04-25-2002 09:59 PM - edited 02-21-2020 11:42 AM
I'm testing the VPN client to connect to the internal network protected by a PIX (6.2).
I configured the PIX with PDM. After configuring, I can connect to the PIX with the VPN client and the client PC gets an address from the IP pool.
But I couldn't access the internal network. access-list
From the "debug icmp tr" command I can see there was proper packet transfer... But...
============================================================
inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip host x.x.x.x 10.1.2.0 255.255.255.0
access-list pin permit icmp any any
access-list test_splitTunnelAcl permit ip 10.1.1.0 255.255.255.0 any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.128
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool testpool 10.1.2.1-10.1.2.255
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 10.1.1.100 255.255.255.255 inside
pdm location 10.1.2.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 10 x.x.x.190-x.x.x.199
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group pin in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.1.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup test address-pool testpool
vpngroup test split-tunnel test_splitTunnelAcl
vpngroup test idle-time 1800
vpngroup test password ********
04-26-2002 04:13 AM
The pool handed to the client cannot be the same network as the internal network. Reference the following URL:
04-26-2002 04:17 AM
Sorry, it isn't. I should have looked closer.
The URL sent has a sample config.
Are there other devices on the internal network also (routers)?
04-28-2002 04:56 PM
No. See below...
Client ---------- PIX ------------- Local PC
05-01-2002 03:42 AM
Looking at your configuration, there seems to be a typo: your first ACL needs to be preceded by the word 'access-list'.
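The typo above is easy to miss by eye because the rest of the config still references the ACL by name. As an added example (not from the thread or Cisco), here is a small Python lint that checks a PIX 6.x config for ACL names that are referenced by nat 0, access-group, crypto map and vpngroup commands but never defined by an "access-list NAME" line. The sample config is an excerpt of the lines posted in the thread, including the line that lacks its keyword; the command patterns are my own assumptions about the PIX 6.x syntax shown on this page.

```python
import re

# Constructed sample: the ACL-related lines from the thread's PIX 6.2 config,
# with the first ACL line still missing its "access-list" keyword.
SAMPLE_CONFIG = """\
inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list pin permit icmp any any
access-list test_splitTunnelAcl permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list inside_outbound_nat0_acl
access-group pin in interface outside
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
vpngroup test split-tunnel test_splitTunnelAcl
"""

# PIX 6.x commands (as used on this page) that point at an ACL by name.
REFERENCE_PATTERNS = [
    re.compile(r"^nat \(\S+\) \d+ access-list (\S+)"),
    re.compile(r"^access-group (\S+) in interface \S+"),
    re.compile(r"^crypto dynamic-map \S+ \d+ match address (\S+)"),
    re.compile(r"^crypto map \S+ \d+ match address (\S+)"),
    re.compile(r"^vpngroup \S+ split-tunnel (\S+)"),
]

def defined_acls(config):
    """Names that have at least one 'access-list NAME ...' line."""
    names = set()
    for line in config.splitlines():
        m = re.match(r"^access-list (\S+) ", line.strip())
        if m:
            names.add(m.group(1))
    return names

def referenced_acls(config):
    """Map each referenced ACL name to the config lines that reference it."""
    refs = {}
    for line in config.splitlines():
        line = line.strip()
        for pat in REFERENCE_PATTERNS:
            m = pat.match(line)
            if m:
                refs.setdefault(m.group(1), []).append(line)
    return refs

def find_dangling_acls(config):
    """ACL names referenced but never defined. In the thread's config the
    NAT-exemption ACL used by 'nat (inside) 0' is one of these, because its
    only line lost the 'access-list' keyword, so the exemption is never built."""
    defined = defined_acls(config)
    return {n: l for n, l in referenced_acls(config).items() if n not in defined}

if __name__ == "__main__":
    for name, lines in find_dangling_acls(SAMPLE_CONFIG).items():
        print(f"ACL '{name}' is referenced but never defined:")
        for ref in lines:
            print("   ", ref)
```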