Pix6.2 and VPN Client 3.5 and PDM

sipjang · ‎04-25-2002

I'm testing the VPN client to connect the internal network protected by pix(6.2)

I congiure the Pix with pdm. after config.. I can connect to the pix with vpnclient and client PC can get the ip-pool.

But I could't access to the internal network..access-list

From the "debug icmp tr" command I can find there was a proper packet transfer ... But...

============================================================

inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip host x.x.x.x 10.1.2.0 255.255.255.0

access-list pin permit icmp any any

access-list test_splitTunnelAcl permit ip 10.1.1.0 255.255.255.0 any

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.x 255.255.255.128

ip address inside 10.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool testpool 10.1.2.1-10.1.2.255

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

pdm location 10.1.1.100 255.255.255.255 inside

pdm location 10.1.2.0 255.255.255.0 inside

pdm history enable

arp timeout 14400

global (outside) 10 x.x.x.190-x.x.x.199

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

access-group pin in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 10.1.1.100 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt noproxyarp outside

no sysopt route dnat

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup test address-pool testpool

vpngroup test split-tunnel test_splitTunnelAcl

vpngroup test idle-time 1800

vpngroup test password ********

gfesler · ‎04-26-2002

the pool handed to the client cannot be the same network as the internal network reference the following url:

http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html

gfesler · ‎04-26-2002

sorry it isn't I should have looked closer.

the url sent has a sample config.

is there other devices on the internal network also(routers)?

sipjang · ‎04-28-2002

No.. See the below...

Clinet ---------- Pix -------------Local PC

saluko · ‎05-01-2002

Looking at your configuration there seem to be a typo error - your first acl needs to be preceded with the word 'access-list'