New Member

pix515 configuration problem to perform vpn remote access using vpn client

Hi,

My network diagram is simple:

a PC client with Cisco VPN Client 3.x

tries to connect to a remote site through a PIX 515E.

What happens:

The PC can connect and the PIX gives it an IP address, but no traffic is encrypted, so there is no access to the remote network.

My config is:

---------------------------------------
BEGIN CONFIG
--------------------------------------
access-list 102 permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool clientpool 10.10.10.5-10.10.10.50
nat (inside) 0 access-list 102
sysopt connection permit-ipsec
crypto ipsec transform-set robuste esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set robuste
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn30002 address-pool clientpool
vpngroup vpn30002 password 123daniel456789
vpngroup vpn30002 split-tunnel 102
-------------------------------------
END CONFIG
-------------------------------------

Please help me!

Regards

7 REPLIES
Gold

Re: pix515 configuration problem to perform vpn remote access us

Try this command: "isakmp nat-traversal"

New Member

Re: pix515 configuration problem to perform vpn remote access us

Nothing changes with the command 'isakmp nat-traversal'.

Regards

Gold

Re: pix515 configuration problem to perform vpn remote access us

You mentioned no traffic is encrypted; are you referring to the statistics in the VPN client?

On the PIX, do "debug icmp trace", then ping from the remote PC to a host behind the PIX.

Just wondering if the PIX is the default gateway of the LAN. Another suggestion is to verify the software firewall installed on the PC, including Windows XP SP2.

New Member

Re: pix515 configuration problem to perform vpn remote access us

Hi,

I referred to both the statistics on the VPN client and the 'show crypto isakmp sa' command.

Results of debug icmp trace:

transform: esp-des esp-md5-hmac ,
37392: ICMP unreachable (code 3) @ip src > @ip dest
37393: ICMP unreachable (code 3) @ip src > @ip dest
37394: ICMP unreachable (code 3) @ip src > @ip dest

In the XP SP2 firewall, the VPN client is permitted.

Regards!

Silver

Re: pix515 configuration problem to perform vpn remote access us

Can you upgrade to a newer vpn client or try disabling the XP sp 2 firewall? I believe the problem is that clients that old are not supported on xp sp2, or will have problems with the SP2 firewall. Try running a 4.0x or higher client.

New Member

Re: pix515 configuration problem to perform vpn remote access us

Hi,

Everything is right now!

I just disabled the XP SP2 firewall.

Thanks to all.

But one question: I can only ping the PIX inside network, not the PIX DMZ network. I tried to add some statics, but nothing.

What command do I have to put in my PIX to let the remote PC using the VPN client also ping the DMZ network?

Thanks to all again.

Gold

Re: pix515 configuration problem to perform vpn remote access us

Create another ACL for "nat (inside) 0" rather than ACL 102, and also create an ACL for "nat (dmz) 0".

e.g.

access-list no_nat_inside permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no_nat_dmz permit ip 10.10.10.0 255.255.255.0
access-list 102 permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 102 permit ip 10.10.10.0 255.255.255.0
nat (inside) 0 access-list no_nat_inside
nat (dmz) 0 access-list no_nat_dmz
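The advice above boils down to two checks on a PIX 6.x config: every interface whose hosts the VPN clients should reach needs its own "nat (iface) 0" exemption ACL covering local subnet -> client pool, and the split-tunnel ACL must list each of those local subnets (and should not be the same object as a nat 0 ACL). The script below is an added example, not code from the thread or from Cisco; it parses only the line forms that appear in this thread. It assumes a DMZ subnet of 192.168.90.0/24 (a placeholder, since the thread never states it) and writes the DMZ entries with the same source/destination orientation as the poster's inside ACL. Both sample configs are constructed: the first is the poster's original (ACL 102 shared, no DMZ exemption), the second is the corrected form.

```python
"""Audit a PIX 6.x VPN-client config for NAT-exemption and split-tunnel coverage.
Added example for the thread above; not Cisco code. Only the line forms seen in
the thread are parsed; anything else is ignored."""
import ipaddress
import re
from dataclasses import dataclass, field

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
SPLIT_RE = re.compile(r"^vpngroup (\S+) split-tunnel (\S+)$")
ADDRPOOL_RE = re.compile(r"^vpngroup (\S+) address-pool (\S+)$")

# Constructed: the poster's original config (ACL 102 doubles as nat 0 ACL, no DMZ).
ORIGINAL_CONFIG = """
access-list 102 permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool clientpool 10.10.10.5-10.10.10.50
nat (inside) 0 access-list 102
vpngroup vpn30002 address-pool clientpool
vpngroup vpn30002 split-tunnel 102
"""

# Constructed: the corrected config. 192.168.90.0/24 is an ASSUMED DMZ subnet.
FIXED_CONFIG = """
access-list no_nat_inside permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no_nat_dmz permit ip 192.168.90.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 102 permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 102 permit ip 192.168.90.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool clientpool 10.10.10.5-10.10.10.50
nat (inside) 0 access-list no_nat_inside
nat (dmz) 0 access-list no_nat_dmz
vpngroup vpn30002 address-pool clientpool
vpngroup vpn30002 split-tunnel 102
"""

# Interface -> subnet behind it that VPN clients must reach (DMZ value assumed).
LOCAL_SUBNETS = {"inside": "192.168.80.0/24", "dmz": "192.168.90.0/24"}


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class PixConfig:
    acls: dict = field(default_factory=dict)      # name -> [(src_net, dst_net)]
    nat0: dict = field(default_factory=dict)      # interface -> ACL name
    pools: dict = field(default_factory=dict)     # pool name -> (first, last)
    split: dict = field(default_factory=dict)     # vpngroup -> split-tunnel ACL
    addrpool: dict = field(default_factory=dict)  # vpngroup -> pool name


def parse_config(text):
    cfg = PixConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            cfg.acls.setdefault(name, []).append((_net(s, sm), _net(d, dm)))
        elif m := NAT0_RE.match(line):
            cfg.nat0[m.group(1)] = m.group(2)
        elif m := POOL_RE.match(line):
            cfg.pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                     ipaddress.ip_address(m.group(3)))
        elif m := SPLIT_RE.match(line):
            cfg.split[m.group(1)] = m.group(2)
        elif m := ADDRPOOL_RE.match(line):
            cfg.addrpool[m.group(1)] = m.group(2)
    return cfg


def _covers(entries, subnet, first, last):
    # An ACE covers the pair when its source contains the local subnet and its
    # destination contains every address of the client pool range.
    return any(subnet.subnet_of(src) and first in dst and last in dst
               for src, dst in entries)


def audit(cfg, local_subnets):
    findings = []
    for group, pool_name in cfg.addrpool.items():
        first, last = cfg.pools[pool_name]
        split_acl = cfg.split.get(group)
        # Reusing the split-tunnel ACL as a nat 0 ACL is what the reply warns against.
        for iface, acl in cfg.nat0.items():
            if acl == split_acl:
                findings.append(f"{group}: ACL {acl} is used for both split-tunnel and nat ({iface}) 0")
        for iface, subnet in local_subnets.items():
            subnet = ipaddress.ip_network(subnet)
            acl = cfg.nat0.get(iface)
            if acl is None or not _covers(cfg.acls.get(acl, []), subnet, first, last):
                findings.append(f"{iface}: no nat ({iface}) 0 exemption for {subnet} -> pool {pool_name}")
            if split_acl and not _covers(cfg.acls.get(split_acl, []), subnet, first, last):
                findings.append(f"{iface}: split-tunnel ACL {split_acl} does not send {subnet} over the tunnel")
    return findings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(parse_config(text), LOCAL_SUBNETS) or ["no findings"]:
            print(" ", f)
```

Run against the poster's original config the audit reports the shared ACL 102 plus two DMZ findings (no nat (dmz) 0 exemption and the DMZ subnet missing from the split-tunnel ACL), which is the symptom in the thread: inside hosts reachable, DMZ hosts not. The corrected config produces no findings. A NAT exemption check like this is worth keeping in configuration review, because a missing nat 0 entry fails silently: the tunnel comes up and the client simply never gets a reply.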
