Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN 3.03a client connectivity

Working with a PIX 515 6.0 3des and using vpn 3.03a client - I have two issues - one regarding installation of the client and problems with the DNE miniport. I have tried successfully installing on a compaq desktop with win2k but unsuccessfully on 3 different OEM laptops with W2K. I keep getting the error that the VPN sub-system is unavailable. I checked the bugs and it is documented but have been unable to get the workaround to fix the issue.

The other issue is connectivity to the internal network. From the desktop machine I can establish the IPSec tunnel to the pix but cannot access anything on the internal network. Following is my config - (I'm still pretty new at the firewall). Suggestions or fixes - pease advise.

PIX Version 6.0(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security20

nameif ethernet3 inside2 security80

nameif ethernet4 extranet security30

nameif ethernet5 dmz2 security40

.hostname citypix

domain-name xxxxxxxx.com

access-list acl_out permit tcp any host xxx.xxx.xxx.204 eq smtp

access-list acl_out permit tcp any host xxx.xxx.xxx.203 eq smtp

access-list acl_out permit tcp any host xxx.xxx.xxx.206 eq www

access-list acl_out permit tcp any host xxx.xxx.xxx.206 eq ftp

access-list acl_out permit icmp any any

access-list acl_out permit tcp host 172.16.8.40 any eq www

access-list acl_dmz permit icmp any any

access-list acl_dmz permit ip any any

access-list 192 permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0

access-list acl_inside2 permit icmp any any

access-list acl_inside2 permit ip any any

logging on

logging buffered debugging

logging trap debugging

logging history debugging

logging facility 16

logging host inside 172.16.8.40

interface ethernet0 10baset

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto

interface ethernet4 10baset

interface ethernet5 auto shutdown

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu inside2 1500

mtu extranet 1500

mtu dmz2 1500

ip address outside xxx.xxx.xxx.202 255.255.255.248

ip address inside 172.16.8.4 255.255.255.0

ip address dmz 190.90.90.4 255.255.255.0

ip address inside2 172.16.41.4 255.255.255.0

ip addres extranet xxx.xxx.xxx.xxx 255.255.255.0

ip address dmz2 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnusers 192.168.1.1-192.168.1.254

arp timeout 14400

global (outside) 1 interface

global (dmz) 1 interface

nat (inside) 0 access-list 192

nat (inside) 1 172.16.8.40 255.255.255.255 0 0

nat (inside2) 0 access-list 192

nat (extranet) 1 0.0.0.0 0.0.0.0 0 0

alias (extranet) xxx.xxx.xxx.206 190.90.90.72 255.255.255.255

static (dmz,outside) xxx.xxx.xxx.204 190.90.90.70 netmask 255.255.255.255 0 0

static (dmz,outside) xxx.xxx.xxx.203 190.90.90.71 netmask 255.255.255.255 0 0

static (dmz,outside) xxx.xxx.xxx.206 190.90.90.72 netmask 255.255.255.255 0 0

static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0

static (inside,inside2) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0

access-group acl_out in interface outside

access-group acl_dmz in interface dmz

access-group acl_inside2 in interface inside2

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.201 1

route inside 172.16.0.0 255.255.0.0 172.16.8.2 1

timeout xlate 3:00:00

timeout conn 10:00:00 half-closed 0:10:00 udp 0:15:00 rpc 4:00:00 h323 0:05:00 s

ip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

sysopt connection permit-ipsec

sysopt connection pl-compatible

no sysopt route dnat

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto dynamic-map dynmap 4 set transform-set myset

crypto map vpn 10 ipsec-isakmp dynamic dynmap

crypto map vpn client configuration address initiate

crypto map vpn client configuration address respond

crypto map vpn interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

vpngroup support address-pool vpnusers

vpngroup support dns-server 172.16.2.40

vpngroup support wins-server 172.16.2.40

vpngroup support default-domain city.xxx

vpngroup support split-tunnel 192

vpngroup support idle-time 1800

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:50cc71b37469bc4e75facd2bc7c72c2a

citypix#

1 REPLY
New Member

Re: VPN 3.03a client connectivity

I think you’re going to need to troubleshoot both of those problems with Cisco’s tac. The config looks okay at a glance.

100
Views
0
Helpful
1
Replies