
New Member

VPN Client - Cisco 806 - DSL - PIX 501 - Server

Hi there,

I am not sure about IOS or PIX configuration, maybe one of you can help me. My problem is that the tunnel is established, but no data is transferred. My router drops the packets with "destination host unknown" as a sniffer output revealed to me. On the client, I see the "bytes encrypted" counter go up and at the same time the "bytes dropped" counter go up as well.

I am using a Windows 2000 PC with VPN Client 3.5.2 C for the connection.

The Cisco 806 uses 12.2(8)T5.

Pix software is 6.2.

[0] Network Diagram

[ Client ]--------[ 806 ] ~~~~~T-DSL~~~~[Telekom]~~~~~T-DSL~~~~[ PIX501 ]--------[ Server ]

[1] Excerpt from my vpn client log

| 1 11:59:38.778 07/27/02 Sev=Warning/3 IKE/0xA3000058

| Received malformed message or negotiation no longer active (message id: 0x1363B7F7)

[2] the router doesn't see the destination address in its routing table (is that an error?):

| tdsl#ping drsfabel.dns2go.com

|

| Type escape sequence to abort.

| Sending 5, 100-byte ICMP Echos to 62.155.144.55, timeout is 2 seconds:

| !!!!!

| Success rate is 100 percent (5/5), round-trip min/avg/max = 116/116/116 ms

| tdsl#show ip route 62.155.144.55

| % Network not in table

-> default route is set to interface dialer0.

[3] Configuration Cisco 806:

| tdsl#sh version

| Cisco Internetwork Operating System Software

| IOS (tm) C806 Software (C806-K9OSY6-M), Version 12.2(8)T5, RELEASE SOFTWARE (fc1)

| TAC Support: http://www.cisco.com/tac

| Copyright (c) 1986-2002 by cisco Systems, Inc.

| Compiled Fri 21-Jun-02 21:41 by ccai

| Image text-base: 0x80013170, data-base: 0x8081F708

| [..]

|

| tdsl#sh run

| Building configuration...

|

| Current configuration : 2375 bytes

| !

| version 12.2

| no service pad

| service timestamps debug uptime

| service timestamps log uptime

| service password-encryption

| !

| hostname tdsl

| !

| enable secret 5 $1$/HB4$ENV5hYc2592Fi67ciJwKu.

| !

| ip subnet-zero

| ip name-server 194.25.2.129

| ip dhcp excluded-address 192.168.1.254

| ip dhcp excluded-address 192.168.1.1 192.168.1.128

| !

| ip dhcp pool fabel

| network 192.168.1.0 255.255.255.0

| dns-server 194.25.2.129

| default-router 192.168.1.254

| !

| ip inspect name myfw tcp alert on timeout 3600

| ip inspect name myfw cuseeme timeout 3600

| ip inspect name myfw ftp timeout 3600

| ip inspect name myfw http timeout 3600

| ip inspect name myfw rcmd timeout 3600

| ip inspect name myfw realaudio timeout 3600

| ip inspect name myfw smtp timeout 3600

| ip inspect name myfw tftp timeout 30

| ip inspect name myfw udp timeout 15

| ip inspect name myfw h323 timeout 3600

| vpdn enable

| !

| vpdn-group 1

| request-dialin

| protocol pppoe

| !

| !

| crypto ipsec df-bit clear

| !

| !

| !

| interface Ethernet0

| ip address 192.168.1.254 255.255.255.0

| ip nat inside

| ip tcp adjust-mss 1452

| hold-queue 100 out

| !

| interface Ethernet1

| no ip address

| ip tcp adjust-mss 1452

| pppoe enable

| pppoe-client dial-pool-number 1

| !

| interface Dialer0

| ip address negotiated

| ip access-group 105 in

| ip mtu 1492

| ip nat outside

| ip inspect myfw in

| encapsulation ppp

| no ip mroute-cache

| dialer pool 1

| dialer-group 1

| no cdp enable

| ppp authentication pap callin

| ppp pap sent-username xxxxxxxxxxxxxxxyyyyyyyyy#0001@t-online.de password 7 zzzzzzzzzzzzzzzzz

| !

| ip nat inside source list 1 interface Dialer0 overload

| ip classless

| ip route 0.0.0.0 0.0.0.0 Dialer0

| no ip http server

| ip pim bidir-enable

| !

| !

| access-list 1 permit 192.168.1.0 0.0.0.255

| access-list 105 deny ip 192.168.1.0 0.0.0.255 any

| access-list 105 permit icmp any any echo-reply

| access-list 105 permit icmp any any time-exceeded

| access-list 105 permit icmp any any packet-too-big

| access-list 105 permit icmp any any traceroute

| access-list 105 permit icmp any any unreachable

| access-list 105 permit udp any any

| access-list 105 permit tcp any any established

| access-list 105 deny ip any any

| !

| line con 0

| logging synchronous

| stopbits 1

| line vty 0 4

| password 7 04570E040E27

| login

| !

| scheduler max-task-time 5000

| end

[4] Configuration PIX 501:

| : Saved

| : Written by enable_15 at 21:41:12.570 CEDT Sun Jul 14 2002

| PIX Version 6.2(1)

| nameif ethernet0 outside security0

| nameif ethernet1 inside security100

| enable password zzzzzzzzzzzzzzzzz encrypted

| passwd zzzzzzzzzzzzzzzz encrypted

| hostname pix501

| domain-name dr-fabel.de

| clock timezone CEST 1

| clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

| fixup protocol ftp 21

| fixup protocol http 80

| fixup protocol h323 h225 1720

| fixup protocol h323 ras 1718-1719

| fixup protocol ils 389

| fixup protocol rsh 514

| fixup protocol rtsp 554

| fixup protocol smtp 25

| fixup protocol sqlnet 1521

| fixup protocol sip 5060

| fixup protocol skinny 2000

| names

| access-list inside_outbound_nat0_acl permit ip any host 192.168.0.200

| access-list outside_cryptomap_dyn_30 permit ip any host 192.168.0.200

| pager lines 24

| logging on

| logging timestamp

| interface ethernet0 10baset

| interface ethernet1 10full

| mtu outside 1492

| mtu inside 1500

| ip address outside pppoe setroute

| ip address inside 192.168.0.254 255.255.255.0

| ip verify reverse-path interface outside

| ip audit name info1 info action alarm

| ip audit name attack1 attack action alarm

| ip audit interface outside info1

| ip audit interface outside attack1

| ip audit interface inside info1

| ip audit interface inside attack1

| ip audit info action alarm

| ip audit attack action alarm

| ip local pool remote-vpn 192.168.0.200

| pdm logging errors 100

| pdm history enable

| arp timeout 14400

| global (outside) 1 interface

| nat (inside) 0 access-list inside_outbound_nat0_acl

| nat (inside) 1 0.0.0.0 0.0.0.0 0 0

| timeout xlate 3:00:00

| timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

| timeout uauth 0:05:00 absolute

| aaa-server TACACS+ protocol tacacs+

| aaa-server RADIUS protocol radius

| aaa-server LOCAL protocol local

| ntp server 192.53.103.103 source outside

| ntp server 192.53.103.104 source outside

| ntp server 129.132.2.21 source outside

| ntp server 131.188.3.222 source outside

| ntp server 131.188.3.221 source outside

| ntp server 131.188.3.220 source outside

| http server enable

| http 192.168.0.0 255.255.255.0 inside

| no snmp-server location

| no snmp-server contact

| snmp-server community public

| no snmp-server enable traps

| tftp-server inside 192.168.0.10 pix501-config.txt

| floodguard enable

| sysopt connection permit-ipsec

| no sysopt route dnat

| crypto ipsec transform-set myset esp-3des esp-md5-hmac

| crypto dynamic-map dynmap 10 set transform-set myset

| crypto map mymap 10 ipsec-isakmp dynamic dynmap

| crypto map mymap interface outside

| isakmp enable outside

| isakmp identity address

| isakmp policy 10 authentication pre-share

| isakmp policy 10 encryption 3des

| isakmp policy 10 hash md5

| isakmp policy 10 group 2

| isakmp policy 10 lifetime 86400

| vpngroup steffen address-pool remote-vpn

| vpngroup steffen dns-server 192.168.0.200 194.25.2.129

| vpngroup steffen default-domain dr-fabel.de

| vpngroup steffen split-tunnel inside_outbound_nat0_acl

| vpngroup steffen idle-time 1800

| vpngroup steffen password zzzzzzzzzzzzzzz

| telnet 192.168.0.0 255.255.255.0 inside

| telnet timeout 5

| ssh 192.168.0.0 255.255.255.0 inside

| ssh timeout 5

| vpdn group pppoe-fabel request dialout pppoe

| vpdn group pppoe-fabel localname xxxxxxxxxxxxxxxxxxxxxxxx#0001@t-online.de

| vpdn username xxxxxxxxxxxxxxxxxxxxxxx#0001@t-online.de password zzzzzzzzzzz

| dhcpd address 192.168.0.10-192.168.0.20 inside

| dhcpd dns 194.25.2.129

| dhcpd lease 3600

| dhcpd ping_timeout 750

| dhcpd domain dr-fabel.de

| dhcpd auto_config outside

| dhcpd enable inside

| terminal width 80

| Cryptochecksum:9341839b4a3cb7291c4f55184cb02418

| : end

Thank you very much for your input. I am really stuck with this. I had assumed that the dynamic DNS issue would be more of a problem. Somewhere in this forum I read that VPN client connections over PAT to a PIX are not supported, which would apparently be the case with this one. Do you have any more specific information (like, URL to read the bug report?). Also, if so, do you have any idea as to when this will be fixed?

Thanks,

Stephan

3 REPLIES
New Member

Re: VPN Client - Cisco 806 - DSL - PIX 501 - Server

Hi Stephan,

VPN client to PIX "IPSEC over PAT" is not supported in the current PIX IOS version. Nor on a router.

This is not a bug; it just needs some time to implement those features from the VPN 3000 concentrator on the PIX and router.

It will still take some time before "IPSEC over PAT" makes it into the router and PIX in a future release.

But you do have a workaround in your settings: you can try to set up a LAN-to-LAN tunnel between the router and the PIX to avoid using "IPSEC over PAT":

http://www.cisco.com/warp/customer/110/39.html

Best Regards,

New Member

Re: VPN Client - Cisco 806 - DSL - PIX 501 - Server

Hi,

thank you for the information. I will keep this in mind. The reason I chose to use the VPN Client (instead of having a site-to-site VPN) was because I was told that the IOS does not support connecting to a DNS entry, only an IP address. Since I have two dynamic IP addresses, I need to use dynamic DNS as well, which means I need to configure my VPN to connect to a domain name instead of the address.

Is there any way I can solve this?

Thanks,

Stephan

Cisco Employee

Re: VPN Client - Cisco 806 - DSL - PIX 501 - Server

Won't Dynamic Crypto Maps help you?
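The two suggestions in the replies above (a LAN-to-LAN tunnel between the 806 and the PIX instead of the VPN Client, and a dynamic crypto map on the PIX so that the router's changing address does not have to be pinned) combined into one configuration. This is an added example written for this page, not a configuration posted in the thread or published by Cisco. It reuses what is visible in the posts: router LAN 192.168.1.0/24, PIX LAN 192.168.0.0/24, the PIX outside address 62.155.144.55 from the ping output, and the 3DES/MD5/group 2 ISAKMP policy and "myset" transform set already on the PIX. The pre-shared key is a placeholder written as <pre-shared-key>; ACL numbers 101 and 110, the ACL name l2l_acl and the crypto map name l2l are my choices. Two things in the posted router config are handled explicitly because a LAN-to-LAN tunnel cannot work without them: access-list 1 sends all of 192.168.1.0/24 through PAT, so traffic for the remote LAN must be exempted from translation before it is encrypted, and access-list 105 ends in "deny ip any any" with no line for ESP (IP protocol 50), so the PIX's encrypted replies would be dropped on Dialer0.

```text
! ===== Cisco 806 (IOS 12.2(8)T5) =====
! Phase 1: same parameters the PIX already has in "isakmp policy 10"
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
! PIX outside address as it resolved in the ping output; IOS needs an IP here
crypto isakmp key <pre-shared-key> address 62.155.144.55
!
! Phase 2: mirrors the PIX "crypto ipsec transform-set myset"
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map l2l 10 ipsec-isakmp
 set peer 62.155.144.55
 set transform-set myset
 match address 110
!
! Interesting traffic: local LAN to PIX LAN (mirror image of the PIX ACL below)
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
! PAT exemption: the posted "list 1" translates everything from 192.168.1.0/24.
! Replace it with an extended list that skips the tunnelled traffic.
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
! Inbound ACL on Dialer0, rebuilt: the posted list 105 has no ESP line before
! its final "deny ip any any". The 192.168.0.0/24 -> 192.168.1.0/24 line is for
! IOS releases of this vintage, which re-check the decrypted packet against
! the interface ACL. Rebuild from the console, not over a session through Dialer0.
no access-list 105
access-list 105 deny   ip 192.168.1.0 0.0.0.255 any
access-list 105 permit udp host 62.155.144.55 any eq isakmp
access-list 105 permit esp host 62.155.144.55 any
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any packet-too-big
access-list 105 permit icmp any any traceroute
access-list 105 permit icmp any any unreachable
access-list 105 permit udp any any
access-list 105 permit tcp any any established
access-list 105 deny   ip any any
!
interface Dialer0
 crypto map l2l
!
! ===== PIX 501 (6.2) =====
! Interesting traffic and NAT exemption for PIX LAN <-> router LAN; the posted
! "nat (inside) 0 access-list inside_outbound_nat0_acl" already applies the latter
access-list l2l_acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! Wildcard pre-shared key: the router's address changes, so it cannot be pinned
isakmp key <pre-shared-key> address 0.0.0.0 netmask 0.0.0.0
!
! Dynamic map entry for the LAN-to-LAN peer, sequenced before the existing
! catch-all entry 10 that serves the VPN Client; "crypto map mymap 10
! ipsec-isakmp dynamic dynmap" from the posted config already applies it
crypto dynamic-map dynmap 5 match address l2l_acl
crypto dynamic-map dynmap 5 set transform-set myset
```

The PIX side copes with the router's dynamic address because neither the dynamic map entry nor the wildcard key pins the peer, and "sysopt connection permit-ipsec" (already in the posted config) lets the decrypted traffic bypass the outside ACL. The router side does not solve the other half of the dynamic DNS problem: "set peer" and "crypto isakmp key ... address" take an IP address, so when the PIX's address changes these two lines have to be updated; re-resolving a hostname at tunnel setup is not something this configuration does. To check the tunnel after the router initiates (any packet from 192.168.1.0/24 to 192.168.0.0/24 will do), "show crypto isakmp sa" on the 806 should show the peer in QM_IDLE and "show crypto ipsec sa" should show both "#pkts encaps" and "#pkts decaps" increasing; encaps rising while decaps stays at zero is the symptom of the inbound ESP being dropped on Dialer0, and that is where to look first.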
