New Member

problem with static to dynamic connections in VPN

hi,

I am trying to configure a PIX 515 to accept dynamic connections from remote clients and remote Cisco IOS routers (with dynamic IPs).

I have no problem with the clients, but I can't establish a tunnel with the routers.

Here is my configuration file on the PIX:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password jLM8v3IOUGCnCDWR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Sabetpix
domain-name Sabet.fr
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list sabet1_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.0.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.192 255.255.255.224
access-list sabet2_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list outside_cryptomap_dyn_40 permit ip any 192.168.0.192 255.255.255.224
access-list outside_cryptomap_dyn_60 permit ip any 192.168.0.192 255.255.255.224
access-list outside_cryptomap_dyn_80 permit ip 192.168.0.0 255.255.255.0 sabet0 255.255.255.0
access-list outside_cryptomap_dyn_90 permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging on
logging console notifications
logging monitor notifications
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.0.200 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remotevpn1 192.168.0.205-192.168.0.210
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 192.168.0.1 255.255.255.255 inside
pdm location 192.168.10.0 255.255.255.0 outside
pdm location sabet0 255.255.255.0 outside
pdm location 192.168.0.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
conduit permit tcp any any
conduit permit udp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 outside
http 192.168.10.0 255.255.255.0 outside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 90 match address outside_cryptomap_dyn_90
crypto dynamic-map outside_dyn_map 90 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 90 authentication pre-share
isakmp policy 90 encryption des
isakmp policy 90 hash md5
isakmp policy 90 group 2
isakmp policy 90 lifetime 6400
vpngroup sabet1 address-pool remotevpn1
vpngroup sabet1 wins-server 192.168.0.1
vpngroup sabet1 default-domain Sabet.fr
vpngroup sabet1 split-tunnel sabet1_splitTunnelAcl
vpngroup sabet1 idle-time 1800
vpngroup sabet1 password ********
vpngroup sabet2 address-pool remotevpn1
vpngroup sabet2 wins-server 192.168.0.1
vpngroup sabet2 default-domain Sabet.fr
vpngroup sabet2 split-tunnel sabet2_splitTunnelAcl
vpngroup sabet2 idle-time 1800
vpngroup sabet2 password ********
vpngroup sabet3 address-pool remotevpn1
vpngroup sabet3 wins-server 192.168.0.1
vpngroup sabet3 default-domain sabet.fr
vpngroup sabet3 idle-time 1800
vpngroup sabet3 password ********
telnet 192.168.10.0 255.255.255.0 outside
telnet 192.168.0.0 255.255.255.0 outside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 outside
ssh timeout 5
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname fti/ebt6t2k
vpdn group pppoe_group ppp authentication chap
vpdn username fti/ebt6t2k password *********
vpdn username sabet password *********
dhcpd domain sabet.fr
username sabet password pnDLqQIbA4bEoSxg encrypted privilege 15
terminal width 80
Cryptochecksum:e47cbc2c347e3834312c25df974b56ef
: end

Help,

thanks!

2 REPLIES
Bronze

Re: problem with static to dynamic connections in VPN

Hi,

Can you enable:

debug cry isa

debug cry ip

These debugs are needed to troubleshoot the problem.

Jazib

New Member

Re: problem with static to dynamic connections in VPN

Hi, I resolved the problem by also enabling IPsec keepalive on the PIX.

Keepalive was enabled on the router but not on the PIX.

So I added the command: "isakmp keepalive 60 60".

Thanks for your interest in this question!
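As an added example (not code from the thread or from Cisco), the small linter below reads a PIX 6.x running-config and reports the points a reviewer would raise on the configuration posted above: the missing `isakmp keepalive` that turned out to be the fix, plus the `conduit permit ... any any` rules, the default SNMP community, management access (telnet/http) allowed from the outside interface, DES transform sets, and the wildcard pre-shared key. The finding codes and the config excerpt are constructed for this example.

```python
"""Lint a PIX 6.x running-config for the settings discussed in this thread."""
import re

# Constructed excerpt modelled on the config posted in the question (not the full file).
SAMPLE_CONFIG = """\
PIX Version 6.2(2)
conduit permit icmp any any
conduit permit tcp any any
conduit permit udp any any
snmp-server community public
telnet 192.168.0.0 255.255.255.0 outside
http 192.168.0.0 255.255.255.0 outside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
"""


def lint_pix_config(text):
    """Return a sorted list of finding codes for the given config text."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = set()
    # The thread's fix: with a dynamic-IP peer, the PIX also needs keepalives
    # so a dead tunnel is torn down and the router can renegotiate.
    if any(l.startswith("isakmp enable") for l in lines) and \
       not any(l.startswith("isakmp keepalive") for l in lines):
        findings.add("NO_ISAKMP_KEEPALIVE")
    for l in lines:
        if re.match(r"conduit permit \S+ any any$", l):
            findings.add("CONDUIT_PERMIT_ANY")        # inbound any/any bypasses the firewall
        if re.match(r"snmp-server community (public|private)$", l):
            findings.add("SNMP_DEFAULT_COMMUNITY")    # well-known read community
        if re.match(r"(telnet|http) \S+ \S+ outside$", l):
            findings.add("MGMT_FROM_OUTSIDE")         # management plane reachable from outside
        if re.match(r"crypto ipsec transform-set \S+ .*\besp-des\b", l):
            findings.add("WEAK_IPSEC_DES")            # single DES for ESP
        if re.match(r"isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$", l):
            findings.add("WILDCARD_PRESHARED_KEY")    # one PSK shared by every peer
    return sorted(findings)


if __name__ == "__main__":
    for code in lint_pix_config(SAMPLE_CONFIG):
        print(code)
```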
