote access using vpn client

dom.a
Level 1

Hi,

My network diagram is simple:

a PC client with Cisco VPN Client 3.x

tries to connect to a remote site through a PIX 515E.

What happens:

the PC can connect and the PIX gives it an IP address, but no traffic is encrypted, so there is no access to the remote network.

My config is:

---------------------------------------
BEGIN CONFIG
--------------------------------------
access-list 102 permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool clientpool 10.10.10.5-10.10.10.50
nat (inside) 0 access-list 102
sysopt connection permit-ipsec
crypto ipsec transform-set robuste esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set robuste
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn30002 address-pool clientpool
vpngroup vpn30002 password 123daniel456789
vpngroup vpn30002 split-tunnel 102
-------------------------------------
END CONFIG
-------------------------------------

Please help me!

Regards

2 Accepted Solutions

mostiguy
Level 6

Can you upgrade to a newer VPN client or try disabling the XP SP2 firewall? I believe the problem is that clients that old are not supported on XP SP2, or will have problems with the SP2 firewall. Try running a 4.0x or higher client.


Create another ACL for "nat (inside) 0" rather than ACL 102, and also create an ACL for "nat (dmz) 0".

e.g.

access-list no_nat_inside permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no_nat_dmz permit ip 10.10.10.0 255.255.255.0
access-list 102 permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 102 permit ip 10.10.10.0 255.255.255.0
nat (inside) 0 access-list no_nat_inside
nat (dmz) 0 access-list no_nat_dmz

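The two accepted solutions above reduce to two checks a practitioner can run against a config dump: every network the split-tunnel ACL hands to the client must also be NAT-exempted toward the client pool by a "nat (iface) 0" ACL on the interface that network sits behind (the original config only does this for inside, which is why the DMZ was unreachable), and the posted transform set and ISAKMP policy use DES and MD5, which are legacy algorithms (PIX 6.x also offers esp-3des / esp-sha-hmac with the 3DES activation key). The following Python script is an added example, not part of the original thread or any Cisco tool. It parses the relevant PIX 6.x lines and runs those checks over two constructed configs: the poster's original, and the accepted fix written out in full. The DMZ subnet 172.16.1.0/24, the ACL name `split`, and the 3DES/SHA choice are assumptions; the thread never names the DMZ network.

```python
"""Check a PIX 6.x remote-access VPN config for the two things the thread turns
on: nat 0 exemption that does not cover the client pool on every interface the
client must reach, and legacy DES/MD5 algorithms. Added example, not from the
original post or from Cisco; the DMZ subnet 172.16.1.0/24 is an assumption."""
from ipaddress import IPv4Address, IPv4Network

ANY = IPv4Network("0.0.0.0/0")
WEAK_ALGOS = {"des", "esp-des", "md5", "esp-md5-hmac"}


def _take_addr(tokens):
    """Pop one PIX address spec ('any' or 'addr mask') off a token list.
    Returns (network, remaining); network is None if the spec is incomplete."""
    if not tokens:
        return None, tokens
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if len(tokens) < 2:
        return None, tokens[1:]
    return IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pix(cfg):
    """Extract ACL entries, nat 0 bindings, split-tunnel ACLs, the pool and weak algorithms."""
    acls, nat0, split, weak, pool = {}, {}, {}, [], None
    for line in cfg.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] == "access-list" and tok[2] == "permit":
            src, rest = _take_addr(tok[4:])       # tok[3] is the protocol
            dst, _ = _take_addr(rest)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[:1] == ["nat"] and tok[2:4] == ["0", "access-list"]:
            nat0[tok[1].strip("()")] = tok[4]     # interface -> exemption ACL
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            pool = (IPv4Address(lo), IPv4Address(hi))
        elif tok[:1] == ["vpngroup"] and tok[2:3] == ["split-tunnel"]:
            split[tok[1]] = tok[3]
        elif tok[:3] == ["crypto", "ipsec", "transform-set"] or tok[:2] == ["isakmp", "policy"]:
            weak += [t for t in tok if t in WEAK_ALGOS]
    return {"acls": acls, "nat0": nat0, "split": split, "pool": pool, "weak": weak}


def check_reachability(parsed):
    """Return (interfaces whose nat 0 ACL exempts traffic to the pool, findings).
    A split-tunneled network is reachable only if some interface's nat 0 ACL has
    an ACE whose source covers it and whose destination covers the whole pool."""
    findings, exempted = [], set()
    if parsed["pool"] is None:
        return exempted, ["no 'ip local pool' configured"]
    lo, hi = parsed["pool"]
    for acl in parsed["split"].values():
        for src, dst in parsed["acls"].get(acl, []):
            if src is None or dst is None:
                findings.append(f"ACL {acl}: ACE is missing a destination (PIX needs src mask dst mask)")
                continue
            hits = [iface for iface, nacl in parsed["nat0"].items()
                    if any(s is not None and d is not None
                           and src.subnet_of(s) and lo in d and hi in d
                           for s, d in parsed["acls"].get(nacl, []))]
            if hits:
                exempted.update(hits)
            else:
                findings.append(f"{src}: split-tunneled but no nat 0 exemption toward pool {lo}-{hi}")
    for iface, nacl in parsed["nat0"].items():
        if nacl in parsed["split"].values():
            findings.append(f"nat ({iface}) 0 reuses split-tunnel ACL {nacl}; use a per-interface no-NAT ACL")
    return exempted, findings


# Constructed from the original post, trimmed to the relevant lines.
ORIGINAL_CFG = """\
access-list 102 permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool clientpool 10.10.10.5-10.10.10.50
nat (inside) 0 access-list 102
crypto ipsec transform-set robuste esp-des esp-md5-hmac
isakmp policy 10 encryption des
isakmp policy 10 hash md5
vpngroup vpn30002 split-tunnel 102
"""

# Constructed: the accepted fix with one no-NAT ACL per interface, a split-tunnel
# ACL listing both networks, and 3DES/SHA. 172.16.1.0/24 stands in for the DMZ.
FIXED_CFG = """\
access-list no_nat_inside permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no_nat_dmz permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list split permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list split permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool clientpool 10.10.10.5-10.10.10.50
nat (inside) 0 access-list no_nat_inside
nat (dmz) 0 access-list no_nat_dmz
crypto ipsec transform-set robuste esp-3des esp-sha-hmac
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
vpngroup vpn30002 split-tunnel split
"""
```

Feed it the output of "show run": `check_reachability(parse_pix(cfg))` returns the set of interfaces whose networks the pool can reach without being NATed, plus findings. On the original config it reports only "inside" and flags that ACL 102 doubles as the nat 0 ACL; on the fixed config it reports both "inside" and "dmz" with no findings. The incomplete "permit ip 10.10.10.0 255.255.255.0" lines in the posted fix are caught as ACEs with no destination, since PIX requires both source and destination in an access-list entry.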

7 Replies

jackko
Level 7

Try this command: "isakmp nat-traversal".

Nothing changes with the command 'isakmp nat-traversal'.

Regards

You mentioned no traffic is encrypted; are you referring to the statistics in the VPN client?

On the PIX, do "debug icmp trace", then ping from the remote PC to a host behind the PIX.

Just wondering if the PIX is the default gateway of the LAN. Another suggestion is to verify the software firewall installed on the PC, including Windows XP SP2.

Hi,

I referred to both the statistics on the VPN client and the 'show crypto isakmp sa' command.

Results of debug icmp trace:

transform: esp-des esp-md5-hmac ,

37392: ICMP unreachable (code 3) @ip src > @ip dest
37393: ICMP unreachable (code 3) @ip src > @ip dest
37394: ICMP unreachable (code 3) @ip src > @ip dest

In the XP SP2 firewall, the VPN client is permitted.

Regards!


Hi,

Everything is right now!

I just disabled the XP SP2 firewall.

Thanks to all.

But one question: I can only ping the PIX inside network, not the PIX DMZ network. I tried to add some statics, but nothing.

What command do I have to put in my PIX to let the remote PC using the VPN client also ping the DMZ network?

Thanks to all again.
