problem with IPSEC through zyxel 650R-31 to PIX 506

Hello

I have a setup with a Zyxel 650R-31 connected to an ADSL connection. Behind the Zyxel I have a Cisco PIX 506E connected. I have set up the Zyxel to forward all ports to the PIX IP. The port forwarding works fine (WWW, FTP, SMTP and so on). PPTP to the PIX also works fine, but when I use the Cisco VPN client (IPsec) to make the connection, something goes wrong. I can see that the user gets correctly authenticated in the system log on the RADIUS server. What happens is that the VPN client "hangs" at "Securing communications channel" and then gives the error message: "Secure VPN connection terminated locally by the client. Reason 412: The remote peer is no longer responding".

What could be the problem?

Here is some of the config output of the PIX:

domain-name vinduesland.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit tcp any host 10.0.0.2 eq smtp
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.99.0 255.255.255.0
pager lines 24
logging on
logging trap notifications
logging facility 16
logging host inside 192.168.3.115
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.2 255.255.255.0
ip address inside 192.168.3.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.99.1-192.168.99.100
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.3.11 smtp netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 192.168.3.10 ******** timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vinduesland address-pool vpnpool
vpngroup vinduesland dns-server 192.168.3.10
vpngroup vinduesland default-domain vinduesland.local
vpngroup vinduesland split-tunnel 101
vpngroup vinduesland idle-time 1800
vpngroup vinduesland password ********
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80

1 REPLY

Re: problem with IPSEC through zyxel 650R-31 to PIX 506

Just a quick comment.

In order to permit IPsec traffic, ESP is required and it's IP 50. Port forwarding wouldn't be able to cope with IP, only TCP or UDP.
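
The reply's point, worked through as an added example (not code from the thread or from either vendor): a consumer port forwarder keys its rules on TCP/UDP destination port, so a packet carrying ESP directly in IP (protocol 50) has no port field for any rule to match. The rule table, the packet list and the `PIX_OUTSIDE_ADDR` value are constructed for the demo; the only page-derived inputs are the PIX address 10.0.0.2 and the `isakmp nat-traversal 20` line from the posted config, which the last function recognises. The example also shows the general case the reply implies: when IKE negotiates NAT-T, ESP travels inside UDP/4500 and a port rule can carry it. Whether NAT-T is actually negotiated between this client and this PIX is not something the thread states.

```python
"""Simulate a TCP/UDP-only port forwarder in front of an IPsec gateway."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers used by the Cisco VPN client exchange.
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50   # Encapsulating Security Payload: carried directly in IP, no ports

# From the thread: the PIX outside interface sits behind the Zyxel at 10.0.0.2.
PIX_OUTSIDE_ADDR = "10.0.0.2"


@dataclass(frozen=True)
class Packet:
    label: str
    proto: int
    dport: Optional[int]   # None when the protocol has no transport header (ESP, AH)


@dataclass(frozen=True)
class ForwardRule:
    proto: int             # a port-forward rule can only name TCP or UDP
    dport: int
    target: str


# Assumed Zyxel rule table (constructed). "Forward all ports" is expressed as
# TCP/UDP port rules; there is no way to write "IP protocol 50" in such a table.
ZYXEL_RULES = [
    ForwardRule(IPPROTO_TCP, 25, PIX_OUTSIDE_ADDR),     # SMTP, works per the post
    ForwardRule(IPPROTO_UDP, 500, PIX_OUTSIDE_ADDR),    # ISAKMP / IKE phase 1
    ForwardRule(IPPROTO_UDP, 4500, PIX_OUTSIDE_ADDR),   # IPsec NAT-T (ESP in UDP)
]


def matches(rule: ForwardRule, pkt: Packet) -> bool:
    """A port rule can never match a packet that carries no port field."""
    return pkt.dport is not None and rule.proto == pkt.proto and rule.dport == pkt.dport


def forward(rules: list[ForwardRule], pkt: Packet) -> Optional[str]:
    """Return the inside host the router forwards to, or None if no rule matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return None


def vpn_client_packets(nat_traversal: bool) -> list[Packet]:
    """Inbound packets of the client exchange, with or without NAT-T negotiated."""
    pkts = [Packet("IKE phase 1 (ISAKMP)", IPPROTO_UDP, 500)]
    if nat_traversal:
        pkts.append(Packet("ESP in UDP (NAT-T)", IPPROTO_UDP, 4500))
    else:
        pkts.append(Packet("ESP (IP protocol 50)", IPPROTO_ESP, None))
    return pkts


def trace_tunnel(rules: list[ForwardRule], nat_traversal: bool) -> dict[str, Optional[str]]:
    """Map each phase of the exchange to where the forwarder sends it."""
    return {p.label: forward(rules, p) for p in vpn_client_packets(nat_traversal)}


def blocked_phases(rules: list[ForwardRule], nat_traversal: bool) -> list[str]:
    """Phases that never reach the PIX: the ones that would show as 'peer no longer responding'."""
    return [label for label, dst in trace_tunnel(rules, nat_traversal).items() if dst is None]


# Matches the PIX 6.x line "isakmp nat-traversal [keepalive-seconds]".
_NAT_T_RE = re.compile(r"^\s*isakmp nat-traversal(?:\s+\d+)?\s*$", re.MULTILINE)


def pix_nat_traversal_enabled(config: str) -> bool:
    """True when the PIX config enables NAT-T, as the posted config does."""
    return _NAT_T_RE.search(config) is not None


if __name__ == "__main__":
    for natt in (False, True):
        print(f"NAT-T negotiated={natt}: {trace_tunnel(ZYXEL_RULES, natt)}")
    posted = "isakmp enable outside\nisakmp identity address\nisakmp nat-traversal 20\n"
    print("PIX side NAT-T enabled:", pix_nat_traversal_enabled(posted))
```

Run stand-alone, the trace shows IKE on UDP/500 reaching the PIX in both cases while raw ESP is dropped at the router, which is the behaviour the reply describes; with NAT-T the ESP stream becomes UDP/4500 and passes the same rule table.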
