10-19-2005 10:32 AM - edited 02-21-2020 02:03 PM
Hi,
My network diagram is simple:
a PC client with Cisco VPN Client 3.x
tries to connect to a remote site through a PIX 515E.
What happens:
the PC can connect and the PIX gives it an IP address, but no traffic is encrypted, so there is no access to the remote network.
My config is:
---------------------------------------
BEGIN CONFIG
--------------------------------------
access-list 102 permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool clientpool 10.10.10.5-10.10.10.50
nat (inside) 0 access-list 102
sysopt connection permit-ipsec
crypto ipsec transform-set robuste esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set robuste
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn30002 address-pool clientpool
vpngroup vpn30002 password 123daniel456789
vpngroup vpn30002 split-tunnel 102
-------------------------------------
END CONFIG
-------------------------------------
Please help me !
Regards
10-19-2005 05:30 PM
try this command "isakmp nat-traversal"
10-20-2005 01:37 AM
Nothing changes with the command 'isakmp nat-traversal'.
Regards
10-20-2005 04:00 AM
You mentioned no traffic is encrypted; are you referring to the statistics in the VPN client?
On the PIX, do "debug icmp trace", then ping from the remote PC to a host behind the PIX.
Just wondering if the PIX is the default gateway of the LAN. Another suggestion is to verify the software firewall installed on the PC, including the Windows XP SP2 firewall.
10-20-2005 06:29 AM
Hi,
I referred to both the statistics on the VPN client and the output of the 'show crypto isakmp sa' command.
Results of debug icmp trace:
transform: esp-des esp-md5-hmac ,
<--- More --->37392: ICMP unreachable (code 3) @ip src > @ip dest
37393: ICMP unreachable (code 3) @ip src > @ip dest
37394: ICMP unreachable (code 3) @ip src > @ip dest
In the XP SP2 firewall, the VPN client is permitted.
Regards!
10-20-2005 07:59 AM
Can you upgrade to a newer vpn client or try disabling the XP sp 2 firewall? I believe the problem is that clients that old are not supported on xp sp2, or will have problems with the SP2 firewall. Try running a 4.0x or higher client.
10-21-2005 12:13 AM
Hi,
Everything is right now!!!!!!!!
I just disabled the XP SP2 firewall.
Thanks to all.
But one question: I can only ping the PIX inside network, not the PIX DMZ network. I tried to add some statics but nothing.
What command do I have to put in my PIX to let the remote PC using the VPN client also ping the DMZ network?
Thanks to all again
10-21-2005 12:40 AM
Create another ACL for "nat (inside) 0" rather than ACL 102, and also create an ACL for "nat (dmz) 0".
e.g.
access-list no_nat_inside permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no_nat_dmz permit ip
access-list 102 permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 102 permit ip
nat (inside) 0 access-list no_nat_inside
nat (dmz) 0 access-list no_nat_dmz
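The reply above recommends a dedicated NAT-exemption ACL per interface instead of reusing the split-tunnel ACL 102, and it is the missing "nat (dmz) 0" that explains why the VPN client could reach the inside network but not the DMZ. The following Python script is an added example, not code from the thread or from Cisco: it parses the handful of PIX 6.x lines that matter (access-list, ip local pool, nat 0, vpngroup address-pool/split-tunnel) and reports, per interface, whether the VPN client pool is exempted from NAT and whether the exemption ACL is shared with the split-tunnel ACL. The DMZ subnet 172.16.1.0/24 and the interface list are assumptions; the reply left the DMZ network blank.

```python
import ipaddress
import re

# Constructed samples (not the poster's full config). ORIGINAL_CONFIG is the
# relevant subset of the first post; FIXED_CONFIG applies the last reply's
# advice, with an assumed DMZ subnet 172.16.1.0/24 standing in for the
# network the reply left blank.
ORIGINAL_CONFIG = """
access-list 102 permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool clientpool 10.10.10.5-10.10.10.50
nat (inside) 0 access-list 102
vpngroup vpn30002 address-pool clientpool
vpngroup vpn30002 split-tunnel 102
"""

FIXED_CONFIG = """
access-list no_nat_inside permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no_nat_dmz permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 102 permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 102 permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool clientpool 10.10.10.5-10.10.10.50
nat (inside) 0 access-list no_nat_inside
nat (dmz) 0 access-list no_nat_dmz
vpngroup vpn30002 address-pool clientpool
vpngroup vpn30002 split-tunnel 102
"""

# PIX 6.x access-list entries use real netmasks, not IOS wildcard masks.
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ADDRPOOL_RE = re.compile(r"^vpngroup (\S+) address-pool (\S+)$")
SPLIT_RE = re.compile(r"^vpngroup (\S+) split-tunnel (\S+)$")


def parse_config(text):
    """Extract only the lines this check needs into plain dicts."""
    cfg = {"acls": {}, "pools": {}, "nat0": {}, "addrpool": {}, "split": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            cfg["acls"].setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
            )
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := NAT0_RE.match(line):
            iface, acl = m.groups()
            cfg["nat0"][iface] = acl
        elif m := ADDRPOOL_RE.match(line):
            group, pool = m.groups()
            cfg["addrpool"][group] = pool
        elif m := SPLIT_RE.match(line):
            group, acl = m.groups()
            cfg["split"][group] = acl
    return cfg


def pool_exempted(aces, first, last):
    """True if some ACE's destination network contains the whole client pool."""
    return any(first in dst and last in dst for _, dst in aces)


def check_vpn_exemptions(text, interfaces):
    """Return a list of findings; an empty list means every listed interface
    exempts the VPN pool from NAT with its own ACL, as the reply recommends."""
    cfg = parse_config(text)
    findings = []
    for group, pool_name in cfg["addrpool"].items():
        first, last = cfg["pools"][pool_name]
        split_acl = cfg["split"].get(group)
        for iface in interfaces:
            acl = cfg["nat0"].get(iface)
            if acl is None:
                findings.append(f"{iface}: no 'nat ({iface}) 0' for pool {pool_name}; "
                                f"hosts there are NATed towards VPN clients")
                continue
            if not pool_exempted(cfg["acls"].get(acl, []), first, last):
                findings.append(f"{iface}: nat 0 ACL {acl} does not cover pool {pool_name}")
            if acl == split_acl:
                findings.append(f"{iface}: nat 0 ACL {acl} is also {group}'s split-tunnel ACL; "
                                f"the reply recommends a dedicated no_nat ACL")
    return findings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_vpn_exemptions(text, ["inside", "dmz"]) or ["OK"])
```

Run against the original subset the script reports two findings (the inside exemption shares ACL 102 with the split tunnel, and the dmz interface has no nat 0 at all); against the fixed config it reports none. The DMZ network must appear in both the no_nat_dmz ACL and the split-tunnel ACL, otherwise the client never sends that traffic through the tunnel in the first place.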