I am testing CSPM 3.0. In the user manual of CSPM 3.0 it is described that it is possible to create Remote Access tunnels. For creating a rule, Cisco says that the Internet can be used as a source, or a modelled Cloud network that corresponds to the address range already defined for VPN clients on the PIX firewall. I have tried this, but I was not able to establish an IPSec tunnel. I am using VPN client 3.5. IKE Phase 1 is successful, devices are authenticated, user is authenticated, but in IKE Phase 2, in the debug log of the PIX, I receive: proxy identities not supported, which means that the access-list for IPSec traffic does not match. But, in this case, it is not a site-to-site VPN...
Does anybody have a running configuration of VPN Remote Access to PIX managed through CSPM 3.0?
P.S. Hey, Cisco guys: CSPM 3.0 looks good, but, again, it is not the final product... You are late...
Re: Remote Access VPNs to PIX managed through CSPM 3.0
OK, I have resolved the problem...
This is probably a CSPM bug. For remote VPN client access, there is no need to generate a command such as:
crypto dynamic-map CSM-crypto-map-outside-dyn 5 match address CSM-crypto-acl-outside-0
On the other side (VPN client) I don't have any access list, and that is why I'm receiving "proxy identities not supported" in the log of the PIX firewall. So, the workaround is to add a command that clears this line and then everything is OK.
I would like someone from Cisco to confirm this bug.
Another thing: It seems that CSPM 3.0 is not fully compatible with the VPN Unity client (I mean using the vpngroup command in PIX). Because of that, I cannot configure split tunnelling when using the VPN Unity client. Is that right?
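
An added example (not part of the original posts, and not Cisco or CSPM code): a small Python check that scans a PIX configuration for the dynamic-map "match address" line described in the reply above and builds the "no" form that removes it, while leaving static site-to-site crypto map entries alone. The configuration excerpt is constructed; apart from the dynamic-map line quoted in the post, its names (CSM-ts-0, site-to-site-acl, the address range) are assumptions.

```python
import re

# Constructed PIX configuration excerpt (sample input, not from a real device).
# Only the dynamic-map "match address" line is taken from the post.
SAMPLE_CONFIG = """\
access-list CSM-crypto-acl-outside-0 permit ip any 10.10.10.0 255.255.255.0
crypto ipsec transform-set CSM-ts-0 esp-3des esp-sha-hmac
crypto dynamic-map CSM-crypto-map-outside-dyn 5 match address CSM-crypto-acl-outside-0
crypto dynamic-map CSM-crypto-map-outside-dyn 5 set transform-set CSM-ts-0
crypto map CSM-crypto-map-outside 10 ipsec-isakmp
crypto map CSM-crypto-map-outside 10 match address site-to-site-acl
crypto map CSM-crypto-map-outside 65000 ipsec-isakmp dynamic CSM-crypto-map-outside-dyn
crypto map CSM-crypto-map-outside interface outside
"""

DYN_MATCH = re.compile(r"^crypto dynamic-map (\S+) (\d+) match address (\S+)\s*$")
DYN_REF = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)\s*$")


def find_dynamic_match_address(config):
    """Return dynamic-map entries that carry a 'match address' line."""
    lines = [ln.strip() for ln in config.splitlines()]
    # Names of dynamic maps that a crypto map entry actually references.
    referenced = {m.group(3) for ln in lines if (m := DYN_REF.match(ln))}
    findings = []
    for ln in lines:
        m = DYN_MATCH.match(ln)
        if m:
            name, seq, acl = m.groups()
            findings.append({"map": name, "seq": int(seq), "acl": acl,
                             "in_use": name in referenced, "line": ln})
    return findings


def removal_commands(findings):
    """Build the 'no' form of each flagged line whose dynamic map is in use."""
    return ["no " + f["line"] for f in findings if f["in_use"]]


if __name__ == "__main__":
    for cmd in removal_commands(find_dynamic_match_address(SAMPLE_CONFIG)):
        print(cmd)
```
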