08-16-2001 04:38 PM - edited 02-21-2020 11:24 AM
Working with a PIX 515 6.0 3des and using vpn 3.03a client - I have two issues - one regarding installation of the client and problems with the DNE miniport. I have tried successfully installing on a Compaq desktop with Win2K but unsuccessfully on 3 different OEM laptops with W2K. I keep getting the error that the VPN sub-system is unavailable. I checked the bugs and it is documented but have been unable to get the workaround to fix the issue.
The other issue is connectivity to the internal network. From the desktop machine I can establish the IPSec tunnel to the PIX but cannot access anything on the internal network. Following is my config - (I'm still pretty new at the firewall). Suggestions or fixes - please advise.
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security20
nameif ethernet3 inside2 security80
nameif ethernet4 extranet security30
nameif ethernet5 dmz2 security40
hostname citypix
domain-name xxxxxxxx.com
access-list acl_out permit tcp any host xxx.xxx.xxx.204 eq smtp
access-list acl_out permit tcp any host xxx.xxx.xxx.203 eq smtp
access-list acl_out permit tcp any host xxx.xxx.xxx.206 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.206 eq ftp
access-list acl_out permit icmp any any
access-list acl_out permit tcp host 172.16.8.40 any eq www
access-list acl_dmz permit icmp any any
access-list acl_dmz permit ip any any
access-list 192 permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list acl_inside2 permit icmp any any
access-list acl_inside2 permit ip any any
logging on
logging buffered debugging
logging trap debugging
logging history debugging
logging facility 16
logging host inside 172.16.8.40
interface ethernet0 10baset
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 10baset
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu inside2 1500
mtu extranet 1500
mtu dmz2 1500
ip address outside xxx.xxx.xxx.202 255.255.255.248
ip address inside 172.16.8.4 255.255.255.0
ip address dmz 190.90.90.4 255.255.255.0
ip address inside2 172.16.41.4 255.255.255.0
ip address extranet xxx.xxx.xxx.xxx 255.255.255.0
ip address dmz2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnusers 192.168.1.1-192.168.1.254
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 192
nat (inside) 1 172.16.8.40 255.255.255.255 0 0
nat (inside2) 0 access-list 192
nat (extranet) 1 0.0.0.0 0.0.0.0 0 0
alias (extranet) xxx.xxx.xxx.206 190.90.90.72 255.255.255.255
static (dmz,outside) xxx.xxx.xxx.204 190.90.90.70 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.203 190.90.90.71 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.206 190.90.90.72 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (inside,inside2) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
access-group acl_inside2 in interface inside2
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.201 1
route inside 172.16.0.0 255.255.0.0 172.16.8.2 1
timeout xlate 3:00:00
timeout conn 10:00:00 half-closed 0:10:00 udp 0:15:00 rpc 4:00:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
sysopt connection permit-ipsec
sysopt connection pl-compatible
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 4 set transform-set myset
crypto map vpn 10 ipsec-isakmp dynamic dynmap
crypto map vpn client configuration address initiate
crypto map vpn client configuration address respond
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup support address-pool vpnusers
vpngroup support dns-server 172.16.2.40
vpngroup support wins-server 172.16.2.40
vpngroup support default-domain city.xxx
vpngroup support split-tunnel 192
vpngroup support idle-time 1800
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:50cc71b37469bc4e75facd2bc7c72c2a
citypix#
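A quick consistency check on the VPN-client plumbing in a config like the one above, added here as an example (not from the original post or Cisco): it parses the `ip local pool`, `nat (...) 0 access-list`, `access-list ... permit ip` and `vpngroup` lines and verifies that every NAT-exemption ACL actually covers the whole client pool and that the split-tunnel ACL exists. The config text embedded below is a constructed excerpt of the posted config, trimmed to the lines the check needs.

```python
import ipaddress

# Constructed excerpt of the PIX 6.0 config posted above (only the lines this check reads).
PIX_CONFIG = """
access-list 192 permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
ip local pool vpnusers 192.168.1.1-192.168.1.254
nat (inside) 0 access-list 192
nat (inside2) 0 access-list 192
vpngroup support address-pool vpnusers
vpngroup support split-tunnel 192
"""

def parse_config(text):
    """Pull out the objects that decide whether VPN clients can reach inside hosts."""
    acls, pools, nat0, groups = {}, {}, {}, {}
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        # Only 'permit ip <net> <mask> <net> <mask>' entries matter for NAT exemption.
        if f[0] == "access-list" and f[2:4] == ["permit", "ip"] and len(f) >= 8 and f[4] != "any":
            src = ipaddress.ip_network(f"{f[4]}/{f[5]}", strict=False)
            dst = ipaddress.ip_network(f"{f[6]}/{f[7]}", strict=False)
            acls.setdefault(f[1], []).append((src, dst))
        elif f[:3] == ["ip", "local", "pool"]:
            lo, hi = f[4].split("-")
            pools[f[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif f[0] == "nat" and f[2:4] == ["0", "access-list"]:
            nat0[f[1].strip("()")] = f[4]          # interface -> exemption ACL name
        elif f[0] == "vpngroup":
            groups.setdefault(f[1], {})[f[2]] = f[3]  # group -> {attribute: value}
    return acls, pools, nat0, groups

def check_vpn_reachability(text):
    """Return a list of findings; an empty list means pool, nat 0 and split-tunnel agree."""
    acls, pools, nat0, groups = parse_config(text)
    findings = []
    for name, g in groups.items():
        pool = pools.get(g.get("address-pool"))
        if pool is None:
            findings.append(f"{name}: address-pool is not defined")
            continue
        lo, hi = pool
        # If an exemption ACL misses the pool, replies to VPN clients get NATed and the tunnel is one-way.
        for iface, acl in nat0.items():
            if not any(lo in dst and hi in dst for _, dst in acls.get(acl, [])):
                findings.append(f"nat ({iface}) 0 access-list {acl} does not cover pool {lo}-{hi}")
        # The split-tunnel ACL is what tells the client which networks go through the tunnel.
        st = g.get("split-tunnel")
        if st and st not in acls:
            findings.append(f"{name}: split-tunnel ACL {st} is not defined")
    return findings
```

For the posted config the check comes back clean, which is consistent with the reply below; a pool that drifted outside ACL 192 would be reported for each `nat 0` interface.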
08-21-2001 01:58 PM
I think you're going to need to troubleshoot both of those problems with Cisco's TAC. The config looks okay at a glance.