VPN client connection

I have set up my PIX 515 and I would like to connect with the VPN client.

When I connect with the VPN client, it shows the following error message and it can't make the connection successfully. Would you help me solve the problem?

1 13:00:29.910 04/30/02 Sev=Warning/3 IKE/0xA300004A

Received a NOTIFY message with an invalid protocol id (0)

----------------------------------------------

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password mR4k9NNqlwc4Xar4 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIX

domain-name hk.tmsw.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list VPN permit ip 198.99.173.0 255.255.255.0 198.99.172.0 255.255.255.0

access-list VPN permit ip 198.99.173.0 255.255.255.0 198.99.180.0 255.255.255.0

access-list VPN permit ip 198.99.173.0 255.255.255.0 192.128.60.0 255.255.255.0

access-list VPN permit ip 198.99.173.0 255.255.255.0 198.99.170.0 255.255.255.0

access-list VPN permit ip 198.99.173.0 255.255.255.0 204.126.195.0 255.255.255.0

access-list VPN permit ip 198.99.173.0 255.255.255.0 1.1.1.0 255.255.255.0

access-list VPN permit ip 198.99.173.0 255.255.255.0 1.1.6.0 255.255.255.0

access-list VPN permit ip 198.99.173.0 255.255.255.0 1.1.10.0 255.255.255.0

access-list VPN permit ip 198.99.173.0 255.255.255.0 1.1.11.0 255.255.255.0

access-list VPN permit ip 198.99.173.0 255.255.255.0 1.1.2.0 255.255.255.0

access-list VPN permit ip 198.99.173.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list VPN permit ip 198.99.173.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list VPN permit ip 198.99.173.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list Chicago permit ip 198.99.173.0 255.255.255.0 198.99.172.0 255.255.255.0

access-list Chicago permit ip 198.99.173.0 255.255.255.0 198.99.180.0 255.255.255.0

access-list Disney permit ip 198.99.173.0 255.255.255.0 host 192.128.60.115

access-list Miami permit ip 198.99.173.0 255.255.255.0 198.99.170.0 255.255.255.0

access-list Toronto permit ip 198.99.173.0 255.255.255.0 204.126.195.0 255.255.255.0

access-list London permit ip 198.99.173.0 255.255.255.0 1.1.1.0 255.255.255.0

access-list London permit ip 198.99.173.0 255.255.255.0 1.1.6.0 255.255.255.0

access-list London permit ip 198.99.173.0 255.255.255.0 1.1.10.0 255.255.255.0

access-list London permit ip 198.99.173.0 255.255.255.0 1.1.11.0 255.255.255.0

access-list Leeds permit ip 198.99.173.0 255.255.255.0 1.1.2.0 255.255.255.0

access-list Sydney permit ip 198.99.173.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list Melbourne permit ip 198.99.173.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list vpnremote permit ip 198.99.173.0 255.255.255.0 10.1.1.0 255.255.255.0

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 202.130.186.114 255.255.255.240

ip address inside 198.99.173.2 255.255.255.0

ip address dmz 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

ip local pool bigpool 10.1.1.101-10.1.1.102

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address dmz 0.0.0.0

pdm history enable

arp timeout 604800

nat (inside) 0 access-list VPN

nat (inside) 0 198.99.173.0 255.255.255.0 0 0

conduit permit tcp any any

conduit permit udp any any

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 202.130.186.113 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http 192.168.100.30 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set common esp-des esp-sha-hmac

crypto dynamic-map dynamp 10 set transform-set common

crypto map tmsw 10 ipsec-isakmp

crypto map tmsw 10 match address Chicago

crypto map tmsw 10 set peer 204.233.233.18

crypto map tmsw 10 set transform-set common

crypto map tmsw 20 ipsec-isakmp

crypto map tmsw 20 match address Miami

crypto map tmsw 20 set peer 157.238.182.50

crypto map tmsw 20 set transform-set common

crypto map tmsw 30 ipsec-isakmp

crypto map tmsw 30 match address Toronto

crypto map tmsw 30 set peer 207.35.192.2

crypto map tmsw 30 set transform-set common

crypto map tmsw 40 ipsec-isakmp

crypto map tmsw 40 match address London

crypto map tmsw 40 set peer 195.74.151.253

crypto map tmsw 40 set transform-set common

crypto map tmsw 50 ipsec-isakmp

crypto map tmsw 50 match address Leeds

crypto map tmsw 50 set peer 212.58.55.253

crypto map tmsw 50 set transform-set common

crypto map tmsw 60 ipsec-isakmp

crypto map tmsw 60 match address Sydney

crypto map tmsw 60 set peer 203.202.137.130

crypto map tmsw 60 set transform-set common

crypto map tmsw 70 ipsec-isakmp

crypto map tmsw 70 match address Melbourne

crypto map tmsw 70 set peer 203.202.137.186

crypto map tmsw 70 set transform-set common

crypto map tmsw client configuration address initiate

crypto map tmsw client configuration address respond

crypto map tmsw interface outside

isakmp enable outside

isakmp key ******** address 204.233.233.18 netmask 255.255.255.255

isakmp key ******** address 157.238.182.50 netmask 255.255.255.255

isakmp key ******** address 207.35.192.2 netmask 255.255.255.255

isakmp key ******** address 195.74.151.253 netmask 255.255.255.255

isakmp key ******** address 212.58.55.253 netmask 255.255.255.255

isakmp key ******** address 203.202.137.130 netmask 255.255.255.255

isakmp key ******** address 203.202.137.186 netmask 255.255.255.255

isakmp client configuration address-pool local bigpool outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption des

isakmp policy 30 hash sha

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

vpngroup IT address-pool bigpool

vpngroup IT dns-server 198.99.173.32

vpngroup IT default-domain tmsw

vpngroup IT idle-time 86400

vpngroup IT password ********

5 REPLIES

Re: VPN client connection

Hello,

You seem to be missing the dynamic statement on your tmsw crypto map:

You can use whatever sequence number you like; 100 is just an example.

"crypto map tmsw 100 ipsec-isakmp dynamic dynamp"

You will also need to add the bigpool address space to the nat 0 access-list:

"access-list VPN permit ip 198.99.173.0 255.255.255.0 10.1.1.101 255.255.255.255"

"access-list VPN permit ip 198.99.173.0 255.255.255.0 10.1.1.102 255.255.255.255"

These statements are not needed if you are using the VPN 3000 or Unified 3.x client.

They are only for the IRE 1.0/1.1 client (i.e. Cisco Secure VPN Client):

crypto map tmsw client configuration address initiate

crypto map tmsw client configuration address respond


Re: VPN client connection

Thank you very much.

You gave a very good solution that helped me fix the problem.

I would like to ask one more question.

After forming the VPN channel, can I still access other websites (www.yahoo.com)?

I found that after the channel is up, I can only access my intranet.

Thank you for your help


Re: VPN client connection

You will need to add a command to your vpngroup configuration.

"vpngroup IT split-tunnel vpnremote"

This will match traffic on the remote client side that is to be encrypted; all other traffic with a destination other than your internal network will not be processed by IPsec.

You seem to already have the correct access-list in your config for this:

access-list vpnremote permit ip 198.99.173.0 255.255.255.0 10.1.1.0 255.255.255.0

Please let me know if this helps.

Thanks

Jason Parrish

jparrish@rightsys.com


Re: VPN client connection

Thank you for your help!!

I can access the Internet even from the VPN channel.


Re: VPN client connection

But isn't/aren't pre-shared key(s) for the dynamic VPN clients missing? There are pre-shared keys for the static peers but I can't see one for the dynamic VPN clients.
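The thread fixes three things by hand (the dynamic crypto map never bound to the static map, the client address pool missing from the nat 0 access-list, and the absent split-tunnel ACL) and then asks where the pre-shared key for the dynamic clients is. Below is an added example, written for this page and not code from the thread or from Cisco: a small Python linter that reads a PIX 6.x `write terminal` dump and reports each of those conditions, run against a constructed excerpt of the posted config before and after the replies' changes. The pre-shared-key check encodes the PIX 6.x behaviour that `vpngroup <group> password` is the group pre-shared key for the Unity (3.x) client, while the older IRE/Cisco Secure VPN Client needs a wildcard `isakmp key ... address 0.0.0.0 netmask 0.0.0.0`; the function and variable names are mine.

```python
"""Lint a PIX 6.x remote-access VPN config for the problems discussed in the thread.
Added example, not from the original post. Reports: dynamic maps never bound to a
crypto map, pool addresses the nat 0 ACL does not exempt, vpngroups without a usable
split-tunnel ACL, and vpngroups with no pre-shared key source."""
import ipaddress
import re


def _addr(tokens, i):
    """Parse one PIX ACL address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(cfg, name):
    """Return [(src_net, dst_net)] for the `permit ip` entries of the named ACL."""
    entries = []
    for line in cfg.splitlines():
        t = line.split()
        if t[:4] == ["access-list", name, "permit", "ip"]:
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            entries.append((src, dst))
    return entries


def parse_pools(cfg):
    """Return {pool_name: (first_addr_int, last_addr_int)} from `ip local pool` lines."""
    pools = {}
    for name, lo, hi in re.findall(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", cfg, re.M):
        pools[name] = (int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
    return pools


def unbound_dynamic_maps(cfg):
    """Dynamic maps never attached to a crypto map: clients find no matching entry."""
    defined = set(re.findall(r"^crypto dynamic-map (\S+) \d+", cfg, re.M))
    bound = set(re.findall(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", cfg, re.M))
    return sorted(defined - bound)


def pool_addrs_not_in_nat0(cfg):
    """Pool addresses that would still be NATed because no nat 0 ACL entry covers them."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if not m:
        return ["<no 'nat (inside) 0 access-list' configured>"]
    dests = [dst for _, dst in parse_acl(cfg, m.group(1))]
    missing = []
    for lo, hi in parse_pools(cfg).values():
        for n in range(lo, hi + 1):
            addr = ipaddress.IPv4Address(n)
            if not any(addr in dst for dst in dests):
                missing.append(str(addr))
    return missing


def groups_without_split_tunnel(cfg):
    """vpngroups whose clients tunnel everything: no split-tunnel ACL, or an empty one."""
    groups = set(re.findall(r"^vpngroup (\S+) address-pool", cfg, re.M))
    split = dict(re.findall(r"^vpngroup (\S+) split-tunnel (\S+)", cfg, re.M))
    return sorted(g for g in groups if g not in split or not parse_acl(cfg, split[g]))


def groups_without_psk(cfg):
    """vpngroups with no pre-shared key: neither a group password nor a wildcard isakmp key."""
    if re.search(r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0", cfg, re.M):
        return []  # wildcard key covers every dynamic peer (IRE client style)
    groups = set(re.findall(r"^vpngroup (\S+) address-pool", cfg, re.M))
    with_password = set(re.findall(r"^vpngroup (\S+) password", cfg, re.M))
    return sorted(groups - with_password)


def lint(cfg):
    return {
        "unbound_dynamic_maps": unbound_dynamic_maps(cfg),
        "pool_addrs_not_in_nat0": pool_addrs_not_in_nat0(cfg),
        "groups_without_split_tunnel": groups_without_split_tunnel(cfg),
        "groups_without_psk": groups_without_psk(cfg),
    }


# Constructed excerpt of the posted config, reduced to the remote-access-relevant lines.
BEFORE = """\
access-list VPN permit ip 198.99.173.0 255.255.255.0 198.99.172.0 255.255.255.0
access-list vpnremote permit ip 198.99.173.0 255.255.255.0 10.1.1.0 255.255.255.0
ip local pool bigpool 10.1.1.101-10.1.1.102
nat (inside) 0 access-list VPN
crypto dynamic-map dynamp 10 set transform-set common
crypto map tmsw 10 ipsec-isakmp
crypto map tmsw 10 match address Chicago
crypto map tmsw interface outside
isakmp key ******** address 204.233.233.18 netmask 255.255.255.255
vpngroup IT address-pool bigpool
vpngroup IT password ********
"""

# The same excerpt with the lines the replies in the thread add.
AFTER = BEFORE + """\
crypto map tmsw 100 ipsec-isakmp dynamic dynamp
access-list VPN permit ip 198.99.173.0 255.255.255.0 10.1.1.101 255.255.255.255
access-list VPN permit ip 198.99.173.0 255.255.255.0 10.1.1.102 255.255.255.255
vpngroup IT split-tunnel vpnremote
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(cfg))
```

Run against the "before" excerpt it reports `dynamp` as unbound, both pool addresses as missing from the nat 0 ACL and group `IT` as having no split tunnel, while the pre-shared-key check is already clean because `vpngroup IT password` is present; the "after" excerpt reports nothing. The same pattern extends to the other things that stand out in the posted config (the `conduit permit ... any any` lines and the `snmp-server community public` string), which are outside what this thread is about.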
