I would like to point out and clarify one possible bug in Cisco Secure Policy Manager 3.0. Currently, I am evaluating this product for one customer that requires a manageable remote access VPN connection with a PIX firewall.
Here is the scenario: the customer has a PIX firewall version 6.1 and wants to have visual management of remote VPN IPSec tunnels. The VPN client is Cisco VPN Unity Client version 3.5.1. In CSPM 3.0 I was able to create IPSec tunnel templates, and in the network topology I modeled a cloud network that corresponds to the address range already defined for VPN clients on the PIX firewall and attached this cloud network directly to the Internet. In the rule for IPSec traffic, I am using this modeled cloud network as the source, the inside network as the destination and all IP traffic as the service. When I tried to connect to the PIX with the VPN client, IKE Phase 1 is successful, devices are authenticated, the user is authenticated, but in IKE Phase 2, in the debug log of the PIX, I receive:
"proxy identities not supported",
which means that the access-list for IPSec traffic does not match. But, in this case, it is not a site-to-site VPN...
During troubleshooting, I noticed that CSPM incorrectly generates the following command:
crypto dynamic-map CSM-crypto-map-outside-dyn 5 match address CSM-crypto-acl-outside-0
This command is OK when site-to-site IPSec tunnels are in place, but for remote access, this line is not needed. The workaround is to clear this line in the epilogue section, but this is not the solution. Could you please confirm this behavior as a bug of CSPM 3.0?
Another thing: it seems that CSPM 3.0 is not fully compatible with the VPN Unity client (I mean using the vpngroup command in PIX). Because of that, I cannot configure split tunneling when using the VPN Unity client with the PIX firewall. Is that right?
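As an added illustration (hand-written here, not from the original post and not CSPM's generated output), this is a minimal PIX 6.x remote-access fragment in which the dynamic crypto map carries no `match address` line, so Phase 2 accepts the proxy identities the Unity client proposes, together with the `vpngroup` split-tunnel settings the poster could not produce through CSPM. Map and ACL names follow the post; the address ranges, pool, group name, DNS server and domain are assumptions, and `!` lines are annotations.

```text
! Address pool handed to Unity clients (assumed range)
ip local pool vpnpool 192.168.100.1-192.168.100.254

! Traffic that stays in the tunnel: inside LAN <-> client pool
access-list split_tunnel permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0

! Do not NAT traffic destined for the client pool
nat (inside) 0 access-list split_tunnel

! Let decrypted IPSec traffic bypass the interface ACLs
sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Dynamic map for remote access: transform-set only.
! Deliberately NO "crypto dynamic-map CSM-crypto-map-outside-dyn 5 match address ..."
! line; a match address on a dynamic map narrows the acceptable proxy identities
! and is what produced "proxy identities not supported" in the post.
crypto dynamic-map CSM-crypto-map-outside-dyn 5 set transform-set ESP-3DES-SHA

! Static map bound to the outside interface, referencing the dynamic map
crypto map CSM-crypto-map-outside 65535 ipsec-isakmp dynamic CSM-crypto-map-outside-dyn
crypto map CSM-crypto-map-outside client configuration address respond
crypto map CSM-crypto-map-outside interface outside

! IKE Phase 1 policy
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Unity client group: pool, DNS, domain, split tunnel and group key
vpngroup unity_users address-pool vpnpool
vpngroup unity_users dns-server 10.1.1.10
vpngroup unity_users default-domain example.com
vpngroup unity_users split-tunnel split_tunnel
vpngroup unity_users idle-time 1800
vpngroup unity_users password <group-preshared-key-placeholder>
```

The group name configured with `vpngroup` must match the group name entered in the Unity client's connection entry; split tunneling takes effect only when the client receives the `split_tunnel` ACL during mode config, so the ACL must exist before the `vpngroup ... split-tunnel` line is applied.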
Oftentimes, complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it's often difficult to do so for this type of issue.