Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
400
Views
0
Helpful
1
Replies

question about 4 pixs work at seay VPN mode

y.haraguchi
Level 1
Level 1

‎07-08-2002 08:27 PM - edited ‎02-21-2020 11:55 AM

Hello

I plan to config my 4 pix 515e at easy VPN mode, one is for central office working as easy server, others in 3 branch office as easy VPN remote device.

each branch should be let one pc just access internet, other pc should access the intranet behind the server, include a WWW server, a AS400 (by telnet), and another AS400 in other subnet. The VPN server should be let the people at home access same resource by VPN via dialup.

What I have done is:

(1) At client side set the PIX as PPPoE can get the IP address from ISP

(2) At server side there is a ADSL router 213.26.xxx.xx5 and the outside ip

address of PIX is 213.26.xxx.xx6

(3) global (inside) 1 172.28.16.235

nat (outside) 1 10.0.2.0 255.255.255.248 outside 0 0

ip local pool my pool (10.0.2.1--10.0.2.7)

(4) access-list 100 permit ip host xxx.xxx.xxx.xxx( Http server, AS400) 10.0.2.0 255.255.255.248 and so on

nat (inside) 0 access-list 100

(5) VPNgroup , isakmp ,crypto map

(6) xauth is a radius. indentity the domain user id and password

I have set up my VPN server, and one pix in one branch as easy VPN mode. it seems fit my needs, but I got some problems.

(1) The pc in branch for internet can not access internet. I try to config split tunneling at server side(by PDM), and finished by VPN wizard, but when I try a test by a dialup access, the PIX server reboot, so no VPN tunnel built.

(2) Without split tunneling, the user in branch can access intranet. It's ok. but, they can ping the IP address of my http server, can not access it. the log file says "%PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 213.26.xxx.xx6, src_addr= 213.26.xxx.xx5, prot= icmp" what is mean?

(3) In client PIX side I config vpnclient username password as one people's domain user id and password, but he has no right to access a application in AS400, when other people telnet to th AS400 though the VPN and log on, then he fail to access the application. but when I do a test from a dialup user, and try the same thing, this time it works. why make it happen? should I setting a username in "vpnclient username xxx password xxx" command with the enough right?

Thanks. I hope somebody here can give me a help.

oh

Labels:
0 Helpful
1 Reply 1

edadios
Cisco Employee
Cisco Employee

‎07-09-2002 04:31 PM

1) Unless you issue a reload, the pix should not reboot. You might want to log a case for this issue.

2)This must be some config issue likely with NAT 0 statement.

3)PIX authentication is separate from domain authentication. The PC itself should authenticate to the domain to get access to the domain, not authentiacte to the pix.

Regards,

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents