Cisco Support Community

New Member

Problem PIX515 and VPN client 3.6.1, connection established but NO PING

Hello,

I have a problem in our firm with a PIX515 and the VPN client from a notebook via GPRS. The connection is established, but I cannot ping to the PIX or from the PIX to the client.

Can you help me, please?

access-list 101 permit ip 192.168.254.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list 101 permit ip 10.186.0.0 255.255.0.0 192.168.100.0 255.255.255.0

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu fw1 1500

ip address inside 192.168.254.1 255.255.255.252

ip local pool vpnpool 192.168.100.1-192.168.100.5

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set vpnset esp-des esp-md5-hmac

crypto ipsec transform-set vpnset mode transport

crypto dynamic-map dynmap 10 set transform-set vpnset

crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

crypto map vpnmap interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpn35 address-pool vpnpool

vpngroup vpn35 dns-server 213.235.163.193

vpngroup vpn35 wins-server 10.186.33.2

vpngroup vpn35 default-domain sntcr.cz

vpngroup vpn35 split-tunnel 101

vpngroup vpn35 idle-time 1800

vpngroup vpn35 password ********

5 REPLIES
Bronze

Re: Problem PIX515 and VPN client 3.6.1, connection established

Hi David,

Your pix configuration looks good as far as VPN is concerned. You may be running into some routing issue.

Once the tunnel is established, ping something inside the pix firewall from the VPN client. You should see encrypts on the client and decrypts on the pix firewall (sh cry ip sa). If this is the case, you are running into some routing issues towards the pix firewall. But if you are seeing decrypts as well as encrypts on the pix (sh cry ip sa), then you might be running into some filtering issues between the pix and the VPN client.

Jazib

New Member

Re: Problem PIX515 and VPN client 3.6.1, connection established

Now I am connecting to the PIX and pinging. On the client I see that all packets are discarded. On the PIX I see 0 encrypts, 0 decrypts..??:-(

We have a Cisco 2620 between the PIX and the client. Can the problem be there?

David

Bronze

Re: Problem PIX515 and VPN client 3.6.1, connection established

If you are not seeing any encrypts on the client, then it sounds like your VPN client is not intercepting the packets properly. In the stats screen on the VPN client, do you see a small yellow key next to the 0.0.0.0 route?

Jazib

New Member

Re: Problem PIX515 and VPN client 3.6.1, connection established

In the list of routes on the VPN client I have approx. ten routes, but only two routes have a yellow key. When I ping on the route with a yellow key I see encrypted packets, but on the others without a yellow key the packets are discarded. Why do I have a yellow key on only two routes out of ten?

Thank you

David

New Member

Re: Problem PIX515 and VPN client 3.6.1, connection established

And next to the default route 0.0.0.0 I do not have a yellow key...:-((

David
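
Added example, not part of the thread: the posted configuration sets "vpngroup vpn35 split-tunnel 101", and access-list 101 has two permit entries. This Python sketch parses those posted lines and reports which destinations the client would encrypt, on the assumption that the client installs one secured (keyed) route per source network of the split-tunnel ACL; the function names are hypothetical.

```python
import ipaddress
import re

# Split-tunnel related lines copied from the configuration posted above.
PIX_CONFIG = """\
access-list 101 permit ip 192.168.254.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 permit ip 10.186.0.0 255.255.0.0 192.168.100.0 255.255.255.0
ip local pool vpnpool 192.168.100.1-192.168.100.5
vpngroup vpn35 address-pool vpnpool
vpngroup vpn35 split-tunnel 101
"""

# Only the "network mask" ACL form used on this page is handled
# (no "host" or "any" keywords).
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) \S+ \S+$", re.M)
SPLIT_RE = re.compile(r"^vpngroup (\S+) split-tunnel (\S+)$", re.M)


def secured_networks(config, group):
    """Networks protected by the group's split-tunnel ACL.

    Returns None when the group has no split-tunnel ACL, which is taken
    here to mean that all client traffic goes through the tunnel.
    Assumption: one secured route per ACL source network.
    """
    acls = [acl for g, acl in SPLIT_RE.findall(config) if g == group]
    if not acls:
        return None
    nets = []
    for name, src, mask in ACL_RE.findall(config):
        net = ipaddress.ip_network(f"{src}/{mask}")
        if name == acls[0] and net not in nets:
            nets.append(net)
    return nets


def is_tunnelled(config, group, destination):
    """True if client traffic to `destination` matches a secured route."""
    nets = secured_networks(config, group)
    if nets is None:  # no split tunnelling configured for this group
        return True
    addr = ipaddress.ip_address(destination)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    for net in secured_networks(PIX_CONFIG, "vpn35"):
        print("secured route:", net)
    for dst in ("10.186.33.2", "192.168.254.1", "213.235.163.193"):
        state = "tunnelled" if is_tunnelled(PIX_CONFIG, "vpn35", dst) else "not tunnelled"
        print(dst, state)
```

Under that assumption the two ACL entries yield exactly two secured routes, and a destination outside them, including the default route, is not sent through the tunnel.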
