Cisco Support Community

New Member

Remote Access VPNs to PIX managed through CSPM 3.0

Here is the problem:

I am testing CSPM 3.0. In the user manual of CSPM 3.0 it is described that it is possible to create Remote Access tunnels. For creating the rule, Cisco says that the Internet can be used as a source, or a modelled Cloud network that corresponds to the address range already defined for VPN clients on the PIX firewall. I have tried this, but I was not able to establish an IPSec tunnel. I am using VPN client 3.5. IKE Phase 1 is successful, devices are authenticated, user is authenticated, but in IKE Phase 2, in the debug log of the PIX, I receive: "proxy identities not supported", which means that the access-list for IPSec traffic does not match. But, in this case, it is not a site-to-site VPN...

Does anybody have a running configuration of VPN Remote Access to PIX managed through CSPM 3.0?

Thanks,

Sasa Vidanovic

P.S. Hey, Cisco guys: CSPM 3.0 looks good, but, again, it is not the final product... You are late...

1 REPLY
New Member

Re: Remote Access VPNs to PIX managed through CSPM 3.0

OK, I have resolved the problem...

This is probably a CSPM bug. For remote VPN client access, there is no need to generate a command such as:

crypto dynamic-map CSM-crypto-map-outside-dyn 5 match address CSM-crypto-acl-outside-0

On the other side (VPN client) I don't have any access list, and that is why I'm receiving "proxy identities not supported" in the log of the PIX firewall. So, the workaround is to add a command that clears this line and then everything is OK.

I would like someone from Cisco to confirm this bug.

Another thing: It seems that CSPM 3.0 is not fully compatible with the VPN Unity client (I mean using the vpngroup command in PIX). Because of that, I cannot configure split tunnelling when using the VPN Unity client. Is that right?

Regards,

Sasa Vidanovic
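
The check described in the reply above, as an added example that is not part of the original posts or of any Cisco tool: a Python script that scans a saved PIX configuration for dynamic crypto map entries carrying a match address line and builds the no form that clears each one. The sample configuration is constructed (only the dynamic-map match address line comes from the thread), and the function names and the use of the standard PIX "no" prefix are assumptions.

```python
import re

# Constructed sample of a CSPM-generated PIX configuration. Only the
# dynamic-map "match address" line is taken from the thread; the rest is
# made up to give the parser realistic surroundings.
SAMPLE_CONFIG = """\
access-list CSM-crypto-acl-outside-0 permit ip 10.1.1.0 255.255.255.0 10.9.9.0 255.255.255.0
crypto ipsec transform-set CSM-ts-1 esp-3des esp-sha-hmac
crypto dynamic-map CSM-crypto-map-outside-dyn 5 match address CSM-crypto-acl-outside-0
crypto dynamic-map CSM-crypto-map-outside-dyn 5 set transform-set CSM-ts-1
crypto map CSM-crypto-map-outside 10 match address CSM-crypto-acl-outside-1
crypto map CSM-crypto-map-outside 65535 ipsec-isakmp dynamic CSM-crypto-map-outside-dyn
crypto map CSM-crypto-map-outside interface outside
"""

DYN_MATCH = re.compile(r"^crypto dynamic-map (\S+) (\d+) match address (\S+)$")
DYN_REF = re.compile(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)$")


def find_dynamic_match_lines(config):
    """Return (map_name, seq, acl, in_use) for each dynamic-map entry that pins an ACL.

    in_use is True when a static crypto map references the dynamic map, i.e.
    the entry is actually consulted when a remote client starts IKE Phase 2.
    """
    lines = [line.strip() for line in config.splitlines()]
    referenced = {m.group(1) for line in lines if (m := DYN_REF.match(line))}
    findings = []
    for line in lines:
        m = DYN_MATCH.match(line)
        if m:
            name, seq, acl = m.groups()
            findings.append((name, int(seq), acl, name in referenced))
    return findings


def workaround_commands(config):
    """Build the 'no' form of each in-use line, as the reply's workaround describes."""
    return [
        f"no crypto dynamic-map {name} {seq} match address {acl}"
        for name, seq, acl, in_use in find_dynamic_match_lines(config)
        if in_use
    ]


if __name__ == "__main__":
    for command in workaround_commands(SAMPLE_CONFIG):
        print(command)
```

Static crypto map entries with their own match address line (site-to-site peers) are deliberately left alone; only entries on the dynamic map are reported.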
